prefiks / u2f4moz

U2F support extension for Firefox
GNU Lesser General Public License v2.1

Plugin does not work with github #32

Closed AndreasBilke closed 8 years ago

AndreasBilke commented 8 years ago

I use Firefox 44.0.2 with the latest plugin of u2f4moz (it does not matter if I use the addons.mozilla.org version or build it on my own) on Arch Linux. Since 1 week I can't log in with my yubi key edge on GitHub. If I try the Chrome browser it works.

How can I debug this issue in more detail? As I said, it worked very well before.

With "it does not work" I mean that I no longer get the u2f4moz popup with "please insert your token". If I still press the button on the yubi key nothing happens.

prefiks commented 8 years ago

Hello Andreas,

Can you tell me what happens when you try to log in? Do you get a notification that asks you to plug in or press the button on the device?

prefiks commented 8 years ago

Oops, scratch that, I didn't read your edit.

prefiks commented 8 years ago

Could you please open any page from GitHub, and inside the web console (you can open it with ctrl+shift+i/cmd+LT+I), in the console panel, type window.u2f&&(window.u2f.register+"") and see what this returns?

AndreasBilke commented 8 years ago

I opened this issue page and got

> window.u2f&&(window.u2f.register+"")
> "function register() {
    [native code]
}

iam-TJ commented 8 years ago

Same here. Was debugging it and came to report and found this issue.

console.info: u2f: EB1 sign https://github.com Array ["https://github.com/u2f/trusted_facets"] null
console.info: u2f: EB2 /home/tj/.mozilla/firefox/profile_trusty/extensions/u2f4moz@prefiks.org/bin/linux_x86_64-gcc3/u2f
console.info: u2f: EB3 constructor {"killed":false,"stdin":{"readable":false,"writable":false,"encoding":null},"stdout":{"readable":false,"writable":false,"encoding":null},"stderr":{"readable":false,"writable":false,"encoding":null}}
console.info: u2f: stdin s001200010027https://github.com"https://github.com/u2f/trusted_facets"
console.error: u2f: Object

iam-TJ commented 8 years ago

Not clear if this is relevant, but when in _execBin()

var timer = setTimeout( function() {..}, timeout);

timeout == null

which percolates down from the pageMod.PageMod() U2FRequest function. Inserting an explicit override and not having the Yubikey connected causes the "Please Plugin your U2F device" notification to be shown:

timeout = 10 * 1000;

But as soon as the Yubikey is inserted and the notification is removed it fails with:

console.info: u2f: EBD i
console.info: u2f: insert device
console.info: u2f: EBD j
console.info: u2f: device inserted
console.info: u2f: EBD e0046{"errorCode": 2, "errorMessage":"authenticate:error in JSON handling"}
console.info: u2f: exit 256 null
console.info: u2f: U2F error response: authenticate:error in JSON handling
console.info: u2f: TypeError: callback is not a function

At

worker.port.on("U2FRequest", function(msg, callbackid, domain, timeout) {

The debugger shows:

msg.type = "sign"
msg.signRequests = "https://github.com/u2f/trusted_facets"
callbackid = 0
domain = "https://github.com"
timeout = null

so it looks likely something in how github is calling the authenticator code

prefiks commented 8 years ago

OK, I can reproduce this now. It looks like a change on GitHub made it call the sign function exported by the extension with completely different arguments than before (all arguments are shifted by two positions, and it looks like the sign requests are missing some fields). I will try to add a workaround for it.

prefiks commented 8 years ago

I pushed a commit that fixes this for me; it would be nice to see if this works for you guys too. I will prepare a new release later today.

prefiks commented 8 years ago

New version uploaded to GitHub and AMO. It should fix this, so I am closing this issue now, but please reopen if the updated version still causes problems.

iam-TJ commented 8 years ago

With commit 8a10014 added I no longer even get the extension code being called at all (no notification, no break-points hit); the GitHub page simply spins on the "Press the button on your security key…" message on the page.

prefiks commented 8 years ago

Could you try installing 0.0.15 from https://addons.mozilla.org/pl/firefox/addon/u2f-support-add-on/versions/? I just checked this on 2 computers, and it worked on them.

iam-TJ commented 8 years ago

I'm using the git code directly; the debugger shows some kind of unreported failure in data/content-script.js in u2f.sign() where the 'timeout' argument contains the requests object (has members keyHandle, version).

prefiks commented 8 years ago

Yeah, that's what GitHub passes as arguments to this function now. Maybe you have a breakpoint set somewhere in that function?

iam-TJ commented 8 years ago

I've been testing with breakpoints to identify the problem. The interpreter fails silently on the tuple assignment line 87 of data/content-script.js. Breakpoints after that line do not trigger, and the extension isn't executing after that. Strangely the exception doesn't show up in the console, only in the debugger's Block scope.

[appId, challenge, keys, callback, timeout] = arguments;

The debugger shows a (silent) exception: "arguments[Symbol.iterator] is not a function"

Without the debugger and just console messaging with the following change:

diff --git a/ext/data/content-script.js b/ext/data/content-script.js
index 451f0da..732df68 100644
--- a/ext/data/content-script.js
+++ b/ext/data/content-script.js
@@ -84,7 +84,9 @@ var u2f = {
   sign: function(signRequests, callback, timeout, extra) {
     if (typeof(extra) == "function" && typeof(callback) != "function") {
       let appId, challenge, keys;
+      console.info("u2f.sign() swapping arguments");
       [appId, challenge, keys, callback, timeout] = arguments;
+      console.info("u2f.sign() done swapping arguments");
       signRequests = Array.map(keys, v => ({
         version: v.version,
         challenge: challenge,
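
Review bot: the two console.info calls around the [appId, challenge, keys, callback, timeout] = arguments; line only show that execution stops there, not why. Wrapping that single assignment in try/catch and logging the caught error would put the exception into the console output next to the "swapping arguments" message. Both logging lines are diagnostic and should be dropped before a change like this is committed.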

The console only shows

console.info: u2f: u2f.sign() swapping arguments

prefiks commented 8 years ago

Strange, can you tell me which Firefox version you are using?

Can you replace the offending line with:

appId=arguments[0];challenge=arguments[1];keys=arguments[2];callback=arguments[3], timeout=arguments[4];

and see if it will work?

iam-TJ commented 8 years ago

Version 44.0.2. "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"

This works:

diff --git a/ext/data/content-script.js b/ext/data/content-script.js
index 451f0da..498432a 100644
--- a/ext/data/content-script.js
+++ b/ext/data/content-script.js
@@ -84,7 +84,8 @@ var u2f = {
   sign: function(signRequests, callback, timeout, extra) {
     if (typeof(extra) == "function" && typeof(callback) != "function") {
       let appId, challenge, keys;
-      [appId, challenge, keys, callback, timeout] = arguments;
+      var argsArray = Array.prototype.slice.apply(arguments);
+      [appId, challenge, keys, callback, timeout] = argsArray;
       signRequests = Array.map(keys, v => ({
         version: v.version,
         challenge: challenge,
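
Review bot: on the added var argsArray = Array.prototype.slice.apply(arguments); line, let would match the let appId, challenge, keys; declaration directly above it, and slice.call(arguments) is the more usual spelling when no argument list is passed. Separately, keys goes straight into Array.map(keys, v => ({ version: v.version, ... with no check that it is an array of objects, so any other value supplied by the calling page throws inside the map; a type check before the map, reporting an error through callback, would make that failure explicit.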

prefiks commented 8 years ago

Committed a change that does something similar; that seems to work on ff44 here.
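
The argument handling discussed in this thread, as an added example that is not the extension's own code: it copies arguments into a real array before unpacking, maps the five-argument call shape back to sign requests, and rejects malformed page-supplied values. The function name, the default timeout (assumed to be seconds, as in the FIDO U2F JavaScript API) and the per-key appId fallback are assumptions for illustration.

```javascript
// Added example, not code from u2f4moz. Names and the default are hypothetical.
// Shape A: sign(signRequests, callback, timeout)
// Shape B: sign(appId, challenge, registeredKeys, callback, timeout)
var DEFAULT_TIMEOUT_SECONDS = 10; // assumed default, not taken from the page

function normalizeSignArgs() {
  // Copy to a real Array first: unpacking `arguments` directly relies on
  // arguments[Symbol.iterator], which was the silent failure in the thread.
  var args = Array.prototype.slice.call(arguments);
  // Same test as the guard in content-script.js: 4th argument is the callback.
  var shapeB = typeof args[3] === "function" && typeof args[1] !== "function";
  var signRequests, callback, timeout;

  if (shapeB) {
    var appId = args[0], challenge = args[1], keys = args[2];
    callback = args[3];
    timeout = args[4];
    // These values come from the web page, so check them before use.
    if (typeof appId !== "string" || typeof challenge !== "string" ||
        !Array.isArray(keys)) {
      throw new TypeError("u2f.sign: malformed arguments");
    }
    signRequests = keys.map(function (k) {
      if (!k || typeof k.keyHandle !== "string" || typeof k.version !== "string") {
        throw new TypeError("u2f.sign: malformed registered key");
      }
      return { version: k.version, challenge: challenge,
               keyHandle: k.keyHandle, appId: k.appId || appId };
    });
  } else {
    signRequests = args[0];
    callback = args[1];
    timeout = args[2];
    if (!Array.isArray(signRequests) || typeof callback !== "function") {
      throw new TypeError("u2f.sign: malformed arguments");
    }
  }
  // The thread saw timeout == null reach setTimeout(); use a bounded default.
  if (typeof timeout !== "number" || !isFinite(timeout) || timeout <= 0) {
    timeout = DEFAULT_TIMEOUT_SECONDS;
  }
  return { signRequests: signRequests, callback: callback, timeout: timeout };
}
```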

iam-TJ commented 8 years ago

Confirmed, thanks for the quick fixes.

AndreasBilke commented 8 years ago

0.0.16 from addons.mozilla.org works for me now. Thanks.

AndreasBilke commented 8 years ago

It seems that it does not work again.

prefiks commented 8 years ago

Confirm

prefiks commented 8 years ago

Version 0.0.17, which I just released, should have fixed this. GitHub changed the way it detects the window.u2f object, and it didn't work if typeof(window.u2f) was not of type "function".