luci-plugin-2fa: init checkin

[Tokisaki-Galaxy]

• This PR is not from my main or master branch 💩, but a separate branch ✅
• Each commit has a valid ✒️ Signed-off-by: <my@email.address> row (via git commit --signoff)
• Each commit and PR title has a valid 📝 <package name>: title first line subject for packages
• (N/A) Incremented 🆙 any PKG_VERSION in the Makefile
• Tested on: (architecture, openwrt version, browser) ✅
• ( Preferred ) Screenshot or mp4 of changes:
• ( Optional ) Closes:
  [POC,WIP] Implement 2-Factor Authentication with TOTP or HOTP #7069
  Feature request: Support for Passkey (WebAuthn) authentication in LuCI #8273
• ( Optional ) Depends on: openwrt/luci luci-base: add generic authentication plugin (login HOOK) #8281
• Description: (describe the changes proposed in this PR)

2026-02-04.180055.mp4

the app must changed LuCI core file because:

• No hook point exists between password verification and session creation
• External packages cannot inject authentication logic
• No plugin discovery mechanism in the original code

---

Security Measures

Constant-time string comparison to prevent timing attacks
Username sanitization to prevent command injection
Array-based popen to prevent shell injection
OTP format validation (exactly 6 digits)
Session destroyed if 2FA verification fails
Uses authenticated session username to prevent bypass attacks

origin repo https://github.com/Tokisaki-Galaxy/luci-app-2fa

[Neustradamus]

@Tokisaki-Galaxy: Nice, good job!

Do not forget to solve:

🔶 Author name (Tokisaki-Galaxy) seems to be a nickname or an alias
🔶 Committer name (Tokisaki-Galaxy) seems to be a nickname or an alias

[stangri]

Looks very polished @Tokisaki-Galaxy!

Does this use TOTP? If the OpenWrt device doesn't have RTC and is offline or generally doesn't have correct time, does SSH become the only option to login?

Is there a README/instructions (ideally a hint on failed attempt) on how to disable 2FA from SSH/CLI for people who may be locked out of WebUI and can't read code ahead of time?

[Tokisaki-Galaxy]

@stangri

Please refer to the newly added video at the top of the description section for details.

The plugin can choose either TOTP or HOTP, but TOTP is recommended.
For RTC clock that is not synchronized (for example, the year is 1970), users can choose the 2fa behavior (strict mode) through options. By default, LAN areas are allowed to bypass 2FA for login, while non-LAN areas are prohibited. It can be configured to allow anyone to bypass 2FA for login.

Regarding the documentation for SSH/CLI, I'm not quite sure where it should be placed. Should it be directly included in the web UI? But if users don't read it carefully, they might not be able to log in and it would be impossible to see the result. Do you have any suggestions?

Previously, it was planned to add backup code, but this was abandoned because it would cause the bitward auto-fill function to become unusable and the complexity would be too high.

[systemcrash]

@Tokisaki-Galaxy let's see whether the plugin structure needs some modifications to handle 2FA stuff.

[Tokisaki-Galaxy]

@systemcrash
branch have update

[Tokisaki-Galaxy]

Refactored generate_otp.uc to leverage ucode native modules and built-in features. replaces the manual implementations, improving performance

[systemcrash]

OK - thanks for your patience. This is looking good now. LGTM.

[Tokisaki-Galaxy]

Thank you so much for your patience and thorough review!
To be honest, I’m truly grateful—this is the first time I’ve had someone review my PRs with such care and provide such constructive feedback.

As a non-CS university student with no professional work experience yet, I’ve learned a lot through this process. This project has given me my first real taste of large-scale team collaboration, and your guidance has been invaluable in helping me improve.
Thank you again for your time and for helping me grow!

[systemcrash]

To highlight that this is a plugin, how about naming it luci-plugin-2fa?

[Tokisaki-Galaxy]

great! I have rename and rebase commit

[Tokisaki-Galaxy]

sorry, I forget edit Makefile, have rename and update URL ***@***.***  

…

------------------ Original ------------------ From: "openwrt/luci" ***@***.***>; Date: Tue, Apr 7, 2026 09:18 PM ***@***.***>; ***@***.******@***.***>; Subject: Re: [openwrt/luci] luci-app-2fa: init checkin (PR #8280) @systemcrash commented on this pull request. In plugins/luci-plugin-2fa/Makefile: > @@ -0,0 +1,23 @@ +# +# Copyright (C) 2026 tokisaki galaxy ***@***.***> +# Copyright (C) 2024 Christian Marangi ***@***.***> +# +# This is free software, licensed under the Apache License, Version 2.0. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=luci-app-2fa Here also :) — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[systemcrash]

OK - let's see how it works :)

[Tokisaki-Galaxy]

Thank you very much!

[Neustradamus]

@Tokisaki-Galaxy: Thanks for your good work and thanks to @systemcrash for merging!

[github-actions]

Warning

Some formality checks failed.

Consider (re)reading submissions guidelines.

Failed checks

Issues marked with an ❌ are failing checks.

Commit 1833462

• 🔶 Commit(ter) name must be either a real name 'firstname lastname' or a nickname/alias/handle
  Actual: GitHub seems to be a nickname or an alias
  Expected: a real name 'firstname lastname'

For more details, see the full job log.

_{Something broken? Consider providing feedback.}