Skip to content

Comments

fix webAuthn insecure error view#36165

Merged
silverwind merged 2 commits intogo-gitea:mainfrom
a1012112796:zzc/dev/fix_signup_container_ui
Dec 15, 2025
Merged

fix webAuthn insecure error view#36165
silverwind merged 2 commits intogo-gitea:mainfrom
a1012112796:zzc/dev/fix_signup_container_ui

Conversation

@a1012112796
Copy link
Member

@a1012112796 a1012112796 commented Dec 15, 2025

as you seen, in cureent status initUserAuthWebAuthn will prcheck window.isSecureContext, if not ok, will hide the passkey btton and return directly. I think it's not right, first, not show any error message looks not a good ui, and it's looks will make an empty container was show if the registion button was disabled also (maybe f-i-x #36115), then initUserAuthWebAuthn has window.isSecureContext check also which looks duplcate ref:

gitea/web_src/js/features/user-auth-webauthn.ts

Lines 202 to 206 in 26602fd

function detectWebAuthnSupport() {
if (!window.isSecureContext) {
webAuthnError('insecure');
return false;
}

so I'd like move hideElem(elSignInPasskeyBtn); to detectWebAuthnSupport failed routs to make it simple and show insecure error corectly.
联想截图_20251215184757

@a1012112796
fix webAuthn insecure error view
1386ea4 
as you seen, in cureent status `initUserAuthWebAuthn` will prcheck
`window.isSecureContext`, if not ok, will hide the `passkey` btton
and return directly. I think it's not right, first, not show any
error message looks not a good ui, and it's looks will make an
empty container was show when registion button was disabled also
(maybe f-i-x go-gitea#36115), then initUserAuthWebAuthn has `window.isSecureContext`
check also which looks duplcate. so I'd like move hideElem(elSignInPasskeyBtn);
to `detectWebAuthnSupport` failed routs to make it simple and show insecure error
corectly.

Signed-off-by: a1012112796 <1012112796@qq.com>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 15, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 15, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 15, 2025
@lunny lunny added type/bug backport/v1.25 reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Dec 15, 2025
@silverwind silverwind merged commit 822ee60 into go-gitea:main Dec 15, 2025
23 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Dec 15, 2025
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Dec 15, 2025
@a1012112796 a1012112796 deleted the zzc/dev/fix_signup_container_ui branch December 16, 2025 00:07
silverwind added a commit to silverwind/gitea that referenced this pull request Dec 16, 2025
@silverwind
Merge remote-tracking branch 'origin/main' into deps-105
a0b6c75 
* origin/main:
  fix webAuthn insecure error view (go-gitea#36165)
  Some small refactors (go-gitea#36163)
  Remove undocumented support of signing key in the repository git configuration file (go-gitea#36143)
  Enable gocheckcompilerdirectives linter (go-gitea#36156)
  Fix code highlighting on blame page (go-gitea#36157)
  Check user visibility when redirecting to a renamed user (go-gitea#36148)
  Fix bug when viewing the commit diff page with non-ANSI files (go-gitea#36149)
@GiteaBot
Copy link
Collaborator

GiteaBot commented Dec 16, 2025

I was unable to create a backport for 1.25. @a1012112796, please send one manually. 🍵

go run ./contrib/backport 36165
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Dec 16, 2025
zjjhot added a commit to zjjhot/gitea that referenced this pull request Dec 17, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
3e5054b 
* giteaofficial/main:
  Automatic generation of release notes (go-gitea#35977)
  Update chroma to v2.21.0 (go-gitea#36171)
  [skip ci] Updated translations via Crowdin
  Move blame to gitrepo (go-gitea#36161)
  Enable `bodyclose` linter (go-gitea#36168)
  fix nilnil in onedev downloader (go-gitea#36154)
  fix webAuthn insecure error view (go-gitea#36165)
  Some small refactors (go-gitea#36163)
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Dec 17, 2025
@a1012112796 @lunny
fix webAuthn insecure error view (go-gitea#36165)
bc95533 
as you seen, in cureent status `initUserAuthWebAuthn` will prcheck
`window.isSecureContext`, if not ok, will hide the `passkey` btton and
return directly. I think it's not right, first, not show any error
message looks not a good ui, and it's looks will make an empty container
was show if the registion button was disabled also (maybe f-i-x go-gitea#36115),
then initUserAuthWebAuthn has `window.isSecureContext` check also which
looks duplcate ref:

https://github.com/go-gitea/gitea/blob/26602fd2070886a1e7e0545f11f5541a38396003/web_src/js/features/user-auth-webauthn.ts#L202-L206

so I'd like move hideElem(elSignInPasskeyBtn); to
`detectWebAuthnSupport` failed routs to make it simple and show insecure
error corectly.

![联想截图_20251215184757](https://github.com/user-attachments/assets/0eff43a0-18a6-4978-aa27-b4574fcf2601)

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@a1012112796 a1012112796 mentioned this pull request Dec 17, 2025
Merged
lunny added a commit that referenced this pull request Dec 17, 2025
@a1012112796 @lunny
fix webAuthn insecure error view (#36165) (#36179)
522cc25 
backport #36165

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@lunny lunny added the backport/done All backports for this PR have been created label Dec 17, 2025
@wxiaoguang wxiaoguang mentioned this pull request Dec 20, 2025
Closed
@silverwind
Copy link
Member

silverwind commented Dec 20, 2025
edited
Loading

We probably need to revert this because now all users that use gitea on non-localhost http will see this useless error message, even if they are not using webauthn. We should only show webauthn errors if they actually originate from a user interaction.

@silverwind
Copy link
Member

silverwind commented Dec 20, 2025

#36219 is the proper fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lunny lunny lunny approved these changes

@silverwind silverwind silverwind approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/manual No power to the bots! Create your backport yourself! backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/frontend type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

4 participants

@a1012112796 @GiteaBot @silverwind @lunny