What's new in Joplin 3.0

Joplin Server should support LDAP authentication. From a brief web search, some services (e.g. Cisco Duo) claim to support enabling MFA for apps that support LDAP authentication. Maybe it's possible to enable Joplin Server MFA with this?

Not sure that would work actually because there's no UI to input the MFA code. So even if the LDAP implementation supports MFA it won't be possible to pass it the code.

Or maybe with some trick, like appending the code to the password for example, provided the LDAP implementation can be scripted to handle this.
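To make the "append the code to the password" trick concrete, here is an added example (not Joplin Server code, and not how any particular LDAP server or Duo behaves) of what the receiving side would have to do: split the fixed-length TOTP code off the end of the submitted secret, verify the password half, and verify the code half against RFC 6238 TOTP with a small clock-drift window. The TOTP secret is the RFC 4226/6238 test-vector secret, the password, salt and PBKDF2 storage are constructed stand-ins, and `split_credential` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values, not from any real deployment. The TOTP secret is the
# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890", base32-encoded).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery staple"
TIME_STEP = 30
CODE_DIGITS = 6


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for however the real backend stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


DEMO_PASSWORD_HASH = hash_password(DEMO_PASSWORD)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def split_credential(combined: str, digits: int = CODE_DIGITS):
    """Split 'password<6 digits>' into (password, code); None if no code is appended.

    The split is positional, so a password that itself ends in digits is fine.
    """
    if len(combined) <= digits:
        return None
    password, code = combined[:-digits], combined[-digits:]
    if not code.isdigit():
        return None
    return password, code


def verify(combined: str, password_hash: bytes, secret_b32: str, unix_time: int,
           window: int = 1) -> bool:
    """Check password and TOTP together; accept +/- `window` time steps of clock drift.

    Both halves are always checked so a wrong password does not short-circuit
    and reveal, via timing, whether the password half was correct.
    """
    parts = split_credential(combined)
    if parts is None:
        return False
    password, code = parts
    password_ok = hmac.compare_digest(hash_password(password), password_hash)
    secret = base64.b32decode(secret_b32)
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives code 287082 for this secret.
    print(verify(DEMO_PASSWORD + "287082", DEMO_PASSWORD_HASH, DEMO_SECRET_B32, 59))
```

Two caveats a deployment would still need to handle: a code that was already accepted remains valid for the rest of its window unless the server remembers the last-used time step, and the scheme only works because the code has a fixed length, so the server can split the submitted string without any separator.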

I fully agree the threat model is different for small vs. huge systems, but it is different from the "service" point of view.

This is not true, because attacks on a centralized application with the goal of accessing the data of all users will focus on generic issues rather than single accounts (e.g. brute force attacks). Such attacks are more frequent on centralized services and less common on small instances.

MFA doesn't protect against application issues; it only protects against attacks on a single account's credentials, e.g. "password spraying" or "credential stuffing", and this protection is completely unrelated to whether your account is hosted at home or on a big cloud instance.

It works to some degree. For Joplin Server it might work somewhat, but this approach fails for Nextcloud and other services where you want to share data outside of your bubble. VPN adds more complexity and many operational issues. It works if you live in the good old 20th century but fails in today's always-connected world.

I'm self-hosting Joplin Server, Nextcloud, Jellyfin, Keycloak, Zitadel and other services because I can. Likely it would cost less effort and maybe less money to use a hosted service, but I don't like vendor lock-in; nobody knows how long you are committed to providing your cloud service, despite the fact that nobody offers all these services, and managing multiple hosting providers is complex as well.

There are marketing reasons to limit features like MFA to a paid cloud instance, but these reasons are not security or requirements. The only legitimization for such a cut on an OSS application is the desire to sell "premium" features of the hosted service. If this is the reason I can live with it and somewhat understand it, but please speak clear language: if you are after the money, OK, bad for the users but good for the community. If you are a good open source guy, tell us what you need to add this high-value feature to self-hosted Joplin Server.

PS:

LDAP is related to SSO but it doesn't address MFA (not part of the protocol), nor does it protect against the before-mentioned attacks. It makes some things easier but still doesn't provide modern account protection.

3 Likes
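The post above names the attacks MFA does address: password spraying, credential stuffing and brute force against single accounts. As an added example (not part of the post and not Joplin Server's logging or code), here is detection logic for those three patterns run over constructed authentication log lines. The `login_failed ... user= ip=` line format, the addresses, and the window and threshold values are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "login_failed/login_ok user= ip=" format.
# They are not Joplin Server's real log output; addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:02Z login_failed user=bob ip=203.0.113.5
2024-05-01T10:00:03Z login_failed user=carol ip=203.0.113.5
2024-05-01T10:00:04Z login_failed user=dave ip=203.0.113.5
2024-05-01T10:00:05Z login_failed user=erin ip=203.0.113.5
2024-05-01T10:01:00Z login_failed user=frank ip=198.51.100.1
2024-05-01T10:01:01Z login_failed user=grace ip=198.51.100.2
2024-05-01T10:01:02Z login_failed user=heidi ip=198.51.100.3
2024-05-01T10:01:03Z login_ok user=ivan ip=198.51.100.4
2024-05-01T10:02:00Z login_failed user=mallory ip=192.0.2.9
2024-05-01T10:02:05Z login_failed user=mallory ip=192.0.2.9
2024-05-01T10:02:10Z login_failed user=mallory ip=192.0.2.9
2024-05-01T10:02:15Z login_failed user=mallory ip=192.0.2.9
2024-05-01T10:02:20Z login_failed user=mallory ip=192.0.2.9
2024-05-01T10:30:00Z login_failed user=alice ip=192.0.2.50
2024-05-01T10:30:10Z login_ok user=alice ip=192.0.2.50
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(log_text):
    """Return (timestamp, outcome, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def failures(events):
    return [e for e in events if e[1] == "login_failed"]


def detect_spraying(events, window=WINDOW, min_users=4):
    """Password spraying: one source IP failing against many distinct accounts."""
    flagged = set()
    fails = failures(events)
    for ts, _, _, ip in fails:
        users = {u for t, _, u, i in fails if i == ip and ts <= t <= ts + window}
        if len(users) >= min_users:
            flagged.add(ip)
    return sorted(flagged)


def detect_bruteforce(events, window=WINDOW, min_attempts=5):
    """Brute force: one source IP repeatedly failing against one account."""
    flagged = set()
    fails = failures(events)
    for ts, _, user, ip in fails:
        n = sum(1 for t, _, u, i in fails
                if (u, i) == (user, ip) and ts <= t <= ts + window)
        if n >= min_attempts:
            flagged.add((user, ip))
    return sorted(flagged)


def detect_stuffing(events, window=WINDOW, min_ips=3):
    """Credential stuffing: a burst of one-shot failures, each from its own IP.

    Heuristic only: a few unrelated users mistyping at the same moment looks
    identical, so treat this as a signal to correlate, not a verdict.
    """
    fails = failures(events)
    per_ip = Counter(ip for _, _, _, ip in fails)
    singles = [e for e in fails if per_ip[e[3]] == 1]
    flagged = set()
    for ts, _, _, _ in singles:
        burst = {ip for t, _, _, ip in singles if ts <= t <= ts + window}
        if len(burst) >= min_ips:
            flagged.update(burst)
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("spraying:", detect_spraying(evts))
    print("brute force:", detect_bruteforce(evts))
    print("stuffing:", detect_stuffing(evts))
```

The point of the example is the mitigation side of the argument: all three patterns succeed only when a correct password alone completes the login, which is exactly what a second factor removes, independently of where the server runs. Alice's lone failure at 10:30 followed by a success is the benign case the thresholds are meant to ignore.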

Supporting MFA, or any feature, on Joplin Server means additional work to document, maintain and provide support for the feature. It's not something free as you seem to be saying.

Well it would be free for you, because someone else would be doing all the work.

2 Likes

Completely agree here -- if MFA support is added to joplin-server I will enable it IMMEDIATELY

I don't put anything I wouldn't be fine with the world seeing (or me losing) in Joplin because it's one admin page login away from disaster... (actually, I should check to see if the login page has anything about rate limiting etc.)

I didn't configure a mail server so at least I can control the password complexity of all users...

1 Like

This is understandable of course, always a trade-off. Just disagreeing, as I said above, that it is not a useful/meaningful feature. Obviously up to you if it's not possible for the reasons you said.

Also, I was curious -- is there a place you prefer to get donations? I won't do PayPal, and I don't know what Liberapay is, but in general want to know where you get a better cut etc. etc.

I do disagree, but I'm curious what the reasons are that you would prefer a self-signed cert over an "official" one. I know security is the same from the technical point of view, but the management of a self-signed cert (CA) is a nightmare and I don't see any advantage of this added operational complexity.

1 Like

As I wrote in my post - maybe not clearly enough - I understand (somewhat) if you want to keep your cloud offer superior to the free server. This is not totally wrong, as everybody needs some source of income, but please don't tell people they don't need it or that there is no value in this feature, especially as this is not true. Be transparent: show the price tag for such a feature and explain if/how people could fund it. I'm willing to spend some $ on the feature as well (kudos to @ragekage).

2 Likes

The same reason any company's IT department operates as their own certificate authority. Or, at least they should. Why do they do this? Because it's more secure.

Now, I use Joplin Cloud. I live with the fact that my data, though encrypted, and traveling over an encrypted network, is more exposed. I make a judgement on how exposed I think I am and what data I can risk. Adding MFA to the process is certainly a better step forward regardless.

Is being your own CA a nightmare? No. But it's not for casual folks to tackle, as I mentioned in my comment. It's not rocket science, but it's also not trivial.

The same holds true for managing ssh login permissions, root access, what IPs even have any ability to connect, etc.

I.e. if you self-host a server that hosts data, either the data needs to be non-sensitive or you need to be serious about securing and maintaining that server properly. Or both.

I know how to properly lock down a server, but I still use Joplin Cloud and make appropriate compromises. I'm glad MFA was added.

I'm using Joplin across several Mac, Linux and Android devices with the storage synced via Nextcloud. Today I'm getting a message on one of my Linux machines that in order to sync I have to upgrade the application to version 3.0.0+. I assume that this is because I upgraded the client on one of my other machines (probably a Mac) and that triggered an upgrade of the storage format? The package manager in Linux Mint does not yet have version 3.0, so it seems that I'm stuck with respect to sync on all my Linux machines unless I want to install Joplin in a different manner?

Also! I want to cheer about the new columns for notes lists! I can now have a column for Created date! What's missing now is for search results to be sorted by the "Created" column. This is the feature in Joplin that I've been waiting years for! (And you must admit that it's entirely unintuitive that there can be a 'Created' column for search results complete with a down/up caret but the results do not change their sort when that caret is clicked back and forth...)

Hello,
I have installed the latest version. However, the note list with multiple columns function is not available. If the corresponding plugin has to be installed first: where can I find it? Thanks for the help.

Click View > Note list style > Detailed to use the note list with multiple columns.

Solved, thanks

How do you add columns to the note list? I'm on Windows, using 3.0.13, and it just looks like the old list. No column heading. No obvious way to add a column.

Unsortable search results are frequently very annoying for me. Probably my most common search is for the latest note which matches the search criteria. Or maybe the 3rd last, or whatever. Having them in a non-chronological order means the latest note could be anywhere in the list. Very very frustrating. Sometimes 'relevance' order is useful, but rarely WHEN YOU ARE SEARCHING YOUR OWN DATA. It's much more useful when searching the web.

Why not simply provide a view property to allow the result list to be either in relevance order or in the order of the new multi column list? I would switch off relevance immediately and probably never turn it on again.

2 Likes

I think it's View - Note list style - Detailed

1 Like

I agree with this. "We impose the SSO tax to get more funding/users" is fine, but "who would ever care about your data anyway?" is misleading and mostly not true.
After any app reaches a significant user base size, the first time there's a significant security issue we might see anyone doing automated scans of the net for Joplin Server instances and stealing what they can.

2 Likes

When I asked about this a few years back, the answer was GitHub Sponsorship. Might have changed since then, I dunno.