API Key Access
Closed this issue · 8 comments
Hello,
I may be misunderstanding the current MFA token implementation, but when I set up MFA with Uptime Kuma and launch Autokuma, login works temporarily until the current MFA code expires, then I am no longer able to connect and start getting login errors.
Is it possible to use an API key to access Uptime Kuma continuously via Autokuma while having MFA enabled? Else, I'll disable MFA.
Thank you.
Hmm, you're right, in that case an MFA token doesn't really make sense. I'm not using the built-in authentication so I never bothered with it. Unfortunately the API keys in Uptime Kuma serve a different purpose, so I guess the only solution is to disable MFA.
Understood, thank you!
So no chance to get this working with built-in MFA?
The only way I see is to generate a new 2FA token from the secret for every login, so you'd have to give your 2FA secret to autokuma. Would this be an acceptable solution?
Might be far-fetched, but I have my 2FA codes in 1Password, and they have an API - maybe you can integrate with them and get the 2FA from there?
Hi @tomerh2001 this is already implemented in master by passing the token secret to autokuma (e.g. AUTOKUMA__KUMA__MFA_SECRET=JBSWY3DPEHPK3PXP). However there are some problems with this. Uptime Kuma uses TOTP tokens with a 30 second time step, i.e. you only get one token every 30 seconds, with each token only being usable once.
Considering AutoKuma by default tries to sync every 5 seconds, this leads to login failures, so you'll need to increase the sync interval to at least 30 seconds. Additionally, the tokens are shared with the WebUI login, so you'd need to increase the sync interval to at least 60 seconds to even get a chance at logging into the WebUI.
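The timing constraint described in the comment above, as an added example (not AutoKuma's or Uptime Kuma's code): an RFC 6238 TOTP generator plus a small model of a server that accepts each 30-second token only once, counting how many sync logins fail at a given interval and which time steps stay free for a WebUI login. The function names and the one-token-per-step server model are assumptions based on the thread's description; the secret is the example value quoted in the thread.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30                    # TOTP time step in seconds, as stated in the thread
SECRET = "JBSWY3DPEHPK3PXP"  # example secret quoted in the thread


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def simulate_sync(secret_b32: str, interval: int, duration: int, start: int = 0):
    """Model logins every `interval` seconds against a single-use-token server.

    Returns (accepted, rejected, free_steps); free_steps are the time steps
    the sync client never consumed, i.e. the ones left for a WebUI login.
    """
    consumed = {}  # time step -> token the server has already accepted
    accepted = rejected = 0
    for t in range(start, start + duration, interval):
        token = totp(secret_b32, t)
        if consumed.get(t // STEP) == token:
            rejected += 1  # same token as an earlier login in this step
        else:
            consumed[t // STEP] = token
            accepted += 1
    all_steps = range(start // STEP, (start + duration - 1) // STEP + 1)
    return accepted, rejected, [s for s in all_steps if s not in consumed]


if __name__ == "__main__":
    for interval in (5, 30, 60):
        print(interval, simulate_sync(SECRET, interval, duration=120))
```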
What I meant is that my password manager (1Password) can store OTP secrets and generate the temporary code by itself:
They also have an API where you can retrieve any value from them:
https://developer.1password.com/docs/connect/connect-api-reference/#get-item-details
So in theory, I could provide you with an API key to my 1Password and the name the credentials are stored under, and you could retrieve the OTP code by yourself.
Technically, this kind of integration could be an alternative to the username/password entirely, as you could retrieve them too from 1Password.
Just an idea though
I got that, you'd still be hit by the same limits though