twofactor_email's People

Contributors

andyxheli, archaichammer, christophwurst, dependabot-preview[bot], dependabot[bot], firlefunke, flow86, jensaymoo, morrisjobke, nursoda, oersen, rullzer, sadml, stszap, tpokorra, wiswedel

twofactor_email's Issues

Could be useful as easier text message 2FA (no SMS gateway required)

I just got SMS 2FA working on my Nextcloud instance. It wasn't too bad, but I had to sign-up for an SMS gateway service. I'm willing to spend the ten cents or so for each 2FA text because I have very few users and we rarely logout.

A lot of (most? all?) cell carriers allow for sending text messages to a phone by sending an email to a specific email address that incorporates the cell phone's number. For example, to send a text message to a phone on the at&t wireless network, you can send an email to [phone number]@txt.att.net. Verizon is similar: [phone number]@vtext.com. If the app could be configured to send authorization codes to one of these email addresses, it would be equivalent (I think) to SMS 2FA, without requiring any sort of gateway setup.

I see two enhancements that would facilitate this use case:

  1. Allow for specification of the 2FA email address, separate from the user's primary email address (essentially #177).
  2. Allow for customization of the actual email content so that it can be formatted (shortened? - I haven't actually seen what the current email looks like) for better text message appearance.

I don't think there would be any need to explicitly call out this use case. Just adding the necessary enhancements would allow people who are trying to set up SMS 2FA to figure it out. That's how I ended up installing this Nextcloud app; I thought, "Oh, maybe this email 2FA will let me email a text message." Alas, no - but so close.

Use in Nextcloud 15?

Hi Roeland,
is your app still in development and is it possible to use your app in Nextcloud 15 too?
Thanks a lot
Michael

Remove TOTP

There is no need for TOTP here. We can just generate an X char secret.

show email domain

Hi, @rullzer ! Great respect for your work. Very necessary thing.

I am confused by the inscription: "An access code has been sent to *******[email protected]"
Does such a hint make sense?
How safe is it?
And will it be possible in the future to customize the prompts yourself.
For a start, at least be able to hide it.

Sorry, if I was stupid.

Port v2 to @nextcloud/vue and use nextcloud/ocp

Derived from NC25 changes. Unclear if this is a "good idea" or even necessary, how much effort it is and what benefits there are. Needs to be discussed with package owners. Would not be necessary if the whole app functionality is rebased on twofactor_totp (see twofactor_email/v3). Same applies for the nextcloud/ocp dependency.

NC22 Support

Version 22 was just released. Thanks for considering.

Feature request: Force 2fa for all users but have an option to exclude specific groups

Hi,

in our case we need to be able to force 2fa to all users but to also have the option to exclude specific groups. Nextcloud does the same with their implemented 2fa.

Why force 2fa to all:
When dealing with large environments you will always have internal policies and local laws enforcing companies to implement security features. If you have 14000 users you can be sure that only half of them will enable 2fa on their own. Most of them will just ignore the 2fa and the rest won't even know it's there. The only solution to ensure that everyone is using it is by giving administrators the option to force it to everyone.

Why exclude specific groups:
We are running a large NC environment serving 14000 Enterprise Users. Not all of them are "real" users / persons. About 90% of all users are read from active directory using LDAP but not all of them have an email address / Exchange Mailbox. That's because we also use service accounts from within AD which are used to export and import data from SAP into Nextcloud and then back again from Nextcloud into other subsystems on other locations. Because all the automation and synchronization is done in the background there is no one logging into NC manually - that's where the exclude groups feature would really help.

Regards,
Jones

different email address for 2FA

Using the 2-factor email provider, I can see following security problem:
If the email account is compromised, an attacker would be able to request a password reset for the nextcloud account and with the same email address he can request the 2FA token. This would give the attacker easy access to the cloud system.

Can you add a feature that a different email address (than the standard address connected to the account), can be used for 2-factor email provider?

Enable flow

  1. On settings page have an enable button
  2. Some sanity checks are done against the configured e-mail
  3. E-mail with verification code is send to the user
  4. Enters code
  5. Provider gets really enabled

Future work:

  • Listen to e-mail changes
  • Act accordingly (what is that in this context :P)

Correctly theme buttons

Using default theme, buttons are blue. Buttons in twofactor_email still are gray:

This also applies to the buttons during the 2FA authentication phase (public pages?).

how to disable twofactor_email

Hello all,
My predecessor built this 2FA into the cloud. I updated to version 27 last week and now the 2FA no longer works. I wanted to deactivate the 2FA, but the cloud now complains that min one of my 2FA could not be loaded. In the config it says 'twofactor_enforced' => 'false', but I think it belongs to another 2FA method. Does anyone know how I can completely disable the 2FA so that at least the users can access their data again? Unfortunately, deactivating the app leads to the error message.

Thank you very much for an answer.

Disabling of twofactor_email does not work :-(

As Nextcloud 29 still does not allow installing the app, I went back to 28.0.5 and tried to disable 2-factor e-mail via

sudo -u http php82 -d memory_limit=1024M occ twofactorauth:disable 'myuser' email

But I get the error message:
The provider does not support this operation.

How can I get rid of 2-factor e-mail authentication completely until compatibility with v29 is available?

Feature: Disable for IP Range

Is it possible to disable the two-factor if the user is in lan ip range or enforce it if the user comes from outside this lan ip range? Some of my friends want to access our server from outside campus, but the server is basically a PC, it wouldn't hold against attacks.

Looking for solution for state machine edge case

Steps to reproduce:

  • enter email address in /settings/user
  • start registering for email verification in /settings/user/security (→ state CREATED)
  • delete email address from /settings/user
  • reload /settings/user/security → missing email address is shown (!isAvailable) → state should be reset to DISABLED
  • re-enter email address in /settings/user
  • reload /settings/user/security → another e-mail is sent upon first page load

We tried to fix it in src/components/GatewaySettings.vue (after line 81 at the end of mounted() ) like this

                // Catch user removing mail address while in state CREATED
                if (!this.isAvailable) {
                        this.state = STATE.DISABLED
                }

Didn't work. Why?

Make available in NC 19/20

I use this app "untested" in production NC19 since early betas, no issues. I just tested it in NC20b3 and there also no issue at all. – Why is it still marked "incompatible" for versions beyond NC18?

Allow remembered/trusted browser

One of the downsides of this add-on as-is is that every time you log in you must get and supply an email 2FA code.

Even more problematic (and I have not checked this out) is that a nextcloud desktop client uses a browser to authenticate and thus every time it would have to go through this step (I assume like every time you reboot the machine).

Further I wonder what happens with android/IOS apps?

Anyway not being able to "trust" devices is an issue that pretty much makes this otherwise good add-on a no-go for me. I can't see myself or my users being happy doing 2FA over and over on the same machine, same browser.

As I am sure many have seen it is possible to ask the user if they want to forgo further 2FA with that particular browser instance.

Personally at this time I don't know how that is coded but this post indicates that it uses a browser cookie.
https://stackoverflow.com/questions/41228238/asp-net-identity-with-2fa-list-of-trusted-browsers
https://apple.stackexchange.com/questions/352351/apples-2fa-and-the-notion-of-trusted-device-and-trusted-browser

So, I'd say this is another enhancement request and maybe you should add it to the list.

Please help me develop a two factor auth app

Hello, I'm trying to develop a very simple two factor auth app into Nextcloud.
At first, I just want a simple PHP code to do the authentication.

Here is a link for my Nextcloud Forums post, where I provide more information about my struggle: link.

Basically I just need a bare-bones minimal code base for such an app. Could you please help me?

Error if account has no email

If the user has no email in his account, GET /settings/user/security throws this error:

[index] Error: Exception: Argument 1 passed to OCA\TwoFactorEmail\EmailMask::maskEmail() must be of the type string, null given, called in /var/www/nextcloud/apps/twofactor_email/lib/Provider/State.php on line 80 at <<closure>>

0. /var/www/nextcloud/lib/private/AppFramework/App.php line 126
   OC\AppFramework\Http\Dispatcher->dispatch(OC\Settings\Cont ... {}, "index")
1. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
   OC\AppFramework\App::main("OC\\Settings\\C ... r", "index", OC\AppFramework\ ... {}, {section: "secur ... "})
2. <<closure>>
   OC\AppFramework\Routing\RouteActionHandler->__invoke({section: "secur ... "})
3. /var/www/nextcloud/lib/private/Route/Router.php line 297
   call_user_func(OC\AppFramework\ ... {}, {section: "secur ... "})
4. /var/www/nextcloud/lib/base.php line 1000
   OC\Route\Router->match("/settings/user/security")
5. /var/www/nextcloud/index.php line 42
   OC::handleRequest()
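
Added example, not the app's own EmailMask code: a JavaScript masking helper that returns null for a missing address instead of throwing on it (the failure mode in the trace above), and that can optionally hide the domain as well, which is the wish raised in the "show email domain" issue earlier on this page. The masking pattern (first character kept, rest replaced by asterisks) and the status texts are assumptions.

```javascript
// Added example of null-safe e-mail masking; not the app's own implementation.

// Returns the masked address, or null when no usable address is configured.
function maskEmail(email, { hideDomain = false } = {}) {
  if (typeof email !== 'string') return null;           // null / undefined: no address set
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;  // no local part or no domain
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  // Keep the first character of a part, replace the rest with asterisks.
  const maskPart = (s) => (s.length <= 1 ? '*'.repeat(s.length) : s[0] + '*'.repeat(s.length - 1));
  const shownDomain = hideDomain ? domain.split('.').map(maskPart).join('.') : domain;
  return `${maskPart(local)}@${shownDomain}`;
}

// The hint for the settings page. With no address the user is told to add one
// rather than the page failing with a type error.
function statusMessage(email, opts) {
  const masked = maskEmail(email, opts);
  if (masked === null) {
    return 'No e-mail address is configured for this account; add one before enabling e-mail verification.';
  }
  return `An access code has been sent to ${masked}`;
}

module.exports = { maskEmail, statusMessage };
```

The null case is handled at the masking function itself rather than at each caller, so the state object that builds the page cannot pass an unset address through to a type-checked string parameter.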

WebDav & Two Factor Authentication

Hello,

I use a WebDav explorer (Hopic Explorer in this case) and I don't know how two factor authentication should be handled.
Is it up to the explorer to manage it?
Anyway. I can't connect to the Nextcloud when two-factor authentication is enabled, it's probably not up to the application to handle that, but I'm asking here in doubt.

Would there be a way to log the explorer despite this double authentication?

(By the way, thank you very much for this application which allows really simply to enable two factor authentication :) Thanks to you!)

Disallow non-administrator users from enabling/disabling two-factor email authentication

Hi guys, I would like to ask if it is possible to block non-administrator users from disabling two-factor email authentication.
The idea is that after the first boot, users enable authentication, but once this is done, they can no longer disable it again.
I would need the only user who could disable it to be a user with administrator permissions.
Does anyone know if this is possible?

Add an arrow on code enter window

Hello
A simple enhancement:
Please add a -> arrow on the code enter window.
Of course you can enter the code and "hit" the enter-key.
But a button to click would be nice and takes away the confusion about how to log in. :-)
Something like that for example (or a button on the bottom of the code enter window named "Login"):

Thanks a lot for this great app

2FA Setup with Domain-Users

Dear all,

our Nextcloud is attached to our Windows Domain and the users will be created automatically. I read some issues here about the first setup/first login of 2FA-Email and I had the same problems as e.g. in the Issue #83.

I know and understand that this app is limited and does not really implement this feature but maybe somebody can give me a workaround.

My goal:

I want to enforce 2FA-Mail OR i want to check that every user has 2FA activated (both can be done by a script from my side, e.g. Bash, SQL, php, etc.)

  1. Possible solution: If I force enabling 2FA, nobody can log in because 2FA is not enabled and set up by any user. How can I as admin set up the 2FA (maybe directly in the database etc.) in the background for each user?
  2. Possible solution: If I do not enforce 2FA, I want to check (e.g. every hour) that every user has 2FA enabled. How can I do this?

Has anybody a tip for me where to find this information?

Best regards

Rainer

Explanation text and enable button are not displayed in IE11

Steps to reproduce

  1. Install and enable the "twofactor_email 1.0.1" APP.
  2. Open Security of Personal Settings Page.
  3. Confirm that the description is not displayed and that the enable button is not displayed.

Expected behaviour

Even when displayed on IE11, the explanation and enable button are displayed.

Actual behaviour

In IE11, explanation text and button are not displayed. It is displayed correctly in Google Chrome etc.

Server configuration

Operating system: CentOS7

Web server: Nginx

Database: MariaDB

PHP version: 7.3

Nextcloud version: Nextcloud 17.0.1

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: Install from tarball package on nextcloud.com

List of activated apps:

App list
Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - admin_audit: 1.7.0
  - bruteforcesettings: 1.5.0
  - calendar: 2.0.2
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - dav: 1.13.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_pdfviewer: 1.6.0
  - files_rightclick: 0.15.1
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - gallery: 18.4.0
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - nextcloud_announcements: 1.6.0
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - password_policy: 1.7.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - recommendations: 0.5.0
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - text: 1.1.1
  - theming: 1.8.0
  - twofactor_backupcodes: 1.6.0
  - twofactor_email: 1.0.1
  - updatenotification: 1.7.0
  - user_ldap: 1.7.0
  - viewer: 1.2.0
  - workflowengine: 1.7.0
Disabled:
  - encryption
  - files_external
  - twofactor_totp

Nextcloud configuration:

Config report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "172.16.204.65",
            "nc_17.0.1"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "17.0.1.1",
        "overwrite.cli.url": "https:\/\/nc_17.0.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
    }
}

Client configuration

Browser: Internet Explorer 11 (ver11.719.18362.0)

Operating system: Windows10

Problem while new Users!

The authentication is activated for all users, but you can't log in because the email address is not verified for the authentication.

Workflows are referencing vulnerable actions

Hello, there!

As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.

Please note that there could be some false positives in our methodology, thus not all of the open issues could be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu

Thanks in advance

  1. The workflow lint.yml is referencing action shivammathur/setup-php using references v1. However this reference is missing the commit 7163319 which may contain fix to the vulnerability.

The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.

If you end up updating the reference, please let us know. We need the stats for the paper :-)

No submit icon in verification dialog (regression)

Hello,
today I updated the app to the latest version 2.1.1 and I've immediately noticed that the submit button is no more appearing (see screenshot below).
I can login by filling in the code and followed by pressing the enter key but most of my users are stuck and can't log in to nextcloud.
When I upgraded the app I was initially running nextcloud 21.03, now I've upgraded to the last 22.2.3 hoping that it could fix the problem but nothing changed.
I removed all my css customizations, I'm not running any other exotic app.
Do you by chance have a suggestion or an idea about how I could fix this problem?
Thank you!

App won't enable

The app installed ok, but when I click the button to enable email 2FA it doesn't activate it and the "enable" button just reappears. Is there a known issue that would cause this to happen or a fix for it?

I've tried removing and reinstalling but the same thing happens.

Thanks

Push the button "Enable" doesn't work

Email verification

The server can send authentication codes to your email address.
You are not using Email as a two-factor authentication method at the moment. "Enable"

I push the button "enable", but it did not function! No 2FA email would be sent!

How to disable email provider for all users?

Hi all,

we need to update our nextcloud instance from 25.0.13 to 26.0.10. After the update, all users having the email 2fa provider cannot log in any more. The E-Mail is not sent.

I even disabled and deleted the app... After that, during login nextcloud is complaining about a missing 2fa provider.

The translation is:

At least one of your 2fa providers could not be loaded. Contact your admin.

2fa is mandatory, but is not configured for your account. Use your Backup Codes or ask your admin for advice...

We don't have mandatory 2fa...

Any hints?

Thank you very much...

Kind regards

Alex

Review and implement Changes for NC26…28

Review "Changes for developers" for NC26 and NC27 and implement changes if necessary or best practice. Version 2.7.2 released to bump max-version to NC26 (and subsequent version bumps to NC27 and NC28) ignored these!

Allow admins to enable twofactor_email for existing users

At least via OCC (in the twofactorauth and/or twofactor_email namespace), ideally also via web interface.

Currently, there's only this occ command:

$ occ twofactorauth:disable USER email
The provider does not support this operation.
$ occ twofactorauth:enable USER email
The provider does not support this operation.
