feat: Add TOTP Two-Factor Authentication (2FA) Feature #3885
base: master
- add pquerna/otp package
- add TOTP fields to User and Server structs
- add TOTP common error
- add symmetric (de)encryption and TOTP code validator function
- add TOTP token expiration time default and update the GetTokenExpirationTime function in settings package
- update loginResponse struct and loginHandler
- add TOTPEnabled field to userInfo struct
- add verifyTOTPHandler to verify TOTP codes
- add withTOTP middleware
- update getUserID and userGetHandler to remove TOTP fields like password
- add userEnableTOTPHandler to initiate TOTP setup
- add userGetTOTPHandler and userDisableTOTPHandler for management
- add userCheckTOTPHandler to check TOTP setup
- add OTP modal component with its css file
- add Profile2FA component for 2FA section in settings page
- add @scure/base package to encode OTP secrets in Base32, enabling alternative import options for authenticator apps
- add new phrases to the en.json localization file
- add OTP APIs
- add OTP prompt to Login page
- add Profile2FA to Profile page
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This is a nice feature, looking forward to its merge.
When can this be merged? I'm looking forward to this feature.
@MACFORNAME this is quite a large feature and this project is currently in maintenance mode. To learn what it means, please check the readme and the linked resources: https://github.com/filebrowser/filebrowser#project-status
This PR implements Time-Based One-Time Password (TOTP) 2FA for FileBrowser, enhancing user security by requiring a verification code during login for users with 2FA enabled. It addresses multiple community requests for 2FA support.
Closes #286
Closes #1674
Closes #1827
Closes #2504
Closes #3371
Closes #3800
Description
The TOTP 2FA feature allows users to enable 2FA in their profile settings, scan a QR code or enter a Base32-encoded secret in an authenticator app (e.g., Google Authenticator), and verify codes at login. The flow is:
Further comments
2FA could be handled by reverse proxies like oauth2-proxy or authelia, but this feature simplifies setup without requiring nginx/Apache knowledge.
New options
To enable TOTP, you must configure a 32-byte encryption key in your configuration file.
Generate a cryptographically secure 32-byte Base64-encoded key with this command:
The TOTP token expiration (default: 2 minutes) defines the validity window after initial authentication. Configure this via:
- totp-token-expiration-time option in CLI
- totp > token > expiration > time in config file
New dependencies
- pquerna/otp on the back-end for TOTP handling
- @scure/base on the front-end for base32 encoding of TOTP secret
Localization
Added phrases to en.json but not other languages. Seek community help to translate phrases.
Improvements
/api/users/{id}/otp/check to prevent brute-force attacks.
Documentation
While reviewing the documentation, I identified areas for improvement. Could you guide me to the documentation source (e.g., wiki repository) so I may submit updates?
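The verification step the description outlines (a Base32 secret shared with an authenticator app, a 6-digit code checked at login with a little clock-skew tolerance), as an added example using only the Go standard library. This is not the PR's code, which relies on pquerna/otp; the function names are my own, and the 30 s step, SHA1 and 6 digits are the RFC 6238 defaults authenticator apps assume.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// hotpCode is the RFC 4226 truncation over HMAC-SHA1 for one counter value;
// TOTP (RFC 6238) feeds it counter = unixTime / 30. SHA1, a 30 s step and
// 6 digits are the defaults authenticator apps assume.
func hotpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// validTOTP accepts the code for the current 30 s step or one step either
// side (clock skew) and checks every candidate in constant time, so the
// comparison leaks nothing about which digits matched.
func validTOTP(secret []byte, code string, now time.Time) bool {
	step := uint64(now.Unix() / 30)
	match := 0
	for _, c := range []uint64{step - 1, step, step + 1} {
		match |= subtle.ConstantTimeCompare([]byte(hotpCode(secret, c)), []byte(code))
	}
	return match == 1
}

// base32Secret renders the raw secret as the unpadded Base32 string a user
// types into an authenticator app when the QR code cannot be scanned.
func base32Secret(secret []byte) string {
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
}

func main() {
	// Constructed demo secret: the RFC 4226/6238 test-vector key.
	secret := []byte("12345678901234567890")
	fmt.Println(base32Secret(secret), hotpCode(secret, 1))
}
```

Rate limiting on the check endpoint, as the PR mentions, is a separate control; a deployment should also refuse a code that was already accepted within the same step, since a skew window otherwise lets one observed code be replayed.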