tinyfilemanager
Implement 2FA authentication
- Requires 2FA library based on Google implementation, currently loaded as an external resource (`2fa.lib.php`).
- Also uses a flavor of `qrcodejs` to generate scannable secrets as QR codes; can also use online APIs for that.
- Mapped toggle to settings where admin can toggle 2FA on/off.
- If enabled, first login will generate a QR code that must be scanned and saved by the user and a secret that must be added to TFM `$otp_secrets` array.
All resources can be tailored and/or be embedded; decided against it since there is no big difference and also because many people may not want to use 2FA, in which case they won't be bothered by extra resources being loaded online or offline.
Everything should be compatible with PHP 5.5+
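What the "secret in `$otp_secrets`, code from the authenticator app" flow verifies on the server side, as an added example written for this thread and not the PR's `2fa.lib.php` or TFM code. It assumes `$otp_secrets` maps a username to a base32 TOTP secret, the Google Authenticator defaults (30-second step, 6 digits, HMAC-SHA1), and PHP 7.0 or later; the sample secret is the RFC 6238 test key, included here only so the block runs stand-alone.

```php
<?php
// Added example: RFC 6238 TOTP verification against a per-user secret list
// shaped like TFM's $otp_secrets array. Not the PR's 2fa.lib.php.

// Decode an RFC 4648 base32 string (padding optional) to raw bytes.
function base32_decode_raw(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    $out = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
        while (strlen($bits) >= 8) {
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    return $out;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string {
    $msg  = pack('NN', ($counter >> 32) & 0xFFFFFFFF, $counter & 0xFFFFFFFF);
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $code = ((ord($hash[$offset]) & 0x7F) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          | ord($hash[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP is HOTP with counter = floor(unix_time / step).
function totp(string $secretB32, int $time, int $step = 30, int $digits = 6): string {
    return hotp(base32_decode_raw($secretB32), intdiv($time, $step), $digits);
}

// Verify a submitted code, tolerating +/- $window steps of clock drift between
// server and phone. hash_equals() keeps the comparison constant-time.
function verify_totp(array $otp_secrets, string $user, string $code, int $time, int $window = 1): bool {
    if (!isset($otp_secrets[$user]) || !preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($otp_secrets[$user], $time + $i * 30), $code)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the RFC 6238 Appendix B key "12345678901234567890" in base32.
// The RFC lists 94287082 as the 8-digit SHA1 code at T=59; a 6-digit app shows its last six digits.
$otp_secrets = ['admin' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'];
var_dump(verify_totp($otp_secrets, 'admin', '287082', 59));
```

Two things worth keeping when wiring this into a login form: the `$window` tolerance should stay small (one step each way is the usual choice), and a code that has already been accepted for a given 30-second step should not be accepted again in that step, which means storing the last-used counter per user alongside the secret.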
It is deviating from the core; TFM is a single-file manager to make it easier for the end user to use. Will keep this PR open, it will be useful for someone. @ner00 Thank you for the PR
Maybe an easier and shorter 2FA implementation could be integrated in TFM, by sending a code over email through a valid SMTP indicated in the configuration. To avoid the need of saving anything, the code sent could be based on the server name, the password and its validity time frame.
This idea of sending an OTP code through e-mail sounds simple, but if put into practice probably not so much, even though it has some advantages, like not needing a dedicated device to store the code.
The OTP code itself doesn't really need to rely on any tangible information whatsoever; as long as the user login is valid, the server could `rand()` a number of a given length and store that in `$_SESSION`, possibly along with its validity. But then you actually have to send it.
The first dependency is an e-mail address; fair enough, everyone has one, but now you need to store e-mail addresses inside the TFM script, not the end of the world just yet though... The second dependency, and this is the biggest one, is the e-mail server itself. We can't simply rely on the server hosting TFM and assume that it is capable of using `mail()` directly, so then we'd have to think of how to use a third-party SMTP server, and as far as I know we'd need PHPMailer for that, or reinvent the wheel and implement an SMTP library from the ground up.
So, while the idea does seem appealing at first glance, it becomes less so the more you think about the implementation itself.
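The server-side half of the e-mail OTP idea discussed above (a random code kept in `$_SESSION` with a validity window), as an added example that is not from this PR or from TFM. It deliberately leaves delivery out: `$send` is a hypothetical callback standing in for `mail()` or an SMTP library, which is exactly the dependency the reply above objects to. The session is passed in as an array so the block runs without a web server; `OTP_TTL_SECONDS` and `OTP_MAX_ATTEMPTS` are values chosen for the example. Assumes PHP 7.0 or later for `random_int()`.

```php
<?php
// Added example: session-bound one-time code with expiry, attempt limit and
// single use. Not TFM code; $send is a hypothetical delivery callback.

const OTP_TTL_SECONDS  = 300;  // code is valid for five minutes (example value)
const OTP_MAX_ATTEMPTS = 5;    // after this many wrong guesses the code is dropped

// Issue a fresh 6-digit code. random_int() is used instead of rand() because
// rand() is not a CSPRNG. Only a SHA-256 of the code is kept in the session;
// with a 6-digit space that is no protection against offline guessing, so the
// real controls here are the TTL and the attempt limit, not the hash.
function issue_email_otp(array &$session, callable $send, string $to, int $now): void {
    $code = str_pad((string)random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $session['otp'] = [
        'hash'     => hash('sha256', $code),
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
    ];
    $send($to, "Your login code is $code");
}

// Verify a submitted code: reject if absent, expired or over the attempt
// limit; compare in constant time; invalidate the code once it is accepted.
function verify_email_otp(array &$session, string $submitted, int $now): bool {
    if (!isset($session['otp'])) {
        return false;
    }
    $otp = &$session['otp'];
    if ($now > $otp['expires'] || $otp['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($session['otp']);
        return false;
    }
    $otp['attempts']++;
    if (!hash_equals($otp['hash'], hash('sha256', $submitted))) {
        return false;
    }
    unset($session['otp']);  // single use: a replayed code must fail
    return true;
}

// Usage with a constructed in-memory "session" and a sender that just records
// what it would have mailed.
$session = [];
$outbox  = [];
$recorder = function (string $to, string $body) use (&$outbox) { $outbox[] = [$to, $body]; };

issue_email_otp($session, $recorder, 'user@example.com', 1000);
preg_match('/(\d{6})/', $outbox[0][1], $m);   // pull the code back out of the "mail"

var_dump(verify_email_otp($session, '000000', 1100));   // wrong guess, counted
var_dump(verify_email_otp($session, $m[1], 1100));      // correct code inside TTL
var_dump(verify_email_otp($session, $m[1], 1100));      // same code again: single use
```

Note that the attempt counter only bounds guesses within one session; a client that discards its cookie and logs in again gets a new code and a fresh counter, so the login step itself still needs its own rate limit.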
it is better to use reverse proxy for advanced authentication