Skip to content

WebAuthn failure on HTTP instance with a custom domain #33615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
micah686 opened this issue Feb 17, 2025 · 3 comments · Fixed by #33820
Closed

WebAuthn failure on HTTP instance with a custom domain #33615

micah686 opened this issue Feb 17, 2025 · 3 comments · Fixed by #33820
Labels
type/bug

Comments

@micah686
Copy link

Description

Tested on gitea/gitea:1.23.2 and gitea/gitea:latest.
I have this config:

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = server.mydomain.lan
SSH_DOMAIN = server.mydomain.lan
HTTP_PORT = 3000
ROOT_URL = http://server.mydomain.lan:3000/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = MY_SECRET_KEY
OFFLINE_MODE = true

However, whenever I go to the sign-in page, I get the following error:

Could not read your security key.
WebAuthn only supports secure connections. For testing over HTTP, you can use the origin "localhost" or "127.0.0.1"

This only happens when https was disabled. I thought it might have been something with the data in my gitea instance, or my postgres database, so I tested by recreating a gitea server on a different machine, and added a test repo. Then, once I brought all of the gitea files and the database over again (using docker, but data is stored locally), I tried logging in as localhost. Localhost worked just fine.
However, when I changed the DOMAIN, SSH_DOMAIN, and ROOT_URL, I got the security key error.

Gitea Version

1.23.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/micah686/15facf90586cfe7349aeefa2fced4597

Screenshots

Image

Git Version

2.47.2

Operating System

Host OS: Windows 10. Using gitea gitea/gitea:1.23.2 image

How are you running Gitea?

I am running windows 10, and docker desktop. I am using docker compose to spin up gitea.

services:
  gitea:
    image: gitea/gitea:1.23.2
    environment:
      - DB_TYPE=postgres
      - DB_HOST=db:5432
      - DB_NAME=DB_USERNAME
      - DB_USER=DB_USERNAME
      - DB_PASSWD=DB_PASSWORD
      - GITEA__cache__ENABLED=true
      - GITEA__cache__ADAPTER=redis
      - GITEA__cache__HOST=redis://gitea-cache:6379/0?pool_size=100&idle_timeout=180s
      - GITEA__cache__ITEM_TTL=24h      
    restart: always
    volumes:
      - ./git_data:/data
    ports:
      - 3000:3000
  db:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=DB_USERNAME
      - POSTGRES_PASSWORD=DB_PASSWORD
      - POSTGRES_DB=gitea
    restart: always
    ports:
      - 5432:5432    
    volumes:
      - ./db_data:/var/lib/postgresql/data
  redis:
    image: redis:6-alpine
    restart: unless-stopped 
    container_name: gitea-cache
    ports:
      - "6379:6379"

Database

PostgreSQL
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Feb 17, 2025
edited
Loading

It is the WebAuthn standard: it only works for HTTPS and http://127.0.0.1

So HTTPS is a must for WebAuthn

But I guess we could hide the error message when users do not need it?

@micah686
Copy link
Author

It is the WebAuthn standard: it only works for HTTPS and http://127.0.0.1

So HTTPS is a must for WebAuthn

But I guess we could hide the error message when users do not need it?

The issue is I'm not trying to use WebAuthn. I'm trying to login with a basic username and password.

@wxiaoguang wxiaoguang mentioned this issue Mar 7, 2025
Merged
@wxiaoguang
Copy link
Contributor

-> Do not show passkey on http sites #33820

@lafriks lafriks closed this as completed in b8c2afd Mar 7, 2025
hiifong pushed a commit to hiifong/gitea that referenced this issue Mar 10, 2025
@wxiaoguang @hiifong
Do not show passkey on http sites (go-gitea#33820)
8943909 
Fix go-gitea#33615

(cherry picked from commit b8c2afd)
@wxiaoguang wxiaoguang marked this as a duplicate of #33842 Mar 11, 2025
@wxiaoguang wxiaoguang mentioned this issue Mar 11, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Do not show passkey on http sites wxiaoguang/gitea
2 participants
@wxiaoguang @micah686