Currently there are no checks done during the actual upload of the file of a send item.
This PR adds several checks to make sure it only accepts the correct uploads.
This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000.
Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, i added warnings regarding this.
Closes#3168
* Add initial working Duo Universal Prompt support.
* Add db schema and models for Duo 2FA state storage
* store duo states in the database and validate during authentication
* cleanup & comments
* bump state/nonce length
* replace stray use of TimeDelta
* more cleanup
* bind Duo oauth flow to device id, drop redundant device type handling
* drop redundant alphanum string generation code
* error handling cleanup
* directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
* remove redundant explicit returns, rustfmt
* rearrange constants, update comments, error message
* override charset on duo state column to ascii for mysql
* Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
* Add fixes suggested by clippy
* rustfmt
* Update to use the make_http_request
* Don't handle OrganizationDuo
* move Duo API endpoint fmt strings out of macros and into format! calls
* Add missing indentation
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* remove redundant expiry check when purging Duo contexts
---------
Co-authored-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* allow re-invitations of existing users
* auto-accept existing user if mail is disabled
Apply suggestions from code review
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
---------
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
- Updated datatables
- Set Cookie Secure flag if the connection is https
- Prevent possible XSS via Organization Name
Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent`
- Removed `jsesc` function as handlebars escapes all these chars already and more by default
- Add missing `Headers` parameter for some functions
This allowed any request from allowing these endpoints by not validating the user correctly.
- Changed the functions to retreive the emergency access record by
using the user uuid which calls the endpoint, instead of validating afterwards.
This is more secure and prevents the need of an if check.
* add group support for Cipher::get_collections()
join group infos assigned to a collection to check
whether user has been given access to all collections via any group
or they have access to a specific collection via any group membership
* fix Collection::is_writable_by_user()
prevent side effects if groups are disabled
* differentiate the /collection endpoints
* return cipherDetails on post_collections_update()
* add collections_v2 endpoint
During import you are able to select an existing folder, or with
Bitwarden exports it can contain existing folders already. In either
case it didn't matter, we always created new folders.
Bitwarden uses the same UUID of the selected or existing folders if they
are already there.
This PR fixes this by using the same behaviour.
Fixes#4700
* Change API inputs/outputs and structs to camelCase
* Fix fields and password history
* Use convert_json_key_lcase_first
* Make sends lowercase
* Update admin and templates
* Update org revoke
* Fix sends expecting size to be a string on mobile
* Convert two-factor providers to string
* fix emergency access invites with no mail
when mail is disabled instead of accepting emergency access for all
invited users automatically, we only accept if the user already exists
on registration of a new account any open emergency access invitations
will be accepted, if mail is disabled
also prevent invited emergency access contacts to register if emergency
access is disabled (this is only relevant for when mail is enabled, if
mail is disabled they should have an Invitation entry)
* delete emergency access invitations
if an invited user is deleted in the /admin panel their emergency
access invitation will remain in the database which causes
the to_json_grantee_details fn to panic
* improve missing emergency access grantees
instead of returning an empty emergency access contact the entry should
not be added to the list. also the error handling can be improved a bit.
Key rotation was changed since 2024.1.x.
Multiple other items were added to be rotated like password-reset and emergency-access data to be part of just one POST instead of having multiple.
See: https://github.com/dani-garcia/bw_web_builds/pull/157
- Updated Rust to v1.77.0
- Updated several crates
The `reqwest` update included `trust-dns` > `hickory-dns` changes.
Also, `reqwest` v0.12 is not working correctly for us, that is something to investigate.
- Fixed a new clippy warning
- Updated sqlite crate
- Updated chrono crate
The latter needed a lot of changes done, mostly `Duration` to `TimeDelta`.
And some changes on how to use Naive.
* Fix#3624: fix manager permission within groups
* Query returns UUID only
* Fix issue when user is manager and in a group having access to all collections
* optimize condition check
* fix(groups): renaming and optimizations
* fix: wrong organization group membership detection
* Simplify group membership check
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
* Remove unused statement
* improve check if the user has access via groups
instead of returning the two lists of member ids and later checking if
they contain the uuid of the current user, we really only care if
the current user has full access via a group or if they have
access to a given collection via a group
* improve comments for get_org_collections_details
* small refactor to make it easier to review
* fix(groups): query full access via group only when necessary
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* chore(fmt): apply rustfmt
---------
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Co-authored-by: Stefan Melmuk <stefan.melmuk@gmail.com>
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* Remove custom WebSocket code
Remove our custom WebSocket code and only use the Rocket code.
Removed all options in regards to WebSockets
Added a new option `WEBSOCKET_DISABLED` which defaults too `false`.
This can be used to disable WebSockets if you really do not want to use it.
* Addressed remarks given and some updates
- Addressed comments given during review
- Updated crates, including Rocket to the latest merged v0.5 changes
- Removed an extra header which should not be sent for websocket connections
* Updated suggestions and crates
- Addressed the suggestions
- Updated Rocket to latest rc4
Also made the needed code changes
- Updated all other crates
Pinned `openssl` and `openssl-sys`
---------
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
- Update all crates
- Update GHA
- Update Global Domains script to use main instead of master
Also fixed some Python linting warnings
- Updated Admin JS and CSS libraries
- Updated Rust to v1.76.0
- Updated crates
- Updated web-vault to v2024.1.2b
- Fixed some Clippy lints
- Moved lint check configuration Cargo.toml
- Fixed issue with Reset Password Enrollment when logged-in via device
Also check if we are running within a Kubernetes environment.
These do not always run using Docker or Podman of course.
Also renamed all the functions and variables to use `container` instead
of `docker`.
save the push token of new device even if push notifications are not
enabled and provide a way to register the push device at login
unregister device if there already is a push token saved unless the
new token has already been registered.
also the `unregister_push_device` function used the wrong argument
cf. 08d380900b/src/Core/Services/Implementations/RelayPushRegistrationService.cs (L43)
* enforce 2fa policy on removal of second factor
users should be revoked when their second factors are removed.
we want to revoke users so they don't have to be invited again and
organization admins and owners are aware that they no longer have
access.
we make an exception for non-confirmed users to speed up the invitation
process as they would have to be restored before they can accept their
invitation or be confirmed.
if email is enabled, invited users have to add a second factor before
they can accept the invitation to an organization with 2fa policy.
and if it is not enabled that check is done when confirming the user.
* use &str instead of String in log_event()
* enforce the 2fa policy on login
if a user doesn't have a second factor check if they are in an
organization that has the 2fa policy enabled to revoke their access
