nursoda / twofactor_email
Nextcloud 2FA Provider that uses e-mail as transport
License: GNU Affero General Public License v3.0
Version 22 was just released. Thanks for considering.
Hello, I'm trying to develop a very simple two factor auth app into Nextcloud.
At first, I just want a simple PHP code to do the authentication.
Here is a link for my Nextcloud Forums post, where I provide more information about my struggle: link.
Basically I just need a bare-bones minimal code base for such an app. Could you please help me?
Hi, @rullzer ! Great respect for your work. Very necessary thing.
I am confused by the inscription: "An access code has been sent to *******[email protected]"
Does such a hint make sense?
How safe is it?
And will it be possible in the future to customize the prompts yourself?
For a start, at least be able to hide it.
Sorry, if I was stupid.
There is no need for TOTP here. We can just generate an X char secret.
Even when displayed on IE11, the explanation and enable button are displayed.
In IE11, explanation text and button are not displayed. It is displayed correctly in Google Chrome etc.
Operating system: CentOS7
Web server: Nginx
Database: MariaDB
PHP version: 7.3
Nextcloud version: Nextcloud 17.0.1
Updated from an older Nextcloud/ownCloud or fresh install: fresh install
Where did you install Nextcloud from: Install from tarball package on nextcloud.com
List of activated apps:
Enabled:
- accessibility: 1.3.0
- activity: 2.10.1
- admin_audit: 1.7.0
- bruteforcesettings: 1.5.0
- calendar: 2.0.2
- cloud_federation_api: 1.0.0
- comments: 1.7.0
- dav: 1.13.0
- federatedfilesharing: 1.7.0
- federation: 1.7.0
- files: 1.12.0
- files_pdfviewer: 1.6.0
- files_rightclick: 0.15.1
- files_sharing: 1.9.0
- files_trashbin: 1.7.0
- files_versions: 1.10.0
- files_videoplayer: 1.6.0
- firstrunwizard: 2.6.0
- gallery: 18.4.0
- logreader: 2.2.0
- lookup_server_connector: 1.5.0
- nextcloud_announcements: 1.6.0
- notifications: 2.5.0
- oauth2: 1.5.0
- password_policy: 1.7.0
- privacy: 1.1.0
- provisioning_api: 1.7.0
- recommendations: 0.5.0
- serverinfo: 1.7.0
- sharebymail: 1.7.0
- support: 1.0.1
- survey_client: 1.5.0
- systemtags: 1.7.0
- text: 1.1.1
- theming: 1.8.0
- twofactor_backupcodes: 1.6.0
- twofactor_email: 1.0.1
- updatenotification: 1.7.0
- user_ldap: 1.7.0
- viewer: 1.2.0
- workflowengine: 1.7.0
Disabled:
- encryption
- files_external
- twofactor_totp
Nextcloud configuration:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"172.16.204.65",
"nc_17.0.1"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "17.0.1.1",
"overwrite.cli.url": "https:\/\/nc_17.0.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}
}
Browser: Internet Explorer 11 (ver11.719.18362.0)
Operating system: Windows10
Hello all,
My predecessor built this 2FA into the cloud. I updated to version 27 last week and now the 2FA no longer works. I wanted to deactivate the 2FA, but the cloud now complains that at least one of my 2FA providers could not be loaded. In the config it says 'twofactor_enforced' => 'false', but I think it belongs to another 2FA method. Does anyone know how I can completely disable the 2FA so that at least the users can access their data again? Unfortunately, deactivating the app leads to the error message.
Thank you very much for an answer.
I have been using this app "untested" in production on NC19 since the early betas, with no issues. I just tested it in NC20b3 and there is also no issue at all. – Why is it still marked "incompatible" for versions beyond NC18?
Hi Roeland,
is your app still in development and is it possible to use your app in Nextcloud 15 too?
Thanks a lot
Michael
Derived from NC25 changes. Unclear if this is a "good idea" or even necessary, how much effort it is and what benefits there are. Needs to be discussed with package owners. Would not be necessary if the whole app functionality is rebased on twofactor_totp (see twofactor_email/v3). Same applies for the nextcloud/ocp dependency.
Hello,
would it be possible to follow instructions on:
https://docs.nextcloud.com/server/latest/developer_manual/basics/front-end/l10n.html#adding-translations
...and gain benefits from work of whole Nextcloud translators community for users of your app please?
Thanks :-)
Hi all,
we need to update our nextcloud instance from 25.0.13 to 26.0.10. After the update, all users having the email 2FA provider cannot log in any more. The e-mail is not sent.
I even disabled and deleted the app... After that, during login nextcloud is complaining about a missing 2fa provider.
The translation is:
At least one of your 2fa providers could not be loaded. Contact your admin.
2FA is mandatory, but is not configured for your account. Use your backup codes or ask your admin for advice...
We don't have mandatory 2FA...
Any hints?
Thank you very much...
Kind regards
Alex
Future work:
I just got SMS 2FA working on my Nextcloud instance. It wasn't too bad, but I had to sign-up for an SMS gateway service. I'm willing to spend the ten cents or so for each 2FA text because I have very few users and we rarely logout.
A lot of (most? all?) cell carriers allow for sending text messages to a phone by sending an email to a specific email address that incorporates the cell phone's number. For example, to send a text message to a phone on the at&t wireless network, you can send an email to [phone number]@txt.att.net. Verizon is similar: [phone number]@vtext.com. If the app could be configured to send authorization codes to one of these email addresses, it would be equivalent (I think) to SMS 2FA, without requiring any sort of gateway setup.
I see two enhancements that would facilitate this use case:
I don't think there would be any need to explicitly call out this use case. Just adding the necessary enhancements would allow people who are trying to set up SMS 2FA to figure it out. That's how I ended up installing this Nextcloud app; I thought, "Oh, maybe this email 2FA will let me email a text message." Alas, no - but so close.
Hi Guys, I would like to ask if it is possible for a new user to have email authentication enabled automatically once the administrator has created the account?
thanks.
Hello
A simple enhancement:
Please add a -> arrow on the code enter window.
Of course you can enter the code and "hit" the enter-key.
But a button to click would be nice and removes the confusion about how to log in. :-)
Something like that for example (or a button on the bottom of the code enter window named "Login"):
Thanks a lot for this great app
Hi guys, I would like to ask if it is possible to block non-administrator users from disabling two-factor email authentication.
The idea is that after the first boot, users enable authentication, but once this is done, they can no longer disable it again.
I would need the only user who could disable it to be a user with administrator permissions.
Does anyone know if this is possible?
Please make twofactor_email compatible with NC19.
If you have 2FA enforced on NC and create a new user, that user has to set up 2FA upon 1st login. TOTP and U2F are available upon 1st login, twofactor_email is not but should be.
Hello,
I use a WebDav explorer (Hopic Explorer in this case) and I don't know how two factor authentication should be handled.
Is it up to the explorer to manage it?
Anyway. I can't connect to the Nextcloud when two-factor authentication is enabled, it's probably not up to the application to handle that, but I'm asking here in doubt.
Would there be a way to log the explorer despite this double authentication?
(By the way, thank you very much for this application, which allows enabling two-factor authentication really simply :) Thanks to you!)
Steps to reproduce:
We tried to fix it in src/components/GatewaySettings.vue (after line 81 at the end of mounted() ) like this
// Catch user removing mail address while in state CREATED
if (!this.isAvailable) {
this.state = STATE.DISABLED
}
Didn't work. Why?
Email verification
The server can send authentication codes to your email address.
You are not using Email as a two-factor authentication method at the moment. "Enable"
I push the button "enable", but it does not function! No 2FA email is sent!
If the user has no email in his account, GET /settings/user/security
throws this error:
[index] Error: Exception: Argument 1 passed to OCA\TwoFactorEmail\EmailMask::maskEmail() must be of the type string, null given, called in /var/www/nextcloud/apps/twofactor_email/lib/Provider/State.php on line 80 at <<closure>>
0. /var/www/nextcloud/lib/private/AppFramework/App.php line 126
OC\AppFramework\Http\Dispatcher->dispatch(OC\Settings\Cont ... {}, "index")
1. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
OC\AppFramework\App::main("OC\\Settings\\C ... r", "index", OC\AppFramework\ ... {}, {section: "secur ... "})
2. <<closure>>
OC\AppFramework\Routing\RouteActionHandler->__invoke({section: "secur ... "})
3. /var/www/nextcloud/lib/private/Route/Router.php line 297
call_user_func(OC\AppFramework\ ... {}, {section: "secur ... "})
4. /var/www/nextcloud/lib/base.php line 1000
OC\Route\Router->match("/settings/user/security")
5. /var/www/nextcloud/index.php line 42
OC::handleRequest()
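A null-safe guard for the failure shown in this trace, as an added example that is not the twofactor_email app's own code; the function name `maskEmail`, the masking rule and the `providerStateFor` helper are assumptions made here:

```php
<?php
declare(strict_types=1);

/**
 * Added example (not the app's code): a masking helper that tolerates a
 * missing address instead of throwing a TypeError when a user has no email.
 * The masking rule (keep the first local-part character and the domain) is
 * an assumption; the app's own rule is not shown on the issue page.
 */
function maskEmail(?string $email): ?string {
    // A user without an address yields null so that callers can branch on it
    if ($email === null || $email === '') {
        return null;
    }
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        // Not a plausible address: mask everything rather than leak it
        return str_repeat('*', strlen($email));
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);
    return $local[0] . str_repeat('*', max(strlen($local) - 1, 1)) . '@' . $domain;
}

/**
 * Assumed shape of the provider state shown on the security settings page:
 * the page must still render when the account has no email, so "no address"
 * is reported as "provider unavailable" instead of crashing the request.
 */
function providerStateFor(?string $email): array {
    $masked = maskEmail($email);
    return [
        'available'   => $masked !== null,
        'maskedEmail' => $masked,
    ];
}

// Constructed sample input
var_dump(providerStateFor('alice@example.com'));
var_dump(providerStateFor(null));   // no TypeError: available => false
```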
At least via OCC (in the twofactorauth and/or twofactor_email namespace), ideally also via web interface.
Currently, there's only this occ command:
$ occ twofactorauth:disable USER email
The provider does not support this operation.
$ occ twofactorauth:enable USER email
The provider does not support this operation.
Is it possible to disable the two-factor if the user is in lan ip range or enforce it if the user comes from outside this lan ip range? Some of my friends want to access our server from outside campus, but the server is basically a PC, it wouldn't hold against attacks.
One of the downsides of this add-on as-is is that every time you log in you must get and supply an email 2FA code.
Even more problematic (and I have not checked this out) but a nextcloud desktop client uses a browser to authenticate and thus every time it would have to go through this step (I assume like every time you reboot the machine).
Further I wonder what happens with android/IOS apps?
Anyway, not being able to "trust" devices is an issue that pretty much makes this otherwise good add-on a no-go for me. I can't see myself or my users being happy doing 2FA over and over on the same machine and the same browser.
As I am sure many have seen it is possible to ask the user if they want to forgo further 2FA with that particular browser instance.
Personally at this time I don't know how that is coded but this post indicates that it uses a browser cookie.
https://stackoverflow.com/questions/41228238/asp-net-identity-with-2fa-list-of-trusted-browsers
https://apple.stackexchange.com/questions/352351/apples-2fa-and-the-notion-of-trusted-device-and-trusted-browser
So, I'd say this is another enhancement request and maybe you should add it to list.
How long is the code valid?
Is it possible to adjust the validity of the code? How is it possible?
Dear all,
our Nextcloud is attached to our Windows Domain and the users are created automatically. I read some issues here about the first setup/first login of 2FA-Email and I had the same problems as e.g. in Issue #83.
I know and understand that this app is limited and does not really implement this feature, but maybe somebody can give me a workaround.
My goal:
I want to enforce 2FA-Mail OR I want to check that every user has 2FA activated (both can be done by a script from my side, e.g. Bash, SQL, PHP, etc.)
Does anybody have a tip for me on where to find this information?
Best regards
Rainer
Hi,
in our case we need to be able to force 2fa to all users but to also have the option to exclude specific groups. Nextcloud does the same with their implemented 2fa.
Why force 2fa to all:
When dealing with large environments you will always have internal policies and local laws forcing companies to implement security features. If you have 14000 users you can be sure that only half of them will enable 2FA on their own. Most of them will just ignore the 2FA and the rest won't even know it's there. The only solution to ensure that everyone is using it is by giving administrators the option to force it on everyone.
Why exclude specific groups:
We are running a large NC environment serving 14000 Enterprise Users. Not all of them are "real" users / persons. About 90% of all users are read from Active Directory using LDAP, but not all of them have an email address / Exchange Mailbox. That's because we also use service accounts from within AD which are used to export and import data from SAP into Nextcloud and then back again from Nextcloud into other subsystems at other locations. Because all the automation and synchronization is done in the background, there is no one logging into NC manually - that's where the exclude groups feature would really help.
Regards,
Jones
Hello,
today I updated the app to the latest version 2.1.1 and I immediately noticed that the submit button no longer appears (see screenshot below).
I can log in by filling in the code and then pressing the enter key, but most of my users are stuck and can't log in to nextcloud.
When I upgraded the app I was initially running nextcloud 21.03; now I've upgraded to the latest 22.2.3 hoping that it could fix the problem, but nothing changed.
I removed all my CSS customizations, and I'm not running any other exotic app.
Do you by chance have a suggestion or an idea about how I could fix this problem?
Thank you!
Using the 2-factor email provider, I can see following security problem:
If the email account is compromised, an attacker would be able to request a password reset for the nextcloud account and with the same email address he can request the 2FA token. This would give the attacker easy access to the cloud system.
Can you add a feature that a different email address (than the standard address connected to the account), can be used for 2-factor email provider?
The app installed ok, but when I click the button to enable email 2FA it doesn't activate it and the "enable" button just reappears. Is there a known issue that would cause this to happen or a fix for it?
I've tried removing and reinstalling but the same thing happens.
Thanks
As Nextcloud 29 still does not allow installing the app, I went back to 28.0.5 and tried to disable 2-factor e-mail via
sudo -u http php82 -d memory_limit=1024M occ twofactorauth:disable 'myuser' email
But I get the error message:
The provider does not support this operation.
How can I get rid of 2-factor e-mail authentication completely until compatibility with v29 is available?
The authentication is activated for all users, but you can't log in because the email address is not verified for the authentication.
Please make twofactor_email compatible with NC18 and PHP 7.4.
Support for NC 29
Hello, there!
As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.
Please note that there could be some false positives in our methodology, thus not all of the open issues may be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu
Thanks in advance
The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.
If you end up updating the reference, please let us know. We need the stats for the paper :-)