clients icon indicating copy to clipboard operation
clients copied to clipboard

Published 20 hours ago verified publisher icon bitwarden

WebAuthN fails on localhost because it expects an HTTPS origin

Open allezxandre opened this issue 1 year ago • 13 comments

Steps To Reproduce

  1. Go to a localhost website with WebAuthN (using unencrypted http protocol)
  2. Use WebAuthN authentication

Expected Result

WebAuthN UI opens, mimicking browser behavior on localhost

Actual Result

WebAuthN fails silently on the UI but an error is logged to the console:

Error: 'origin' is not a valid https origin

The error is correct, http://localhost is indeed not https, but I expected localhost to still be a valid origin.

Screenshots or Videos

No response

Additional Context

No response

Operating System

macOS

Operating System Version

No response

Web Browser

Chrome, Safari

Browser Version

Safari 17.0 and Arc 1.15.2

Build Version

Chromium Engine Version 119.0.6045.123 (arm64)

Issue Tracking Info

  • [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

allezxandre avatar Nov 14 '23 01:11 allezxandre

+1

since BitWarden jumps in ahead of native browser (why?) it stops all localhost development using WebAuthn being workable, unless in a browser where the BitWarden chrome extension has been disabled

gregorvand avatar Nov 14 '23 06:11 gregorvand

This also made me go insane debugging today to find out this was Bitwarden related and not my own WebAuthn code. Please at least update the error message so that it's easy to know that it is related to Bitwarden ;)

SDAChess avatar Nov 14 '23 15:11 SDAChess

+1

since BitWarden jumps in ahead of native browser (why?) it stops all localhost development using WebAuthn being workable, unless in a browser where the BitWarden chrome extension has been disabled

I agree, after disabling BitWarden webauthn works as expected

Jhoscy avatar Nov 17 '23 10:11 Jhoscy

I just ran into this too. Seems like it's coming from

https://github.com/bitwarden/clients/blob/a141890b0989736cfa8ee5aab5ce1804f9c138bd/libs/common/src/vault/services/fido2/fido2-client.service.ts#L95-L98

There's a simple window.isSecureContext it could check, but maybe it doesn't have access to the window

At the very least, maybe something like

if (parsedOrigin.hostname == undefined 
    || !(
        params.origin.startsWith("https://") 
        || (params.origin === 'localhost') 
        || params.origin.endsWith('.localhost')
    )
) ...

barryp avatar Nov 17 '23 18:11 barryp

If @barryp's solution is acceptable could we put this into a PR or is further consideration necessary? I have to enable & disable bitwarden when developing locally

taylorjdawson avatar Dec 12 '23 23:12 taylorjdawson

I might need some tweaking such as adding 127.0.0.1 and .local domains maybe? Either way there some to be little to no interest from the Bitwarden team on this issue.

SDAChess avatar Dec 12 '23 23:12 SDAChess

Hey, while I mostly work on Bitwarden passwordless.dev I'm just updating that we're looking to fix this in a way that aligns with the WebAuthn specification.

abergs avatar Jan 29 '24 08:01 abergs

This started being an issue for me today.

acewings27 avatar Jan 29 '24 19:01 acewings27

Hey, while I mostly work on Bitwarden passwordless.dev I'm just updating that we're looking to fix this in a way that aligns with the WebAuthn specification.

Awesome. Any news on this?

carlos-menezes avatar Feb 04 '24 11:02 carlos-menezes

+1 this sucks ass

Aeases avatar Feb 10 '24 14:02 Aeases

@carlos-menezes See https://github.com/w3c/webauthn/pull/2018

coroiu avatar Feb 14 '24 12:02 coroiu

@carlos-menezes and others: Since https://github.com/w3c/webauthn/pull/2018 was merged in the spec we will move forward and allow http://localhost:* for passkeys in bitwarden. I don't have a date, but my guess is that it won't be long.

Thanks for reporting this.

abergs avatar Feb 22 '24 12:02 abergs

Awesome, great to hear!

carlos-menezes avatar Feb 22 '24 15:02 carlos-menezes

Hey there!

Thanks to @coroiu, this issue will be resolved pretty soon, but I have a workaround and I hope this becomes useful for some.

I'm working on a project with Next.js and WebAuthn, and to bypass this limitation, I've created an HTTPS proxy for the development environment.

If you want to try this workaround, first install dependencies by following command:

npm i -D concurrently http-proxy

And then create https-server.js file in root of the project:

import fs from 'node:fs';
import path from 'node:path';
import proxy from 'http-proxy';

proxy
  .createServer({
    // openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
    ssl: {
      key: fs.readFileSync(path.resolve('localhost.key')),
      cert: fs.readFileSync(path.resolve('localhost.crt')),
    },
    target: {
      host: 'localhost',
      port: 3000,
    },
    ws: true,
  })
  .listen(3001);

Now run the dev server by following command:

concurrently --raw --kill-others "next dev" "node https-server.js"

Also, make sure that localhost is not excluded in extension settings.

shahradelahi avatar Jun 08 '24 21:06 shahradelahi

@shahradelahi I haven't used Next.js in a while but it seems like they added experimental HTTPS support https://vercel.com/guides/access-nextjs-localhost-https-certificate-self-signed, could that also be a viable workaround while we wait for https://github.com/bitwarden/clients/pull/9236 to get released?

coroiu avatar Jun 10 '24 07:06 coroiu