From 44045a865b838d0ee2877b530ec074a5dad0abeb Mon Sep 17 00:00:00 2001
From: Timshel
Date: Fri, 3 Jan 2025 16:41:27 +0100
Subject: [PATCH] api::Accounts::verify_password add the policy even if it's ignored

---
 .env.template | 2 +-
 SSO.md | 2 +-
 src/api/core/accounts.rs | 10 +++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.env.template b/.env.template
index 0fc5cddb..05b640e4 100644
--- a/.env.template
+++ b/.env.template
@@ -475,7 +475,7 @@
 ## Set your Client ID and Client Key
 # SSO_CLIENT_ID=11111
 # SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
-## Optional Master password policy (minComplexity=[0-4])
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
 # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
 ## Use sso only for authentication not the session lifecycle
 # SSO_AUTH_ONLY_NOT_SESSION=false
diff --git a/SSO.md b/SSO.md
index 97286aa4..b113db61 100644
--- a/SSO.md
+++ b/SSO.md
@@ -25,7 +25,7 @@ The following configurations are available
  - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
  - `SSO_CLIENT_ID` : Client Id
  - `SSO_CLIENT_SECRET` : Client Secret
- - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
+ - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy (`enforceOnLogin` is not supported).
  - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
  - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
  - `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 2af07d9d..c829ce93 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1050,6 +1050,8 @@ pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &mut DbConn) ->
     Ok(())
 }
 
+// It appears that at the moment the return policy is required but ignored.
+// As such the `enforceOnLogin` part is not working.
 #[post("/accounts/verify-password", data = "")]
 async fn verify_password(data: Json, headers: Headers, mut conn: DbConn) -> JsonResult {
     let data: SecretVerificationRequest = data.into_inner();
@@ -1061,8 +1063,14 @@ async fn verify_password(data: Json, headers: Headers
 
     kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;
 
+    let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
+        serde_json::from_str(&policy_str).unwrap_or(json!({}))
+    } else {
+        json!({})
+    };
+
     Ok(Json(json!({
-        "MasterPasswordPolicy": {}, // Required for SSO login with mobile apps
+        "MasterPasswordPolicy": policy,
     })))
 }
 
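Review bot: The comment added above `verify_password` says `the return policy`, which reads as a typo for `the returned policy`, and `It appears` leaves open whether the claim was actually checked against a client. A more precise form would be `// Clients currently require a MasterPasswordPolicy in this response but ignore it, so enforceOnLogin has no effect here.`, ideally naming the client version that was checked so the comment can be revisited when that changes.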
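Review bot: A malformed `SSO_MASTER_PASSWORD_POLICY` is silently turned into an empty policy by the `unwrap_or(json!({}))` on the new `serde_json::from_str` line, so an operator typo in that JSON disables the policy in every verify-password response with nothing in the log. Unless the config layer already validates this value at startup (not visible here), replace it with `serde_json::from_str(&policy_str).unwrap_or_else(|e| { warn!("Invalid SSO_MASTER_PASSWORD_POLICY, ignoring it: {e}"); json!({}) })`, assuming the `warn!` macro used elsewhere in this file is in scope. The parse target is inferred as an untyped `serde_json::Value`, so a policy that is valid JSON but not an object (an array or a bare string) would be handed to the client verbatim as `MasterPasswordPolicy`; parsing into a typed policy struct, or at least checking `is_object()` before use, would close that gap. `verify_password` starts in the previous hunk and the lines between the two hunks are outside this view.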