quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Docs: security-webauthn and security-webauthn-quickstart Guide #37516

Closed jcarranzan closed 8 months ago

jcarranzan commented 10 months ago

Describe the bug

I went through https://quarkus.io/guides/security-webauthn guide and found the following issues:

  1. In the introduction section https://quarkus.io/guides/security-webauthn#introduction-to-webauthn, the second paragraph could also mention emulating an authenticator with the WebAuthn devtools of the Chrome browser (https://developer.chrome.com/docs/devtools/webauthn/).
  2. The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.
  3. If I execute the security-webauthn-quickstart as said in the README steps, it will throw an error, as I described here https://github.com/quarkusio/quarkus-quickstarts/issues/1336: HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]. When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect with the db properly: mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus. So I would suggest changing some description steps in the README.
  4. On the other hand, when the application is running and we go to localhost:8080 and then to the Admin API section (http://localhost:8080/api/admin) without logging in, the server returns a 302 and no changes are observed on the page. Perhaps the server should perform a proper redirection to a new webpage and send a 403 Forbidden code for unauthorized access.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

quarkus-bot[bot] commented 10 months ago

/cc @sberyozkin (security)

jcarranzan commented 10 months ago

Also, area/documentation

sberyozkin commented 10 months ago

@FroMage Hi Steph, is there a chance you can have a quick look, we keep getting issues opened against the WebAuthn extension, see also #32376

Doogiemuc commented 9 months ago

I am really sorry that I have to support the OP (original poster). The quarkus-webauthn documentation does have issues. To add another example:

sixcorners commented 9 months ago

@Doogiemuc I think it works without https. Do you have the bitwarden extension installed? https://github.com/bitwarden/clients/issues/6882 Because that does check for https.

FroMage commented 9 months ago
  1. In the introduction section https://quarkus.io/guides/security-webauthn#introduction-to-webauthn, the second paragraph could also mention emulating an authenticator with the WebAuthn devtools of the Chrome browser (https://developer.chrome.com/docs/devtools/webauthn/).

Good point, I didn't know it existed. I'll add a note about it in Prerequisites and in Testing the Application.

  2. The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.

OK, let's fix that.

  3. If I execute the security-webauthn-quickstart as said in the README steps, it will throw an error, as I described here: security-web-authn-quickstart fails with a netty connection refused in localhost/127.0.0.1:32769 (quarkus-quickstarts#1336): HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]. When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect with the db properly: mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus. So I would suggest changing some description steps in the README.

I can't reproduce that.

  4. On the other hand, when the application is running and we go to localhost:8080 and then to the Admin API section (http://localhost:8080/api/admin) without logging in, the server returns a 302 and no changes are observed on the page. Perhaps the server should perform a proper redirection to a new webpage and send a 403 Forbidden code for unauthorized access.

This is by design: you get auto-redirected when credentials are needed and you're not logged in. You will get a non-redirect error when trying to access the admin page and you're logged in, though.

FroMage commented 9 months ago

The quarkus-webauthn must definitely mention that this whole thing ONLY works in HTTPS with all TLS setup in place!

For Google Chrome, this is not true, localhost is allowed. I will mention it in the guide, though, because this is relevant for production deployment.

FroMage commented 8 months ago

https://github.com/quarkusio/quarkus/pull/38373 should fix that.

jcarranzan commented 8 months ago

Ok, thank you @FroMage .