luci-app-2fa: init checkin by Tokisaki-Galaxy · Pull Request #8280 · openwrt/luci

Tokisaki-Galaxy · 2026-01-29T09:00:24Z

This PR is not from my main or master branch 💩, but a separate branch ✅
Each commit has a valid ✒️ Signed-off-by: <my@email.address> row (via git commit --signoff)
Each commit and PR title has a valid 📝 <package name>: title first line subject for packages
(N/A) Incremented 🆙 any PKG_VERSION in the Makefile
Tested on: (architecture, openwrt version, browser) ✅
( Preferred ) Screenshot or mp4 of changes:
( Optional ) Closes:
[POC,WIP] Implement 2-Factor Authentication with TOTP or HOTP #7069
Feature request: Support for Passkey (WebAuthn) authentication in LuCI #8273
( Optional ) Depends on: openwrt/luci luci-base: add generic authentication plugin (login HOOK) #8281
Description: (describe the changes proposed in this PR)

2026-02-04.180055.mp4

the app must changed LuCI core file because:

No hook point exists between password verification and session creation
External packages cannot inject authentication logic
No plugin discovery mechanism in the original code

Security Measures

Constant-time string comparison to prevent timing attacks
Username sanitization to prevent command injection
Array-based popen to prevent shell injection
OTP format validation (exactly 6 digits)
Session destroyed if 2FA verification fails
Uses authenticated session username to prevent bypass attacks

origin repo https://github.com/Tokisaki-Galaxy/luci-app-2fa

Neustradamus · 2026-01-29T17:49:16Z

@Tokisaki-Galaxy: Nice, good job!

Do not forget to solve:

🔶 Author name (Tokisaki-Galaxy) seems to be a nickname or an alias
🔶 Committer name (Tokisaki-Galaxy) seems to be a nickname or an alias

stangri · 2026-01-29T18:33:21Z

Looks very polished @Tokisaki-Galaxy!

Does this use TOTP? If the OpenWrt device doesn't have RTC and is offline or generally doesn't have correct time, does SSH become the only option to login?

Is there a README/instructions (ideally a hint on failed attempt) on how to disable 2FA from SSH/CLI for people who may be locked out of WebUI and can't read code ahead of time?

Tokisaki-Galaxy · 2026-01-30T03:55:07Z

@stangri

Please refer to the newly added video at the top of the description section for details.

The plugin can choose either TOTP or HOTP, but TOTP is recommended.
For RTC clock that is not synchronized (for example, the year is 1970), users can choose the 2fa behavior (strict mode) through options. By default, LAN areas are allowed to bypass 2FA for login, while non-LAN areas are prohibited. It can be configured to allow anyone to bypass 2FA for login.

Regarding the documentation for SSH/CLI, I'm not quite sure where it should be placed. Should it be directly included in the web UI? But if users don't read it carefully, they might not be able to log in and it would be impossible to see the result. Do you have any suggestions?

Previously, it was planned to add backup code, but this was abandoned because it would cause the bitward auto-fill function to become unusable and the complexity would be too high.

systemcrash · 2026-03-30T22:20:08Z

@Tokisaki-Galaxy let's see whether the plugin structure needs some modifications to handle 2FA stuff.

Tokisaki-Galaxy · 2026-03-31T14:53:33Z

@systemcrash
branch have update

applications/luci-app-2fa/root/usr/libexec/generate_otp.uc

Co-authored-by: Christian Marangi <ansuelsmth@gmail.com> Signed-off-by: tokisaki galaxy <moebest@outlook.jp>

Tokisaki-Galaxy · 2026-04-02T02:07:35Z

Refactored generate_otp.uc to leverage ucode native modules and built-in features. replaces the manual implementations, improving performance

...uci-app-2fa/root/usr/share/ucode/luci/plugins/auth/login/bb4ea47fcffb44ec9bb3d3673c9b4ed2.uc

applications/luci-app-2fa/htdocs/luci-static/resources/uqr.js

This update adds a priority option and enables QR code display for 2FA. Signed-off-by: tokisaki galaxy <moebest@outlook.jp>

use native ubus IP validation instead of custom regex and parsing, use native fs lock instead of popen-call and add log for logging auth events. now, will clean stale rate limit entries on each check and log when entries are removed due to staleness. This prevents the rate limit file from growing indefinitely with old entries. Signed-off-by: tokisaki galaxy <moebest@outlook.jp>

systemcrash · 2026-04-03T16:18:40Z

applications/luci-app-2fa/Makefile

+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-2fa


OK - since it's an auth plugin, let's house it in the plugin folder.

systemcrash · 2026-04-03T16:22:39Z

...uci-app-2fa/root/usr/share/ucode/luci/plugins/auth/login/bb4ea47fcffb44ec9bb3d3673c9b4ed2.uc

+// (e.g., after power loss on devices without RTC battery), TOTP codes will
+// be incorrect and users will be locked out. This threshold disables TOTP
+// when system time appears uncalibrated.
+const DEFAULT_MIN_VALID_TIME = 1767225600;


There is also the trick that the system uses - it sets the minimum clock value to the last file-change time found in the /etc FS. Check openwrt/package/base-files/files/etc/init.d/sysfixtime for how it works. If this is available as a 'fallback', that's also not bad.

github-actions · 2026-04-03T18:03:32Z

Warning

Some formality checks failed.

Consider (re)reading submissions guidelines.

Failed checks

Issues marked with an ❌ are failing checks.

Commit `2bb8966`

🔶 Commit(ter) name must be either a real name 'firstname lastname' or a nickname/alias/handle
Actual: GitHub seems to be a nickname or an alias
Expected: a real name 'firstname lastname'

Commit `6dd1bea`

🔶 Commit(ter) name must be either a real name 'firstname lastname' or a nickname/alias/handle
Actual: GitHub seems to be a nickname or an alias
Expected: a real name 'firstname lastname'

For more details, see the full job log.

_{Something broken? Consider providing feedback.}

Tokisaki-Galaxy mentioned this pull request Jan 29, 2026

luci-base: add generic authentication plugin (login HOOK) #8281

Draft

8 tasks

This comment has been minimized.

Sign in to view

Neustradamus mentioned this pull request Jan 29, 2026

Feature request: Support for Passkey (WebAuthn) authentication in LuCI #8273

Closed

This comment was marked as outdated.

Sign in to view

Tokisaki-Galaxy changed the title ~~[WIP] luci-app-2fa: init checkin~~ luci-app-2fa: init checkin Feb 2, 2026

Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch 2 times, most recently from d55e8c5 to 0e97b5b Compare February 2, 2026 04:46

This comment has been minimized.

Sign in to view

Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch 2 times, most recently from fe02937 to bed757a Compare February 2, 2026 09:50

systemcrash mentioned this pull request Mar 16, 2026

plugin architecture #8430

Closed

10 tasks

Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch from bed757a to 325529e Compare March 31, 2026 14:52

Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch from 325529e to 6561e45 Compare March 31, 2026 14:54

This comment has been minimized.

Sign in to view

Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch from 6561e45 to ef1dfdd Compare April 1, 2026 11:45