Cloudron Forum

@james we already have --token (primarily meant for CI automation). It's not saved in the cloudron.json intentionally because long-lived tokens should ideally not get saved somewhere. With login, you get a temporary token that is stored in the cache file. I think maybe your point is that we should use API tokens to login in general? I wouldn't mind removing username/password based login entirely. The current auth mechanism of CLI bypasses all the OIDC security mechanisms . CLI tools like npm already now require auth on browser. I think we will move to this in coming releases. Technically, the CLI was not built for end users, it was only for app development. Not sure how many people this impacts. https://www.npmjs.com/package/cloudron does say ~400 a week....

At the bottom of the user edit dialog there is a section for this. If the user has 2fa enabled it would look like this: [image: 1677704070010-ba92d23e-ddaa-4850-bc1b-8078da14c862-image.png]

@zion please always provide context. As a reader I have to much space to interpret. Do you mean: private Cloudron Cloudron.io account A Cloudron App ?

@sufian-mughal Currently, this is not possible. This is because LDAP has no standard way of passing through LDAP information. That said, usually apps are able to enable 2FA independently of LDAP. This means that users manage 2FA inside the app instead of Cloudron - it works this way for GitLab/Gitea etc for example. For matrix, upstream is still working on it - https://github.com/matrix-org/matrix-spec-proposals/pull/1998

This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8

@LoudLemur I have seen this idea implemented on some services now. I guess this will only work for the Cloudron dashboard?

@atridad yes it does. If you run cloudron --help you can see the "global" options on the top, which apply also to subcommands.

@rohit507 Use https://docs.cloudron.io/user-management/#password-reset-ssh to create a one time password to login. Once you logged in, you can disable the 2FA and re-set it up.

@girish That's awesome, thank you. I was going to do it and post the screenshots here, but paused, not sure if even starting the process would "turn it on" and then what... This is super helpeful.

Tested and confirmed fixed - thanks!

@archos no worries glad you got that sorted out.

@girish thanks a lot, that sounds just right

@girish Thanks! - should have figured that out - didn't see the button

@alexdimarco Added for next release. [image: 1618511804107-27b68a07-8d7d-4715-a7cf-128adaf1dd60-image.png]

@privsec That is what I personally call computer vodoo

I will mark this as solved. LDAP standard hasn't moved to support 2FA and neither have apps settled on a pseudo standard. There is not much we can do.

@JOduMonT Thanks! merged, should be part of our next deploy.

This is implemented in 5.4