[PR #11953] [FEAT] [1225] [RFC] [REFACTOR] Add MFA implementation without rate limits nor account locks #22825

Open
opened 2026-04-20 04:25:32 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/11953
Author: @TensorTemplar
Created: 3/22/2025
Status: 🔄 Open

Base: devHead: 1225-totp-support


📝 Commits (3)

  • 85abb57 Add MFA MVP without rate limits. Minor refactoring. See docs/2fa-specification.md
  • f875688 Remove verbose debug logging
  • 1bff553 Duplicate pyotp and qrcode deps in backend/requirements.txt

📊 Changes

27 files changed (+3427 additions, -1044 deletions)

View changed files

📝 backend/dev.sh (+2 -1)
📝 backend/open_webui/constants.py (+1 -1)
📝 backend/open_webui/internal/db.py (+10 -5)
📝 backend/open_webui/main.py (+2 -0)
backend/open_webui/migrations/versions/add_mfa_fields.py (+32 -0)
📝 backend/open_webui/models/auths.py (+155 -2)
📝 backend/open_webui/models/users.py (+72 -15)
📝 backend/open_webui/routers/auths.py (+71 -10)
backend/open_webui/routers/auths_mfa.py (+332 -0)
📝 backend/open_webui/routers/users.py (+2 -1)
backend/open_webui/test/apps/webui/routers/test_auths_mfa.py (+382 -0)
backend/open_webui/test/apps/webui/routers/test_auths_mfa_security.py (+545 -0)
📝 backend/open_webui/utils/auth.py (+38 -4)
backend/open_webui/utils/auth_mfa.py (+93 -0)
📝 backend/requirements.txt (+2 -0)
docs/2fa-specification.md (+189 -0)
📝 pyproject.toml (+4 -1)
📝 src/lib/apis/auths/index.ts (+163 -96)
📝 src/lib/apis/index.ts (+99 -4)
📝 src/lib/apis/users/index.ts (+17 -97)

...and 7 more files

📄 Description

See FR issue-1225

PR is a complete implementation of 2FA with support for QR codes and minor related security improvements. Please see details in docs/2fa-specefication.md

Screen recording of me running through the features quickly is here

Refactor decisions are commented locally.

Please note:

  • I spent only about an hour to get the project's vibes, which was not enough to figure how to autogenerate migrations - so there is a handcrafted one instead.
  • I assume there is a docker-based flow for tests that i am missing here - pointers on what the preference is would be appreciated so I can add proper integration tests.
  • I had logic for account locks and rate limiting as well but don't feel confident committing that without feedback/tests first.
  • no ruff for linting yet to preserve the overall code structure for easier review but let me know what the preferences are.
  • I don't usually write frontend code, so apologies for any eye-bleed and uncentered divs.

There shouldn't be any breaking changes, but the least confident part of the code is the oauth and LDAP interaction - i don't use either and have not specifically tested if there are any conflicts when MFA is on, but nothing obviously incompatible comes to mind from a first glance.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/11953 **Author:** [@TensorTemplar](https://github.com/TensorTemplar) **Created:** 3/22/2025 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `1225-totp-support` --- ### 📝 Commits (3) - [`85abb57`](https://github.com/open-webui/open-webui/commit/85abb57616b80947bd02a6f77aa1018f0364357a) Add MFA MVP without rate limits. Minor refactoring. See docs/2fa-specification.md - [`f875688`](https://github.com/open-webui/open-webui/commit/f8756884a3da78ea463c9c874b60b3cf8338f2ed) Remove verbose debug logging - [`1bff553`](https://github.com/open-webui/open-webui/commit/1bff553b2dd2588803d1e94836b0c76a69f6db72) Duplicate pyotp and qrcode deps in backend/requirements.txt ### 📊 Changes **27 files changed** (+3427 additions, -1044 deletions) <details> <summary>View changed files</summary> 📝 `backend/dev.sh` (+2 -1) 📝 `backend/open_webui/constants.py` (+1 -1) 📝 `backend/open_webui/internal/db.py` (+10 -5) 📝 `backend/open_webui/main.py` (+2 -0) ➕ `backend/open_webui/migrations/versions/add_mfa_fields.py` (+32 -0) 📝 `backend/open_webui/models/auths.py` (+155 -2) 📝 `backend/open_webui/models/users.py` (+72 -15) 📝 `backend/open_webui/routers/auths.py` (+71 -10) ➕ `backend/open_webui/routers/auths_mfa.py` (+332 -0) 📝 `backend/open_webui/routers/users.py` (+2 -1) ➕ `backend/open_webui/test/apps/webui/routers/test_auths_mfa.py` (+382 -0) ➕ `backend/open_webui/test/apps/webui/routers/test_auths_mfa_security.py` (+545 -0) 📝 `backend/open_webui/utils/auth.py` (+38 -4) ➕ `backend/open_webui/utils/auth_mfa.py` (+93 -0) 📝 `backend/requirements.txt` (+2 -0) ➕ `docs/2fa-specification.md` (+189 -0) 📝 `pyproject.toml` (+4 -1) 📝 `src/lib/apis/auths/index.ts` (+163 -96) 📝 `src/lib/apis/index.ts` (+99 -4) 📝 `src/lib/apis/users/index.ts` (+17 -97) _...and 7 more files_ </details> ### 📄 Description See FR [issue-1225](https://github.com/open-webui/open-webui/issues/1225) PR is a complete implementation of 2FA with support for QR codes and minor related security improvements. Please see details in `docs/2fa-specefication.md` Screen recording of me running through the features quickly is [here](https://s3.eu-central-1.amazonaws.com/public-store.droidcraft.io/2025-03-22%2012-35-29.mp4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAZJSNOOFOC73BE6DE%2F20250322%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20250322T104807Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=098b7705ccdc033f1c61de9f1720d175bad981473ae724d6ae20a7f61cc0fb70) Refactor decisions are commented locally. Please note: - I spent only about an hour to get the project's vibes, which was not enough to figure how to autogenerate migrations - so there is a handcrafted one instead. - I assume there is a docker-based flow for tests that i am missing here - pointers on what the preference is would be appreciated so I can add proper integration tests. - I had logic for account locks and rate limiting as well but don't feel confident committing that without feedback/tests first. - no ruff for linting yet to preserve the overall code structure for easier review but let me know what the preferences are. - I don't usually write frontend code, so apologies for any eye-bleed and uncentered divs. There shouldn't be any breaking changes, but the least confident part of the code is the oauth and LDAP interaction - i don't use either and have not specifically tested if there are any conflicts when MFA is on, but nothing obviously incompatible comes to mind from a first glance. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 04:25:32 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#22825