Feature Request: Mandatory Two-Factor Authentication
Problem Statement
Currently, 2FA (TOTP, Email OTP, and FIDO devices) is available in Kitsu/Zou but can only be enabled on a per-user basis. There is no way to enforce 2FA as a mandatory security requirement for all users in an organization.
For security-conscious deployments, especially in production environments or organizations with strict security policies, it would be valuable to have the ability to require all users to enable 2FA before they can access the system.
Proposed Solution
Add an environment variable (e.g., REQUIRE_2FA=True) that can be set in the .env file to enforce mandatory 2FA for all users.
Suggested behavior when enabled:
- New users should be prompted to set up 2FA during their first login
- Existing users without 2FA should be redirected to set it up on their next login
- Users should not be able to access the system until 2FA is configured
- Optionally, allow administrators to exempt specific users (e.g., service accounts)
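The enforcement logic the four points above describe, as an added example that is not part of this request or of the Zou code base: it reads the proposed REQUIRE_2FA and 2FA_EXEMPT_USERS settings, decides per request whether a user may proceed or must be sent to 2FA setup, and keeps the setup and logout routes reachable so that a user who is required to enrol is not locked out of the very page that enrols them. The route paths in SETUP_ALLOWLIST are assumed placeholders, not Zou's real endpoints.

```python
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional


def _parse_bool(value: Optional[str]) -> bool:
    # Accept the truthy spellings commonly found in .env files.
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}


def _parse_exempt_list(value: Optional[str]) -> FrozenSet[str]:
    # Comma-separated e-mails; tolerate spaces and mixed case, drop empties.
    return frozenset(
        item.strip().lower() for item in (value or "").split(",") if item.strip()
    )


@dataclass(frozen=True)
class TwoFactorPolicy:
    """Site-wide 2FA requirement built from environment variables."""

    required: bool = False
    exempt_users: FrozenSet[str] = frozenset()

    @classmethod
    def from_env(cls, env: Optional[Mapping[str, str]] = None) -> "TwoFactorPolicy":
        # Names follow the proposal in the request; a dotenv loader can set
        # 2FA_EXEMPT_USERS even though POSIX shells reject names starting with a digit.
        env = os.environ if env is None else env
        return cls(
            required=_parse_bool(env.get("REQUIRE_2FA")),
            exempt_users=_parse_exempt_list(env.get("2FA_EXEMPT_USERS")),
        )

    def decide(self, email: str, has_2fa: bool) -> str:
        """Return 'allow' or 'setup_2fa' for a logged-in user."""
        if not self.required or has_2fa:
            return "allow"
        if email.strip().lower() in self.exempt_users:
            return "allow"  # e.g. a service account listed in 2FA_EXEMPT_USERS
        return "setup_2fa"


# Assumed route prefixes that must stay reachable without 2FA; otherwise a user
# redirected to enrolment could never load the enrolment page or log out.
SETUP_ALLOWLIST = ("/auth/totp", "/auth/email-otp", "/auth/fido", "/auth/logout")


def route_decision(policy: TwoFactorPolicy, email: str, has_2fa: bool, path: str) -> str:
    """Per-request hook: allow setup routes, otherwise apply the policy."""
    if any(path == p or path.startswith(p + "/") for p in SETUP_ALLOWLIST):
        return "allow"
    return policy.decide(email, has_2fa)


if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    policy = TwoFactorPolicy.from_env(
        {"REQUIRE_2FA": "True", "2FA_EXEMPT_USERS": "service-account@example.com, api-user@example.com"}
    )
    print(route_decision(policy, "alice@example.com", False, "/api/projects"))  # setup_2fa
    print(route_decision(policy, "alice@example.com", False, "/auth/totp"))     # allow
    print(route_decision(policy, "Service-Account@example.com", False, "/api/projects"))  # allow
```

With REQUIRE_2FA unset the policy is inert, which preserves the backward-compatible default the request asks for; the exemption match is case-insensitive because e-mail addresses are usually stored lower-cased, and every deny decision is a redirect to setup rather than a hard error so the existing-user flow in the list above works on the next login.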
Configuration Example
# .env file
REQUIRE_2FA=True
# Optional: comma-separated list of user emails exempt from 2FA requirement
2FA_EXEMPT_USERS=service-account@example.com,api-user@example.com

Use Cases
- Compliance requirements: Organizations subject to security regulations (SOC 2, ISO 27001, etc.)
- Production deployments: Studios handling sensitive or proprietary content
- Remote teams: Enhanced security for distributed teams accessing the system from various locations
- Data protection: Additional layer of security for projects with confidential information
Benefits
- Improved security posture for organizations using Kitsu/Zou
- Flexibility through environment variable configuration (Docker-friendly)
- Maintains backward compatibility (disabled by default)
- Aligns with industry best practices for authentication
Related Work
- PR #982: Added TOTP and Email OTP support
- PR #992: Added FIDO device support
Additional Context
This feature would be particularly valuable for Docker-based deployments where configuration is managed through environment variables, making it easy for system administrators to enforce security policies without modifying code.
Thank you for considering this feature request!