Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement 2FA authentication #1054

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Implement 2FA authentication #1054

wants to merge 10 commits into from

Conversation

ner00
Copy link
Contributor

@ner00 ner00 commented Jun 10, 2023
edited
Loading

  • Requires 2FA library based on Google implementation, currently loaded as an external resource (2fa.lib.php).
  • Also uses a flavor of qrcodejs to generate scannable-secrets as QR codes, can also use online APIs for that.
  • Mapped toggle to settings where admin can toggle 2FA on/off.
  • If enabled, first login will generate a QR code that must be scanned and saved by the user and a secret that must be added to TFM $otp_secrets array.

All resources can be tailored and/or be embedded; decided against it since there is no big difference and also because many people may not want to use 2FA, in which case they won't be bothered by extra resources being loaded online or offline.

Everything should be compatible with PHP 5.5+

@ner00 ner00 mentioned this pull request Jun 10, 2023
Open
@prasathmani
Copy link
Owner

It is deviating from the core, TFM is single file manager to make easier to end user to use. Will keep this PR open, it will be useful for someone. @ner00 Thank you for the PR

@ner00
Copy array entry on click
cd25e9e 
- Added JavaScript function to auto-select the OTP secret array entry and copy it to the clipboard on click;

- Trimmed down some of the JS code by removing indentation and packing it in one line; this makes it slightly less readable but also keeps it from taking so much vertical space.

- Some minor adjustments.
@ner00
Remove redundant code
f2edf74
@davidtaubmann
Copy link

Maybe an easier and shorter 2FA implementation could be integrated in TFM, by sending a code over email through a valid SMTP indicated in the configuration. To avoid the need of saving anything, the code sent could be based on the server name, the password and it's validity time frame.

@ner00
Copy link
Contributor Author

ner00 commented Jun 15, 2023
edited
Loading

This idea of sending an OTP code through e-mail sounds simple, but if put into practice probably not so much- even though it has some advantages, like not needing a dedicated device to store the code.

The OTP code itself doesn't really need to rely on any tangible information whatsoever, as long as the user login is valid, the server could rand() a number of a given length and store that in $_SESSION, possibly along with its validity. But then you actually have to send it.

The first dependency is an e-mail address; fair enough, everyone has one, but now you need to store e-mail addresses inside TFM script, not the end of the world just yet though... The second dependency, and this is the biggest one, is the e-mail server itself. We can't simply rely on the server hosting TFM and assume that it is capable of using mail() directly, so then we'd have to think of how to use a third-party SMTP server, and as far as I know we'd need PHPmailer for that, or reinvent the wheel and implement an SMTP library from the ground up.

So, while the idea does seem appealing at first glance, it becomes less so the more you think about the implementation itself.

@marsteel
Copy link

it is better to use reverse proxy for advanced authentication

@ner00
Copy link
Contributor Author

ner00 commented Aug 12, 2024

it is better to use reverse proxy for advanced authentication

Submit a PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ner00 @prasathmani @davidtaubmann @marsteel