TriliumNext / Notes

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0

Feature addition: Multi-Factor Authentication #163

Open chesspro13 opened 1 month ago

chesspro13 commented 1 month ago

Features added

To test TOTP, you will need some sort of authentication app/extension prior to testing.

  1. Go to "Options" -> "MFA"
  2. Check the "Enable TOTP" checkbox
  3. Click the "Generate TOTP Secret" button
  4. Copy the generated secret to your authentication app/extension
  5. Click the "Generate Recovery Codes" button
  6. Copy the recovery codes. Recovery codes can only be used once in place of TOTP and will say the date/time they were used in Zulu time on subsequent visits to this page.
  7. Save the secret in .env under "TOTP_SECRET"
  8. Restart trilium.
  9. Logout or navigate to login page. You can now use the TOTP or recovery codes to login.

To test OAuth/OpenID, you will need to set up an authentication provider. I tested with Authentik, Google, and 0Auth. This requires a bit of extra setup. Linked here is how to test this with Google.

  1. Set up Google or another provider. The key bits of information needed are
  2. Go to "Options" -> "MFA"
  3. Check the "Enable Oauth/OpenID" checkbox
  4. Click the "Login to Configured OAuth Service" button. It should redirect you to the authentication provider.
  5. When you are redirected back, click the "Save User" button. It should show a toast with the user you logged in as for your provider.
  6. You can now login and out with the service provider and should be able to login and logout without using your password.
chesspro13 commented 1 month ago

As stated in #52, we really need to get a formatting standard hashed out. I formatted all the files I touched to keep formatting consistent with develop.

alexpietsch commented 1 month ago

Hey, thank you very much for the time and effort. I really like this change. I just had a quick look and I have one big concern: The library you use (speakeasy) isn't maintained anymore. The last change was made 8 years ago. There are also multiple open issues on the repo about OTPs not working. I don't know how others feel about this, but I am not really comfortable adding a library which is outdated for such a long time.

eliandoran commented 1 month ago

@alexpietsch , this is a good point and it's unfortunately a very common problem in the NPM ecosystem. @chesspro13 , are you aware of any newer alternatives to this library? Indeed, new developments based on old libraries are a bit of a risk since either way we'd need to upgrade at some point.

chesspro13 commented 1 month ago

I have no problem switching to another library.

chesspro13 commented 1 month ago

@alexpietsch @eliandoran I've switched to a library that is still maintained, called time2fa.