2 Factor Authentication

Hi all, I would like to hear some opinions about the possibility / feasibility of adding 2FA to stash logins. I want to make my remotely hosted stash instance publicly accessible so I can reach it even when I don’t have a VPN tunnel. I feel that a basic username / password security system is no longer secure enough for publicly available services in 2024.

I might even be able to work on this topic myself, but I would like to know if there are any already known show-stoppers.

I can’t add anything from the dev perspective, but wouldn’t it make more sense to add external security to the reverse proxy itself? Something like Authelia would always be superior to what Stash itself could offer.

I agree with Dogma here. While 2FA would offer some more security, there are still Stash endpoints such as the plugin static routes (plugin/*) that are accessible without login, and /graphql is accessible without an API key for introspection. Putting a reverse proxy in front of it would actually secure it and offers a lot more potential.

This is a very good point. I didn’t consider this. In this case, a reverse proxy makes a lot more sense. I will investigate whether Authelia can sufficiently satisfy my security concerns before continuing here.
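The reverse-proxy setup discussed in the replies above, as an added example that is not part of the thread and not code from the Stash or Authelia projects. It assumes Caddy as the reverse proxy, Authelia reachable on the internal name authelia:9091, Stash on stash:9999, and the placeholder hostnames auth.example.com and stash.example.com; the forward-auth path /api/authz/forward-auth is the one current Authelia releases document for Caddy, so check it against the Authelia version actually deployed.

```caddyfile
# Added example (not from the thread or from Stash/Authelia).
# Assumed names: authelia:9091, stash:9999, auth.example.com, stash.example.com.

# Authelia's own login portal. This site block must NOT sit behind
# forward_auth, otherwise nobody can ever reach the login page.
auth.example.com {
    reverse_proxy authelia:9091
}

# Stash. forward_auth has no path matcher here, so every request,
# including the plugin static routes (plugin/*) and /graphql, is sent to
# Authelia first and only forwarded to Stash once Authelia says it is
# authenticated. Nothing reaches Stash on an unauthenticated path.
stash.example.com {
    forward_auth authelia:9091 {
        # Authelia forward-auth endpoint (assumed; verify for your version)
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy stash:9999
}
```

Two things make or break this layout. First, Stash must only be reachable through the proxy (bind it to localhost or a container-internal network, never to the public interface), or the proxy is simply bypassed. Second, the 2FA requirement lives in Authelia's access_control rules, where the rule covering stash.example.com needs the `two_factor` policy; with the default `one_factor` policy the proxy enforces login but not a second factor.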

Computer security expert here weighing in: 2FA is a fool-resistant method as long as we use the Google Authenticator option and possibly passkey auth, where we completely eliminate username/password in lieu of a passkey.