@a1012112796
Member

As you can see, in the current state `initUserAuthWebAuthn` pre-checks `window.isSecureContext`; if it is not OK, it hides the passkey button and returns directly. I think that's not right. First, not showing any error message does not look like good UI, and it looks like it will also make an empty container show if the registration button was disabled (maybe f-i-x #36115). Then, initUserAuthWebAuthn also has a `window.isSecureContext` check, which looks duplicated. Ref:

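```ts
function detectWebAuthnSupport() {
  // WebAuthn is only available in secure contexts (HTTPS or localhost).
  if (!window.isSecureContext) {
    webAuthnError('insecure');
    return false;
  }
  // ... (the excerpt ends here; the rest of the function is not shown)
}
```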

So I'd like to move `hideElem(elSignInPasskeyBtn);` to the `detectWebAuthnSupport` failed routes to make it simple and show the insecure error correctly.

As you can see, in the current state `initUserAuthWebAuthn` pre-checks
`window.isSecureContext`; if it is not OK, it hides the `passkey` button
and returns directly. I think that's not right. First, not showing any
error message does not look like good UI, and it looks like it will also
make an empty container show when the registration button was disabled
(maybe f-i-x go-gitea#36115). Then, initUserAuthWebAuthn also has a
`window.isSecureContext` check, which looks duplicated. So I'd like to move
hideElem(elSignInPasskeyBtn); to the `detectWebAuthnSupport` failed routes
to make it simple and show the insecure error correctly.

Signed-off-by: a1012112796 <[email protected]>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 15, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 15, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 15, 2025
@lunny lunny added type/bug backport/v1.25 reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Dec 15, 2025
@silverwind silverwind merged commit 822ee60 into go-gitea:main Dec 15, 2025
23 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Dec 15, 2025
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Dec 15, 2025
@a1012112796 a1012112796 deleted the zzc/dev/fix_signup_container_ui branch December 16, 2025 00:07
silverwind added a commit to silverwind/gitea that referenced this pull request Dec 16, 2025
* origin/main:
  fix webAuthn insecure error view (go-gitea#36165)
  Some small refactors (go-gitea#36163)
  Remove undocumented support of signing key in the repository git configuration file (go-gitea#36143)
  Enable gocheckcompilerdirectives linter (go-gitea#36156)
  Fix code highlighting on blame page (go-gitea#36157)
  Check user visibility when redirecting to a renamed user (go-gitea#36148)
  Fix bug when viewing the commit diff page with non-ANSI files (go-gitea#36149)
@GiteaBot
Collaborator

I was unable to create a backport for 1.25. @a1012112796, please send one manually. 🍵

```sh
go run ./contrib/backport 36165
# ... fix git conflicts if any
go run ./contrib/backport --continue
```

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Dec 16, 2025
zjjhot added a commit to zjjhot/gitea that referenced this pull request Dec 17, 2025
* giteaofficial/main:
  Automatic generation of release notes (go-gitea#35977)
  Update chroma to v2.21.0 (go-gitea#36171)
  [skip ci] Updated translations via Crowdin
  Move blame to gitrepo (go-gitea#36161)
  Enable `bodyclose` linter (go-gitea#36168)
  fix nilnil in onedev downloader (go-gitea#36154)
  fix webAuthn insecure error view (go-gitea#36165)
  Some small refactors (go-gitea#36163)
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Dec 17, 2025
As you can see, in the current state `initUserAuthWebAuthn` pre-checks
`window.isSecureContext`; if it is not OK, it hides the `passkey` button
and returns directly. I think that's not right. First, not showing any
error message does not look like good UI, and it looks like it will also
make an empty container show if the registration button was disabled
(maybe f-i-x go-gitea#36115). Then, initUserAuthWebAuthn also has a
`window.isSecureContext` check, which looks duplicated. Ref:

https://github.com/go-gitea/gitea/blob/26602fd2070886a1e7e0545f11f5541a38396003/web_src/js/features/user-auth-webauthn.ts#L202-L206

So I'd like to move hideElem(elSignInPasskeyBtn); to the
`detectWebAuthnSupport` failed routes to make it simple and show the
insecure error correctly.

![Lenovo screenshot_20251215184757](https://github.com/user-attachments/assets/0eff43a0-18a6-4978-aa27-b4574fcf2601)

Signed-off-by: a1012112796 <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
lunny added a commit that referenced this pull request Dec 17, 2025
backport #36165

Signed-off-by: a1012112796 <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
@lunny lunny added the backport/done All backports for this PR have been created label Dec 17, 2025
@silverwind
Member

silverwind commented Dec 20, 2025

We probably need to revert this because now all users that use gitea on non-localhost http will see this useless error message, even if they are not using webauthn. We should only show webauthn errors if they actually originate from a user interaction.

@silverwind
Member

#36219 is the proper fix.
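
The constraint raised in the last two comments (report a WebAuthn error only when it comes from a user interaction) can be sketched as follows. This is an added example, not Gitea's code and not the change made in #36219; only `window.isSecureContext` and the `'insecure'` error key come from the page, and `probeWebAuthn`, `initPasskeyButton`, `simulate` and the `'unsupported'` key are hypothetical names.

```javascript
// Added example, not Gitea's code. Only window.isSecureContext and the
// 'insecure' error key come from the page; every other name is hypothetical.

// Side-effect-free probe: returns an error key, or null when WebAuthn is usable.
function probeWebAuthn(win) {
  if (!win.isSecureContext) return 'insecure';
  if (typeof win.PublicKeyCredential === 'undefined') return 'unsupported'; // assumed key
  return null;
}

// Page load only wires the button and reports nothing. The probe runs, and its
// result is surfaced, only inside the click handler (a user interaction).
function initPasskeyButton(win, button, showError, startLogin) {
  button.addEventListener('click', () => {
    const reason = probeWebAuthn(win);
    if (reason !== null) {
      showError(reason);
      return;
    }
    startLogin();
  });
}

// Constructed stand-ins for window and the button so the flow runs under Node.
function simulate(win, clicks) {
  const errors = [];
  const handlers = [];
  let logins = 0;
  const button = {
    addEventListener: (type, fn) => { if (type === 'click') handlers.push(fn); },
  };
  initPasskeyButton(win, button, (key) => errors.push(key), () => { logins += 1; });
  const errorsAfterLoad = errors.length; // what a user who never clicks sees
  for (let i = 0; i < clicks; i++) handlers.forEach((fn) => fn());
  return {errorsAfterLoad, errors, logins};
}

const plainHttp = {isSecureContext: false}; // constructed: http:// on a non-localhost host
const secureWin = {isSecureContext: true, PublicKeyCredential: function () {}};
console.log(simulate(plainHttp, 0)); // page load only: nothing reported
console.log(simulate(plainHttp, 1)); // one click: 'insecure' reported once
console.log(simulate(secureWin, 1)); // one click: login starts, no error
```
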
