TOTP has security vulnerabilities.

[MyTkme]

Description

There is a security risk with TOTP. I have bound my mobile authenticator to the server-side instance of triliumnext/trilium:v0.102.2. The web interface does require both a password and TOTP to log in, which helps prevent security issues.
However, when the Trilium desktop client connects to the server, it can synchronize all data simply by entering the server URL. No TOTP code is requested, no password verification is shown, and all data is synchronized directly. This is insecure.
If used over the public network, there is no security at all. Anyone can use the client to steal all server data directly. Furthermore, an attacker can clear their local data and then sync with the server, resulting in complete data loss on the server.
Suggestions:
Require password + TOTP authentication on the first sync after the client is opened. Once verified, the client should not ask for re-authentication unless the app is closed, quit, and restarted to sync data again.
Add brute-force protection to the login page, with a login delay after consecutive incorrect password or TOTP attempts.

TriliumNext Version

v0.102.2

What operating system are you using?

Windows

What is your setup?

Local + server sync

Operating System Version

linux

Error logs

No response

[perfectra1n]

Hey @MyTkme,

However, when the Trilium desktop client connects to the server, it can synchronize all data simply by entering the server URL.

When a client first sets up synchronization with a server - it requires the server's password to sync with it. Is that not what you're experiencing? I understand that the TOTP isn't required to set up synchronization between a client and server, but it absolutely does require a password.

[MyTkme]

Hey @MyTkme,

However, when the Trilium desktop client connects to the server, it can synchronize all data simply by entering the server URL.

When a client first sets up synchronization with a server - it requires the server's password to sync with it. Is that not what you're experiencing? I understand that the TOTP isn't required to set up synchronization between a client and server, but it absolutely does require a password.

Hello.
I have retested Trilium Notes.When launching the Windows application for the initial first time, a password is required to connect to the server. However, no verification code is requested even with TOTP authentication enabled, which makes me concerned about potential brute-force attacks.
My previous question was incorrect. After entering the password to connect to the server for the first time in Trilium Notes, the client will no longer need a password. Afterwards, users can perform full data clearing and full export to wipe all server data directly. I always feel that this full-clear synchronization operation is very risky. Could you please add a recycle bin or data recovery function?
In addition, there is a bug when entering the wrong password. The prompt in the window will shift the input content downwards. The scrollbar and window cannot be dragged, causing the input box to be hidden. Users can only close and reopen the program to fix it.
Thank you very much.

[perfectra1n]

The login endpoint is rate limited.

I'm confused about your second question:

After entering the password to connect to the server for the first time in Trilium Notes, the client will no longer need a password. Afterwards, users can perform full data clearing and full export to wipe all server data directly. I always feel that this full-clear synchronization operation is very risky.

Users can of course delete all their Notes, but I'm confused with what you're trying to get across...are you saying that if you synchronize ClientA with ServerA, and then change the sync URL in ClientA to be ServerB, that you're concerned that it'll conflict with ServerB's data?

Thanks for highlighting that third issue :)

[Gouou7]

Yes, I’ve encountered this issue as well. Even with TOTP enabled, I can still log in and sync via the desktop client (macOS 0.102.2) without being prompted for a 2FA code. It seems the client effectively bypasses this security layer, making TOTP redundant.

Furthermore, the current server-side authentication logic feels a bit counterintuitive. It is strictly tied to the note database encryption key, yet the client doesn't support "remembering" the password long-term. This means I have to manually enter the password every single time I access an encrypted note.

When a server is exposed to the public internet, using a password that’s too simple poses a significant security risk; however, if the password is too complex, as mentioned above, you have to enter it every single time you view an encrypted note!
Huge thanks to the developers for your hard work! I really hope this issue can be addressed.

[MyTkme]

The login endpoint is rate limited.

I'm confused about your second question:

After entering the password to connect to the server for the first time in Trilium Notes, the client will no longer need a password. Afterwards, users can perform full data clearing and full export to wipe all server data directly. I always feel that this full-clear synchronization operation is very risky.

Users can of course delete all their Notes, but I'm confused with what you're trying to get across...are you saying that if you synchronize ClientA with ServerA, and then change the sync URL in ClientA to be ServerB, that you're concerned that it'll conflict with ServerB's data?

Thanks for highlighting that third issue :)

Hello.
You are correct: the server password is required when the client synchronizes with the server for the first time.
My previous explanation was wrong. I claimed that the Trilium desktop client only needs the server URL to connect to the server and synchronize all data. That statement was inaccurate. I have retested the process and confirmed that a password is indeed required for the initial synchronization, and the system is working correctly.
Additionally, I personally feel that this full wipe and full import synchronization method carries relatively high data risk. Would it be possible to add a recycle bin and data recovery function in future updates?
Thank you very much.