ThomasTJdev / nim_websitecreator

Nim fullstack website framework - deploy a website within minutes
https://nimwc.org
MIT License
177 stars 7 forks

Implement 2FA #44

Closed juancarlospaco closed 5 years ago

juancarlospaco commented 5 years ago

https://github.com/OpenSystemsLab/otp.nim

Research and implement 2FA TOTP with the lib at the link, and check if it's working OK. :smiley_cat:

ThomasTJdev commented 5 years ago

I've been looking at this package a couple of times, but I haven't had the time to try it out. It's absolutely an important milestone! A big +1

juancarlospaco commented 5 years ago

The UX and other details can be improved, but the base is there and working. Tested with FreeOTP and nimwc2fa.nim. Demo mode doesn't really check if it's valid.

ThomasTJdev commented 5 years ago

Hi @juancarlospaco, I'm trying to test the 2FA solution, but I need some help to understand the flow.

juancarlospaco commented 5 years ago

I am no InfoSec expert. The pull request is not finished yet; it's really hot here, >35C, so that slows down development.

But reading the standard and docs, the user and server need a string in common. It can be some random string; some use numbers for simplification (Twitter uses numbers 0 to 9, last time I checked). I am using the username to generate the TOTP, and it's working OK on my FreeOTP and nimwc2fa.nim. The algo works with a string in common and time; every 30 seconds the OTP expires. I don't know if it's the best in the world, but still better than Twitter and others that send the 2FA by SMS.

I just added my own username in the app: TOTP, 6 digits, Save. Then tap on Generate.

nim c -r nimwc2fa.nim "username"

It's not meant as the main app, but something to log on with if you lost your phone, an emergency app. It may look sketchy, but Keybase uses a CLI app too, and people seem to like it. I will move the link away later on; the user-facing app will be FreeOTP.

ThomasTJdev commented 5 years ago

We have around 0 degrees :smiley: ..

We should use a unique value for the 2FA token; the username is too easy for an attacker to guess. The person table could be expanded with a person.2fa field to save the token. We could just give the token or create a QR code.

Let me know if I should add something to the PR.

.. and good idea with nimwc2fa.nim
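The TOTP flow discussed in this thread (a string shared by user and server, a 30-second step, 6 digits) with a per-user random secret stored instead of the username, as an added Python example that is not part of the issue, the PR or otp.nim. It assumes the usual RFC 6238 defaults (HMAC-SHA1) and the standard otpauth URI format that authenticator apps such as FreeOTP read.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Added illustration of RFC 6238 TOTP over RFC 4226 HOTP (not otp.nim code).
# Parameters as discussed in the thread: 6 digits, 30-second period.
DIGITS = 6
PERIOD = 30


def generate_secret(nbytes: int = 20) -> str:
    """Per-user random secret, base32-encoded for authenticator apps.
    This is the value to store in a person.2fa-style field instead of the username."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, DIGITS digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """TOTP: HOTP with the counter set to the current 30-second step."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // PERIOD)


def verify(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock skew,
    comparing in constant time. Returns False on any mismatch (including wrong length)."""
    t = int(time.time()) if at is None else at
    step = t // PERIOD
    return any(hmac.compare_digest(hotp(secret_b32, step + d), code)
               for d in range(-window, window + 1))


def provisioning_uri(secret_b32: str, username: str, issuer: str = "nimwc") -> str:
    """otpauth link (the 'standard Link' mentioned in the thread) for the user's app;
    the issuer label 'nimwc' is a placeholder chosen here."""
    return (f"otpauth://totp/{issuer}:{username}?secret={secret_b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={PERIOD}")
```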

juancarlospaco commented 5 years ago

The lib can generate a standard link that the apps should pick up, just like a QR code but without adding more dependencies.

OK about the person field.

I was more worried if the lib works with FreeOTP so I used what I found quickly to try it.