feat: add TOTP Two-Factor Authentication (2FA) Feature #3885
KhashayarKhm wants to merge 6 commits into filebrowser:master from
- add pquerna/otp package
- add TOTP fields to User and Server structs
- add TOTP common error
- add symmetric (de)encryption and TOTP code validator function

- add TOTP token expiration time default and update the GetTokenExpirationTime function in settings package
- update loginResponse struct and loginHandler
- add TOTPEnabled field to userInfo struct
- add verifyTOTPHandler to verify TOTP codes
- add withTOTP middleware
- update getUserID and userGetHandler to remove TOTP fields like password
- add userEnableTOTPHandler to initiate TOTP setup
- add userGetTOTPHandler and userDisableTOTPHandler for management
- add userCheckTOTPHandler to check TOTP setup

- add OTP modal component with its css file
- add Profile2FA component for 2FA section in settings page
- add @scure/base package to encode OTP secrets in Base32, enabling alternative import options for authenticator apps
- add new phrases to the en.json localization file

- add OTP APIs
- add OTP prompt to Login page
- add Profile2FA to Profile page
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

This is a nice feature, looking forward to its merge.
When can this be merged? I'm looking forward to this feature.
@MACFORNAME this is quite a large feature and this project is currently in maintenance mode. To learn what it means, please check the readme and the linked resources: https://github.com/filebrowser/filebrowser#project-status
We know it's in maintenance mode! |
I'd like to add this, but it's gotten a bit out of date. If someone wants to rebase this, I will look at it then.
Over the past months, I've realized I don't have enough time to review new features, especially quite large ones. Sadly, I need to mark this PR. Read more on https://hacdias.com/2026/03/11/filebrowser/
I urgently need this feature to enhance our system's security, as we are deployed on the public network.
Status on this? This is the only function missing |
This PR implements Time-Based One-Time Password (TOTP) 2FA for FileBrowser, enhancing user security by requiring a verification code during login for users with 2FA enabled. It addresses multiple community requests for 2FA support.
Closes #286
Closes #1674
Closes #1827
Closes #2504
Closes #3371
Closes #3800
Description
The TOTP 2FA feature allows users to enable 2FA in their profile settings, scan a QR code or enter a Base32-encoded secret in an authenticator app (e.g., Google Authenticator), and verify codes at login. The flow is:
Further comments
2FA could be handled by reverse proxies like oauth2-proxy or authelia, but this feature simplifies setup without requiring nginx/Apache knowledge.
New options
To enable TOTP, you must configure a 32-byte encryption key in your configuration file.
Generate a cryptographically secure 32-byte Base64-encoded key with this command:
```json
{
  "totp": {
    "encryption": {
      "key": "<32-byte-base64-encoded-string>"
    }
  }
}
```
The TOTP token expiration (default: 2 minutes) defines the validity window after initial authentication. Configure this via:
- totp-token-expiration-time option in the CLI
- totp > token > expiration > time in the config file
New dependencies
- pquerna/otp on the back-end for TOTP handling
- @scure/base on the front-end for base32 encoding of the TOTP secret
Localization
Added phrases to en.json but not other languages. Seek community help to translate phrases.
Improvements
- /api/users/{id}/otp/check to prevent brute-force attacks.
Documentation
While reviewing the documentation, I identified areas for improvement. Could you guide me to the documentation source (e.g., wiki repository) so I may submit updates?
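As an added illustration of what the PR's code validator and Base32 secret export described above boil down to, here is a standard-library Go version (this is not code from the PR or from pquerna/otp, which the back-end uses; newSecret, totpCode and validateCode are names chosen for this example):

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
)

// newSecret returns 20 random bytes (the HMAC-SHA1 output size recommended by
// RFC 4226) plus the unpadded Base32 form that goes into the QR code or that
// the user types into the authenticator app.
func newSecret() ([]byte, string, error) {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return nil, "", err
	}
	return secret, base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret), nil
}

// totpCode is RFC 6238 with HMAC-SHA1, 30-second steps and six digits, the
// defaults every common authenticator app uses.
func totpCode(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// validateCode accepts the current step plus one step either side for clock
// drift, compares in constant time, and does the same work whichever step
// matches, so timing reveals nothing about the expected code.
func validateCode(secret []byte, code string, unixTime int64) bool {
	ok := false
	for d := int64(-30); d <= 30; d += 30 {
		if hmac.Equal([]byte(totpCode(secret, unixTime+d)), []byte(code)) {
			ok = true
		}
	}
	return ok
}
```

The drift window means three codes are accepted at any moment instead of one, which is why the rate limit on /api/users/{id}/otp/check mentioned under Improvements matters.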