How to manage the double authentication?


#1

Hello,

I would like to know if it’s possible to manage (verify, enable, disable) a user’s double authentication?
If it’s not possible using the API, is there a way to store a custom secret key directly in the Seafile database?
I found the tables the Seafile client is using, but it seems like the secret code of the QR code is encrypted.

Cheers


#2

Can you be more clear about what you want to do?

Only the second-auth API doesn’t exist. If you want to authorize via the API and have TWA enabled, you have to send the security code (generated by HOTP) in a special header.

Here is the description of the header


#3

I would like to be able to create the secret key of the 2FA in PHP and then store it in the Seafile database. Once I’ve got the token, what am I supposed to do?


#4

Sorry, I didn’t get a notification about your answer.

No. Seafile generates random binary data (the same as everyone using TOTP), converts it to hex and saves it into the database:

`seahub-db`.`two_factor_totpdevice`.`key`

Why do you want to generate your own secret? Did you think about using Seafile’s secret? Here I made an example of how to convert the Seafile database value to the standard code used by Google Authenticator, for example. https://3v4l.org/f0GLc
In short, it takes the database (hex) value, converts it to binary data and encodes that to base32 in PHP.

If you want to force Seafile to use your secret, you have to reverse this. So take your generated secret, decode it from base32, convert it to hex and save it to the database with the other settings like period, digits, etc.
An example in PHP is here: https://3v4l.org/GRjjM

The function binaryChunk is the same for both examples.


#5

This is actually what I wanted, but do you know how I can add a user, so as to fill the columns in the correct way? And also how to generate the static token in the two_factor_statictoken table?


#6

Can you explain the context? I really don’t know what you’re talking about.


#7

I’m developing a web interface in PHP. I would like to be able to enable the Seafile 2FA from my custom web page. Actually, the Seafile API doesn’t allow any action on the 2FA. That’s why I want to insert a custom secret code in the correct way. I want to reproduce the same behaviour as the original web client of Seafile. I hope this is clearer.


#8

Sure! :slight_smile:

So. You have to generate cryptographically strong random binary data; you can use the function openssl_random_pseudo_bytes($bytecount). By default Seafile uses a 20-byte length, so $bytecount = 20. Then just convert it to hex with bin2hex() and save it to the table with the other options such as period, digits, etc.

If you want to generate a standard QR code, you have to encode a special URL into it. For example
otpauth://totp/Seafile:john@example.com?secret=AXKXT5U4SCHRYAULRDJDJF57LCQDGHQS&issuer=Seafile&algorithm=SHA1&digits=6&period=30

You can keep the URL as it is. Only change Seafile:john@example.com to the format <page_title>:<user_login>, the secret attribute to secret=<base32encode($hexKeyFromDatabase)> and the issuer attribute to issuer=<page_title>

The values user_login and issuer are optional and have nothing to do with the generated codes.

I hope this can help you.

Keep in mind I’m writing this from scratch, I didn’t test it and I don’t know if something is missing.
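The conversions described in #4 and #8 (database hex to base32 for the authenticator app, base32 back to hex for the `key` column, generating a fresh 20-byte key, and building the otpauth URI), as one added PHP example. This is not code from this thread, from the 3v4l links, or from Seafile itself. It assumes only what the posts state: the hex value lives in `seahub-db`.`two_factor_totpdevice`.`key`, the default length is 20 bytes, and the other row values (period, digits, etc.) are written separately. The function names and the round-trip secret are the example’s own.

```php
<?php
declare(strict_types=1);

// RFC 4648 base32 alphabet. PHP has no built-in base32, so a small
// encoder/decoder is included here (it plays the role of the thread's binaryChunk helper).
const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

/** Raw bytes -> unpadded base32, the form authenticator apps expect in secret=. */
function base32Encode(string $bytes): string
{
    if ($bytes === '') {
        return '';
    }
    $alphabet = B32_ALPHABET;
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $group) {
        $group = str_pad($group, 5, '0', STR_PAD_RIGHT); // last group may be short
        $out  .= $alphabet[bindec($group)];
    }
    return $out;
}

/** Base32 (padding and lower case tolerated) -> raw bytes; rejects anything else. */
function base32Decode(string $b32): string
{
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '' || !preg_match('/^[A-Z2-7]+$/', $b32)) {
        throw new InvalidArgumentException('not a base32 secret');
    }
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $bits .= str_pad(decbin(strpos(B32_ALPHABET, $b32[$i])), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $group) {
        if (strlen($group) === 8) {          // drop the trailing partial group
            $bytes .= chr(bindec($group));
        }
    }
    return $bytes;
}

/** `seahub-db`.`two_factor_totpdevice`.`key` (hex) -> the secret= value for the otpauth URI. */
function seafileKeyToBase32(string $hexKey): string
{
    $raw = hex2bin($hexKey);
    if ($raw === false) {
        throw new InvalidArgumentException('key column value is not hex');
    }
    return base32Encode($raw);
}

/** The reverse: a base32 secret you generated -> the hex value to store in the key column. */
function base32ToSeafileKey(string $secret): string
{
    return bin2hex(base32Decode($secret));
}

/** A fresh key the way Seafile makes one: 20 random bytes from the CSPRNG, stored as hex. */
function newSeafileKeyHex(int $byteCount = 20): string
{
    return bin2hex(random_bytes($byteCount)); // openssl_random_pseudo_bytes() also works
}

/** otpauth:// URI for the QR code. Label and issuer are percent-encoded; apps decode them. */
function otpauthUri(string $hexKey, string $userLogin, string $issuer = 'Seafile', int $digits = 6, int $period = 30): string
{
    $label = rawurlencode($issuer) . ':' . rawurlencode($userLogin);
    $query = http_build_query([
        'secret'    => seafileKeyToBase32($hexKey),
        'issuer'    => $issuer,
        'algorithm' => 'SHA1',
        'digits'    => $digits,
        'period'    => $period,
    ], '', '&', PHP_QUERY_RFC3986);
    return 'otpauth://totp/' . $label . '?' . $query;
}

// Round trip with the secret from the example URI in this thread (constructed input).
$secret = 'AXKXT5U4SCHRYAULRDJDJF57LCQDGHQS';
$hexKey = base32ToSeafileKey($secret);     // 20 bytes -> 40 hex chars, what goes in the key column
if (seafileKeyToBase32($hexKey) !== $secret) {
    throw new RuntimeException('base32 round trip failed');
}
echo $hexKey, PHP_EOL;
echo otpauthUri($hexKey, 'john@example.com'), PHP_EOL;
echo otpauthUri(newSeafileKeyHex(), 'jane@example.com', 'My Portal'), PHP_EOL;
```

The label and issuer go through rawurlencode(), so a login containing @ becomes john%40example.com; authenticator apps decode it, and the secret itself contains only base32 characters so it is unchanged. Treat $hexKey, the base32 secret and the URI as the user’s second factor: write the hex to the key column and do not log any of the three.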


#9

Thank you for your quick answer ! Really appreciated.
I would like to ask if you can explain what the other columns are for and how to fill them if I have to.


#10

Here it is explained what the columns mean and their definitions


#11

@Vipera7

Hey! I did some research in the source code and I see there’s an API for disabling 2FA for any user via an admin account.
/api2/two-factor-auth/john@example.com/ with HTTP method DELETE


#12

I tested it, it works like a charm! Do you have an idea if there is a command to add or enable, or even retrieve a generated QR code from the API? :slightly_smiling_face:


#13

From the source code, there is only the delete method. QR codes are generated internally by the view, so there is no easy way to do it. Maybe only via the Python API, writing your own API methods using it.

But as I said, you can generate your own QR code, for example with Google Charts (example below).

BUT! You have to know that you are sending your private data over the internet to a 3rd-party server. So I recommend using some library to generate the QR code on your own. For example, this one looks good and there are examples with the otp URI.

<?php

$size = 200;
$otpUrl = 'otpauth://totp/Seafile:john@example.com?secret=AXKXT5U4SCHRYAULRDJDJF57LCQDGHQS&issuer=Seafile&algorithm=SHA1&digits=6&period=30'; // URL mentioned in post above

// cht=qr: QR chart; chs: pixel size; chld=L|1: error-correction level L with a 1-module margin.
// The otpauth URL (which contains the secret) is sent to Google as the chl parameter.
$qrUrl = "https://chart.googleapis.com/chart?cht=qr&chs={$size}x{$size}&chld=L|1&chl=" . rawurlencode($otpUrl);

?>

<img src="<?php echo htmlspecialchars($qrUrl, ENT_QUOTES, 'UTF-8'); ?>" alt="2FA QR code">


#14

It’s working well, but do you know how I can obtain the token for a user who has 2FA enabled?
I’m receiving an error like: non_fields_errors:[Two factor auth token is missing]

I’m using this curl command: curl -d "username=username@example.com&password=123456" https://cloud.seafile.com/api2/auth-token/

I guess I have to add a new parameter.

EDIT:
In the library you sent, there is no verify function to check if the user token is correct.


#15

It’s in the link which I sent in my first answer :slight_smile:
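A verify function of the kind asked about in #14, as an added PHP example that is not code from this thread, from Seafile, or from the QR library mentioned in #13. It computes RFC 6238 TOTP (HOTP over a time-step counter) from the hex value stored in `two_factor_totpdevice.key` and checks a submitted code with a clock-skew window and a constant-time comparison. The SHA1 / 6 digits / 30 seconds parameters are taken from the otpauth URI in #8. The test key is the RFC 6238 reference key, constructed here so the output can be checked against the RFC’s published vectors. A code that verifies is what the auth-token request in #14 is missing; the header it travels in is assumed here to be X-SEAFILE-OTP as named in Seafile’s web API manual, which this thread does not spell out.

```php
<?php
declare(strict_types=1);

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $keyBytes, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $keyBytes, true); // raw 20-byte digest
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP from the hex value in two_factor_totpdevice.key at a given Unix time. */
function totpFromSeafileKey(string $hexKey, int $unixTime, int $digits = 6, int $period = 30): string
{
    $key = hex2bin($hexKey);
    if ($key === false) {
        throw new InvalidArgumentException('key column value is not hex');
    }
    return hotp($key, intdiv($unixTime, $period), $digits);
}

/**
 * Check a user-supplied code against the current step and +/- $tolerance steps
 * (clock skew between server and phone). Every candidate is compared with
 * hash_equals() and the loop never exits early, so timing does not reveal
 * which step, if any, matched.
 */
function verifyTotp(string $hexKey, string $code, int $unixTime, int $tolerance = 1, int $digits = 6, int $period = 30): bool
{
    if (!preg_match('/^[0-9]{' . $digits . '}$/', $code)) {
        return false; // wrong length or non-digits can never match
    }
    $ok = false;
    for ($step = -$tolerance; $step <= $tolerance; $step++) {
        $expected = totpFromSeafileKey($hexKey, $unixTime + $step * $period, $digits, $period);
        $ok = hash_equals($expected, $code) || $ok;
    }
    return $ok;
}

// Constructed input: the RFC 6238 reference key "12345678901234567890" as it would
// sit in the key column (hex). The expected 6-digit codes are the low 6 digits of
// the RFC's 8-digit SHA1 vectors for the same times.
$rfcKeyHex = '3132333435363738393031323334353637383930';

echo totpFromSeafileKey($rfcKeyHex, 59), PHP_EOL;          // 287082
echo totpFromSeafileKey($rfcKeyHex, 1111111109), PHP_EOL;  // 081804

var_dump(verifyTotp($rfcKeyHex, '287082', 59));   // true : exact step
var_dump(verifyTotp($rfcKeyHex, '287082', 89));   // true : one step late, inside the tolerance
var_dump(verifyTotp($rfcKeyHex, '287082', 150));  // false: three steps late
var_dump(verifyTotp($rfcKeyHex, '28708', 59));    // false: malformed
```

A production verifier should also record the last step it accepted for the device and refuse codes from that step or earlier, so a code captured in transit cannot be replayed inside the tolerance window; the check above only answers "is this the right code for roughly now".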


#17

I have a last question. Do you know why I can’t disable a user’s 2FA when I set the column confirmed to 0? There is no description of the column.


#18

Seafile deletes the whole row when you disable 2FA. I don’t know exactly what this column is for. I can look closer at the source code, but on Monday …

Fridayyyyyy :joy:


#19

Anyway I don’t need that I found a workaround. I wish you a happy weekend and WC too :grinning:


#20

I don’t see anything about this column. Maybe it’s prepared for some other use case. But you can use the API DELETE method, or just remove the user’s TOTP row.


#21

I use the cURL command to DELETE the user row.