
Feature addition: Multi-Factor Authentication #401

Open
wants to merge 77 commits into base: develop

Conversation

chesspro13

@chesspro13 chesspro13 commented Sep 7, 2024

Features added

TOTP (Time-based One-Time Password) with recovery codes
OpenID/SSO via Google (for now)

Documentation

Testing Instructions

TOTP

  1. Start Trilium Notes normally.
  2. Go to "Menu" -> "Options" -> "MFA"
  3. Click the "Generate TOTP Secret" button
  4. Copy the generated secret to your authentication app/extension
  5. Set an environment variable "TOTP_SECRET" as the generated secret. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.
    # .env in the project root directory
    TOTP_ENABLED="true"
    TOTP_SECRET="secret"
    # Terminal/CLI
    export TOTP_ENABLED="true"
    export TOTP_SECRET="secret"
    # Docker
    docker run -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e TOTP_ENABLED="true" -e TOTP_SECRET="secret" triliumnext/notes:[VERSION]
  6. Restart Trilium
  7. Go to "Options" -> "MFA"
  8. Click the "Generate Recovery Codes" button
  9. Save the recovery codes. Recovery codes can be used once in place of the TOTP if you lose access to your authenticator. After a recovery code is used, it will show the unix timestamp when it was used in the MFA options tab.
  10. Load the secret into an authentication app like Google Authenticator

OpenID

Currently only compatible with Google. Other services like Authentik and Auth0 are planned to be added.

In order to set up OpenID, you will need to set up an authentication provider. This requires a bit of extra setup. Follow these instructions to set up an OpenID service through Google.

Set an environment variable "SSO_ENABLED" to true and add the client ID and secret you obtained from Google. Environment variables can be set with a .env file in the root directory, by defining them in the command line, or with a docker container.

.env File

# .env in the project root directory
SSO_ENABLED="true"
BASE_URL="http://localhost:8080"
CLIENT_ID=<client ID from google>
SECRET=<client secret from google>

Environment variable (linux)

export SSO_ENABLED="true"
export BASE_URL="http://localhost:8080"
export CLIENT_ID=<client ID from google>
export SECRET=<client secret from google>

Docker

docker run -d -p 8080:8080 -v ~/trilium-data:/home/node/trilium-data -e SSO_ENABLED="true" -e BASE_URL="http://localhost:8080" -e CLIENT_ID=<client ID from google> -e SECRET=<client secret from google> triliumnext/notes:[VERSION]

After you restart Trilium Notes, you will be redirected to Google's account selection page. Log in to an account and Trilium Next will bind to that account, allowing you to log in with it.

You can now log in using your Google account.

@chesspro13 chesspro13 linked an issue Sep 7, 2024 that may be closed by this pull request
@chesspro13 chesspro13 marked this pull request as ready for review September 7, 2024 22:17
@chesspro13 chesspro13 requested review from adoriandoran and a team September 7, 2024 22:18
@perfectra1n
Member

This is super cool, thanks for doing this.

Is it also possible to configure the .env variables via the local environment variables? I was poking around in the commits, and didn't see any documentation modified for this change, but I'm assuming that you're saving those changes for once someone else with a much bigger brain than myself reviews it! :)

I'll also review the additional routes for the OTP.

@chesspro13
Author

chesspro13 commented Sep 7, 2024

@perfectra1n the environment variables can be set with environment variables (i.e. export TOTP_ENABLED="true"), -e with Docker, and in a .env file in the root directory.

Honestly I forgot to update documentation. Whoops!

edit: I'm working on adding some pages now.

@chesspro13
Author

chesspro13 commented Sep 9, 2024

@perfectra1n

Docs complete here.

@chesspro13 chesspro13 requested review from eliandoran and removed request for adoriandoran September 10, 2024 19:21
@chesspro13 chesspro13 changed the title Feature addition: Updated MFA Feature addition: Multi-Factor Authentication Sep 12, 2024
@JYC333 JYC333 marked this pull request as ready for review March 26, 2025 10:06
@JYC333
Contributor

JYC333 commented Mar 26, 2025

@eliandoran I have fixed all the problems that I found when testing it, and both methods are working. The UI for the MFA option page may not be optimal, but we can update that later, I think.

The playwright test is failing the same as the latest commit on develop, so I suppose that isn't related to this PR.

Please take a look and hope we can merge this soon!

@eliandoran
Contributor

@JYC333 , great job.

I've just started testing it and I can see a few relatively big problems with the UI/UX.

To set up TOTP on the server, I need to modify config.ini, otherwise all the options are disabled. If I enable the TOTP in the config, I'm asked to log in using the password and the... TOTP that I did not configure.

This makes for a great chicken-or-the-egg problem. I suppose it's because it was mostly meant for the desktop client and not the server?

I don't see why we shouldn't allow the user to generate TOTP even if it's not enabled. Or even better, not sure why we need to modify the config.ini and not activate it from the UI itself.

@JYC333
Contributor

JYC333 commented Mar 26, 2025

To set up TOTP on the server, I need to modify config.ini, otherwise all the options are disabled. If I enable the TOTP in the config, I'm asked to log in using the password and the... TOTP that I did not configure.

For the settings, I just followed what the PR had, but I had thought about allowing the user to change the setting in the app. I can make a change for that.

As for the login issue, I think after moving to allowing the user to change the setting in the app, that issue should be gone. I'll fix that.

This makes for a great chicken-or-the-egg problem. I suppose it's because it was mostly meant for the desktop client and not the server?

And I think this MFA is mostly for the server, not for the desktop client, since we don't request login when you use the desktop client. And it also doesn't request authentication when you want to sync with the server, if I remember correctly. That could be an issue that we need to fix later.

@eliandoran eliandoran marked this pull request as draft March 27, 2025 17:28
@JYC333 JYC333 marked this pull request as ready for review March 28, 2025 02:47
@JYC333
Contributor

JYC333 commented Mar 28, 2025

TOTP is moved out from config.ini, and OAuth is still there for security concerns. I think it makes more sense now.

Successfully merging this pull request may close these issues.

(Feature request) Multi-factor authentication
8 participants