
Two Factor Authentication / 2FA with TOTP

Open TCB13 opened this issue 3 years ago • 77 comments

Hello,

As requested multiple times before, but closed due to the project changing owners, etc., here I am requesting once again a method for optional 2FA TOTP for user login.

How I envision it working:

  • Add an option so TOTP 2FA can be enabled for users;
  • Generate a QR code for each account;
  • Users scan the QR code into their phones with a TOTP compatible App such as Google Authenticator;
  • On login users must provide username + password + temporary code.

Libraries:

  • https://github.com/pquerna/otp

Previously mentioned at:

  • https://github.com/filebrowser/filebrowser/issues/286
  • https://github.com/filebrowser/filebrowser/issues/1674

Thank you.

TCB13 avatar Feb 15 '22 18:02 TCB13
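The four bullets above describe the whole flow, so here is an added Go example of it, written for this page and not taken from filebrowser or from the pquerna/otp library linked above. It uses only the standard library: generate a secret, build the otpauth:// URI that becomes the QR code, and verify a submitted code at login. The issuer "File Browser", the account "alice" and the SHA-1 / 6 digits / 30 s parameters are assumptions (they are the defaults Google Authenticator expects). It also does two things the bullets do not mention but any login handler needs: it compares codes in constant time, and it refuses a code for a time step that has already been accepted, so a code captured from one login cannot be replayed inside its 30-second window. The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors for the secret `12345678901234567890`.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Assumed login parameters: the SHA-1 / 6 digits / 30 s defaults most apps use.
const (
	loginDigits = 6
	period      = 30 // seconds per TOTP time step
	skew        = 1  // accept one step either side of "now" for clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp is RFC 6238: HOTP with the counter set to the time step containing t.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix()/period), digits)
}

// newSecret returns 20 random bytes (160 bits, the size RFC 4226 recommends for HMAC-SHA1).
func newSecret() ([]byte, error) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// provisioningURI builds the otpauth:// URI an authenticator app reads from the
// QR code. The secret is base32 without padding, as the apps expect.
func provisioningURI(issuer, account string, secret []byte) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", strconv.Itoa(loginDigits))
	q.Set("period", strconv.Itoa(period))
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

// Verifier is the per-user state a login handler keeps. lastStep is the highest
// time step already consumed, so a code cannot be replayed within its window
// (RFC 6238 section 5.2); persist it next to the secret in a real deployment.
type Verifier struct {
	secret   []byte
	lastStep int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastStep: -1} }

// Verify accepts code if it matches the current step or one within skew, that
// step has not been consumed yet, and the comparison is constant-time.
func (v *Verifier) Verify(code string, now time.Time) bool {
	if len(code) != loginDigits {
		return false
	}
	step := now.Unix() / period
	for d := int64(-skew); d <= skew; d++ {
		s := step + d
		if s < 0 || s <= v.lastStep {
			continue // before the epoch, or already used
		}
		want := hotp(v.secret, uint64(s), loginDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	secret, err := newSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println(provisioningURI("File Browser", "alice", secret))
	fmt.Println("code valid right now:", totp(secret, time.Now(), loginDigits))
}
```

Rejecting every step at or below `lastStep` is deliberately strict: after a successful login the code for the previous step is also refused even though it is still inside the skew window, which is the behaviour RFC 6238 asks for. Rate-limit failed attempts as well; a 6-digit code with a three-step window is only about one chance in 333,000 per guess, but that is cheap to brute-force without a lockout.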

I have File browser behind Authelia. I also added a bypass rule in Authelia config for sharing files.

access_control:
  rules:
    - domain:
        - "file.DOMAIN"     #File Browser
      resources:
        - "^/api/public/dl/*"
        - "/share/*"
        - "/static/js/*"
        - "/static/css/*"
        - "/static/img/*"
        - "/static/themes/*"
        - "/static/fonts/*"
      policy: bypass

just5ky avatar Feb 22 '22 13:02 just5ky

@Just5KY that is a good solution in some more complex cases. But something built into filebrowser and the current authentication system would be nice.

TCB13 avatar Feb 22 '22 16:02 TCB13

@Just5KY can you share your .filebrowser.json? I have

{
 "baseURL": "",
 "address": "",
 "port": 8080,
 "log": "stdout",
 "database": "/database.db",
 "root": "/srv",
 "auth": {
  "method": "proxy",
  "header": "Remote-User"
 }
}

But I am still prompted with the builtin auth even after I login on Authelia

AlphaJack avatar Mar 06 '22 18:03 AlphaJack

> @Just5KY can you share your .filebrowser.json? I have
>
> {
>  "baseURL": "",
>  "address": "",
>  "port": 8080,
>  "log": "stdout",
>  "database": "/database.db",
>  "root": "/srv",
>  "auth": {
>   "method": "proxy",
>   "header": "Remote-User"
>  }
> }
>
> But I am still prompted with the builtin auth even after I login on Authelia

My method is not bypassing the default login screen, that's still there. I'm just using authelia for extra security

just5ky avatar Mar 07 '22 01:03 just5ky

> I have File browser behind Authelia. I also added a bypass rule in Authelia config for sharing files.
>
> access_control:
>   rules:
>     - domain:
>         - "file.DOMAIN"     #File Browser
>       resources:
>         - "^/api/public/dl/*"
>         - "/share/*"
>         - "/static/js/*"
>         - "/static/css/*"
>         - "/static/img/*"
>         - "/static/themes/*"
>         - "/static/fonts/*"
>       policy: bypass

Would you mind sharing how/if you were able to resolve the issue of Authelia being bypassed when Filebrowser is accessed from a shared link? If accessing via a shared link, and then clicking the Login button on the sidebar, Authelia doesn't step in until the page refreshes. Pretty sure I have Authelia configured correctly (it works for all my other resources, and I copied the settings you listed to my config file).

wlanut avatar Jul 08 '22 04:07 wlanut

@wlanut

>         - "^/api/public/dl/*"
>         - "/share/*"

These URI paths are bypassed, so anyone who clicks on the share link can access the share. But if they go anywhere else, they get Authelia.

just5ky avatar Jul 08 '22 04:07 just5ky

@Just5KY

I've got that part working, not sure if you're able to replicate the specific instance I'm talking about though.

> If accessing via a shared link, and then clicking the Login button on the sidebar, Authelia doesn't step in until the page refreshes.

What I did notice from some brief testing, is that even if you type in the correct credentials at said login screen, access will be denied if you haven't authenticated with Authelia yet. For now, I suppose that works well enough. Having said that, I was using Cloudflare Zero Trust at first and that behavior was not happening, so if I could get to the login screen through the share link, I could successfully login if I knew the password. Might put in a feature request or something for this.

EDIT: just found a comment experiencing this same behavior on another issue - Issue #1878

wlanut avatar Jul 08 '22 17:07 wlanut

@wlanut I was able to reproduce it, but it's alright. No one can get in without interacting with authelia.

just5ky avatar Jul 10 '22 16:07 just5ky

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Sep 06 '22 02:09 github-actions[bot]

Ping… pong… just keeping this open.

TCB13 avatar Sep 06 '22 08:09 TCB13

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 08 '22 02:10 github-actions[bot]

Ping… pong… just keeping this open.

TCB13 avatar Oct 09 '22 17:10 TCB13

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Nov 22 '22 02:11 github-actions[bot]

Ping… pong… just keeping this open.

just5ky avatar Nov 23 '22 14:11 just5ky

BTW, I just found out about this https://filebrowser.org/configuration/authentication-method#no-authentication @TCB13 @wlanut

just5ky avatar Nov 23 '22 14:11 just5ky

> BTW, I just found out about this https://filebrowser.org/configuration/authentication-method#no-authentication @TCB13 @wlanut

That behind Authelia might be a good combination indeed.

TCB13 avatar Nov 23 '22 20:11 TCB13

> BTW, I just found out about this https://filebrowser.org/configuration/authentication-method#no-authentication @TCB13 @wlanut
>
> That behind Authelia might be a good combination indeed.

Yeah, I've also switched from Authelia to Authentik, as I can do role-based access control while having bypass paths on it. But I'll get to it later.

just5ky avatar Nov 24 '22 04:11 just5ky

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Dec 25 '22 01:12 github-actions[bot]

> This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Bad bot 🗡️

TCB13 avatar Dec 30 '22 12:12 TCB13

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 30 '23 01:01 github-actions[bot]

> This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Bad bot 🗡️

TCB13 avatar Feb 01 '23 20:02 TCB13

I would like that too so I can use it from outside. I know of other services such as Authelia and others, but built in is always best.

piraterx avatar Feb 25 '23 19:02 piraterx

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 28 '23 01:03 github-actions[bot]

bot bad me want 2fa

makkarakka3 avatar Mar 28 '23 10:03 makkarakka3

To keep this open and to ask for info: can somebody post the Authentik and/or Authelia compose.yml and config files?

Forsskieken avatar Apr 09 '23 12:04 Forsskieken

@Forsskieken

I have moved on to using Authentik, I just add these in Unauthenticated Paths in FileBrowsers Proxy Provider settings inside Authentik.

/static/.*
/share/.*
/api/public/dl/.*

This allows me to share files with anyone, and they won't be able to go anywhere else except these three URI paths.

Edit: See my first comment at the top; I share how to do it in Authelia too.

just5ky avatar Apr 09 '23 12:04 just5ky
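Before deploying a bypass list like the Authelia `resources` entries in the first comment or the Authentik unauthenticated paths above, it is worth checking exactly which request paths it admits, because both products treat these entries as regular expressions and in a regex `/*` means "zero or more slashes", not "everything under this directory". The Go snippet below is an added example written for this page, not Authelia's, Authentik's or filebrowser's code. It evaluates the posted patterns the way an unanchored regex search does (Go's RE2 `regexp`; that the proxy matches in the same way is an assumption, so confirm it against your proxy's documentation) and compares them with an anchored set. The sample request paths are constructed; the only filebrowser paths they rely on are the `/share/`, `/api/public/dl/` and `/static/` prefixes already named in the thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// ruleSet is a list of compiled bypass patterns, checked in order.
type ruleSet []*regexp.Regexp

// compileRules compiles every pattern as an RE2 regular expression and fails on
// the first bad one, so a typo is caught at config time, not at request time.
func compileRules(patterns []string) (ruleSet, error) {
	rs := make(ruleSet, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", p, err)
		}
		rs = append(rs, re)
	}
	return rs, nil
}

// bypassed reports whether any pattern matches the request path. This is an
// unanchored search: a pattern without ^ may match in the middle of the path.
func (rs ruleSet) bypassed(path string) bool {
	for _, re := range rs {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// admitted returns the sample paths that would skip the proxy under rs.
func admitted(rs ruleSet, paths []string) []string {
	var out []string
	for _, p := range paths {
		if rs.bypassed(p) {
			out = append(out, p)
		}
	}
	return out
}

var (
	// The patterns as posted in the thread (Authelia form; the Authentik form
	// "/share/.*" behaves the same for this purpose).
	asPosted = []string{
		"^/api/public/dl/*", "/share/*", "/static/js/*", "/static/css/*",
		"/static/img/*", "/static/themes/*", "/static/fonts/*",
	}
	// Anchored to the start of the path, so only the intended prefixes match.
	anchored = []string{`^/api/public/dl/`, `^/share/`, `^/static/`}

	// Constructed sample requests: the first three are legitimate share
	// traffic, the rest should stay behind the proxy.
	samples = []string{
		"/share/abc123",
		"/api/public/dl/abc123/report.pdf",
		"/static/css/app.css",
		"/files/share",           // a user folder that happens to be named "share"
		"/api/resources/share/x", // authenticated API path containing "/share"
		"/api/public/dlx",        // "dl" plus zero slashes still matches ^/api/public/dl/*
		"/login",
		"/api/users",
	}
)

func main() {
	for name, pats := range map[string][]string{"as posted": asPosted, "anchored": anchored} {
		rs, err := compileRules(pats)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s bypasses %v\n", name, admitted(rs, samples))
	}
}
```

Run it and the posted set admits `/files/share`, `/api/resources/share/x` and `/api/public/dlx` as well as the three share paths, while the anchored set admits only the three. Whether the extra matches matter depends on what sits behind them (filebrowser's own API still requires its JWT), but a bypass rule should describe exactly the unauthenticated surface you mean to expose and nothing else.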

@Just5KY thanks for that info. Is there a way in FB to give users access to their own directory and a global read share? The way I think I can do it is via mounts in the docker-compose.yml volumes:

  - /mnt/QData/QMedia/QDocu:/srv/users/PeterPan/Documentair
  - /mnt/QData/QMedia/QDocu:/srv/users/SnowWhite/Documentair

but of course if you add a new user the container needs to be recreated. I tried with symlinks but that didn't work out.

Forsskieken avatar Apr 11 '23 17:04 Forsskieken

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar May 12 '23 01:05 github-actions[bot]

Blah.

TCB13 avatar May 12 '23 09:05 TCB13

Any news about two-step verification feature?

pigate-eu avatar May 14 '23 18:05 pigate-eu