Issue #753

Created Mar 12, 2019 by gordon (@gordon, Contributor). 0 of 3 tasks completed.

Add Two-Factor Authentication methods

Nowadays, two-factor auth (2FA) is quite important for web services. It can prevent a large number of privacy violations (unauthorized access to an account), elevation of privileges, and attacks like phishing, or even Person in the Middle with more advanced methods like U2F. Funkwhale is using Django, which is a common web framework with a very active community. So, I think adding 2FA methods should be an important improvement, and should also be easy to do, since there are community-driven Django 2FA apps.

So, I suggest adding support for the Django-2FA project in Funkwhale. But doing so would break current authentication schemes. For example, if there are Funkwhale clients (as far as I know, there is only the Funkwhale CLI client and the Mopidy plugin), setting a hardcoded login+password in the configuration file will not be enough (it's also a bad security practice to write down a user password), so implementing a client authentication method should be a dependency of this feature (#752 (closed)).

Steps:

  • Implement Django-2FA in backend
  • Implement REST endpoints if Django-2FA does not provide them (GET 2FA state for a user, for example)
  • Create VueJS views for 2FA (second authentication step, 2FA methods management pages)