2FA for Storiesonline

[xbmd]

I've implemented 2FA token generator and used it with storiesonline adapter, the quick poc is here. Is something like that will be ok to add to this project? If so how would you see this be implemented?

[Jim Miller]

Rather than implementing OAUTH two factor auth, this implements Time-based one-time password(TOTP).

Storing the TOTP secret in plaintext next to the user/pass in personal.ini doesn't seem like it's increasing security to me.  What's the advantage of this over just not using 2FA?

[xbmd]

Well, I haven't seen a mention of the OAuth implementation anywhere on the website. I wanted to download a story, but I would have to disable the TOTP every time I download, which is a bother. If something unwanted can read the configuration files and knows what to look for to steal the data, I feel that the user has bigger problems on their hands. Alternatively, or perhaps in addition, there could also be a prompt to enter the TOTP code?

[Jim Miller]

I think you're right: OAUTH and TOTP for 2FA appear unrelated.  My mistake.

I consider logging in with FFF inherently insecure.  FFF doesn't put more than token effort into protecting user/pass.  

Adding TOTP like this to FFF does not, IMO, make your account more secure.  It makes it less secure by compromising the TOTP secret.  In which case, you may as well turn 2FA off. 

Looking back at issue 701, it seems that QQ and other XenForo sites also use TOTP.

I'll look into raising an exception similar to FailedToLogin to collect TOTP from the user similar to collecting user/pass when not saved in personal.ini.


This would not work with CLI --non-interactive or Calibre plugin 'Background Metadata' options.

--
Project Home: https://github.com/JimmXinu/FanFicFare/wiki
---
You received this message because you are subscribed to the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fanfic-downloa...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/b8e26c19-84d6-4018-93f1-9d80c7f0678dn%40googlegroups.com.

[Jim Miller]

Based on your code, here's a quick implementation (for CLI only):

https://github.com/JimmXinu/FanFicFare/tree/totp_for_2fa

Needs more testing, especially failure cases, but does this do what you'd want?

[John]

Yeah, that is something i was looking for. For the couple stories it seems to work fine, outdated codes are throwing failed to login as expected. Maybe for the non interactive users you would be open for keeping the generation?

You received this message because you are subscribed to a topic in the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/fanfic-downloader/cNxbOqLv-q0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to fanfic-downloa...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/3746fc31-24cc-4c7c-93fd-f17fe3d1539f%40gmail.com.

[John]

I maybe found a bug? When user fails to input correct credentials first time but correct the second time, the adapter will raise NeedTimedOneTimePassword and exit without prompting for a code. Log

To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/Ns3Kp8Gt0w31EI2ofKpWPFlKODO4OTR6IQbmq5CUJ4J4OhTD5nI5QL9evuouwaewaj056KsE3tCmRtQTQ3T-hbX3KxPDXg0gk0meC0KvbXc%3D%40protonmail.com.

[Jim Miller]

FYI, I've posted test versions that support TOTP for sites:

• storiesonline.net
• finestories.com
• scifistories.com
• alternatehistory.com
• QQ
• SV
• SB
• the-sietch.com

https://github.com/JimmXinu/FanFicFare/commit/6c0df42fe72199b803878dfa7fe594761bf36464

On 3/24/2025 11:07 AM, Jim Miller wrote:

That doesn't surprise me.  There's a simple loop of 3 tries in CLI around user/pass, is_adult and now TOTP exceptions.  

First failure was before user/pass asked the first time, second was wrong user/pass, third was TOTP.

I'll increase the loop count.

[Jim Miller]

For all the supported sites with TOTP I've looked at so far, if you don't want 2FA you can turn it off. 

I'm only reason looking at doing this is because it will legitimately improve security.  Faking it will not improve security.

[xbmd]

Something like that yes. But, for those who have their config protected, would you be open for the automatic generation feature?

[Jim Miller]

That doesn't surprise me.  There's a simple loop of 3 tries in CLI around user/pass, is_adult and now TOTP exceptions.  

First failure was before user/pass asked the first time, second was wrong user/pass, third was TOTP.

I'll increase the loop count.

[Jim Miller]

Honestly, no.  Not storing the TOTP secrets in personal.ini.  It defeats
the entire point of 2FA, IMO.

If there's a reasonably good python interface library to call dedicated
TOTP apps, I would consider it.

I also might consider reusing the cookie store between sessions; I can't
remember off hand why I rejected that before.  I know I've considered it
before.

On 3/23/2025 11:25 AM, 'xbmd' via FanFicFare -- Downloader for

[Jason Straw]

If you're looking for a solution to not type the code as frequently, something like Yubikey's hardware TOTP might work: https://support.yubico.com/hc/en-us/articles/360013789259-Using-Your-YubiKey-with-Authenticator-Codes

Jason

--
Project Home: https://github.com/JimmXinu/FanFicFare/wiki
---
You received this message because you are subscribed to the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fanfic-downloa...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/962a87a9-7475-45bf-ae35-c11157d3a024%40gmail.com.