[Feature Request] Improve server security against attacks #187

Closed
opened 2026-02-28 18:51:38 -06:00 by GiteaMirror · 3 comments
Owner

Originally created by @rich-howell on GitHub (Jan 22, 2023).

Discussed in https://github.com/actualbudget/actual/discussions/174

Originally posted by blakegearin June 2, 2022
Currently a password authenticates a user to access a server. In addition to OAuth2, OIDC, LDAP, SSO support (#61), it would be worth exploring additional security features to make users feel more comfortable when self-hosting.

  1. adding email to the login form
  2. email alerts for multiple incorrect password attempts
  3. re-authenticate when exporting
  4. options to restrict login based on amount of concurrent users or browser/device
  5. 2FA/multi-factor authentication
  6. OTP (yubikey)
  7. CAPTCHA (svg-captcha, react-simple-captcha)
Originally created by @rich-howell on GitHub (Jan 22, 2023). ### Discussed in https://github.com/actualbudget/actual/discussions/174 <div type='discussions-op-text'> <sup>Originally posted by **blakegearin** June 2, 2022</sup> Currently a password authenticates a user to access a server. In addition to OAuth2, OIDC, LDAP, SSO support (#61), it would be worth exploring additional security features to make users feel more comfortable when self-hosting. 1. adding email to the login form 1. email alerts for multiple incorrect password attempts 1. re-authenticate when exporting 1. options to restrict login based on amount of concurrent users or browser/device 1. 2FA/multi-factor authentication 1. OTP ([`yubikey`](https://www.npmjs.com/package/yubikey)) 1. CAPTCHA ([`svg-captcha`](https://www.npmjs.com/package/svg-captcha), [`react-simple-captcha`](https://www.npmjs.com/package/react-simple-captcha))</div>
GiteaMirror added the feature label 2026-02-28 18:51:38 -06:00
Author
Owner

@MatissJanis commented on GitHub (Jan 25, 2023):

👋 The next release will feature e2e encryption. It's not exactly what's discussed here, but it will be a big improvement in terms of security.

Some commentary on the suggestions:

(1) - why?

(2) - this is interesting and could be done; also with lockup period for the budget file if multiple login attempts failed

(3) - not possible due the nature of the offline-first app. You already have ALL the database locally. What protection does adding a login box for local data give? Nothing really. Just a gimick.

(4) - same problem here due the nature of offline-first architecture

(5, 6) - definitely something we could explore

(7) - IMO not worth it, but happy to be proven wrong

@MatissJanis commented on GitHub (Jan 25, 2023): 👋 The next release will feature e2e encryption. It's not exactly what's discussed here, but it will be a big improvement in terms of security. Some commentary on the suggestions: (1) - why? (2) - this is interesting and could be done; also with lockup period for the budget file if multiple login attempts failed (3) - not possible due the nature of the offline-first app. You already have ALL the database locally. What protection does adding a login box for local data give? Nothing really. Just a gimick. (4) - same problem here due the nature of offline-first architecture (5, 6) - definitely something we could explore (7) - IMO not worth it, but happy to be proven wrong
Author
Owner

@j-f1 commented on GitHub (Jan 25, 2023):

Re 5/6, it would be nice to have support for Passkeys (which are supported across platforms/browsers) so that folks get high security without needing to remember a password. This uses WebAuthn so folks who are extra security conscious could pop in an external security key instead. (EDIT: this appears to be kinda complicated especially since we don’t have a way to know what our domain name is, and also WebAuthn as a whole is fairly complex.)

@j-f1 commented on GitHub (Jan 25, 2023): Re 5/6, it would be nice to have support for [Passkeys](https://developer.apple.com/wwdc22/10092) (which are supported across platforms/browsers) so that folks get high security without needing to remember a password. This uses WebAuthn so folks who are extra security conscious could pop in an external security key instead. (EDIT: this appears to be kinda complicated especially since we don’t have a way to know what our domain name is, and also WebAuthn as a whole is fairly complex.)
Author
Owner

@MatissJanis commented on GitHub (Mar 30, 2023):

👋 Thanks for the idea! It seems that this has not gained traction so far.

In order to keep our backlog of issues in order I'll close this one off. But if you are still interested in building this - please open up a new issue where you outline the proposal or open up a PR and we can discuss further there.

@MatissJanis commented on GitHub (Mar 30, 2023): :wave: Thanks for the idea! It seems that this has not gained traction so far. In order to keep our backlog of issues in order I'll close this one off. But if you are still interested in building this - please open up a new issue where you outline the proposal or open up a PR and we can discuss further there.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#187