[SIP-175] TOTP Authentication for Login
Motivation
Apache Superset currently supports database logins (`AUTH_DB`) and external identity providers (LDAP, OAuth, SAML, etc.). It does not offer native two-factor authentication (2FA).
Adding TOTP (Time-based One-Time Password) support will:
- Strengthen security for self-hosted deployments that lack SSO
- Align Superset with industry standards (Google Authenticator, Authy, Microsoft Authenticator, etc.)
- Reduce risk associated with password-only authentication
Proposed Change
- Database
  - Add a nullable `totp_secret` column to the `ab_user` table.

```python
# Alembic migration: upgrade() adds the per-user TOTP secret column
from alembic import op
import sqlalchemy as sa


def upgrade():
    op.add_column(
        "ab_user",
        sa.Column("totp_secret", sa.String(length=255), nullable=True),
    )


def downgrade():
    op.drop_column("ab_user", "totp_secret")
```
- Login Flow
  - Extend `AuthDBView` and `AuthLDAPView`:
    - After username/password succeeds, check `totp_secret`.
    - If `None`, redirect to `/totp-enroll`:
      - Generate `totp_secret` with `pyotp.random_base32()`
      - Display QR code for enrollment
    - Otherwise, redirect to `/totp-verify` to validate the OTP
- Templates
  - `totp_enroll.html` – shows QR and first-time OTP entry
  - `totp_verify.html` – OTP form on every login
- Admin Reset (Optional)
  - Add a Reset TOTP bulk action in Security → List Users, which can be implemented
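To make the enroll/verify split concrete, here is an added example (not Superset or pyotp code) that implements RFC 6238 TOTP with the standard library only, showing what `/totp-enroll` generates and what `/totp-verify` has to check: a small clock-drift window, rejection of an already-used time step, and a constant-time comparison. The `last_counter` per-user state, the function names and the `Superset` issuer label are assumptions for illustration.

```python
# Added example, not Superset or pyotp code: stdlib RFC 6238 TOTP mirroring the
# /totp-enroll and /totp-verify steps above. Names and defaults are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds per time step; RFC 6238 default, same as pyotp
DIGITS = 6


def random_base32(length: int = 32) -> str:
    """Enrollment: fresh secret for ab_user.totp_secret (cf. pyotp.random_base32())."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provisioning_uri(secret: str, username: str, issuer: str = "Superset") -> str:
    """otpauth:// URI that the enrollment QR code (totp_enroll.html) encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(username)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def totp_at(secret: str, counter: int) -> str:
    """HOTP(K, C) per RFC 4226 with C = floor(unix_time / STEP), i.e. TOTP."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: str, code: str, now: int, last_counter: int, window: int = 1):
    """Server side of /totp-verify: accept +/-`window` steps of clock drift, but
    never a step at or below `last_counter` (the last step already accepted,
    persisted per user), so a code seen once cannot be reused inside the window.
    Returns (accepted, new_last_counter)."""
    counter = now // STEP
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(totp_at(secret, c), code):
            return True, c
    return False, last_counter


# RFC 6238 Appendix B test key (ASCII "12345678901234567890"); at T=59 the
# 6-digit SHA-1 TOTP is 287082.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```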
New or Changed Public Interfaces
Interface | Change
---|---
DB (`ab_user`) | Adds `totp_secret` column
Views | New routes: `/totp-enroll`, `/totp-verify`
Admin UI | Optional reset action in `UserDBModelView`
New Dependencies
Package | Purpose | License | Maintained
---|---|---|---
pyotp | TOTP generation and verification | MIT | :white_check_mark:
qrcode | Generate QR codes for the secret | BSD | :white_check_mark:
Migration Plan & Compatibility
- One Alembic migration adds the new column
- Existing users are unaffected unless they opt in