* Add SSO functionality using OpenID Connect
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
* Improvements and error handling
* Stop rolling device token
* Add playwright tests
* Activate PKCE by default
* Ensure result order when searching for sso_user
* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
* Toggle SSO button in scss
* Base64 encode state before sending it to providers
* Prevent disabled User from SSO login
* Review fixes
* Remove unused UserOrganization.invited_by_email
* Split SsoUser::find_by_identifier_or_email
* api::Accounts::verify_password add the policy even if it's ignored
* Disable signups if SSO_ONLY is activated
* Add verifiedDate to organizations::get_org_domain_sso_details
* Review fixes
* Remove OrganizationId guard from get_master_password_policy
* Add wrapper type OIDCCode OIDCState OIDCIdentifier
* Membership::confirm_user_invitations fix and tests
* Allow set-password only if account is unitialized
* Review fixes
* Prevent accepting another user invitation
* Log password change event on SSO account creation
* Unify master password policy resolution
* Upgrade openidconnect to 4.0.0
* Revert "Remove unused UserOrganization.invited_by_email"
This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.
* Process org enrollment in accounts::post_set_password
* Improve tests
* Pass the claim invited_by_email in case it was not in db
* Add Slack configuration hints
* Fix playwright tests
* Skip broken tests
* Add sso identifier in admin user panel
* Remove duplicate expiration check, add a log
* Augment mobile refresh_token validity
* Rauthy configuration hints
* Fix playwright tests
* Playwright upgrade and conf improvement
* Playwright tests improvements
* 2FA email and device creation change
* Fix and improve Playwright tests
* Minor improvements
* Fix enforceOnLogin org policies
* Run playwright sso tests against correct db
* PKCE should now work with Zitadel
* Playwright upgrade maildev to use MailBuffer.expect
* Upgrades playwright tests deps
* Check email_verified in id_token and user_info
* Add sso verified endpoint for v2025.6.0
* Fix playwright tests
* Create a separate sso_client
* Upgrade openidconnect to 4.0.1
* Server settings for login fields toggle
* Use only css for login fields
* Fix playwright test
* Review fix
* More review fix
* Perform same checks when setting kdf
---------
Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>
* WIP Sync with Upstream
WIP on syncing API Responses with upstream.
This to prevent issues with new clients, and find possible current issues like members, collections, groups etc..
Signed-off-by: BlackDex <black.dex@gmail.com>
* More API Response fixes
- Some 2fa checks
- Some org checks
- Reconfigured the experimental flags and noted which are deprecated
Also removed some hard-coded defaults.
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add avatar color to emergency access api
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling and some crate updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use PushId and always generate the PushId
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix several Push issues and API's
Signed-off-by: BlackDex <black.dex@gmail.com>
* Check if push_uuid is empty and generate when needed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated some comments and removed old export format
Signed-off-by: BlackDex <black.dex@gmail.com>
* cargo update
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix bulk edit Fixes#5737
Signed-off-by: BlackDex <black.dex@gmail.com>
* Send an email when an account exists already
When you want to change your email address into an account which already exists, upstream sends an email to the existing account.
Lets do the same.
Kinda fixes#5630
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update 2fa removal/revoke email
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow col managers to import
This commit adds functionality to allow users with manage access to a collection, or managers with all access to import into an organization.
Fixes#5592
Signed-off-by: BlackDex <black.dex@gmail.com>
* Filter deprected flags and only return active flags
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix grammer
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename Small to Compact
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rebase with upstream and fix conflicts
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* rename membership
rename UserOrganization to Membership to clarify the relation
and prevent confusion whether something refers to a member(ship) or user
* use newtype pattern
* implement custom derive macro IdFromParam
* add UuidFromParam macro for UUIDs
* add macros to Docker build
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
---------
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
Fixed an issue with login with device for the new Bitwrden Beta clients.
They seem to not support ISO8601 milli date/time, only micro.
Also updated the device display names to match Upstream and added the
CLI devices which were missing.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated sqlite crate
- Updated chrono crate
The latter needed a lot of changes done, mostly `Duration` to `TimeDelta`.
And some changes on how to use Naive.
save the push token of new device even if push notifications are not
enabled and provide a way to register the push device at login
unregister device if there already is a push token saved unless the
new token has already been registered.
also the `unregister_push_device` function used the wrong argument
cf. 08d380900b/src/Core/Services/Implementations/RelayPushRegistrationService.cs (L43)
Large JWT's could cause issue because of header or body sizes of the
HTTP request could get too large when you are a member of a lot of organizations.
This PR removes these specific keys since they are not used either
client side or server side.
Because Bitwarden does add these in there JWT's i would suggest to keep
the code we had but then commented out as a reference.
Removing it and searching for this when needed would be a waist of time.
Fixes#4156
This is a WIP for adding organization token login support.
It has basic token login and verification support, but that's about it.
This branch is a refresh of the previous version, and will contain code
from a PR based upon my previous branch.
All uses of `get_random()` were in the form of:
`&get_random(vec![0u8; SIZE])`
with `SIZE` being a constant.
Building a `Vec` is unnecessary for two reasons. First, it uses a
very short-lived dynamic memory allocation. Second, a `Vec` is a
resizable object, which is useless in those context when random
data have a fixed size and will only be read.
`get_random_bytes()` takes a constant as a generic parameter and
returns an array with the requested number of random bytes.
Stack safety analysis: the random bytes will be allocated on the
caller stack for a very short time (until the encoding function has
been called on the data). In some cases, the random bytes take
less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit
computer). The maximum used size is 180 bytes, which makes it
for 0.008% of the default stack size for a Rust thread (2MiB),
so this is a non-issue.
Also, most of the uses of those random bytes are to encode them
using an `Encoding`. The function `crypto::encode_random_bytes()`
generates random bytes and encode them with the provided
`Encoding`, leading to code deduplication.
`generate_id()` has also been converted to use a constant generic
parameter as well since the length of the requested String is always
a constant.
A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 .
I added a few more clippy lints here, and fixed the resulted issues.
Overall i think this could help in preventing future issues, and maybe
even peformance problems. It also makes some code a bit more clear.
We could always add more if we want to, i left a few out which i think
arn't that huge of an issue. Some like the `unused_async` are nice,
which resulted in a few `async` removals.
Some others are maybe a bit more estatic, like `string_to_string`, but i
think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
Improved sync speed by resolving the N+1 query issues.
Solves #1402 and Solves #1453
With this change there is just one query done to retreive all the
important data, and matching is done in-code/memory.
With a very large database the sync time went down about 3 times.
Also updated misc crates and Github Actions versions.
- Updated jsonwebtoken to latest version
- Trim `username` received from the login form ( Fixes#2348 )
- Make uuid and user_uuid a combined primary key for the devices table ( Fixes#2295 )
- Updated crates including regex which contains a CVE ( https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html )
This is a rather large PR which updates the async branch to have all the
database methods as an async fn.
Some iter/map logic needed to be changed to a stream::iter().then(), but
besides that most changes were just adding async/await where needed.
An incomplete 2FA login is one where the correct master password was provided,
but the 2FA token or action required to complete the login was not provided
within the configured time limit. This potentially indicates that the user's
master password has been compromised, but the login was blocked by 2FA.
Be aware that the 2FA step can usually still be completed after the email
notification has already been sent out, which could be confusing. Therefore,
the incomplete 2FA time limit should be long enough that this situation would
be unlikely. This feature can also be disabled entirely if desired.
Diesel requires the following changes:
- Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type
- Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names
- Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones
- Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
PostgreSQL updates/inserts ignored None/null values.
This is nice for new entries, but not for updates.
Added derive option to allways add these none/null values for Option<>
variables.
This solves issue #965
This includes migrations as well as Dockerfile's for amd64.
The biggest change is that replace_into isn't supported by Diesel for the
PostgreSQL backend, instead requiring the use of on_conflict. This
unfortunately requires a branch for save() on all of the models currently
using replace_into.
Improved error logging, now it won't show a generic error message in some situations.
Removed delete device, which is not needed as it will be overwritten later.
Logged more info when an error occurs saving a device.
Added orgmanager to JWT claims.
Known missing:
- import ciphers, create ciphers types other than login and card, update ciphers
- clear and put device_tokens
- Equivalent domains
- Organizations
