gitea icon indicating copy to clipboard operation
gitea copied to clipboard

Published 20 hours ago verified publisher icon go-gitea

(Discontinued) Enforce two-factor authentication

Open wxiaoguang opened this issue 4 years ago • 7 comments
trafficstars

Disclaimer: Since this PR doesn't seem to be merged easily (https://github.com/go-gitea/gitea/issues/13606#issuecomment-947320267), and much more work need to do.

I just keep this PR for my personal usage, and update it with main branch regularly.

Anyone who want to continue the work for Enforced 2FA can pick this PR or start a new one.

  • https://github.com/go-gitea/gitea/issues/880

Design:

  1. A global setting security.ENFORCE_TWO_FACTOR_AUTH.
  2. A user without 2FA can login and may explore, but can NOT read or write to any repositories.
  3. Keep things as simple as possible.

wxiaoguang avatar Aug 30 '21 16:08 wxiaoguang

How did you control the permssion?

lunny avatar Aug 31 '21 06:08 lunny

How did you control the permssion?

I just studied the logic of IsRestricted. For my understanding, the key points of permission control are accessLevel and HasAccess->getUserRepoPermission. In these two functions, if GetTwoFactorByUID fails, the return value is AccessModeNone to reject user access.

And unit tests are also updated with 2FA cases.

More thoughts: why are the RepoList related functions not changed: as long as a user without 2FA will setup 2FA soon and then can access to the repositories, listing repositories before 2FA setup can not be a security problem. So I think it's good to keep these logics simple.

wxiaoguang avatar Aug 31 '21 06:08 wxiaoguang

Codecov Report

Merging #16880 (103f4fc) into main (0c8ce71) will decrease coverage by 0.16%. The diff coverage is 40.81%.

@@            Coverage Diff             @@
##             main   #16880      +/-   ##
==========================================
- Coverage   47.16%   47.00%   -0.17%     
==========================================
  Files        1017     1017              
  Lines      138119   138160      +41     
==========================================
- Hits        65147    64937     -210     
- Misses      65030    65299     +269     
+ Partials     7942     7924      -18
Impacted Files Coverage Δ
modules/translation/i18n/i18n.go 100.00% <ø> (ø)
services/auth/session.go 71.42% <ø> (ø)
routers/web/user/setting/security/2fa.go 12.50% <8.33%> (-0.21%) :arrow_down:
routers/web/auth/auth.go 27.16% <20.00%> (+<0.01%) :arrow_up:
models/perm/access/access.go 61.43% <25.00%> (-1.23%) :arrow_down:
modules/translation/translation.go 47.40% <36.36%> (-2.21%) :arrow_down:
models/perm/access/repo_permission.go 52.63% <100.00%> (+0.84%) :arrow_up:
modules/context/context.go 66.73% <100.00%> (+0.27%) :arrow_up:
modules/setting/setting.go 49.65% <100.00%> (+0.06%) :arrow_up:
modules/translation/i18n/localestore.go 83.14% <100.00%> (ø)
... and 28 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

codecov-commenter avatar Sep 01 '21 07:09 codecov-commenter

Maybe we could split it as two PRs, one is always requiring login with 2FA, another is changing the runtime permissions when login with 2fa or password only.

lunny avatar Oct 21 '21 12:10 lunny

There are new commits to this, is it still discontinued, or is it now a WIP?

Edit: nvm. I should've read the description

techknowlogick avatar Dec 06 '21 05:12 techknowlogick

Does this affect the first admin user registry?

lunny avatar Aug 10 '22 09:08 lunny

Discontinued (due to https://github.com/go-gitea/gitea/issues/13606#issuecomment-947320267), I won't spend time on it.

I am still keeping updating my 2FA branch with main branch, and I am still using it in my instance.

wxiaoguang avatar Aug 10 '22 10:08 wxiaoguang