Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: disallow users with 2FA enabled to access WebDAV #7097

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: disallow users with 2FA enabled to access WebDAV #7097

wants to merge 1 commit into from
+5 −1

Conversation

NekoGirlSAIKOU
Copy link

WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't access webdav using only password. Although this can be manually solved by changing user permissions, Alist doesn't support to change permissions of admin.

BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.

@NekoGirlSAIKOU
fix: disallow users with 2FA enabled to access WebDAV
51365d0 
WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't access webdav using only password. Although this can be manually solved by changing user permissions, Alist doesn't support to change permissions of admin.

BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.
@welcome Welcome
Copy link

welcome bot commented Aug 28, 2024

Thanks for opening this pull request! Please check out our contributing guidelines.

@Mmx233
Copy link
Contributor

Mmx233 commented Aug 29, 2024

The purpose of multi-factor authentication, in my opinion, is to protect administrative privileges and sensitive information stored in the backend, such as keys.

I believe that forcibly disabling WebDAV is unacceptable. If the goal is to enhance security, the standard approach is to allow users to set a separate password for WebDAV. Currently, administrators can achieve this by creating a low-privileged, standalone account with a separate password as an alternative solution.

@NekoGirlSAIKOU
Copy link
Author

If the goal is to enhance security, the standard approach is to allow users to set a separate password for WebDAV.

I think the standard approach is to allow users to set a separate password for WebDAV, too.

Currently, administrators can achieve this by creating a low-privileged, standalone account with a separate password as an alternative solution.

But administrator's WebDAV access can't be disabled. It's hard-coded. So there is no way to let administrator set a separate password for WebDAV.

The purpose of multi-factor authentication, in my opinion, is to protect administrative privileges and sensitive information stored in the backend, such as keys.

I think the storage is also sensitive information. After all it's a cloud drive, where can store a lot of private data.

So I think WebDAV should not be accessed by users with 2FA enabled. Any access by any users (include admin and normal users) should fully satisfy their authentication configuration. They can create separate users with different (and more secure) password to access WebDAV.

Maybe I should add an setting for this like the sign all feature?

@Mmx233
Copy link
Contributor

Mmx233 commented Aug 29, 2024
edited
Loading

I have no right to decide if the changes in this PR can be merged. But adding a backend toggle or a configuration field is indeed a more acceptable solution for me.

@Mmx233
Copy link
Contributor

Mmx233 commented Aug 29, 2024

I suggest directly adding a separate password mechanism. I guess making this change won't be much harder than adding a button.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NekoGirlSAIKOU @Mmx233