Mirror of https://github.com/BookStackApp/BookStack.git (synced 2026-02-07 19:06:05 +03:00)
[Feature Request] 2FA Implementation #901
Closed
opened 2026-02-04 22:47:59 +03:00 by OVERLORD
33 comments
Originally created by @cb3inco on GitHub (Nov 13, 2018).
Describe the feature you'd like
Implementation of 2FA time based tokens.
Describe the benefits this feature would bring to BookStack users
The benefit would be that I would feel confident allowing BookStack face the public internet if 2FA could be turned on and enforced. This would allow the user direct access without having to turn on a VPN to get inside our network. I realize this might not be the use case for a lot of folks, but for those who are documenting sensitive systems this would be a huge win.
@vincentmakes commented on GitHub (Mar 24, 2019):
This feature would be great
@Shagon94 commented on GitHub (Apr 19, 2019):
Would love to have this feature, duo has a free plan, I've used duo and its great. The only thing that could be a downside to users would be if this too is behind a paywall like the Oauth feature, security should not be placed behind a paywall.
@ssddanbrown commented on GitHub (Apr 20, 2019):
@Shagon94 Sorry, I may be getting confused since I'm not familiar with Duo, but is the mention of a paywall in reference to Duo or in reference to BookStack?
I'd prefer to stay away from anything vendor specific for this tbh, and go for something fairly open and common such as TOTP.
@Shagon94 commented on GitHub (Apr 20, 2019):
Apologies, I just found the documentation page for Oauth - https://www.bookstackapp.com/docs/admin/third-party-auth/
that being said MFA / 2FA would be great as well, TOTP would also be a great addition.
Regarding duo - duo is a 2FA provider, they have an app as well, it works like any other 2FA compatible app, the reason why I mentioned them was because they have a free plan so people might prefer having a push that they can just accept over entering the key from the OTP.
Even if we exclude duo from this 2FA is a great addition to the security, any implementation would be great.
@ssddanbrown commented on GitHub (Sep 7, 2019):
Just putting this here as a reminder to myself to potentially dig into a webauthn implementation:
https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
@ssddanbrown commented on GitHub (Apr 8, 2020):
Copy of my message from the closed (In favor of this issue) original issue:
Just to flesh this out a little further, What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?
Not looking for extra ideas, just want to know what you'd specifically want for your environment(s).
I'm assuming, for new users and for newly-admin-enabled-2fa users, we'd force a "Setup 2FA" step upon login?
Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?
@Cave-Johnson commented on GitHub (Apr 8, 2020):
As an admin I'd like the option to force enabling 2FA for all users, enable just for Administrators or leave it up to user preference (enabled but not enforced)
This would be the method as far as I can tell.
A backup system would be needed in some form. I think your idea of a CLI command would suffice for small instances. Where that would add more of an overhead is in large deployments. That's where the option of backup codes (i.e. 10 codes you download and keep safe when 2FA is configured) would come in handy, with the CLI as the ultimate fallback.
@dvdl16 commented on GitHub (Apr 13, 2020):
Even just enabling/enforcing it based on Role can also be sufficient
Sounds good!
The CLI command is a good idea
@triDcontrols commented on GitHub (May 2, 2020):
+1 for this feature.
@ssddanbrown commented on GitHub (May 5, 2020):
Hi @triDcontrols, To help gather guidance for implementation could you read and answer my post above?
@ark- commented on GitHub (Jul 15, 2020):
A keen user for 18 months' opinion...
Feel like forcing it on admins is fair as they have much more control. Below that, let users decide. The way Nextcloud forces it on for everyone or no one has caused me issues with people being locked out in the past.
This would have to exist to stop existing users being blocked out as mentioned above.
Admin CLI is absolutely fine as long as it's well documented. Other projects have fallen down in the past as I've found the secret CLI command buried in a closed issue.
@kayvanaarssen commented on GitHub (Sep 9, 2020):
Any news on this feature? It would make Bookstack more suitable for a lot of things and improve security. Also it will 100% pass Accountant Audits!
@ssddanbrown commented on GitHub (Sep 13, 2020):
@kayvanaarssen No, No news. Please read and answer my post above to help us understand requirements for this.
@kayvanaarssen commented on GitHub (Sep 13, 2020):
Like @ark- also commented:
Some points that come to mind:
@kayvanaarssen commented on GitHub (Nov 18, 2020):
Sorry for pushing this again. But any news on adding 2FA? This is one thing that's holding us back to use BookStack for our clients to login and look at their documentation. Since we want to have it secure.
@ssddanbrown commented on GitHub (Nov 18, 2020):
@kayvanaarssen No news, I've hardly had time to devote to the project since your last prompt.
Realistically it's not going to be this year, maybe first half of next year but that's a big maybe.
Authentication work is incredibly arduous and time consuming, and often does not benefit the wider existing BookStack user base hence I've pretty much met my limit of working on auth work this year.
If a massively important requirement you could always use one of the other authentication options, such as SAML, along with an identity provider that does support 2FA/MFA.
@kayvanaarssen commented on GitHub (Nov 18, 2020):
I understand, but it's really good for security, of course.
Hope it will make it to BookStack at some point 👍
@ark- commented on GitHub (Nov 20, 2020):
@kayvanaarssen It might be worth looking into https://github.com/authelia/authelia while waiting for bookstack to implement their own.
@JustinByrne commented on GitHub (Jan 29, 2021):
As the system is built on Laravel have you thought of using fortify for the authentication system, I understand that it would potentially be a lot of extra work replacing the existing authentication system but you will then be able to include MFA as an option for users.
@ssddanbrown commented on GitHub (Jan 30, 2021):
@JustinByrne That would introduce a lot of work and only partially solve the technical part, which is not really the challenge. The challenge here is ensuring we have the correct flows and backup options for various existing BookStack use-cases, while thinking how it might need to work/integrate with the various auth options.
@Jarli01 commented on GitHub (Mar 1, 2021):
Just a bit of a heads up, I believe Snipe-IT uses the same laravel versions that Bookstack does and maybe taking some inspiration from that project would help get this feature moving along.
@ssddanbrown commented on GitHub (Mar 2, 2021):
Thanks for the advice @Jarli01, but as mentioned above it's really fleshing out the expected flows/methods/cases/social-expectations that is the tricky part here, not necessarily the technical implementation. Snipe-IT will really have a different intended user-base (within an instance) than many BookStack instances.
Answers to my questions above would really help more than anything else.
@Jarli01 commented on GitHub (Mar 2, 2021):
I would have the option to have mixed mode 2FA - IE Readers only may not be required to have 2FA since they are readers, Editors may be required to have 2FA.
I'd have 2FA disabled by default with an optional flag per user account
@MxD-js commented on GitHub (Mar 2, 2021):
+1, This is the best method of getting 2FA, optional, it's good to have, but not enforced unless the admin specifically enforces this, and is created either during user sign up, or even if admin sets 2FA is required, then on next login user is presented with a 2FA set up.
@Shootify commented on GitHub (Mar 3, 2021):
Please add two factor authentication, it is a MUST for IT service providers, so that would be cool. Thanks for the project.
@AlexKalopsia commented on GitHub (Apr 7, 2021):
Any concrete plan to put this on the roadmap? Feels like a super important feature.
@cttechcorp commented on GitHub (Apr 26, 2021):
+1 please.
@spencersmallwood commented on GitHub (Jul 20, 2021):
+1
@ssddanbrown commented on GitHub (Jul 21, 2021):
Just to update, an implementation is in progress in #2827
@cttechcorp commented on GitHub (Jul 21, 2021):
Awesome news! Keep up the good work! Where's the donate button?
@ssddanbrown commented on GitHub (Aug 21, 2021):
This has now been implemented as part of #2827, and has been merged into master, so will therefore be part of the next feature release.
For this initial implementation, TOTP and backup codes are supported. MFA can be enforced via BookStack roles. A console command has been added to provide the ability to reset MFA for a certain user from the command line. There's a self-service/setup flow on initial enforcement; otherwise MFA can be configured from the user edit view by any user.
Since this feature is now in the master branch, I'll close this off.
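To make concrete what the two factors described in the comment above involve, here is an added example (not BookStack's own code, which is PHP/Laravel and lives in PR #2827) of a standard RFC 6238 TOTP check with a small clock-drift window, plus a single-use backup-code store that keeps only hashes of the codes. The secret, the `window` parameter and the `BackupCodeStore` class are assumptions for illustration; the RFC 6238 test vector used in the check is from that RFC's appendix.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def new_totp_secret(num_bytes: int = 20) -> str:
    """Generate a fresh base32 TOTP secret (160 bits, the size RFC 4226 recommends for HMAC-SHA1)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def totp_code(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) for a given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = timestamp // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept a code from the current step or up to `window` steps either side (clock drift).

    Comparison is constant-time; a real deployment would also record the last
    accepted counter so the same code cannot be replayed within the window.
    """
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, timestamp + drift * step, step=step)
        if hmac.compare_digest(expected, submitted.strip()):
            return True
    return False


class BackupCodeStore:
    """Single-use recovery codes, stored only as SHA-256 hashes (hypothetical store for this example).

    Codes are 48 random bits, so a fast hash is adequate here; they are not user-chosen
    passwords and an attacker cannot enumerate them from the hashes in practice.
    """

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode("ascii")).hexdigest()

    def issue(self, count: int = 10) -> list[str]:
        """Create `count` codes, remember their hashes, and return the plaintext once for the user to save."""
        codes = [secrets.token_hex(6) for _ in range(count)]
        self._hashes.update(self._hash(c) for c in codes)
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume a code if it is valid; a redeemed code can never be used again."""
        digest = self._hash(submitted)
        if digest in self._hashes:
            self._hashes.remove(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # RFC 6238 Appendix B secret ("12345678901234567890" in base32); time 59 -> 287082
    RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code at T=59:", totp_code(RFC_SECRET, 59))
    print("accepted one step late:", verify_totp(RFC_SECRET, "287082", 89))
    store = BackupCodeStore()
    issued = store.issue()
    print("first backup code works once:", store.redeem(issued[0]), store.redeem(issued[0]))
```

The drift window and the single-use store are the two places where such implementations usually go wrong: a window that is too wide, or one that does not remember the last accepted counter, lets a captured code be replayed, and backup codes stored or compared in plaintext defeat their purpose as a recovery path.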
@Cave-Johnson commented on GitHub (Aug 21, 2021):
Amazing work as always! Looking forward to testing this when it's released
@cb3inco commented on GitHub (Aug 21, 2021):
Thank you @ssddanbrown!