Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Login 2fa (totp) #1680

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Login 2fa (totp) #1680

wants to merge 7 commits into from

Conversation

riccardobl
Copy link
Member

Description

Add optional TOTP 2fa for login.
Partially solves: #1439

Screenshots

Screenshot_20241204_155305
Screenshot_20241204_153539

Additional Context

next-auth does not support 2fa natively.
There are several ways to implement it, but i've come up with this custom solution that is tailored to sn.

The goals of this implementation are:

  • don't make it feel like an hack
    • don't ask for TOTP before the login (eg. enter the totp code if you have one)
    • don't ask the user to login twice
  • make it work for every present and future credential provider
  • use graphql apis like the rest of the site
  • don't mess with next-auth internals
  • make it extensible for other 2fa methods

To achieve this i've implemented 2fa as two middlewares:

  • pageGuard: that redirects the user to the 2fa prompt
  • sessionGuard: that forces the session to 'anon' until 2fa is resolved

Most of the logic is contained in /lib/auth2fa

As reference i've used the github 2fa flow.

Checklist

Are your changes backwards compatible? Please answer below:
yes

On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
6

For frontend changes: Tested on mobile, light and dark mode? Please answer below:
not yet

Did you introduce any new environment variables? If so, call them out explicitly here:
no

@socket-security Socket Security
Copy link

socket-security bot commented Dec 4, 2024
edited
Loading

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] None 0 694 kB hectormolinero

View full report↗︎

riccardobl
riccardobl commented Dec 4, 2024
View reviewed changes
lib/auth2fa.js
export function generateTotpSecret ({ label = 'stacker.news - login' }) {
const totp = getTotp({ label })
return {
base32: totp.secret.base32,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this one is the setup-key in google authenticator

@riccardobl riccardobl added feature new product features that weren't there before auth labels Dec 4, 2024
@riccardobl riccardobl mentioned this pull request Dec 5, 2024
Open
@riccardobl riccardobl marked this pull request as ready for review December 19, 2024 09:19
huumn
huumn reviewed Dec 29, 2024
View reviewed changes
Copy link
Member

@huumn huumn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the design goals of this and the code looks pretty straightforward.

This will need very careful focused review and QA from both @ekzyis and I. At least on my part, I likely won't get to deep review until after jan 3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@huumn huumn huumn left review comments

Assignees
No one assigned
Labels
auth feature new product features that weren't there before
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@riccardobl @huumn