Internxt: Add Optional 2FA Secret to automate 2FA code generation. #9529
Adelzu wants to merge 1 commit into
In automated backup scenarios using the Internxt integration with 2FA enabled on the account, using a TOTP (2FA code) is not sufficient as it can result in sudden authorization issues with Internxt. Instead of using a one-time-use 2FA code, you can set the integration up with the 2FA secret and rclone will automatically generate the 2FA code when needed.
Hi @ncw, appreciate your support in reviewing this; the change is minimal. Thanks,
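The mechanism the description relies on, as an added example that is not rclone's or the PR's code: an RFC 6238 TOTP generator plus the decision a login path has to make when the stored secret is optional. The names `totpCode` and `secondFactor` are assumptions for illustration, and the secret used is the RFC 6238 reference key, not a real account's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// totpCode derives a 6-digit RFC 6238 code (HMAC-SHA-1, 30-second step) from a
// base32-encoded secret for the given Unix time.
func totpCode(secret string, unixTime int64) (string, error) {
	// Accept secrets the way authenticator apps print them: spaces, lowercase, padding.
	norm := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(secret, " ", "")), "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(norm)
	if err != nil {
		return "", fmt.Errorf("invalid 2FA secret: %w", err)
	}
	if len(key) == 0 {
		return "", errors.New("empty 2FA secret")
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

// secondFactor is the decision a backend login has to make (assumed shape, not
// rclone's code): a stored secret yields a fresh code on demand, a one-time code
// is used as supplied, and having neither is reported instead of silently ignored.
func secondFactor(optSecret, optCode string, now time.Time) (string, error) {
	if optSecret != "" {
		return totpCode(optSecret, now.Unix())
	}
	if optCode != "" {
		return optCode, nil
	}
	return "", errors.New("2FA required: set a 2FA secret or supply a one-time 2FA code")
}
```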
ncw left a comment
Please see comments inline
Storing the TOTP seed in the rclone config materially weakens 2FA: an attacker with the config file now has password and a working second factor, reducing 2FA to single-factor. This is an inherent trade-off of the feature and is reasonably opt-in, with a Caution: in the config prompt. However, the docs change only updated the login-prompt paragraph - consider adding a sentence to the existing "Security Considerations" section in docs/content/internxt.md so the trade-off is documented where security-conscious users will look.
Thank you :-)
| // Returns the AccessResponse on success, or an error if 2FA is required or login fails. | ||
| func (f *Fs) reLogin(ctx context.Context) (*internxtauth.AccessResponse, error) { | ||
| password, err := obscure.Reveal(f.opt.Pass) | ||
| twoFASecret, _ := obscure.Reveal(f.opt.TwoFASecret) |
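Review bot: `twoFASecret, _ := obscure.Reveal(f.opt.TwoFASecret)` discards the reveal error, and because the secret is optional a blank value will reach `Reveal` as well. Guard with `if f.opt.TwoFASecret != ""` before revealing, and when a non-empty value fails to reveal return a clear error such as `fmt.Errorf("invalid 2FA secret: %w", err)` rather than continuing with an empty secret.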
Don't ignore errors
Move this line to below the `if err != nil` and make a new `if err != nil` with a sensible error message, e.g. `fmt.Errorf("invalid 2FA secret: %w", err)`
| case "login": | ||
| twoFA, _ := m.Get("2fa_code") | ||
| twoFAObsecuredSecret, _ := m.Get("2fa_secret") | ||
| twoFASecret, _ := obscure.Reveal(twoFAObsecuredSecret) |
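Review bot: in the `login` command path, `twoFASecret, _ := obscure.Reveal(twoFAObsecuredSecret)` turns a value that was pasted un-obscured or mistyped into an empty secret without telling the user, so the failure surfaces later as an unexplained 2FA rejection rather than a config error. Return the reveal error when `2fa_secret` was supplied, and only fall through to the one-time `2fa_code` when no secret was given.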
| case "login": | ||
| twoFA, _ := m.Get("2fa_code") | ||
| twoFAObsecuredSecret, _ := m.Get("2fa_secret") |
Typo here: `twoFAObscuredSecret`, not `twoFAObsecuredSecret`
| Email string `config:"email"` | ||
| Pass string `config:"pass"` | ||
| TwoFA string `config:"2fa"` | ||
| TwoFASecret string `config:"2fa_secret"` // The TOTP seed/secret |
This is missing a description in `fs.RegInfo.Options`, as is `2fa` - can you add them both as Advanced and Sensitive.
Mimic the ones in the protondrive backend:

```go
}, {
	Name: "2fa",
	Help: `The 2FA code
The value can also be provided with --protondrive-2fa=000000
The 2FA code of your proton drive account if the account is set up with
two-factor authentication`,
	Required: false,
}, {
	Name: "otp_secret_key",
	Help: `The OTP secret key
The value can also be provided with --protondrive-otp-secret-key=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
The OTP secret key of your proton drive account if the account is set up with
two-factor authentication`,
	Required:   false,
	Sensitive:  true,
	IsPassword: true,
}, {
	Name: clientUIDKey,
```
Which probably means we should rename `2fa_secret` to `otp_secret` for consistency
What is the purpose of this change?
Internxt Integration: Adds the ability to use 2FA secret instead of 2FA code, making the authentication more robust and self-recovering.
Was the change discussed in an issue or in the forum before?
Yes,
https://forum.rclone.org/t/use-internext-otp-secret-instead-of-totp-code/53932
Closes #9528
Checklist