
Merged
merged 92 commits into from
Mar 29, 2025

Conversation

chesspro13
Contributor

@chesspro13 chesspro13 commented Sep 7, 2024

Features added

TOTP (Time-based One-Time Password) with recovery codes
OpenID/SSO via Google (for now)

Documentation

Testing Instructions

TOTP

  1. Start Trilium Notes normally.
  2. Go to "Menu" -> "Options" -> "MFA"
  3. Click the "Generate TOTP Secret" button
  4. Copy the generated secret to your authentication app/extension
  5. Set an environment variable "TOTP_SECRET" as the generated secret. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.
    # .env in the project root directory
    TOTP_ENABLED="true"
    TOTP_SECRET="secret"
    # Terminal/CLI
    export TOTP_ENABLED="true"
    export TOTP_SECRET="secret"
    # Docker
    docker run -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e TOTP_ENABLED="true" -e TOTP_SECRET="secret" triliumnext/notes:[VERSION]
  6. Restart Trilium
  7. Go to "Options" -> "MFA"
  8. Click the "Generate Recovery Codes" button
  9. Save the recovery codes. Recovery codes can be used once in place of the TOTP if you lose access to your authenticator. After a recovery code is used, it will show the unix timestamp when it was used in the MFA options tab.
  10. Load the secret into an authentication app like google authenticator

OpenID

Currently only compatible with Google. Other services like Authentik and Auth0 are planned on being added.

In order to set up OpenID, you will need to set up an authentication provider. This requires a bit of extra setup. Follow these instructions to set up an OpenID service through Google.

Set an environment variable "SSO_ENABLED" to true and add the client ID and secret you obtained from google. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.

.env File

# .env in the project root directory
SSO_ENABLED="true"
BASE_URL="http://localhost:8080"
CLIENT_ID=<client ID from google>
SECRET=<client secret from google>

Environment variable (linux)

export SSO_ENABLED="true"
export BASE_URL="http://localhost:8080"
export CLIENT_ID=<client ID from google>
export SECRET=<client secret from google>

Docker

docker run -d -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e SSO_ENABLED="true" -e BASE_URL="http://localhost:8080" -e CLIENT_ID=<client ID from google> -e SECRET=<client secret from google> triliumnext/notes:[VERSION]

After you restart Trilium Notes, you will be redirected to Google's account selection page. Log in to an account and Trilium Next will bind to that account, allowing you to log in with it.

You can now log in using your Google account.

@chesspro13 chesspro13 linked an issue Sep 7, 2024 that may be closed by this pull request
@chesspro13 chesspro13 marked this pull request as ready for review September 7, 2024 22:17
@chesspro13 chesspro13 requested review from adoriandoran and a team September 7, 2024 22:18
@perfectra1n
Member

This is super cool, thanks for doing this.

Is it also possible to configure the .env variables via the local environment variables? I was poking around in the commits, and didn't see any documentation modified for this change, but I'm assuming that you're saving those changes for once someone else with a much bigger brain than myself reviews it! :)

I'll also review the additional routes for the OTP.

@chesspro13
Contributor Author

chesspro13 commented Sep 7, 2024

@perfectra1n the environment variables can be set with environment variables (i.e. export TOTP_ENABLED="true"), -e with docker, and in a .env file in the root directory.

Honestly I forgot to update documentation. Whoops!

edit: I'm working on adding some pages now.

@chesspro13
Contributor Author

chesspro13 commented Sep 9, 2024

@perfectra1n

Docs complete here.

@chesspro13 chesspro13 requested review from eliandoran and removed request for adoriandoran September 10, 2024 19:21
@chesspro13 chesspro13 changed the title Feature addition: Updated MFA Feature addition: Multi-Factor Authentication Sep 12, 2024
@JYC333
Member

JYC333 commented Mar 28, 2025

TOTP is moved out from config.ini, and OAuth is still there for security concerns. I think it makes more sense now.

@maphew
Contributor

maphew commented Mar 28, 2025

so happy to see this happening, thank you. Is hardware auth like Yubikey or fingerprint reader part of this or would that be an additional feature?

@JYC333
Member

JYC333 commented Mar 28, 2025

so happy to see this happening, thank you. Is hardware auth like Yubikey or fingerprint reader part of this or would that be an additional feature?

I think that will be an additional feature then; at least it won't be in this PR.

Contributor

@eliandoran eliandoran left a comment


Almost there, @JYC333 ! :)

@eliandoran eliandoran marked this pull request as draft March 28, 2025 23:01
@JYC333 JYC333 marked this pull request as ready for review March 29, 2025 00:46
@JYC333 JYC333 requested a review from eliandoran March 29, 2025 00:46
@perfectra1n
Member

For TOTP_ENABLED and TOTP_SECRET - I believe that these variable names should be prepended with TRILIUM_ with our release of environment variables since this PR was created.

@JYC333
Member

JYC333 commented Mar 29, 2025

For TOTP_ENABLED and TOTP_SECRET - I believe that these variable names should be prepended with TRILIUM_ with our release of environment variables since this PR was created.

TOTP_ENABLED and TOTP_SECRET are removed from settings, and the user configures them through the options page. The settings required for OAuth need to be set through config.ini. I also added instructions for users who want to set them through environment variables.

@eliandoran eliandoran merged commit 7be71fc into develop Mar 29, 2025
5 checks passed
@eliandoran eliandoran deleted the feature/MFA branch March 29, 2025 11:06
pano9000 added a commit that referenced this pull request Apr 15, 2025
…okieMaxAge

regression introduced with #401
custom cookieMaxAge feature added with #1156

fixes #1709
Successfully merging this pull request may close these issues.

(Feature request) Multi-factor authentication
9 participants