mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2025-02-07 11:17:02 +01:00
Code Issues Releases Aktivität

api::Accounts::verify_password add the policy even if it's ignored

Quellcode durchsuchen
Dieser Commit ist enthalten in:
Timshel 2025-01-03 16:41:27 +01:00
Ursprung bee619ff52
Commit 44045a865b
3 geänderte Dateien mit 11 neuen und 3 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

2
.env.template
Datei anzeigen

@ -475,7 +475,7 @@
## Set your Client ID and Client Key ## Set your Client ID and Client Key
# SSO_CLIENT_ID=11111 # SSO_CLIENT_ID=11111
# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA # SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
## Optional Master password policy (minComplexity=[0-4]) ## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}' # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
## Use sso only for authentication not the session lifecycle ## Use sso only for authentication not the session lifecycle
# SSO_AUTH_ONLY_NOT_SESSION=false # SSO_AUTH_ONLY_NOT_SESSION=false

2
SSO.md
Datei anzeigen

@ -25,7 +25,7 @@ The following configurations are available
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`. - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
- `SSO_CLIENT_ID` : Client Id - `SSO_CLIENT_ID` : Client Id
- `SSO_CLIENT_SECRET` : Client Secret - `SSO_CLIENT_SECRET` : Client Secret
- `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy (`enforceOnLogin` is not supported).
- `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
- `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`); - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
- `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required) - `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)

10
src/api/core/accounts.rs
Datei anzeigen

@ -1050,6 +1050,8 @@ pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &mut DbConn) ->
Ok(()) Ok(())
} }
// It appears that at the moment the return policy is required but ignored.
// As such the `enforceOnLogin` part is not working.
#[post("/accounts/verify-password", data = "<data>")] #[post("/accounts/verify-password", data = "<data>")]
async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, mut conn: DbConn) -> JsonResult { async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, mut conn: DbConn) -> JsonResult {
let data: SecretVerificationRequest = data.into_inner(); let data: SecretVerificationRequest = data.into_inner();
@ -1061,8 +1063,14 @@ async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers
kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?; kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;
let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
serde_json::from_str(&policy_str).unwrap_or(json!({}))
} else {
json!({})
};
Ok(Json(json!({ Ok(Json(json!({
"MasterPasswordPolicy": {}, // Required for SSO login with mobile apps "MasterPasswordPolicy": policy,
}))) })))
} }