Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two Factor Authentication on Gitea #179

Closed
gencer opened this issue Nov 15, 2016 · 17 comments
Closed

Two Factor Authentication on Gitea #179

gencer opened this issue Nov 15, 2016 · 17 comments
Labels
type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.
Milestone

Comments

@gencer
Copy link

gencer commented Nov 15, 2016

I couldn't find this request here so i made one.

As you might know, we deploy our secrets (means sources) in gitea/gogs. It will be super-awesome to get Two Factor Authentication besides normal password. There are plenty of implementation for 2FA and I am pretty sure Go has some kind of library out there (didn't looked up yet).

Possibly storing 2FA secret on a disk and an encrypted data on database will make it more secure. Perhaps secret in app.ini.

Can we at least make it happen in v1.0.0.

Personally, I am gonna feel more secure when 2FA is enabled.

@andreynering andreynering added type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first. labels Nov 15, 2016
@metalmatze
Copy link
Contributor

Yesterday I thought about exactly this feature. I really want that too and would like to contribute to this as well. Has anyone tried any lib for 2fa in Go?

@thibaultmeyer
Copy link
Contributor

thibaultmeyer commented Nov 15, 2016

It would be nice if U2F - FIDO Universal 2nd Factor Authentication will be implemented too. It allow usage of USB key rather than SMS / Mail. A GO library exists : https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

@gencer
Copy link
Author

gencer commented Nov 15, 2016

@0xBAADF00D this can be useful, yes, but, many people use a traditional way for 2FA -including me-. So at least for starting, we should have 2FA enabled. If we make generalize, im pretty sure that 2FA users are most.

Correct me If I am wrong.

@thibaultmeyer
Copy link
Contributor

thibaultmeyer commented Nov 15, 2016

@gencer U2F FIDO is 2FA too, but it allow usage of an cryptographic USB Key. By exemple Github propose U2F FIDO or Token generated via "Authenticator" mobile app.

You can read more at https://help.github.com/articles/configuring-two-factor-authentication-via-fido-u2f/

We have just to keep in mind to get something modular with the possibility to add new 2FA methods in future

@tboerger
Copy link
Member

But this won't get into 1.0.0 as this is a release that will be done pretty soon. Maybe we can integrate it for 1.1.0 or 1.2.0.

@tboerger tboerger added this to the 1.x.x milestone Nov 15, 2016
@lunny
Copy link
Member

lunny commented Nov 16, 2016

Yes, this should be enabled on admin panel. It should not be a default setting.

@strk
Copy link
Member

strk commented Nov 16, 2016 via email

@stevenroose
Copy link

Might go good with #183

@mmoya
Copy link

mmoya commented Jan 6, 2017

FTR, a proof of concept for gogs/gogs#945 was posted to minecrafter/gogs@5cd2997.

@lunny
Copy link
Member

lunny commented Jan 6, 2017

@mmoya, Could you send a PR to Gitea?

@gencer
Copy link
Author

gencer commented Jan 6, 2017

@lunny as soon as PR accepted, I will try on brand new server with fresh config for better result and for one to the existing installation to see how its going on. I am preparing a new test server until PR accepted. (Otherwise, I will try target PR source myself)

@mmoya
Copy link

mmoya commented Jan 9, 2017

@lunny, I'll ask OP first. @minecrafter, are you willing to submit a PR to gitea with your 2fa proof-of-concept?

@minecrafter
Copy link
Contributor

minecrafter commented Jan 9, 2017

I'm assuming the only reason I was mentioned was because I did make this attempt to support 2FA from the parent project.

Unfortunately, I do not think I will have the time to continue working on projects like Gitea and Gogs. However, you are free to expand upon my initial work.

@minecrafter
Copy link
Contributor

After getting some more background information, I might be willing to contribute two-factor authentication support to the project. I too have been a former Gogs contributor who was stalled by the maintainer.

@lunny
Copy link
Member

lunny commented Jan 9, 2017

@minecrafter you are welcome back!

@minecrafter
Copy link
Contributor

@lunny Thanks! 👍

@minecrafter
Copy link
Contributor

A little update on the progress I've made:

It's largely working. You can log in with 2FA, disenroll and use scratch codes to log in case you lose access to your Gitea account.

Here's a small taste of what you're looking at:

screenshot from 2017-01-09 17-46-18

@lunny lunny modified the milestones: 1.1.0, 1.x.x Jan 16, 2017
@lunny lunny closed this as completed Jan 16, 2017
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.
Projects
None yet
Development

No branches or pull requests

10 participants