WebAuthn failure on HTTP instance with a custom domain #33615

Closed
@micah686

Description

Tested on gitea/gitea:1.23.2 and gitea/gitea:latest.
I have this config:

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = server.mydomain.lan
SSH_DOMAIN = server.mydomain.lan
HTTP_PORT = 3000
ROOT_URL = http://server.mydomain.lan:3000/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = MY_SECRET_KEY
OFFLINE_MODE = true

However, whenever I go to the sign-in page, I get the following error:

Could not read your security key.
WebAuthn only supports secure connections. For testing over HTTP, you can use the origin "localhost" or "127.0.0.1"

This only happens when HTTPS was disabled. I thought it might have been something with the data in my Gitea instance, or my Postgres database, so I tested by recreating a Gitea server on a different machine, and added a test repo. Then, once I brought all of the Gitea files and the database over again (using Docker, but data is stored locally), I tried logging in as localhost. Localhost worked just fine.
However, when I changed the DOMAIN, SSH_DOMAIN, and ROOT_URL, I got the security key error.

Gitea Version

1.23.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/micah686/15facf90586cfe7349aeefa2fced4597

Git Version

2.47.2

Operating System

Host OS: Windows 10. Using the gitea/gitea:1.23.2 image

How are you running Gitea?

I am running Windows 10 and Docker Desktop. I am using Docker Compose to spin up Gitea.

services:
  gitea:
    image: gitea/gitea:1.23.2
    environment:
      - DB_TYPE=postgres
      - DB_HOST=db:5432
      - DB_NAME=DB_USERNAME
      - DB_USER=DB_USERNAME
      - DB_PASSWD=DB_PASSWORD
      - GITEA__cache__ENABLED=true
      - GITEA__cache__ADAPTER=redis
      - GITEA__cache__HOST=redis://gitea-cache:6379/0?pool_size=100&idle_timeout=180s
      - GITEA__cache__ITEM_TTL=24h      
    restart: always
    volumes:
      - ./git_data:/data
    ports:
      - 3000:3000
  db:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=DB_USERNAME
      - POSTGRES_PASSWORD=DB_PASSWORD
      - POSTGRES_DB=gitea
    restart: always
    ports:
      - 5432:5432    
    volumes:
      - ./db_data:/var/lib/postgresql/data
  redis:
    image: redis:6-alpine
    restart: unless-stopped 
    container_name: gitea-cache
    ports:
      - "6379:6379"  

Database

PostgreSQL
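
Added example (not part of the original report and not Gitea code): browsers expose WebAuthn only in a secure context, and this sketch approximates the W3C "potentially trustworthy origin" test against a ROOT_URL read from an app.ini-style [server] section. The function names are hypothetical, the sample inputs are constructed from the config above, and it assumes the instance is browsed at its ROOT_URL.

```javascript
// Added example: approximates the W3C Secure Contexts "potentially trustworthy
// origin" test. Function names are hypothetical, not Gitea code.

// Pull ROOT_URL out of the [server] section of app.ini-style text.
function readRootUrl(iniText) {
  let section = "";
  for (const raw of iniText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim().toLowerCase(); continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && section === "server" && kv[1].trim() === "ROOT_URL") return kv[2].trim();
  }
  return null;
}

// HTTPS is trusted; over plain HTTP only loopback names and addresses are.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  const host = u.hostname.replace(/\.$/, "");
  if (u.protocol === "https:") return true;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  return host === "[::1]";
}

function diagnose(iniText) {
  const rootUrl = readRootUrl(iniText);
  if (rootUrl === null) {
    return { rootUrl, webauthnUsable: false, reason: "no ROOT_URL in [server]" };
  }
  const ok = isPotentiallyTrustworthy(rootUrl);
  return {
    rootUrl,
    origin: new URL(rootUrl).origin,
    webauthnUsable: ok,
    reason: ok ? "secure context" : "plain HTTP on a non-loopback host",
  };
}

// Constructed sample inputs based on the config in the report.
const reported = "[server]\nDOMAIN = server.mydomain.lan\nROOT_URL = http://server.mydomain.lan:3000/\n";
const loopback = "[server]\nROOT_URL = http://localhost:3000/\n";
console.log(diagnose(reported)); // webauthnUsable: false
console.log(diagnose(loopback)); // webauthnUsable: true
```

Serving the instance over HTTPS and setting ROOT_URL to the https:// address makes the custom domain a secure context.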
