Closed bovender closed 2 years ago
I'm not sure what's going wrong there. The webauthn 'library' I used isn't very clear about the possible failure modes and I didn't dive into the webauthn spec to figure them out, which is why error handling is lacking atm. Could you please apply the following patch to get some more logging out of it and try again?
diff --git a/twofactor_webauthn.js b/twofactor_webauthn.js
index 73e0188..9672e42 100644
--- a/twofactor_webauthn.js
+++ b/twofactor_webauthn.js
@@ -28,11 +28,12 @@ function twofactor_webauthn_save() {
function twofactor_webauthn_challenge(data) {
console.log('oink');
if (data.mode == 'register') {
+ console.log(data);
webauthnRegister(data.challenge, function(success, info) {
if (success) {
rcmail.http_post('plugin.twofactor_webauthn_register', { response: info });
}
- else { /* do something already! */ }
+ else { console.log(info); }
});
}
else if (data.mode == 'test') {
Hopefully the JS console will then give us some more information.
Thank you so much for trying to help with this!
data:
{
"mode": "register",
"challenge": ... see below ...
}
{
"publicKey": {
"challenge": [
116,
71,
165,
243,
101,
100,
63,
21,
89,
194,
115,
168,
51,
82,
210,
177
],
"user": {
"displayName": "RoundCube",
"name": "RoundCube",
"id": [
49
]
},
"rp": {
"id": "localhost:8085",
"name": "localhost:8085"
},
"pubKeyCredParams": [
{
"alg": -7,
"type": "public-key"
},
{
"alg": -257,
"type": "public-key"
}
],
"authenticatorSelection": {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": false,
"userVerification": "discouraged"
},
"attestation": null,
"timeout": 60000,
"excludeCredentials": [],
"extensions": {
"exts": true
}
},
"b64challenge": "dEel82VkPxVZwnOoM1LSsQ"
}
info:
SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain.
I wonder if it has something to do with this being behind a reverse proxy. I mean, the "rp"
's "id"
above is "localhost:8085"
, but this, of course, is not the outside domain?
OK, now I added
ProxyPreserveHost on
to my Apache config. Now I am being prompted to insert the security key, but when I touch the key's button, I get logged out of Roundcube immediately.
Will investigate further...
OK, finally got it to work. Weirdly, inbetween my trying to fix it, the SSL connection between the reverse proxy and the docker container failed with handshake errors, but I succeeded by re-simplifying the setup. In the end, it turned out that the immediate logout was caused by the twofactor_gauthenticator
plugin -- evidently the two don't agree with one another.
So, to summarize: Getting webauthn to work in a setup with an Apache reverse proxy and a Roundcube docker container:
ProxyPreserveHost on
in your Apache site config.twofactor_webauth
and twofactor_gauthenticator
plugins together.It would be great though if I could have the choice at run-time whether I use my security key or a TOTP generated by an app.
Thanks again for your help.
Good to hear you've solved your problem. And thanks for sharing your insights. I created this plugin by modifying the twofactor_gauthenticator one, so it's certainly possible that they interfere with each other. It was my intention to also add TOTP functionality to this one because it makes sense to offer various 2FA mechanisms as a fallback. But unfortunately time is limited and I have some projects with more priority. But I hope to revisit this in the future.
I am unable to register a security key. When I click on "Add security key", nothing happens. The JavaScript console shows "oink", which originates from this line: https://github.com/bartnv/twofactor_webauthn/blob/78d8f91033c50395698bb1e181a3104f60902b0b/twofactor_webauthn.js#L29
However, evidently the subsequent call to
webauthnRegister
is not successful.Could it be that this is because I am running Roundcube in a Docker container behind a reverse proxy? I have enabled SSL for the communication between reverse proxy and the Docker container (which required me to
a2enmod ssl
,apt-get install ssl-cert
, anda2ensite default-ssl
), but that did not help.I have successfully used webauthn for a number of self-hosted apps which are sitting behind the same reverse proxy, so I believe something is wrong with my specific Roundcube setup.
Is this a bug with the plugin?