mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Fix 2fa recovery endpoint (#6240)
The newer web-vaults handle the 2fa recovery code differently. This commit fixes this by adding this new flow. Fixes #6200 Fixes #6203 Signed-off-by: BlackDex <black.dex@gmail.com>
This commit is contained in:
		
				
					committed by
					
						 GitHub
						GitHub
					
				
			
			
				
	
			
			
			
						parent
						
							5a8736e116
						
					
				
				
					commit
					7cc4dfabbf
				
			| @@ -267,7 +267,7 @@ async fn _sso_login( | |||||||
|         } |         } | ||||||
|         Some((mut user, sso_user)) => { |         Some((mut user, sso_user)) => { | ||||||
|             let mut device = get_device(&data, conn, &user).await?; |             let mut device = get_device(&data, conn, &user).await?; | ||||||
|             let twofactor_token = twofactor_auth(&user, &data, &mut device, ip, client_version, conn).await?; |             let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?; | ||||||
|  |  | ||||||
|             if user.private_key.is_none() { |             if user.private_key.is_none() { | ||||||
|                 // User was invited a stub was created |                 // User was invited a stub was created | ||||||
| @@ -431,7 +431,7 @@ async fn _password_login( | |||||||
|  |  | ||||||
|     let mut device = get_device(&data, conn, &user).await?; |     let mut device = get_device(&data, conn, &user).await?; | ||||||
|  |  | ||||||
|     let twofactor_token = twofactor_auth(&user, &data, &mut device, ip, client_version, conn).await?; |     let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?; | ||||||
|  |  | ||||||
|     let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id); |     let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id); | ||||||
|  |  | ||||||
| @@ -658,7 +658,7 @@ async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> ApiRe | |||||||
| } | } | ||||||
|  |  | ||||||
| async fn twofactor_auth( | async fn twofactor_auth( | ||||||
|     user: &User, |     user: &mut User, | ||||||
|     data: &ConnectData, |     data: &ConnectData, | ||||||
|     device: &mut Device, |     device: &mut Device, | ||||||
|     ip: &ClientIp, |     ip: &ClientIp, | ||||||
| @@ -723,7 +723,6 @@ async fn twofactor_auth( | |||||||
|         Some(TwoFactorType::Email) => { |         Some(TwoFactorType::Email) => { | ||||||
|             email::validate_email_code_str(&user.uuid, twofactor_code, &selected_data?, &ip.ip, conn).await? |             email::validate_email_code_str(&user.uuid, twofactor_code, &selected_data?, &ip.ip, conn).await? | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         Some(TwoFactorType::Remember) => { |         Some(TwoFactorType::Remember) => { | ||||||
|             match device.twofactor_remember { |             match device.twofactor_remember { | ||||||
|                 Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => { |                 Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => { | ||||||
| @@ -737,6 +736,22 @@ async fn twofactor_auth( | |||||||
|                 } |                 } | ||||||
|             } |             } | ||||||
|         } |         } | ||||||
|  |         Some(TwoFactorType::RecoveryCode) => { | ||||||
|  |             // Check if recovery code is correct | ||||||
|  |             if !user.check_valid_recovery_code(twofactor_code) { | ||||||
|  |                 err!("Recovery code is incorrect. Try again.") | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             // Remove all twofactors from the user | ||||||
|  |             TwoFactor::delete_all_by_user(&user.uuid, conn).await?; | ||||||
|  |             enforce_2fa_policy(user, &user.uuid, device.atype, &ip.ip, conn).await?; | ||||||
|  |  | ||||||
|  |             log_user_event(EventType::UserRecovered2fa as i32, &user.uuid, device.atype, &ip.ip, conn).await; | ||||||
|  |  | ||||||
|  |             // Remove the recovery code, not needed without twofactors | ||||||
|  |             user.totp_recover = None; | ||||||
|  |             user.save(conn).await?; | ||||||
|  |         } | ||||||
|         _ => err!( |         _ => err!( | ||||||
|             "Invalid two factor provider", |             "Invalid two factor provider", | ||||||
|             ErrorEvent { |             ErrorEvent { | ||||||
|   | |||||||
| @@ -31,6 +31,7 @@ pub enum TwoFactorType { | |||||||
|     Remember = 5, |     Remember = 5, | ||||||
|     OrganizationDuo = 6, |     OrganizationDuo = 6, | ||||||
|     Webauthn = 7, |     Webauthn = 7, | ||||||
|  |     RecoveryCode = 8, | ||||||
|  |  | ||||||
|     // These are implementation details |     // These are implementation details | ||||||
|     U2fRegisterChallenge = 1000, |     U2fRegisterChallenge = 1000, | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user