mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2025-03-12 16:47:03 +01:00
Code Issues Releases Aktivität
vaultwarden/src/api/core/mod.rs

249 Zeilen
8,1 KiB
Rust
Originalformat Normale Ansicht Verlauf

Several updates and fixes - Removed all `thread::sleep` and use `tokio::time::sleep` now. This solves an issue with updating to Bullseye ( Resolves #1998 ) - Updated all Debian images to Bullseye - Added MiMalloc feature and enabled it by default for Alpine based images This increases performance for the Alpine images because the default memory allocator for MUSL based binaries isn't that fast - Updated `dotenv` to `dotenvy` a maintained and updated fork - Fixed an issue with a newer jslib (not fully released yet) That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
pub mod accounts;
First working version
2018-02-10 01:00:55 +01:00
mod ciphers;
Added web-vault v2.21.x support + some misc fixes - The new web-vault v2.21.0+ has support for Master Password Reset. For this to work it generates a public/private key-pair which needs to be stored in the database. Currently the Master Password Reset is not fixed, but there are endpoints which are needed even if we do not support this feature (yet). This PR fixes those endpoints, and stores the keys already in the database. - There was an issue when you want to do a key-rotate when you change your password, it also called an Emergency Access endpoint, which we do not yet support. Because this endpoint failed to reply correctly produced some errors, and also prevent the user from being forced to logout. This resolves #1826 by adding at least that endpoint. Because of that extra endpoint check to Emergency Access is done using an old user stamp, i also modified the stamp exception to allow multiple rocket routes to be called, and added an expiration timestamp to it. During these tests i stumbled upon an issue that after my key-change was done, it triggered the websockets to try and reload my ciphers, because they were updated. This shouldn't happen when rotating they keys, since all access should be invalided. Now there will be no websocket notification for this, which also prevents error toasts. - Increased Send Size limit to 500MB (with a litle overhead) As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
mod emergency_access;
Add Organizational event logging feature This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2022-11-20 19:15:45 +01:00
mod events;
First working version
2018-02-10 01:00:55 +01:00
mod folders;
Some initial work on organizations, nothing works yet
2018-02-17 22:30:19 +01:00
mod organizations;
Merge and modify PR from @Kurnihil Merging a PR from @Kurnihil into the already rebased branch. Made some small changes to make it work with newer changes. Some finetuning is probably still needed. Co-authored-by: Daniele Andrei <daniele.andrei@geo-satis.com> Co-authored-by: Kurnihil
2023-06-02 22:28:30 +02:00
mod public;
Send API
2021-03-14 23:35:55 +01:00
mod sends;
Run `cargo fmt` on codebase
2021-03-31 21:18:35 +01:00
pub mod two_factor;
First working version
2018-02-10 01:00:55 +01:00
Implement login-with-device
2023-08-04 21:12:23 +02:00
pub use accounts::purge_auth_requests;
Fix failing large note imports When importing to Vaultwarden (or Bitwarden) notes larger then 10_000 encrypted characters are invalid. This because it for one isn't compatible with Bitwarden. And some clients tend to break on very large notes. We already added a check for this limit when adding a single cipher, but this caused issues during import, and could cause a partial imported vault. Bitwarden does some validations before actually running it through the import process and generates a special error message which helps the user indicate which items are invalid during the import. This PR adds that validation check and returns the same kind of error. Fixes #3048
2023-01-01 15:09:10 +01:00
pub use ciphers::{purge_trashed_ciphers, CipherData, CipherSyncData, CipherSyncType};
Add Emergency contact feature Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com>
2021-03-24 20:15:55 +01:00
pub use emergency_access::{emergency_notification_reminder_job, emergency_request_timeout_job};
Add Organizational event logging feature This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2022-11-20 19:15:45 +01:00
pub use events::{event_cleanup_job, log_event, log_user_event};
Improved HTTP client (#4740) * Improved HTTP client * Change config compat to use auto, rename blacklist * Fix wrong doc references
2024-07-12 22:33:11 +02:00
use reqwest::Method;
Add a generic job scheduler Also rewrite deletion of old sends using the job scheduler.
2021-04-02 20:16:49 -07:00
pub use sends::purge_sends;
Send deletion thread and updated users revision
2021-03-22 19:57:35 +01:00
First working version
2018-02-10 01:00:55 +01:00
pub fn routes() -> Vec<Route> {
Add `/api/{alive,now,version}` endpoints The added endpoints work the same as in their upstream implementations. Upstream also implements `/api/ip`. This seems to include the server's public IP address (the one that should be hidden behind Cloudflare), which doesn't seem like a great idea.
2022-04-23 23:47:49 -07:00
let mut eq_domains_routes = routes![get_eq_domains, post_eq_domains, put_eq_domains];
let mut hibp_routes = routes![hibp_breach];
Fix issue with key-rotate (#5348) The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login. Since we do not support this (yet), we can just return an empty data object. Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 23:00:05 +01:00
let mut meta_routes = routes![alive, now, version, config, get_api_webauthn];
Updated bw_rs to Rocket version 0.4-rc1
2018-10-10 20:40:39 +02:00
let mut routes = Vec::new();
routes.append(&mut accounts::routes());
routes.append(&mut ciphers::routes());
Added web-vault v2.21.x support + some misc fixes - The new web-vault v2.21.0+ has support for Master Password Reset. For this to work it generates a public/private key-pair which needs to be stored in the database. Currently the Master Password Reset is not fixed, but there are endpoints which are needed even if we do not support this feature (yet). This PR fixes those endpoints, and stores the keys already in the database. - There was an issue when you want to do a key-rotate when you change your password, it also called an Emergency Access endpoint, which we do not yet support. Because this endpoint failed to reply correctly produced some errors, and also prevent the user from being forced to logout. This resolves #1826 by adding at least that endpoint. Because of that extra endpoint check to Emergency Access is done using an old user stamp, i also modified the stamp exception to allow multiple rocket routes to be called, and added an expiration timestamp to it. During these tests i stumbled upon an issue that after my key-change was done, it triggered the websockets to try and reload my ciphers, because they were updated. This shouldn't happen when rotating they keys, since all access should be invalided. Now there will be no websocket notification for this, which also prevents error toasts. - Increased Send Size limit to 500MB (with a litle overhead) As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
routes.append(&mut emergency_access::routes());
Add Organizational event logging feature This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2022-11-20 19:15:45 +01:00
routes.append(&mut events::routes());
Updated bw_rs to Rocket version 0.4-rc1
2018-10-10 20:40:39 +02:00
routes.append(&mut folders::routes());
routes.append(&mut organizations::routes());
routes.append(&mut two_factor::routes());
Send API
2021-03-14 23:35:55 +01:00
routes.append(&mut sends::routes());
Merge and modify PR from @Kurnihil Merging a PR from @Kurnihil into the already rebased branch. Made some small changes to make it work with newer changes. Some finetuning is probably still needed. Co-authored-by: Daniele Andrei <daniele.andrei@geo-satis.com> Co-authored-by: Kurnihil
2023-06-02 22:28:30 +02:00
routes.append(&mut public::routes());
Add `/api/{alive,now,version}` endpoints The added endpoints work the same as in their upstream implementations. Upstream also implements `/api/ip`. This seems to include the server's public IP address (the one that should be hidden behind Cloudflare), which doesn't seem like a great idea.
2022-04-23 23:47:49 -07:00
routes.append(&mut eq_domains_routes);
routes.append(&mut hibp_routes);
routes.append(&mut meta_routes);
Adding some oganization features
2018-04-20 17:35:11 +01:00
Updated bw_rs to Rocket version 0.4-rc1
2018-10-10 20:40:39 +02:00
routes
First working version
2018-02-10 01:00:55 +01:00
}
Add Organizational event logging feature This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2022-11-20 19:15:45 +01:00
pub fn events_routes() -> Vec<Route> {
let mut routes = Vec::new();
routes.append(&mut events::main_routes());
routes
}
Start using rustfmt and some style changes to make some lines shorter
2018-12-30 23:34:31 +01:00
//
// Move this somewhere else
//
Allow customizing the featureStates (#4168) * Allow customizing the featureStates Use a comma separated list of features to enable using the FEATURE_FLAGS env variable * Move feature flag parsing to util * Fix formatting * Update supported feature flags * Rename feature_flags to experimental_client_feature_flags Additionally, use a caret (^) instead of an exclamation mark (!) to disable features * Fix formatting issue. * Add documentation to env template * Remove functionality to disable feature flags * Fix JSON key for feature states * Convert error to warning when feature flag is unrecognized * Simplify parsing of feature flags * Fix default value of feature flags in env template * Fix formatting
2024-01-01 08:44:02 -06:00
use rocket::{serde::json::Json, serde::json::Value, Catcher, Route};
First working version
2018-02-10 01:00:55 +01:00
Removed try_trait and some formatting, particularly around imports
2020-07-14 18:00:09 +02:00
use crate::{
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
api::{JsonResult, Notify, UpdateType},
Removed try_trait and some formatting, particularly around imports
2020-07-14 18:00:09 +02:00
auth::Headers,
db::DbConn,
error::Error,
Improved HTTP client (#4740) * Improved HTTP client * Change config compat to use auto, rename blacklist * Fix wrong doc references
2024-07-12 22:33:11 +02:00
http_client::make_http_request,
util::parse_experimental_client_feature_flags,
Removed try_trait and some formatting, particularly around imports
2020-07-14 18:00:09 +02:00
};
First working version
2018-02-10 01:00:55 +01:00
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
#[derive(Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
Equivalent domains
2018-02-17 23:21:04 +01:00
struct GlobalDomain {
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
r#type: i32,
domains: Vec<String>,
excluded: bool,
Equivalent domains
2018-02-17 23:21:04 +01:00
}
Initial version of admin panel, list users and reload user list works. No serious auth method yet, password is 'token123'
2018-12-18 01:53:21 +01:00
const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");
Equivalent domains
2018-02-17 23:21:04 +01:00
First working version
2018-02-10 01:00:55 +01:00
#[get("/settings/domains")]
Remove unnecessary result return types
2021-03-27 15:07:26 +00:00
fn get_eq_domains(headers: Headers) -> Json<Value> {
Don't include excluded global equivalent domains during sync Fixes #681
2019-11-05 15:30:57 +13:00
_get_eq_domains(headers, false)
}
Remove unnecessary result return types
2021-03-27 15:07:26 +00:00
fn _get_eq_domains(headers: Headers, no_excluded: bool) -> Json<Value> {
Equivalent domains
2018-02-17 23:21:04 +01:00
let user = headers.user;
use serde_json::from_str;
let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();
let excluded_globals: Vec<i32> = from_str(&user.excluded_globals).unwrap();
let mut globals: Vec<GlobalDomain> = from_str(GLOBAL_DOMAINS).unwrap();
for global in &mut globals {
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
global.excluded = excluded_globals.contains(&global.r#type);
Equivalent domains
2018-02-17 23:21:04 +01:00
}
Don't include excluded global equivalent domains during sync Fixes #681
2019-11-05 15:30:57 +13:00
if no_excluded {
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
globals.retain(|g| !g.excluded);
Don't include excluded global equivalent domains during sync Fixes #681
2019-11-05 15:30:57 +13:00
}
Remove unnecessary result return types
2021-03-27 15:07:26 +00:00
Json(json!({
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
"equivalentDomains": equivalent_domains,
"globalEquivalentDomains": globals,
"object": "domains",
Remove unnecessary result return types
2021-03-27 15:07:26 +00:00
}))
First working version
2018-02-10 01:00:55 +01:00
}
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
Fixed cipher import, created missing data structs instead of using generic Value, and fixed some warnings
2018-02-23 00:38:54 +01:00
struct EquivDomainData {
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
excluded_global_equivalent_domains: Option<Vec<i32>>,
equivalent_domains: Option<Vec<Vec<String>>>,
Fixed cipher import, created missing data structs instead of using generic Value, and fixed some warnings
2018-02-23 00:38:54 +01:00
}
Upload and download attachments, and added License file
2018-02-15 00:40:34 +01:00
#[post("/settings/domains", data = "<data>")]
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
async fn post_eq_domains(
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
data: Json<EquivDomainData>,
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
headers: Headers,
mut conn: DbConn,
nt: Notify<'_>,
) -> JsonResult {
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
let data: EquivDomainData = data.into_inner();
Upload and download attachments, and added License file
2018-02-15 00:40:34 +01:00
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
let excluded_globals = data.excluded_global_equivalent_domains.unwrap_or_default();
let equivalent_domains = data.equivalent_domains.unwrap_or_default();
Upload and download attachments, and added License file
2018-02-15 00:40:34 +01:00
Equivalent domains
2018-02-17 23:21:04 +01:00
let mut user = headers.user;
use serde_json::to_string;
Upload and download attachments, and added License file
2018-02-15 00:40:34 +01:00
Fixed some clippy lints and changed update_uuid_revision to only use one db query
2019-02-08 18:45:07 +01:00
user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_string());
user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_string());
Equivalent domains
2018-02-17 23:21:04 +01:00
Update to diesel2
2022-05-20 23:39:47 +02:00
user.save(&mut conn).await?;
Implemented proper error handling, now we can do `user.save($conn)?;` and it works. In the future, maybe we can do the same with the `find_by_id` methods that return an Option.
2018-12-19 21:52:53 +01:00
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
nt.send_user_update(UpdateType::SyncSettings, &user).await;
Implemented proper error handling, now we can do `user.save($conn)?;` and it works. In the future, maybe we can do the same with the `find_by_id` methods that return an Option.
2018-12-19 21:52:53 +01:00
Ok(Json(json!({})))
First working version
2018-02-10 01:00:55 +01:00
}
Accept PUT and POST on /settings/domains, returns JsonResult, fixes saving Custom Equivalent Domains
2018-10-23 00:32:43 +02:00
#[put("/settings/domains", data = "<data>")]
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
async fn put_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
post_eq_domains(data, headers, conn, nt).await
Accept PUT and POST on /settings/domains, returns JsonResult, fixes saving Custom Equivalent Domains
2018-10-23 00:32:43 +02:00
}
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling.
2019-01-20 15:36:33 +01:00
#[get("/hibp/breach?<username>")]
Limit HIBP to authed users
2024-11-10 23:59:06 +01:00
async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
fix hibp username encoding and pw hint check (#5180) * fix hibp username encoding Signed-off-by: BlackDex <black.dex@gmail.com> * Fix password-hint check Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-12 11:09:28 +01:00
let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
Update HIBP to v3, requires paid API key, fixes #583
2019-08-20 20:07:12 +02:00
if let Some(api_key) = crate::CONFIG.hibp_api_key() {
Limit HIBP to authed users
2024-11-10 23:59:06 +01:00
let url = format!(
"https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
);
Improved HTTP client (#4740) * Improved HTTP client * Change config compat to use auto, rename blacklist * Fix wrong doc references
2024-07-12 22:33:11 +02:00
let res = make_http_request(Method::GET, &url)?.header("hibp-api-key", api_key).send().await?;
Update HIBP to v3, requires paid API key, fixes #583
2019-08-20 20:07:12 +02:00
// If we get a 404, return a 404, it means no breached accounts
if res.status() == 404 {
return Err(Error::empty().with_code(404));
}
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
let value: Value = res.error_for_status()?.json().await?;
Update HIBP to v3, requires paid API key, fixes #583
2019-08-20 20:07:12 +02:00
Ok(Json(value))
} else {
Ok(Json(json!([{
Change API and structs to camelCase (#4386) * Change API inputs/outputs and structs to camelCase * Fix fields and password history * Use convert_json_key_lcase_first * Make sends lowercase * Update admin and templates * Update org revoke * Fix sends expecting size to be a string on mobile * Convert two-factor providers to string
2024-06-23 21:31:02 +02:00
"name": "HaveIBeenPwned",
"title": "Manual HIBP Check",
"domain": "haveibeenpwned.com",
"breachDate": "2019-08-18T00:00:00Z",
"addedDate": "2019-08-18T00:00:00Z",
"description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{username}\" target=\"_blank\" rel=\"noreferrer\">https://haveibeenpwned.com/account/{username}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noreferrer\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>"),
"logoPath": "vw_static/hibp.png",
"pwnCount": 0,
"dataClasses": [
Changed HIBP Error message. - Moved the manual link to the check to the top. - Clearified that hibp is a payed service. - Changed error logo to hibp logo.
2019-10-08 22:29:12 +02:00
"Error - No API key set!"
Some modification when no HIBP API Key is set - Added an URL with the useraccount for manual check. - Added support for HTTP(S)_PROXY for hibp.
2019-10-08 21:39:11 +02:00
]
Update HIBP to v3, requires paid API key, fixes #583
2019-08-20 20:07:12 +02:00
}])))
Allow changing error codes and create an empty error. Return 404 instead of 400 when no accounts breached.
2019-03-14 00:17:36 +01:00
}
Implement HIBP check [WIP]. Add extra security attributes to admin cookie. Error handling.
2019-01-20 15:36:33 +01:00
}
Add `/api/{alive,now,version}` endpoints The added endpoints work the same as in their upstream implementations. Upstream also implements `/api/ip`. This seems to include the server's public IP address (the one that should be hidden behind Cloudflare), which doesn't seem like a great idea.
2022-04-23 23:47:49 -07:00
// We use DbConn here to let the alive healthcheck also verify the database connection.
#[get("/alive")]
fn alive(_conn: DbConn) -> Json<String> {
now()
}
#[get("/now")]
pub fn now() -> Json<String> {
Json(crate::util::format_date(&chrono::Utc::now().naive_utc()))
}
#[get("/version")]
fn version() -> Json<&'static str> {
Json(crate::VERSION.unwrap_or_default())
}
Implement config endpoint
2022-09-08 17:38:00 +02:00
Fix issue with key-rotate (#5348) The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login. Since we do not support this (yet), we can just return an empty data object. Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 23:00:05 +01:00
#[get("/webauthn")]
fn get_api_webauthn(_headers: Headers) -> Json<Value> {
// Prevent a 404 error, which also causes key-rotation issues
// It looks like this is used when login with passkeys is enabled, which Vaultwarden does not (yet) support
// An empty list/data also works fine
Json(json!({
"object": "list",
"data": [],
"continuationToken": null
}))
}
Implement config endpoint
2022-09-08 17:38:00 +02:00
#[get("/config")]
fn config() -> Json<Value> {
let domain = crate::CONFIG.domain();
Update Key Rotation web-vault v2024.3.x (#4446) Key rotation was changed since 2024.1.x. Multiple other items were added to be rotated like password-reset and emergency-access data to be part of just one POST instead of having multiple. See: https://github.com/dani-garcia/bw_web_builds/pull/157
2024-04-06 14:42:53 +02:00
let mut feature_states =
parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
// Force the new key rotation feature
feature_states.insert("key-rotation-improvements".to_string(), true);
Update crates, web-vault and fixes (#4823) * Update crates, web-vault and fixes - Updated crates - Updated web-vault to v2024.6.2 This version is currently the latest version compatible with our API implementation. For newer versions we need more code updates to make it compatible. Thanks to @stefan0xC this version fixes #4628 - Added a small fix to prevent errors in the Vaultwarden and Client logs. The v2024.6.2 web-vault calls an endpoint with invalid arguments. If this happens we ignore the call and just return an Ok. - Added the bulk-collection endpoint (Though not yet available in v2024.6.2) Fixes #4628 * Prevent bulk remove collections to work
2024-08-07 22:46:03 +02:00
feature_states.insert("flexible-collections-v-1".to_string(), false);
Implement config endpoint
2022-09-08 17:38:00 +02:00
Json(json!({
Implement cipher key encryption (#3990)
2023-10-23 00:18:14 +02:00
// Note: The clients use this version to handle backwards compatibility concerns
// This means they expect a version that closely matches the Bitwarden server version
// We should make sure that we keep this updated when we support the new server features
// Version history:
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
// - Individual cipher key encryption: 2024.2.0
"version": "2025.1.0",
Use optional env as this variable isn't defined during CI
2022-09-08 18:01:27 +02:00
"gitHash": option_env!("GIT_REV"),
Implement config endpoint
2022-09-08 17:38:00 +02:00
"server": {
"name": "Vaultwarden",
Prepare for repo to org move This PR prepares this repo to be moved to the Vaultwarden organization. Signed-off-by: BlackDex <black.dex@gmail.com>
2024-05-25 15:14:16 +02:00
"url": "https://github.com/vaultwarden/vaultwarden"
Implement config endpoint
2022-09-08 17:38:00 +02:00
},
Fix keyword collision in Rust 2024 and add new api/config value (#4975) * Avoid keyword collision with gen in Rust 2024 * Include new api/config setting to disable user registration, not yet used by clients * Actually qualify CONFIG
2024-09-20 21:39:00 +02:00
"settings": {
"disableUserRegistration": !crate::CONFIG.signups_allowed() && crate::CONFIG.signups_domains_whitelist().is_empty(),
},
Implement config endpoint
2022-09-08 17:38:00 +02:00
"environment": {
"vault": domain,
"api": format!("{domain}/api"),
"identity": format!("{domain}/identity"),
"notifications": format!("{domain}/notifications"),
"sso": "",
},
Allow customizing the featureStates (#4168) * Allow customizing the featureStates Use a comma separated list of features to enable using the FEATURE_FLAGS env variable * Move feature flag parsing to util * Fix formatting * Update supported feature flags * Rename feature_flags to experimental_client_feature_flags Additionally, use a caret (^) instead of an exclamation mark (!) to disable features * Fix formatting issue. * Add documentation to env template * Remove functionality to disable feature flags * Fix JSON key for feature states * Convert error to warning when feature flag is unrecognized * Simplify parsing of feature flags * Fix default value of feature flags in env template * Fix formatting
2024-01-01 08:44:02 -06:00
"featureStates": feature_states,
Fix the web-vault v2023.2.0 API calls - Supports the new Collection/Group/User editing UI's - Support `/partial` endpoint for cipher updating to allow folder and favorite update for read-only ciphers. - Prevent `Favorite`, `Folder`, `read-only` and `hide-passwords` from being added to the organizational sync. - Added and corrected some `Object` key's to the output json. Fixes #3279
2023-02-27 16:37:58 +01:00
"object": "config",
Implement config endpoint
2022-09-08 17:38:00 +02:00
}))
}
add api_not_found catcher for 404 errors in /api
2022-09-25 10:55:55 +02:00
pub fn catchers() -> Vec<Catcher> {
catchers![api_not_found]
}
#[catch(404)]
fn api_not_found() -> Json<Value> {
Json(json!({
"error": {
"code": 404,
"reason": "Not Found",
"description": "The requested resource could not be found."
}
}))
}
Permalink kopieren