Gitea with a Sub-Path: U2F Token Does Not Work With Chrome/Chromium, Does Work With Firefox

[uli-heller]

I've searched the issues for "fido chrome" and did not find a proper existing issue, so here is a new one...

• Gitea version (or commit ref): 1.13.1 and 1.14.0+dev-575-g1c230f69d
• Git version: 2.25.1
• Operating system: ubuntu-20.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
• Log gist:

Description

I've setup a gitea instance. It runs on ubuntu-20.04 behind an apache2 httpd reverse proxy.
My HW token (a solo key) works perfectly within firefox, but not within chrome or chromium.
Using the token with chrome on try.gitea.io works without an issue. Any idea?

Screenshots

[zeripath]

if this works on try - the suspicion has to fall upon the configuration of your server.

Now interestingly the error screen doesn't seem to report an error properly - there should be an errorcode interpretation here.

However the reload points to what the underlying issue.

There is a timeout error reported.

I suspect your server time is incorrect.

[uli-heller]

@zeripath : Thx for looking into this!

The server time is in sync with my local computer:

uli@ulicsl:~/git/datenschutz$ ssh gitea date; date
Fri 22 Jan 2021 07:58:52 AM CET
Fr 22. Jan 07:58:52 CET 2021

My local computer syncs via NTP and TOTP works for various other sites, so I guess the local time is fine.

On the other hand: It works for my gitea when using firefox. This shouldn't work when time sync is an issue, or should it?

[cortices]

I'm getting the same results in Safari 14 (which has native U2F support) trying to add a U2F key as well.
My instance is running behind an nginx reverse proxy, and served over HTTPS, which is terminated by nginx and forwarded locally over HTTP to the gitea docker container.

[uli-heller]

I changed my setup a little bit, now it works with chrome:

• remove the sub-path and restart gitea and apache2 httpd reverse proxy
• try to login using the token:
  • now the token blinks red -> push the button
  • now I'm getting the error page again
• remove the token (was added when sub-path was active)
• add the token again
• works OK with chrome

[uli-heller]

@cortices : Are you using a sub-path, too?

[cortices]

I am not using a subpath. I just tested and found it is working with both Chrome and Firefox, so the bug is Safari-specific. I will open a separate issue.

[cortices]

By the way your issue here seems to be a duplicate of #10231 : #10231 (comment)

[uli-heller]

@cortices : Thx. I tried to set these properties:

[U2F]
APP_ID = https://hetzner-de.daemons.point.com
TRUSTED_FACETS = https://hetzner-de.daemons.point.com

and activated the sub-path again. Unfortunately, the hw token doesn't work with chrome. So maybe I'm facing a different issue?

[6543]

#17957