Remove U2F support (#20141)

- Completely remove U2F support from 1.18.0, 1.17.0 will be the last
release that U2F is somewhat supported. Users who used U2F would already
be warned about using U2F for a while now and should hopefully already
be migrated. But starting 1.18 definitely remove it.

1 files changed, 2 insertions, 3 deletions

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 213b88903d..610e4d2904 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -266,7 +266,7 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	if hasTOTPtwofa {
-		// User will need to use U2F, save data
+		// User will need to use WebAuthn, save data
 		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
 			ctx.ServerError("UserSignIn: Unable to set WebAuthn Enrolled in session", err)
 			return
@@ -278,7 +278,7 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// If we have U2F redirect there first
+	// If we have WebAuthn redirect there first
 	if hasWebAuthnTwofa {
 		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
@@ -317,7 +317,6 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 	_ = ctx.Session.Delete("openid_determined_username")
 	_ = ctx.Session.Delete("twofaUid")
 	_ = ctx.Session.Delete("twofaRemember")
-	_ = ctx.Session.Delete("u2fChallenge")
 	_ = ctx.Session.Delete("linkAccount")
 	if err := ctx.Session.Set("uid", u.ID); err != nil {
 		log.Error("Error setting uid %d in session: %v", u.ID, err)