From 80e86c52e7480d3946c2dfc324e98464da889662 Mon Sep 17 00:00:00 2001 From: Jens L Date: Mon, 25 Sep 2023 12:43:24 +0200 Subject: [PATCH] web/flows: improve WebAuthn error messages (#6957) * web/flows: improve WebAuthn error messages Signed-off-by: Jens Langhammer * include localhost Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer --- Makefile | 2 +- web/src/common/helpers/webauthn.ts | 12 ++++ .../AuthenticatorValidateStageWebAuthn.ts | 2 + .../WebAuthnAuthenticatorRegisterStage.ts | 2 + web/xliff/de.xlf | 21 ++++++ web/xliff/en.xlf | 21 ++++++ web/xliff/es.xlf | 21 ++++++ web/xliff/fr_FR.xlf | 21 ++++++ web/xliff/pl.xlf | 21 ++++++ web/xliff/pseudo-LOCALE.xlf | 21 ++++++ web/xliff/tr.xlf | 21 ++++++ web/xliff/zh-Hans.xlf | 67 ++++++++++++------- web/xliff/zh-Hant.xlf | 21 ++++++ web/xliff/zh_TW.xlf | 21 ++++++ 14 files changed, 250 insertions(+), 24 deletions(-) diff --git a/Makefile b/Makefile index 4750b17ef..f04e8dac8 100644 --- a/Makefile +++ b/Makefile @@ -129,7 +129,7 @@ gen: gen-build gen-clean gen-client-ts web-build: web-install cd web && npm run build -web: web-lint-fix web-lint web-check-compile +web: web-lint-fix web-lint web-check-compile web-i18n-extract web-install: cd web && npm ci diff --git a/web/src/common/helpers/webauthn.ts b/web/src/common/helpers/webauthn.ts index 01b1f05f6..c10edff17 100644 --- a/web/src/common/helpers/webauthn.ts +++ b/web/src/common/helpers/webauthn.ts @@ -1,5 +1,7 @@ import * as base64js from "base64-js"; +import { msg } from "@lit/localize"; + export function b64enc(buf: Uint8Array): string { return base64js.fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, ""); } 
@@ -14,6 +16,16 @@ export function u8arr(input: string): Uint8Array { ); } +export function checkWebAuthnSupport() { + if ("credentials" in navigator) { + return; + } + if (window.location.protocol === "http:" && window.location.hostname !== "localhost") { + throw new Error(msg("WebAuthn requires this page to be accessed via HTTPS.")); + } + throw new Error(msg("WebAuthn not supported by browser.")); +} + /** * Transforms items in the credentialCreateOptions generated on the server * into byte arrays expected by the navigator.credentials.create() call diff --git a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts index fdb749981..12e9b0a60 100644 --- a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts +++ b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts @@ -1,4 +1,5 @@ import { + checkWebAuthnSupport, transformAssertionForServer, transformCredentialRequestOptions, } from "@goauthentik/common/helpers/webauthn"; @@ -57,6 +58,7 @@ export class AuthenticatorValidateStageWebAuthn extends BaseStage< // request the authenticator to create an assertion signature using the // credential private key let assertion; + checkWebAuthnSupport(); try { assertion = await navigator.credentials.get({ publicKey: this.transformedCredentialRequestOptions, diff --git a/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts b/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts index a82f10bce..dd056da66 100644 --- a/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts +++ b/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts @@ -1,5 +1,6 @@ import { Assertion, + checkWebAuthnSupport, transformCredentialCreateOptions, transformNewAssertionForServer, } from "@goauthentik/common/helpers/webauthn"; 
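Review bot: `checkWebAuthnSupport` decides between its two messages with `"credentials" in navigator` and a `protocol === "http:"` test that exempts only the literal hostname `localhost`, so origins browsers already treat as potentially trustworthy — `127.0.0.1`, `[::1]`, `*.localhost` — fall through to the misleading "not supported by browser" text, and a browser that exposes the Credential Management container without public-key credentials passes the check and fails later in `credentials.get`/`create`. The platform exposes `window.isSecureContext` for exactly the first decision and `PublicKeyCredential` for WebAuthn feature detection; I would change the two conditions to `if ("credentials" in navigator && "PublicKeyCredential" in window) {` and `if (!window.isSecureContext) {`, which leaves both user-facing strings as they are and makes the `localhost` special case from the second commit unnecessary. A short comment above the function stating that WebAuthn is only available in secure contexts, and that this helper exists to turn that into an actionable message, would also help the next reader.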
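Review bot: In AuthenticatorValidateStageWebAuthn.ts the new `checkWebAuthnSupport();` call is placed before the `try`, so the Error it throws bypasses the `catch` that wraps `navigator.credentials.get` and only reaches the user if something above this method renders the rejection; that caller and the catch block are outside the hunk, so I cannot confirm it does. Moving the call to the first statement inside the `try` (`try { checkWebAuthnSupport(); assertion = await navigator.credentials.get({`) would route the improved messages through the same error path the existing assertion failures already use. If the outer handler is known to surface it, a one-line comment above the call saying so would spare the next reader the same question.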
@@ -47,6 +48,7 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage< if (!this.challenge) { return; } + checkWebAuthnSupport(); // request the authenticator(s) to create a new credential keypair. let credential; try { diff --git a/web/xliff/de.xlf b/web/xliff/de.xlf index 593f5c9b2..dbf951574 100644 --- a/web/xliff/de.xlf +++ b/web/xliff/de.xlf @@ -5904,6 +5904,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf index fbfbbb585..658eba084 100644 --- a/web/xliff/en.xlf +++ b/web/xliff/en.xlf @@ -6218,6 +6218,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/es.xlf b/web/xliff/es.xlf index ab6bb5d56..cc46a33f8 100644 --- a/web/xliff/es.xlf +++ b/web/xliff/es.xlf 
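Review bot: In WebAuthnAuthenticatorRegisterStage.ts the new `checkWebAuthnSupport();` call sits between the challenge guard and the `try`, so on an unsupported browser or insecure origin it throws before the registration error handling is entered; the enclosing method and its `catch` continue outside the hunk, so whether the message is shown depends on code not visible here. Placing the call inside the `try` next to `navigator.credentials.create` would make the new messages follow the same reporting path as existing credential failures, and whichever placement is chosen should match the validate stage so both flows fail identically when WebAuthn is unavailable.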
@@ -5812,6 +5812,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/fr_FR.xlf b/web/xliff/fr_FR.xlf index 9bb71da72..861d7ab89 100644 --- a/web/xliff/fr_FR.xlf +++ b/web/xliff/fr_FR.xlf @@ -5920,6 +5920,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/pl.xlf b/web/xliff/pl.xlf index e3a653154..99d097f04 100644 --- a/web/xliff/pl.xlf +++ b/web/xliff/pl.xlf @@ -6051,6 +6051,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/pseudo-LOCALE.xlf b/web/xliff/pseudo-LOCALE.xlf index e2232c6a8..dd53b9b84 100644 --- a/web/xliff/pseudo-LOCALE.xlf +++ b/web/xliff/pseudo-LOCALE.xlf 
@@ -6153,6 +6153,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/tr.xlf b/web/xliff/tr.xlf index 2b842266e..34c746642 100644 --- a/web/xliff/tr.xlf +++ b/web/xliff/tr.xlf @@ -5805,6 +5805,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index e3767a0cf..42e46926f 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -1,4 +1,4 @@ - + @@ -613,9 +613,9 @@ - The URL "" was not found. - 未找到 URL " - "。 + The URL "" was not found. + 未找到 URL " + "。 @@ -1067,8 +1067,8 @@ - To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. - 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 + To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. + 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 
@@ -1814,8 +1814,8 @@ - Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". - 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 + Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". + 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 @@ -3238,8 +3238,8 @@ doesn't pass when either or both of the selected options are equal or above the - Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' - 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' + Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' + 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' @@ -4031,8 +4031,8 @@ doesn't pass when either or both of the selected options are equal or above the - When using an external logging solution for archiving, this can be set to "minutes=5". - 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 + When using an external logging solution for archiving, this can be set to "minutes=5". + 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 @@ -4041,8 +4041,8 @@ doesn't pass when either or both of the selected options are equal or above the - Format: "weeks=3;days=2;hours=3,seconds=2". - 格式:"weeks=3;days=2;hours=3,seconds=2"。 + Format: "weeks=3;days=2;hours=3,seconds=2". + 格式:"weeks=3;days=2;hours=3,seconds=2"。 
@@ -4238,10 +4238,10 @@ doesn't pass when either or both of the selected options are equal or above the - Are you sure you want to update ""? + Are you sure you want to update ""? 您确定要更新 - " - " 吗? + " + " 吗? @@ -5342,7 +5342,7 @@ doesn't pass when either or both of the selected options are equal or above the - A "roaming" authenticator, like a YubiKey + A "roaming" authenticator, like a YubiKey 像 YubiKey 这样的“漫游”身份验证器 @@ -5677,10 +5677,10 @@ doesn't pass when either or both of the selected options are equal or above the - ("", of type ) + ("", of type ) - (" - ",类型为 + (" + ",类型为 @@ -5729,7 +5729,7 @@ doesn't pass when either or both of the selected options are equal or above the - If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. + If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. 如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。 @@ -7790,7 +7790,28 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential 避免:身份验证器不应该创建专用凭据 + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. - \ No newline at end of file + diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf index 4861d6f56..2919040eb 100644 --- a/web/xliff/zh-Hant.xlf +++ b/web/xliff/zh-Hant.xlf 
@@ -5857,6 +5857,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser. diff --git a/web/xliff/zh_TW.xlf b/web/xliff/zh_TW.xlf index e3640fe0c..a4c2ec374 100644 --- a/web/xliff/zh_TW.xlf +++ b/web/xliff/zh_TW.xlf @@ -5856,6 +5856,27 @@ Bindings to groups/users are checked against the user of the event. Discouraged: The authenticator should not create a dedicated credential + + + Lock the user out of this system + + + Allow the user to log in and use this system + + + Temporarily assume the identity of this user + + + Enter a new password for this user + + + Create a link for this user to reset their password + + + WebAuthn requires this page to be accessed via HTTPS. + + + WebAuthn not supported by browser.