Closed MarkSonghurst closed 6 years ago
Hi @MarkSonghurst thanks for the kind words. The library is indeed not built to be used in a distributed way. It will need some adjustments in order to support a multi-server setup. If that's ok for you to wait a couple of days, I should be able to modify the library so that it accepts an interface which reads and writes information from a central location. (For example: shared file system, a database or anything which will implement the interface).
Thank you for the fast response - an interface sounds like an excellent solution.
Hi. Any progress with this please?
Hi @MarkSonghurst I did progress with it and I have managed to add an interface and implement a first version which allows multiple processes in the same machines to coordinate and generate tokens. However I am not too happy about the implementation and I need to refactor a couple of parts. I am hoping to be able to work on it this upcoming weekend.
In my fork of this package I have dropped use of cryptoengine and used golang's secretbox package with a shared secret key that I can install on all my hosts. Closing issue.
I am in a similar case of @MarkSonghurst working in a distributed environment. I like the idea of using secretbox.
@MarkSonghurst, @silenteh Would you consider merging the code in the original package?
Thanks for a great library.
Some internal behaviour of twofactor has caught me out in my distributed infrastructure. I noticed through a log message that the cryptoengine package used by twofactor writes a bunch of files to disk in a keys subdirectory:
example.com_nonce.key
example.com_salt.key example.com_private.key
example.com_secret.key example.com_public.key
After looking at the code I can see environment variable SEC51_KEYPATH can be used to declare the path for these files. However, I'm using twofactor in a highly scaled daemon, of which I run multiple instances (1 per CPU) on the same host and also run on other separate hosts. Each instance of my daemon needs to successfully encrypt or decrypt the totp struct which is stored centrally in a database.
Please can you confirm which of the cryptoengine files must be identical on all my hosts for totp encryption/decryption to work correctly across my infrastructure? I plan to pre-generate these files and install them to each of my hosts before my daemon is run. However from reading the cryptoengine source code, I think that some of the files are refreshed over time - please could you confirm which files these are (I think the salt, nonce and secret?), and would it matter if these refreshed files were different for every instance of my daemon?
Many thanks.