2019-11-25 06:28:49 +01:00
|
|
|
use chrono::Utc;
|
2021-11-07 18:53:39 +01:00
|
|
|
use rocket::serde::json::Json;
|
2021-03-27 16:07:26 +01:00
|
|
|
use serde_json::Value;
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2020-07-14 18:00:09 +02:00
|
|
|
use crate::{
|
|
|
|
api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType},
|
|
|
|
auth::{decode_delete, decode_invite, decode_verify_email, Headers},
|
|
|
|
crypto,
|
|
|
|
db::{models::*, DbConn},
|
|
|
|
mail, CONFIG,
|
|
|
|
};
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2020-07-14 18:00:09 +02:00
|
|
|
pub fn routes() -> Vec<rocket::Route> {
|
2018-10-10 20:40:39 +02:00
|
|
|
routes![
|
|
|
|
register,
|
|
|
|
profile,
|
|
|
|
put_profile,
|
|
|
|
post_profile,
|
|
|
|
get_public_keys,
|
|
|
|
post_keys,
|
|
|
|
post_password,
|
|
|
|
post_kdf,
|
2018-11-24 23:00:41 +01:00
|
|
|
post_rotatekey,
|
2018-10-10 20:40:39 +02:00
|
|
|
post_sstamp,
|
|
|
|
post_email_token,
|
|
|
|
post_email,
|
2019-11-25 06:28:49 +01:00
|
|
|
post_verify_email,
|
|
|
|
post_verify_email_token,
|
|
|
|
post_delete_recover,
|
|
|
|
post_delete_recover_token,
|
2018-10-10 20:40:39 +02:00
|
|
|
delete_account,
|
|
|
|
post_delete_account,
|
|
|
|
revision_date,
|
|
|
|
password_hint,
|
|
|
|
prelogin,
|
2020-09-25 18:26:48 +02:00
|
|
|
verify_password,
|
2022-01-19 11:51:26 +01:00
|
|
|
api_key,
|
|
|
|
rotate_api_key,
|
2018-10-10 20:40:39 +02:00
|
|
|
]
|
|
|
|
}
|
|
|
|
|
2018-02-10 01:00:55 +01:00
|
|
|
#[derive(Deserialize, Debug)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct RegisterData {
|
2018-06-01 00:18:50 +02:00
|
|
|
Email: String,
|
2018-09-19 17:30:14 +02:00
|
|
|
Kdf: Option<i32>,
|
|
|
|
KdfIterations: Option<i32>,
|
2018-06-01 00:18:50 +02:00
|
|
|
Key: String,
|
|
|
|
Keys: Option<KeysData>,
|
|
|
|
MasterPasswordHash: String,
|
|
|
|
MasterPasswordHint: Option<String>,
|
|
|
|
Name: Option<String>,
|
2018-12-21 04:16:41 +01:00
|
|
|
Token: Option<String>,
|
2021-09-22 21:39:31 +02:00
|
|
|
#[allow(dead_code)]
|
2018-12-21 04:16:41 +01:00
|
|
|
OrganizationUserId: Option<String>,
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize, Debug)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct KeysData {
|
2018-06-01 00:35:30 +02:00
|
|
|
EncryptedPrivateKey: String,
|
|
|
|
PublicKey: String,
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/register", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: RegisterData = data.into_inner().data;
|
2021-09-09 13:50:18 +02:00
|
|
|
let email = data.Email.to_lowercase();
|
2018-02-17 23:38:55 +01:00
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
let mut user = match User::find_by_mail(&email, &conn).await {
|
2018-11-24 23:00:41 +01:00
|
|
|
Some(user) => {
|
2019-01-08 15:11:16 +01:00
|
|
|
if !user.password_hash.is_empty() {
|
2021-09-09 13:50:18 +02:00
|
|
|
if CONFIG.is_signup_allowed(&email) {
|
2019-11-01 23:34:42 +01:00
|
|
|
err!("User already exists")
|
|
|
|
} else {
|
|
|
|
err!("Registration not allowed or user already exists")
|
|
|
|
}
|
2019-01-08 15:11:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(token) = data.Token {
|
2019-01-19 21:36:34 +01:00
|
|
|
let claims = decode_invite(&token)?;
|
2021-09-09 13:50:18 +02:00
|
|
|
if claims.email == email {
|
2018-12-15 03:56:00 +01:00
|
|
|
user
|
|
|
|
} else {
|
2019-01-08 15:11:16 +01:00
|
|
|
err!("Registration email does not match invite email")
|
|
|
|
}
|
2021-11-16 17:07:55 +01:00
|
|
|
} else if Invitation::take(&email, &conn).await {
|
|
|
|
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).await.iter_mut() {
|
2019-01-08 15:11:16 +01:00
|
|
|
user_org.status = UserOrgStatus::Accepted as i32;
|
2021-11-16 17:07:55 +01:00
|
|
|
user_org.save(&conn).await?;
|
2018-11-24 23:00:41 +01:00
|
|
|
}
|
2022-01-07 18:55:48 +01:00
|
|
|
user
|
2021-11-16 17:07:55 +01:00
|
|
|
} else if EmergencyAccess::find_invited_by_grantee_email(&email, &conn).await.is_some() {
|
2019-01-08 15:11:16 +01:00
|
|
|
user
|
2021-09-09 13:50:18 +02:00
|
|
|
} else if CONFIG.is_signup_allowed(&email) {
|
2022-01-07 18:55:48 +01:00
|
|
|
err!("Account with this email already exists")
|
2018-09-10 15:51:40 +02:00
|
|
|
} else {
|
2019-11-01 23:34:42 +01:00
|
|
|
err!("Registration not allowed or user already exists")
|
2018-09-10 15:51:40 +02:00
|
|
|
}
|
2018-11-24 23:00:41 +01:00
|
|
|
}
|
2018-09-10 15:51:40 +02:00
|
|
|
None => {
|
2020-04-09 10:42:27 +02:00
|
|
|
// Order is important here; the invitation check must come first
|
2021-04-27 23:18:32 +02:00
|
|
|
// because the vaultwarden admin can invite anyone, regardless
|
2020-04-09 10:42:27 +02:00
|
|
|
// of other signup restrictions.
|
2021-11-16 17:07:55 +01:00
|
|
|
if Invitation::take(&email, &conn).await || CONFIG.is_signup_allowed(&email) {
|
2021-09-09 13:50:18 +02:00
|
|
|
User::new(email.clone())
|
2018-09-10 15:51:40 +02:00
|
|
|
} else {
|
2019-11-01 23:34:42 +01:00
|
|
|
err!("Registration not allowed or user already exists")
|
2018-09-10 15:51:40 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
};
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2019-01-08 15:11:16 +01:00
|
|
|
// Make sure we don't leave a lingering invitation.
|
2021-11-16 17:07:55 +01:00
|
|
|
Invitation::take(&email, &conn).await;
|
2019-01-08 15:11:16 +01:00
|
|
|
|
2018-09-19 17:30:14 +02:00
|
|
|
if let Some(client_kdf_iter) = data.KdfIterations {
|
|
|
|
user.client_kdf_iter = client_kdf_iter;
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(client_kdf_type) = data.Kdf {
|
|
|
|
user.client_kdf_type = client_kdf_type;
|
|
|
|
}
|
|
|
|
|
2020-12-14 19:58:23 +01:00
|
|
|
user.set_password(&data.MasterPasswordHash, None);
|
2019-05-20 21:24:29 +02:00
|
|
|
user.akey = data.Key;
|
2018-02-10 01:00:55 +01:00
|
|
|
|
|
|
|
// Add extra fields if present
|
2018-06-01 00:18:50 +02:00
|
|
|
if let Some(name) = data.Name {
|
2018-02-10 01:00:55 +01:00
|
|
|
user.name = name;
|
|
|
|
}
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if let Some(hint) = data.MasterPasswordHint {
|
2018-02-10 01:00:55 +01:00
|
|
|
user.password_hint = Some(hint);
|
|
|
|
}
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if let Some(keys) = data.Keys {
|
2018-06-01 00:35:30 +02:00
|
|
|
user.private_key = Some(keys.EncryptedPrivateKey);
|
|
|
|
user.public_key = Some(keys.PublicKey);
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
2019-11-25 06:28:49 +01:00
|
|
|
if CONFIG.mail_enabled() {
|
|
|
|
if CONFIG.signups_verify() {
|
|
|
|
if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid) {
|
|
|
|
error!("Error sending welcome email: {:#?}", e);
|
|
|
|
}
|
|
|
|
|
|
|
|
user.last_verifying_at = Some(user.created_at);
|
2021-03-27 15:03:31 +01:00
|
|
|
} else if let Err(e) = mail::send_welcome(&user.email) {
|
|
|
|
error!("Error sending welcome email: {:#?}", e);
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[get("/accounts/profile")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn profile(headers: Headers, conn: DbConn) -> Json<Value> {
|
|
|
|
Json(headers.user.to_json(&conn).await)
|
2018-04-24 22:01:55 +02:00
|
|
|
}
|
|
|
|
|
2018-06-17 00:06:59 +02:00
|
|
|
#[derive(Deserialize, Debug)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct ProfileData {
|
|
|
|
#[serde(rename = "Culture")]
|
2018-11-24 23:00:41 +01:00
|
|
|
_Culture: String, // Ignored, always use en-US
|
2018-06-17 00:06:59 +02:00
|
|
|
MasterPasswordHint: Option<String>,
|
|
|
|
Name: String,
|
|
|
|
}
|
|
|
|
|
2018-08-15 17:10:40 +02:00
|
|
|
#[put("/accounts/profile", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn put_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
|
|
|
|
post_profile(data, headers, conn).await
|
2018-08-15 17:10:40 +02:00
|
|
|
}
|
|
|
|
|
2018-06-17 00:06:59 +02:00
|
|
|
#[post("/accounts/profile", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
|
2018-06-17 00:06:59 +02:00
|
|
|
let data: ProfileData = data.into_inner().data;
|
|
|
|
|
|
|
|
let mut user = headers.user;
|
|
|
|
|
|
|
|
user.name = data.Name;
|
2018-09-11 13:00:59 +02:00
|
|
|
user.password_hint = match data.MasterPasswordHint {
|
|
|
|
Some(ref h) if h.is_empty() => None,
|
|
|
|
_ => data.MasterPasswordHint,
|
|
|
|
};
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await?;
|
|
|
|
Ok(Json(user.to_json(&conn).await))
|
2018-06-17 00:06:59 +02:00
|
|
|
}
|
|
|
|
|
2018-04-24 22:01:55 +02:00
|
|
|
#[get("/users/<uuid>/public-key")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult {
|
|
|
|
let user = match User::find_by_uuid(&uuid, &conn).await {
|
2018-04-24 22:01:55 +02:00
|
|
|
Some(user) => user,
|
2018-11-24 23:00:41 +01:00
|
|
|
None => err!("User doesn't exist"),
|
2018-04-24 22:01:55 +02:00
|
|
|
};
|
|
|
|
|
2018-05-04 22:54:23 +02:00
|
|
|
Ok(Json(json!({
|
|
|
|
"UserId": user.uuid,
|
|
|
|
"PublicKey": user.public_key,
|
|
|
|
"Object":"userKey"
|
|
|
|
})))
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/keys", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> JsonResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: KeysData = data.into_inner().data;
|
2018-02-17 23:38:55 +01:00
|
|
|
|
2018-02-10 01:00:55 +01:00
|
|
|
let mut user = headers.user;
|
|
|
|
|
2018-06-01 00:35:30 +02:00
|
|
|
user.private_key = Some(data.EncryptedPrivateKey);
|
|
|
|
user.public_key = Some(data.PublicKey);
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await?;
|
2020-05-08 19:38:49 +02:00
|
|
|
|
|
|
|
Ok(Json(json!({
|
|
|
|
"PrivateKey": user.private_key,
|
|
|
|
"PublicKey": user.public_key,
|
|
|
|
"Object":"keys"
|
|
|
|
})))
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
2018-02-23 00:38:54 +01:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct ChangePassData {
|
2018-06-01 00:18:50 +02:00
|
|
|
MasterPasswordHash: String,
|
|
|
|
NewMasterPasswordHash: String,
|
|
|
|
Key: String,
|
2018-02-23 00:38:54 +01:00
|
|
|
}
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2018-02-23 00:38:54 +01:00
|
|
|
#[post("/accounts/password", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: ChangePassData = data.into_inner().data;
|
2018-02-10 01:00:55 +01:00
|
|
|
let mut user = headers.user;
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
2018-02-10 01:00:55 +01:00
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.
- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.
Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.
During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.
- Increased Send Size limit to 500MB (with a litle overhead)
As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
|
|
|
user.set_password(
|
|
|
|
&data.NewMasterPasswordHash,
|
2021-09-01 12:54:47 +02:00
|
|
|
Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
|
Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.
- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.
Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.
During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.
- Increased Send Size limit to 500MB (with a litle overhead)
As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
|
|
|
);
|
2019-05-20 21:24:29 +02:00
|
|
|
user.akey = data.Key;
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
2018-09-19 17:30:14 +02:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct ChangeKdfData {
|
|
|
|
Kdf: i32,
|
|
|
|
KdfIterations: i32,
|
|
|
|
|
|
|
|
MasterPasswordHash: String,
|
|
|
|
NewMasterPasswordHash: String,
|
|
|
|
Key: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/kdf", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-09-19 17:30:14 +02:00
|
|
|
let data: ChangeKdfData = data.into_inner().data;
|
|
|
|
let mut user = headers.user;
|
|
|
|
|
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
|
|
|
user.client_kdf_iter = data.KdfIterations;
|
|
|
|
user.client_kdf_type = data.Kdf;
|
2020-12-14 19:58:23 +01:00
|
|
|
user.set_password(&data.NewMasterPasswordHash, None);
|
2019-05-20 21:24:29 +02:00
|
|
|
user.akey = data.Key;
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-09-19 17:30:14 +02:00
|
|
|
}
|
|
|
|
|
2018-11-24 23:00:41 +01:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct UpdateFolderData {
|
|
|
|
Id: String,
|
|
|
|
Name: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
use super::ciphers::CipherData;
|
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct KeyData {
|
|
|
|
Ciphers: Vec<CipherData>,
|
|
|
|
Folders: Vec<UpdateFolderData>,
|
|
|
|
Key: String,
|
|
|
|
PrivateKey: String,
|
|
|
|
MasterPasswordHash: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/key", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
|
2018-11-24 23:00:41 +01:00
|
|
|
let data: KeyData = data.into_inner().data;
|
|
|
|
|
|
|
|
if !headers.user.check_valid_password(&data.MasterPasswordHash) {
|
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
|
|
|
let user_uuid = &headers.user.uuid;
|
|
|
|
|
|
|
|
// Update folder data
|
|
|
|
for folder_data in data.Folders {
|
2021-11-16 17:07:55 +01:00
|
|
|
let mut saved_folder = match Folder::find_by_uuid(&folder_data.Id, &conn).await {
|
2018-11-24 23:00:41 +01:00
|
|
|
Some(folder) => folder,
|
|
|
|
None => err!("Folder doesn't exist"),
|
|
|
|
};
|
|
|
|
|
|
|
|
if &saved_folder.user_uuid != user_uuid {
|
|
|
|
err!("The folder is not owned by the user")
|
|
|
|
}
|
|
|
|
|
|
|
|
saved_folder.name = folder_data.Name;
|
2021-11-16 17:07:55 +01:00
|
|
|
saved_folder.save(&conn).await?
|
2018-11-24 23:00:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Update cipher data
|
|
|
|
use super::ciphers::update_cipher_from_data;
|
|
|
|
|
|
|
|
for cipher_data in data.Ciphers {
|
2021-11-16 17:07:55 +01:00
|
|
|
let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &conn).await {
|
2018-11-24 23:00:41 +01:00
|
|
|
Some(cipher) => cipher,
|
|
|
|
None => err!("Cipher doesn't exist"),
|
|
|
|
};
|
|
|
|
|
|
|
|
if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
|
|
|
|
err!("The cipher is not owned by the user")
|
|
|
|
}
|
|
|
|
|
Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.
- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.
Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.
During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.
- Increased Send Size limit to 500MB (with a litle overhead)
As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
|
|
|
// Prevent triggering cipher updates via WebSockets by settings UpdateType::None
|
|
|
|
// The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
|
2021-11-16 17:07:55 +01:00
|
|
|
update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::None).await?
|
2018-11-24 23:00:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Update user data
|
|
|
|
let mut user = headers.user;
|
|
|
|
|
2019-05-20 21:24:29 +02:00
|
|
|
user.akey = data.Key;
|
2018-11-24 23:00:41 +01:00
|
|
|
user.private_key = Some(data.PrivateKey);
|
|
|
|
user.reset_security_stamp();
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-11-24 23:00:41 +01:00
|
|
|
}
|
|
|
|
|
2018-02-10 01:00:55 +01:00
|
|
|
#[post("/accounts/security-stamp", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: PasswordData = data.into_inner().data;
|
2018-02-10 01:00:55 +01:00
|
|
|
let mut user = headers.user;
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
2018-02-10 01:00:55 +01:00
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
Device::delete_all_by_user(&user.uuid, &conn).await?;
|
2018-02-10 01:00:55 +01:00
|
|
|
user.reset_security_stamp();
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
2018-02-23 00:38:54 +01:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
2018-06-17 00:06:59 +02:00
|
|
|
struct EmailTokenData {
|
2018-06-01 00:18:50 +02:00
|
|
|
MasterPasswordHash: String,
|
|
|
|
NewEmail: String,
|
2018-02-23 00:38:54 +01:00
|
|
|
}
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2018-02-23 00:38:54 +01:00
|
|
|
#[post("/accounts/email-token", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-06-17 00:06:59 +02:00
|
|
|
let data: EmailTokenData = data.into_inner().data;
|
2019-11-25 06:28:49 +01:00
|
|
|
let mut user = headers.user;
|
2018-06-17 00:06:59 +02:00
|
|
|
|
2019-11-25 06:28:49 +01:00
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
2018-06-17 00:06:59 +02:00
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
if User::find_by_mail(&data.NewEmail, &conn).await.is_some() {
|
2018-06-17 00:06:59 +02:00
|
|
|
err!("Email already in use");
|
|
|
|
}
|
|
|
|
|
2020-05-24 23:00:26 +02:00
|
|
|
if !CONFIG.is_email_domain_allowed(&data.NewEmail) {
|
|
|
|
err!("Email domain not allowed");
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:17:00 +01:00
|
|
|
let token = crypto::generate_email_token(6);
|
2019-11-25 06:28:49 +01:00
|
|
|
|
|
|
|
if CONFIG.mail_enabled() {
|
|
|
|
if let Err(e) = mail::send_change_email(&data.NewEmail, &token) {
|
|
|
|
error!("Error sending change-email email: {:#?}", e);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
user.email_new = Some(data.NewEmail);
|
|
|
|
user.email_new_token = Some(token);
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-06-17 00:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct ChangeEmailData {
|
|
|
|
MasterPasswordHash: String,
|
|
|
|
NewEmail: String,
|
2018-11-24 23:00:41 +01:00
|
|
|
|
2018-06-17 00:06:59 +02:00
|
|
|
Key: String,
|
|
|
|
NewMasterPasswordHash: String,
|
2019-11-25 06:28:49 +01:00
|
|
|
Token: NumberOrString,
|
2018-06-17 00:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/email", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: ChangeEmailData = data.into_inner().data;
|
2018-02-10 01:00:55 +01:00
|
|
|
let mut user = headers.user;
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
2018-02-10 01:00:55 +01:00
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
if User::find_by_mail(&data.NewEmail, &conn).await.is_some() {
|
2018-02-15 00:40:34 +01:00
|
|
|
err!("Email already in use");
|
|
|
|
}
|
|
|
|
|
2019-11-25 06:28:49 +01:00
|
|
|
match user.email_new {
|
|
|
|
Some(ref val) => {
|
2019-12-06 22:12:41 +01:00
|
|
|
if val != &data.NewEmail {
|
2019-11-25 06:28:49 +01:00
|
|
|
err!("Email change mismatch");
|
|
|
|
}
|
2019-12-06 22:12:41 +01:00
|
|
|
}
|
2019-11-25 06:28:49 +01:00
|
|
|
None => err!("No email change pending"),
|
|
|
|
}
|
|
|
|
|
|
|
|
if CONFIG.mail_enabled() {
|
|
|
|
// Only check the token if we sent out an email...
|
|
|
|
match user.email_new_token {
|
2019-12-06 22:12:41 +01:00
|
|
|
Some(ref val) => {
|
2019-11-25 06:28:49 +01:00
|
|
|
if *val != data.Token.into_string() {
|
|
|
|
err!("Token mismatch");
|
|
|
|
}
|
2019-12-06 22:12:41 +01:00
|
|
|
}
|
2019-11-25 06:28:49 +01:00
|
|
|
None => err!("No email change pending"),
|
|
|
|
}
|
|
|
|
user.verified_at = Some(Utc::now().naive_utc());
|
|
|
|
} else {
|
|
|
|
user.verified_at = None;
|
|
|
|
}
|
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
user.email = data.NewEmail;
|
2019-11-25 06:28:49 +01:00
|
|
|
user.email_new = None;
|
|
|
|
user.email_new_token = None;
|
2018-11-24 23:00:41 +01:00
|
|
|
|
2020-12-14 19:58:23 +01:00
|
|
|
user.set_password(&data.NewMasterPasswordHash, None);
|
2019-05-20 21:24:29 +02:00
|
|
|
user.akey = data.Key;
|
2018-06-17 00:06:59 +02:00
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
2019-11-25 06:28:49 +01:00
|
|
|
#[post("/accounts/verify-email")]
|
2021-11-05 19:18:54 +01:00
|
|
|
fn post_verify_email(headers: Headers) -> EmptyResult {
|
2019-11-25 06:28:49 +01:00
|
|
|
let user = headers.user;
|
|
|
|
|
|
|
|
if !CONFIG.mail_enabled() {
|
|
|
|
err!("Cannot verify email address");
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
|
2020-10-23 10:30:25 +02:00
|
|
|
error!("Error sending verify_email email: {:#?}", e);
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct VerifyEmailTokenData {
|
|
|
|
UserId: String,
|
|
|
|
Token: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/verify-email-token", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_verify_email_token(data: JsonUpcase<VerifyEmailTokenData>, conn: DbConn) -> EmptyResult {
|
2019-11-25 06:28:49 +01:00
|
|
|
let data: VerifyEmailTokenData = data.into_inner().data;
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
let mut user = match User::find_by_uuid(&data.UserId, &conn).await {
|
2019-11-25 06:28:49 +01:00
|
|
|
Some(user) => user,
|
|
|
|
None => err!("User doesn't exist"),
|
|
|
|
};
|
|
|
|
|
|
|
|
let claims = match decode_verify_email(&data.Token) {
|
|
|
|
Ok(claims) => claims,
|
|
|
|
Err(_) => err!("Invalid claim"),
|
|
|
|
};
|
|
|
|
if claims.sub != user.uuid {
|
2019-12-06 22:12:41 +01:00
|
|
|
err!("Invalid claim");
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
|
|
|
user.verified_at = Some(Utc::now().naive_utc());
|
|
|
|
user.last_verifying_at = None;
|
|
|
|
user.login_verify_count = 0;
|
2021-11-16 17:07:55 +01:00
|
|
|
if let Err(e) = user.save(&conn).await {
|
2019-11-25 06:28:49 +01:00
|
|
|
error!("Error saving email verification: {:#?}", e);
|
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct DeleteRecoverData {
|
|
|
|
Email: String,
|
|
|
|
}
|
|
|
|
|
2019-12-06 22:12:41 +01:00
|
|
|
#[post("/accounts/delete-recover", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_delete_recover(data: JsonUpcase<DeleteRecoverData>, conn: DbConn) -> EmptyResult {
|
2019-11-25 06:28:49 +01:00
|
|
|
let data: DeleteRecoverData = data.into_inner().data;
|
|
|
|
|
|
|
|
if CONFIG.mail_enabled() {
|
2021-11-16 17:07:55 +01:00
|
|
|
if let Some(user) = User::find_by_mail(&data.Email, &conn).await {
|
2019-11-25 06:28:49 +01:00
|
|
|
if let Err(e) = mail::send_delete_account(&user.email, &user.uuid) {
|
|
|
|
error!("Error sending delete account email: {:#?}", e);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
} else {
|
|
|
|
// We don't support sending emails, but we shouldn't allow anybody
|
|
|
|
// to delete accounts without at least logging in... And if the user
|
|
|
|
// cannot remember their password then they will need to contact
|
|
|
|
// the administrator to delete it...
|
|
|
|
err!("Please contact the administrator to delete your account");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct DeleteRecoverTokenData {
|
|
|
|
UserId: String,
|
|
|
|
Token: String,
|
|
|
|
}
|
|
|
|
|
2019-12-06 22:12:41 +01:00
|
|
|
#[post("/accounts/delete-recover-token", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_delete_recover_token(data: JsonUpcase<DeleteRecoverTokenData>, conn: DbConn) -> EmptyResult {
|
2019-11-25 06:28:49 +01:00
|
|
|
let data: DeleteRecoverTokenData = data.into_inner().data;
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
let user = match User::find_by_uuid(&data.UserId, &conn).await {
|
2019-11-25 06:28:49 +01:00
|
|
|
Some(user) => user,
|
|
|
|
None => err!("User doesn't exist"),
|
|
|
|
};
|
|
|
|
|
|
|
|
let claims = match decode_delete(&data.Token) {
|
|
|
|
Ok(claims) => claims,
|
|
|
|
Err(_) => err!("Invalid claim"),
|
|
|
|
};
|
|
|
|
if claims.sub != user.uuid {
|
2019-12-06 22:12:41 +01:00
|
|
|
err!("Invalid claim");
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
2021-11-16 17:07:55 +01:00
|
|
|
user.delete(&conn).await
|
2019-11-25 06:28:49 +01:00
|
|
|
}
|
|
|
|
|
2018-02-10 01:00:55 +01:00
|
|
|
#[post("/accounts/delete", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
|
|
|
delete_account(data, headers, conn).await
|
2018-09-18 12:13:45 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[delete("/accounts", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
|
2018-06-01 00:18:50 +02:00
|
|
|
let data: PasswordData = data.into_inner().data;
|
2018-02-15 00:53:11 +01:00
|
|
|
let user = headers.user;
|
2018-02-10 01:00:55 +01:00
|
|
|
|
2018-06-01 00:18:50 +02:00
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
2018-02-10 01:00:55 +01:00
|
|
|
err!("Invalid password")
|
|
|
|
}
|
2018-11-24 23:00:41 +01:00
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
user.delete(&conn).await
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[get("/accounts/revision-date")]
|
2018-02-17 20:47:13 +01:00
|
|
|
fn revision_date(headers: Headers) -> String {
|
2018-08-10 18:17:44 +02:00
|
|
|
let revision_date = headers.user.updated_at.timestamp_millis();
|
2018-02-17 20:47:13 +01:00
|
|
|
revision_date.to_string()
|
2018-02-10 01:00:55 +01:00
|
|
|
}
|
2018-08-10 15:21:42 +02:00
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct PasswordHintData {
|
|
|
|
Email: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/password-hint", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResult {
|
2021-07-10 10:21:27 +02:00
|
|
|
if !CONFIG.mail_enabled() && !CONFIG.show_password_hint() {
|
|
|
|
err!("This server is not configured to provide password hints.");
|
|
|
|
}
|
2018-08-10 15:21:42 +02:00
|
|
|
|
2021-07-10 10:21:27 +02:00
|
|
|
const NO_HINT: &str = "Sorry, you have no password hint...";
|
2018-08-15 08:32:19 +02:00
|
|
|
|
2021-07-10 10:21:27 +02:00
|
|
|
let data: PasswordHintData = data.into_inner().data;
|
|
|
|
let email = &data.Email;
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
match User::find_by_mail(email, &conn).await {
|
2021-07-10 10:21:27 +02:00
|
|
|
None => {
|
|
|
|
// To prevent user enumeration, act as if the user exists.
|
|
|
|
if CONFIG.mail_enabled() {
|
|
|
|
// There is still a timing side channel here in that the code
|
|
|
|
// paths that send mail take noticeably longer than ones that
|
|
|
|
// don't. Add a randomized sleep to mitigate this somewhat.
|
|
|
|
use rand::{thread_rng, Rng};
|
|
|
|
let mut rng = thread_rng();
|
|
|
|
let base = 1000;
|
|
|
|
let delta: i32 = 100;
|
|
|
|
let sleep_ms = (base + rng.gen_range(-delta..=delta)) as u64;
|
|
|
|
std::thread::sleep(std::time::Duration::from_millis(sleep_ms));
|
|
|
|
Ok(())
|
|
|
|
} else {
|
|
|
|
err!(NO_HINT);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Some(user) => {
|
|
|
|
let hint: Option<String> = user.password_hint;
|
|
|
|
if CONFIG.mail_enabled() {
|
|
|
|
mail::send_password_hint(email, hint)?;
|
|
|
|
Ok(())
|
|
|
|
} else if let Some(hint) = hint {
|
|
|
|
err!(format!("Your password hint is: {}", hint));
|
|
|
|
} else {
|
|
|
|
err!(NO_HINT);
|
|
|
|
}
|
2018-09-11 13:04:34 +02:00
|
|
|
}
|
2018-08-10 15:21:42 +02:00
|
|
|
}
|
|
|
|
}
|
2018-08-24 19:02:34 +02:00
|
|
|
|
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
struct PreloginData {
|
|
|
|
Email: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/prelogin", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> Json<Value> {
|
2018-08-24 19:02:34 +02:00
|
|
|
let data: PreloginData = data.into_inner().data;
|
|
|
|
|
2021-11-16 17:07:55 +01:00
|
|
|
let (kdf_type, kdf_iter) = match User::find_by_mail(&data.Email, &conn).await {
|
2018-09-19 17:30:14 +02:00
|
|
|
Some(user) => (user.client_kdf_type, user.client_kdf_iter),
|
|
|
|
None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT),
|
2018-09-13 23:04:52 +02:00
|
|
|
};
|
|
|
|
|
2021-03-27 16:07:26 +01:00
|
|
|
Json(json!({
|
2018-09-13 23:04:52 +02:00
|
|
|
"Kdf": kdf_type,
|
|
|
|
"KdfIterations": kdf_iter
|
2021-03-27 16:07:26 +01:00
|
|
|
}))
|
2018-08-24 19:02:34 +02:00
|
|
|
}
|
2022-01-19 11:51:26 +01:00
|
|
|
|
|
|
|
// https://github.com/bitwarden/server/blob/master/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
|
2020-09-25 18:26:48 +02:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
#[allow(non_snake_case)]
|
2022-01-19 11:51:26 +01:00
|
|
|
struct SecretVerificationRequest {
|
2020-09-25 18:26:48 +02:00
|
|
|
MasterPasswordHash: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/verify-password", data = "<data>")]
|
2022-01-19 11:51:26 +01:00
|
|
|
fn verify_password(data: JsonUpcase<SecretVerificationRequest>, headers: Headers) -> EmptyResult {
|
|
|
|
let data: SecretVerificationRequest = data.into_inner().data;
|
2020-09-25 18:26:48 +02:00
|
|
|
let user = headers.user;
|
|
|
|
|
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
2022-01-19 11:51:26 +01:00
|
|
|
|
2022-01-30 22:03:27 +01:00
|
|
|
async fn _api_key(
|
|
|
|
data: JsonUpcase<SecretVerificationRequest>,
|
|
|
|
rotate: bool,
|
|
|
|
headers: Headers,
|
|
|
|
conn: DbConn,
|
|
|
|
) -> JsonResult {
|
2022-01-19 11:51:26 +01:00
|
|
|
let data: SecretVerificationRequest = data.into_inner().data;
|
|
|
|
let mut user = headers.user;
|
|
|
|
|
|
|
|
if !user.check_valid_password(&data.MasterPasswordHash) {
|
|
|
|
err!("Invalid password")
|
|
|
|
}
|
|
|
|
|
|
|
|
if rotate || user.api_key.is_none() {
|
|
|
|
user.api_key = Some(crypto::generate_api_key());
|
2021-11-16 17:07:55 +01:00
|
|
|
user.save(&conn).await.expect("Error saving API key");
|
2022-01-19 11:51:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
Ok(Json(json!({
|
|
|
|
"ApiKey": user.api_key,
|
|
|
|
"Object": "apiKey",
|
|
|
|
})))
|
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/api-key", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn api_key(data: JsonUpcase<SecretVerificationRequest>, headers: Headers, conn: DbConn) -> JsonResult {
|
|
|
|
_api_key(data, false, headers, conn).await
|
2022-01-19 11:51:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#[post("/accounts/rotate-api-key", data = "<data>")]
|
2021-11-16 17:07:55 +01:00
|
|
|
async fn rotate_api_key(data: JsonUpcase<SecretVerificationRequest>, headers: Headers, conn: DbConn) -> JsonResult {
|
|
|
|
_api_key(data, true, headers, conn).await
|
2022-01-19 11:51:26 +01:00
|
|
|
}
|