Prevent 401 on main admin page
When you are not logged in and have no cookie etc., we always returned a 401. This was mainly to allow the login page on all the sub pages, and after login being redirected to the requested page; for these pages a 401 is a valid response, since you do not have access. But for the main `/admin` page, it should just respond with a `200` and show the login page. This PR fixes this flow and response. It should prevent people using Fail2ban, or other tools, being triggered by only accessing the login page. Resolves #3540
Dieser Commit ist enthalten in:
Ursprung
9e5b049dca
Commit
636f16dc66
1 geänderte Dateien mit 17 neuen und 1 gelöschten Zeilen
|
@ -36,6 +36,7 @@ pub fn routes() -> Vec<Route> {
|
||||||
get_user_by_mail_json,
|
get_user_by_mail_json,
|
||||||
post_admin_login,
|
post_admin_login,
|
||||||
admin_page,
|
admin_page,
|
||||||
|
admin_page_login,
|
||||||
invite_user,
|
invite_user,
|
||||||
logout,
|
logout,
|
||||||
delete_user,
|
delete_user,
|
||||||
|
@ -256,6 +257,11 @@ fn admin_page(_token: AdminToken) -> ApiResult<Html<String>> {
|
||||||
render_admin_page()
|
render_admin_page()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[get("/", rank = 2)]
|
||||||
|
fn admin_page_login() -> ApiResult<Html<String>> {
|
||||||
|
render_admin_login(None, None)
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Deserialize, Debug)]
|
#[derive(Deserialize, Debug)]
|
||||||
#[allow(non_snake_case)]
|
#[allow(non_snake_case)]
|
||||||
struct InviteData {
|
struct InviteData {
|
||||||
|
@ -761,7 +767,17 @@ impl<'r> FromRequest<'r> for AdminToken {
|
||||||
|
|
||||||
let access_token = match cookies.get(COOKIE_NAME) {
|
let access_token = match cookies.get(COOKIE_NAME) {
|
||||||
Some(cookie) => cookie.value(),
|
Some(cookie) => cookie.value(),
|
||||||
None => return Outcome::Failure((Status::Unauthorized, "Unauthorized")),
|
None => {
|
||||||
|
let requested_page =
|
||||||
|
request.segments::<std::path::PathBuf>(0..).unwrap_or_default().display().to_string();
|
||||||
|
// When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
|
||||||
|
// Else, return a 401 failure, which will be caught
|
||||||
|
if requested_page.is_empty() {
|
||||||
|
return Outcome::Forward(Status::Unauthorized);
|
||||||
|
} else {
|
||||||
|
return Outcome::Failure((Status::Unauthorized, "Unauthorized"));
|
||||||
|
}
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
if decode_admin(access_token).is_err() {
|
if decode_admin(access_token).is_err() {
|
||||||
|
|
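Review bot: In the third hunk (`@ -761,7 +767,17`), `unwrap_or_default()` on the `request.segments::<std::path::PathBuf>(0..)` result conflates a failed segment conversion with an empty path, so a request whose segments cannot be turned into a `PathBuf` is forwarded to the login page as if it were `/admin` instead of taking the 401 branch. No access is granted either way, but the intent is an exact match on the root page, and that is clearer and cheaper without rendering a `PathBuf` to a `String`: `let is_admin_root = request.segments::<std::path::PathBuf>(0..).map(|p| p.as_os_str().is_empty()).unwrap_or(false);` with `if is_admin_root {` as the condition, so a conversion error falls through to `Outcome::Failure`. The comment `// Else, return a 401 failure, which will be caught` should name what catches it — presumably a 401 catcher that renders the login page for sub pages, which is not visible here — e.g. `// Else, fail with 401; the 401 catcher renders the login page for sub pages`. The enclosing `from_request` starts before and continues after this hunk.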