Thank you for your project, it has been very helpful to me. #1
Replies: 3 comments 1 reply
-
Hi, I'm glad you could make use of this project! Do I understand you correctly that you want to implement a method to modify/extend the shadow_totp file? If so, I'm fine with that. Please try to keep the existing code style. Thanks!
-
No, I'm just explaining my current use case. I don't know anything about Rust at the moment, but I'll contribute once I've learned it. However, there are still major issues with this project, because it's possible to determine whether the TOTP is correct without knowing the username and password. Additionally, the front-end page should verify the TOTP after verifying the username and password, rather than displaying the TOTP alongside the username and password.
-
This was initially introduced by design with commit 349d71f to prevent leakage about user names that are not present in the TOTP file. While short research did not reveal obvious problems in this specific use case, I checked back with the OWASP Authentication Cheat Sheet and will implement some improvements in the next version while also checking passwords before checking TOTP.
Since the main point of this project is to always use TOTP, there is no point in hiding the TOTP field. Hiding it would only slow down the login process. If you need this functionality, you need to add a username- or password-only verification step in the login flow (which does weaken security) and modify the login page accordingly in your own fork.
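The design point discussed in the two replies above (check the password together with the TOTP, and never let the response reveal whether a username exists in the shadow_totp file or which factor failed), shown as an added Python example that is not code from this project. The in-memory user store, its field names, the PBKDF2 password hashing and the decoy record are assumptions, since the thread does not show the real file format; the TOTP secret is the RFC 6238 Appendix B test secret.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 50_000


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed in-memory stand-in for the shadow_totp file; the real format is
# not shown in the thread. The TOTP secret is the RFC 6238 Appendix B test secret.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": pw_hash("correct horse battery", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
    },
}
# Decoy record used for unknown usernames so the same hashing work is done.
DECOY = {
    "salt": b"decoy-salt",
    "pw_hash": pw_hash("decoy", b"decoy-salt"),
    "totp_secret": b"decoy-secret-00000000",
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_login(username: str, password: str, code: str, now: int) -> bool:
    """Single pass/fail for all three factors.

    Every check runs regardless of earlier results and only one boolean is
    returned, so a wrong code cannot be used as an oracle for whether the
    username exists or the password was right.
    """
    known = username in USERS
    record = USERS.get(username, DECOY)
    password_ok = hmac.compare_digest(pw_hash(password, record["salt"]), record["pw_hash"])
    # Accept the current step and one step either side to absorb clock skew.
    totp_ok = False
    for skew in (-30, 0, 30):
        totp_ok |= hmac.compare_digest(totp(record["totp_secret"], now + skew).encode(), code.encode())
    return known and password_ok and totp_ok
```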
-
Allow me to add TOTP to my code-server instance in a simple manner. For personal use, it is a method that is easy to implement and has low performance overhead.