mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-15 21:19:39 -05:00
[PR #11953] [CLOSED] [FEAT] [1225] [RFC] [REFACTOR] Add MFA implementation without rate limits nor account locks #126482
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/11953
Author: @TensorTemplar
Created: 3/22/2025
Status: ❌ Closed
Base:
dev← Head:1225-totp-support📝 Commits (3)
85abb57Add MFA MVP without rate limits. Minor refactoring. See docs/2fa-specification.mdf875688Remove verbose debug logging1bff553Duplicate pyotp and qrcode deps in backend/requirements.txt📊 Changes
27 files changed (+3427 additions, -1044 deletions)
View changed files
📝
backend/dev.sh(+2 -1)📝
backend/open_webui/constants.py(+1 -1)📝
backend/open_webui/internal/db.py(+10 -5)📝
backend/open_webui/main.py(+2 -0)➕
backend/open_webui/migrations/versions/add_mfa_fields.py(+32 -0)📝
backend/open_webui/models/auths.py(+155 -2)📝
backend/open_webui/models/users.py(+72 -15)📝
backend/open_webui/routers/auths.py(+71 -10)➕
backend/open_webui/routers/auths_mfa.py(+332 -0)📝
backend/open_webui/routers/users.py(+2 -1)➕
backend/open_webui/test/apps/webui/routers/test_auths_mfa.py(+382 -0)➕
backend/open_webui/test/apps/webui/routers/test_auths_mfa_security.py(+545 -0)📝
backend/open_webui/utils/auth.py(+38 -4)➕
backend/open_webui/utils/auth_mfa.py(+93 -0)📝
backend/requirements.txt(+2 -0)➕
docs/2fa-specification.md(+189 -0)📝
pyproject.toml(+4 -1)📝
src/lib/apis/auths/index.ts(+163 -96)📝
src/lib/apis/index.ts(+99 -4)📝
src/lib/apis/users/index.ts(+17 -97)...and 7 more files
📄 Description
See FR issue-1225
PR is a complete implementation of 2FA with support for QR codes and minor related security improvements. Please see details in
docs/2fa-specefication.mdScreen recording of me running through the features quickly is here
Refactor decisions are commented locally.
Please note:
There shouldn't be any breaking changes, but the least confident part of the code is the oauth and LDAP interaction - i don't use either and have not specifically tested if there are any conflicts when MFA is on, but nothing obviously incompatible comes to mind from a first glance.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.