Feature addition: Multi-Factor Authentication

[chesspro13]

Features added

TOTP (Time-based One-Time Password) with recovery codes
OpenID/SSO via Google (for now)

Documentation

Testing Instructions

TOTP

1. Start Trilium Notes normally.
2. Go to "Menu" -> "Options" -> "MFA"
3. Click the "Generate TOTP Secret" button
4. Copy the generated secret to your authentication app/extension
5. Set an environment variable "TOTP_SECRET" as the generated secret. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.

   # .env in the project root directory
   TOTP_ENABLED="true"
   TOTP_SECRET="secret"

   # Terminal/CLI
   export TOTP_ENABLED="true"
   export TOTP_SECRET="secret"

   # Docker
   docker run -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e TOTP_ENABLED="true" -e TOTP_SECRET="secret" triliumnext/notes:[VERSION]

6. Restart Trilium
7. Go to "Options" -> "MFA"
8. Click the "Generate Recovery Codes" button
9. Save the recovery codes. Recovery codes can be used once in place of the TOTP if you loose access to your authenticator. After a rerecovery code is used, it will show the unix timestamp when it was used in the MFA options tab.
10. Load the secret into an authentication app like google authenticator

OpenID

Currently only compatible with Google. Other services like Authentik and Auth0 are planned on being added.

In order to setup OpenID, you will need to setup a authentication provider. This requires a bit of extra setup. Follow these instructions to setup an OpenID service through google.

Set an environment variable "SSO_ENABLED" to true and add the client ID and secret you obtained from google. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.

.env File

# .env in the project root directory
SSO_ENABLED="true"
BASE_URL="http://localhost:8080"
CLIENT_ID=<client ID from google>
SECRET=<client secret from google>

Environment variable (linux)

export SSO_ENABLED="true"
export BASE_URL="http://localhost:8080"
export CLIENT_ID=<client ID from google>
export SECRET=<client secret from google>

Docker

docker run -d -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e SSO_ENABLED="true" -e BASE_URL="http://localhost:8080" -e CLIENT_ID=<client ID from google> -e SECRET=<client secret from google> triliumnext/notes:[VERSION]

After you restart Trilium Notes, you will be redirected to Google's account selection page. Login to an account and Trilium Next will bind to that account, allowing you to login with it.

You can now login using your google account.

[perfectra1n]

This is super cool, thanks for doing this.

Is it also possible to configure the .env variables via the local environment variables? I was poking around in the commits, and didn't see any documentation modified for this change, but I'm assuming that you're saving those changes for once someone else with a much bigger brain than myself reviews it! :)

I'll also review the additional routes for the OTP.

[chesspro13]

@perfectra1n the environment variables can be set with environment variables (ie export TOTP_ENABLED="true"), -e with docker, and in a .env file in the root directory.

Honestly I forgot to update documentation. Whoops!

edit: I'm working on adding some pages now.

[chesspro13]

@perfectra1n

Docs complete here.

[JYC333]

Thanks for your great work! I didn't finish testing the functionality, but the setup steps need some changes I believe.

Since you are adding a new table, and it doesn't add it automatically. I got an error here:

I'm not sure whether I'm doing something wrong, if not, I think this PR also need to fix the database migration stuff.

I don't know exactly how the database version is handled in Trilium, but for syncing, the database version should be the same. So after we merge this PR, it won't compatible with the latest Trilium from Zadam. (Correct me if I'm wrong) It could be the first big step for TriliumNext, not sure how careful we should be hhh.

Some minor stuffs I find so far:

1. MFA in option doesn't in the "right" place if I already have a database (I mean not start from scratch).
   
2. We have already upgrade bootstrap from v4 to v5, so some layouts are changed. Not sure whether you would like to fix it in this PR, it's ok to do it in a seperate PR I guess.

[JYC333]

TOTP is moved out from config.ini, and OAuth is still there for security concern. I think now it makes more sense now.

[maphew]

so happy to see this happening, thank you. Is hardware auth like Yubikey or fingerprint reader part of this or would that be an additional feature?

[JYC333]

so happy to see this happening, thank you. Is hardware auth like Yubikey or fingerprint reader part of this or would that be an additional feature?

I think that will be an additional feature then, at least won't in this PR.

[eliandoran]

Almost there, @JYC333 ! :)

[perfectra1n]

For TOTP_ENABLED and TOTP_SECRET - I believe that these variable names should be prepended with TRILIUM_ with our release of environment variables since this PR was created.

[JYC333]

For TOTP_ENABLED and TOTP_SECRET - I believe that these variable names should be prepended with TRILIUM_ with our release of environment variables since this PR was created.

TOTP_ENABLED and TOTP_SECRET are removed from settings, and let user to config through option page. The settings that required for OAuth need to set through config.ini. I also add instructions for user if they want to set through environment variables.