Merge branch 'api-key' of https://github.com/jjlin/vaultwarden into jjlin-api-key

2025-09-10 18:55:57 +03:00 · 2022-01-23 23:50:34 +01:00
parent e639d9063b 8f7900759f
commit bf6330374c
14 changed files with 182 additions and 17 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -34,6 +34,8 @@ pub fn routes() -> Vec<rocket::Route> {
        password_hint,
        prelogin,
        verify_password,
+        api_key,
+        rotate_api_key,
    ]
 }

@@ -644,15 +646,17 @@ fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> Json<Value> {
        "KdfIterations": kdf_iter
    }))
 }
+
+// https://github.com/bitwarden/server/blob/master/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
-struct VerifyPasswordData {
+struct SecretVerificationRequest {
    MasterPasswordHash: String,
 }

 #[post("/accounts/verify-password", data = "<data>")]
-fn verify_password(data: JsonUpcase<VerifyPasswordData>, headers: Headers) -> EmptyResult {
-    let data: VerifyPasswordData = data.into_inner().data;
+fn verify_password(data: JsonUpcase<SecretVerificationRequest>, headers: Headers) -> EmptyResult {
+    let data: SecretVerificationRequest = data.into_inner().data;
    let user = headers.user;

    if !user.check_valid_password(&data.MasterPasswordHash) {
@@ -661,3 +665,32 @@ fn verify_password(data: JsonUpcase<VerifyPasswordData>, headers: Headers) -> Em

    Ok(())
 }
+
+fn _api_key(data: JsonUpcase<SecretVerificationRequest>, rotate: bool, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: SecretVerificationRequest = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    if rotate || user.api_key.is_none() {
+        user.api_key = Some(crypto::generate_api_key());
+        user.save(&conn).expect("Error saving API key");
+    }
+
+    Ok(Json(json!({
+      "ApiKey": user.api_key,
+      "Object": "apiKey",
+    })))
+}
+
+#[post("/accounts/api-key", data = "<data>")]
+fn api_key(data: JsonUpcase<SecretVerificationRequest>, headers: Headers, conn: DbConn) -> JsonResult {
+    _api_key(data, false, headers, conn)
+}
+
+#[post("/accounts/rotate-api-key", data = "<data>")]
+fn rotate_api_key(data: JsonUpcase<SecretVerificationRequest>, headers: Headers, conn: DbConn) -> JsonResult {
+    _api_key(data, true, headers, conn)
+}
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -43,6 +43,13 @@ fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult {

            _password_login(data, conn, &ip)
        }
+        "client_credentials" => {
+            _check_is_some(&data.client_id, "client_id cannot be blank")?;
+            _check_is_some(&data.client_secret, "client_secret cannot be blank")?;
+            _check_is_some(&data.scope, "scope cannot be blank")?;
+
+            _api_key_login(data, conn, &ip)
+        }
        t => err!("Invalid type", t),
    }
 }
@@ -54,13 +61,15 @@ fn _refresh_login(data: ConnectData, conn: DbConn) -> JsonResult {
    // Get device by refresh token
    let mut device = Device::find_by_refresh_token(&token, &conn).map_res("Invalid refresh token")?;

-    // COMMON
+    let scope = "api offline_access";
+    let scope_vec = vec!["api".into(), "offline_access".into()];
+
+    // Common
    let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &conn);
-
-    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
-
+    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
    device.save(&conn)?;
+
    Ok(Json(json!({
        "access_token": access_token,
        "expires_in": expires_in,
@@ -72,7 +81,7 @@ fn _refresh_login(data: ConnectData, conn: DbConn) -> JsonResult {
        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
-        "scope": "api offline_access",
+        "scope": scope,
        "unofficialServer": true,
    })))
 }
@@ -83,6 +92,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult
    if scope != "api offline_access" {
        err!("Scope not supported")
    }
+    let scope_vec = vec!["api".into(), "offline_access".into()];

    // Ratelimit the login
    crate::ratelimit::check_limit_login(&ip.ip)?;
@@ -150,8 +160,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult

    // Common
    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &conn);
-
-    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
+    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
    device.save(&conn)?;

    let mut result = json!({
@@ -166,7 +175,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult
        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
        "ResetMasterPassword": false,// TODO: Same as above
-        "scope": "api offline_access",
+        "scope": scope,
        "unofficialServer": true,
    });

@@ -178,6 +187,76 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult
    Ok(Json(result))
 }

+fn _api_key_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult {
+    // Validate scope
+    let scope = data.scope.as_ref().unwrap();
+    if scope != "api" {
+        err!("Scope not supported")
+    }
+    let scope_vec = vec!["api".into()];
+
+    // Ratelimit the login
+    crate::ratelimit::check_limit_login(&ip.ip)?;
+
+    // Get the user via the client_id
+    let client_id = data.client_id.as_ref().unwrap();
+    let user_uuid = match client_id.strip_prefix("user.") {
+        Some(uuid) => uuid,
+        None => err!("Malformed client_id", format!("IP: {}.", ip.ip)),
+    };
+    let user = match User::find_by_uuid(user_uuid, &conn) {
+        Some(user) => user,
+        None => err!("Invalid client_id", format!("IP: {}.", ip.ip)),
+    };
+
+    // Check if the user is disabled
+    if !user.enabled {
+        err!("This user has been disabled (API key login)", format!("IP: {}. Username: {}.", ip.ip, user.email))
+    }
+
+    // Check API key. Note that API key logins bypass 2FA.
+    let client_secret = data.client_secret.as_ref().unwrap();
+    if !user.check_valid_api_key(client_secret) {
+        err!("Incorrect client_secret", format!("IP: {}. Username: {}.", ip.ip, user.email))
+    }
+
+    let (mut device, new_device) = get_device(&data, &conn, &user);
+
+    if CONFIG.mail_enabled() && new_device {
+        let now = Utc::now().naive_utc();
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name) {
+            error!("Error sending new device email: {:#?}", e);
+
+            if CONFIG.require_device_email() {
+                err!("Could not send login notification email. Please contact your administrator.")
+            }
+        }
+    }
+
+    // Common
+    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &conn);
+    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
+    device.save(&conn)?;
+
+    info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);
+
+    // Note: No refresh_token is returned. The CLI just repeats the
+    // client_credentials login flow when the existing token expires.
+    Ok(Json(json!({
+        "access_token": access_token,
+        "expires_in": expires_in,
+        "token_type": "Bearer",
+        "Key": user.akey,
+        "PrivateKey": user.private_key,
+
+        "Kdf": user.client_kdf_type,
+        "KdfIterations": user.client_kdf_iter,
+        "ResetMasterPassword": false, // TODO: Same as above
+        "scope": scope,
+        "unofficialServer": true,
+    })))
+}
+
 /// Retrieves an existing device or creates a new device from ConnectData and the User
 fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> (Device, bool) {
    // On iOS, device_type sends "iOS", on others it sends a number
@@ -374,17 +453,20 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
    Ok(result)
 }

+// https://github.com/bitwarden/jslib/blob/master/common/src/models/request/tokenRequest.ts
 // https://github.com/bitwarden/mobile/blob/master/src/Core/Models/Request/TokenRequest.cs
 #[derive(Debug, Clone, Default)]
 #[allow(non_snake_case)]
 struct ConnectData {
-    grant_type: String, // refresh_token, password
+    // refresh_token, password, client_credentials (API key)
+    grant_type: String,

    // Needed for grant_type="refresh_token"
    refresh_token: Option<String>,

-    // Needed for grant_type="password"
-    client_id: Option<String>, // web, cli, desktop, browser, mobile
+    // Needed for grant_type = "password" | "client_credentials"
+    client_id: Option<String>,     // web, cli, desktop, browser, mobile
+    client_secret: Option<String>, // API key login (cli only)
    password: Option<String>,
    scope: Option<String>,
    username: Option<String>,
@@ -414,6 +496,7 @@ impl<'f> FromForm<'f> for ConnectData {
                "granttype" => form.grant_type = value,
                "refreshtoken" => form.refresh_token = Some(value),
                "clientid" => form.client_id = Some(value),
+                "clientsecret" => form.client_secret = Some(value),
                "password" => form.password = Some(value),
                "scope" => form.scope = Some(value),
                "username" => form.username = Some(value),