mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-09-09 10:25:56 +03:00
cff6c2b3af
* Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>
93 lines
4.9 KiB
TypeScript
93 lines
4.9 KiB
TypeScript
import { expect, type Page, Test } from '@playwright/test';
|
|
import { type MailBuffer } from 'maildev';
|
|
import * as OTPAuth from "otpauth";
|
|
|
|
import * as utils from '../../global-utils';
|
|
|
|
export async function activateTOTP(test: Test, page: Page, user: { name: string, password: string }): OTPAuth.TOTP {
|
|
return await test.step('Activate TOTP 2FA', async () => {
|
|
await page.getByRole('button', { name: user.name }).click();
|
|
await page.getByRole('menuitem', { name: 'Account settings' }).click();
|
|
await page.getByRole('link', { name: 'Security' }).click();
|
|
await page.getByRole('link', { name: 'Two-step login' }).click();
|
|
await page.locator('bit-item').filter({ hasText: /Authenticator app/ }).getByRole('button').click();
|
|
await page.getByLabel('Master password (required)').fill(user.password);
|
|
await page.getByRole('button', { name: 'Continue' }).click();
|
|
|
|
const secret = await page.getByLabel('Key').innerText();
|
|
let totp = new OTPAuth.TOTP({ secret, period: 30 });
|
|
|
|
await page.getByLabel(/Verification code/).fill(totp.generate());
|
|
await page.getByRole('button', { name: 'Turn on' }).click();
|
|
await page.getByRole('heading', { name: 'Turned on', exact: true });
|
|
await page.getByLabel('Close').click();
|
|
|
|
return totp;
|
|
})
|
|
}
|
|
|
|
export async function disableTOTP(test: Test, page: Page, user: { password: string }) {
|
|
await test.step('Disable TOTP 2FA', async () => {
|
|
await page.getByRole('button', { name: 'Test' }).click();
|
|
await page.getByRole('menuitem', { name: 'Account settings' }).click();
|
|
await page.getByRole('link', { name: 'Security' }).click();
|
|
await page.getByRole('link', { name: 'Two-step login' }).click();
|
|
await page.locator('bit-item').filter({ hasText: /Authenticator app/ }).getByRole('button').click();
|
|
await page.getByLabel('Master password (required)').click();
|
|
await page.getByLabel('Master password (required)').fill(user.password);
|
|
await page.getByRole('button', { name: 'Continue' }).click();
|
|
await page.getByRole('button', { name: 'Turn off' }).click();
|
|
await page.getByRole('button', { name: 'Yes' }).click();
|
|
await utils.checkNotification(page, 'Two-step login provider turned off');
|
|
});
|
|
}
|
|
|
|
export async function activateEmail(test: Test, page: Page, user: { name: string, password: string }, mailBuffer: MailBuffer) {
|
|
await test.step('Activate Email 2FA', async () => {
|
|
await page.getByRole('button', { name: user.name }).click();
|
|
await page.getByRole('menuitem', { name: 'Account settings' }).click();
|
|
await page.getByRole('link', { name: 'Security' }).click();
|
|
await page.getByRole('link', { name: 'Two-step login' }).click();
|
|
await page.locator('bit-item').filter({ hasText: 'Email Email Enter a code sent' }).getByRole('button').click();
|
|
await page.getByLabel('Master password (required)').fill(user.password);
|
|
await page.getByRole('button', { name: 'Continue' }).click();
|
|
await page.getByRole('button', { name: 'Send email' }).click();
|
|
});
|
|
|
|
let code = await retrieveEmailCode(test, page, mailBuffer);
|
|
|
|
await test.step('input code', async () => {
|
|
await page.getByLabel('2. Enter the resulting 6').fill(code);
|
|
await page.getByRole('button', { name: 'Turn on' }).click();
|
|
await page.getByRole('heading', { name: 'Turned on', exact: true });
|
|
});
|
|
}
|
|
|
|
export async function retrieveEmailCode(test: Test, page: Page, mailBuffer: MailBuffer): string {
|
|
return await test.step('retrieve code', async () => {
|
|
const codeMail = await mailBuffer.expect((mail) => mail.subject.includes("Login Verification Code"));
|
|
const page2 = await page.context().newPage();
|
|
await page2.setContent(codeMail.html);
|
|
const code = await page2.getByTestId("2fa").innerText();
|
|
await page2.close();
|
|
return code;
|
|
});
|
|
}
|
|
|
|
export async function disableEmail(test: Test, page: Page, user: { password: string }) {
|
|
await test.step('Disable Email 2FA', async () => {
|
|
await page.getByRole('button', { name: 'Test' }).click();
|
|
await page.getByRole('menuitem', { name: 'Account settings' }).click();
|
|
await page.getByRole('link', { name: 'Security' }).click();
|
|
await page.getByRole('link', { name: 'Two-step login' }).click();
|
|
await page.locator('bit-item').filter({ hasText: 'Email' }).getByRole('button').click();
|
|
await page.getByLabel('Master password (required)').click();
|
|
await page.getByLabel('Master password (required)').fill(user.password);
|
|
await page.getByRole('button', { name: 'Continue' }).click();
|
|
await page.getByRole('button', { name: 'Turn off' }).click();
|
|
await page.getByRole('button', { name: 'Yes' }).click();
|
|
|
|
await utils.checkNotification(page, 'Two-step login provider turned off');
|
|
});
|
|
}
|