nextcloud / twofactor_u2f

🔑 U2F second factor provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_u2f
GNU Affero General Public License v3.0

9 out of 10 times, u2f device is not detected #193

Open basildane opened 6 years ago

basildane commented 6 years ago

Steps to reproduce

  1. Log in to Nextcloud
  2. Get U2F prompt, press button on token

Expected behaviour

Should authenticate

Actual behaviour

Nothing happens

My client is Chrome 67. My token is a Yubikey NEO. It works with other applications.

Usually, when I get the "Please plug in your U2F device and press the device button to authorize" prompt, I push the button on my device, and there is no response on the web page. I know the device saw my button press because the light blinks. And again, the token works on other u2f applications.

If I refresh the Nextcloud login page over and over, eventually I can get it to respond. It's almost like it doesn't have focus or it's not looking for it.

Strangely, sometimes it just works perfectly the first time. I've tried to find a pattern but nothing obvious so far.

Version is 1.5.5. Nextcloud is 13.0.4.

ChristophWurst commented 6 years ago

Probably related to https://github.com/nextcloud/twofactor_u2f/issues/167. Could you open your browser's dev console and check for error messages? That would be helpful.

Thanks a lot for reporting this!

basildane commented 6 years ago

I did see some errors.

```
Error: U2F not supported
    at i (challenge.js?v=2fc4bdcf-4:1)
    at challenge.js?v=2fc4bdcf-4:1
Promise.catch (async)
s @ challenge.js?v=2fc4bdcf-4:1
j @ core.js?v=2fc4bdcf-4:2
fireWith @ core.js?v=2fc4bdcf-4:2
ready @ core.js?v=2fc4bdcf-4:2
I @ core.js?v=2fc4bdcf-4:2
```

ChristophWurst commented 6 years ago

> Error: U2F not supported

This is quite unexpected, especially on Chrome. Do you use any addons/extensions that modify the user agent or similar?

basildane commented 6 years ago

The only addon I use is uBlock. I will test this more at home. It is at work that I am currently having an issue.

That "U2F not supported" is intermittent.

RedQuarck commented 6 years ago

Hi guys, also encountering the same issue here. The error in Chrome developer's console is the same one as @basildane's. I will be happy to run any other debug test if this can help. Just let me know :-)

- Windows 10 - 64 bits - 10.0.15063.1155
- Chrome 64 bits - 67.0.3396.87
- U2F Nextcloud extension: 1.5.5
- Nextcloud: 13.0.3
- U2F devices: both Keydo U2F and Yubikey

ChristophWurst commented 6 years ago

Are you connected via HTTPS all the time? IIRC Chrome denies u2f requests on HTTP connections.

basildane commented 6 years ago

Everything is https.

ChristophWurst commented 6 years ago

Okay, thanks for the update. So the error seems to originate from https://github.com/grantila/u2f-api/blob/59662374bb3b47edb50cc6d0d5f78aab6d276d9b/lib/u2f-api.ts#L116. Now, the question is why that condition is met. Either the lib selects the wrong backend (Chrome vs. native) or there is an issue with the u2f implementation in Chrome.

One way to debug this would be to fork the u2f api lib, add console.log statements everywhere it calls notSupported(), package the app and see what it logs on your system.

MikeZuluUSA commented 6 years ago

Same issue over here. Nextcloud 13.0.6. u2f version 1.55. Chrome 68.0.3440.106. Yubikey not able to register through the app. It always says U2F not supported. 10/10, failure rate 100%.

How can I see the errors in the dev console of chrome (F12 key)...

```
JQMIGRATE: Migrate is installed, version 1.4.0
security:1 [DOM] Password forms should have (optionally hidden) username fields for accessibility: (More info: https://goo.gl/9p2vKq) <form id="sudo-login-form" class="hidden">…
DevTools failed to parse SourceMap: https://xxxxxxxx/core/vendor/purify.min.js.map
onloadwff.js:58 [Violation] 'setTimeout' handler took 95ms
```

vincentertainment commented 5 years ago

I'm having the same issue from Chrome. I just used my Yubikey to authenticate with GitHub but it's not working in NextCloud. I have tried from Win 10 and Ubuntu. I am using HTTPS.

w84death commented 5 years ago

Same issue with Firefox 68.0.1 (works on Twitter so the stack is ready). Ubuntu 19.04. YubiKey. 100% failed.

But I have worrying errors:

```
starting u2f registration settings.js:529:5275
Error: "Registration failed"
    u https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:33
    register https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:33
    register https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:33
    S https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:209
    register https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:33
    N https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:209
    N https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:209
    u https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15:209
settings.js:209:38020
Source map error: TypeError: NetworkError when attempting to fetch resource.
Resource URL: https://nextcloud.p1x.in/core/js/dist/main.js?v=470293da-15
Source Map URL: main.js.map

Source map error: TypeError: NetworkError when attempting to fetch resource.
Resource URL: https://nextcloud.p1x.in/custom_apps/twofactor_u2f/js/settings.js?v=470293da-15
Source Map URL: settings.js.map
```

ChristophWurst commented 5 years ago

Do you access the cloud with the same domain every time?

w84death commented 5 years ago

All mobile devices use one custom domain. But a few PCs that never leave the network use IP addresses. It's also on Docker behind an Apache reverse proxy (same server).

ChristophWurst commented 5 years ago

Okay, I don't know if IP-based U2F is actually allowed. Some browsers might require a domain and HTTPS. That would explain why it works on public services but not on the self-hosted one.

If the hostname (domain or IP) is the very same that was used on registration then login should be fine. If you switch from one to the other then it will fail.
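The origin conditions raised in this thread (HTTPS only, the same hostname at login as at registration, and possibly no bare IP addresses) can be checked before debugging the token itself. The following is an added example, not part of the original thread or of twofactor_u2f; the function names, finding codes and sample hosts are hypothetical, and it assumes the AppID is the `scheme://host` origin that was in use at registration.

```javascript
// Added example (not twofactor_u2f code): check a login URL against the
// origin conditions discussed in this thread. All names are hypothetical.

// True for an IPv4 literal or a bracketed IPv6 literal as URL.hostname reports it.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

// pageUrl: URL in the address bar at login.
// appId:   AppID the key was registered under (assumed: scheme://host of the
//          instance at registration time).
function diagnoseU2fOrigin(pageUrl, appId) {
  const page = new URL(pageUrl);
  const app = new URL(appId);
  const findings = [];
  const add = (code, severity, detail) => findings.push({ code, severity, detail });

  if (page.protocol !== 'https:') {
    add('PAGE_NOT_HTTPS', 'error', `page scheme is ${page.protocol}`);
  }
  if (app.protocol !== 'https:') {
    add('APPID_NOT_HTTPS', 'error', `AppID scheme is ${app.protocol}`);
  }
  // URL.origin normalises case and drops default ports, so :443 compares equal.
  if (page.origin !== app.origin) {
    add('ORIGIN_MISMATCH', 'error', `${page.origin} is not ${app.origin}`);
  }
  // The thread leaves open whether browsers accept IP hosts, hence a warning.
  if (isIpLiteral(page.hostname)) {
    add('IP_LITERAL_HOST', 'warning', `${page.hostname} is an IP address`);
  }
  return findings;
}

// Comma-joined finding codes, convenient for logs and assertions.
function findingCodes(pageUrl, appId) {
  return diagnoseU2fOrigin(pageUrl, appId).map((f) => f.code).join(',');
}

// Constructed sample setups (example.com and 192.0.2.10 are documentation values).
const REGISTERED = 'https://cloud.example.com';
for (const url of ['https://cloud.example.com:443/login',
                   'https://192.0.2.10/login',
                   'http://cloud.example.com/login']) {
  console.log(url, '->', findingCodes(url, REGISTERED) || 'ok');
}
```

An `APPID_NOT_HTTPS` finding alongside an HTTPS page is the pattern to look for when the instance sits behind a reverse proxy and reports its own scheme or host differently from what the browser sees.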

ChristophWurst commented 5 years ago

What about @basildane and @RedQuarck? Do you still experience this? If not, what was the fix? :) It's been more than a year since your report/comment.

w84death commented 5 years ago

@ChristophWurst What if I did not get to register yet? Those errors are on the settings page. Nextcloud (after clicking add key) does not ask the browser (no popup) and stops on that error I posted.

I moved all the clients to domain login. But I need to register the key first. I'm using TOTP auth also, it's working perfectly fine.

ChristophWurst commented 5 years ago

Your error might be slightly different to the one originally reported then. For the OP the registration works, but sometimes the login doesn't.

Could you please fix your webserver to properly serve .map.js files, reproduce and post the actual stack trace of the error? Hopefully that can give some insights.

w84death commented 5 years ago

I will do this and then create a new bug with better description.

w84death commented 5 years ago

Update: I was creating a fresh Nextcloud instance on a new server and I did those steps:

Now I can use both the code and key (YubiKey) with full success. Tested on mobile (code) and few desktops (key for browser / code for apps). No problem at all.

I'm thinking that my "testing" instance was just overheated with... testing a lot of apps/configurations/etc.