twofactor_u2f
twofactor_u2f copied to clipboard
nextcloud
Support change of domain
Feature Request
Summary
As discussed in #630, the appId is currently built exclusively from the URL (https://github.com/nextcloud/twofactor_u2f/blob/master/lib/Service/U2FManager.php#L63). This means that, if the Nextcloud instance ever changes domain, all logins with u2f enabled will fail, and backup keys will not work either.
This seems like something that should probably be addressed, but I'll freely admit to not having enough experience with this codebase or u2f server implementation as to be able to come up with a solution myself. Any suggestions would be appreciated!
I think changing domain is generally a problematic operation with Nextcloud, there are federated cloud IDs and other things that would have to be updated in the database. The u2f registrations are not the only party that are prone to errors with this.
Sure, but to the extent to which those are held on the nextcloud server, they can be updated by doing a sed (or equivalent) on the database dump file and just reimporting, in theory (if I understand correctly). u2f does not have that ability, and it's also the only thing which prevents people even logging in if the domain has been changed. In any case, fixing it in as many places as possible would I'm sure be a good idea :sweat_smile:
Additional to that: if you run nextcloud with multiple domains than the U2F needs to be registered multiple times. It would be useful, if the related domain is shown in the overview. Maybe it should be obvious to the user, that he needs to register the device for multiple domains.
- check if multiple domains are in the config.php
- warn the user for the missing u2f domain registration
- extend an u2f overview for the admin to show whether the u2f tokens are correctly registered for each domain
- allow after checking point 3 allow to deactivate a specific domain without locking out the users
