author | zeripath <art27@cantab.net> | 2022-02-09 07:37:58 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-09 15:37:58 +0800 |
commit | 2f766082214e8f10375a68323e6b7bb1c742775d (patch) | |
tree | 9fc308fff5a15ce80de33e99278f92a09a329552 /web_src | |
parent | 4160aff86e9e606212e6884063c1d15a3c12985a (diff) | |
Prevent security failure due to bad APP_ID (#18678)
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.
Also we should allow [u2f] as well as [U2F] sections.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'web_src')
-rw-r--r-- | web_src/js/features/user-auth-webauthn.js | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 4cb8c18219..f11a49864d 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -24,6 +24,19 @@ export function initUserAuthWebAuthn() {
 .then((credential) => {
 verifyAssertion(credential);
 }).catch((err) => {
+ // Try again... without the appid
+ if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {
+ delete makeAssertionOptions.publicKey.extensions['appid'];
+ navigator.credentials.get({
+ publicKey: makeAssertionOptions.publicKey
+ })
+ .then((credential) => {
+ verifyAssertion(credential);
+ }).catch((err) => {
+ webAuthnError('general', err.message);
+ });
+ return;
+ }
 webAuthnError('general', err.message);
 });
 }).fail(() => { |
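Review bot: The retry in the new `catch` fires on every rejection from the first `navigator.credentials.get`, not only on the SecurityError that a disallowed appid produces, so a user who cancels the prompt or lets it time out is shown a second prompt and the error finally reported comes from the retry rather than the original failure. Gating the fallback on the error type keeps it to the case the commit describes: `if (err.name === 'SecurityError' && makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {`. A why-comment above the check would also help the next reader, e.g. `// A U2F appid the browser rejects for this origin fails with SecurityError; retry once without the extension so non-U2F credentials still work`. Note that the retry mutates the shared makeAssertionOptions, which is fine only because the condition guarantees it runs at most once. initUserAuthWebAuthn starts and ends outside the hunk.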