Commit Graph

2467 Commits

Author SHA1 Message Date
BlackDex
636f16dc66 Prevent 401 on main admin page
When you are not loggedin, and have no cookie etc.. we always returned a 401.
This was mainly to allow the login page on all the sub pages, and after
login being redirected to the requested page, for these pages a 401 is a
valid response, since, you do not have access.

But for the main `/admin` page, it should just respond with a `200` and
show the login page.

This PR fixes this flow and response. It should prevent people using
Fail2ban, or other tools being triggered by only accessing the login page.

Resolves #3540
2023-05-25 23:40:36 +02:00
Mathijs van Veluw
9e5b049dca Merge pull request #3532 from jjlin/global-domains
Sync global_domains.json (Pinterest)
2023-05-17 21:20:48 +02:00
Jeremy Lin
23aa9088f3 Sync global_domains.json to bitwarden/server@8dda73a (Pinterest) 2023-05-17 12:04:31 -07:00
Mathijs van Veluw
4f0ed06b06 Merge pull request #3522 from stefan0xC/update-to-v2023.4.2
update web-vault to v2023.4.2
2023-05-12 09:48:56 +02:00
Stefan Melmuk
349c97efaf update crates 2023-05-12 09:31:29 +02:00
Stefan Melmuk
8b05a5d192 update web-vault to v2023.4.2 2023-05-12 08:05:35 +02:00
Mathijs van Veluw
83bf77d713 Merge pull request #3513 from stefan0xC/fix-empty-policy
policy data should be `null` not an empty object
2023-05-09 12:00:10 +02:00
Stefan Melmuk
4d5c047ddc policy data should be null not an empty object 2023-05-09 11:14:46 +02:00
Daniel García
147c9c7b50 Merge pull request #3505 from gitouche-sur-osm/dockerfile-fqin
Use fully qualified image names in Dockerfile
2023-05-08 21:00:30 +02:00
Daniel García
6515a2fcad Merge pull request #3502 from BlackDex/fix-trailing-slash
Use Rocket `v0.5` branch to fix endpoints
2023-05-08 21:00:19 +02:00
BlackDex
4a2ed553df Use Rocket v0.5 branch to fix endpoints
There now is a `v0.5` branch which will be the final release version
when the time is there. Switched to this instead of the `master` branch
which contains other fixes and enhancements as well (for `v0.6`).

This should solve all the endpoint issue we were having.
2023-05-06 19:46:55 +02:00
Gitouche
ba492c0602 Use fully qualified image names in Dockerfile 2023-05-03 18:31:28 +02:00
Daniel García
1ec049e2b5 Update web vault to v2023.4.0 2023-05-01 19:49:48 +02:00
Daniel García
0fb8563b13 Merge pull request #3491 from BlackDex/rocket_changes
Change `String` to `&str` for all Rocket functions and some other fixes
2023-04-30 23:53:15 +02:00
BlackDex
f906f6230a Change String to &str for all Rocket functions
During setting the latest commit hash for Rocket and updating all the
other crates, there were some messages regarding the usage of `String`
for the Rocket endpoint function calls. I acted upon this message and
changed all `String` types to `&str` and modified the code where needed.

This ended up in less alloc calls, and probably also a bit less memory usage.

- Updated all the crates and commit hashes
- Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
BlackDex
951ba55123 Prevent some ::_ logs from outputting 2023-04-30 17:17:43 +02:00
BlackDex
18abf226be Fix admin post endpoints 2023-04-30 17:09:42 +02:00
Daniel García
393645617e Merge pull request #3469 from BlackDex/rust-and-crate-updates
Update Rust and Crates
2023-04-24 18:54:35 +02:00
Daniel García
5bf243b675 Merge pull request #3475 from vilgotf/inline-statics
inline static rsa keys
2023-04-24 18:54:19 +02:00
BlackDex
cfba8347a3 Update Rust and Crates
- Updated Rust to v1.69.0
- Updated MSRV to v1.67.1
- Updated crates
- Updated GitHub Actions
2023-04-24 14:10:58 +02:00
Tim Vilgot Mikael Fredenberg
55c1b6e8d5 inline static rsa keys 2023-04-23 21:34:26 +02:00
Daniel García
3d7e80a7aa Merge pull request #3440 from BlackDex/switch-ws-to-streams
Small update to Rocket WebSockets
2023-04-17 20:26:03 +02:00
Daniel García
5866338de4 Merge pull request #3439 from kennymc-c/main
Fixed missing footer_text and a few inconsistencies in email templates
2023-04-17 20:25:36 +02:00
kennymc-c
271e3ae757 Changed permissions back to 644 2023-04-12 18:06:46 +02:00
BlackDex
48cc31a59f Small update to Rocket WebSockets
Switched from channels to stream. This is able to use yield, and the
code looks a bit nicer this way.

Also updated all the crates.
2023-04-12 15:59:05 +02:00
kennymc-c
6a7cee4e7e Fixed footer to footer_text 2023-04-11 22:00:10 +02:00
kennymc-c
f850dbb310 Fixed some missing footer_text partials and a few inconsistencies between plain text and html email templates 2023-04-11 21:27:38 +02:00
Daniel García
07099df41a Merge pull request #3436 from BlackDex/fix-admin-base-url
Several config and admin interface fixes
2023-04-10 21:11:44 +02:00
Daniel García
0c0a80720e Merge pull request #3404 from BlackDex/websockets-via-rocket
WebSockets via Rocket's Upgrade connection
2023-04-10 21:10:29 +02:00
BlackDex
ae437f70a3 Several config and admin interface fixes
- Fixed issue with domains starting with `admin`
- Fixed issue with DUO not being enabled globally anymore (regression)
- Renamed `Ciphers` to `Entries` in overview
- Improved `ADMIN_TOKEN` description
- Updated jquery-slim and datatables

Resolves #3382
Resolves #3415
Resolves discussion on #3288
2023-04-10 20:39:51 +02:00
BlackDex
3d11f4cd16 WebSockets via Rocket's Upgrade connection
This PR implements a (not yet fully released) new feature of Rocket which allows WebSockets/Upgrade connections.
No more need for multiple ports to be opened for Vaultwarden.
No explicit need for a reverse proxy to get WebSockets to work (Although I still suggest to use a reverse proxy).

- Using a git revision for Rocket, since `rocket_ws` is not yet released.
- Updated other crates as well.
- Added a connection guard to clear the WS connection from the Users list.

Fixes #685
Fixes #2917
Fixes #1424
2023-04-10 16:58:58 +02:00
Daniel García
3bd4e42fb0 Merge pull request #3427 from stefan0xC/check-if-policies-enabled
check if reset password policy is enabled
2023-04-09 19:02:27 +02:00
Stefan Melmuk
89e94b1d91 check if reset policy is enabled 2023-04-06 22:34:05 +02:00
Daniel García
0b28ab3be1 Merge pull request #3403 from BlackDex/update-dockerfile-and-rust
Revert setcap, update rust and crates
1.28.1
2023-04-02 15:39:36 +02:00
Daniel García
c5bcc340fa Merge pull request #3405 from BlackDex/fix-multiple-websocket-messages
Fix sending out multiple websocket notifications
2023-04-02 15:24:00 +02:00
BlackDex
bff54fbfdb Fix sending out multiple websocket notifications
For some reason I encountered a strange bug which resulted in sending
out multiple websocket notifications for the exact same user.

Added a `distinct()` for the query to filter out multiple uuid's.
2023-04-02 15:23:36 +02:00
Daniel García
867c6ba056 Merge pull request #3398 from stefan0xC/dont-expect-kdf-memory-or-parallelism
always return KdfMemory and KdfParallelism
2023-04-02 15:22:42 +02:00
Daniel García
d1ecf03f44 Merge pull request #3397 from nikolaevn/feature/add-admin-reinvite-endpoint
support `/users/<uuid>/invite/resend` admin api
2023-04-02 15:21:51 +02:00
BlackDex
fc43608eec Revert setcap, update rust and crates
- Revert #3170 as discussed in #3387
  In hindsight it's better to not have this feature
- Update Dockerfile.j2 for easy version changes.
  Just change it in one place instead of multiple
- Updated to Rust to latest patched version
- Updated crates to latest available
- Pinned mimalloc to an older version, as it breaks on musl builds
2023-04-02 15:19:59 +02:00
Daniel García
15dd05c78d Merge pull request #3390 from BlackDex/fix-abort-pw-reset-on-mail-error
Fix abort on pw reset mail error
2023-04-02 15:19:53 +02:00
Nikolay Nikolaev
aa6f774f65 add check user state 2023-03-31 14:03:37 +03:00
Nikolay Nikolaev
379f885354 add mail check 2023-03-31 13:00:57 +03:00
Stefan Melmuk
39a5f2dbe8 clear kdf memory and parallelism with pbkdf2
when changing back from argon2id to PBKDF2 the unused parameters
should be set to 0.

also fix small bug in _register
2023-03-31 07:31:40 +02:00
Stefan Melmuk
0daaa9b175 always return KdfMemory and KdfParallelism
the client will ignore the value of theses fields in case of `PBKDF2`
(whether they are unset or left from trying out `Argon2id` as KDF).

with `Argon2id` those fields should never be `null` but always in a
valid state. if they are `null` (how would that even happen?) the
client still assumes default values for `Argon2id` (i.e. m=64 and p=4)
and if they are set to something else login will fail anyway.
2023-03-31 01:10:28 +02:00
Nikolay Nikolaev
0c085d21ce fmt 2023-03-30 16:04:35 +03:00
Nikolay Nikolaev
dcaaa430f0 support /users/<uuid>/invite/resend admin api 2023-03-30 15:23:16 +03:00
BlackDex
2cda54ceff Fix password reset issues
There was used a wrong macro to produce an error message when mailing
the user his password was reset failed. It was using `error!()` which
does not return an `Err` and aborts the rest of the code.

This resulted in the users password still being resetted, but not being
notified. This PR fixes this by using `err!()`. Also, do not set the
user object as mutable until it really is needed.

Second, when a user was using the new Argon2id KDF with custom values
like memory and parallelism, that would have rendered the password
incorrect. The endpoint which should return all the data did not
returned all the new Argon2id values.

Fixes #3388

Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
2023-03-30 09:41:13 +02:00
Daniel García
525e6bb65a Merge pull request #3376 from jjlin/knowndevices-nopad
Decode knowndevice `X-Request-Email` as base64url with no padding
2023-03-27 09:32:25 +02:00
Jeremy Lin
62cebebd3d Decode knowndevice X-Request-Email as base64url with no padding
The clients end up removing the padding characters [1][2].

[1] https://github.com/bitwarden/clients/blob/web-v2023.3.0/libs/common/src/misc/utils.ts#L141-L143
[2] https://github.com/bitwarden/mobile/blob/v2023.3.1/src/Core/Utilities/CoreHelpers.cs#L227-L234
2023-03-27 00:03:54 -07:00
Daniel García
3646f14042 Update web vault to v2023.3.0b 1.28.0 2023-03-26 14:10:51 +02:00