Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2024-11-14 03:52:54 +01:00
More authrequest fixes (#5176)
Ursprung
d0581da638
Commit
37c14c3c69
2 geänderte Dateien mit 47 neuen und 36 gelöschten Zeilen
|
@ -1136,15 +1136,15 @@ async fn post_auth_request(
|
||||||
|
|
||||||
#[get("/auth-requests/<uuid>")]
|
#[get("/auth-requests/<uuid>")]
|
||||||
async fn get_auth_request(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
|
async fn get_auth_request(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
|
||||||
if headers.user.uuid != uuid {
|
|
||||||
err!("AuthRequest doesn't exist", "User uuid's do not match")
|
|
||||||
}
|
|
||||||
|
|
||||||
let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
|
let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
|
||||||
Some(auth_request) => auth_request,
|
Some(auth_request) => auth_request,
|
||||||
None => err!("AuthRequest doesn't exist", "Record not found"),
|
None => err!("AuthRequest doesn't exist", "Record not found"),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
if headers.user.uuid != auth_request.user_uuid {
|
||||||
|
err!("AuthRequest doesn't exist", "User uuid's do not match")
|
||||||
|
}
|
||||||
|
|
||||||
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
|
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
|
||||||
|
|
||||||
Ok(Json(json!({
|
Ok(Json(json!({
|
||||||
|
@ -1190,15 +1190,18 @@ async fn put_auth_request(
|
||||||
err!("AuthRequest doesn't exist", "User uuid's do not match")
|
err!("AuthRequest doesn't exist", "User uuid's do not match")
|
||||||
}
|
}
|
||||||
|
|
||||||
auth_request.approved = Some(data.request_approved);
|
if data.request_approved {
|
||||||
auth_request.enc_key = Some(data.key);
|
auth_request.approved = Some(data.request_approved);
|
||||||
auth_request.master_password_hash = data.master_password_hash;
|
auth_request.enc_key = Some(data.key);
|
||||||
auth_request.response_device_id = Some(data.device_identifier.clone());
|
auth_request.master_password_hash = data.master_password_hash;
|
||||||
auth_request.save(&mut conn).await?;
|
auth_request.response_device_id = Some(data.device_identifier.clone());
|
||||||
|
auth_request.save(&mut conn).await?;
|
||||||
|
|
||||||
if auth_request.approved.unwrap_or(false) {
|
|
||||||
ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
|
ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
|
||||||
nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await;
|
nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await;
|
||||||
|
} else {
|
||||||
|
// If denied, there's no reason to keep the request
|
||||||
|
auth_request.delete(&mut conn).await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
|
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
|
||||||
|
|
|
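Review bot: In the approve branch of put_auth_request, `enc_key`, `master_password_hash` and `response_device_id` are overwritten and saved with no visible check that the request is still unanswered, so a repeated PUT for the same request could replace key material that was already approved. The function starts outside the hunk, so this may already be handled above; if it is not, a guard such as `if auth_request.approved.is_some() { err!("AuthRequest doesn't exist", "Request was already answered") }` placed before `if data.request_approved {` would make the answer write-once. The approve branch also leaves `response_date` untouched in the lines shown, so the `response_date_utc` computed afterwards reflects whatever was stored before. In the denied branch the response is built from a record that has just been deleted, which deserves a one-line comment saying that this is intended.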
@ -165,20 +165,22 @@ async fn _password_login(
|
||||||
// Set the user_uuid here to be passed back used for event logging.
|
// Set the user_uuid here to be passed back used for event logging.
|
||||||
*user_uuid = Some(user.uuid.clone());
|
*user_uuid = Some(user.uuid.clone());
|
||||||
|
|
||||||
// Check password
|
// Check if the user is disabled
|
||||||
let password = data.password.as_ref().unwrap();
|
if !user.enabled {
|
||||||
if let Some(auth_request_uuid) = data.auth_request.clone() {
|
err!(
|
||||||
if let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await {
|
"This user has been disabled",
|
||||||
if !auth_request.check_access_code(password) {
|
format!("IP: {}. Username: {}.", ip.ip, username),
|
||||||
err!(
|
ErrorEvent {
|
||||||
"Username or access code is incorrect. Try again",
|
event: EventType::UserFailedLogIn
|
||||||
format!("IP: {}. Username: {}.", ip.ip, username),
|
|
||||||
ErrorEvent {
|
|
||||||
event: EventType::UserFailedLogIn,
|
|
||||||
}
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
} else {
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
let password = data.password.as_ref().unwrap();
|
||||||
|
|
||||||
|
// If we get an auth request, we don't check the user's password, but the access code of the auth request
|
||||||
|
if let Some(ref auth_request_uuid) = data.auth_request {
|
||||||
|
let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await else {
|
||||||
err!(
|
err!(
|
||||||
"Auth request not found. Try again.",
|
"Auth request not found. Try again.",
|
||||||
format!("IP: {}. Username: {}.", ip.ip, username),
|
format!("IP: {}. Username: {}.", ip.ip, username),
|
||||||
|
@ -186,6 +188,23 @@ async fn _password_login(
|
||||||
event: EventType::UserFailedLogIn,
|
event: EventType::UserFailedLogIn,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
};
|
||||||
|
|
||||||
|
// Delete the request after we used it
|
||||||
|
auth_request.delete(conn).await?;
|
||||||
|
|
||||||
|
if auth_request.user_uuid != user.uuid
|
||||||
|
|| !auth_request.approved.unwrap_or(false)
|
||||||
|
|| ip.ip.to_string() != auth_request.request_ip
|
||||||
|
|| !auth_request.check_access_code(password)
|
||||||
|
{
|
||||||
|
err!(
|
||||||
|
"Username or access code is incorrect. Try again",
|
||||||
|
format!("IP: {}. Username: {}.", ip.ip, username),
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn,
|
||||||
|
}
|
||||||
|
)
|
||||||
}
|
}
|
||||||
} else if !user.check_valid_password(password) {
|
} else if !user.check_valid_password(password) {
|
||||||
err!(
|
err!(
|
||||||
|
@ -197,8 +216,8 @@ async fn _password_login(
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Change the KDF Iterations
|
// Change the KDF Iterations (only when not logging in with an auth request)
|
||||||
if user.password_iterations != CONFIG.password_iterations() {
|
if data.auth_request.is_none() && user.password_iterations != CONFIG.password_iterations() {
|
||||||
user.password_iterations = CONFIG.password_iterations();
|
user.password_iterations = CONFIG.password_iterations();
|
||||||
user.set_password(password, None, false, None);
|
user.set_password(password, None, false, None);
|
||||||
|
|
||||||
|
@ -207,17 +226,6 @@ async fn _password_login(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the user is disabled
|
|
||||||
if !user.enabled {
|
|
||||||
err!(
|
|
||||||
"This user has been disabled",
|
|
||||||
format!("IP: {}. Username: {}.", ip.ip, username),
|
|
||||||
ErrorEvent {
|
|
||||||
event: EventType::UserFailedLogIn
|
|
||||||
}
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
let now = Utc::now().naive_utc();
|
let now = Utc::now().naive_utc();
|
||||||
|
|
||||||
if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
|
if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
|
||||||
|
|
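Review bot: `auth_request.delete(conn).await?;` runs before any of the four checks, and the lookup is `find_by_uuid` with no user scope, so a login attempt for a different account that carries this request's uuid removes the request before `auth_request.user_uuid != user.uuid` rejects it. Testing ownership first and deleting only once the request is known to belong to `user` keeps the single-use property for the owner without letting another account's login consume it. Separately, the `!user.enabled` check now sits ahead of the credential check, so "This user has been disabled" is returned without a valid password or access code and reveals the account's state to an unauthenticated caller; a comment should record whether that trade-off is intended. _password_login starts and ends outside these hunks, so earlier validation may already cover part of this.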