Romern / syncMyMoodle

Synchronization client for RWTH Moodle
GNU General Public License v3.0

Multi-Factor Authentication #118

Closed Nathan-Mossaad closed 4 months ago

Nathan-Mossaad commented 4 months ago

Due to the new 2FA requirement the standard SSO login doesn't work any more and results in:

Logging in...
CRITICAL:__main__:Failed to login! Maybe your login-info was wrong or the RWTH-Servers have difficulties, see https://maintenance.rz.rwth-aachen.de/ticket/status/messages . For more info use the --verbose argument.

For more information see: https://help.itc.rwth-aachen.de/service/0f861f53818c44e9a5df6ea7b244dacd/

D-VR commented 4 months ago

Just to give an overview of the steps involved:

After the typical login, you get redirected to another sso page where you need to post which 2FA token generator to use:

csrf_token=<csrf token>
fudis_selected_token_ids_input=<totp ID, like: TOTP0000000A>
_eventId_proceed

Then you get the last SSO page, where you need to post the actual 2FA:

csrf_token=<csrf token>
fudis_otp_input=<otp input e.g. 000000>
_eventId_proceed

Then you get the same stuff as before the MFA update.

Not sure how people want to handle this, but probably you could configure a TOTP ID in the config, but you need user interaction to query the 2FA token (or TOTP ID if not configured?)

ofc this is just for TOTP! Stuff like Hardware tokens would probably be messier

D-VR commented 4 months ago

I'm currently trying to add rudimentary support for TOTP, if I get it working I'll open a PR for further testing!

D-VR commented 4 months ago

@Nathan-Mossaad feel free to test out my PR, let me know if there are any issues with it

Nathan-Mossaad commented 4 months ago

I just ran #119 and had no issue with it, thank you a lot!

It might be nice to not only allow for manual input of an OTP, but also for syncMyMoodle to calculate it automatically by providing it with a Token Secret (although this would defeat the purpose of having 2FA in the first place), thereby re-allowing unattended syncing.

D-VR commented 4 months ago

I think adding the option would not be terrible, since anyone who adds it should be aware of the security risks: i.e. attacker having local file access -> increases risk from Moodle Session hijacking to full RWTH account takeover

Which is the same as before the MFA update :sweat_smile:

Maybe should be in a separate PR though? Feedback welcome
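As an added illustration of the two MFA form posts D-VR outlined above and of the automatic OTP calculation discussed in this comment (example code, not syncMyMoodle's own implementation or the code in #119/#120): the hidden-field parser, the payload builders and the `hotp`/`totp` functions are assumptions about how a client could do this, using only the field names quoted in the thread. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what standard authenticator apps implement; the sample HTML and the base32 secret used below are constructed test inputs (the secret is the RFC 6238 reference key, not anyone's real token).

```python
"""
Added example: the two SSO MFA steps from the thread, plus RFC 6238 TOTP derivation
for the "store the token secret in the config" option. Not part of syncMyMoodle.
"""
import base64
import hashlib
import hmac
import struct
import time
from html.parser import HTMLParser
from typing import Optional


class _HiddenInputParser(HTMLParser):
    """Collect <input type="hidden"> name/value pairs from an SSO form page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_csrf_token(page_html: str) -> str:
    """Return the csrf_token hidden field that must be posted back (assumed field layout)."""
    parser = _HiddenInputParser()
    parser.feed(page_html)
    if "csrf_token" not in parser.fields:
        raise ValueError("no csrf_token field on page; SSO flow may have changed")
    return parser.fields["csrf_token"]


def token_select_payload(csrf_token: str, totp_id: str) -> dict:
    """Step 1 (hypothetical helper): choose the token generator, e.g. TOTP0000000A."""
    return {
        "csrf_token": csrf_token,
        "fudis_selected_token_ids_input": totp_id,
        "_eventId_proceed": "",
    }


def otp_payload(csrf_token: str, otp: str) -> dict:
    """Step 2 (hypothetical helper): submit the six-digit one-time code."""
    return {
        "csrf_token": csrf_token,
        "fudis_otp_input": otp,
        "_eventId_proceed": "",
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a base32 secret (the form shown during authenticator enrolment)."""
    cleaned = secret_b32.upper().replace(" ", "")
    secret = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


# Constructed sample page: only the hidden csrf field matters to the parser.
SAMPLE_SSO_PAGE = (
    '<form method="post">'
    '<input type="hidden" name="csrf_token" value="abc123"/>'
    '<input type="text" name="fudis_otp_input"/>'
    "</form>"
)

# RFC 6238 reference secret "12345678901234567890" in base32 (test key, not a real token).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    token = extract_csrf_token(SAMPLE_SSO_PAGE)
    print(token_select_payload(token, "TOTP0000000A"))
    print(otp_payload(token, totp(RFC_TEST_SECRET_B32)))
```

The trade-off D-VR describes is visible in `totp`: whoever can read `secret_b32` can produce valid codes indefinitely, so a secret in the config file has the same exposure as the stored password and should get the same file permissions and the same "local file access means account compromise" assumption.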

D-VR commented 4 months ago

@Nathan-Mossaad I've added the feature :)

Nathan-Mossaad commented 4 months ago

Great, thanks a lot!

I will close this issue as soon as either #119 or #120 have been merged!

septatrix commented 4 months ago

The proper solution would be to use the Moodle API with a token instead of going through the SSO. See the V2 Branch (which is currently not seeing development, however). Only drawback is that this does not support external pages like sciebo