feat: add TOTP Two-Factor Authentication (2FA) Feature#3885


Open

KhashayarKhm wants to merge 6 commits into filebrowser:master from KhashayarKhm:feat/totp

Conversation

@KhashayarKhm commented Apr 30, 2025 (edited)

This PR implements Time-Based One-Time Password (TOTP) 2FA for FileBrowser, enhancing user security by requiring a verification code during login for users with 2FA enabled. It addresses multiple community requests for 2FA support.

Closes #286
Closes #1674
Closes #1827
Closes #2504
Closes #3371
Closes #3800

Description

The TOTP 2FA feature allows users to enable 2FA in their profile settings, scan a QR code or enter a Base32-encoded secret in an authenticator app (e.g., Google Authenticator), and verify codes at login. The flow is:

  1. Enable 2FA in Settings > Profile > 2FA section by entering the password and receiving a QR code or secret.
  2. Add the secret to an authenticator app.
  3. Verify a TOTP code to activate 2FA.
  4. On subsequent logins, enter a TOTP code after the password if 2FA is enabled.

Further comments

2FA could be handled by reverse proxies like oauth2-proxy or authelia, but this feature simplifies setup without requiring nginx/Apache knowledge.

New options

  • To enable TOTP, you must configure a 32-byte encryption key in your configuration file.
    Generate a cryptographically secure 32-byte Base64-encoded key with this command:

    openssl rand -base64 32

    Then add it to the config file:

    {
      "totp": {
        "encryption": {
          "key": "<32-byte-base64-encoded-string>"
        }
      }
    }
  • The TOTP token expiration (default: 2 minutes) defines the validity window after initial authentication. Configure this via:

    • totp-token-expiration-time option in cli
    • totp > token > expiration > time in config file

New dependencies

  • pquerna/otp on the back-end for TOTP handling
  • @scure/base on the front-end for base32 encoding of TOTP secret

Localization

Added phrases to en.json but not other languages. Seek community help to translate phrases.

Improvements

  1. Add rate limiting to /api/users/{id}/otp/check to prevent brute-force attacks.
  2. Implement backup codes for when the authenticator device is unavailable.
  3. Allow users to configure which routes require 2FA.

Documentation

While reviewing the documentation, I identified areas for improvement. Could you guide me to the documentation source (e.g., wiki repository) so I may submit updates?


🚨 Before submitting your PR, please indicate which issues are either fixed or closed by this PR. See GitHub Help: Closing issues using keywords.

  • DO make sure you are requesting to pull a topic/feature/bugfix branch (right side). Don't request your master!
  • DO make sure you are making a pull request against the master branch (left side). Also you should start your branch off our master.
  • DO make sure that File Browser can be successfully built. See builds and development.
  • AVOID breaking the continuous integration build.

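The PR description above names the two mechanisms it relies on without showing them: TOTP code verification at login, and a configured 32-byte key used to symmetrically encrypt each user's TOTP secret at rest. The following is an added illustration written for this page, not code from the PR or from FileBrowser (the PR itself uses the pquerna/otp library). It uses only the Go standard library, and it assumes AES-256-GCM as the symmetric scheme, since the PR does not state which one it uses; the function names (`hotp`, `totpAt`, `validateTOTP`, `loadTOTPKey`, `sealSecret`, `openSecret`, `secretForApp`) are hypothetical. The RFC 6238 test secret is the only sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	totpStep   = 30        // seconds per time step (RFC 6238 default)
	totpDigits = 6         // code length shown by authenticator apps
	totpMod    = 1_000_000 // 10^totpDigits
	totpSkew   = 1         // accept one step before/after "now" to tolerate clock drift
)

// hotp derives an RFC 4226 code (HMAC-SHA1 with dynamic truncation) for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, bin%totpMod)
}

// totpAt returns the code an authenticator app displays at unix time t (RFC 6238).
func totpAt(secret []byte, t int64) string {
	return hotp(secret, uint64(t/totpStep))
}

// validateTOTP checks a submitted code against the current step and its +/-totpSkew
// neighbours. Comparison is constant-time and the loop never exits early, so the
// response time does not reveal which digits matched or which step matched.
func validateTOTP(secret []byte, code string, now int64) bool {
	step := now / totpStep
	ok := false
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		if step+d < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+d))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// loadTOTPKey decodes the configured key (as produced by `openssl rand -base64 32`)
// and rejects anything that does not decode to exactly 32 bytes, i.e. an AES-256 key.
func loadTOTPKey(b64 string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("totp key is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, errors.New("totp key must decode to exactly 32 bytes")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts a raw TOTP secret with AES-256-GCM (assumed scheme) for storage
// in the user record; the random nonce is prepended to the ciphertext.
func sealSecret(key, secret []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// openSecret reverses sealSecret; a wrong key or a tampered blob fails authentication.
func openSecret(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// secretForApp renders a raw secret as unpadded Base32, the form authenticator apps accept.
func secretForApp(secret []byte) string {
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
}

func main() {
	// Constructed demo values: the RFC 6238 test secret and a freshly generated config key.
	rfcSecret := []byte("12345678901234567890")
	fmt.Println("code at t=59:", totpAt(rfcSecret, 59)) // RFC 6238 vector: 287082
	rawKey := make([]byte, 32)
	io.ReadFull(rand.Reader, rawKey)
	key, _ := loadTOTPKey(base64.StdEncoding.EncodeToString(rawKey))
	blob, _ := sealSecret(key, rfcSecret)
	plain, _ := openSecret(key, blob)
	fmt.Println("secret for app:", secretForApp(plain))
}
```

Two points follow from the code that the description only hints at. A skew of one step means a given code is accepted for roughly 90 seconds, which is why the description's first improvement, rate limiting on the check endpoint, matters: six digits over a 90-second window is a small search space without it. A server should also remember the last step at which a user's code was accepted and refuse to accept a code for that step again, so a code observed once cannot be replayed within its window.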
Commits:

  • add pquerna/otp package
  • add TOTP fields to User and Server structs
  • add TOTP common error
  • add symmetric (de)encryption and TOTP code validator function
  • add TOTP token expiration time default and update the GetTokenExpirationTime function in settings package
  • update loginResponse struct and loginHandler
  • add TOTPEnabled field to userInfo struct
  • add verifyTOTPHandler to verify TOTP codes
  • add withTOTP middleware
  • update getUserID and userGetHandler to remove TOTP fields like password
  • add userEnableTOTPHandler to initiate TOTP setup
  • add userGetTOTPHandler and userDisableTOTPHandler for management
  • add userCheckTOTPHandler to check TOTP setup
  • add OTP modal component with its css file
  • add Profile2FA component for 2FA section in settings page
  • add @scure/base package to encode OTP secrets in Base32, enabling alternative import options for authenticator apps
  • add new phrases to the en.json localization file
  • add OTP APIs
  • add OTP prompt to Login page
  • add Profile2FA to Profile page
KhashayarKhm changed the title from "Add TOTP Two-Factor Authentication (2FA) Feature" to "feat: Add TOTP Two-Factor Authentication (2FA) Feature" on Apr 30, 2025

@github-actions commented

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@Matinal111 commented

This is a nice feature, looking forward to its merge.

@MACFORNAME commented Jul 29, 2025 (edited)

When can this be merged? I'm looking forward to this feature.

@hacdias (Member) commented

@MACFORNAME this is quite a large feature and this project is currently in maintenance mode. To learn what it means, please check the readme and the linked resources: https://github.com/filebrowser/filebrowser#project-status

hacdias requested review from a team and removed the request for o1egl on November 14, 2025 16:43

hacdias changed the title from "feat: Add TOTP Two-Factor Authentication (2FA) Feature" to "feat: add TOTP Two-Factor Authentication (2FA) Feature" on Nov 14, 2025