nextcloud / twofactor_webauthn

WebAuthn Two-Factor Provider for Nextcloud

Home Page:https://apps.nextcloud.com/apps/twofactor_webauthn


NC 25 Safari Webauthn not showing up

hendrik1120 opened this issue · comments

Steps to reproduce

  1. Log in to your WebAuthn-protected Nextcloud account with Safari

This worked flawlessly before upgrading to NC 25.
Works fine in Chrome

Expected behaviour

Webauthn popup

Actual behaviour

nothing

Server configuration

Operating system:
linuxserverio Docker
Web server:
nginx
Database:
mariadb
PHP version:

Version: (see admin page)
25.0.1
Updated from an older version or fresh install:
updated
List of activated apps:

Enabled:
  - activity: 2.17.0
  - bruteforcesettings: 2.5.0
  - calendar: 4.1.0
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.1
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_external: 1.17.0
  - files_fulltextsearch: 24.0.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - fulltextsearch: 24.0.0
  - fulltextsearch_elasticsearch: 24.0.1
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - mail: 2.1.2
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.0
  - previewgenerator: 5.1.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - twofactor_webauthn: 1.0.0
  - updatenotification: 1.15.0
  - user_ldap: 1.15.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - encryption
  - impersonate: 1.11.0
  - suspicious_login
  - user_status: 1.3.1

The content of config/config.php:

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.1.10:444",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "dbtype": "mysql",
        "version": "25.0.1.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "DE",
        "enable_previews": true,
        "preview_max_x": 1000,
        "preview_max_y": 1000,
        "enabledPreviewProviders": [
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\PNG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI"
        ],
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable",
        "localstorage.allowsymlinks": true,
        "log_type": "file",
        "logfile": "\/config\/nextcloud.log",
        "loglevel": 1,
        "theme": "",
        "app_install_overwrite": [
            "fulltextsearch",
            "files_fulltextsearch",
            "fulltextsearch_elasticsearch"
        ]
    }
}

Client configuration

Browser:
Safari
Operating system:
macOS 13.0.1

Logs

Web server error log

empty

Server log (data/nextcloud.log)
{"reqId":"uCp6xwp0X6UD0wi7MU40","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"POST","url":"/login","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"Sg6LCeeuJNCLMMKXzRhJ","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/apps/dashboard/","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"ffqZdjQdgFMdITmOrttt","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/login?redirect_url=/apps/dashboard/","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"tPJsPOpP2FaWjTROotKj","level":3,"time":"2022-11-28T15:42:53+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=11","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
Browser log

empty

Browser log

empty

Realistically that is the most probable source for an error given that webauthn is handled with JS APIs. Could you please double-check?

Ok, so because I didn't get anything in the logs, I cleared the browser cache from the dev tools and after some time it magically worked again. I had had this problem for weeks, by the way...
But this surfaced another, now unrelated issue: WebAuthn fails on the first try, and you need to press the retry button to get the popup. I have logs for that now:

[Error] [ERROR] twofactor_webauthn: Challenge failed
Object

app: "twofactor_webauthn"

error: NotAllowedError: The document is not focused.

level: 1

uid: "root"

Object Prototyp
	value (challenge.js:2:8870)
	value (challenge.js:2:9340)
	(anonyme Funktion) (challenge.js:2:234246)
	promiseReactionJob
```

I expanded the error log a bit in Safari, this should be more useful:

[Error] [ERROR] twofactor_webauthn: Challenge failed
Object

app: "twofactor_webauthn"

error: NotAllowedError: The document is not focused.

code: 0

column: 233395

line: 2

message: "The document is not focused."

name: "NotAllowedError"

sourceURL: "***REMOVED SENSITIVE VALUE***/apps/twofactor_webauthn/js/challenge.js?v=f0f1bf5a-12"

stack: "get@[native code]↵sign@https://***REMOVED SENSITIVE VALUE***/apps/twofactor_webauthn/js/challenge.js?v=f0f1bf5a-12:2:233395↵sign@[native code…"

v Prototyp

ABORT_ERR: 20

DATA_CLONE_ERR: 25

DOMSTRING_SIZE_ERR: 2

HIERARCHY_REQUEST_ERR: 3

INDEX_SIZE_ERR: 1

INUSE_ATTRIBUTE_ERR: 10

INVALID_ACCESS_ERR: 15

INVALID_CHARACTER_ERR: 5

INVALID_MODIFICATION_ERR: 13

INVALID_NODE_TYPE_ERR: 24

INVALID_STATE_ERR: 11

NAMESPACE_ERR: 14

NETWORK_ERR: 19

NOT_FOUND_ERR: 8

NOT_SUPPORTED_ERR: 9

NO_DATA_ALLOWED_ERR: 6

NO_MODIFICATION_ALLOWED_ERR: 7

QUOTA_EXCEEDED_ERR: 22

SECURITY_ERR: 18

SYNTAX_ERR: 12

TIMEOUT_ERR: 23

TYPE_MISMATCH_ERR: 17

URL_MISMATCH_ERR: 21

VALIDATION_ERR: 16

WRONG_DOCUMENT_ERR: 4

code

constructor: function()

message

name

Symbol(Symbol.toStringTag): "DOMException"

Error Prototyp

level: 1

uid: "root"

Object Prototyp

__defineGetter__(propertyName, getterFunction)

__defineSetter__(propertyName, setterFunction)

__lookupGetter__(propertyName)

__lookupSetter__(propertyName)

constructor: function()

hasOwnProperty(propertyName)

isPrototypeOf(property)

propertyIsEnumerable(propertyName)

toLocaleString()

toString()

valueOf()
	value (challenge.js:2:8870)
	value (challenge.js:2:9340)
	(anonyme Funktion) (challenge.js:2:234246)
	promiseReactionJob

"The document is not focused."

That seems odd.

Does webauthn work on other websites?

Yes, just used it on Cloudflare. Works on the first try there.
Just to clarify, it now also works with Nextcloud, except that it fails on the first try and only works on the second.

Apple probably implemented it differently or added some security requirements, since I had issues with this in the early days of WebAuthn even with Cloudflare.
It doesn't really bother me that much, but if you want to investigate this, I'll be happy to provide additional information.