2FA support

[reklatsmasters]

Is there any plans to add 2fa? This feature isn't possible to add by plugins (right now) due to required UI changes. Anyway, 2fa must be in verdaccio core.

[juanpicado]

@reklatsmasters I'm outdated about what we might do about 2FA with open source. Do you have any suggestion?

[reklatsmasters]

@juanpicado I think verdaccio should provide the same 2fa logic as npm:

• 2FA for login
• ask 2FA for publish
• require 2FA for publish per package

[reklatsmasters]

Of cource, this shouldn't break login from CI.

[juanpicado]

Ok, but I think we need more context here. What pieces are needed to achieve this?
I wonder how would be the connection verdaccio <---> token generator. Since the primary registry is close code, who knows how they achieve that. Any idea?

[MasterOdin]

They (like most everyone else) achieve it by implementing something that follows RFC 6238. The gist of this RFC is that for a user, you generate a "secret". The user is shown this secret through some combination of text and QR code (generally just the QR code) which the user then plugs into some application (like Google Authenticator). Then, any time the user goes to login, you use that "secret" for the user to generate a token (using the RFC algorithm) and then check it against what the user puts in.

In term of how you'd want to implement it, you'd probably want to use something like otplib which wraps all of those details for you, but I've only started looking at this project so I have no idea where exactly this hookup would be in the verdaccio codebase.

[FDMXC0002]

Hi i see this topic from 2018 at now ther is a converstion for add this?