mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Add configuration options for Email 2FA
This commit is contained in:
		| @@ -4,21 +4,19 @@ use serde_json; | ||||
|  | ||||
| use crate::api::{EmptyResult, JsonResult, JsonUpcase, PasswordData}; | ||||
| use crate::auth::Headers; | ||||
| use crate::crypto; | ||||
| use crate::db::{ | ||||
|     models::{TwoFactor, TwoFactorType}, | ||||
|     DbConn, | ||||
| }; | ||||
| use crate::error::Error; | ||||
| use crate::mail; | ||||
| use crate::crypto; | ||||
| use crate::CONFIG; | ||||
|  | ||||
| use chrono::{Duration, NaiveDateTime, Utc}; | ||||
| use std::char; | ||||
| use std::ops::Add; | ||||
|  | ||||
| const MAX_TIME_DIFFERENCE: i64 = 600; | ||||
| const TOKEN_LEN: usize = 6; | ||||
|  | ||||
| pub fn routes() -> Vec<Route> { | ||||
|     routes![ | ||||
|         get_email, | ||||
| @@ -54,10 +52,14 @@ fn send_email_login(data: JsonUpcase<SendEmailLoginData>, conn: DbConn) -> Empty | ||||
|         err!("Username or password is incorrect. Try again.") | ||||
|     } | ||||
|  | ||||
|     if !CONFIG._enable_email_2fa() { | ||||
|         err!("Email 2FA is disabled") | ||||
|     } | ||||
|  | ||||
|     let type_ = TwoFactorType::Email as i32; | ||||
|     let mut twofactor = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn)?; | ||||
|  | ||||
|     let generated_token = generate_token(); | ||||
|     let generated_token = generate_token(CONFIG.email_token_size()); | ||||
|     let mut twofactor_data = EmailTokenData::from_json(&twofactor.data)?; | ||||
|     twofactor_data.set_token(generated_token); | ||||
|     twofactor.data = twofactor_data.to_json(); | ||||
| @@ -68,6 +70,7 @@ fn send_email_login(data: JsonUpcase<SendEmailLoginData>, conn: DbConn) -> Empty | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
| /// When user clicks on Manage email 2FA show the user the related information | ||||
| #[post("/two-factor/get-email", data = "<data>")] | ||||
| fn get_email(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult { | ||||
|     let data: PasswordData = data.into_inner().data; | ||||
| @@ -98,12 +101,11 @@ struct SendEmailData { | ||||
|     MasterPasswordHash: String, | ||||
| } | ||||
|  | ||||
| fn generate_token() -> String { | ||||
|     crypto::get_random(vec![0; TOKEN_LEN]) | ||||
| fn generate_token(token_size: u64) -> String { | ||||
|     crypto::get_random(vec![0; token_size as usize]) | ||||
|         .iter() | ||||
|         .map(|byte| { (byte % 10)}) | ||||
|         .map(|num| { | ||||
|             dbg!(num); | ||||
|             char::from_digit(num as u32, 10).unwrap() | ||||
|         }) | ||||
|         .collect() | ||||
| @@ -119,13 +121,17 @@ fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbConn) - | ||||
|         err!("Invalid password"); | ||||
|     } | ||||
|  | ||||
|     if !CONFIG._enable_email_2fa() { | ||||
|         err!("Email 2FA is disabled") | ||||
|     } | ||||
|  | ||||
|     let type_ = TwoFactorType::Email as i32; | ||||
|  | ||||
|     if let Some(tf) = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn) { | ||||
|         tf.delete(&conn)?; | ||||
|     } | ||||
|  | ||||
|     let generated_token = generate_token(); | ||||
|     let generated_token = generate_token(CONFIG.email_token_size()); | ||||
|     let twofactor_data = EmailTokenData::new(data.Email, generated_token); | ||||
|  | ||||
|     // Uses EmailVerificationChallenge as type to show that it's not verified yet. | ||||
| @@ -170,7 +176,7 @@ fn email(data: JsonUpcase<EmailData>, headers: Headers, conn: DbConn) -> JsonRes | ||||
|     }; | ||||
|  | ||||
|     if issued_token != &data.Token { | ||||
|         err!("Email token does not match") | ||||
|         err!("Token is invalid") | ||||
|     } | ||||
|  | ||||
|     email_data.reset_token(); | ||||
| @@ -195,7 +201,14 @@ pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: & | ||||
|     }; | ||||
|  | ||||
|     if issued_token != &*token { | ||||
|         err!("Email token does not match") | ||||
|         email_data.add_attempt(); | ||||
|         if email_data.attempts >= CONFIG.email_attempts_limit() { | ||||
|             email_data.reset_token(); | ||||
|         } | ||||
|         twofactor.data = email_data.to_json(); | ||||
|         twofactor.save(&conn)?; | ||||
|  | ||||
|         err!("Token is invalid") | ||||
|     } | ||||
|  | ||||
|     email_data.reset_token(); | ||||
| @@ -203,18 +216,25 @@ pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: & | ||||
|     twofactor.save(&conn)?; | ||||
|  | ||||
|     let date = NaiveDateTime::from_timestamp(email_data.token_sent, 0); | ||||
|     if date.add(Duration::seconds(MAX_TIME_DIFFERENCE)) < Utc::now().naive_utc() { | ||||
|         err!("Email token too old") | ||||
|     let max_time = CONFIG.email_expiration_time() as i64; | ||||
|     if date.add(Duration::seconds(max_time)) < Utc::now().naive_utc() { | ||||
|         err!("Token has expired") | ||||
|     } | ||||
|  | ||||
|     Ok(()) | ||||
| } | ||||
|  | ||||
| /// Data stored in the TwoFactor table in the db | ||||
| #[derive(Serialize, Deserialize)] | ||||
| pub struct EmailTokenData { | ||||
|     /// Email address where the token will be sent to. Can be different from account email. | ||||
|     pub email: String, | ||||
|     /// Some(token): last valid token issued that has not been entered. | ||||
|     /// None: valid token was used and removed. | ||||
|     pub last_token: Option<String>, | ||||
|     /// UNIX timestamp of token issue. | ||||
|     pub token_sent: i64, | ||||
|     /// Amount of token entry attempts for last_token. | ||||
|     pub attempts: u64, | ||||
| } | ||||
|  | ||||
| impl EmailTokenData { | ||||
| @@ -223,6 +243,7 @@ impl EmailTokenData { | ||||
|             email, | ||||
|             last_token: Some(token), | ||||
|             token_sent: Utc::now().naive_utc().timestamp(), | ||||
|             attempts: 0, | ||||
|         } | ||||
|     } | ||||
|  | ||||
| @@ -233,6 +254,11 @@ impl EmailTokenData { | ||||
|  | ||||
|     pub fn reset_token(&mut self) { | ||||
|         self.last_token = None; | ||||
|         self.attempts = 0; | ||||
|     } | ||||
|  | ||||
|     pub fn add_attempt(&mut self) { | ||||
|         self.attempts = self.attempts + 1; | ||||
|     } | ||||
|  | ||||
|     pub fn to_json(&self) -> String { | ||||
| @@ -295,8 +321,8 @@ mod tests { | ||||
|  | ||||
|     #[test] | ||||
|     fn test_token() { | ||||
|         let result = generate_token(); | ||||
|         let result = generate_token(100); | ||||
|  | ||||
|         assert_eq!(result.chars().count(), 6); | ||||
|         assert_eq!(result.chars().count(), 100); | ||||
|     } | ||||
| } | ||||
|   | ||||
| @@ -318,6 +318,18 @@ make_config! { | ||||
|         _duo_akey:              Pass,   false,  option; | ||||
|     }, | ||||
|  | ||||
|     /// Email 2FA Settings | ||||
|     email_2fa: _enable_email_2fa { | ||||
|         /// Enabled |> Disabling will prevent users from setting up new email 2FA and using existing email 2FA configured | ||||
|         _enable_email_2fa:      bool,   true,   def,      true; | ||||
|         /// Token number length |> Length of the numbers in an email token | ||||
|         email_token_size:       u64,    true,   def,      6; | ||||
|         /// Token expiration time |> Maximum time in seconds a token is valid. The time the user has to open email client and copy token. | ||||
|         email_expiration_time:  u64,    true,   def,      600; | ||||
|         /// Maximum attempts |> Maximum attempts before an email token is reset and a new email will need to be sent | ||||
|         email_attempts_limit:   u64,    true,   def,      3; | ||||
|     }, | ||||
|  | ||||
|     /// SMTP Email Settings | ||||
|     smtp: _enable_smtp { | ||||
|         /// Enabled | ||||
|   | ||||
		Reference in New Issue
	
	Block a user