Arksine / moonraker

Web API Server for Klipper
https://moonraker.readthedocs.io
GNU General Public License v3.0

Add TOTP Authorization to moonraker auth. algo #844

Closed SlimRG closed 2 months ago

SlimRG commented 2 months ago

https://github.com/Arksine/moonraker/issues/842

SlimRG commented 2 months ago

Sorry, git system is new for me...

Arksine commented 2 months ago

Thanks. At this time I don't think support for 2FA is a good candidate for this repo. Moonraker is not intended to run facing the WAN directly. It may be something I consider in the future, but I think I would prefer adding support for OAuth and allowing the provider to handle 2FA.

If you need to add additional security and cannot use a VPN I would recommend looking into authentication options provided by reverse proxies, etc.

SlimRG commented 2 months ago

We can't use a VPN in many countries, such as Russia (if you don't have a licence), if we don't want to have problems with the law (I had these problems with a local WireGuard). Google Authenticator is used in banking services (I know, as I work there). It's quite a simple and secure way to improve security. I have some printers in use and want to connect to them from the office next to my home. Why don't you want to add this secure layer?

SlimRG commented 2 months ago

P.S. Localhost is not secure enough either, as lots of people use a phone number as their wifi password. Also, the MGTS provider sets up routers with the default password MGTS98765 and without the possibility to change this password.

I think an additional 2FA security layer would be a better and simpler way than using LDAP.

Arksine commented 2 months ago

We can't use a VPN in many countries, such as Russia (if you don't have a licence), if we don't want to have problems with the law (I had these problems with a local WireGuard).

I understand. This is why I suggested using a reverse proxy to provide additional authentication if you want to expose Moonraker to the WAN.

I have some printers in use and want to connect to them from the office next to my home. Why don't you want to add this secure layer?

At this time I don't think 2FA adds significant value to Moonraker. Moonraker is not intended to run directly facing the WAN. The overwhelming majority of users will not want to enable 2FA on their local installation; in fact the majority do not even have user authentication enabled. I have not reviewed your submission in detail, however a cursory glance indicates that it would need significant refactoring before it's eligible for merging. The contribution guidelines need to be followed before I provide a detailed review.

In addition, I think it may be possible to add OpenID/OAuth support which would accomplish a similar goal, with the bonus of allowing users to log in with existing accounts.

P.S. Localhost is not secure enough either, as lots of people use a phone number as their wifi password. Also, the MGTS provider sets up routers with the default password MGTS98765 and without the possibility to change this password.

Users who don't secure their local network and/or routers would be unlikely to enable user authentication, much less two factor authentication. They would have larger problems than an open instance of Moonraker.

I think an additional 2FA security layer would be a better and simpler way than using LDAP.

LDAP is already integrated and well tested.

SlimRG commented 2 months ago

Thanks for the answer. I think you are on the right track. If you want to add OAuth, that will be nice. Good luck and thanks for your work.