Two Factor Authentication on Gitea

[gencer]

I couldn't find this request here so i made one.

As you might know, we deploy our secrets (means sources) in gitea/gogs. It will be super-awesome to get Two Factor Authentication besides normal password. There are plenty of implementation for 2FA and I am pretty sure Go has some kind of library out there (didn't looked up yet).

Possibly storing 2FA secret on a disk and an encrypted data on database will make it more secure. Perhaps secret in app.ini.

Can we at least make it happen in v1.0.0.

Personally, I am gonna feel more secure when 2FA is enabled.

[metalmatze]

Yesterday I thought about exactly this feature. I really want that too and would like to contribute to this as well. Has anyone tried any lib for 2fa in Go?

[thibaultmeyer]

It would be nice if U2F - FIDO Universal 2nd Factor Authentication will be implemented too. It allow usage of USB key rather than SMS / Mail. A GO library exists : https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

[gencer]

@0xBAADF00D this can be useful, yes, but, many people use a traditional way for 2FA -including me-. So at least for starting, we should have 2FA enabled. If we make generalize, im pretty sure that 2FA users are most.

Correct me If I am wrong.

[thibaultmeyer]

@gencer U2F FIDO is 2FA too, but it allow usage of an cryptographic USB Key. By exemple Github propose U2F FIDO or Token generated via "Authenticator" mobile app.

You can read more at https://help.github.com/articles/configuring-two-factor-authentication-via-fido-u2f/

We have just to keep in mind to get something modular with the possibility to add new 2FA methods in future

[tboerger]

But this won't get into 1.0.0 as this is a release that will be done pretty soon. Maybe we can integrate it for 1.1.0 or 1.2.0.

[lunny]

Yes, this should be enabled on admin panel. It should not be a default setting.

[strk]

Agreed this cannot be in 1.0.0. Open for 1.1+, as soon as a PR is ready :)

[stevenroose]

Might go good with #183

[mmoya]

FTR, a proof of concept for gogs/gogs#945 was posted to minecrafter/gogs@5cd2997.

[lunny]

@mmoya, Could you send a PR to Gitea?

[gencer]

@lunny as soon as PR accepted, I will try on brand new server with fresh config for better result and for one to the existing installation to see how its going on. I am preparing a new test server until PR accepted. (Otherwise, I will try target PR source myself)

[mmoya]

@lunny, I'll ask OP first. @minecrafter, are you willing to submit a PR to gitea with your 2fa proof-of-concept?

[minecrafter]

I'm assuming the only reason I was mentioned was because I did make this attempt to support 2FA from the parent project.

Unfortunately, I do not think I will have the time to continue working on projects like Gitea and Gogs. However, you are free to expand upon my initial work.

[minecrafter]

After getting some more background information, I might be willing to contribute two-factor authentication support to the project. I too have been a former Gogs contributor who was stalled by the maintainer.

[lunny]

@minecrafter you are welcome back!

[minecrafter]

@lunny Thanks! 👍

[minecrafter]

A little update on the progress I've made:

It's largely working. You can log in with 2FA, disenroll and use scratch codes to log in case you lose access to your Gitea account.

Here's a small taste of what you're looking at: