Support webauthn (#17957)

Migrate from U2F to Webauthn Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-07-03 09:07:19 +00:00 · 2022-01-14 23:03:31 +08:00
parent 8808293247
commit 35c3553870
224 changed files with 35040 additions and 1079 deletions
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@ -14,6 +14,7 @@ import (

 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/webauthn"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
@ -69,6 +70,8 @@ func Init() {
 			log.Error("Could not initialize '%s' auth method, error: %s", reflect.TypeOf(method).String(), err)
 		}
 	}
+
+	webauthn.Init()
 }

 // Free should be called exactly once when the application is terminating to allow Auth plugins
@ -121,7 +124,7 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 	_ = sess.Delete("openid_determined_username")
 	_ = sess.Delete("twofaUid")
 	_ = sess.Delete("twofaRemember")
-	_ = sess.Delete("u2fChallenge")
+	_ = sess.Delete("webauthnAssertion")
 	_ = sess.Delete("linkAccount")
 	err = sess.Set("uid", user.ID)
 	if err != nil {
--- a/services/auth/source/oauth2/jwtsigningkey.go
+++ b/services/auth/source/oauth2/jwtsigningkey.go
@ -25,7 +25,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	ini "gopkg.in/ini.v1"
 )

--- a/services/auth/source/oauth2/token.go
+++ b/services/auth/source/oauth2/token.go
@ -10,7 +10,7 @@ import (

 	"code.gitea.io/gitea/modules/timeutil"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )

 // ___________     __
@ -37,6 +37,7 @@ type Token struct {
 	GrantID int64     `json:"gnt"`
 	Type    TokenType `json:"tt"`
 	Counter int64     `json:"cnt,omitempty"`
+	// FIXME: Migrate to registered claims
 	jwt.StandardClaims
 }

@ -69,6 +70,7 @@ func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {

 // OIDCToken represents an OpenID Connect id_token
 type OIDCToken struct {
+	// FIXME: Migrate to RegisteredClaims
 	jwt.StandardClaims
 	Nonce string `json:"nonce,omitempty"`

--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@ -409,24 +409,24 @@ func (f *TwoFactorScratchAuthForm) Validate(req *http.Request, errs binding.Erro
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }

-// U2FRegistrationForm for reserving an U2F name
-type U2FRegistrationForm struct {
+// WebauthnRegistrationForm for reserving an WebAuthn name
+type WebauthnRegistrationForm struct {
 	Name string `binding:"Required"`
 }

 // Validate validates the fields
-func (f *U2FRegistrationForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
+func (f *WebauthnRegistrationForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
 	ctx := context.GetContext(req)
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }

-// U2FDeleteForm for deleting U2F keys
-type U2FDeleteForm struct {
+// WebauthnDeleteForm for deleting WebAuthn keys
+type WebauthnDeleteForm struct {
 	ID int64 `binding:"Required"`
 }

 // Validate validates the fields
-func (f *U2FDeleteForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
+func (f *WebauthnDeleteForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
 	ctx := context.GetContext(req)
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@ -30,7 +30,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )

 // requestContext contain variables from the HTTP request.
@ -45,6 +45,7 @@ type Claims struct {
 	RepoID int64
 	Op     string
 	UserID int64
+	// FIXME: Migrate to RegisteredClaims
 	jwt.StandardClaims
 }