mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-05-30 23:40:40 +02:00
Reference: starred/audiobookshelf#191
Originally created by @LevinCeglie on GitHub (Jan 29, 2022).
Hey there!
So far I have really enjoyed using your application. Great job! But there is one feature that I would really like to see implemented, namely Two Factor Authentication. Since I want to listen to my audiobooks from everywhere, I have to expose the service. Consequently the only thing keeping a lock on the root user is a password.
Kind regards
@advplyr commented on GitHub (Jan 29, 2022):
I've not set up 2FA for a self-hosted project before.
I know Plex has this but I suspect they use their own servers and they are closed source (haven't used it though). Do you use any open source self-hosted software that can be referenced?
@typhooncarr commented on GitHub (Jan 29, 2022):
If we could link with something like Authelia, Keycloak, etc., that would be great.
@mx03 commented on GitHub (Jan 30, 2022):
For 2fa: https://www.npmjs.com/package/speakeasy
But before implementing 2FA the login system should be made more secure.
The token that authorizes the user is always the same after every login instead of a random session ID.
@advplyr commented on GitHub (Jan 30, 2022):
I think enhancing the auth should be a priority, at a minimum improving the token based auth.
Speakeasy does look like an easy solution for adding TOTP w/ QR code 2FA.
I'm not sure how to integrate with Authelia or Keycloak. They would sit in front of Abs and users would authenticate, but how does Abs retrieve the sign-in info?
As far as the API tokens go, refreshing them on every login could be problematic when moving between mobile and the web app. Adding an expiration with a configurable expiration time may be the best option there.
Also, Android Auto doesn't allow signing in, so this could be frustrating when tokens expire while listening in AA.
@NorthhtroN commented on GitHub (Mar 10, 2022):
Not sure if you have looked into this, so apologies if this is stuff you know, but look into SAML, OAuth and OpenID Connect.
Basically abs would allow external identity providers to authenticate a user and provide abs with a token with info about the user (username, role, etc.). Since abs sees this identity provider as trusted, a user coming from the provider is allowed access.
You can get more complex and link accounts/auto create users, etc., but the main benefit is that users who have rolled their own SSO system can use 1 login across multiple services and log in once; the provider will pass the auth token to abs when a user navigates.
Abs would be considered a service provider in the oauth flow.
@MidnightSnowleopard commented on GitHub (Mar 10, 2022):
There is already work being done on this very thing. #351
It's still ongoing and will probably take a bit before it's merged and fully stable but it has already started. Given how quickly this project has already progressed I wouldn't be surprised if this was sooner rather than later.
@NorthhtroN commented on GitHub (Mar 10, 2022):
Thanks @MidnightSnowleopard, I guess that is what I get for commenting on a 2 month old feature request :)
@davidLeimroth commented on GitHub (Mar 16, 2022):
@MidnightSnowleopard @NorthhtroN My time was super limited recently and it'll be like that for another couple of days. So if you have experience with OIDC, feel free to contribute to #351. Being able to centrally manage users for self-hosted apps is a big plus point for everyone hosting multiple apps.
@genebean commented on GitHub (May 27, 2022):
Just wanted to add how awesome adding totp based 2FA would be.
@DDriggs00 commented on GitHub (Oct 11, 2022):
Some methods for supporting 2fa will also open up support for sso, so I thought I'd link that feature request
@jrhedman commented on GitHub (Dec 22, 2022):
I know firefly-iii has 2FA as an option and is an open source project that's self hosted.
I'll try to take a look into this when I get a chance and see what is used there and if it's possible to use a similar implementation here.
@michaelkrieger commented on GitHub (Feb 8, 2023):
Something like Authelia adds Remote-User and Remote-Groups HTTP headers as the verify middleware is triggered. This would let you get a trusted username of the currently logged in user. This would be on the server-side of things. You'd then need the iOS/Android app to identify when authentication is required and open a web page so you can do the web-based authentication and the cookies can be grabbed. It would then need to pass the cookie with future requests. This is probably the simple way. Most other authentication backends work the same way.
The complicated/future-proof way would be to do OAuth2 authentication, which is again supported by things like Authelia. Same idea that the client apps would need to interface with this to prompt the user.
@JohanPotgieter commented on GitHub (Jul 16, 2023):
It has been 18 months since this request was logged. Is it still in the works or has it been abandoned? This is a vital feature today as more and more systems are hacked and self-hosted systems are most vulnerable as most of us don't have "system admin" level knowledge to keep our systems secure.
@BlackHoleFox commented on GitHub (Jul 16, 2023):
To interject, what do you think makes 2FA/MFA on its own a "vital feature" for a self-hosted web server? Is there a specific threat you are hoping to remove? A random password, some kind of autofill either from your OS, browser, or third-party password manager, and server TLS gets you a long way. The first two are not only for system admins. MFA would not save you from a failure of another of the prior two (MFA setup secrets are vulnerable without TLS, for example).
@JohanPotgieter commented on GitHub (Jul 16, 2023):
I don't mean to suggest that any one security measure will make you safe. You have to use a series of measures to try and keep your system safe. This will add another layer of protection that will contribute to the whole security profile of a server. There is no silver bullet for server security. I still feel that we should strive to make each system as secure as possible.
@advplyr commented on GitHub (Jul 16, 2023):
This is still planned
@turnercore commented on GitHub (Sep 13, 2023):
Audiobookshelf is not hosting vital or sensitive data. A password with brute force protection is plenty secure enough for this kind of application, in my opinion. If you make backups of your server and data (as you should) then who even cares if someone gets into the app?
It would be cool to allow integration with Authelia or some SSO/2FA app that you can run as a middleware for users who care, but it doesn't seem like an urgent enhancement to me. Certainly add it if it's easy, but I wouldn't spend a lot of time on 2FA when there are lots of other feature requests and bug fixes that would be of higher impact. That's my unasked for two cents 🪙🪙
@Sapd commented on GitHub (Nov 21, 2023):
This is now possible using SSO. You can set up SSO and disable password login. (and ofc set up 2FA in your SSO provider)
https://github.com/advplyr/audiobookshelf/issues/998
@advplyr commented on GitHub (Dec 24, 2023):
This is supported through OIDC. That gives more flexibility than implementing some specific 2FA auth.