Two-factor authentication / 2FA

Hey there, I could not find anything on the web, nor in this forum, nor in the docs:

Two-factor authentication login.

Is this already possible somehow (e.g. with a plugin or so?) or is this maybe a valid feature request at this point?

The only thing I found so far is this Authelia thing, but I am not sure what exactly this is and how it would work. A native 2FA login option would be nicer to have, I think.

Another question I would have is: how could someone store all the data more securely on the server, or make access to these files more secure at all? Thanks for any input here! (=

1 Like

There’s no 2FA support, nor is it really possible to add this with a plug-in. If you’d like to have this, I’d really suggest looking at a system specifically designed for this like Authelia that you mentioned. Adding 2FA to SilverBullet would be quite an increase in scope and complexity, and honestly I’d prefer to delegate that to systems that already exist (like Authelia or similar) for those who need it.

As to how to protect content in general: this I would also delegate to the underlying system. You can apply on-disk encryption, or any other way to secure a file system.

An interesting option for this is https://lastlogin.net/.

It gives you email / GitHub / Google / … OAuth without needing to register a client on these auth providers.

Hey there, thanks for your reply. I did not know that implementing something like 2FA in addition to login would be that problematic after all. I just thought that it’s basically just a second login with some kind of algorithm behind it.

I looked at this Authelia twice and I am honest here: I have quite a hard time understanding what exactly this is and how it works. I imagine it to be similar to “Google” services, where you log in once and after that can use other services as well. I will have a third look at it. Though I am running the server, on which I run Silverbullet, with Apache. According to Authelia’s compatibility table I found, it does not seem to support it. So either I will find something that would explain how to still use it with Apache or maybe I will find an alternative. Thanks for pushing me towards Authelia or similar. Maybe it will come in handy with other projects as well, who knows.

Regarding the content protection answer: thanks. I am just wondering how Silverbullet then would be able to access encrypted files or the encrypted disk. But maybe I am just not experienced enough to imagine this.

Hey Achille, thanks for the hint. I will have a look! (=

Do I understand it correctly that this would have to be implemented by Zef? Or am I missing something about how I could set something up to be able to log in with LastLogin?

An analogy that may help your understanding: Authelia is like a doorman in front of your apps. If you’re on the guest list, he will let you in.

A common way to use this kind of system is to do forward authentication with a reverse proxy.

The reverse proxy first redirects the request to the authentication provider. If it gets the green light, it will then let the request go through to the app.

Some benefits of this approach:

  • Only one login to access multiple services (SSO)
  • Possibility to protect apps that have no authentication built-in
  • Outsourcing the security to a dedicated app

If you’re worried about the security of your data but don’t feel like the setup of an identity provider (Authelia) is something you can do, an alternative would be to only allow traffic to SB through a VPN tunnel. There is a guide on setting up Tailscale for this use case.

1 Like
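To make the doorman analogy concrete, here is an added example (not SilverBullet's, Authelia's or any proxy's real code) that models forward authentication as two cooperating components: an auth provider that owns the sessions and answers a "verify" request, and a reverse proxy that asks it before forwarding anything to the app. The class and path names (`AuthProvider`, `ReverseProxy`, `/login`, the `auth_session` cookie, the `Remote-User` header) are assumptions chosen for the illustration; real deployments use the provider's documented endpoints and headers.

```typescript
// Added example: a minimal model of reverse-proxy forward authentication.
// The app behind the proxy never sees an unauthenticated request and does not
// need to know the auth provider exists. All names here are assumptions.

interface ProxyRequest {
  path: string;
  cookies: Record<string, string>;
}

interface ProxyResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// The identity provider (the "doorman"): keeps the guest list (sessions)
// and answers the proxy's verify() call with 200 or 401.
class AuthProvider {
  private readonly sessions = new Map<string, string>(); // session id -> user

  constructor(private readonly loginPath: string = "/login") {}

  // Issues a session after a successful login; the password check itself is
  // out of scope for this example.
  login(user: string, sessionId: string): void {
    this.sessions.set(sessionId, user);
  }

  // Forward-auth endpoint: 200 with the verified identity, or 401 plus the
  // login page to redirect to (with the original path so the user returns).
  verify(req: ProxyRequest): ProxyResponse {
    const user = this.sessions.get(req.cookies["auth_session"] ?? "");
    if (user !== undefined) {
      return { status: 200, headers: { "Remote-User": user }, body: "" };
    }
    const location = `${this.loginPath}?rd=${encodeURIComponent(req.path)}`;
    return { status: 401, headers: { Location: location }, body: "" };
  }
}

// The reverse proxy: asks the provider first, forwards only on a green light.
class ReverseProxy {
  constructor(
    private readonly auth: AuthProvider,
    private readonly app: (req: ProxyRequest, user: string) => ProxyResponse,
  ) {}

  handle(req: ProxyRequest): ProxyResponse {
    const decision = this.auth.verify(req);
    if (decision.status !== 200) {
      // Not on the guest list: send the browser to the provider's login page.
      return { status: 302, headers: { Location: decision.headers["Location"] }, body: "" };
    }
    // Verified: forward to the app, passing the identity as a trusted header.
    return this.app(req, decision.headers["Remote-User"]);
  }
}

// Stand-in for the protected app (e.g. SilverBullet): it has no login of its
// own and simply trusts the identity header set by the proxy.
function protectedApp(req: ProxyRequest, user: string): ProxyResponse {
  return { status: 200, headers: {}, body: `page ${req.path} for ${user}` };
}

// Walk through both outcomes: anonymous request, then a request with a session.
function forwardAuthDemo(): { anonymous: ProxyResponse; authenticated: ProxyResponse } {
  const auth = new AuthProvider();
  const proxy = new ReverseProxy(auth, protectedApp);
  const anonymous = proxy.handle({ path: "/notes", cookies: {} });
  auth.login("alice", "session-1"); // constructed sample session
  const authenticated = proxy.handle({ path: "/notes", cookies: { auth_session: "session-1" } });
  return { anonymous, authenticated };
}
```

The important property is that `protectedApp` is only ever reached through `ReverseProxy.handle`, so the trust in the `Remote-User` header holds only as long as the app is not reachable directly (for example by binding it to localhost or a docker-internal network and exposing only the proxy).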

I am also worried about brute force attacks. I have set a decent password on my silverbullet docker, but I want to make sure it is safe as there is no protection.
By the way, is there a way to set a timeout limit on entering the wrong password? I guess people can just switch IP and try again, but still better than nothing.

Not right now, but some sort of rate limiting would be fairly easy to add. Could you create a GitHub issue for this?

By the way, since this is single-user, I think the rate limiting can even happen globally, ignoring the source IP.

1 Like
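As an added example of the global rate limiting suggested above (not SilverBullet's code; the class name and the delay parameters are assumptions), this limiter counts failed logins for the whole instance rather than per source IP, so an attacker who rotates addresses gains nothing. After a few free attempts each further failure doubles the lockout, capped at a maximum, and the password is not even compared while a lockout is active. The clock is passed in as a parameter so the behaviour can be tested deterministically.

```typescript
// Added example: global (IP-agnostic) login rate limiting for a single-user
// instance, with exponential backoff. Names and constants are assumptions.

interface LoginResult {
  ok: boolean;
  retryAfterMs: number; // 0 when a new attempt may be made right away
}

// Compares two strings without short-circuiting on the first mismatch, so the
// time taken does not depend on how much of the password prefix was correct.
function constantTimeEqual(a: string, b: string): boolean {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

class GlobalLoginLimiter {
  private failures = 0;
  private lockedUntilMs = 0;

  constructor(
    private readonly expectedPassword: string,
    private readonly freeAttempts: number = 3,        // failures before any delay
    private readonly baseDelayMs: number = 1000,      // first lockout length
    private readonly maxDelayMs: number = 15 * 60 * 1000, // cap on the lockout
  ) {}

  // nowMs is the caller's clock (Date.now() in production, a fixed value in tests).
  attempt(password: string, nowMs: number): LoginResult {
    if (nowMs < this.lockedUntilMs) {
      // Locked out: refuse without touching the password at all.
      return { ok: false, retryAfterMs: this.lockedUntilMs - nowMs };
    }
    if (constantTimeEqual(password, this.expectedPassword)) {
      this.failures = 0; // a successful login clears the backoff
      return { ok: true, retryAfterMs: 0 };
    }
    this.failures += 1;
    const excess = this.failures - this.freeAttempts;
    if (excess > 0) {
      // 1x, 2x, 4x ... the base delay, never beyond maxDelayMs.
      const delay = Math.min(this.baseDelayMs * Math.pow(2, excess - 1), this.maxDelayMs);
      this.lockedUntilMs = nowMs + delay;
      return { ok: false, retryAfterMs: delay };
    }
    return { ok: false, retryAfterMs: 0 };
  }

  failureCount(): number {
    return this.failures;
  }
}
```

The trade-off of a global limiter is that the same mechanism lets an attacker lock the legitimate user out by sending wrong passwords continuously, which is why the delay is capped rather than growing without bound; for a single-user instance that is usually acceptable, and the lockout events are worth logging so the owner notices them.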

Yes, I think it is a good idea. I would create the issue for it tonight when I get back home.

I just found out about “OpenID” and / or “OAuth2” and Keycloak. Is this basically the same as Authelia and would it work with Silverbullet? Or is this something which Silverbullet has to implement first?

I use Authelia for 2FA and it works really nicely.

I have the whole setup in docker:

  • silverbullet
  • Reverse proxy (now using SWAG)
  • Authelia

1 Like

The lovely thing about authelia is that whatever web pages you’re protecting with it don’t (have to) know about authelia existing. The protection happens at the level of the webserver (nginx or apache), so before you actually get to the application.

From a quick look I think that Keycloak is basically the same as Authelia, though I’ve never used Keycloak.

OpenID is an authentication protocol to facilitate SSO, not software in itself. Authelia (and probably Keycloak) make use of this protocol.

OAuth is also an authentication protocol, but to give software access to your accounts (e.g. a dashboard that looks at your GitHub commits).

1 Like