Disable webdav for users that have 2fa enabled

Is there a way to disallow webdav access for users that have 2fa enabled on their account?

I couldn’t find any configuration to allow this kind of behaviour so I’d better code it myself.

I know I need to check for the existence of 2FA devices on SeafileDomainController.authDomainUser for the specified user, I don’t know however how to aproach it, since CcnetThreadedRpcClient has no methods that would allow the server to check that.

Maybe Web API can you help


Hi,

I would like to ask when webdav access via normal password is disabled if 2FA is used.

@daniel.pan Back in October 2019 you announced this would come with 7.1.
See https://github.com/haiwen/seafile/issues/2017#issuecomment-540302623

My server runs with Seafile Pro 7.1.7. Even if I set ENABLE_WEBDAV_SECRET = True
I am able to login with normal user credentials.

This feature seems to be not implemented yet?

1 Like

This feature is not implemented yet as very few people need this.

I don’t understand your argument here.
Obviously there was some demand over the last two years.
Furthermore the basic structures for a seperate password are already implemented for sso users.
Alternatively you can just disable webdav for users who enabled 2fa, as you announced.

For me it comes with some bitter taste if a feature is announced with concrete release information but then doesn’t got implemented.

1 Like

Thanks for your feedback. We will add this feature definitely in version 8.0.

3 Likes

@daniel.pan can you please add this to the 8.0.x changelog? While I really like this feature, it’s an important change and breaking for some users, e.g. Two factor auth is enabled, no access to webdav
It should at least be mentioned in the change log

Please make this behaviour configurable. At the moment I’m stuck on 7.1.8 because this change breaks my main use case. And yes, I do understand the related security issue.

Many thanks!

Would love to see a way to continue using webdav while using 2FA… perhaps with app specific passwords? It is odd to be forced to choose between webdav and higher security via 2FA. There are plenty of use cases where both 2FA and webdav are desired. Thanks.

I agree that this should be configurable.

The setup that I had was to configure the front-end proxy (Apache in my case but the same could be achieved via nginx) so that webdav access was limited to a library called webdav. So if 2FA was enabled this would apply to all files stored in all other libraries but where an application required webdav it could still be used by using the “special” (lower security) webdav library.

8.x breaks this approach.

Matthew

Just to explain my setup. Instead of using the following in the Apache setup:

<Location /seafdav>
    ProxyPass "http://127.0.0.1:8080/seafdav"
</Location>

I’ve used the following:

<Location /seafdav/webdav>
    ProxyPass "http://127.0.0.1:8080/seafdav/webdav"
</Location>

This means that only the library called “webdav” in a users account is accessible via webdav so for a user with 2FA available all other libraries require 2FA to access, whereas only files in the webdav library can be accessed in a way which bypasses the 2FA (viz via webdav).

The same should be achievable in nginx by changing:

location /seafdav {
    proxy_pass         http://127.0.0.1:8080/seafdav;

to

location /seafdav/webdav {
    proxy_pass         http://127.0.0.1:8080/seafdav/webdav;  

(but I’ve not tested this).

A better approach would be to allow webdav to be enabled on a library by library basis - however, this would require some additional development work rather than a quick fix in the proxy config - perhaps with the ability for an admin to control\limit this via some policy config.

In any case the heavy handed approach of just disabling webdav for 2FA accounts is undesirable so I would classify this as a big in 8.x!

Matthew

3 Likes

This will be added in the next release.

4 Likes

Glad to hear. The way it should be! :wink: