Remove U2F support (#20141)

- Completely remove U2F support from 1.18.0, 1.17.0 will be the last
release that U2F is somewhat supported. Users who used U2F would already
be warned about using U2F for a while now and should hopefully already
be migrated. But starting 1.18 definitely remove it.

routers/web/auth/auth.go

@@ -266,7 +266,7 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	if hasTOTPtwofa {
-		// User will need to use U2F, save data
+		// User will need to use WebAuthn, save data
 		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
 			ctx.ServerError("UserSignIn: Unable to set WebAuthn Enrolled in session", err)
 			return
@@ -278,7 +278,7 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// If we have U2F redirect there first
+	// If we have WebAuthn redirect there first
 	if hasWebAuthnTwofa {
 		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
@@ -317,7 +317,6 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 	_ = ctx.Session.Delete("openid_determined_username")
 	_ = ctx.Session.Delete("twofaUid")
 	_ = ctx.Session.Delete("twofaRemember")
-	_ = ctx.Session.Delete("u2fChallenge")
 	_ = ctx.Session.Delete("linkAccount")
 	if err := ctx.Session.Set("uid", u.ID); err != nil {
 		log.Error("Error setting uid %d in session: %v", u.ID, err)

routers/web/auth/webauthn.go

@@ -67,10 +67,7 @@ func WebAuthnLoginAssertion(ctx *context.Context) {
 		return
 	}
 
-	// FIXME: DEPRECATED appid is deprecated and is planned to be removed in v1.18.0
-	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user), webauthn.WithAssertionExtensions(protocol.AuthenticationExtensions{
-		"appid": setting.U2F.AppID,
-	}))
+	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user))
 	if err != nil {
 		ctx.ServerError("webauthn.BeginLogin", err)
 		return
@@ -159,12 +156,5 @@ func WebAuthnLoginAssertionPost(ctx *context.Context) {
 	}
 	_ = ctx.Session.Delete("twofaUid")
 
-	// Finally check if the appid extension was used:
-	if value, ok := parsedResponse.ClientExtensionResults["appid"]; ok {
-		if appid, ok := value.(bool); ok && appid {
-			ctx.Flash.Error(ctx.Tr("webauthn_u2f_deprecated", dbCred.Name))
-		}
-	}
-
 	ctx.JSON(http.StatusOK, map[string]string{"redirect": redirect})
 }

routers/web/user/setting/security/security.go

@@ -26,7 +26,6 @@ const (
 func Security(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsSecurity"] = true
-	ctx.Data["RequireU2F"] = true
 
 	if ctx.FormString("openid.return_to") != "" {
 		settingsOpenIDVerify(ctx)