Another Discourse bug!

Hi, I’ve got another (two pronged) bug report in Discourse for you. I set up my ThinkPad running Windows 10 for this forum, including setting up Windows Hello as an authenticator.

I signed out and back in to test authentication and I received this error:

The algorithm used for the security key is not recognized.

When I clicked “try again” I got this message:

The provided challenge does not match the challenge generated by the authentication server.

And I was locked out of my account for a few minutes. Once this expired, I logged in with an NFC key to reset any increasing lockout time counter there might be, then logged out and tried again. I got the first error when trying to use Windows Hello. Worse, on the second attempt to sign in (having given up on Windows Hello), I tapped my NFC key… and I got the second error and lockout again!

It appears that there are two problems:

  1. Windows Hello does not work properly.

  2. A failed security key authentication attempt creates a “try again” button that does not work, possibly because it is re-using the original challenge cached in some place, creating the challenge mismatch error.

Sorry to keep reporting bugs but I figured it helps squash them :slight_smile:

Oh, and as I type this, a third error - both the editor and preview are splitting words mid-word when I copy/pasted Markdown from Visual Studio Code. The things I’m typing directly are rendering correctly, however. EDIT - once posted, the rendering was fixed, and it is correct in the editor now - so this seems to be an issue when pasting into the editor (or at least, pasting in from VSCode on Windows into Chrome).


Oh hey, I’ve been messing with Windows Hello, FIDO2, and WebAuthn for a few weeks now.

Something is a bit up, but I think it’s an upstream issue with Discourse. I have just tried it (accidentally locking myself out for a bit) and can reproduce your findings exactly.

It’s too late at night for me to be troubleshooting cryptography (02:41 right now…), but your two bugs appear to be correct. Discourse appears to be trying to use the WebAuthn APIs as if it were a mix of FIDO2 and the slightly different FIDO U2F (which is why your security key works!), and the whole implementation seems like someone didn’t quite understand how these components interact. For what it’s worth, Windows Hello theoretically only supports FIDO2’s listed algorithms, but that may also mismatch with what Discourse supports.

Ideally, Discourse would just implement proper FIDO2, in fact everyone should implement proper FIDO2 with WebAuthn because it’s great! :stuck_out_tongue:

The retry button does also appear to reuse the original challenge, no idea why.

This is probably something to take to meta.discourse.org once you figure it out. :grimacing:

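The two failure modes described in the posts above (a retry that re-posts a challenge cached from the previous attempt, and a credential whose COSE algorithm the server does not accept), as an added example that is not Discourse's code and was not written by either poster. It is a hypothetical minimal relying-party verifier in Ruby: the class and method names, the per-session challenge store, the error strings, and the assumption that a Windows Hello credential registers with RS256 (COSE -257) while the NFC key uses ES256 (COSE -7) are all assumptions made for illustration, not taken from Discourse. The "browser" side is simulated by a constructed clientDataJSON.

```ruby
require 'json'
require 'base64'
require 'securerandom'

# Hypothetical relying-party (RP) verifier for the WebAuthn assertion step.
# Not Discourse's implementation; names and error strings are assumed.
class WebAuthnVerifier
  ChallengeMismatch = Class.new(StandardError)
  UnknownAlgorithm  = Class.new(StandardError)

  # COSE identifiers this RP can verify. An RP should advertise the same list
  # in pubKeyCredParams at registration so authenticators do not mint keys it
  # cannot check later. (RS256 for Windows Hello is an assumption here.)
  ALG_NAMES = { -7 => 'ES256', -257 => 'RS256' }.freeze

  def initialize(rp_origin:, allowed_algs: [-7])
    @origin = rp_origin
    @allowed = allowed_algs
    @challenges = {} # session_id => raw challenge bytes, single use
  end

  # Mint a fresh 32-byte challenge per attempt, bound to the session.
  # A correct "try again" path must call this again before re-prompting.
  def begin_authentication(session_id)
    challenge = SecureRandom.random_bytes(32)
    @challenges[session_id] = challenge
    Base64.urlsafe_encode64(challenge, padding: false)
  end

  # Verify the assertion's clientDataJSON (base64url as the browser returns it)
  # against the outstanding challenge, then check the credential's COSE alg.
  # The challenge is consumed whether or not verification succeeds.
  def finish_authentication(session_id, client_data_b64url, credential_alg)
    expected = @challenges.delete(session_id)
    raise ChallengeMismatch, 'no outstanding challenge for session' if expected.nil?

    data = JSON.parse(Base64.urlsafe_decode64(client_data_b64url))
    raise ChallengeMismatch, "unexpected type #{data['type']}" unless data['type'] == 'webauthn.get'
    raise ChallengeMismatch, "origin #{data['origin']} != #{@origin}" unless data['origin'] == @origin

    got = Base64.urlsafe_decode64(data['challenge'])
    raise ChallengeMismatch, 'challenge does not match the one issued' unless secure_equal?(got, expected)

    unless @allowed.include?(credential_alg)
      raise UnknownAlgorithm, "COSE alg #{credential_alg} not in #{@allowed.inspect}"
    end
    ALG_NAMES.fetch(credential_alg)
  end

  private

  # Constant-time comparison so a mismatch does not leak where bytes differ.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

ORIGIN = 'https://forum.example'.freeze # constructed origin, not a real site

# Constructed stand-in for navigator.credentials.get(): the browser echoes the
# challenge it was handed back inside clientDataJSON.
def fake_client_data(challenge_b64url, origin = ORIGIN)
  Base64.urlsafe_encode64({ type: 'webauthn.get', challenge: challenge_b64url, origin: origin }.to_json,
                          padding: false)
end

# Walk through the scenarios from the thread and return each outcome.
def demo
  rp = WebAuthnVerifier.new(rp_origin: ORIGIN, allowed_algs: [-7])
  results = {}

  # Happy path: fresh challenge, ES256 NFC key.
  c1 = rp.begin_authentication('sess1')
  results[:first] = rp.finish_authentication('sess1', fake_client_data(c1), -7)

  # Buggy "try again": the server mints c2, but the client re-posts cached c1.
  c1 = rp.begin_authentication('sess1')
  rp.begin_authentication('sess1')
  begin
    rp.finish_authentication('sess1', fake_client_data(c1), -7)
  rescue WebAuthnVerifier::ChallengeMismatch => e
    results[:stale_retry] = e.message
  end

  # Correct retry: the client signs the challenge it just received.
  c3 = rp.begin_authentication('sess1')
  results[:fresh_retry] = rp.finish_authentication('sess1', fake_client_data(c3), -7)

  # Assumed Windows Hello credential (RS256) against an ES256-only allowlist.
  c4 = rp.begin_authentication('sess1')
  begin
    rp.finish_authentication('sess1', fake_client_data(c4), -257)
  rescue WebAuthnVerifier::UnknownAlgorithm => e
    results[:rs256_rejected] = e.message
  end

  # Same credential once RS256 is on the allowlist.
  rp2 = WebAuthnVerifier.new(rp_origin: ORIGIN, allowed_algs: [-7, -257])
  c5 = rp2.begin_authentication('sess2')
  results[:rs256_accepted] = rp2.finish_authentication('sess2', fake_client_data(c5), -257)

  results
end
```

Run `demo` to see the five outcomes. The design point is that the challenge is deleted from the store on every finish call, successful or not, so a retry button that skips `begin_authentication` (or re-uses the value from the previous prompt) can only ever produce a mismatch; the fix is to fetch a new challenge before re-prompting the authenticator, not to relax the comparison.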