cydrobolt / polr

:aerial_tramway: A modern, powerful, and robust URL shortener
https://polrproject.org
GNU General Public License v2.0

Request to add 2FA and/or SAML SSO support #558

Open fleish opened 4 years ago

fleish commented 4 years ago

Expected Behavior

It would be helpful if Polr could be set up to require a TOTP authenticator for user/admin access and/or SAML SSO support so that authentication/authorization/accounting could be handled outside of Polr.

Current Behavior

Currently Polr only offers local, username/password-based credentials for "non-public" features that require signup/login.

Possible Solution

Adding the ability to use an Authenticator app (e.g. Authy or Google Authenticator) and/or a hardware-based token (e.g. Yubikey) for more secure authentication access would be a good security practice. Currently, I am enforcing "2FA" by forcing users to connect via a VPN and then I can limit access to the non-public side of Polr via a crude ACL in the web server config. Here is an example for NGINX:

    location / {
            location ~ (login|admin|signup|setup|lost_password) {
                    allow <TRUSTED_IP_ADDRESS>;
                    deny all;
                    try_files $uri $uri/ /index.php$is_args$args;
                    # rewrite ^/([a-zA-Z0-9]+)/?$ /index.php?$1;
            }
            try_files $uri $uri/ /index.php$is_args$args;
            # rewrite ^/([a-zA-Z0-9]+)/?$ /index.php?$1;
    }

Steps to Reproduce (for bugs)

N/A

Context

Not being able to require 2FA on a service that needs to be exposed to the public internet to function requires other security measures be put in place to protect from possible unauthorized access.

Your Environment

anjaneshbabu commented 4 years ago

This would be a fantastic feature. We have been mulling over Azure AD integration via SAML for a while.

taintedkernel commented 4 years ago

I agree this would be excellent to have. We might end up deprecating our Polr installation in favor of a commercial offering specifically for this feature. But the project also seems abandoned, more or less, without any commits in 2 years...