kryptco / kr-u2f

DEPRECATED A Browser extension that lets you use your phone as a U2F/WebAuthN Authenticator for strong, unphishable 2FA.
https://krypt.co

Problem when url has a port #41

Closed PeterStaev closed 4 years ago

PeterStaev commented 4 years ago

I'm having the problem with testing an app on localhost, but I suspect the same problem will happen on a production URL as well. So per specs the rp.id should not have ports specified. When I have it set to localhost I don't get any authorization request on my phone and I get the following error in console:

ERROR Error: Uncaught (in promise): NotAllowedError: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.

And in the stack trace we have:

652.__awaiter @ inject_webauthn.js:2837
create @ inject_webauthn.js:2896

Yet if I set it to localhost:44368 I get an authorization request, but the native browser extension fails with the following error:

ERROR Error: Uncaught (in promise): SecurityError: The relying party ID 'localhost:44368' is not a registrable domain suffix of, nor equal to 'https://localhost:44368'.

So the whole cred creation fails.

Krypton should strip down ports from the URL when sending auth request.
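
The rule behind the two errors above, as an added example that is not part of the original issue or the kr-u2f code: the RP ID is checked against the origin's hostname, which never carries a port. The function names are hypothetical, and the suffix check is simplified (no Public Suffix List lookup, so it does not reject bare public suffixes).

```javascript
// Added example; effectiveDomain and rpIdAllowedForOrigin are hypothetical names.

// URL.hostname drops the port ("localhost"); URL.host keeps it ("localhost:44368").
// Comparing rp.id against URL.host is what makes a port-less rp.id look wrong.
function effectiveDomain(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// An RP ID is a bare domain string: no scheme, port, path or userinfo.
function isBareDomain(rpId) {
  return typeof rpId === "string" &&
    /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(rpId);
}

// Returns { ok, rpId } on success or { ok: false, reason } on failure.
function rpIdAllowedForOrigin(rpId, origin) {
  const host = effectiveDomain(origin);
  // When rp.id is omitted, it defaults to the origin's effective domain.
  if (rpId === undefined) return { ok: true, rpId: host };
  if (!isBareDomain(rpId)) {
    return { ok: false, reason: "rp.id must be a bare domain (no port)" };
  }
  const id = rpId.toLowerCase();
  // Equal to the host, or a suffix of it on a label boundary.
  // Simplification: a full check also consults the Public Suffix List.
  if (id === host || host.endsWith("." + id)) return { ok: true, rpId: id };
  return { ok: false, reason: "rp.id is not a suffix of the origin's host" };
}

// Constructed inputs mirroring the values in the issue.
const origin = "https://localhost:44368";
console.log(rpIdAllowedForOrigin("localhost", origin));
console.log(rpIdAllowedForOrigin("localhost:44368", origin));
console.log(rpIdAllowedForOrigin(undefined, origin));
```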

kevinkiel commented 4 years ago

Same issue here. Can someone merge this PR?