mirror of https://github.com/Luzifer/vault-otp-ui.git synced 2024-11-08 08:10:11 +00:00
Latest commit 3652fda759 by Knut Ahlers, 2019-09-14 14:33:03 +02:00: Add proper support for shorter period codes (Signed-off-by: Knut Ahlers <knut@ahlers.me>)

Luzifer / vault-otp-ui

vault-otp-ui is a viewer for time-based one-time passwords whose secrets are stored in Vault. After the GitHub OAuth2 login, the interface offers a clean list of tokens with their corresponding account names, a filter function that accepts regular expressions, automatic refresh of the shown tokens once they expire, and a mobile-friendly layout usable on any mobile phone. Additionally, in all modern browsers you can copy a one-time password to your clipboard with a single click.

Storage of the secrets

Two different methods are supported for storing the secrets in Vault:

  • The TOTP secrets backend included in Vault 0.7.x
  • Custom (generic) secrets containing the keys secret, name, digits, and icon
    • Icons must be chosen from the FontAwesome icon set
    • When no name is set, the Vault key is used as the name
    • The digits field supports the values 6 (default) and 8 to generate longer 8-digit codes

(When using the Vault builtin TOTP backend, choosing icons for the tokens is not supported.)

Setup

  1. Create a new OAuth application on GitHub
  2. Configure <your vault-otp-ui instance>/oauth2 as the callback URL
  3. Configure the GitHub authentication backend in Vault so your users are able to read the keys containing the secrets / TOTP codes
  4. See vault-otp-ui --help for the configuration parameters
    • You must configure the GitHub OAuth2 credentials
    • You must configure the Vault parameters
    • You should configure a session-secret of at least 64 bytes (if you don't set one, it is chosen randomly on startup, which invalidates your session cookies on every restart of the application)

Security vs. Convenience

One of the key questions I found myself asking while developing this was whether to transmit the secrets used to generate the one-time passwords to the browser and generate the codes there, or to keep the secrets in the backend application and deliver only the codes themselves.

On the one hand, the first solution would work offline because the secrets could be cached in the browser. But seriously: I've never seen an OTP prompt while not being online, so this wasn't a valid reason. On the other hand, transmitting the secrets to the browser would IMHO be a major security flaw: if you lose control over your browser with all those secrets stored in local storage, an attacker has the chance to generate unlimited one-time passwords for your accounts.

In the end I went with the solution of transmitting only the names and the currently valid code. This means you are not able to generate a new code while offline, but it also means you can revoke access to the Vault keys and immediately stop an attacker's ability to generate codes on your behalf.
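Both the generic-secret layout described above (secret, name, digits and icon keys, with name falling back to the Vault key and digits defaulting to 6) and the decision to hand the browser only names and codes, as an added Go example that is not the project's own code. It assumes the Vault secret has already been read into a map[string]string, that codes are RFC 6238 TOTP with HMAC-SHA1 and a 30-second period, and it uses the RFC's reference secret as constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// DisplayToken is all the backend sends to the browser: name, current code
// and icon. The shared secret never leaves the backend.
type DisplayToken struct{ Name, Code, Icon string }

// tokenFromVaultSecret builds a DisplayToken from a generic Vault secret read
// from vaultKey: a missing name falls back to the key, digits defaults to 6.
func tokenFromVaultSecret(vaultKey string, data map[string]string, now time.Time) (DisplayToken, error) {
	// Secrets are often stored lower-case, spaced or padded; normalise before decoding.
	raw := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(data["secret"], " ", "")), "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(raw)
	if err != nil {
		return DisplayToken{}, fmt.Errorf("secret at %q is not valid base32: %w", vaultKey, err)
	}
	digits := 6 // README documents 6 and 8; this example accepts 6..8
	if d := data["digits"]; d != "" {
		if digits, err = strconv.Atoi(d); err != nil || digits < 6 || digits > 8 {
			return DisplayToken{}, fmt.Errorf("unsupported digits %q at %q", d, vaultKey)
		}
	}
	// RFC 6238: HOTP over the number of 30-second periods since the Unix epoch.
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(now.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := (binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff) % uint32(math.Pow10(digits))
	tok := DisplayToken{Name: data["name"], Code: fmt.Sprintf("%0*d", digits, code), Icon: data["icon"]}
	if tok.Name == "" {
		tok.Name = vaultKey
	}
	return tok, nil
}

func main() {
	// Constructed sample: the RFC 6238 reference secret "12345678901234567890", base32 encoded.
	fmt.Println(tokenFromVaultSecret("totp/github", map[string]string{"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "digits": "8"}, time.Unix(59, 0)))
}
```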