Hello! First off, big thanks to laurent for this amazing project. I've been running self-hosted Joplin for the better part of a year now, and it's everything I hoped it would be plus more.
Since I run a number of self-hosted services, security is obviously important to me. A lot of my services have native 2-factor authentication, but some of them don't -- including Joplin. This led me to an open source project called Authelia (https://www.authelia.com/docs/) that lets you layer 2FA on top of an existing web service using a reverse proxy.
However, for applications that use mobile apps (like Joplin), the layered 2FA messes up the app's authorization. Thankfully, Authelia lets you configure exclusion rules so that, for example, if a query comes in to https://service.domain.com it gets prompted for 2FA, but if it comes to https://service.domain.com/api, then it doesn't.
All that to say, is there documentation somewhere that describes the URL structure that Joplin mobile apps use when syncing with Joplin Server?
I want to add 2FA support at some point, but it would be, if possible, without relying on an intermediate server.
To login with Joplin Server, you post your credentials to /api/sessions and get back a session ID. So in my mind, with 2FA the flow would be like this:
Still post your credentials to /api/sessions
It responds with some 2FA challenge
The app posts the OTP
The server checks if the OTP is valid and return the session ID
And I hope that can be done without an extra reverse proxy. As to make it work with your particular setup I'm not sure. Perhaps look at the requests that the app is making, in particular the api/sessions calls, and filter based on this.
@laurent Glad to hear 2FA is in the works! I may take a peek at the requests, although at this point (especially if 2FA is already a desired feature), I've got Joplin and my other non-2FA applications secured behind a VPN. So it may be easier to just keep doing that.
@roman_r_m Thanks for the idea! However, my goal is to not have any service exposed to the Internet without 2FA, and obfuscating my Joplin server for mobile access doesn't fit my security requirements. It's a novel idea though!