fix: disallow users with 2FA enabled to access WebDAV
WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't access WebDAV using only a password. Although this can be manually solved by changing user permissions, Alist doesn't support changing the permissions of the admin.
BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.
The purpose of multi-factor authentication, in my opinion, is to protect administrative privileges and sensitive information stored in the backend, such as keys.
I believe that forcibly disabling WebDAV is unacceptable. If the goal is to enhance security, the standard approach is to allow users to set a separate password for WebDAV. Currently, administrators can achieve this by creating a low-privileged, standalone account with a separate password as an alternative solution.
If the goal is to enhance security, the standard approach is to allow users to set a separate password for WebDAV.
I think the standard approach is to allow users to set a separate password for WebDAV, too.
Currently, administrators can achieve this by creating a low-privileged, standalone account with a separate password as an alternative solution.
But the administrator's WebDAV access can't be disabled. It's hard-coded. So there is no way to let the administrator set a separate password for WebDAV.
The purpose of multi-factor authentication, in my opinion, is to protect administrative privileges and sensitive information stored in the backend, such as keys.
I think the storage is also sensitive information. After all, it's a cloud drive, which can store a lot of private data.
So I think WebDAV should not be accessed by users with 2FA enabled. Any access by any user (including admin and normal users) should fully satisfy their authentication configuration. They can create separate users with different (and more secure) passwords to access WebDAV.
Maybe I should add a setting for this, like the sign all feature?
I have no right to decide if the changes in this PR can be merged. But adding a backend toggle or a configuration field is indeed a more acceptable solution for me.
I suggest directly adding a separate password mechanism. I guess making this change won't be much harder than adding a button.
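The two positions in the thread can be combined into one policy: a user with 2FA enabled can never reach WebDAV with the interactive password (the PR's intent), but may set a distinct WebDAV-only password (the separate-password mechanism suggested above). The following is an added example in Go, not alist's own code; the `User` record, `hashPw`, `authorizeWebDAV` and `webdavAuth` are hypothetical names, and SHA-256 stands in for a real password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
)

// Hypothetical user record with only the fields this example needs (not alist's model).
type User struct {
	PasswordHash [32]byte  // interactive (web UI) password
	OtpSecret    string    // non-empty: 2FA is enabled for the web UI
	WebDAVHash   *[32]byte // separate WebDAV-only password; nil when none has been set
}

// hashPw stands in for a real slow password hash (bcrypt/argon2 in production).
func hashPw(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }
func equal(a, b [32]byte) bool { return subtle.ConstantTimeCompare(a[:], b[:]) == 1 }

// Thread policy: Basic auth carries no second factor, so with 2FA on the interactive
// password is never accepted for WebDAV; a distinct WebDAV password must be set.
func authorizeWebDAV(u *User, pw string) (ok bool, reason string) {
	if u.OtpSecret == "" {
		return equal(u.PasswordHash, hashPw(pw)), "primary password"
	}
	if u.WebDAVHash == nil {
		return false, "2FA enabled and no WebDAV password set"
	}
	if equal(u.PasswordHash, hashPw(pw)) {
		return false, "2FA enabled; interactive password rejected for WebDAV"
	}
	return equal(*u.WebDAVHash, hashPw(pw)), "webdav password"
}
// webdavAuth gates a WebDAV handler with authorizeWebDAV and logs every denial.
func webdavAuth(users map[string]*User, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, pw, ok := r.BasicAuth()
		if u := users[name]; ok && u != nil {
			allowed, why := authorizeWebDAV(u, pw)
			if allowed {
				next.ServeHTTP(w, r)
				return
			}
			log.Printf("webdav denied for %q: %s", name, why)
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="WebDAV"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}
```

Because the admin account goes through the same check as everyone else, the hard-coded admin WebDAV access described above no longer bypasses 2FA.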