NC 25 Safari Webauthn not showing up
Steps to reproduce
- Login to your webauthn protected Nextcloud account with safari
This worked flawlessly before upgrading to NC 25.
Works fine in Chrome
Expected behaviour
Webauthn popup
Actual behaviour
nothing
Server configuration
Operating system:
linuxserverio Docker
Web server:
nginx
Database:
mariadb
PHP version:
Version: (see admin page)
25.0.1
Updated from an older version or fresh install:
updated
List of activated apps:
Enabled:
- activity: 2.17.0
- bruteforcesettings: 2.5.0
- calendar: 4.1.0
- circles: 25.0.0
- cloud_federation_api: 1.8.0
- comments: 1.15.0
- contacts: 5.0.1
- contactsinteraction: 1.6.0
- dashboard: 7.5.0
- dav: 1.24.0
- federatedfilesharing: 1.15.0
- federation: 1.15.0
- files: 1.20.1
- files_external: 1.17.0
- files_fulltextsearch: 24.0.1
- files_pdfviewer: 2.6.0
- files_rightclick: 1.4.0
- files_sharing: 1.17.0
- files_trashbin: 1.15.0
- files_versions: 1.18.0
- firstrunwizard: 2.14.0
- fulltextsearch: 24.0.0
- fulltextsearch_elasticsearch: 24.0.1
- logreader: 2.10.0
- lookup_server_connector: 1.13.0
- mail: 2.1.2
- nextcloud_announcements: 1.14.0
- notifications: 2.13.1
- oauth2: 1.13.0
- password_policy: 1.15.0
- photos: 2.0.0
- previewgenerator: 5.1.1
- privacy: 1.9.0
- provisioning_api: 1.15.0
- recommendations: 1.4.0
- related_resources: 1.0.3
- serverinfo: 1.15.0
- settings: 1.7.0
- sharebymail: 1.15.0
- support: 1.8.0
- survey_client: 1.13.0
- systemtags: 1.15.0
- text: 3.6.0
- theming: 2.0.1
- twofactor_backupcodes: 1.14.0
- twofactor_totp: 7.0.0
- twofactor_webauthn: 1.0.0
- updatenotification: 1.15.0
- user_ldap: 1.15.0
- viewer: 1.9.0
- weather_status: 1.5.0
- workflowengine: 2.7.0
Disabled:
- admin_audit
- encryption
- impersonate: 1.11.0
- suspicious_login
- user_status: 1.3.1
The content of config/config.php:
{
"system": {
"memcache.local": "\\OC\\Memcache\\APCu",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"192.168.1.10:444",
"***REMOVED SENSITIVE VALUE***"
],
"dbtype": "mysql",
"version": "25.0.1.1",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
"overwriteprotocol": "https",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"default_phone_region": "DE",
"enable_previews": true,
"preview_max_x": 1000,
"preview_max_y": 1000,
"enabledPreviewProviders": [
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown",
"OC\\Preview\\PDF",
"OC\\Preview\\MSOfficeDoc",
"OC\\Preview\\JPEG",
"OC\\Preview\\PNG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\MP3",
"OC\\Preview\\HEIC",
"OC\\Preview\\Movie",
"OC\\Preview\\MKV",
"OC\\Preview\\MP4",
"OC\\Preview\\AVI"
],
"mail_smtpmode": "smtp",
"mail_smtpauth": 1,
"mail_sendmailmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpauthtype": "LOGIN",
"mail_smtpsecure": "tls",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"updater.release.channel": "stable",
"localstorage.allowsymlinks": true,
"log_type": "file",
"logfile": "\/config\/nextcloud.log",
"loglevel": 1,
"theme": "",
"app_install_overwrite": [
"fulltextsearch",
"files_fulltextsearch",
"fulltextsearch_elasticsearch"
]
}
}
Client configuration
Browser:
Safari
Operating system:
macOS 13.0.1
Logs
Web server error log
empty
Server log (data/nextcloud.log)
{"reqId":"uCp6xwp0X6UD0wi7MU40","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"POST","url":"/login","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"Sg6LCeeuJNCLMMKXzRhJ","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/apps/dashboard/","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"ffqZdjQdgFMdITmOrttt","level":3,"time":"2022-11-28T15:42:52+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/login?redirect_url=/apps/dashboard/","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
{"reqId":"tPJsPOpP2FaWjTROotKj","level":3,"time":"2022-11-28T15:42:53+00:00","remoteAddr":"172.18.0.5","user":"--","app":"core","method":"GET","url":"/apps/theming/image/background?v=11","message":"Tried to log in Hendrik Sievers but could not verify token","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.1.1","data":{"app":"core"}}
Browser log
empty
Browser log
empty
Realistically, the browser log is the most probable place for an error to show up, given that webauthn is handled through JS APIs in the browser. Could you please double-check it?
Ok, so because I didn't get anything in the logs, I cleared the browser cache from the dev tools, and after some time it magically worked again. I had had this problem for weeks, by the way...
But this surfaced another, now unrelated, issue: webauthn fails on the first try, and you need to press the retry button to get the popup. I have logs for that now:
[Error] [ERROR] twofactor_webauthn: Challenge failed
Object
app: "twofactor_webauthn"
error: NotAllowedError: The document is not focused.
level: 1
uid: "root"
Object Prototyp
value (challenge.js:2:8870)
value (challenge.js:2:9340)
(anonyme Funktion) (challenge.js:2:234246)
promiseReactionJob
```
I expanded the error log a bit in Safari, this should be more useful:
[Error] [ERROR] twofactor_webauthn: Challenge failed
Object
app: "twofactor_webauthn"
error: NotAllowedError: The document is not focused.
code: 0
column: 233395
line: 2
message: "The document is not focused."
name: "NotAllowedError"
sourceURL: "***REMOVED SENSITIVE VALUE***/apps/twofactor_webauthn/js/challenge.js?v=f0f1bf5a-12"
stack: "get@[native code]↵sign@https://***REMOVED SENSITIVE VALUE***/apps/twofactor_webauthn/js/challenge.js?v=f0f1bf5a-12:2:233395↵sign@[native code…"
v Prototyp
ABORT_ERR: 20
DATA_CLONE_ERR: 25
DOMSTRING_SIZE_ERR: 2
HIERARCHY_REQUEST_ERR: 3
INDEX_SIZE_ERR: 1
INUSE_ATTRIBUTE_ERR: 10
INVALID_ACCESS_ERR: 15
INVALID_CHARACTER_ERR: 5
INVALID_MODIFICATION_ERR: 13
INVALID_NODE_TYPE_ERR: 24
INVALID_STATE_ERR: 11
NAMESPACE_ERR: 14
NETWORK_ERR: 19
NOT_FOUND_ERR: 8
NOT_SUPPORTED_ERR: 9
NO_DATA_ALLOWED_ERR: 6
NO_MODIFICATION_ALLOWED_ERR: 7
QUOTA_EXCEEDED_ERR: 22
SECURITY_ERR: 18
SYNTAX_ERR: 12
TIMEOUT_ERR: 23
TYPE_MISMATCH_ERR: 17
URL_MISMATCH_ERR: 21
VALIDATION_ERR: 16
WRONG_DOCUMENT_ERR: 4
code
constructor: function()
message
name
Symbol(Symbol.toStringTag): "DOMException"
Error Prototyp
level: 1
uid: "root"
Object Prototyp
__defineGetter__(propertyName, getterFunction)
__defineSetter__(propertyName, setterFunction)
__lookupGetter__(propertyName)
__lookupSetter__(propertyName)
constructor: function()
hasOwnProperty(propertyName)
isPrototypeOf(property)
propertyIsEnumerable(propertyName)
toLocaleString()
toString()
valueOf()
value (challenge.js:2:8870)
value (challenge.js:2:9340)
(anonyme Funktion) (challenge.js:2:234246)
promiseReactionJob
"The document is not focused."
That seems odd.
Does webauthn work on other websites?
Yes, just used it on Cloudflare. Works on the first try there.
Just to clarify, it now also works with Nextcloud, except that it fails on the first try and only works on the second.
Apple probably implemented it differently or added some security requirements; I had issues with this in the early days of webauthn, even with Cloudflare.
It doesn't really bother me that much, but if you want to investigate this, I'll be happy to provide additional information.