
nodebb-plugin-2factor's Introduction

NodeBB


NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. NodeBB takes the best of the modern web: real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format → categorical hierarchies, local user accounts, and asynchronous messaging.

NodeBB by itself contains a "common core" of basic functionality, while additional functionality and integrations are enabled through the use of third-party plugins.

Screenshots

NodeBB's theming engine is highly flexible and does not restrict your design choices. Check out some themed installs in these screenshots below:

Our minimalist "Harmony" theme gets you going right away, no coding experience required.

Rendering of a NodeBB install on desktop and mobile devices

How can I follow along/contribute?

  • If you are a developer, feel free to check out the source and submit pull requests. We also have a wide array of plugins which would be a great starting point for learning the codebase.
  • If you are a designer, NodeBB needs themes! NodeBB's theming system allows extension of the base templates as well as styling via SCSS or CSS. NodeBB's base theme utilizes Bootstrap 5 as a frontend toolkit.
  • If you know languages other than English you can help us translate NodeBB. We use Transifex for internationalization.
  • Please don't forget to like, follow, and star our repo! Join our growing community to keep up to date with the latest NodeBB development.

Requirements

NodeBB requires the following software to be installed:

  • Node.js version 16 or greater (installation/upgrade instructions)
  • MongoDB, version 3.6 or greater, or Redis, version 2.8.9 or greater
  • If you are using clustering, you need Redis installed and configured.
  • nginx, version 1.3.13 or greater (only if intending to use nginx to proxy requests to NodeBB)

Installation

Please refer to platform-specific installation documentation. If installing via the cloud (or using Docker), please see cloud-based installation documentation.

Securing NodeBB

It is important to ensure that your NodeBB and database servers are secured. Bear these points in mind:

  1. While some distributions set up Redis with a more restrictive configuration, Redis by default listens on all interfaces, which is especially dangerous when a server is open to the public. Some suggestions:
    • Set bind_address to 127.0.0.1 so as to restrict access to the local machine only
    • Use requirepass to secure Redis behind a password (preferably a long one)
    • Familiarise yourself with Redis Security
  2. Use iptables to secure your server from unintended open ports. On Ubuntu, ufw provides a friendlier interface for working with iptables.
    • e.g. if your NodeBB is proxied, no ports should be open except 80 (and possibly 22, for SSH access)
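An added check for the two Redis points above; this is not NodeBB's code, the function names and both sample configs are constructed, and the README's Redis Security link covers the remaining settings. In redis.conf the directive the text calls bind_address is spelled `bind`.

```javascript
// Added example (not NodeBB's code): audit a redis.conf against the advice in
// "Securing NodeBB" (bind to 127.0.0.1, set a long requirepass).
const WEAK_CONF = `# constructed sample: a default-style config that exposes the server
# bind 127.0.0.1
port 6379
protected-mode no
`;

const HARDENED_CONF = `# constructed sample: what the README recommends
bind 127.0.0.1
port 6379
protected-mode yes
requirepass correct-horse-battery-staple-long-enough-for-redis
`;

// Parse "directive value..." lines, skipping blanks and comments.
// The last occurrence of a directive wins, which matches how Redis reads the file.
function parseRedisConf(text) {
  const conf = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const [key, ...rest] = line.split(/\s+/);
    conf[key.toLowerCase()] = rest.join(' ');
  }
  return conf;
}

// Return a list of findings; an empty list means the README's points are satisfied.
function auditRedisConf(text, minPasswordLength = 32) {
  const conf = parseRedisConf(text);
  const findings = [];
  const bind = conf.bind;
  if (!bind) {
    findings.push('no bind directive: Redis listens on all interfaces');
  } else if (bind.split(/\s+/).some(a => a === '0.0.0.0' || a === '*' || a === '::')) {
    findings.push(`bind ${bind}: still reachable from other hosts`);
  }
  if (conf['protected-mode'] === 'no') {
    findings.push('protected-mode no: Redis will answer unauthenticated remote clients');
  }
  if (!conf.requirepass) {
    findings.push('no requirepass: anyone who can reach the port can issue commands');
  } else if (conf.requirepass.length < minPasswordLength) {
    findings.push(`requirepass is only ${conf.requirepass.length} characters; use a long random one`);
  }
  return findings;
}

for (const [name, conf] of [['weak', WEAK_CONF], ['hardened', HARDENED_CONF]]) {
  console.log(name, auditRedisConf(conf));
}
```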

Upgrading NodeBB

Detailed upgrade instructions are listed in Upgrading NodeBB.

License

NodeBB is licensed under the GNU General Public License v3 (GPL-3) (http://www.gnu.org/copyleft/gpl.html).

Interested in a sublicense agreement for use of NodeBB in a non-free/restrictive environment? Contact us at [email protected].

More Information/Links


nodebb-plugin-2factor's Issues

Hook `filter:user.profileLinks` is deprecated, please use `filter:user.profileMenu` instead.

3/12 14:49 [60] - info: Time: Sat Dec 03 2016 14:49:02 GMT+0100 (CET)
3/12 14:49 [60] - info: Initializing NodeBB v1.4.0
3/12 14:49 [60] - info: initializing NodeBB ...
video started
3/12 14:49 [60] - warn: [plugins/nodebb-plugin-2factor] Hook `filter:user.profileLinks` is deprecated, please use `filter:user.profileMenu` instead.

Everything seems to work but I figured this would be good to know.

compatibility string needs updating

Plugin uses async functions from core which aren't added until 1.13.x, installing on nodebb 1.12.0 causes a crash.

undefined Error: test
at Object.module.isObjectField (/home/nodebb/forum/nodebb/src/database/mongo/hash.js:156:32)
at Object.plugin.hasKey (/home/nodebb/forum/nodebb/node_modules/nodebb-plugin-2factor/library.js:107:35)
at Object.plugin.checkSocket [as method] (/home/nodebb/forum/nodebb/node_modules/nodebb-plugin-2factor/library.js:196:19)
at /home/nodebb/forum/nodebb/src/plugins/hooks.js:172:14
at /home/nodebb/forum/nodebb/node_modules/async/dist/async.js:3110:16
at eachOfArrayLike (/home/nodebb/forum/nodebb/node_modules/async/dist/async.js:1069:9)
at eachOf (/home/nodebb/forum/nodebb/node_modules/async/dist/async.js:1117:5)
at Object.eachLimit (/home/nodebb/forum/nodebb/node_modules/async/dist/async.js:3172:5)
at fireStaticHook (/home/nodebb/forum/nodebb/src/plugins/hooks.js:161:9)
at Object.Plugins.fireHook (/home/nodebb/forum/nodebb/src/plugins/hooks.js:111:4)

https://community.nodebb.org/topic/14679/error-while-restarting-the-forum-after-several-plugin-update

down work :/

/api/user/revunix/2factor Not Found
You seem to have stumbled upon a page that does not exist. Return to the home page.

I don't know, hmm ;/

Internationalisation

Hello,
It would be great to add internationalization support for non-English users.

Support webauthn

WebAuthn is one of the components of FIDO2, a successor to U2F, that allows websites to use hardware authenticators as a second factor or even as the only factor (either passwordless or by storing resident keys, even without the need for usernames).

Implementing it as a second factor here would allow for use of more secure and convenient hardware security keys like Yubikey or Solokey and additionally for use of biometrics integrated in current devices (I believe Windows Hello supports this and Android offered some platform authentication capabilities too, but I think there were some additional steps in implementation of the Android version).

I believe that integrating it with this plugin would be better than doing it separately, because users could have one interface for 2FA setup and be able to set up both webauthn and code based 2FA and switch between them at login.

Only for users in certain groups

Is it possible for this plugin to only work for users in certain groups? I would like for my admins/moderators to need 2fa but not my normal users.

log warn

warn: [deprecated] User.getMultipleUserFields is deprecated please use User.getUsersFields"

Why does it get such a notice?

Error executing 'static:sockets.validateSession' in plugin 'nodebb-plugin-2factor'

After adding 2FA for the admin account, I get this error every time I log in.
This is the repo: https://github.com/boydaihungst/nodebb-error
I use this command to start: docker-compose up --build

mio-translator-forum_1  | 2021-11-19T04:58:07.405Z [4567/70] - error: [plugins] Error executing 'static:sockets.validateSession' in plugin 'nodebb-plugin-2factor'
mio-translator-forum_1  | Error: [[2factor:second-factor-required]]
mio-translator-forum_1  |     at plugin.checkSocket (/usr/src/app/node_modules/nodebb-plugin-2factor/library.js:210:9)
mio-translator-forum_1  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
mio-translator-forum_1  |     at async Object.fireStaticHook [as static] (/usr/src/app/src/plugins/hooks.js:209:5)
mio-translator-forum_1  |     at async Hooks.fire (/usr/src/app/src/plugins/hooks.js:105:17)
mio-translator-forum_1  |     at async validateSession (/usr/src/app/src/socket.io/index.js:210:17)
mio-translator-forum_1  |     at async onConnect (/usr/src/app/src/socket.io/index.js:88:3)
mio-translator-forum_1  | 2021-11-19T04:58:07.408Z [4567/70] - error: uncaughtException: [[2factor:second-factor-required]]
mio-translator-forum_1  | Error: [[2factor:second-factor-required]]
mio-translator-forum_1  |     at plugin.checkSocket (/usr/src/app/node_modules/nodebb-plugin-2factor/library.js:210:9)
mio-translator-forum_1  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
mio-translator-forum_1  |     at async Object.fireStaticHook [as static] (/usr/src/app/src/plugins/hooks.js:209:5)
mio-translator-forum_1  |     at async Hooks.fire (/usr/src/app/src/plugins/hooks.js:105:17)
mio-translator-forum_1  |     at async validateSession (/usr/src/app/src/socket.io/index.js:210:17)
mio-translator-forum_1  |     at async onConnect (/usr/src/app/src/socket.io/index.js:88:3) {"date":"Fri Nov 19 2021 04:58:07 GMT+0000 (Coordinated Universal Time)","error":{},"exception":true,"os":{"loadavg":[1.1,0.71,0.74],"uptime":673444.95},"process":{"argv":["/usr/local/bin/node","/usr/src/app/app.js"],"cwd":"/usr/src/app","execPath":"/usr/local/bin/node","gid":1000,"memoryUsage":{"arrayBuffers":18370131,"external":22945963,"heapTotal":120328192,"heapUsed":75774488,"rss":175878144},"pid":70,"uid":1000,"version":"v16.13.0"},"stack":"Error: [[2factor:second-factor-required]]\n    at plugin.checkSocket (/usr/src/app/node_modules/nodebb-plugin-2factor/library.js:210:9)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at async Object.fireStaticHook [as static] (/usr/src/app/src/plugins/hooks.js:209:5)\n    at async Hooks.fire (/usr/src/app/src/plugins/hooks.js:105:17)\n    at async validateSession (/usr/src/app/src/socket.io/index.js:210:17)\n    at async onConnect (/usr/src/app/src/socket.io/index.js:88:3)","trace":[{"column":9,"file":"/usr/src/app/node_modules/nodebb-plugin-2factor/library.js","function":"plugin.checkSocket","line":210,"method":"checkSocket","native":false},{"column":5,"file":"node:internal/process/task_queues","function":"processTicksAndRejections","line":96,"method":null,"native":false},{"column":5,"file":"/usr/src/app/src/plugins/hooks.js","function":"async Object.fireStaticHook [as static]","line":209,"method":"fireStaticHook [as static]","native":false},{"column":17,"file":"/usr/src/app/src/plugins/hooks.js","function":"async Hooks.fire","line":105,"method":"fire","native":false},{"column":17,"file":"/usr/src/app/src/socket.io/index.js","function":"async validateSession","line":210,"method":null,"native":false},{"column":3,"file":"/usr/src/app/src/socket.io/index.js","function":"async onConnect","line":88,"method":null,"native":false}]}


Error executing 'static:app.load'

Hello,

I got this error:

[plugins] Error executing 'static:app.load' in plugin 'nodebb-plugin-2factor'
Error: Route.get() requires callback functions but got a [object Undefined]
    at Route.(anonymous function) [as get] (/var/www/nodebb/node_modules/express/lib/router/route.js:196:15)
    at Function.proto.(anonymous function) [as get] (/var/www/nodebb/node_modules/express/lib/router/index.js:510:19)
    at Object.helpers.setupPageRoute (/var/www/nodebb/src/routes/helpers.js:8:9)
    at Object.plugin.init [as method] (/var/www/nodebb/node_modules/nodebb-plugin-2factor/library.js:25:14)
    at /var/www/nodebb/src/plugins/hooks.js:133:14
    at /var/www/nodebb/node_modules/async/lib/async.js:122:13
    at _each (/var/www/nodebb/node_modules/async/lib/async.js:46:13)
    at Object.async.each (/var/www/nodebb/node_modules/async/lib/async.js:121:9)
    at fireStaticHook (/var/www/nodebb/src/plugins/hooks.js:122:9)
    at Object.Plugins.fireHook (/var/www/nodebb/src/plugins/hooks.js:68:5)

My system information:

Node.js: 0.10.40
NPM: 1.4.28
OS: Debian
NodeBB: 0.7.1

I saw in the sources that the plugin is compatible with version 0.7.2.
Can you try to fix it for version 0.7.1, please?

Disregard spaces in TOTP input field

via @NavyStack:

Some applications use a space character when presenting a 6-digit number. For instance, 123456 may appear as 123 456 when copied to the clipboard.
Given the increasing prevalence of users utilizing this feature via a browser extension plugin, I believe enhancing the user experience by disregarding space characters and accepting numbers solely would be beneficial.

tries using connect-ensure-login from core

021-03-14T02:51:52.591Z [4570/8085] - error: Error: Cannot find module 'connect-ensure-login'
Require stack:

  • /home/nodebb/community.nodebb.org/require-main.js
  • /home/nodebb/community.nodebb.org/app.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:892:15)
    at Function.Module._load (internal/modules/cjs/loader.js:742:27)
    at Module.require (internal/modules/cjs/loader.js:964:19)
    at require (internal/modules/cjs/helpers.js:88:18)
    at Module.require.main.require (/home/nodebb/community.nodebb.org/require-main.js:8:10)
    at Object. (/home/nodebb/community.nodebb.org/node_modules/nodebb-plugin-2factor/library.js:5:31)
    at Module._compile (internal/modules/cjs/loader.js:1075:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1096:10)
    at Module.load (internal/modules/cjs/loader.js:940:32)
    at Function.Module._load (internal/modules/cjs/loader.js:781:14)

Crash on 2fa login to admin panel

After the latest upgrade of nodebb to v2.4.4 the 2fa login (v5.0.2) crashes with the following error:

Aug 19 15:47:18 TypeError: Cannot set properties of undefined (setting 'datetime')
Aug 19 15:47:18 at /run/nodebb/node_modules/nodebb-plugin-2factor/library.js:47:29
Aug 19 15:47:18 at Layer.handle [as handle_request] (/run/nodebb/node_modules/express/lib/router/layer.js:95:5)
Aug 19 15:47:18 at next (/run/nodebb/node_modules/express/lib/router/route.js:144:13)
Aug 19 15:47:18 at complete (/run/nodebb/node_modules/passport/lib/middleware/authenticate.js:271:13)
Aug 19 15:47:18 at /run/nodebb/node_modules/passport/lib/middleware/authenticate.js:278:15
Aug 19 15:47:18 at pass (/run/nodebb/node_modules/passport/lib/authenticator.js:428:14)
Aug 19 15:47:18 at Authenticator.transformAuthInfo (/run/nodebb/node_modules/passport/lib/authenticator.js:450:5)
Aug 19 15:47:18 at /run/nodebb/node_modules/passport/lib/middleware/authenticate.js:275:22
Aug 19 15:47:18 at /run/nodebb/node_modules/passport/lib/http/request.js:41:7
Aug 19 15:47:18 at /run/nodebb/node_modules/passport/lib/sessionmanager.js:51:9

Basically req.session.meta is undefined at that point.

Chat viewable on 2FA Screen

As shown below you can access chats while on the 2FA Screen, this exposes some account information before being properly authenticated. Thoughts?


Email verification broken for accounts with 2FA

NodeBB version

v3.2.3

NodeBB git hash

b06d3e63cbdd0f00aed73dd8550221e5ee48ba2f

NodeJS version

v18.16.0

Installed NodeBB plugins

Database type

MongoDB

Database version

v6.0.4

Exact steps to cause this issue

  1. Have the Require new users to specify an email address setting disabled
  2. Register a new user (not verifying email), set up 2FA and logout
  3. Enable the Require new users to specify an email address setting
  4. Login with the new user (redirects to /register/complete)
  5. Attempt to open verification link from email

What you expected

The email to be verified, and redirected to the home page.

What happened instead

Gets endlessly stuck at /register/complete, and the following error in console:

2023-08-09T21:26:48.264Z [4567/26040] - error: [plugins] Error executing 'static:sockets.validateSession' in plugin 'nodebb-plugin-2factor'
Error: [[2factor:second-factor-required]]
    at plugin.checkSocket (-snip-\NodeBB-3\node_modules\nodebb-plugin-2factor\library.js:377:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.fireStaticHook [as static] (-snip-\NodeBB-3\src\plugins\hooks.js:236:5)
    at async Hooks.fire (-snip-\NodeBB-3\src\plugins\hooks.js:132:17)
    at async validateSession (-snip-\NodeBB-3\src\socket.io\index.js:248:2)
    at async onConnect (-snip-\NodeBB-3\src\socket.io\index.js:109:3)

Anything else?

The bug seems to happen when a user that has configured 2FA previously (at a time when email verification wasn't required) tries to verify their email address, and their session hasn't passed 2FA, i.e. the session doesn't have tfa: true. This can happen very naturally if an old user attempts to login, finds their email is unverified on login and then tries to validate it.

It doesn't seem to happen when the user already has at least one verified email ('email:confirmed': 1), like when changing it, since the forum can be used like normal, and the 2FA prompt is shown on login, properly elevating the session. I'd assume the bug lies here, and that 2FA should be challenged before /register/complete.

Clicking the link in an unauthenticated session ironically works as expected, so that's a workaround until fixed 😁.

Error when entering an incorrect 2FA code

If you enter an incorrect 2FA code you get this error. Entering the correct code and everything works.
NodeBB v1.16.2.

Internal Error.
Oops! Looks like something went wrong!
/login/2fa
Cannot read property 'startsWith' of undefined

Error: ENOENT: no such file or directory, open

Missing translation "2factor:title"
Missing translation "2factor:title"
2018-03-02T23:44:27.257Z [3194] - error: /assets/templates/admin/plugins/2factor.js
Error: ENOENT: no such file or directory, open '/var/www/NodeBB/build/public/templates/admin/plugins/2factor.tpl'
at Error (native)
Missing translation "2factor:title"
Missing translation "2factor:title"
Missing translation "2factor:title"
Missing translation "2factor:title"
Missing translation "2factor:title"
Missing translation "2factor:title"

I used NodeBB v1.7.5.

/user/<xyz>/2factor Access Denied

Got "Access Denied" and "You seem to have stumbled upon a page that you do not have access to." when different user accessed my NodeBB 3.7.2 site.

In one case, it is a user in the "Global Moderator" group, on which I just turned on enforced 2FA, but the user does not have 2FA set up yet. That user seems to be forced to visit /user//2factor no matter what the route is.

Another case is a user not in any group but does have 2FA set up. In this case, user2 can log in, and browse around. Just /user//2factor would give an Access Denied.

error in clearSession

11/8 18:14 [29190] - error: [plugins] Error executing 'static:user.loggedOut' in plugin 'nodebb-plugin-2factor'
11/8 18:14 [29190] - error:  TypeError: Cannot convert undefined or null to object
    at Object.plugin.clearSession [as method] (/home/nodebb/community.nodebb.org/node_modules/nodebb-plugin-2factor/library.js:191:17)
    at /home/nodebb/community.nodebb.org/src/plugins/hooks.js:156:14
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:181:20
    at Object.async.forEachOf.async.eachOf (/home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:233:13)
    at Object.async.forEach.async.each (/home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:209:22)
    at fireStaticHook (/home/nodebb/community.nodebb.org/src/plugins/hooks.js:145:9)
    at Object.Plugins.fireHook (/home/nodebb/community.nodebb.org/src/plugins/hooks.js:91:5)
    at /home/nodebb/community.nodebb.org/src/controllers/authentication.js:392:12
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:726:13
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:52:16
    at done (/home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:246:17)
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:44:16
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:723:17
    at /home/nodebb/community.nodebb.org/node_modules/async/lib/async.js:167:37
    at done (/home/nodebb/community.nodebb.org/src/database/mongo/sorted.js:65:4)
    at handleCallback (/home/nodebb/community.nodebb.org/node_modules/mongodb/lib/utils.js:96:12)

Challenge page shows a couple error toaster alerts

7ec5009 introduced the ability to restrict websocket messages from being parsed if the second factor was required but not verified.

In practice nothing changes, except for the challenge page, which is really the only time socket calls are made but the challenge hasn't been answered, hence the error is shown.


Missing abort button on 2fa choices screen

Used to be you were logged in, but access was denied unless challenge was passed. Now as of v7 of this plugin, you are not logged in at all.

Which leaves us in a situation where you can be challenged, but can't back out of it.

QR code API shut down

Using chart.googleapis.com is no longer viable as the service has been shut down.

Unable to disable 2FA

I can't disable 2FA on community.nodebb.org, so I can't re-enable it on a new device.

Not working with Microsoft Authenticator

When I try to scan the code in, it says "The code you scanned does not contain valid account and key data."

My account name comes up in the field in the app however it has issues getting the secret key. I'm running the latest plugin (1.1.7) and nodebb version (0.9.3).

Should admin lock out timer also reset 2fa?

Feels slightly weird to get prompted to re-login but no 2fa anyway (that said I notice a lot of sites are like this ex. DO, though not all)

The password is likely autofilled as well so it's basically an exercise in pressing a button to log back in, what's the point :P

Some sort of hasSolvedTFA: 30 days kinda option in ACP maybe?

Backup codes - 403

nodebb-plugin-2factor: 1.1.0
Nodebb : v0.8.2

When we try to generate backup codes the ajax put request is erroring with a 403 ( forbidden ).

Allow for multiple concurrent second factors

Right now the code only checks to see if a second factor is set up, but does not allow multiple factors to be set up as the second factor.

The logic is simply: if account contains a webauthn public key, use webauthn, otherwise present totp challenge (if neither, then it's skipped, naturally).

Ideally would present user with all of their registered additional factors. Settings page should also allow for the registration of additional keys, or TOTP, in addition to just generating backup codes.

@oplik0 expressed some interest in playing with this, but it is actually quite a large task with some housekeeping involved 😬

Admin panel access

Hello,

While the system is asking us for the token, we can access the admin panel.
Is there any way to disallow this access while the 2factor authentication is in progress?

Thank you.

static:user.loggedOut

[plugins/nodebb-plugin-2factor] Hook action:user.loggedOut is deprecated, please use static:user.loggedOut instead.

Cannot change language automatically

I translated it to Chinese by following translate.md, but it still shows the English version in my Chinese NodeBB.

But I got it working by changing "defaultLang" in plugin.json to zh_CN...

So how can I make it change language automatically?
