The-NeXT-Project / NeXT-Panel

Next generation proxy service management system (OSS Edition)
https://nextpanel.dev
GNU General Public License v3.0

feat: support for WebAuthn #25

Closed pplulee closed 6 months ago

pplulee commented 6 months ago

Allow login via WebAuthn.

Remaining front-end issues:

pplulee commented 6 months ago

Planning to add FIDO2 as MFA

AutisticShark commented 6 months ago

Very interesting PR! I actually did a few investigations to add WebAuthn to the SSP; the major blocker back then was the non-unified MFA interface and fragmented implementation.

Now that we already have an MFA and other notification-related services in place (IM, Notification, etc.), we can refactor the MFA service, allow it to be extended, and incorporate more MFA methods including this one.

You can continue to work on this PR in the meantime. I will need to do some foundational re-work on the Auth and MFA systems before adding the WebAuthn feature to the panel.

And to clarify, the reason #23 hasn't been merged is that I am currently working on a new logging interface for the panel, using https://github.com/Seldaek/monolog. I expect that work to be done this week or early next week, and after that, I will merge #23 and start the refactoring process. I hope you can understand that I am only working part-time on this project.

PS: I didn't know that webauthn-framework would import half of the Symfony framework as a dependency, but it seems there is no lightweight alternative that exists.

pplulee commented 6 months ago

The current implementation is to allow Passkey logins, and I'm planning WebAuthn/FIDO2 as an MFA. To add this feature, it would be best to refactor the MFA. I have the following ideas:

  • add an MFA table, users are allowed to add multiple MFAs
  • remove the default ga
  • after user login, redirect user to a specific page for MFA (if they enable MFA), or maybe a pop-up window.

These are my thoughts, and it is not easy to refactor the current MFA. Looking forward to your suggestions, @M1Screw.

The verification part was actually not difficult, but integrating it into existing user systems was more difficult than I expected.

AutisticShark commented 6 months ago

To say the current Auth system is a dumpster fire is an understatement :)

AutisticShark commented 6 months ago

> • add a mfa table, users are allowed to add multiple MFAs
> • remove the default ga
> • after user login, redirect user to a specific page for MFA (if they enable MFA), or maybe a pop-up window.

Agree on all points, I can invite you to SSPanel-UIM org to work on this on a separate branch, if you want.

pplulee commented 6 months ago

> • add a mfa table, users are allowed to add multiple MFAs
> • remove the default ga
> • after user login, redirect user to a specific page for MFA (if they enable MFA), or maybe a pop-up window.
>
> Agree on all points, I can invite you to SSPanel-UIM org to work on this on a separate branch, if you want.

Thanks for the invite, I'd love to join.

I'll try to refactor first and discuss with you if I run into any issues.