wp-webauthn's Introduction

wp-webauthn's People

Contributors

alexclassroom, alwaysreading, aniolpages, chongkan, cnhsn, dependabot[bot], fossabot, lukasj98, spomky, vanpop, yechs, yrccondor, zxilly

wp-webauthn's Issues

Can't register new key with BitWarden addon on Chrome

Hello.

Just tested with my WordPress installation: all is OK except that I can't register using the BitWarden Chrome addon. It says "failed" but the access key is registered inside the BitWarden addon/vault.
If I try again, BitWarden asks me if I want to register a new one over the old one.

Chrome : 109.0.5414.120 (last one compatible with mandatory Windows 7)
BitWarden addon : 2024.2.1 (last release).

1 fact : on webauthn.io all is ok (can test/register/authenticate)

Don't know in fact if the problem comes from the WP extension OR the BitWarden addon.

Thanks.

Problems with login

Hello, I have used your plugin for about two months, but after the finger scan on my MacBook it refuses to log in. Please help because I can't edit my website...

[Bug] Double connection

I have a little problem with it on my WordPress (last version (05/09/20 (mm/dd/yyyy)) with PHP 7.3): I have to authenticate myself two times (I don't know why, but the first time always fails).

I don't know if I'm alone with this bug.

Auth failed (if not using an incognito browser session)

I have registered a Nitrokey 3 NFC as a FIDO2/Passkey USB device.
The login form asks for my user name: "admin".
I click on "Auth" and instantly get "Auth failed".

The Nitrokey works with other Passkey-enabled web sites in the same browser though.

The PHP error log does not show anything.

Can't add 2 fingerprint authenticator

When I add my MacBook fingerprint it adds perfect. When I delete this and add the iPhone fingerprint it adds perfect. When I add the MacBook or the iPhone when I already have 1 fingerprint I get an error. InvalidStateError: at least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.

I love the plugin and options. Very happy. If this works I can disable the password login :)

Please add Magic Link support as a fallback

Hello,
Thanks for creating WP-Webauth - it is great to finally get rid of passwords.
It would be really helpful to add a magic link via mail as a fallback method.
With this added, passwords could be disabled altogether as users, who have not yet set up Web-Auth could still login, but don't need to remember a password.
Also with new users, you could just enter the mail and they can use Magic Link until they setup Web-Auth.

Thanks a lot!

The REST API encountered an error

If you check Site Health while this plugin is enabled, the following error will occur.

The REST API encountered an error

The REST API is one way WordPress, and other applications, communicate with the server. One example is the block editor screen, which relies on this to display, and save, your posts and pages.

The REST API request failed due to an error.
Error: cURL error 28: Operation timed out after 10001 milliseconds with 0 bytes received (http_request_failed)

Your site could not complete a loopback request

Loopback requests are used to run scheduled events, and are also used by the built-in editors for themes and plugins to verify code stability.

The loopback request to your site failed, this means features relying on them are not currently working as expected.
Error: cURL error 28: Operation timed out after 10001 milliseconds with 0 bytes received (http_request_failed)

Disabling the plugin will eliminate this error.

For reference, the environment of the server where the problem occurs is as follows.

### wp-core ###

version: 5.4.2
site_language: ja
user_language: en_US
timezone: Asia/Tokyo
https_status: true
user_registration: 1
default_comment_status: open
multisite: false
dotorg_communication: true

### wp-server ###

server_architecture: Linux 4.2.8 armv7l
httpd_software: Apache/2.4.29
php_version: 7.4.9
php_sapi: fpm-fcgi
max_input_variables: 1000
time_limit: 30
memory_limit: 256M
max_input_time: 60
upload_max_size: 128M
php_post_max_size: 128M
curl_version: 7.58.0 OpenSSL/1.1.1g
suhosin: false
imagick_availability: true
htaccess_extra_rules: true

### wp-database ###

extension: mysqli
server_version: 5.5.57-MariaDB
client_version: mysqlnd 7.4.9

### wp-constants ###

WP_HOME: undefined
WP_SITEURL: undefined
WP_CONTENT_DIR: /var/www/html/wp-content
WP_PLUGIN_DIR: /var/www/html/wp-content/plugins
WP_MAX_MEMORY_LIMIT: 256M
WP_DEBUG: false
WP_DEBUG_DISPLAY: true
WP_DEBUG_LOG: false
SCRIPT_DEBUG: false
WP_CACHE: false
CONCATENATE_SCRIPTS: undefined
COMPRESS_SCRIPTS: undefined
COMPRESS_CSS: undefined
WP_LOCAL_DEV: undefined
DB_CHARSET: utf8mb4
DB_COLLATE: undefined

### wp-filesystem ###

wordpress: writable
wp-content: writable
uploads: writable
plugins: writable
themes: writable

Disable the need for gmp extension

Was testing this out locally and after removing the checks for the 'gmp' extension it was still working. The test environment did have bcmath and mbstring installed.

Perhaps the plugin can be updated to work without the 'gmp' extension in specific circumstances, making it easier to deploy on environments that cannot install the extension.

Debug Log below:
[2023-06-08 19:52:17][568e3c] Warning: PHP extension gmp not found
[2023-06-08 19:52:17][568e3c] PHP Version => 8.0.22, WordPress Version => 6.2.2, WP-WebAuthn Version => 1.2.8
[2023-06-08 19:52:17][568e3c] Current config: first_choice => "true", website_name => "WebAuth", website_domain => "webauth.local", remember_me => "false", user_verification => "false", allow_authenticator_type => "none", usernameless_login => "false"
[2023-06-08 19:52:17][568e3c] Logger initialized
[2023-06-08 19:53:51][7530a9] ajax_ajax_authenticator_list: Empty authenticator list
[2023-06-08 19:54:34][5a6837] ajax_ajax_authenticator_list: Empty authenticator list
[2023-06-08 19:54:40][2c5977] ajax_create: Start
[2023-06-08 19:54:40][2c5977] ajax_create: name => "test", type => "none", usernameless => "false"
[2023-06-08 19:54:40][2c5977] ajax_create: user => "df"
[2023-06-08 19:54:40][2c5977] ajax_create: User not initialized, initialize
[2023-06-08 19:54:40][2c5977] ajax_create: excludeCredentials => []
[2023-06-08 19:54:40][2c5977] ajax_create: user_verification => "false"
[2023-06-08 19:54:40][2c5977] ajax_create: Challenge sent
[2023-06-08 19:54:50][cd6714] ajax_create_response: Client response received
[2023-06-08 19:54:50][cd6714] ajax_create_response: name => "test", type => "none", usernameless => "false"
[2023-06-08 19:54:50][cd6714] ajax_create_response: data => {"id":"2hc4gwTGlz7-O-aQFA5A4Q","type":"public-key","rawId":"2hc4gwTGlz7+O+aQFA5A4Q==","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiTFIydHhpcHVPeXg2N1cwMVFaRUd5LTFXN0NjWGpUeTRSSmd0UlNVXzdYUSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aC5sb2NhbCJ9","attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUeUxkStrdv+PkYHQfUpl2NFUTVu5S6YQOLIiD2/dTT6VdAAAAAAAAAAAAAAAAAAAAAAAAAAAAENoXOIMExpc+/jvmkBQOQOGlAQIDJiABIVgg3/+3gbwHXPSTGk7VgU2GMR/m+Zndd9z1HtTfC3bz9BciWCAJDtdbqsiSHkBHRxZdjbH19/b5d+d4qNUqTxnH+WtQMA=="}}
[2023-06-08 19:54:50][cd6714] ajax_create_response: Credential ID unique check passed
[2023-06-08 19:54:50][cd6714] ajax_create_response: Challenge verified
[2023-06-08 19:54:50][cd6714] ajax_create_response: Authenticator added
[2023-06-08 19:55:12][750667] ajax_auth: Start
[2023-06-08 19:55:12][750667] ajax_auth: type => "auth", user => "df"
[2023-06-08 19:55:12][750667] ajax_auth: allowedCredentials => [{"type":"public-key","id":"2hc4gwTGlz7-O-aQFA5A4Q"}]
[2023-06-08 19:55:12][750667] ajax_auth: user_verification => "false"
[2023-06-08 19:55:12][750667] ajax_auth: Challenge sent
[2023-06-08 19:55:15][c014d2] ajax_auth_response: Client response received
[2023-06-08 19:55:15][c014d2] ajax_auth_response: type => "auth", user => "df"
[2023-06-08 19:55:15][c014d2] ajax_auth_response: data => {"id":"2hc4gwTGlz7-O-aQFA5A4Q","type":"public-key","rawId":"2hc4gwTGlz7+O+aQFA5A4Q==","response":{"authenticatorData":"eUxkStrdv+PkYHQfUpl2NFUTVu5S6YQOLIiD2/dTT6UdAAAAAA==","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiRGZKdER5RjRDcU1GVHRXdDRKcFp0YkhWaWJoeGotYVJ2cWNaQ0ZvemRkWSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aC5sb2NhbCJ9","signature":"MEYCIQCUG4AFLwwbDtdeIkf48I5irtbTNkUfUbZnQHjaWI5EEwIhAMTAdUivxyaKv/8mqWiLWHi4ZmomWKdH/DgoUfsTgjGv","userHandle":"YjNhNGUyNmM2ODA3NGNmYmIzYmZiMTAyYmVhY2VkYTU2NjcxMDVhNWZkY2MxMzExOTE3ZDY5OWQyNzM4ZjlkZQ=="}}
[2023-06-08 19:55:15][c014d2] ajax_auth_response: Challenge verified
[2023-06-08 19:55:15][c014d2] ajax_auth_response: Log in user => "df"
[2023-06-08 19:56:14][ff5aae] ajax_auth: Start
[2023-06-08 19:56:14][ff5aae] ajax_auth: type => "test", user => "df", usernameless => "false"
[2023-06-08 19:56:14][ff5aae] ajax_auth: allowedCredentials => [{"type":"public-key","id":"2hc4gwTGlz7-O-aQFA5A4Q"}]
[2023-06-08 19:56:14][ff5aae] ajax_auth: user_verification => "false"
[2023-06-08 19:56:14][ff5aae] ajax_auth: Challenge sent
[2023-06-08 19:56:16][72fca2] ajax_auth_response: Client response received
[2023-06-08 19:56:16][72fca2] ajax_auth_response: type => "test", user => "df"
[2023-06-08 19:56:16][72fca2] ajax_auth_response: data => {"id":"2hc4gwTGlz7-O-aQFA5A4Q","type":"public-key","rawId":"2hc4gwTGlz7+O+aQFA5A4Q==","response":{"authenticatorData":"eUxkStrdv+PkYHQfUpl2NFUTVu5S6YQOLIiD2/dTT6UdAAAAAA==","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiNXVWSGxFQURvc1kzNkdQRDVIZDR6QTV3Ni0xRzRWazdxU3NUYUNRbm4ySSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aC5sb2NhbCJ9","signature":"MEUCIQCL1J3LtM+Heu9o6Z5FoMNmAr3b2QD/LE3QVNDFwCLESQIgEn9lylnTsZ0jiO7R/kAX3TV06PySvcdH+0pYR4cMuwE=","userHandle":"YjNhNGUyNmM2ODA3NGNmYmIzYmZiMTAyYmVhY2VkYTU2NjcxMDVhNWZkY2MxMzExOTE3ZDY5OWQyNzM4ZjlkZQ=="}}
[2023-06-08 19:56:16][72fca2] ajax_auth_response: Challenge verified

Can I save my login status?

Currently, I log in using WebAuthn and log out when I close the browser.
Is it possible to add an option to save the login status?

WP Network Support

This plugin works great on single-site installs, but does not work well at all on network installs. Can network support be added?

The problem I think is that the authenticators are stored in a site-specific manner in the WP database. This means that only one site on a network install will be able to have that log in method work, since registering the same authenticator on subsequent sites will overwrite the earlier passkey in most cases (I use 1Password and iCloud). I'm not sure how to get around this on networks with sites at different URLs, but it is a necessary bug to fix for this plugin to be usable in such contexts.

2FA instead of Single FA

Hi,

I don't seem to be able to set up my Yubikey for a secondary factor authenticator.

The plugin appears to allow either password or my Yubikey. Can both be enabled?

Am I missing something? If it's not supported can you add it in please?

Thanks.

Undefined username

When the Gutenberg block is used for logging in on the frontend without a username, the username field is prepopulated with the word ”undefined”. If the user doesn’t delete this prepopulated word, the usernameless login fails. This is not an issue when the shortcode is used instead of the Gutenberg Block.

  • WordPress 6.0
  • WP-WebAuthn 1.2.8
  • PHP 7.4

Preferred login method

Hi
If I set Preferred Password or Preferred WebAuthn, there is no possibility to switch to the other authentication method.

Missing PHP Library

Hi,
Cool Plugin but I receive the error:
PHP extension gmp does not exist. WP-WebAuthn will not work. (translated error message)

The error occurs after activating and going to the plugins settings page.

Wordpress 5.6.1, Docker, Up to date ubuntu
WP-WebAuthn Version: 1.2.2

Initial sign in fails

The authentication flow will usually fail to detect the device on the first try (Android device), prompting a second try which will go through immediately.

Vivaldi browser and Bitwarden

Webauthn has been in use for a number of years and works well. I recently changed from Brave browser to Vivaldi, both Chrom(e|ium) based.

When I try to authenticate via webauthn I now get a Bitwarden popup that says, "No passkeys found for this application."

I'm not sure whether this is a Vivaldi problem, a Bitwarden problem or a webauthn problem. Using a different browser fixes it; disabling the Bitwarden plugin fixes it.

I'd welcome any suggestions to help pin down the cause (and to fix it).

Yubikey binding failed

Key information has been hidden with <>

[2022-06-27 13:50:03][a79cbf] ajax_create: Start
[2022-06-27 13:50:03][a79cbf] ajax_create: name => "Yubikey", type => "none", usernameless => "false"
[2022-06-27 13:50:03][a79cbf] ajax_create: user => "SakuraPuare"
[2022-06-27 13:50:03][a79cbf] ajax_create: excludeCredentials => []
[2022-06-27 13:50:03][a79cbf] ajax_create: user_verification => "true"
[2022-06-27 13:50:03][a79cbf] ajax_create: Challenge sent
[2022-06-27 13:50:17][6902a0] ajax_create_response: Client response received
[2022-06-27 13:50:17][6902a0] ajax_create_response: name => "Yubikey", type => "none", usernameless => "false"
[2022-06-27 13:50:17][6902a0] ajax_create_response: data => {"id":"<>","type":"public-key","rawId":"<>","response":{"clientDataJSON":"<>","attestationObject":"<>"}}
[2022-06-27 13:50:17][6902a0] ajax_create_response: (ERROR)Challenge not found in transient, exit

New passkey feature

Android, Windows, Mac OS and iOS now support passkey, which allows users to generate and store keys by software, but use the key by biometric or screen lock. This helps to synchronize keys between devices.
But I can only use the feature on my iPad with iPad OS 16.3. On my pixel7 with android 13, I can't generate a passkey but a built-in security key.

Unable to register yubi keys

I have ensured gmp and mbstring are enabled on my wordpress hosting site but cannot register yubi keys (including yubi 4)
Is there a restriction on which version of key can be used? The general information suggests that webauthn should work with any of the u2f keys
The only config item with mbstring that may be an issue that I can see is HTTP input encoding translation is Disabled
Does that need to be changed?
Client is gentoo linux, browser google chrome 99.0 4844.51

Thanks
Chris

Login failing with "Auth failed" but log showing everything is ok?

Testing on Wordpress 6.4.2 with Woocommerce 8.4.0 on Debian + Nginx + PHP8.2-fpm, gmp and mbstring are installed.
Browser is Safari.

I can register an authenticator (fingerprint scanner) just fine. When I go to the login page I can click the 'Auth' button and it asks for my finger, then goes through 'authenticating', then 'Auth Failed'.

I see this in the log: (I removed some bits, not sure which of them are needed for debugging and which show too much private data)
[2024-01-13 17:28:44][8e044a] ajax_auth: Start
[2024-01-13 17:28:44][8e044a] ajax_auth: type => "auth", user => "testuser"
[2024-01-13 17:28:44][8e044a] ajax_auth: allowedCredentials => [{"type":"public-key","id":"4u8J-........"}]
[2024-01-13 17:28:44][8e044a] ajax_auth: user_verification => "true"
[2024-01-13 17:28:44][8e044a] ajax_auth: Challenge sent
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Client response received
[2024-01-13 17:28:50][9f6357] ajax_auth_response: type => "auth", user => "testuser"
[2024-01-13 17:28:50][9f6357] ajax_auth_response: data => {"id":"4u8J-.........","type":"public-key","rawId":"4u8J+.........","response":{"authenticatorData":".......","clientDataJSON":".........","signature":"........","userHandle":"......."}}
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Challenge verified
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Log in user => "testuser"

so that looks all ok?

Any hints or tips on what to do or test?

Incompatibility with Two Factor Feature Plugin

I have deployed the Two Factor feature plugin on all my sites. The WP-WebAuthn plugin seems to be hiding the field for the second factor auth code when users try to log in with the normal way with username/password and have two factor turned on. This is no problem if all users always use WebAuthn, but we aren't anywhere near that yet and so it effectively locks users who don't use Webauthn and do use two factor out. I see this incompatibility on some sites, but not on others, and have yet to determine why that may be (it isn't network, I checked that), but know that with this plugin deactivated all is well again.

When WP-Webauthn is on and is hiding the auth code field of Two Factor the auth code field's markup on the login page looks like this:

<p style="display: none;">
	<label for="authcode">Username</label>
	<input type="tel" autocomplete="off" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*">
</p>

Normally that auth code field looks like this when WP-Webauthn is not active or for the unknown reason is not interfering:

<p>
	<label for="authcode">Authentication Code:</label>
	<input type="tel" autocomplete="off" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" data-com-onepassword-filled="light">
</p>

Since on the same site all I can change is enabling or disabling WP-Webauthn and the auth code field for Two Factor disappears or appears, I feel like there may be something in the javascript of WP-Webauthn that is the problem and may need some more specificity to not take away the auth code field of Two Factor.

I really like this plugin otherwise and look forward to being able to deploy it to my client sites, but simply cannot deploy it right now because I need the Two Factor plugin to work as well. Since that plugin is a "feature plugin" of WP, it may someday be part of WP Core, and so making sure that WP-Webauthn plays nicely with it I think is important.

WP-WebAuthn breaks the Reset Password page

Reset Password page (typically /wp-login.php?action=rp) is used to set the new password. WP-WebAuthn affects the layout and hides the "Save Password" button, which breaks the functionality.

  • Original:

Screenshot 2023-03-14 17 49 14

  • WP-WebAuthn enabled:

Screenshot 2023-03-14 17 48 44

Feature request - Support word WordPress multi-site

First of all, thank you for the great plugin. Would you consider adding support for WordPress multi-site? It'd be great if WebAuthN support could be set up for all sites on an installation in the network settings tab.

Usernameless

Please how do I disable username to make it usernameless also?

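About HTTPS detection

During deployment,
the following error was reported:

Your site does not appear to be running in a secure context, which prevents WebAuthn from working. Please make sure your site is using an HTTPS connection or is on localhost.

However, I had in fact enabled HTTPS, which was puzzling, so I looked through the plugin's code
and finally found that the problem is the check point $_SERVER['HTTPS'] = 'on';
whereas what I had set was $_SERVER['HTTPS'] = 'ON'; the difference in case caused the plugin's false report.
As for this, maybe it is a problem with my own setup.

Submitting this so that those who come later can avoid a detour.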

Login fail

[2023-06-14 08:31:14][7a5246] PHP Version => 7.4.30, WordPress Version => 6.2.2, WP-WebAuthn Version => 1.2.8
[2023-06-14 08:31:14][7a5246] Current config: first_choice => "true", website_name => "FIDO2pub", website_domain => "dev-fido2testing.pantheonsite.io", remember_me => "false", user_verification => "false", allow_authenticator_type => "none", usernameless_login => "false"
[2023-06-14 08:31:14][7a5246] Logger initialized
[2023-06-14 08:31:20][f1817c] ajax_auth: Start
[2023-06-14 08:31:20][f1817c] ajax_auth: type => "auth", user => "[email protected]"
[2023-06-14 08:31:20][f1817c] ajax_auth: User not exists, create a fake id
[2023-06-14 08:31:20][f1817c] ajax_auth: allowedCredentials => []
[2023-06-14 08:31:20][f1817c] ajax_auth: user_verification => "false"
[2023-06-14 08:31:20][f1817c] ajax_auth: Challenge sent
[2023-06-14 08:31:25][f3751d] ajax_auth_response: Client response received
[2023-06-14 08:31:25][f3751d] ajax_auth_response: type => "auth", user => "[email protected]"
[2023-06-14 08:31:25][f3751d] ajax_auth_response: data => {"id":"GOlDfBHUIZrfNVz7azNPgdYikTiI2n3_So3DCCwaxuexSGnntwzLtuLsoHQIhEmWd0bYRpLKEyMN1ZnHurr5nA","type":"public-key","rawId":"GOlDfBHUIZrfNVz7azNPgdYikTiI2n3/So3DCCwaxuexSGnntwzLtuLsoHQIhEmWd0bYRpLKEyMN1ZnHurr5nA==","response":{"authenticatorData":"1KhIAeSvzmN1mAM379I/36qR60cZpSx5UuOgkGcv7A8FAAAABg==","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiN0dIOWZXUnd1QWc2LTlwTkYyVWQzYUJtSmNQd3VfUmlJckRfeHotVHZSSSIsIm9yaWdpbiI6Imh0dHBzOi8vZGV2LWZpZG8ydGVzdGluZy5wYW50aGVvbnNpdGUuaW8iLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ==","signature":"MEQCICVelH26mdNFZDiK7KYkHd2YrnSBr+MPT+GlHVhguzzWAiAOzPei67Cvl+m2u+G28NPcfKsoVR9Gl65Mln4JVv3y7g==","userHandle":"MTYyOGUzOGVhYzkyZWEyYjdjM2IxM2UyYTMyYzhlNGIyYzYwYTJjMDNjMGZlYWNkZDMzOGJlNjI1MTU4ZjNkZQ=="}}
[2023-06-14 08:31:25][f3751d] ajax_auth_response: (ERROR)Invalid user handle
[2023-06-14 08:31:25][f3751d] Traceback:
1) /code/wp-admin/admin-ajax.php(203): do_action('wp_ajax_nopriv_...')
2) /code/wp-includes/plugin.php(517): WP_Hook->do_action(Array)
3) /code/wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters('', Array)
4) /code/wp-includes/class-wp-hook.php(308): wwa_ajax_auth('')
5) /code/wp-content/plugins/wp-webauthn/wwa-ajax.php(981): Webauthn\Server->loadAndCheckAssertionResponse('{"id":"GOlDfBHU...', Object(Webauthn\PublicKeyCredentialRequestOptions), Object(Webauthn\PublicKeyCredentialUserEntity), Object(Nyholm\Psr7\ServerRequest))
6) /code/wp-content/plugins/wp-webauthn/vendor/web-auth/webauthn-lib/src/Server.php(301): Webauthn\AuthenticatorAssertionResponseValidator->check('\x18\xE9C|\x11\xD4!\x9A\xDF5\\xFBk3O...', Object(Webauthn\AuthenticatorAssertionResponse), Object(Webauthn\PublicKeyCredentialRequestOptions), Object(Nyholm\Psr7\ServerRequest), '8fa2b3855825aa9...', Array)
7) /code/wp-content/plugins/wp-webauthn/vendor/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php(122): Assert\Assertion::eq('1628e38eac92ea2...', '8fa2b3855825aa9...', 'Invalid user ha...')
[2023-06-14 08:31:25][f3751d] ajax_auth_response: (ERROR)Challenge not verified, exit

I have successfully registered a key in my profile and it works under the "verify authenticator option", but when it comes to actual login, it has an error.
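Added example, not part of the original issue or of WP-WebAuthn's code: a triage helper for `ajax_auth_response: data =>` lines like the one in the log above. It decodes clientDataJSON, authenticatorData and userHandle; the base64-decoded userHandle is the hex string that the traceback shows being compared ('1628e38eac92ea2...'). The function names, the host wp.example.test and every sample value are constructed for the demonstration.

```python
import base64
import hashlib
import json
import re

# Shape of a WP-WebAuthn debug-log entry as posted in the issues above:
#   [YYYY-MM-DD HH:MM:SS][request-id] handler: data => {json}
LINE_RE = re.compile(r"^\[[^\]]+\]\[[0-9a-f]+\] (\w+): data => (\{.*\})\s*$")


def b64_any(value):
    """Decode standard or URL-safe base64, padded or not (the log mixes both)."""
    value = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def triage_assertion(line, rp_id, origin, expected_user_handle):
    """Decode one logged assertion; return (summary dict, list of findings)."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError("not a 'data =>' log line")
    data = json.loads(match.group(2))
    resp = data["response"]
    client = json.loads(b64_any(resp["clientDataJSON"]))
    auth_data = b64_any(resp["authenticatorData"])
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    # authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big endian)
    flags = auth_data[32]
    handle = b64_any(resp.get("userHandle") or "").decode("utf-8", "replace")
    summary = {
        "handler": match.group(1),
        "type": client.get("type"),
        "origin": client.get("origin"),
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
        "user_handle": handle,
    }
    findings = []
    if summary["type"] != "webauthn.get":
        findings.append("clientData type is not webauthn.get")
    if summary["origin"] != origin:
        findings.append("origin differs from the site origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash does not match sha256(rp_id)")
    if b64_any(data["id"]) != b64_any(data["rawId"]):
        findings.append("id and rawId decode to different bytes")
    if handle and handle != expected_user_handle:
        findings.append("userHandle differs from the handle expected for this login")
    return summary, findings


def constructed_log_line(user_handle="a" * 64, rp_id="wp.example.test"):
    """Build a sample log line; every value in it is constructed for the demo."""
    def enc(raw):
        return base64.b64encode(raw).decode()

    client = {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ",
              "origin": "https://wp.example.test"}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05]) + (6).to_bytes(4, "big"))
    cred = b"\xfb\xef\xbe constructed-id"  # encodes with '+' vs '-' variants
    data = {
        "id": base64.urlsafe_b64encode(cred).decode().rstrip("="),
        "type": "public-key",
        "rawId": enc(cred),
        "response": {
            "authenticatorData": enc(auth_data),
            "clientDataJSON": enc(json.dumps(client).encode()),
            "signature": enc(b"constructed-signature"),
            "userHandle": enc(user_handle.encode()),
        },
    }
    return ("[2023-06-14 08:31:25][f3751d] ajax_auth_response: data => "
            + json.dumps(data))


if __name__ == "__main__":
    # The credential's handle ("1" * 64) is not the one the server expects.
    summary, findings = triage_assertion(
        constructed_log_line(user_handle="1" * 64),
        rp_id="wp.example.test",
        origin="https://wp.example.test",
        expected_user_handle="8" * 64,
    )
    print(summary)
    print(findings)
```

Passing the plugin's configured `website_domain` as `rp_id` also surfaces a domain mismatch, since the first 32 bytes of authenticatorData are the SHA-256 of the RP ID.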

Login shortcode and gutenberg block not working

Hello, first of all, love your work.

On to my issue, my passwordless login works like a charm on my pc through default login form.
The issue is that the login forms I tried creating with the provided shortcodes and Gutenberg blocks for my users that will register their custom roles through Ultimate Member don't work. Specifically the login block: when I press the "Auth" button nothing happens. I tried putting them in a custom popup (both shortcode and Gutenberg block) and on a normal WordPress page. Other shortcodes (Register Form, Verify Button, Authenticator List) seem to work without issues and I can register an authenticator and verify it is working, but when I use the Login Form and press "Auth" nothing happens and nothing is logged in the log. Could you verify this behaviour?

thanks in advance.

PS: Is it possible to translate part of visible text to users?

Unable to Log In

I see a few similar issues here, but none seem to have a resolution. The log shows that authentication was successful, but the result was a failure. I am able to verify authenticator successfully. Below is redacted log. I'm also attaching the network output from browser dev tools.

[2024-02-06 23:55:05][d17710] ajax_auth: Start
[2024-02-06 23:55:05][d17710] ajax_auth: email_login => "true", trying to find user by email address "[email protected]"
[2024-02-06 23:55:05][d17710] ajax_auth: type => "auth", user => "[email protected]"
[2024-02-06 23:55:05][d17710] ajax_auth: allowedCredentials => [{"type":"public-key","id":[Redacted]},{"type":"public-key","id":[Redacted]}]
[2024-02-06 23:55:05][d17710] ajax_auth: user_verification => "false"
[2024-02-06 23:55:05][d17710] ajax_auth: Challenge sent
[2024-02-06 23:55:08][3d75cb] ajax_auth_response: Client response received
[2024-02-06 23:55:08][3d75cb] ajax_auth_response: type => "auth", user => "[email protected]"
[2024-02-06 23:55:08][3d75cb] ajax_auth_response: data => {"id":"pQKZFy4IQc66Dnk-GtgsAkeACusyTzf37f83UhQUlMA","type":"public-key","rawId":"[Redacted]","signature":[Redacted]}}
[2024-02-06 23:55:08][3d75cb] ajax_auth_response: Challenge verified
[2024-02-06 23:55:08][3d75cb] ajax_auth_response: Log in user => "[email protected]"
sevenfeetundercreations.com.json

Disable Username Field

It would be great if I could disable the username field, as every browser I've tested works without entering it.

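How to log in after losing the security key

I recently lost my yubikey by accident, and the account was set to allow login only with a security key. I don't know which files to modify in order to undo this.

I am currently using the BaoTa panel; can I simply delete the plugin directory?

PS. I'm at school, so I may not be able to reply promptly.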

Not allowed to view settings page as admin

Hi, running wp-webauthn 1.2.6 just fine. However, when I try to visit: wp-admin/options-general.php?page=wwa_admin I get Sorry, you are not allowed to access this page.

I AM logged in as Administrator and using the PublishPress Capabilities plugin I have verified that my user has the edit_plugins capability just fine. Is there anything I have been overlooking?

Login Fails but Authenticator Verification Works

One of my more complex client sites is in the situation where the "Verify Authenticator" button in the user profile works fine, but the actual auth to login fails with the Auth failed message. This is a membership site that uses Paid Memberships Pro currently under development at a temporary subdomain. When I try on a test site with a more vanilla install of Paid Memberships Pro this works fine. Switching settings to use the normal domain in webauthn settings doesn't work, so I assume that needs to be the temporary domain for now, but then again I get this error either way. The site does also have a custom-built SMS login method plugin I wrote, but webauthn fails regardless if that plugin is active or not so I can't imagine it is at fault. I notice that when auth is failing there are no log entries in the webauthn log, but a verification's logs are:

[2024-02-03 17:20:13][0f2bf5] PHP Version => 8.1.27, WordPress Version => 6.4.3, WP-WebAuthn Version => 1.3.1
[2024-02-03 17:20:13][0f2bf5] Current config: first_choice => "false", website_name => "REDACTED", website_domain => "new.REDACTED.net", remember_me => "false", email_login => "false", user_verification => "false", allow_authenticator_type => "none", usernameless_login => "false", password_reset => "off", after_user_registration => "none"
[2024-02-03 17:20:13][0f2bf5] Logger initialized
[2024-02-03 17:27:38][75d797] ajax_auth: Start
[2024-02-03 17:27:38][75d797] ajax_auth: type => "test", user => "alex", usernameless => "false"
[2024-02-03 17:27:38][75d797] ajax_auth: allowedCredentials => [{"type":"public-key","id":REDACTED}]
[2024-02-03 17:27:38][75d797] ajax_auth: user_verification => "false"
[2024-02-03 17:27:38][75d797] ajax_auth: Challenge sent
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: Client response received
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: type => "test", user => "alex"
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: data => {"id":REDACTED,"type":"public-key","rawId":REDACTED"response":{"authenticatorData":REDACTED,"clientDataJSON":REDACTED,"signature":REDACTED,"userHandle":REDACTED}}
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: Challenge verified

When the login fails the only thing in the javascript console appears to be the entire HTML of the login page being printed as a warning followed by:

(anonymous) @ login.js?ver=1.3.1:307
xmlHttpReq.onreadystatechange @ login.js?ver=1.3.1:18
XMLHttpRequest.send (async)
get @ login.js?ver=1.3.1:15
check @ login.js?ver=1.3.1:300

Ordinary username or email and password login works fine, as does my SMS login, and on both this and the more vanilla site I have Two Factor running and working fine.

Any idea what is going wrong or where further to look to figure this out?
