A possible user disclosure when you invite an user into an organization which already has an account on the same instance.
This was because we always returned the user's name.
To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null.
This is the same as Bitwarden does.
Resolves a reported issue.
Also resolved a new `nightly` reported clippy regarding a regex within a loop.
- Fixed collection management to be usable from the Password Manager UI
- Checked and brought in-to-sync with upstream several json responses
- Fixed a small issue with the `fields` response when it was empty
Signed-off-by: BlackDex <black.dex@gmail.com>
In an oversight i forgot to set the type to a hidden type if converting the int was not possible.
This fixes that.
Signed-off-by: BlackDex <black.dex@gmail.com>
It seems the iOS clients are not able to handle the `type` key within the `fields` array when they are of the type string.
All other clients seem to handle this just fine though.
This PR fixes this by validating it is a number, if this is not the case, try to convert the string to a number, or return the default of `1`.
`1` is used as this is the type `hidden` and should prevent accidental data disclosure.
Fixes #5069
Possibly Fixes #5016
Possibly Fixes #5002
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix `--version` from failing without config
Since we added the option to show the web-vault version also when running `--version` this causes the config to always be validated.
While this is not very bad in general, it could cause the command to quit during the config validation, and not show the version, but also errors.
This is probably not very useful for this specific command, unlike the `--backup` for example.
To fix this, and preventing the config from being validated, i added an AtomicBool to check if we need to validate the config on first load.
This prevents errors, and will just show the Vaultwarden version, and if possible the web-vault version too.
Fixes #5046
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted the code bsaed upon review
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix collections not editable by managers
Since a newer version of the web-vault we use manager were not able to create sub collections anymore.
This was because of some missing details in the response of some json objects.
This commit fixes this by using the `to_json_details` instead of the `to_json`
Fixes #5066
Fixes #5044
* Update crates and GitHub Actions
- Updated all the crates
- Updated all the GHA dependencies
- Configured the trivy workflow to only run on the main repo and not on forks
Also selected a random new scheduled date so it will not run at the same time as all other forks.
The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
* Add extra linting
Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.
Closes #4974
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted according to comments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
It appears that some password histories have an encrypted value on the `lastUsedDate`
Instead of only checking if it is a string, also check if it is a valid RFC Date/Time String.
If not, set it also to epoch 0.
Signed-off-by: BlackDex <black.dex@gmail.com>
It seemed to have been possible to have `null` date values.
This PR fixes this by setting the epoch start date if either the date does not exists or is not a string.
This should solve sync issues with the new native mobile clients.
Fixes https://github.com/dani-garcia/vaultwarden/pull/4932#issuecomment-2357581292
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add a CLI feature to backup the SQLite DB
Many users request to add the sqlite3 binary to the container image.
This isn't really ideal as that might bring in other dependencies and will only bloat the image.
There main reason is to create a backup of the database.
While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.
This PR adds several ways to generate a backup.
1. By calling the Vaultwarden binary with the `backup` command like:
- `/vaultwarden backup`
- `docker exec -it vaultwarden /vaultwarden backup`
2. By sending the USR1 signal to the running process like:
- `kill -s USR1 $(pidof vaultwarden)
- `killall -s USR1 vaultwarden)
This should help users to more easily create backups of there SQLite database.
Also added the Web-Vault version number when using `-v/--version` to the output.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Spelling and small adjustments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Fixed an issue with login with device for the new Bitwrden Beta clients.
They seem to not support ISO8601 milli date/time, only micro.
Also updated the device display names to match Upstream and added the
CLI devices which were missing.
Signed-off-by: BlackDex <black.dex@gmail.com>
The web-vault v2024.6.2 we use needs some extra information to allow
managers to actually be able to manage collections.
The v2024.6.2 web-vault has somewhat of a mixture of the newer roles and
older manager roles. To at least fix this for the web-vault we bundle
these changes will make the manager able to manage.
For future web-vaults we would need a lot more changes to be done to fix
this in a better way though.
Fixes #4844
- All users were able to request organizational details from any org,
even if they were not a member (anymore).
Now it will check if that user is a member of the org or not.
- The `/organization/<uuid>/keys` endpoint returned also the private keys.
This should not be the case. Also, according to the upstream server
code the endpoint changed, but the clients do not seem to use it.
I added it anyway just in case they will in the future.
- Also require a valid login before being able to retreve those org
keys. Upstream does not do this, but i see no reason why not.
Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
* Update crates, web-vault and fixes
- Updated crates
- Updated web-vault to v2024.6.2
This version is currently the latest version compatible with our API implementation.
For newer versions we need more code updates to make it compatible.
Thanks to @stefan0xC this version fixes #4628
- Added a small fix to prevent errors in the Vaultwarden and Client logs.
The v2024.6.2 web-vault calls an endpoint with invalid arguments.
If this happens we ignore the call and just return an Ok.
- Added the bulk-collection endpoint (Though not yet available in v2024.6.2)
Fixes #4628
* Prevent bulk remove collections to work
This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000.
Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, i added warnings regarding this.
Closes #3168
* Add initial working Duo Universal Prompt support.
* Add db schema and models for Duo 2FA state storage
* store duo states in the database and validate during authentication
* cleanup & comments
* bump state/nonce length
* replace stray use of TimeDelta
* more cleanup
* bind Duo oauth flow to device id, drop redundant device type handling
* drop redundant alphanum string generation code
* error handling cleanup
* directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
* remove redundant explicit returns, rustfmt
* rearrange constants, update comments, error message
* override charset on duo state column to ascii for mysql
* Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
* Add fixes suggested by clippy
* rustfmt
* Update to use the make_http_request
* Don't handle OrganizationDuo
* move Duo API endpoint fmt strings out of macros and into format! calls
* Add missing indentation
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* remove redundant expiry check when purging Duo contexts
---------
Co-authored-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
- Add missing `Headers` parameter for some functions
This allowed any request from allowing these endpoints by not validating the user correctly.
- Changed the functions to retreive the emergency access record by
using the user uuid which calls the endpoint, instead of validating afterwards.
This is more secure and prevents the need of an if check.
* add group support for Cipher::get_collections()
join group infos assigned to a collection to check
whether user has been given access to all collections via any group
or they have access to a specific collection via any group membership
* fix Collection::is_writable_by_user()
prevent side effects if groups are disabled
* differentiate the /collection endpoints
* return cipherDetails on post_collections_update()
* add collections_v2 endpoint
Collections were not visible in the organization view.
This was because the `flexibleCollections` was set to `true`
Found an issue with loading some old created Secure Notes which had `{}` or `{"type":null}` as there `data` value.
This isn't allowed. When detected, replace it with `{"type":0}`
Fixes #4682
Fixes #4590
* Change API inputs/outputs and structs to camelCase
* Fix fields and password history
* Use convert_json_key_lcase_first
* Make sends lowercase
* Update admin and templates
* Update org revoke
* Fix sends expecting size to be a string on mobile
* Convert two-factor providers to string
- Updated all crates including Diesel and the new mysqlclient-sys
- Updated the MSRV to v1.78 as that is what Diesel mandates
- Added the mimalloc crate as a patch for now to fix armv6 static builds
This probably makes #4606 possible
- Updated web-vault to v2024.5.1
- Updated GitHub Actions
Fixed an issue with the localhost images for extracting the musl binaries.
* fix emergency access invites with no mail
when mail is disabled instead of accepting emergency access for all
invited users automatically, we only accept if the user already exists
on registration of a new account any open emergency access invitations
will be accepted, if mail is disabled
also prevent invited emergency access contacts to register if emergency
access is disabled (this is only relevant for when mail is enabled, if
mail is disabled they should have an Invitation entry)
* delete emergency access invitations
if an invited user is deleted in the /admin panel their emergency
access invitation will remain in the database which causes
the to_json_grantee_details fn to panic
* improve missing emergency access grantees
instead of returning an empty emergency access contact the entry should
not be added to the list. also the error handling can be improved a bit.
- Updated sqlite crate
- Updated chrono crate
The latter needed a lot of changes done, mostly `Duration` to `TimeDelta`.
And some changes on how to use Naive.
* Fix #3624: fix manager permission within groups
* Query returns UUID only
* Fix issue when user is manager and in a group having access to all collections
* optimize condition check
* fix(groups): renaming and optimizations
* fix: wrong organization group membership detection
* Simplify group membership check
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
* Remove unused statement
* improve check if the user has access via groups
instead of returning the two lists of member ids and later checking if
they contain the uuid of the current user, we really only care if
the current user has full access via a group or if they have
access to a given collection via a group
* improve comments for get_org_collections_details
* small refactor to make it easier to review
* fix(groups): query full access via group only when necessary
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* chore(fmt): apply rustfmt
---------
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Co-authored-by: Stefan Melmuk <stefan.melmuk@gmail.com>
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
save the push token of new device even if push notifications are not
enabled and provide a way to register the push device at login
unregister device if there already is a push token saved unless the
new token has already been registered.
also the `unregister_push_device` function used the wrong argument
cf. 08d380900b/src/Core/Services/Implementations/RelayPushRegistrationService.cs (L43)
* enforce 2fa policy on removal of second factor
users should be revoked when their second factors are removed.
we want to revoke users so they don't have to be invited again and
organization admins and owners are aware that they no longer have
access.
we make an exception for non-confirmed users to speed up the invitation
process as they would have to be restored before they can accept their
invitation or be confirmed.
if email is enabled, invited users have to add a second factor before
they can accept the invitation to an organization with 2fa policy.
and if it is not enabled that check is done when confirming the user.
* use &str instead of String in log_event()
* enforce the 2fa policy on login
if a user doesn't have a second factor check if they are in an
organization that has the 2fa policy enabled to revoke their access
There was an error in the single org policy check to determine how many
users there are in an org. The `or` check was at the wrong location in
the DSL.
This is now fixed.
Fixes #4205
Large JWT's could cause issue because of header or body sizes of the
HTTP request could get too large when you are a member of a lot of organizations.
This PR removes these specific keys since they are not used either
client side or server side.
Because Bitwarden does add these in there JWT's i would suggest to keep
the code we had but then commented out as a reference.
Removing it and searching for this when needed would be a waist of time.
Fixes #4156
* Fix BWDC when re-run with cleared cache
Using the BWDC with a cleared cache caused invited users to be converted
to accepted users.
The problem was a wrong check for the `restore` function.
Fixes #4114
* Remove useless variable
During some refactoring this seems to be overlooked.
This variable gets filled but isn't used at all afterwards.
Fixes #4105
* Check some `.git` paths to force a rebuild
When a checked-out repo switches to a specific tag, and that tag does
not have anything else changed in the files except the tag, it could
happen that the build process doesn't see any changes, while it could be
that the version string needs to be different.
This commit ensures that if some specific paths are changed within the
.git directory, cargo will be triggered to rebuild.
Fixes #4087
* Do not delete dir on file delete
Previously during a `delete_file` check we also tried to delete the
parent directory and ignored all errors, like not being empty for
example.
Since this function is called `delete_file` and does not mention
anything in regards to a directory i have removed that code and it will
now only delete the file and leave the rest as-is.
If this somehow is still needed or wanted, which i do not think we want,
then we should create a new function.
Fixes #4081
* Fix healthcheck when using an ENV file
If someone is using a `.env` file or configured the `ENV_FILE` variable
to use that as it's configuration, this was missed by the healthcheck.
So, `DOMAIN` and `ROCKET_TLS` were not seen, and not used in these cases.
This commit fixes this by checking for this file and if it exists, then
it will load those variables first.
Fixes #4112
* Add missing route
While there was a function and a derive, this endpoint wasn't part of
the routes. Since Bitwarden does have this endpoint ill add the route
instead of deleting it.
Fixes #4076
Fixes #4144
* Update crates to update the openssl crate
Because of a bug in the openssl-sys crate we pinned the version to an
older version. This issue has been fixed and was released 2 days ago.
This commit updates the openssl crates including others.
This should also fix the issues with building Vaultwarden using newer
versions of LibreSSL.
Fixes #4051
* Remove another header for websocket connections
* Fix small bake issue
* Update crates
Updated crates and adjusted code where needed.
One major update is Rocket rc4, no need anymore (again) for crates.io patching.
The only item still pending is openssl/openssl-sys for which we need to
wait if https://github.com/sfackler/rust-openssl/pull/2094 will be
merged. If, then we can remove the pinned versions for the openssl crate.
Since the feature `Login with device` some actions done via the
web-vault need to be verified via an OTP instead of providing the MasterPassword.
This only happens if a user used the `Login with device` on a device
which uses either Biometrics login or PIN. These actions prevent the
athorizing device to send the MasterPasswordHash. When this happens, the
web-vault requests an OTP to be filled-in and this OTP is send to the
users email address which is the same as the email address to login.
The only way to bypass this is by logging in with the your password, in
those cases a password is requested instead of an OTP.
In case SMTP is not enabled, it will show an error message telling to
user to login using there password.
Fixes #4042
