mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-09-11 03:05:58 +03:00
Improved error messagees, implemented delete ciphers, attachments and account, implemented two factor recovery.
Known missing: - import ciphers, create ciphers types other than login and card, update ciphers - clear and put device_tokens - Equivalent domains - Organizations
This commit is contained in:
Daniel García
@@ -144,11 +144,23 @@ fn delete_account(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(
|
||||
err!("Invalid password")
|
||||
}
|
||||
|
||||
// Delete all ciphers by user_uuid
|
||||
// Delete all devices by user_uuid
|
||||
// Delete user
|
||||
// Delete ciphers and their attachments
|
||||
for cipher in Cipher::find_by_user(&user.uuid, &conn) {
|
||||
for a in Attachment::find_by_cipher(&cipher.uuid, &conn) { a.delete(&conn); }
|
||||
|
||||
err!("Not implemented")
|
||||
cipher.delete(&conn);
|
||||
}
|
||||
|
||||
// Delete folders
|
||||
for f in Folder::find_by_user(&user.uuid, &conn) { f.delete(&conn); }
|
||||
|
||||
// Delete devices
|
||||
for d in Device::find_by_user(&user.uuid, &conn) { d.delete(&conn); }
|
||||
|
||||
// Delete user
|
||||
user.delete(&conn);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[get("/accounts/revision-date")]
|
||||
|
||||
@@ -258,11 +258,7 @@ fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn
|
||||
err!("Cipher is not owned by user")
|
||||
}
|
||||
|
||||
// Delete file
|
||||
let file = attachment.get_file_path();
|
||||
util::delete_file(&file);
|
||||
|
||||
// Delete entry in cipher
|
||||
// Delete attachment
|
||||
attachment.delete(&conn);
|
||||
|
||||
Ok(())
|
||||
@@ -274,13 +270,32 @@ fn post_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<Json, Bad
|
||||
}
|
||||
|
||||
#[put("/ciphers/<uuid>")]
|
||||
fn put_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> { err!("Not implemented") }
|
||||
fn put_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
|
||||
err!("Not implemented")
|
||||
}
|
||||
|
||||
#[delete("/ciphers/<uuid>")]
|
||||
fn delete_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> { err!("Not implemented") }
|
||||
fn delete_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
|
||||
let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
|
||||
Some(cipher) => cipher,
|
||||
None => err!("Cipher doesn't exist")
|
||||
};
|
||||
|
||||
if cipher.user_uuid != headers.user.uuid {
|
||||
err!("Cipher is not owned by user")
|
||||
}
|
||||
|
||||
// Delete attachments
|
||||
for a in Attachment::find_by_cipher(&cipher.uuid, &conn) { a.delete(&conn); }
|
||||
|
||||
// Delete cipher
|
||||
cipher.delete(&conn);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[post("/ciphers/delete", data = "<data>")]
|
||||
fn delete_all(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
|
||||
fn delete_all(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
|
||||
let password_hash = data["masterPasswordHash"].as_str().unwrap();
|
||||
|
||||
let user = headers.user;
|
||||
@@ -289,7 +304,15 @@ fn delete_all(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json,
|
||||
err!("Invalid password")
|
||||
}
|
||||
|
||||
// Cipher::delete_from_user(&conn);
|
||||
// Delete ciphers and their attachments
|
||||
for cipher in Cipher::find_by_user(&user.uuid, &conn) {
|
||||
for a in Attachment::find_by_cipher(&cipher.uuid, &conn) { a.delete(&conn); }
|
||||
|
||||
err!("Not implemented")
|
||||
cipher.delete(&conn);
|
||||
}
|
||||
|
||||
// Delete folders
|
||||
for f in Folder::find_by_user(&user.uuid, &conn) { f.delete(&conn); }
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -43,6 +43,7 @@ pub fn routes() -> Vec<Route> {
|
||||
|
||||
get_twofactor,
|
||||
get_recover,
|
||||
recover,
|
||||
generate_authenticator,
|
||||
activate_authenticator,
|
||||
disable_authenticator,
|
||||
@@ -107,8 +108,7 @@ fn post_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbConn)
|
||||
|
||||
let user = headers.user;
|
||||
|
||||
|
||||
//BODY. "{\"ExcludedGlobalEquivalentDomains\":[2],\"EquivalentDomains\":[[\"uoc.edu\",\"uoc.es\"]]}"
|
||||
//BODY. "{\"ExcludedGlobalEquivalentDomains\":[2],\"EquivalentDomains\":[[\"example.org\",\"example.net\"]]}"
|
||||
|
||||
err!("Not implemented")
|
||||
}
|
||||
|
||||
@@ -44,6 +44,39 @@ fn get_recover(data: Json<Value>, headers: Headers) -> Result<Json, BadRequest<J
|
||||
})))
|
||||
}
|
||||
|
||||
#[post("/two-factor/recover", data = "<data>")]
|
||||
fn recover(data: Json<Value>, conn: DbConn) -> Result<Json, BadRequest<Json>> {
|
||||
println!("{:#?}", data);
|
||||
|
||||
use db::models::User;
|
||||
|
||||
// Get the user
|
||||
let username = data["email"].as_str().unwrap();
|
||||
let mut user = match User::find_by_mail(username, &conn) {
|
||||
Some(user) => user,
|
||||
None => err!("Username or password is incorrect. Try again.")
|
||||
};
|
||||
|
||||
// Check password
|
||||
let password = data["masterPasswordHash"].as_str().unwrap();
|
||||
if !user.check_valid_password(password) {
|
||||
err!("Username or password is incorrect. Try again.")
|
||||
}
|
||||
|
||||
// Check if recovery code is correct
|
||||
let recovery_code = data["recoveryCode"].as_str().unwrap();
|
||||
|
||||
if !user.check_valid_recovery_code(recovery_code) {
|
||||
err!("Recovery code is incorrect. Try again.")
|
||||
}
|
||||
|
||||
user.totp_secret = None;
|
||||
user.totp_recover = None;
|
||||
user.save(&conn);
|
||||
|
||||
Ok(Json(json!({})))
|
||||
}
|
||||
|
||||
#[post("/two-factor/get-authenticator", data = "<data>")]
|
||||
fn generate_authenticator(data: Json<Value>, headers: Headers) -> Result<Json, BadRequest<Json>> {
|
||||
let password_hash = data["masterPasswordHash"].as_str().unwrap();
|
||||
@@ -71,8 +104,8 @@ fn activate_authenticator(data: Json<Value>, headers: Headers, conn: DbConn) ->
|
||||
if !headers.user.check_valid_password(password_hash) {
|
||||
err!("Invalid password");
|
||||
}
|
||||
let token = data["token"].as_str(); // 123456
|
||||
let key = data["key"].as_str().unwrap(); // YI4SKBIXG32LOA6VFKH2NI25VU3E4QML
|
||||
let token = data["token"].as_str();
|
||||
let key = data["key"].as_str().unwrap();
|
||||
|
||||
// Validate key as base32 and 20 bytes length
|
||||
let decoded_key: Vec<u8> = match BASE32.decode(key.as_bytes()) {
|
||||
|
||||
@@ -71,7 +71,7 @@ fn get_icon_cached(key: &str, url: &str) -> io::Result<Vec<u8>> {
|
||||
|
||||
// Save the currently downloaded icon
|
||||
match File::create(path) {
|
||||
Ok(mut f) => { f.write_all(&icon); }
|
||||
Ok(mut f) => { f.write_all(&icon).expect("Error writing icon file"); }
|
||||
Err(_) => { /* Continue */ }
|
||||
};
|
||||
|
||||
|
||||
@@ -41,61 +41,44 @@ fn login(connect_data: Form<ConnectData>, conn: DbConn) -> Result<Json, BadReque
|
||||
let username = data.get("username").unwrap();
|
||||
let user = match User::find_by_mail(username, &conn) {
|
||||
Some(user) => user,
|
||||
None => err!("Invalid username or password")
|
||||
None => err!("Username or password is incorrect. Try again.")
|
||||
};
|
||||
|
||||
// Check password
|
||||
let password = data.get("password").unwrap();
|
||||
if !user.check_valid_password(password) {
|
||||
err!("Invalid username or password")
|
||||
err!("Username or password is incorrect. Try again.")
|
||||
}
|
||||
|
||||
/*
|
||||
//TODO: When invalid username or password, return this with a 400 BadRequest:
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_description": "invalid_username_or_password",
|
||||
"ErrorModel": {
|
||||
"Message": "Username or password is incorrect. Try again.",
|
||||
"ValidationErrors": null,
|
||||
"ExceptionMessage": null,
|
||||
"ExceptionStackTrace": null,
|
||||
"InnerExceptionMessage": null,
|
||||
"Object": "error"
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
// Check if totp code is required and the value is correct
|
||||
let totp_code = util::parse_option_string(data.get("twoFactorToken").map(String::as_ref));
|
||||
let totp_code = util::parse_option_string(data.get("twoFactorToken"));
|
||||
|
||||
if !user.check_totp_code(totp_code) {
|
||||
// Return error 400
|
||||
err_json!(json!({
|
||||
"error" : "invalid_grant",
|
||||
"error_description" : "Two factor required.",
|
||||
"TwoFactorProviders" : [ 0 ],
|
||||
"TwoFactorProviders2" : { "0" : null }
|
||||
}))
|
||||
"error" : "invalid_grant",
|
||||
"error_description" : "Two factor required.",
|
||||
"TwoFactorProviders" : [ 0 ],
|
||||
"TwoFactorProviders2" : { "0" : null }
|
||||
}))
|
||||
}
|
||||
|
||||
// Let's only use the header and ignore the 'devicetype' parameter
|
||||
// TODO Get header Device-Type
|
||||
let device_type_num = 0;// headers.device_type;
|
||||
|
||||
let (device_id, device_name) = match data.get("client_id").unwrap().as_ref() {
|
||||
"web" => { (format!("web-{}", user.uuid), String::from("web")) }
|
||||
"browser" | "mobile" => {
|
||||
let (device_id, device_name) = match data.is_device {
|
||||
false => { (format!("web-{}", user.uuid), String::from("web")) }
|
||||
true => {
|
||||
(
|
||||
data.get("deviceidentifier").unwrap().clone(),
|
||||
data.get("devicename").unwrap().clone(),
|
||||
)
|
||||
}
|
||||
_ => err!("Invalid client id")
|
||||
};
|
||||
|
||||
// Find device or create new
|
||||
let device = match Device::find_by_uuid(&device_id, &conn) {
|
||||
match Device::find_by_uuid(&device_id, &conn) {
|
||||
Some(device) => {
|
||||
// Check if valid device
|
||||
if device.user_uuid != user.uuid {
|
||||
@@ -109,10 +92,7 @@ fn login(connect_data: Form<ConnectData>, conn: DbConn) -> Result<Json, BadReque
|
||||
// Create new device
|
||||
Device::new(device_id, user.uuid, device_name, device_type_num)
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
device
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
@@ -120,7 +100,6 @@ fn login(connect_data: Form<ConnectData>, conn: DbConn) -> Result<Json, BadReque
|
||||
let (access_token, expires_in) = device.refresh_tokens(&user);
|
||||
device.save(&conn);
|
||||
|
||||
// TODO: when to include :privateKey and :TwoFactorToken?
|
||||
Ok(Json(json!({
|
||||
"access_token": access_token,
|
||||
"expires_in": expires_in,
|
||||
@@ -134,27 +113,22 @@ fn login(connect_data: Form<ConnectData>, conn: DbConn) -> Result<Json, BadReque
|
||||
#[derive(Debug)]
|
||||
struct ConnectData {
|
||||
grant_type: GrantType,
|
||||
is_device: bool,
|
||||
data: HashMap<String, String>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Copy, Clone)]
|
||||
enum GrantType { RefreshToken, Password }
|
||||
|
||||
impl ConnectData {
|
||||
fn get(&self, key: &str) -> Option<&String> {
|
||||
self.data.get(&key.to_lowercase())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Copy, Clone)]
|
||||
enum GrantType { RefreshToken, Password }
|
||||
|
||||
|
||||
const VALUES_REFRESH: [&str; 1] = ["refresh_token"];
|
||||
|
||||
const VALUES_PASSWORD: [&str; 5] = ["client_id",
|
||||
"grant_type", "password", "scope", "username"];
|
||||
|
||||
const VALUES_DEVICE: [&str; 3] = ["deviceidentifier",
|
||||
"devicename", "devicetype"];
|
||||
|
||||
const VALUES_PASSWORD: [&str; 5] = ["client_id", "grant_type", "password", "scope", "username"];
|
||||
const VALUES_DEVICE: [&str; 3] = ["deviceidentifier", "devicename", "devicetype"];
|
||||
|
||||
impl<'f> FromForm<'f> for ConnectData {
|
||||
type Error = String;
|
||||
@@ -164,62 +138,40 @@ impl<'f> FromForm<'f> for ConnectData {
|
||||
|
||||
// Insert data into map
|
||||
for (key, value) in items {
|
||||
let decoded_key: String = match key.url_decode() {
|
||||
Ok(decoded) => decoded,
|
||||
Err(_) => return Err(format!("Error decoding key: {}", value)),
|
||||
match (key.url_decode(), value.url_decode()) {
|
||||
(Ok(key), Ok(value)) => data.insert(key.to_lowercase(), value),
|
||||
_ => return Err(format!("Error decoding key or value")),
|
||||
};
|
||||
|
||||
let decoded_value: String = match value.url_decode() {
|
||||
Ok(decoded) => decoded,
|
||||
Err(_) => return Err(format!("Error decoding value: {}", value)),
|
||||
};
|
||||
|
||||
data.insert(decoded_key.to_lowercase(), decoded_value);
|
||||
}
|
||||
|
||||
// Validate needed values
|
||||
let grant_type =
|
||||
match data.get("grant_type").map(|s| &s[..]) {
|
||||
let (grant_type, is_device) =
|
||||
match data.get("grant_type").map(String::as_ref) {
|
||||
Some("refresh_token") => {
|
||||
// Check if refresh token is proviced
|
||||
if let Err(msg) = check_values(&data, &VALUES_REFRESH) {
|
||||
return Err(msg);
|
||||
}
|
||||
|
||||
GrantType::RefreshToken
|
||||
check_values(&data, &VALUES_REFRESH)?;
|
||||
(GrantType::RefreshToken, false) // Device doesn't matter here
|
||||
}
|
||||
Some("password") => {
|
||||
// Check if basic values are provided
|
||||
if let Err(msg) = check_values(&data, &VALUES_PASSWORD) {
|
||||
return Err(msg);
|
||||
}
|
||||
check_values(&data, &VALUES_PASSWORD)?;
|
||||
|
||||
// Check that device values are present on device
|
||||
match data.get("client_id").unwrap().as_ref() {
|
||||
"browser" | "mobile" => {
|
||||
if let Err(msg) = check_values(&data, &VALUES_DEVICE) {
|
||||
return Err(msg);
|
||||
}
|
||||
}
|
||||
_ => {}
|
||||
}
|
||||
|
||||
GrantType::Password
|
||||
let is_device = match data.get("client_id").unwrap().as_ref() {
|
||||
"browser" | "mobile" => check_values(&data, &VALUES_DEVICE)?,
|
||||
_ => false
|
||||
};
|
||||
(GrantType::Password, is_device)
|
||||
}
|
||||
|
||||
_ => return Err(format!("Grant type not supported"))
|
||||
};
|
||||
|
||||
Ok(ConnectData { grant_type, data })
|
||||
Ok(ConnectData { grant_type, is_device, data })
|
||||
}
|
||||
}
|
||||
|
||||
fn check_values(map: &HashMap<String, String>, values: &[&str]) -> Result<(), String> {
|
||||
fn check_values(map: &HashMap<String, String>, values: &[&str]) -> Result<bool, String> {
|
||||
for value in values {
|
||||
if !map.contains_key(*value) {
|
||||
return Err(format!("{} cannot be blank", value));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
Ok(true)
|
||||
}
|
||||
Reference in New Issue
Block a user