Hi Caddy community!
I’m happy to introduce BasicAuthTOTP, a new plugin for Caddy. This plugin extends Caddy’s existing basic_auth
directive by incorporating Time-based One-Time Password (TOTP) two-factor authentication (2FA).
Overview:
BasicAuthTOTP requires users to input a valid TOTP code in addition to their basic auth credentials, adding an extra layer of security to protected routes. This makes it a suitable option for scenarios where basic auth alone may not be sufficient.
How It Works:
When a user requests a protected route, Caddy first prompts for Basic Authentication credentials. Once those are accepted, the plugin presents a 2FA prompt asking for the user's current TOTP code. After a valid code is entered, a session cookie keeps the route accessible until the configured inactivity timeout expires.
Use Cases:
This plugin is best suited for smaller, internal user groups and is useful for securing routes or applications that need an extra layer of security without requiring a comprehensive authentication solution.
Example Caddyfile:
:8080 {
    handle /top-secret/* {
        basicauth {
            user hashed_password
        }
        basic_auth_totp {
            session_inactivity_timeout 8h
            secrets_file_path /path/to/2fa-secrets.json
            cookie_name basicauthtotp_session
            cookie_path /top-secret
            logout_path /top-secret/logout
            logout_redirect_url /
        }
        respond "Welcome, you have passed basic and TOTP authentication!"
    }
}
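For anyone curious what the second step actually checks, here is an added example (my own illustration, not code from the BasicAuthTOTP plugin or from Caddy) of RFC 6238 TOTP verification in Go, the language Caddy plugins are written in. It shows the pieces a verifier needs: HOTP over an HMAC-SHA1 counter, the 30-second time step, a base32-encoded secret as authenticator apps store it, a small clock-skew window, a constant-time comparison, and rejection of a code that was already accepted (a TOTP code is only one-time if the verifier remembers the last step it accepted). The `decodeSecret`, `verifyTOTP` and `totpVerifier` names and the skew of one step are my assumptions; the secrets file format and internal checks of the plugin are not documented here, so nothing below claims to mirror them. The secret used in `main` is the well-known RFC 4226/6238 test key, so the printed values can be checked against the RFC appendix.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6  // what authenticator apps show by default
)

// hotp computes the RFC 4226 value for a raw key and an 8-byte big-endian counter.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totpAt derives the counter from a Unix timestamp and returns the code for that step.
func totpAt(key []byte, unix int64) string {
	return hotp(key, uint64(unix/totpStep), totpDigits)
}

// decodeSecret accepts the base32 form authenticator apps use (unpadded, any case,
// optional spaces). Assumed helper; the plugin's own secret format is not shown here.
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP checks a submitted code against the current step and +/- skew
// neighbouring steps, comparing in constant time. It returns the matching step
// so the caller can refuse to accept that step a second time.
func verifyTOTP(key []byte, code string, now int64, skew int) (bool, uint64) {
	step := now / totpStep
	for d := -skew; d <= skew; d++ {
		c := step + int64(d)
		if c < 0 {
			continue
		}
		want := hotp(key, uint64(c), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true, uint64(c)
		}
	}
	return false, 0
}

// totpVerifier remembers the last accepted step per user so a code that was
// already used cannot be replayed inside the skew window (assumed design, in-memory only).
type totpVerifier struct {
	lastStep map[string]uint64
}

func newVerifier() *totpVerifier {
	return &totpVerifier{lastStep: make(map[string]uint64)}
}

// accept returns true only for a fresh, valid code whose step is newer than the
// last one accepted for this user.
func (v *totpVerifier) accept(user string, key []byte, code string, now int64) bool {
	ok, step := verifyTOTP(key, code, now, 1)
	if !ok {
		return false
	}
	if last, seen := v.lastStep[user]; seen && step <= last {
		return false // replay of an already-consumed step
	}
	v.lastStep[user] = step
	return true
}

func main() {
	// RFC 4226 / RFC 6238 test key "12345678901234567890" in base32 (constructed sample).
	key, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("RFC vector, T=59:", totpAt(key, 59)) // 287082 per RFC 6238 Appendix B
	fmt.Println("code right now:  ", totpAt(key, time.Now().Unix()))
	v := newVerifier()
	fmt.Println("first use accepted:", v.accept("alice", key, "287082", 59))
	fmt.Println("replay accepted:   ", v.accept("alice", key, "287082", 59))
}
```

The skew window is the usual trade-off: one step either side absorbs phone clock drift but triples the number of codes a guess can hit, so pair it with the rate limiting or lockout the surrounding server provides, and keep the HMAC key comparison constant-time even though the code space is only six digits.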
I initially developed BasicAuthTOTP for personal projects, but it’s now a registered plugin, so others can try it out as well. I hope it proves useful!