Add 2-factor authentication to JS UI #3031

Open

MistyMoose opened this issue Apr 2, 2023 · 5 comments
Labels: enhancement (New feature or request)

Comments

@MistyMoose

Is your feature request related to a problem? Please describe.

The Z-Wave JS UI is incredibly useful for Z-Wave security devices, like locks and motion sensors. It would significantly improve the security of the server if 2FA could be implemented for user authentication into the UI, similar to that in HA or Homebridge.

Describe the solution you'd like
Have a 2-factor authentication option for UI users.

Describe alternatives you've considered
Home Assistant has this option, but for those of us not running HA as an OS, a separate installation of Z-Wave JS is required. It would help a lot if Z-Wave JS had 2FA as well.

@MistyMoose MistyMoose added the enhancement New feature or request label Apr 2, 2023
@robertsLando (Member)

Hi @MistyMoose. Thanks for your issue; this is interesting and I can implement it. I will also change the base auth method to a better one using cookies. Follow the updates on this issue.

@geekifier

> Hi @MistyMoose. Thanks for your issue; this is interesting and I can implement it. I will also change the base auth method to a better one using cookies. Follow the updates on this issue.

I assume this would also make it possible to pass an authentication cookie from a third party auth provider? If so, that would be great! I use Authelia to handle SSO for most of my hosted apps. Would love to be able to use it with zwave-js-ui.

@robertsLando (Member)

@geekifier I'm not sure I understand what you mean; I never did that.

@geekifier commented Oct 5, 2023

Sorry, don't mean to be derailing this issue. But I can give you an example of how I have it set up.

Long story short, you can have a reverse proxy with some sort of authentication provider that handles the authentication of the user. I use Traefik and Authelia for this, but you can use Nginx, HAProxy, Caddy or whatever else.

The reverse proxy redirects unauthenticated user requests to your identity provider, which you can have authenticate against LDAP, OpenID, local DB etc.
Once authenticated, the reverse proxy sets a set of headers, such as Remote-User, Remote-Email, Remote-Groups.

I use this for Grafana and other software, but I think Kanboard has a decent description on this.

The target app checks to see if the Remote-User header is sent, and uses it to authorize the session depending on the software config. You can configure it to automatically create user accounts, or to just map Remote-User against the value of its internal auth DB.

Since this auth method is pretty basic (there is no cryptographic token or certificates), the target app needs to be only accessible from the proxy service (easily accomplished with a Docker network).

The value here is rather than setting a bunch of "local" accounts and passwords across many apps, you log on with a single set of centrally managed credentials. You also only sign on once, and stay logged on for the duration set in the config, across many apps.

But thinking more on this, since your app doesn't really support multiple accounts currently, one can simply disable auth and have the proxy server handle the gatekeeping.

Sorry if this is OT, I saw you mentioning switching to cookie auth and was wondering if something like that header check would be possible as part of those changes.

@robertsLando (Member)

@geekifier No worries, thanks for pointing this out. It seems interesting and I had never heard of this kind of auth method! I will dig into this and let you know in case I am able to add that support. Thanks 🙏🏼
