updated with 2fa (#681)

Author: gtsteffaniak

CHANGELOG.md

@@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file. For commit
 
  **New Features**
  - new `./filebrowser.exe setup` command for creating a config.yaml on first run. https://github.com/gtsteffaniak/filebrowser/issues/675
+ - new 2FA/OTP support for password-based users.
+ - `auth.password.enforcedOtp` option to enforce 2FA usage for password users.
 
  **Notes**:
  - logging uses localtime, optional UTC config added https://github.com/gtsteffaniak/filebrowser/issues/665
@@ -23,7 +25,9 @@ All notable changes to this project will be documented in this file. For commit
  - rename button doesn't close prompt https://github.com/gtsteffaniak/filebrowser/issues/664
  - webm video preview issue https://github.com/gtsteffaniak/filebrowser/issues/673
  - fix signup issue https://github.com/gtsteffaniak/filebrowser/issues/648
- #- fix default source bug (needs tests)
+ - fix default source bug
+
+![image](https://github.com/user-attachments/assets/28e4e67e-31a1-4107-9294-0e715e87b558)
 
 ## v0.7.4-beta
 

README.md

@@ -21,7 +21,7 @@
 FileBrowser Quantum is a massive fork of the file browser open-source project with the following changes:
 
   1. ✅ Multiple sources support
-  2. ✅ Login support for OIDC, password, and proxy.
+  2. ✅ Login support for OIDC, password + 2FA, and proxy.
   3. ✅ Revamped UI
   4. ✅ Simplified configuration via `config.yaml` config file.
   5. ✅ Ultra-efficient [indexing](https://github.com/gtsteffaniak/filebrowser/wiki/Indexing) and real-time updates

backend/auth/json.go

@@ -8,38 +8,26 @@ import (
 	"os"
 	"strings"
 
+	"github.com/gtsteffaniak/filebrowser/backend/common/errors"
 	"github.com/gtsteffaniak/filebrowser/backend/database/users"
 	"github.com/gtsteffaniak/go-logger/logger"
 )
 
-type jsonCred struct {
-	Password  string `json:"password"`
-	Username  string `json:"username"`
-	ReCaptcha string `json:"recaptcha"`
-}
-
 // JSONAuth is a json implementation of an Auther.
 type JSONAuth struct {
 	ReCaptcha *ReCaptcha `json:"recaptcha" yaml:"recaptcha"`
 }
 
 // Auth authenticates the user via a json in content body.
-func (a JSONAuth) Auth(r *http.Request, userStore *users.Storage) (*users.User, error) {
-	var cred jsonCred
-
-	if r.Body == nil {
-		logger.Error("nil body error")
-		return nil, os.ErrPermission
-	}
-	err := json.NewDecoder(r.Body).Decode(&cred)
-	if err != nil {
-		logger.Error("decode body error")
-		return nil, os.ErrPermission
-	}
+func (auther JSONAuth) Auth(r *http.Request, userStore *users.Storage) (*users.User, error) {
+	password := r.URL.Query().Get("password")
+	username := r.URL.Query().Get("username")
+	recaptcha := r.URL.Query().Get("recaptcha")
+	totpCode := r.URL.Query().Get("code")
 
 	// If ReCaptcha is enabled, check the code.
-	if a.ReCaptcha != nil && len(a.ReCaptcha.Secret) > 0 {
-		ok, err := a.ReCaptcha.Ok(cred.ReCaptcha) //nolint:govet
+	if auther.ReCaptcha != nil && len(auther.ReCaptcha.Secret) > 0 {
+		ok, err := auther.ReCaptcha.Ok(recaptcha) //nolint:govet
 
 		if err != nil {
 			return nil, err
@@ -49,16 +37,42 @@ func (a JSONAuth) Auth(r *http.Request, userStore *users.Storage) (*users.User,
 			return nil, os.ErrPermission
 		}
 	}
-	u, err := userStore.Get(cred.Username)
+
+	user, err := userStore.Get(username)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get user from store: %v", err)
 	}
-	err = users.CheckPwd(cred.Password, u.Password)
+	err = users.CheckPwd(password, user.Password)
 	if err != nil {
 		return nil, err
 	}
 
-	return u, nil
+	// check for OTP for password
+	if user.TOTPSecret != "" {
+		if totpCode == "" {
+			return nil, errors.ErrNoTotpProvided
+		}
+		err = VerifyTotpCode(user, totpCode, userStore)
+		if err != nil {
+			logger.Error("OTP verification failed")
+			return nil, err
+		}
+	}
+
+	if user.LoginMethod != users.LoginMethodPassword {
+		logger.Warningf("user %s is not allowed to login with password authentication, bypassing and updating login method", user.Username)
+		user.LoginMethod = users.LoginMethodPassword
+		// Perform the user update
+		err = userStore.Update(user, true, "LoginMethod")
+		if err != nil {
+			logger.Debug(err.Error())
+		}
+		//http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		//return
+	}
+
+	return user, nil
+
 }
 
 // LoginPage tells that json auth doesn't require a login page.

backend/auth/storage.go

@@ -1,7 +1,11 @@
 package auth
 
 import (
+	"encoding/base64"
+
+	"github.com/gtsteffaniak/filebrowser/backend/common/settings"
 	"github.com/gtsteffaniak/filebrowser/backend/database/users"
+	"github.com/gtsteffaniak/go-logger/logger"
 )
 
 // StorageBackend is a storage backend for auth storage.
@@ -35,6 +39,10 @@ func NewStorage(back StorageBackend, userStore *users.Storage) (*Storage, error)
 	if err != nil {
 		return nil, err
 	}
+	encryptionKey, err = base64.StdEncoding.DecodeString(settings.Config.Auth.TotpSecret)
+	if err != nil {
+		logger.Warning("failed to decode TOTP secret, using default key. This is insecure and should be fixed.")
+	}
 	return store, nil
 }
 

backend/auth/totp.go

@@ -0,0 +1,200 @@
+package auth
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/gtsteffaniak/filebrowser/backend/common/settings"
+	"github.com/gtsteffaniak/filebrowser/backend/database/users"
+	"github.com/gtsteffaniak/go-cache/cache"
+	"github.com/gtsteffaniak/go-logger/logger"
+	"github.com/pquerna/otp"
+	"github.com/pquerna/otp/totp"
+)
+
+// Constants for TOTP (Time-based One-Time Password) configuration.
+const (
+	// IssuerName is the name of the application or service.
+	IssuerName = "FileBrowser Quantum"
+
+	// TokenValidTime defines the total duration a token is considered valid.
+	// Note: The actual validation window might be slightly longer depending on the period.
+	TokenValidTime = time.Minute * 2
+
+	// TOTPPeriod is the standard duration in seconds that a TOTP code is valid.
+	TOTPPeriod uint = 30
+
+	// TOTPSecretSize is the byte length of the shared secret.
+	TOTPSecretSize uint = 20
+
+	// TOTPDigits specifies the number of digits in the OTP code.
+	TOTPDigits = otp.DigitsSix
+
+	// TOTPAlgorithm is the hashing algorithm to use.
+	TOTPAlgorithm = otp.AlgorithmSHA1
+)
+
+var (
+	// TOTPSkew allows for a certain number of periods of clock drift.
+	// We calculate it to best match the TokenValidTime.
+	// (2 * Skew + 1) * Period >= TokenValidTime
+	// For a 2-minute (120s) window with a 30s period, we need a Skew of 2.
+	// (2*2 + 1) * 30s = 150s (2.5 minutes). This is the closest we can get.
+	TOTPSkew      uint = uint(TokenValidTime.Seconds()) / (2 * uint(TOTPPeriod))
+	encryptionKey []byte
+	TotpCache     = cache.NewCache(5 * time.Minute)
+)
+
+func GenerateOtpForUser(user *users.User, userStore *users.Storage) (string, error) {
+	// Generate a new TOTP key using the defined constants.
+	key, err := totp.Generate(totp.GenerateOpts{
+		Issuer:      IssuerName,
+		AccountName: user.Username,
+		Period:      TOTPPeriod,
+		SecretSize:  TOTPSecretSize,
+		Digits:      TOTPDigits,
+		Algorithm:   TOTPAlgorithm,
+	})
+	if err != nil {
+		return "", fmt.Errorf("error generating TOTP key: %w", err)
+	}
+
+	secretText := key.Secret()
+	nonce := ""
+	if settings.Config.Auth.TotpSecret != "" {
+		// If an encryption key is provided, encrypt the secret.
+		secretText, nonce, err = encryptSecret(secretText, encryptionKey)
+		if err != nil {
+			return "", fmt.Errorf("failed to encrypt TOTP secret: %w", err)
+		}
+	}
+	// set cache so verify can attempt to use it but not require it for user yet.
+	TotpCache.Set(user.Username, secretText+"||"+nonce)
+	url := "otpauth://totp/FileBrowser%20Quantum?secret=" + secretText
+	return url, nil
+}
+
+// encryptSecret uses AES-GCM to encrypt a plaintext secret.
+// It returns the base64-encoded ciphertext and nonce, or an error.
+func encryptSecret(secret string, key []byte) (string, string, error) {
+	if len(key) != 32 {
+		return "", "", fmt.Errorf("invalid encryption key length: must be 32 bytes")
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", "", err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", "", err
+	}
+
+	ciphertext := gcm.Seal(nil, nonce, []byte(secret), nil)
+
+	return base64.StdEncoding.EncodeToString(ciphertext), base64.StdEncoding.EncodeToString(nonce), nil
+}
+
+// decryptSecret uses AES-GCM to decrypt a ciphertext using its key and nonce.
+// It returns the plaintext secret or an error.
+func decryptSecret(b64Ciphertext, b64Nonce string) (string, error) {
+	if len(encryptionKey) != 32 {
+		return "", fmt.Errorf("invalid encryption key length: must be 32 bytes")
+	}
+
+	ciphertext, err := base64.StdEncoding.DecodeString(b64Ciphertext)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode ciphertext: %w", err)
+	}
+
+	nonce, err := base64.StdEncoding.DecodeString(b64Nonce)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode nonce: %w", err)
+	}
+
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		// This error often means the key is wrong or the data is corrupt
+		return "", fmt.Errorf("failed to decrypt secret: %w", err)
+	}
+
+	return string(plaintext), nil
+}
+
+func VerifyTotpCode(user *users.User, code string, userStore *users.Storage) error {
+	// get data from cache
+	cachedSecret, found := TotpCache.Get(user.Username).(string)
+	if !found && user.TOTPSecret == "" {
+		return fmt.Errorf("OTP token not found in cache, please generate a new one")
+	}
+	totpSecret := user.TOTPSecret // The encrypted or plaintext secret
+	totpNonce := user.TOTPNonce   // The nonce if encrypted, or empty if plaintext
+	if found {
+		splitSecret := strings.Split(cachedSecret, "||")
+		if len(splitSecret) < 2 {
+			return fmt.Errorf("invalid cached OTP token format")
+		}
+		totpSecret = splitSecret[0]
+		totpNonce = splitSecret[1]
+	}
+	secretToValidate := totpSecret
+	if settings.Config.Auth.TotpSecret != "" {
+		// If an encryption key is configured, we must decrypt the secret first.
+		if totpNonce == "" {
+			return fmt.Errorf("secret is encrypted but nonce is missing")
+		}
+		decryptedSecret, err := decryptSecret(totpSecret, totpNonce)
+		if err != nil {
+			return fmt.Errorf("failed to decrypt TOTP secret: %w", err)
+		}
+		secretToValidate = decryptedSecret
+	}
+	// --- END: ADD THIS DECRYPTION LOGIC ---
+
+	// Validate the token using the (now plaintext) secret.
+	valid, err := totp.ValidateCustom(code, secretToValidate, time.Now().UTC(), totp.ValidateOpts{
+		Period:    TOTPPeriod,
+		Skew:      TOTPSkew,
+		Digits:    TOTPDigits,
+		Algorithm: TOTPAlgorithm,
+	})
+	if err != nil {
+		logger.Errorf("error during TOTP validation: %v", err)
+	}
+	if !valid {
+		return fmt.Errorf("invalid OTP token")
+	}
+	if totpSecret != "" {
+		user.TOTPSecret = totpSecret // The encrypted or plaintext secret
+		user.TOTPNonce = totpNonce   // The nonce if encrypted, or empty if plaintext
+		user.OtpEnabled = true       // Enable OTP for the user
+	}
+	// save user
+	if err := userStore.Update(user, user.Permissions.Admin, "TOTPSecret", "TOTPNonce"); err != nil {
+		logger.Debug("error updating user with OTP token:", err)
+		return fmt.Errorf("error updating user with OTP token: %w", err)
+	}
+	return nil
+}

backend/cmd/cli.go

@@ -88,7 +88,8 @@ func runCLI() bool {
 			user, err := store.Users.Get(username)
 			if err != nil {
 				newUser := users.User{
-					Username: username,
+					Username:    username,
+					LoginMethod: users.LoginMethodPassword,
 					NonAdminEditable: users.NonAdminEditable{
 						Password: password,
 					},
@@ -114,7 +115,13 @@ func runCLI() bool {
 				}
 				return false
 			}
+			if user.LoginMethod != users.LoginMethodPassword {
+				logger.Warningf("user %s is not allowed to login with password authentication, bypassing and updating login method", user.Username)
+			}
 			user.Password = password
+			user.TOTPSecret = "" // reset TOTP secret if it exists
+			user.TOTPNonce = ""  // reset TOTP nonce if it exists
+			user.LoginMethod = users.LoginMethodPassword
 			if asAdmin {
 				user.Permissions.Admin = true
 			}

backend/common/errors/errors.go

@@ -18,4 +18,7 @@ var (
 	ErrInvalidRequestParams = errors.New("invalid request params")
 	ErrSourceIsParent       = errors.New("source is parent")
 	ErrRootUserDeletion     = errors.New("user with id 1 can't be deleted")
+	ErrNoTotpProvided       = errors.New("OTP code is required for user")
+	ErrNoTotpConfigured     = errors.New("OTP is enforced, but user is not yet configured")
+	ErrUnauthorized         = errors.New("user unauthorized")
 )