nuvla / api-server

Nuvla API server packaged as a Docker container
https://sixsq.com
Apache License 2.0

Add support for 2FA (Two-Factors Authentication) to Nuvla #577

Closed sync-by-unito[bot] closed 2 years ago

sync-by-unito[bot] commented 2 years ago

┆Issue is synchronized with this Trello card by Unito

sync-by-unito[bot] commented 2 years ago

➤ Khaled Basbous commented:

Goals

Enhance security by using a 2FA mechanism. 2FA should be optional and the user can enable it in his profile. This can be achieved by sending a secret to the user's email account, sending an SMS to his phone, or using TOTP ( https://en.wikipedia.org/wiki/Time-based_One-Time_Password ) with some freely available apps (2FAS Auth, Google Authenticator, etc.).

Note: SMS workflow support is very similar to Email, but we have to work with some providers (not free of charge). The only difference is that the user has to provide his phone number.

Workflow

Enable 2FA

TOTP

1) User goes to his profile page and clicks the enable 2FA authentication button.
2) Select 2FA method TOTP.
3) Server generates a secret code and creates a validation callback. The code is stored in the callback data. Server responds to the user with the callback and the secret.
4) UI presents a QR code with app install instructions.
5) User enters the code and submits.
6) Server checks the code. If it is valid, enable 2FA for the user. If it is invalid, the server should allow 2 minutes of retries, and after that the callback expires.
7) After expiry, stop and do not enable 2FA.

Email

1) User goes to his profile page and clicks the enable 2FA authentication button.
2) Select 2FA method Email.
3) Server generates a secret code and creates a validation callback. The code is stored in the callback data. Server sends the secret to the user via email. Server responds to the user with the callback.
4) UI presents a button to resend the code (enable-2fa again).
5) User enters the code and submits.
6) Server checks the code. If it is valid, enable 2FA for the user. If it is invalid, the server should allow 2 minutes of retries, and after that the callback expires.
7) After expiry, stop and do not enable 2FA.

Login with 2FA

1) User logs in with username and password.
2) Server checks whether 2FA is enabled; if yes, generate a 2FA check callback and send it to the user.
3) UI shows a new input field to add the code and a submit button.
4) For EMAIL and SMS, generate the code and send it to the user.
4) User fills in the code and submits.
5) Server validates the code. If it is valid, send ok and create the session; if not, after 3 failures fail the callback.

Libraries

| Name | Language | Tested with | License |
| --- | --- | --- | --- |
| one-time ( https://github.com/suvash/one-time ) | Clojure | Google Authenticator, Authy, Lastpass Authenticator | EPL-1.0 License |
| two-factor-auth ( https://github.com/j256/two-factor-auth ) | Java | Google Authenticator, Authy | ISC License |

UI changes

- User profile - Enable 2FA button, Modal with steps, QR code component, check code
- Sign-in - when callback 2fa in response, new page to enter 2fa token and show error message on failure or login on success

Server changes

- New dependency one-time
- Callback validate session-2fa-token
- Callback validate-user-2fa-token
- User action enable-2fa, disable-2fa
- Session username password, when 2fa enabled workflow change and redirect with callback

SMS Service providers

- https://www.twilio.com/authy/pricing
- https://www.smsglobal.com/pricing/
- https://www.textmagic.com/sms-pricing/
- https://www.clicksend.com/en/pricing/ch/
- https://www.vonage.com/communications-apis/pricing/
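
The TOTP enrolment and login checks from the workflow in the comment above, as an added Python example that is not part of the issue or of Nuvla's code. `TwoFactorCallback`, its state names, the one-step clock-drift window, the `Nuvla` issuer label and the use of the same 2-minute `ttl` for login are assumptions; the 2-minute expiry and the 3-failure limit are the ones the workflow states.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TwoFactorCallback:
    """Hypothetical model of the validation callback; not Nuvla's code."""

    def __init__(self, now, ttl=120, max_failures=None):
        # Secret is generated server-side and kept in the callback data.
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.expires_at = now + ttl       # 2-minute retry window
        self.max_failures = max_failures  # 3 for login, None for enrolment
        self.failures = 0
        self.state = "WAITING"

    def provisioning_uri(self, account, issuer="Nuvla"):
        # otpauth:// URI that the UI would render as the QR code.
        label = quote(f"{issuer}:{account}")
        return f"otpauth://totp/{label}?secret={self.secret}&issuer={quote(issuer)}"

    def validate(self, code, now):
        if self.state != "WAITING":       # a finished callback is single-use
            return False
        if now >= self.expires_at:
            self.state = "EXPIRED"
            return False
        ok = False
        for drift in (-STEP, 0, STEP):    # assumption: one step of clock drift
            expected = totp(self.secret, now + drift).encode()
            ok |= hmac.compare_digest(expected, code.encode())
        if ok:
            self.state = "SUCCEEDED"      # caller enables 2FA or creates the session
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.state = "FAILED"
        return False
```

Timestamps are passed in explicitly so the expiry and failure paths can be exercised deterministically; a server would pass `time.time()`.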