Rather than implementing OAUTH two factor auth, this implements Time-based one-time password (TOTP).
Storing the TOTP secret in plaintext next to the user/pass in personal.ini doesn't seem like it's increasing security to me. What's the advantage of this over just not using 2FA?
I think you're right: OAUTH and TOTP for 2FA appear unrelated. My mistake.
I consider logging in with FFF inherently insecure. FFF doesn't put more than token effort into protecting user/pass.
Adding TOTP like this to FFF does not, IMO, make your account more secure. It makes it less secure by compromising the TOTP secret. In which case, you may as well turn 2FA off.
Looking back at issue 701, it seems that QQ and other XenForo sites also use TOTP.
I'll look into raising an exception similar to FailedToLogin to collect TOTP from the user similar to collecting user/pass when not saved in personal.ini.
This would not work with CLI --non-interactive or Calibre plugin 'Background Metadata' options.
--
Project Home: https://github.com/JimmXinu/FanFicFare/wiki
---
You received this message because you are subscribed to the Google Groups "FanFicFare -- Downloader for FanFiction" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fanfic-downloa...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fanfic-downloader/b8e26c19-84d6-4018-93f1-9d80c7f0678dn%40googlegroups.com.
Based on your code, here's a quick implementation (for CLI only):
https://github.com/JimmXinu/FanFicFare/tree/totp_for_2fa
Needs more testing, especially failure cases, but does this do what you'd want?
FYI, I've posted test versions that support TOTP for sites:
https://github.com/JimmXinu/FanFicFare/commit/6c0df42fe72199b803878dfa7fe594761bf36464
That doesn't surprise me. There's a simple loop of 3 tries in CLI around user/pass, is_adult and now TOTP exceptions.
First failure was before user/pass asked the first time, second was wrong user/pass, third was TOTP.
I'll increase the loop count.
For all the supported sites with TOTP I've looked at so far, if you don't want 2FA you can turn it off.
The only reason I'm looking at doing this is because it will legitimately improve security. Faking it will not improve security.
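An added sketch, not FanFicFare's code, of the exception-driven prompt loop discussed in this thread: with one shared budget of 3 tries the typed TOTP code is never submitted, and non-interactive mode fails rather than reading a stored secret. `NeedTOTP`, `AdultCheckRequired`, `FakeSite` and `download` are hypothetical names, and the credentials and code are constructed sample values.

```python
# Added illustration; names other than FailedToLogin are hypothetical.
class FailedToLogin(Exception): pass
class AdultCheckRequired(Exception): pass
class NeedTOTP(Exception): pass

class FakeSite:
    """Constructed stand-in for a site adapter: user/pass, is_adult, then a one-time code."""
    def __init__(self, is_adult=False):
        self.username = self.password = self.totp = None
        self.is_adult = is_adult

    def fetch(self):
        if (self.username, self.password) != ("alice", "s3cret"):  # constructed values
            raise FailedToLogin()
        if not self.is_adult:
            raise AdultCheckRequired()
        if self.totp != "123456":  # constructed one-time code
            raise NeedTOTP()
        return "story text"

def download(site, answers, max_tries, interactive=True):
    """Retry with one shared try budget; `answers` stands in for input()/getpass()."""
    answers = iter(answers)
    for attempt in range(1, max_tries + 1):
        try:
            return site.fetch(), attempt
        except (FailedToLogin, AdultCheckRequired, NeedTOTP) as exc:
            if not interactive:
                # Nobody to prompt: fail rather than fall back to a stored secret.
                raise
            if isinstance(exc, FailedToLogin):
                site.username, site.password = next(answers)
            elif isinstance(exc, AdultCheckRequired):
                site.is_adult = next(answers)
            else:
                # The code is typed per run; the TOTP secret itself is never stored.
                site.totp = next(answers)
    # Every try was spent on prompts; the last answer was never submitted.
    raise RuntimeError("out of tries")
```

With the answers "wrong password, right password, code", three tries end in `RuntimeError` right after the code is collected, while four tries succeed on the fourth.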