Merge pull request #1142 from Kukks/bugfix/u2f

Fix U2F bug when using multiple devices
2026-01-08 00:24:23 +01:00 · 2019-11-13 15:37:14 +09:00
parent ba54b5aacf 974101624b
commit c3a84f6577
2 changed files with 14 additions and 3 deletions
--- a/BTCPayServer/U2F/U2FService.cs
+++ b/BTCPayServer/U2F/U2FService.cs
@@ -157,14 +157,22 @@ namespace BTCPayServer.U2F
                var authenticationRequest =
                    UserAuthenticationRequests[userId].First(f =>
                        f.KeyHandle.Equals(authenticateResponse.KeyHandle, StringComparison.InvariantCulture));
+                
                var registration = new DeviceRegistration(device.KeyHandle, device.PublicKey,
                    device.AttestationCert, Convert.ToUInt32(device.Counter));

                var authentication = new StartedAuthentication(authenticationRequest.Challenge,
                    authenticationRequest.AppId, authenticationRequest.KeyHandle);

-                global::U2F.Core.Crypto.U2F.FinishAuthentication(authentication, authenticateResponse, registration);
+                
+                var challengeAuthenticationRequestMatch = UserAuthenticationRequests[userId].First(f =>
+                    f.Challenge.Equals( authenticateResponse.GetClientData().Challenge, StringComparison.InvariantCulture));

+                if (authentication.Challenge != challengeAuthenticationRequestMatch.Challenge)
+                {
+                    authentication = new StartedAuthentication(challengeAuthenticationRequestMatch.Challenge, authenticationRequest.AppId, authenticationRequest.KeyHandle);
+                }
+                global::U2F.Core.Crypto.U2F.FinishAuthentication(authentication, authenticateResponse, registration);

                UserAuthenticationRequests.AddOrReplace(userId, new List<U2FDeviceAuthenticationRequest>());

--- a/BTCPayServer/Views/Account/LoginWithU2F.cshtml
+++ b/BTCPayServer/Views/Account/LoginWithU2F.cshtml
@@ -5,7 +5,10 @@
    <input type="hidden" asp-for="Challenge" />
    <input type="hidden" asp-for="AppId" />
    <input type="hidden" asp-for="DeviceResponse" />
-    <input type="hidden" asp-for="Challenges" />
+    @for (int i = 0; i < Model.Challenges.Count; i++)
+    {
+        @Html.HiddenFor(m => m.Challenges[i])
+    }
    <input type="hidden" asp-for="UserId" />
    <input type="hidden" asp-for="RememberMe" />
 </form>
@@ -32,7 +35,7 @@
        1: 'Unknown error, try again',
        2: "Bad request error, try again",
        3: "This key isn't supported, please try another one",
-        4: 'The device is already registered, please login',
+        4: 'The device is not registered, please try another one',
        5: 'Authentication timed out. Please reload to try again.'
    };
    setTimeout(function() {