forum.beginner.center/:1 Mixed Content: The page at 'https://forum.beginner.center/' was loaded over HTTPS, but requested an insecure font 'http://forum.beginner.center/fonts/JetBrainsMono-Regular.woff2?v=0.0.19'. This request has been blocked; the content must be served over HTTPS.
forum.beginner.center/:1 Mixed Content: The page at 'https://forum.beginner.center/' was loaded over HTTPS, but requested an insecure font 'http://forum.beginner.center/fonts/JetBrainsMono-Bold.woff2?v=0.0.19'. This request has been blocked; the content must be served over HTTPS.
app.js:270 ℹ️ Discourse v3.5.0.beta9-dev — https://github.com/discourse/discourse/commits/33dfd7dba9 — Ember v5.12.0
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-4YvvTZffYuqGaENC8DnQ7yeNg' 'strict-dynamic'".
analytics.eu.umami.is/script.js:1 Failed to load resource: net::ERR_CONNECTION_CLOSED
Tracking Prevention blocked access to storage for <URL>.
deprecated.js:62 Deprecation notice: Setting timezone property of user object is deprecated. Use user_option object instead [deprecated since Discourse 2.9.0.beta12] [removal in Discourse 3.0.0.beta1] [deprecation id: discourse.user.userOptions]
a @ deprecated.js:62
security:1 Autofocus processing was blocked because a document already has a focused element.
completion_list.html:14 GET chrome-extension://mfbcdcnpokpoajjciilocoachedjkima/heuristicsRedefinitions.js net::ERR_FILE_NOT_FOUND
completion_list.html:13 GET chrome-extension://mfbcdcnpokpoajjciilocoachedjkima/extensionState.js net::ERR_FILE_NOT_FOUND
completion_list.html:12 GET chrome-extension://mfbcdcnpokpoajjciilocoachedjkima/utils.js net::ERR_FILE_NOT_FOUND
ajax.js:188 POST https://forum.beginner.center/u/register_passkey.json 401 (Unauthorized)
send @ jquery.js:9940
ajax @ jquery.js:9521
o @ ajax.js:188
(匿名) @ rsvp-DaQAFb0W.js:435
e @ rsvp-DaQAFb0W.js:451
A @ ajax.js:201
registerPasskey @ user.js:650
createPasskey @ user-passkeys.gjs:86
await in createPasskey
didConfirm @ user-passkeys.gjs:140
didConfirmWrapped @ dialog.js:134
_join @ index.js:788
join @ index.js:605
p @ index.js:152
(匿名) @ index.js:250
submit @ confirm-session.gjs:84
await in submit
(匿名) @ d-button.gjs:138
invoke @ index.js:264
flush @ index.js:180
flush @ index.js:334
_end @ index.js:762
end @ index.js:565
_runExpiredTimers @ index.js:869
setTimeout
setTimeout @ index.js:39
_installTimerTimeout @ index.js:912
_later @ index.js:823
later @ index.js:652
T @ index.js:562
_triggerAction @ d-button.gjs:135
click @ d-button.gjs:93
user-passkeys.gjs:104 {jqXHR: {…}, textStatus: 'error', errorThrown: ''}
  errorThrown: ""
  jqXHR:
    jqTextStatus: "error"
    readyState: 4
    requestedUrl: "/u/register_passkey.json"
    responseJSON: {errors: Array(1)}
    responseText: "{\"errors\":[\"The origin of the authentication request does not match the server origin.\"]}"
    status: 401
    statusText: "error"
  textStatus: "error"
createPasskey @ user-passkeys.gjs:104
await in createPasskey
didConfirm @ user-passkeys.gjs:140
didConfirmWrapped @ dialog.js:134
_join @ index.js:788
join @ index.js:605
p @ index.js:152
(匿名) @ index.js:250
submit @ confirm-session.gjs:84
await in submit
(匿名) @ d-button.gjs:138
invoke @ index.js:264
flush @ index.js:180
flush @ index.js:334
_end @ index.js:762
end @ index.js:565
_runExpiredTimers @ index.js:869
setTimeout
setTimeout @ index.js:39
_installTimerTimeout @ index.js:912
_later @ index.js:823
later @ index.js:652
T @ index.js:562
_triggerAction @ d-button.gjs:135
click @ d-button.gjs:93
Make sure your site is configured to serve everything over https. Verification of the passkey challenge requires all requests to go over https. The domain must also match exactly between the browser and the server. If there is a mismatch anywhere, verification will fail.
We have a setting for this, force_https, that you can try. It may help (but be careful, it can also lock you out if the server is not configured correctly).
Sorry for the delay. The problem here does indeed have to do with your proxy. I can't say exactly what it is, but one of the domain names, protocols (http or https) and ports is getting in the way.
Passkeys verify that the frontend and backend both run on the same domain, protocol and port. If any of these does not match, you get an error like this one.
Can you try the following in the Rails CLI:
DiscourseWebauthn.origin
and compare it with the URL you use to open the site in the browser? The two should match.
As far as I understand the Webauthn Standard for Passkey, it relies on a secure connection between the Relying Party (Discourse) and the Client (Browser or mobile device) and the Authenticator (e.g. a yubikey). Thus we need https for the communication coming from the Discourse application. Forcing https may be the solution, but just a header for
proxy_set_header X-Forwarded-Proto https;
could also be enough. If forcing of https helps (which is recommended anyway), all is fine.
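
The origin comparison the replies above describe, as an added Ruby example that is not Discourse's code or any poster's: the browser records the origin it loaded the page from in clientDataJSON, and the server compares it with the origin it believes it has. The `server_origin` model (force_https first, then X-Forwarded-Proto, then the proxy-to-app scheme), the helper names and the host `forum.example.test` are assumptions made for illustration.

```ruby
require "json"

# Hypothetical model (not Discourse code) of how an app behind a TLS-terminating
# proxy decides its own origin. Assumption: force_https wins, then the
# X-Forwarded-Proto header, then the scheme of the proxy-to-app hop.
def server_origin(host:, hop_scheme: "http", forwarded_proto: nil, force_https: false, port: nil)
  scheme = force_https ? "https" : (forwarded_proto || hop_scheme)
  default_port = { "http" => 80, "https" => 443 }.fetch(scheme)
  port.nil? || port == default_port ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
end

# base64url without padding, the encoding WebAuthn uses for clientDataJSON.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text + "=" * (-text.length % 4)).tr("-_", "+/").unpack1("m")
end

# What the browser produces during registration: it records the origin it
# actually loaded the page from, which the server cannot influence.
def client_data_json(origin:, challenge:)
  b64url_encode(JSON.generate(type: "webauthn.create", challenge: challenge, origin: origin))
end

# Server-side check: challenge and origin must both match exactly.
def verify_client_data(encoded, expected_origin:, expected_challenge:)
  data = JSON.parse(b64url_decode(encoded))
  return [401, "challenge mismatch"] unless data["challenge"] == expected_challenge
  unless data["origin"] == expected_origin
    return [401, "origin mismatch: browser=#{data["origin"]} server=#{expected_origin}"]
  end
  [200, "ok"]
end

# Constructed sample values (forum.example.test is a placeholder host).
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"
BROWSER_DATA = client_data_json(origin: "https://forum.example.test", challenge: CHALLENGE)

def check(**proxy_settings)
  verify_client_data(BROWSER_DATA,
                     expected_origin: server_origin(host: "forum.example.test", **proxy_settings),
                     expected_challenge: CHALLENGE)
end

if __FILE__ == $PROGRAM_NAME
  p check()                                      # proxy forwards no scheme
  p check(forwarded_proto: "https")              # proxy_set_header X-Forwarded-Proto https;
  p check(force_https: true)                     # scheme forced on the app side
  p check(forwarded_proto: "https", port: 8443)  # port disagreement
end
```

The first and last cases fail for the reason named in the 401 response in the log: scheme or port on the server side differs from what the browser saw, even though the host is identical.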