WebAuthn broken on clients for Unified server #2536

Closed
1 task done
Tracked by #2480
Skimige opened this issue Jan 4, 2023 · 1 comment · Fixed by #2569
Labels: bug, bw-unified-deploy (An Issue related to Bitwarden unified deployment), good first issue, help wanted

Comments


Skimige commented Jan 4, 2023

Steps To Reproduce

  1. Log out from the Windows client (for example); reset the session from the web vault if necessary
  2. Try to log in from the Windows client
  3. On the "FIDO2 WebAuthn" page, the webauthn-connector.html iframe is refused (not displayed); more details can be seen in Dev Tools

Expected Result

FIDO2 WebAuthn iframe can load and properly prompts user to insert a key / complete 2FA.

Actual Result

The client's Chromium refuses to display the webauthn-connector.html iframe because of X-Frame-Options (and maybe Content-Security-Policy as well once X-Frame-Options is removed; not tested, just an assumption)


Additional Context

Request URL:
https://bitwarden.yourdomain.tld/webauthn-connector.html?data=......&&parent=file%253A%252F%252F%252FC%253A%252FUsers%252F<Username>%252FAppData%252FLocal%252FPrograms%252FBitwarden%252Fresources%252Fapp.asar%252Findex.html%2523%252F2fa&btnText=%25E9%25AA%258C%25E8%25AF%2581%2520WebAuthn&v=1

Response Headers captured from Dev Tools:

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 78410202d8a607a9-HKG
content-encoding: br
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;
content-type: text/html
date: Wed, 04 Jan 2023 03:50:04 GMT
last-modified: Tue, 13 Dec 2022 20:45:32 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer-policy: same-origin
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dka5Wf3VV7vqP0WipAGFXm7Sh8lmfq4N%2F9fKUoW%2BS%2BIKmJaQXhquUXVFpmvr9AK%2BQEZ6DkxlkBuix9yib0TC%2FM3tUIFY%2FE%2BPF%2FjWk%2B7QdUQDfr%2BbFMctBCCJagK8LNax9tHc%2Bj9zfpSWikElGFlbBg%3D%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
strict-transport-security: max-age=15552000
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

I have a temporary workaround for this, which is to modify the nginx config inside the docker container. I created it by checking the difference between the unified nginx hbs template and the normal nginx hbs template.
(Not a generated diff; formatted by hand.)

   location = /app-id.json {
     root /app/Web;
     include /etc/nginx/security-headers.conf;
     proxy_hide_header Content-Type;
     add_header Content-Type $fido_content_type;
   }
 
+  location = /duo-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /webauthn-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /webauthn-fallback-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /sso-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
   location /attachments {
     alias /etc/bitwarden/attachments/;
   }

For a proper fix, the hbs template should be updated. In the master branch, the config template is unchanged.

I'm not opening a pull request directly because I'm not that familiar with nginx, and I don't think the temporary workaround looks concise.

Githash Version

455d62e-dirty

Environment Details

  • OS: Debian 11 inside Proxmox VE (KVM virt)
  • Docker Version: 5:20.10.22~3-0~debian-bullseye
  • Reverse Proxy: Cloudflare Tunnel (Cloudflare says they won't modify the CSP header; I guess they didn't modify the XFO header either)

Database Image

mariadb:10

Issue-Link

#2480

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Skimige added the bug and bw-unified-deploy labels on Jan 4, 2023
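A command-line check for the condition reported above, added here as an example and not part of the issue or of Bitwarden's code. It reads the response headers of a page and reports whether a browser would refuse to render it inside an iframe whose parent is a different origin (the desktop client's file:// page in this issue), looking at both X-Frame-Options and the CSP frame-ancestors directive, which the reporter left untested. The sample header blocks are constructed here from the headers captured in the issue, trimmed to the framing-relevant ones; the hostname in the usage comment is the issue's placeholder.

```sh
#!/bin/sh
# Added example, not Bitwarden's code. Given the raw response headers of a
# page, decide whether a browser will render it inside an <iframe> whose
# parent is a different origin (here the desktop client's file:// page).
# Two mechanisms matter: X-Frame-Options (DENY / SAMEORIGIN) and the CSP
# frame-ancestors directive, which takes precedence when both are sent.
# frame_verdict reads headers on stdin, prints one verdict line and returns
# 0 (embeddable cross-origin) or 1 (blocked).

frame_verdict() {
    # Drop CRs and lower-case everything: header names and the framing
    # tokens are case-insensitive, which keeps the matching below simple.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')

    # CSP frame-ancestors wins over X-Frame-Options. Anything other than a
    # bare "*" in its source list cannot match a file:// parent.
    fa=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^content-security-policy:.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$fa" ]; then
        case " $fa " in
            *" * "*) echo "embeddable: frame-ancestors allows any origin"; return 0 ;;
            *)       echo "blocked: frame-ancestors $fa"; return 1 ;;
        esac
    fi

    xfo=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]')
    case "$xfo" in
        "")              echo "embeddable: no framing restriction"; return 0 ;;
        deny|sameorigin) echo "blocked: X-Frame-Options $xfo (parent is a different origin)"; return 1 ;;
        allow-from*)     echo "embeddable: ALLOW-FROM is ignored by current browsers"; return 0 ;;
        *)               echo "embeddable: unrecognised X-Frame-Options '$xfo' is ignored"; return 0 ;;
    esac
}

# Constructed sample modelled on the headers captured in the issue
# (unified deployment before the fix); only framing-relevant headers kept.
sample_unified_before() {
    cat <<'EOF'
HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self'; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; object-src 'self' blob:;
x-frame-options: SAMEORIGIN
x-robots-tag: noindex, nofollow
EOF
}

# Constructed: the same page once the connector location no longer sends
# X-Frame-Options.
sample_after_fix() {
    cat <<'EOF'
HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self'; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; object-src 'self' blob:;
x-robots-tag: noindex, nofollow
EOF
}

# Constructed, hypothetical: X-Frame-Options gone but a frame-ancestors
# directive present. The iframe would still be refused; this is the CSP
# case the reporter did not test.
sample_csp_locked() {
    cat <<'EOF'
HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self'; frame-ancestors 'self'
EOF
}

# Runs the three samples. Against a live deployment, pipe real headers in:
#   curl -sI https://bitwarden.yourdomain.tld/webauthn-connector.html | frame_verdict
demo() {
    for s in sample_unified_before sample_after_fix sample_csp_locked; do
        printf '%-22s ' "$s:"
        "$s" | frame_verdict || true
    done
}

demo
```

Run it against each of the four connector pages (duo, webauthn, webauthn-fallback, sso) after changing the nginx template; if a CDN or tunnel sits in front of the server, check the headers as the client sees them, since that is the response the browser enforces.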
justindbaur (Member) commented:

Your assessment looks good and is probably what we will want. You can similarly see those in the standard deployments file. @vgrassia should we add these to the template?

    include /etc/nginx/security-headers.conf;
    proxy_hide_header Content-Type;
    add_header Content-Type $fido_content_type;
  }
  location = /duo-connector.html {
    proxy_pass http://web:5000/duo-connector.html;
  }
  location = /webauthn-connector.html {
    proxy_pass http://web:5000/webauthn-connector.html;
  }
  location = /webauthn-fallback-connector.html {
    proxy_pass http://web:5000/webauthn-fallback-connector.html;
  }
  location = /sso-connector.html {
    proxy_pass http://web:5000/sso-connector.html;
  }
