justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License

Demo instructions invoke migrate no such file or directory #45

Closed Frikster closed 4 months ago

Frikster commented 2 years ago

The Demo instructions get me as far as invoke migrate after which I am stuck:

invoke migrate
/bin/bash: line 1: /home/dirk/.local/share/virtualenvs/kagi/bin/python: No such file or directory

Related note: the installation script for Poetry doesn't work. I had to use curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/install-poetry.py | python - which I got directly from their site. Note how this is different from the bash command in the README.

justinmayer commented 2 years ago

Hi Dirk. I updated the Poetry installation instructions; thank you for pointing that out.

I can't replicate the other issue you mentioned. It's not normal for a virtual environment to be missing a python executable. Did you create that virtual environment manually, or did Poetry create it automatically?

I see the problem and will push a fix momentarily.

justinmayer commented 2 years ago

@Frikster: I just updated the documentation via https://github.com/justinmayer/kagi/commit/848cea0680df320072e64e2b297d2249628c6286, which I believe should address the problem you experienced. The short explanation is that when using Poetry to automatically manage virtual environments (which is assumed in the README), one must run poetry shell after poetry install. Otherwise, subsequent commands (like invoke migrate) may not work properly.

Would you try the updated instructions and let me know whether that resolved the issue you experienced?

justinmayer commented 2 years ago

By the way, I just released Kagi 0.2.0 with some enhancements that had piled up. This release, and all future releases, are fully-automated, so the release cadence going forward should be considerably more frequent. 🚀

Frikster commented 2 years ago

I've updated to the latest release. Thanx for the rapid fixes!

Unfortunately, I still cannot get the demo to work. I get to this stage:

image

I click my Yubikey and it flashes away and then... nothing. Navigating to http://localhost:8000/kagi/keys reveals no keys have been set. Logging in again reveals my login is not protected with MFA.

Chrome devtools has this to say:

Error creating credential: DOMException: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.
didClickRegister @ webauthn.js:77
async function (async)
didClickRegister @ webauthn.js:61

First thought is I need HTTPS, but I thought that isn't needed when using Webauthn on localhost?

justinmayer commented 2 years ago

Which exact YubiKey model do you have?

Frikster commented 2 years ago

@justinmayer YubiKey 5 NFC

Ah, I see, I believe I need the FIPS series for Webauthn

Actually hold on, no, it says the YubiKey 5 series supports FIDO2. WebAuthn is essentially the spec for FIDO2. You can't support FIDO2 without supporting WebAuthn is my understanding. So it should work?

justinmayer commented 2 years ago

Yes, my understanding is that model should indeed work just fine. While I don't have that specific model on hand, I currently have a few USB keys at my disposal for testing, all of which seem to work just fine on my Mac version of Chromium 85:

The SoloKey supports FIDO2, so it is the most comparable to your YubiKey 5. I just tested the first two keys above on a fresh project clone to demonstrate that adding keys works as expected. I recorded myself as I did it, which I am uploading to my site temporarily in case it is useful: https://justinmayer.com/media/Kagi-Add-WebAuthn-Keys-2021-11-05.mp4

Do you get the same result on the most recent version of Firefox?

justinmayer commented 2 years ago

Hey @Frikster. Were you able to follow the video I posted in order to test those exact steps on the latest version of Firefox?

Frikster commented 2 years ago

@justinmayer Wow, I never thought I'd see the day where something works on Firefox but not on Chromium! It indeed works flawlessly on the latest version of Firefox. After registering on Firefox, login is protected by 2FA on Chromium and works as expected.

So, I think this issue on Chromium is caused by the Linux issue you do point out in your README. I am noticing that when the "Use your security key with localhost" popup appears, after clicking my key the following popup, "allow this site to see your security keys", that you show in the video does not show up. The reason I think this is a Linux-specific issue is that the YubiKey does not have any lights flashing on Chromium (but it does on Firefox) when the "Use your security key with localhost" popup appears.

Reading through the links in the README (https://github.com/Yubico/libu2f-host/issues/2 and https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules) I am at a loss and don't understand what you mean I can do to get around this problem. Could you perhaps clarify that, and then I can see if I can get it working on Chromium?

Note, though, that I have managed to get WebAuthn 2FA working on Chromium without any hacks using django-fido, so possibly there is something they are doing that you want to incorporate into this repo. Though I didn't try using django-fido on localhost and went straight to using https, so maybe not a fair apples-to-apples comparison.
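The two questions in this thread (does WebAuthn on plain http://localhost need HTTPS, and why does the "timed out or was not allowed" DOMException in Chromium tell you nothing about the key never being reached) come down to checks the client can make itself. The following is an added example, not code from the kagi project or its webauthn.js: it checks whether an origin is a secure context in the sense WebAuthn requires (https, localhost and loopback qualify, a LAN IP over http does not), whether the server's `rp.id` is compatible with the origin (a simplified check that does not consult the public suffix list), converts the base64url fields a server sends into the byte arrays `navigator.credentials.create()` expects, and translates the DOMException names into the defender-side diagnosis. The function names, the `preflight` helper and the injectable `credentials` parameter are this example's own assumptions.

```javascript
// Added example (not part of kagi). Client-side WebAuthn registration checks
// and error translation. Runs in a browser or in Node (>= 16 for atob/btoa).

// WebAuthn is only available in a secure context. Per the Secure Contexts
// spec, https:// origins, localhost (and *.localhost) and loopback IPs are
// "potentially trustworthy", so http://localhost:8000 works without TLS,
// while http://192.168.1.5:8000 does not.
function isPotentiallyTrustworthyOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false;
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname; // WHATWG URL keeps the brackets for IPv6
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// The RP ID the server puts in the creation options must be the origin's host
// or a suffix of it, otherwise the browser rejects with SecurityError.
// Simplified: a real browser also refuses public suffixes such as "com".
function rpIdMatchesOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Returns the reasons a create() call would fail before the key is touched,
// or [] when the basics are fine.
function preflight(origin, rpId) {
  const problems = [];
  if (!isPotentiallyTrustworthyOrigin(origin)) {
    problems.push("origin is not a secure context (use https:// or localhost)");
  }
  if (!rpIdMatchesOrigin(rpId, origin)) {
    problems.push("rp.id '" + rpId + "' is not the origin's host or a suffix of it");
  }
  return problems;
}

// Servers send challenge and user.id as base64url; the browser API wants bytes.
function base64urlToBytes(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function bytesToBase64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// The DOMException *name* carries the information, not the message. The spec's
// privacy considerations make NotAllowedError deliberately vague: a timeout, a
// user cancelling, and the browser never being able to open the authenticator
// all produce the same error. On Linux the last case is typically the browser
// lacking permission on the key's hidraw device node (the udev-rules issue the
// thread refers to), which is why the key never blinks in Chromium.
function explainWebAuthnError(err) {
  switch (err && err.name) {
    case "NotAllowedError":
      return "timed out or not allowed: user cancelled, timeout elapsed, or the browser could not reach the authenticator (on Linux, check udev permissions on the hidraw device)";
    case "SecurityError":
      return "rp.id does not match the origin, or the page is not a secure context";
    case "InvalidStateError":
      return "this authenticator is already registered for this user (excludeCredentials matched)";
    case "NotSupportedError":
      return "no available authenticator supports the requested algorithms or attachment";
    case "AbortError":
      return "request aborted via AbortController";
    default:
      return "unexpected error: " + String(err);
  }
}

// Decodes the server's options, runs create(), and returns a plain result.
// `credentials` is injectable (defaults to navigator.credentials in a browser)
// so the flow can be driven with a stub outside a page.
async function registerKey(serverOptions, credentials = globalThis.navigator && globalThis.navigator.credentials) {
  const publicKey = {
    ...serverOptions,
    challenge: base64urlToBytes(serverOptions.challenge),
    user: { ...serverOptions.user, id: base64urlToBytes(serverOptions.user.id) },
  };
  try {
    const cred = await credentials.create({ publicKey });
    return { ok: true, credentialId: bytesToBase64url(new Uint8Array(cred.rawId)) };
  } catch (err) {
    return { ok: false, reason: explainWebAuthnError(err) };
  }
}
```

In the situation described above, `preflight("http://localhost:8000", "localhost")` returns no problems, which matches the observation that HTTPS is not the issue; the NotAllowedError then points at the browser-to-authenticator path (Firefox reaching the key while Chromium does not), rather than at the relying party.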

justinmayer commented 2 years ago

Under the hood, Kagi uses the WebAuthn library, whereas Django-fido uses the fido2 library. I prefer the former, in part because PyPI uses it for their own MFA implementation, and also because it was written by engineers with strong cryptography backgrounds whom I respect.

WebAuthn recently had a very big release that added many enhancements. It is quite possible those enhancements will resolve the issue you experienced. Kagi currently uses the previous version, because Kagi's test suite will need to be updated to account for the changed behaviors in the underlying library's new release. I don't know when I will be able to allocate time for that, so if you want to help out by adding/changing Kagi's tests such that we maintain 100% test coverage with WebAuthn v1.0+, any assistance you can offer would be greatly appreciated. 😁