a little cleanup after SSO merge (#6153)

* fix some typos

* rename scss variable to sso_enabled

* refactor is_mobile to device

* also mask sensitive sso config options

src/api/core/accounts.rs

@@ -342,11 +342,11 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co
     let mut user = headers.user;
 
     if user.private_key.is_some() {
-        err!("Account already intialized cannot set password")
+        err!("Account already initialized, cannot set password")
     }
 
-    // Check against the password hint setting here so if it fails, the user
-    // can retry without losing their invitation below.
+    // Check against the password hint setting here so if it fails,
+    // the user can retry without losing their invitation below.
     let password_hint = clean_password_hint(&data.master_password_hint);
     enforce_password_hint_setting(&password_hint)?;
 

src/api/core/organizations.rs

@@ -2310,7 +2310,7 @@ struct OrgImportData {
     users: Vec<OrgImportUserData>,
 }
 
-/// This function seems to be deprected
+/// This function seems to be deprecated
 /// It is only used with older directory connectors
 /// TODO: Cleanup Tech debt
 #[post("/organizations/<org_id>/import", data = "<data>")]

src/api/icons.rs

@@ -641,9 +641,9 @@ async fn stream_to_bytes_limit(res: Response, max_size: usize) -> Result<Bytes,
     let mut buf = BytesMut::new();
     let mut size = 0;
     while let Some(chunk) = stream.next().await {
-        // It is possible that there might occure UnexpectedEof errors or others
+        // It is possible that there might occur UnexpectedEof errors or others
         // This is most of the time no issue, and if there is no chunked data anymore or at all parsing the HTML will not happen anyway.
-        // Therfore if chunk is an err, just break and continue with the data be have received.
+        // Therefore if chunk is an err, just break and continue with the data be have received.
         if chunk.is_err() {
             break;
         }

src/api/identity.rs

@@ -293,7 +293,7 @@ async fn _sso_login(
         }
     };
 
-    // We passed 2FA get full user informations
+    // We passed 2FA get full user information
     let auth_user = sso::redeem(&user_infos.state, conn).await?;
 
     if sso_user.is_none() {
@@ -1060,12 +1060,12 @@ async fn oidcsignin_redirect(
     wrapper: impl FnOnce(OIDCState) -> sso::OIDCCodeWrapper,
     conn: &DbConn,
 ) -> ApiResult<Redirect> {
-    let state = sso::deocde_state(base64_state)?;
+    let state = sso::decode_state(base64_state)?;
     let code = sso::encode_code_claims(wrapper(state.clone()));
 
     let nonce = match SsoNonce::find(&state, conn).await {
         Some(n) => n,
-        None => err!(format!("Failed to retrive redirect_uri with {state}")),
+        None => err!(format!("Failed to retrieve redirect_uri with {state}")),
     };
 
     let mut url = match url::Url::parse(&nonce.redirect_uri) {

src/api/web.rs

@@ -61,7 +61,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
         "mail_enabled": CONFIG.mail_enabled(),
         "sends_allowed": CONFIG.sends_allowed(),
         "signup_disabled": CONFIG.is_signup_disabled(),
-        "sso_disabled": !CONFIG.sso_enabled(),
+        "sso_enabled": CONFIG.sso_enabled(),
         "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
         "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
     });

src/auth.rs

@@ -1174,7 +1174,7 @@ impl AuthTokens {
 
         let access_claims = LoginJwtClaims::default(device, user, &sub, client_id);
 
-        let validity = if DeviceType::is_mobile(&device.atype) {
+        let validity = if device.is_mobile() {
             *MOBILE_REFRESH_VALIDITY
         } else {
             *DEFAULT_REFRESH_VALIDITY

src/config.rs

@@ -283,6 +283,9 @@ macro_rules! make_config {
                     "smtp_host",
                     "smtp_username",
                     "_smtp_img_src",
+                    "sso_client_id",
+                    "sso_authority",
+                    "sso_callback_path",
                 ];
 
                 let cfg = {
@@ -1139,7 +1142,7 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
 
 fn validate_internal_sso_issuer_url(sso_authority: &String) -> Result<openidconnect::IssuerUrl, Error> {
     match openidconnect::IssuerUrl::new(sso_authority.clone()) {
-        Err(err) => err!(format!("Invalid sso_authority UR ({sso_authority}): {err}")),
+        Err(err) => err!(format!("Invalid sso_authority URL ({sso_authority}): {err}")),
         Ok(issuer_url) => Ok(issuer_url),
     }
 }

src/db/models/device.rs

@@ -70,6 +70,10 @@ impl Device {
     pub fn is_cli(&self) -> bool {
         matches!(DeviceType::from_i32(self.atype), DeviceType::WindowsCLI | DeviceType::MacOsCLI | DeviceType::LinuxCLI)
     }
+
+    pub fn is_mobile(&self) -> bool {
+        matches!(DeviceType::from_i32(self.atype), DeviceType::Android | DeviceType::Ios)
+    }
 }
 
 pub struct DeviceWithAuthRequest {
@@ -353,10 +357,6 @@ impl DeviceType {
             _ => DeviceType::UnknownBrowser,
         }
     }
-
-    pub fn is_mobile(value: &i32) -> bool {
-        *value == DeviceType::Android as i32 || *value == DeviceType::Ios as i32
-    }
 }
 
 #[derive(

src/db/models/group.rs

@@ -135,7 +135,7 @@ impl CollectionGroup {
         // If both read_only and hide_passwords are false, then manage should be true
         // You can't have an entry with read_only and manage, or hide_passwords and manage
         // Or an entry with everything to false
-        // For backwards compaibility and migration proposes we keep checking read_only and hide_password
+        // For backwards compatibility and migration proposes we keep checking read_only and hide_password
         json!({
             "id": self.groups_uuid,
             "readOnly": self.read_only,

src/sso.rs

@@ -151,7 +151,7 @@ fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenCla
     }
 }
 
-pub fn deocde_state(base64_state: String) -> ApiResult<OIDCState> {
+pub fn decode_state(base64_state: String) -> ApiResult<OIDCState> {
     let state = match data_encoding::BASE64.decode(base64_state.as_bytes()) {
         Ok(vec) => match String::from_utf8(vec) {
             Ok(valid) => OIDCState(valid),
@@ -316,7 +316,7 @@ pub async fn exchange_code(wrapped_code: &str, conn: &mut DbConn) -> ApiResult<U
         user_name: user_name.clone(),
     };
 
-    debug!("Authentified user {authenticated_user:?}");
+    debug!("Authenticated user {authenticated_user:?}");
 
     AC_CACHE.insert(state.clone(), authenticated_user);
 
@@ -443,7 +443,7 @@ pub async fn exchange_refresh_token(
                 err_silent!("Access token is close to expiration but we have no refresh token")
             }
 
-            Client::check_validaty(access_token.clone()).await?;
+            Client::check_validity(access_token.clone()).await?;
 
             let access_claims = auth::LoginJwtClaims::new(
                 device,

src/sso_client.rs

@@ -203,7 +203,7 @@ impl Client {
         }
     }
 
-    pub async fn check_validaty(access_token: String) -> EmptyResult {
+    pub async fn check_validity(access_token: String) -> EmptyResult {
         let client = Client::cached().await?;
         match client.user_info(AccessToken::new(access_token)).await {
             Err(err) => {

src/static/templates/scss/vaultwarden.scss.hbs

@@ -21,21 +21,21 @@ a[href$="/settings/sponsored-families"] {
 }
 
 /* Hide the sso `Email` input field */
-{{#if sso_disabled}}
+{{#if (not sso_enabled)}}
 .vw-email-sso {
   @extend %vw-hide;
 }
 {{/if}}
 
 /* Hide the default/continue `Email` input field */
-{{#if (not sso_disabled)}}
+{{#if sso_enabled}}
 .vw-email-continue {
   @extend %vw-hide;
 }
 {{/if}}
 
 /* Hide the `Continue` button on the login page */
-{{#if (not sso_disabled)}}
+{{#if sso_enabled}}
 .vw-continue-login {
   @extend %vw-hide;
 }
@@ -43,7 +43,7 @@ a[href$="/settings/sponsored-families"] {
 
 /* Hide the `Enterprise Single Sign-On` button on the login page */
 {{#if (webver ">=2025.5.1")}}
-{{#if sso_disabled}}
+{{#if (not sso_enabled)}}
 .vw-sso-login {
   @extend %vw-hide;
 }
@@ -71,7 +71,7 @@ app-root ng-component > form > div:nth-child(1) > div > button[buttontype="secon
 
 /* Hide the or text followed by the two buttons hidden above */
 {{#if (webver ">=2025.5.1")}}
-{{#if (or sso_disabled sso_only)}}
+{{#if (or (not sso_enabled) sso_only)}}
 .vw-or-text {
   @extend %vw-hide;
 }
@@ -83,7 +83,7 @@ app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-chi
 {{/if}}
 
 /* Hide the `Other` button on the login page */
-{{#if (or sso_disabled sso_only)}}
+{{#if (or (not sso_enabled) sso_only)}}
 .vw-other-login {
   @extend %vw-hide;
 }