2 Factor Authentication (2FA)

InvoicePlane is web software, which means that some installations (the majority, maybe?) are online, on public-facing servers. This could be an issue security-wise.

It would be really nice to have a two-factor authentication option available, TOTP preferably.

What do you think? Is that too difficult to implement?
Discuss/vote

Last Update: 2018-02-21

Found this GitHub project with Google 2FA: https://github.com/antonioribeiro/google2fa

**Compatibility**
You don't need Laravel to use it, but it's compatible with

* Laravel 4.1+
* Laravel 5+

It also has some instructions as to how you can install it in Laravel (which is the framework for IP if I'm not mistaken).


The credentials of the user are checked in the auth method. https://github.com/InvoicePlane/InvoicePlane/blob/master/application/modules/sessions/models/mdl_sessions.php#L21

So at this point we can jump in and check the credentials, e.g. against LDAP or against an internal TOTP token.
I am developing a 2FA system (https://privacyidea.org). So I want to connect InvoicePlane to this.
The easy thing is that I do not need to manage the second factor within InvoicePlane. I do not have to display a QR code in InvoicePlane to enroll the TOTP token.

I will simply have to create a REST Request to the privacyIDEA server, which validates the credentials.
http://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-check

Well, the perfect thing would be to make this authentication code kind of modular, so that authentication plugins can be developed without touching the session class. But this should be a design task within invoicePlane.
Kind regards
Cornelius

I see there have been requests regarding authentication earlier: AD/LDAP Authentication, External Authentication, 2 Factor Authentication (2FA).

I think one would expect to have LDAP authentication. But in this case I would also expect to have some kind of role concept.

Anyways, I would like to go for the low hanging fruit and add two factor authentication against privacyIDEA. Why? Because:

* we use it
* it is our project
* it is simple.

It is as simple as issuing a REST request and evaluating the JSON response.

BUT: I am not sure if InvoicePlane already uses an HTTP client module somewhere that could be used in this case? Is there an HTTP client which I did not see in the project? (…to avoid new dependencies)

What do you think?
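Both of the posts above describe the same check: one POST to privacyIDEA's /validate/check endpoint and a look at the JSON result. The PHP below is an added example, not InvoicePlane or privacyIDEA project code; it uses PHP's bundled cURL extension (so no new dependency) and assumes a placeholder server URL plus the result.status / result.value fields of the linked validate API.

```php
<?php
// Added example (not InvoicePlane or privacyIDEA code): validate a user name plus
// "PIN+OTP" against privacyIDEA's POST /validate/check using PHP's cURL extension.
// Assumed: $baseUrl points at a privacyIDEA instance (placeholder, e.g. https://pi.example.org).

function privacyidea_validate_check(string $baseUrl, string $user, string $pass, ?string $realm = null): bool
{
    $fields = ['user' => $user, 'pass' => $pass];
    if ($realm !== null) {
        $fields['realm'] = $realm;
    }

    $ch = curl_init(rtrim($baseUrl, '/') . '/validate/check');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,   // the OTP travels in this request: keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body = curl_exec($ch);
    $err  = curl_errno($ch);
    curl_close($ch);

    // Transport failure (timeout, TLS error) must fail closed, never fall through to "allowed".
    if ($err !== 0 || $body === false) {
        return false;
    }
    return privacyidea_response_allows($body);
}

// Interpret the JSON body: "status" says whether the request was processed at all,
// "value" whether the credentials were correct. Both must be strictly boolean true.
function privacyidea_response_allows(string $json): bool
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['result']) || !is_array($data['result'])) {
        return false;
    }
    $result = $data['result'];
    return ($result['status'] ?? false) === true && ($result['value'] ?? false) === true;
}

// Constructed sample response in the documented shape (not captured from a live server).
$sample = '{"result":{"status":true,"value":false},"detail":{"message":"wrong otp pin"}}';
var_dump(privacyidea_response_allows($sample));
```

The call to privacyidea_validate_check() would sit in the sessions model's auth method mentioned above, in place of (or in addition to) the local password comparison.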