pasu

Self-hosted TOTP authenticator PWA with FIDO2 (WebAuthn)


Features

  • 2FA secrets are stored on your own server instead of on your own device
  • Codes are generated on the server side and pushed to all clients via server-sent events
  • Installable PWA
  • Either: allow others to access the OTP codes of your accounts (the default, public mode)
  • Or: secured by FIDO2 (WebAuthn)
  • Supports password-less login via fingerprint / TouchID / Windows Hello / YubiKey / PIN code through FIDO2
  • User-Agent block list
  • IP block list

Note: FIDO2 (WebAuthn) is not enabled on the demo server

Warning

This PWA is open to the public by default (when ENABLE_FIDO2 is not set).
Everyone who can reach the server is able to read your OTP codes. Do not use it for any serious business.
The author does not bear any losses caused by this app.

Demo

https://user-images.githubusercontent.com/1979746/174453876-f4d81b10-bf43-41b9-b135-442b68234660.mp4

Getting Started

Prerequisites: nodejs >= 16

git clone https://github.com/soruly/pasu.git
cd pasu
npm install
node server.js

Note: Service workers (needed for the PWA) and WebAuthn only work in a secure context, so you must host the server behind a reverse proxy (like nginx) that terminates HTTPS

Example nginx config (nginx terminates HTTPS; the app itself listens on plain HTTP at 127.0.0.1:3000):

location / {
  proxy_http_version 1.1;            # required for the Upgrade/Connection headers below to take effect
  proxy_set_header Host $host;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_buffering off;               # needed for server-sent events, otherwise nginx buffers the stream
  proxy_cache off;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_pass http://127.0.0.1:3000;
}

Environment Variables

  • Copy .env.example to .env
  • Edit .env as you need
SERVER_PORT=3000        # (optional) Default: 3000
SERVER_ADDR=127.0.0.1   # (optional) Default: 127.0.0.1
SERVER_NAME=localhost   # the app doesn't work without HTTPS, so this must be the real hostname clients use
#BLACKLIST_UA=Bot|MSIE|Bytespider|Baidu|Sogou|FB_AN|FB_IOS|FB_IAB|Instagram
#WHITELIST_COUNTRY=ZZ|HK|TW
#GEO_LITE_COUNTRY_PATH=/etc/GeoIP/GeoLite2-Country.mmdb
#GEO_LITE_ASN_PATH=/etc/GeoIP/GeoLite2-ASN.mmdb
#ENABLE_FIDO2=1          # when ENABLE_FIDO2 is not set (default), the server is public
#ALLOW_REGISTER=1        # when ALLOW_REGISTER is not set (default), no new devices can be registered

To register a new device with WebAuthn, turn on both ENABLE_FIDO2 and ALLOW_REGISTER, then visit https://your.server/reg to continue. Turn ALLOW_REGISTER off again when it is not needed, so that the /reg endpoint cannot be used to enroll further devices.

Run by pm2

You can also use pm2 to run this in the background.

Use below commands to start / restart / stop server.

npm run start
npm run stop
npm run reload
npm run restart
npm run delete