Support webauthn (#17957)

Migrate from U2F to Webauthn

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

10 files changed, 322 insertions, 281 deletions

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index b9765abfb5..d6b3635584 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -236,14 +236,14 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// Check if the user has u2f registration
-	hasU2Ftwofa, err := auth.HasU2FRegistrationsByUID(u.ID)
+	// Check if the user has webauthn registration
+	hasWebAuthnTwofa, err := auth.HasWebAuthnRegistrationsByUID(u.ID)
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return
 	}
 
-	if !hasTOTPtwofa && !hasU2Ftwofa {
+	if !hasTOTPtwofa && !hasWebAuthnTwofa {
 		// No two factor auth configured we can sign in the user
 		handleSignIn(ctx, u, form.Remember)
 		return
@@ -254,7 +254,7 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// User will need to use 2FA TOTP or U2F, save data
+	// User will need to use 2FA TOTP or WebAuthn, save data
 	if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
 		ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
 		return
@@ -268,7 +268,7 @@ func SignInPost(ctx *context.Context) {
 	if hasTOTPtwofa {
 		// User will need to use U2F, save data
 		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
-			ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
+			ctx.ServerError("UserSignIn: Unable to set WebAuthn Enrolled in session", err)
 			return
 		}
 	}
@@ -279,8 +279,8 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	// If we have U2F redirect there first
-	if hasU2Ftwofa {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+	if hasWebAuthnTwofa {
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 9d5a6eb3f8..27eb954a58 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -172,10 +172,10 @@ func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, r
 		log.Error("Error storing session: %v", err)
 	}
 
-	// If U2F is enrolled -> Redirect to U2F instead
-	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	// If WebAuthn is enrolled -> Redirect to WebAuthn instead
+	regs, err := auth.GetWebAuthnCredentialsByUID(u.ID)
 	if err == nil && len(regs) > 0 {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index d20bf97f3c..65ab9f358e 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -34,7 +34,7 @@ import (
 	user_service "code.gitea.io/gitea/services/user"
 
 	"gitea.com/go-chi/binding"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/markbates/goth"
 )
 
@@ -149,7 +149,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 	accessToken := &oauth2.Token{
 		GrantID: grant.ID,
 		Type:    oauth2.TypeAccessToken,
-		StandardClaims: jwt.StandardClaims{
+		// FIXME: Migrate to RegisteredClaims
+		StandardClaims: jwt.StandardClaims{ //nolint
 			ExpiresAt: expirationDate.AsTime().Unix(),
 		},
 	}
@@ -167,7 +168,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 		GrantID: grant.ID,
 		Counter: grant.Counter,
 		Type:    oauth2.TypeRefreshToken,
-		StandardClaims: jwt.StandardClaims{
+		// FIXME: Migrate to RegisteredClaims
+		StandardClaims: jwt.StandardClaims{ // nolint
 			ExpiresAt: refreshExpirationDate,
 		},
 	}
@@ -205,7 +207,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 		}
 
 		idToken := &oauth2.OIDCToken{
-			StandardClaims: jwt.StandardClaims{
+			// FIXME: migrate to RegisteredClaims
+			StandardClaims: jwt.StandardClaims{ //nolint
 				ExpiresAt: expirationDate.AsTime().Unix(),
 				Issuer:    setting.AppURL,
 				Audience:  app.ClientID,
@@ -326,7 +329,8 @@ func IntrospectOAuth(ctx *context.Context) {
 	var response struct {
 		Active bool   `json:"active"`
 		Scope  string `json:"scope,omitempty"`
-		jwt.StandardClaims
+		// FIXME: Migrate to RegisteredClaims
+		jwt.StandardClaims //nolint
 	}
 
 	form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
@@ -1066,10 +1070,10 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 		log.Error("Error storing session: %v", err)
 	}
 
-	// If U2F is enrolled -> Redirect to U2F instead
-	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	// If WebAuthn is enrolled -> Redirect to WebAuthn instead
+	regs, err := auth.GetWebAuthnCredentialsByUID(u.ID)
 	if err == nil && len(regs) > 0 {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/oauth_test.go b/routers/web/auth/oauth_test.go
index c652d901f3..669d7431fc 100644
--- a/routers/web/auth/oauth_test.go
+++ b/routers/web/auth/oauth_test.go
@@ -12,7 +12,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/routers/web/auth/u2f.go b/routers/web/auth/u2f.go
deleted file mode 100644
index 915671cd1e..0000000000
--- a/routers/web/auth/u2f.go
+++ /dev/null
@@ -1,136 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package auth
-
-import (
-	"errors"
-	"net/http"
-
-	"code.gitea.io/gitea/models/auth"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/base"
-	"code.gitea.io/gitea/modules/context"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/web"
-	"code.gitea.io/gitea/services/externalaccount"
-
-	"github.com/tstranex/u2f"
-)
-
-var tplU2F base.TplName = "user/auth/u2f"
-
-// U2F shows the U2F login page
-func U2F(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("twofa")
-	ctx.Data["RequireU2F"] = true
-	// Check auto-login.
-	if checkAutoLogin(ctx) {
-		return
-	}
-
-	// Ensure user is in a 2FA session.
-	if ctx.Session.Get("twofaUid") == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-
-	// See whether TOTP is also available.
-	if ctx.Session.Get("totpEnrolled") != nil {
-		ctx.Data["TOTPEnrolled"] = true
-	}
-
-	ctx.HTML(http.StatusOK, tplU2F)
-}
-
-// U2FChallenge submits a sign challenge to the browser
-func U2FChallenge(ctx *context.Context) {
-	// Ensure user is in a U2F session.
-	idSess := ctx.Session.Get("twofaUid")
-	if idSess == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-	id := idSess.(int64)
-	regs, err := auth.GetU2FRegistrationsByUID(id)
-	if err != nil {
-		ctx.ServerError("UserSignIn", err)
-		return
-	}
-	if len(regs) == 0 {
-		ctx.ServerError("UserSignIn", errors.New("no device registered"))
-		return
-	}
-	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
-	if err != nil {
-		ctx.ServerError("u2f.NewChallenge", err)
-		return
-	}
-	if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
-		ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
-		return
-	}
-	if err := ctx.Session.Release(); err != nil {
-		ctx.ServerError("UserSignIn: unable to store session", err)
-	}
-
-	ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
-}
-
-// U2FSign authenticates the user by signResp
-func U2FSign(ctx *context.Context) {
-	signResp := web.GetForm(ctx).(*u2f.SignResponse)
-	challSess := ctx.Session.Get("u2fChallenge")
-	idSess := ctx.Session.Get("twofaUid")
-	if challSess == nil || idSess == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-	challenge := challSess.(*u2f.Challenge)
-	id := idSess.(int64)
-	regs, err := auth.GetU2FRegistrationsByUID(id)
-	if err != nil {
-		ctx.ServerError("UserSignIn", err)
-		return
-	}
-	for _, reg := range regs {
-		r, err := reg.Parse()
-		if err != nil {
-			log.Error("parsing u2f registration: %v", err)
-			continue
-		}
-		newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
-		if authErr == nil {
-			reg.Counter = newCounter
-			user, err := user_model.GetUserByID(id)
-			if err != nil {
-				ctx.ServerError("UserSignIn", err)
-				return
-			}
-			remember := ctx.Session.Get("twofaRemember").(bool)
-			if err := reg.UpdateCounter(); err != nil {
-				ctx.ServerError("UserSignIn", err)
-				return
-			}
-
-			if ctx.Session.Get("linkAccount") != nil {
-				if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
-					ctx.ServerError("UserSignIn", err)
-					return
-				}
-			}
-			redirect := handleSignInFull(ctx, user, remember, false)
-			if ctx.Written() {
-				return
-			}
-			if redirect == "" {
-				redirect = setting.AppSubURL + "/"
-			}
-			ctx.PlainText(http.StatusOK, redirect)
-			return
-		}
-	}
-	ctx.Error(http.StatusUnauthorized)
-}
diff --git a/routers/web/auth/webauthn.go b/routers/web/auth/webauthn.go
new file mode 100644
index 0000000000..50dcb919e5
--- /dev/null
+++ b/routers/web/auth/webauthn.go
@@ -0,0 +1,169 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	wa "code.gitea.io/gitea/modules/auth/webauthn"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/externalaccount"
+
+	"github.com/duo-labs/webauthn/protocol"
+	"github.com/duo-labs/webauthn/webauthn"
+)
+
+var tplWebAuthn base.TplName = "user/auth/webauthn"
+
+// WebAuthn shows the WebAuthn login page
+func WebAuthn(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	//Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+
+	ctx.HTML(200, tplWebAuthn)
+}
+
+// WebAuthnLoginAssertion submits a WebAuthn challenge to the browser
+func WebAuthnLoginAssertion(ctx *context.Context) {
+	// Ensure user is in a WebAuthn session.
+	idSess, ok := ctx.Session.Get("twofaUid").(int64)
+	if !ok || idSess == 0 {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+
+	user, err := user_model.GetUserByID(idSess)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	exists, err := auth.ExistsWebAuthnCredentialsForUID(user.ID)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	if !exists {
+		ctx.ServerError("UserSignIn", errors.New("no device registered"))
+		return
+	}
+
+	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user), webauthn.WithAssertionExtensions(protocol.AuthenticationExtensions{
+		"appid": setting.U2F.AppID,
+	}))
+	if err != nil {
+		ctx.ServerError("webauthn.BeginLogin", err)
+		return
+	}
+
+	if err := ctx.Session.Set("webauthnAssertion", sessionData); err != nil {
+		ctx.ServerError("Session.Set", err)
+		return
+	}
+	ctx.JSON(http.StatusOK, assertion)
+}
+
+// WebAuthnLoginAssertionPost validates the signature and logs the user in
+func WebAuthnLoginAssertionPost(ctx *context.Context) {
+	idSess, ok := ctx.Session.Get("twofaUid").(int64)
+	sessionData, okData := ctx.Session.Get("webauthnAssertion").(*webauthn.SessionData)
+	if !ok || !okData || sessionData == nil || idSess == 0 {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+	defer func() {
+		_ = ctx.Session.Delete("webauthnAssertion")
+	}()
+
+	// Load the user from the db
+	user, err := user_model.GetUserByID(idSess)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	log.Trace("Finishing webauthn authentication with user: %s", user.Name)
+
+	// Now we do the equivalent of webauthn.FinishLogin using a combination of our session data
+	// (from webauthnAssertion) and verify the provided request.0
+	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)
+	if err != nil {
+		// Failed authentication attempt.
+		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Validate the parsed response.
+	cred, err := wa.WebAuthn.ValidateLogin((*wa.User)(user), *sessionData, parsedResponse)
+	if err != nil {
+		// Failed authentication attempt.
+		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Ensure that the credential wasn't cloned by checking if CloneWarning is set.
+	// (This is set if the sign counter is less than the one we have stored.)
+	if cred.Authenticator.CloneWarning {
+		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr())
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Success! Get the credential and update the sign count with the new value we received.
+	dbCred, err := auth.GetWebAuthnCredentialByCredID(base64.RawStdEncoding.EncodeToString(cred.ID))
+	if err != nil {
+		ctx.ServerError("GetWebAuthnCredentialByCredID", err)
+		return
+	}
+
+	dbCred.SignCount = cred.Authenticator.SignCount
+	if err := dbCred.UpdateSignCount(); err != nil {
+		ctx.ServerError("UpdateSignCount", err)
+		return
+	}
+
+	// Now handle account linking if that's requested
+	if ctx.Session.Get("linkAccount") != nil {
+		if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
+			ctx.ServerError("LinkAccountFromStore", err)
+			return
+		}
+	}
+
+	remember := ctx.Session.Get("twofaRemember").(bool)
+	redirect := handleSignInFull(ctx, user, remember, false)
+	if redirect == "" {
+		redirect = setting.AppSubURL + "/"
+	}
+	_ = ctx.Session.Delete("twofaUid")
+
+	// Finally check if the appid extension was used:
+	if value, ok := parsedResponse.ClientExtensionResults["appid"]; ok {
+		if appid, ok := value.(bool); ok && appid {
+			ctx.Flash.Error(ctx.Tr("webauthn_u2f_deprecated", dbCred.Name))
+		}
+	}
+
+	ctx.JSON(200, map[string]string{"redirect": redirect})
+}
diff --git a/routers/web/user/setting/security/security.go b/routers/web/user/setting/security/security.go
index 0ca6503f05..67bbbf8b31 100644
--- a/routers/web/user/setting/security/security.go
+++ b/routers/web/user/setting/security/security.go
@@ -63,11 +63,12 @@ func loadSecurityData(ctx *context.Context) {
 	}
 	ctx.Data["TOTPEnrolled"] = enrolled
 
-	ctx.Data["U2FRegistrations"], err = auth.GetU2FRegistrationsByUID(ctx.User.ID)
+	credentials, err := auth.GetWebAuthnCredentialsByUID(ctx.User.ID)
 	if err != nil {
-		ctx.ServerError("GetU2FRegistrationsByUID", err)
+		ctx.ServerError("GetWebAuthnCredentialsByUID", err)
 		return
 	}
+	ctx.Data["WebAuthnCredentials"] = credentials
 
 	tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
 	if err != nil {
diff --git a/routers/web/user/setting/security/u2f.go b/routers/web/user/setting/security/u2f.go
deleted file mode 100644
index dd35a893f4..0000000000
--- a/routers/web/user/setting/security/u2f.go
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package security
-
-import (
-	"errors"
-	"net/http"
-
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/modules/context"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/web"
-	"code.gitea.io/gitea/services/forms"
-
-	"github.com/tstranex/u2f"
-)
-
-// U2FRegister initializes the u2f registration procedure
-func U2FRegister(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.U2FRegistrationForm)
-	if form.Name == "" {
-		ctx.Error(http.StatusConflict)
-		return
-	}
-	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
-	if err != nil {
-		ctx.ServerError("NewChallenge", err)
-		return
-	}
-	if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
-		ctx.ServerError("Unable to set session key for u2fChallenge", err)
-		return
-	}
-	regs, err := auth.GetU2FRegistrationsByUID(ctx.User.ID)
-	if err != nil {
-		ctx.ServerError("GetU2FRegistrationsByUID", err)
-		return
-	}
-	for _, reg := range regs {
-		if reg.Name == form.Name {
-			ctx.Error(http.StatusConflict, "Name already taken")
-			return
-		}
-	}
-	if err := ctx.Session.Set("u2fName", form.Name); err != nil {
-		ctx.ServerError("Unable to set session key for u2fName", err)
-		return
-	}
-	// Here we're just going to try to release the session early
-	if err := ctx.Session.Release(); err != nil {
-		// we'll tolerate errors here as they *should* get saved elsewhere
-		log.Error("Unable to save changes to the session: %v", err)
-	}
-	ctx.JSON(http.StatusOK, u2f.NewWebRegisterRequest(challenge, regs.ToRegistrations()))
-}
-
-// U2FRegisterPost receives the response of the security key
-func U2FRegisterPost(ctx *context.Context) {
-	response := web.GetForm(ctx).(*u2f.RegisterResponse)
-	challSess := ctx.Session.Get("u2fChallenge")
-	u2fName := ctx.Session.Get("u2fName")
-	if challSess == nil || u2fName == nil {
-		ctx.ServerError("U2FRegisterPost", errors.New("not in U2F session"))
-		return
-	}
-	challenge := challSess.(*u2f.Challenge)
-	name := u2fName.(string)
-	config := &u2f.Config{
-		// Chrome 66+ doesn't return the device's attestation
-		// certificate by default.
-		SkipAttestationVerify: true,
-	}
-	reg, err := u2f.Register(*response, *challenge, config)
-	if err != nil {
-		ctx.ServerError("u2f.Register", err)
-		return
-	}
-	if _, err = auth.CreateRegistration(ctx.User.ID, name, reg); err != nil {
-		ctx.ServerError("u2f.Register", err)
-		return
-	}
-	ctx.Status(200)
-}
-
-// U2FDelete deletes an security key by id
-func U2FDelete(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.U2FDeleteForm)
-	reg, err := auth.GetU2FRegistrationByID(form.ID)
-	if err != nil {
-		if auth.IsErrU2FRegistrationNotExist(err) {
-			ctx.Status(200)
-			return
-		}
-		ctx.ServerError("GetU2FRegistrationByID", err)
-		return
-	}
-	if reg.UserID != ctx.User.ID {
-		ctx.Status(401)
-		return
-	}
-	if err := auth.DeleteRegistration(reg); err != nil {
-		ctx.ServerError("DeleteRegistration", err)
-		return
-	}
-	ctx.JSON(http.StatusOK, map[string]interface{}{
-		"redirect": setting.AppSubURL + "/user/settings/security",
-	})
-}
diff --git a/routers/web/user/setting/security/webauthn.go b/routers/web/user/setting/security/webauthn.go
new file mode 100644
index 0000000000..8d28de8c98
--- /dev/null
+++ b/routers/web/user/setting/security/webauthn.go
@@ -0,0 +1,119 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package security
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	wa "code.gitea.io/gitea/modules/auth/webauthn"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/forms"
+
+	"github.com/duo-labs/webauthn/protocol"
+	"github.com/duo-labs/webauthn/webauthn"
+)
+
+// WebAuthnRegister initializes the webauthn registration procedure
+func WebAuthnRegister(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.WebauthnRegistrationForm)
+	if form.Name == "" {
+		ctx.Error(http.StatusConflict)
+		return
+	}
+
+	cred, err := auth.GetWebAuthnCredentialByName(ctx.User.ID, form.Name)
+	if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {
+		ctx.ServerError("GetWebAuthnCredentialsByUID", err)
+		return
+	}
+	if cred != nil {
+		ctx.Error(http.StatusConflict, "Name already taken")
+		return
+	}
+
+	_ = ctx.Session.Delete("registration")
+	if err := ctx.Session.Set("WebauthnName", form.Name); err != nil {
+		ctx.ServerError("Unable to set session key for WebauthnName", err)
+		return
+	}
+
+	credentialOptions, sessionData, err := wa.WebAuthn.BeginRegistration((*wa.User)(ctx.User))
+	if err != nil {
+		ctx.ServerError("Unable to BeginRegistration", err)
+		return
+	}
+
+	// Save the session data as marshaled JSON
+	if err = ctx.Session.Set("registration", sessionData); err != nil {
+		ctx.ServerError("Unable to set session", err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, credentialOptions)
+}
+
+// WebauthnRegisterPost receives the response of the security key
+func WebauthnRegisterPost(ctx *context.Context) {
+	name, ok := ctx.Session.Get("WebauthnName").(string)
+	if !ok || name == "" {
+		ctx.ServerError("Get WebauthnName", errors.New("no WebauthnName"))
+		return
+	}
+
+	// Load the session data
+	sessionData, ok := ctx.Session.Get("registration").(*webauthn.SessionData)
+	if !ok || sessionData == nil {
+		ctx.ServerError("Get registration", errors.New("no registration"))
+		return
+	}
+	defer func() {
+		_ = ctx.Session.Delete("registration")
+	}()
+
+	// Verify that the challenge succeeded
+	cred, err := wa.WebAuthn.FinishRegistration((*wa.User)(ctx.User), *sessionData, ctx.Req)
+	if err != nil {
+		if pErr, ok := err.(*protocol.Error); ok {
+			log.Error("Unable to finish registration due to error: %v\nDevInfo: %s", pErr, pErr.DevInfo)
+		}
+		ctx.ServerError("CreateCredential", err)
+		return
+	}
+
+	dbCred, err := auth.GetWebAuthnCredentialByName(ctx.User.ID, name)
+	if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {
+		ctx.ServerError("GetWebAuthnCredentialsByUID", err)
+		return
+	}
+	if dbCred != nil {
+		ctx.Error(http.StatusConflict, "Name already taken")
+		return
+	}
+
+	// Create the credential
+	_, err = auth.CreateCredential(ctx.User.ID, name, cred)
+	if err != nil {
+		ctx.ServerError("CreateCredential", err)
+		return
+	}
+	ctx.JSON(http.StatusCreated, cred)
+}
+
+// WebauthnDelete deletes an security key by id
+func WebauthnDelete(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.WebauthnDeleteForm)
+	if _, err := auth.DeleteCredential(form.ID, ctx.User.ID); err != nil {
+		ctx.ServerError("GetWebAuthnCredentialByID", err)
+		return
+	}
+	ctx.JSON(http.StatusOK, map[string]interface{}{
+		"redirect": setting.AppSubURL + "/user/settings/security",
+	})
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index 8abdf7c61f..55a64ee7d5 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -5,7 +5,6 @@
 package web
 
 import (
-	"encoding/gob"
 	"net/http"
 	"os"
 	"path"
@@ -45,7 +44,6 @@ import (
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	"github.com/prometheus/client_golang/prometheus"
-	"github.com/tstranex/u2f"
 )
 
 const (
@@ -99,8 +97,6 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 		http.Redirect(w, req, path.Join(setting.StaticURLPrefix, "/assets/img/apple-touch-icon.png"), 301)
 	})
 
-	gob.Register(&u2f.Challenge{})
-
 	common := []interface{}{}
 
 	if setting.EnableGzip {
@@ -290,11 +286,10 @@ func RegisterRoutes(m *web.Route) {
 			m.Get("/scratch", auth.TwoFactorScratch)
 			m.Post("/scratch", bindIgnErr(forms.TwoFactorScratchAuthForm{}), auth.TwoFactorScratchPost)
 		})
-		m.Group("/u2f", func() {
-			m.Get("", auth.U2F)
-			m.Get("/challenge", auth.U2FChallenge)
-			m.Post("/sign", bindIgnErr(u2f.SignResponse{}), auth.U2FSign)
-
+		m.Group("/webauthn", func() {
+			m.Get("", auth.WebAuthn)
+			m.Get("/assertion", auth.WebAuthnLoginAssertion)
+			m.Post("/assertion", auth.WebAuthnLoginAssertionPost)
 		})
 	}, reqSignOut)
 
@@ -337,10 +332,10 @@ func RegisterRoutes(m *web.Route) {
 				m.Get("/enroll", security.EnrollTwoFactor)
 				m.Post("/enroll", bindIgnErr(forms.TwoFactorAuthForm{}), security.EnrollTwoFactorPost)
 			})
-			m.Group("/u2f", func() {
-				m.Post("/request_register", bindIgnErr(forms.U2FRegistrationForm{}), security.U2FRegister)
-				m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), security.U2FRegisterPost)
-				m.Post("/delete", bindIgnErr(forms.U2FDeleteForm{}), security.U2FDelete)
+			m.Group("/webauthn", func() {
+				m.Post("/request_register", bindIgnErr(forms.WebauthnRegistrationForm{}), security.WebAuthnRegister)
+				m.Post("/register", security.WebauthnRegisterPost)
+				m.Post("/delete", bindIgnErr(forms.WebauthnDeleteForm{}), security.WebauthnDelete)
 			})
 			m.Group("/openid", func() {
 				m.Post("", bindIgnErr(forms.AddOpenIDForm{}), security.OpenIDPost)