2FA for Storiesonline

51 views
Skip to first unread message

xbmd

unread,
Mar 22, 2025, 7:52:43 PMMar 22
to FanFicFare -- Downloader for FanFiction
I've implemented 2FA token generator and used it with storiesonline adapter, the quick poc is here. Is something like that will be ok to add to this project? If so how would you see this be implemented?

Jim Miller

unread,
Mar 23, 2025, 10:27:31 AMMar 23
to fanfic-d...@googlegroups.com


Rather than implementing OAUTH two factor auth, this implements Time-based one-time password(TOTP).

Storing the TOTP secret in plaintext next to the user/pass in personal.ini doesn't seem like it's increasing security to me.  What's the advantage of this over just not using 2FA?

xbmd

unread,
Mar 23, 2025, 10:59:55 AMMar 23
to FanFicFare -- Downloader for FanFiction
Well, I haven't seen a mention of the OAuth implementation anywhere on the website. I wanted to download a story, but I would have to disable the TOTP every time I download, which is a bother. If something unwanted can read the configuration files and knows what to look for to steal the data, I feel that the user has bigger problems on their hands. Alternatively, or perhaps in addition, there could also be a prompt to enter the TOTP code?

Jim Miller

unread,
Mar 23, 2025, 11:32:34 AMMar 23
to fanfic-d...@googlegroups.com

I think you're right: OAUTH and TOTP for 2FA appear unrelated.  My mistake.

I consider logging in with FFF inherently insecure.  FFF doesn't put more than token effort into protecting user/pass.  

Adding TOTP like this to FFF does not, IMO, make your account more secure.  It makes it less secure by compromising the TOTP secret.  In which case, you may as well turn 2FA off. 

Looking back at issue 701, it seems that QQ and other XenForo sites also use TOTP.

I'll look into raising an exception similar to FailedToLogin to collect TOTP from the user similar to collecting user/pass when not saved in personal.ini.

This would not work with CLI --non-interactive or Calibre plugin 'Background Metadata' options.

--
Project Home: https://github.com/JimmXinu/FanFicFare/wiki
---
You received this message because you are subscribed to the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fanfic-downloa...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/b8e26c19-84d6-4018-93f1-9d80c7f0678dn%40googlegroups.com.

Jim Miller

unread,
Mar 23, 2025, 12:04:50 PMMar 23
to fanfic-d...@googlegroups.com

Based on your code, here's a quick implementation (for CLI only):

https://github.com/JimmXinu/FanFicFare/tree/totp_for_2fa

Needs more testing, especially failure cases, but does this do what you'd want?

Message has been deleted

John

unread,
Mar 23, 2025, 3:52:45 PMMar 23
to fanfic-d...@googlegroups.com
Yeah, that is something i was looking for. For the couple stories it seems to work fine, outdated codes are throwing failed to login as expected. Maybe for the non interactive users you would be open for keeping the generation?
You received this message because you are subscribed to a topic in the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/fanfic-downloader/cNxbOqLv-q0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to fanfic-downloa...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/3746fc31-24cc-4c7c-93fd-f17fe3d1539f%40gmail.com.

John

unread,
Mar 23, 2025, 5:24:41 PMMar 23
to fanfic-d...@googlegroups.com
I maybe found a bug? When user fails to input correct credentials first time but correct the second time, the adapter will raise NeedTimedOneTimePassword and exit without prompting for a code. Log

Jim Miller

unread,
Mar 25, 2025, 9:41:02 AMMar 25
to fanfic-d...@googlegroups.com

FYI, I've posted test versions that support TOTP for sites:

https://github.com/JimmXinu/FanFicFare/commit/6c0df42fe72199b803878dfa7fe594761bf36464

On 3/24/2025 11:07 AM, Jim Miller wrote:

That doesn't surprise me.  There's a simple loop of 3 tries in CLI around user/pass, is_adult and now TOTP exceptions.  

First failure was before user/pass asked the first time, second was wrong user/pass, third was TOTP.

I'll increase the loop count.

Jim Miller

unread,
Mar 25, 2025, 9:41:02 AMMar 25
to fanfic-d...@googlegroups.com

For all the supported sites with TOTP I've looked at so far, if you don't want 2FA you can turn it off. 

I'm only reason looking at doing this is because it will legitimately improve security.  Faking it will not improve security.

xbmd

unread,
Mar 25, 2025, 9:41:02 AMMar 25
to FanFicFare -- Downloader for FanFiction
Something like that yes. But, for those who have their config protected, would you be open for the automatic generation feature?

Jim Miller

unread,
Mar 25, 2025, 9:41:02 AMMar 25
to fanfic-d...@googlegroups.com

That doesn't surprise me.  There's a simple loop of 3 tries in CLI around user/pass, is_adult and now TOTP exceptions.  

First failure was before user/pass asked the first time, second was wrong user/pass, third was TOTP.

I'll increase the loop count.

Jim Miller

unread,
Mar 25, 2025, 9:59:12 AMMar 25
to fanfic-d...@googlegroups.com
Honestly, no.  Not storing the TOTP secrets in personal.ini.  It defeats
the entire point of 2FA, IMO.

If there's a reasonably good python interface library to call dedicated
TOTP apps, I would consider it.

I also might consider reusing the cookie store between sessions; I can't
remember off hand why I rejected that before.  I know I've considered it
before.

On 3/23/2025 11:25 AM, 'xbmd' via FanFicFare -- Downloader for

Jason Straw

unread,
Mar 25, 2025, 12:31:41 PMMar 25
to fanfic-d...@googlegroups.com
If you're looking for a solution to not type the code as frequently, something like Yubikey's hardware TOTP might work: https://support.yubico.com/hc/en-us/articles/360013789259-Using-Your-YubiKey-with-Authenticator-Codes

Jason

--
Project Home: https://github.com/JimmXinu/FanFicFare/wiki
---
You received this message because you are subscribed to the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fanfic-downloa...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages