1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2024-12-18 10:40:42 +01:00
Commit-Graph

2766 Commits

Autor SHA1 Nachricht Datum
Mathijs van Veluw
45e5f06b86
Some Backend Admin fixes and updates (#5272)
* Some Backend Admin fixes and updates

- Updated datatables
- Added a `X-Robots-Tags` header to prevent indexing
- Modified some layout settings
- Added Websocket check to diagnostics
- Added Security Header checks to diagnostics
- Added Error page response checks to diagnostics
- Modifed support string layout a bit

Signed-off-by: BlackDex <black.dex@gmail.com>

* Some small fixes

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-10 21:52:12 +01:00
Daniel
620ad92331
Update crates (#5268)
- fixes CVE-2024-12224
2024-12-10 17:59:28 +01:00
Mathijs van Veluw
c9860af11c
Fix another sync issue with native clients (#5259)
The `reprompt` value somehow sometimes has a value of `4`.
This isn't a valid value, and doesn't cause issues with other clients, but the native clients are more strict.

This commit fixes this by validating the value before storing and returning.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-08 21:48:19 +01:00
Daniel
d7adce97df
Update Alpine to version 3.21 (#5256) 2024-12-06 11:05:52 +01:00
Mathijs van Veluw
71b3d3c818
Update Rust and crates (#5248)
* Update Rust and crates

- Updated Rust to v1.83.0
- Updated MSRV to v1.82.0 (Needed for html5gum crate)
- Updated icon fetching code to match new html5gum version
- Updated workflows
- Enabled edition 2024 clippy lints
  Nightly reports some clippy hints, but that would be too much to change in this PR i think.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Some additional updates

- Patch fern to allow syslog-7 feature
- Fixed diesel logger which was broken because of the sqlite backup feature
  Refactored the sqlite backup because of this
- Added a build workflow test to include the query_logger feature

Signed-off-by: BlackDex <black.dex@gmail.com>

* Also patch yubico-rs and latest updates

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
chuangjinglu
da3701c0cf
chore: fix some comments (#5224)
Signed-off-by: chuangjinglu <chuangjinglu@outlook.com>
2024-11-25 18:35:00 +01:00
Mathijs van Veluw
96813b1317
Fix editing members which have access-all rights (#5213)
With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections.

This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage.
But with the current version this should solve access right issues.

Fixes #5212

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-20 17:38:16 +01:00
Mathijs van Veluw
b0b953f348
Fix push not working (#5214)
The new native mobile clients seem to use PascalCase for the push payload.
Also the date/time could cause issues.

This PR fixes this by formatting the date/time correctly and use PascalCase for the payload key's
I now receive cipher updates and login-with-device requests again.

Fixes #5182

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-20 17:32:44 +01:00
Mathijs van Veluw
cdfdc6ff4f
Fix Org Import duplicate collections (#5200)
This fixes an issue with collections be duplicated same as was an issue with folders.
Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity.
And instead of passing objects only use the UUID which was the only value we needed.

Also found an issue with importing a personal export via the Org import where folders are used.
Since Org's do not use folder we needed to clear those out, same as Bitwarden does.

Fixes #5193

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-17 21:33:23 +01:00
Daniel García
2393c3f3c0
Support SSH keys on desktop 2024.12 (#5187)
* Support SSH keys on desktop 2024.12

* Document flags in .env.template

* Validate key rotation contents
2024-11-15 18:38:16 +01:00
Daniel García
0d16b38a68
Some more authrequest changes (#5188) 2024-11-15 11:25:51 +01:00
Stefan Melmuk
ff33534c07
don't infer manage permission for groups (#5190)
the web-vault v2024.6.2 currently cannot deal with manage permission so
instead of relying on the org user type this should just default to false
2024-11-13 19:19:19 +01:00
Stefan Melmuk
adb21d5c1a
fix password hint check (#5189)
* fix password hint check

don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints

* update descriptions for pw hints options
2024-11-12 21:22:25 +01:00
Mathijs van Veluw
e927b8aa5e
Remove auth-request deletion (#5184)
2FA is needed to login even when using login-with-device.
If the user didn't saved the 2FA token they still need to provide this.
We deleted the auth-request after validation the request, but before 2FA was triggered.

Removing the deletion of this record from that point as it will get cleaned-up automatically anyways.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-12 15:48:39 +01:00
Mathijs van Veluw
ba48ca68fc
fix hibp username encoding and pw hint check (#5180)
* fix hibp username encoding

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix password-hint check

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-12 11:09:28 +01:00
Mathijs van Veluw
294b429436
Add dynamic CSS support (#4940)
* Add dynamic CSS support

Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes.

For example, we could hide the register link if signups are not allowed.
In the future show or hide the SSO button depending on if it is enabled or not.

There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes.
This will prevent future changes from not being applied and still have the custom user changes to be added.

Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Add versions and fallback to built-in

- Add both Vaultwarden and web-vault versions to the css_options.
- Fallback to the inner templates if rendering or compiling the scss fails.
  This ensures the basics are always working even if someone breaks the templates.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix fallback code to actually work

The fallback now works by using an alternative `reg!` macro.
This adds an extra template register which prefixes the template with `fallback_`.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Updated the wiki link in the user template

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-11 20:14:04 +01:00
Daniel García
37c14c3c69
More authrequest fixes (#5176) 2024-11-11 20:13:02 +01:00
Mathijs van Veluw
d0581da638
Fix if logic error (#5171)
Fixing a logical error in an if statement where we used `&&` which should have been `||`.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-11 11:50:33 +01:00
Daniel García
38aad4f7be
Limit HIBP to authed users 2024-11-10 23:59:06 +01:00
BlackDex
20d9e885bf
Update crates and fix several issues
Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-10 23:56:19 +01:00
Mathijs van Veluw
2f20ad86f9
Update README (#5153)
Updating the Readme to be more modern and more clear.
Added and moved several shields/badges and changed some default colors to have a better contrast.
Added a Disclaimer section.

Closes #4901
Closes #4930
Closes #4931
Closes #5024

Co-authored-by: ipitio <21136719+ipitio@users.noreply.github.com>
Co-authored-by: Robert Schütz <github@dotlambda.de>
Co-authored-by: Yonas Yanfa <yonas.y@gmail.com>
Co-authored-by: KUSUMA RUSHIKESH <141169227+rushi-k12@users.noreply.github.com>
2024-11-02 22:20:10 +01:00
Mathijs van Veluw
33bae5fbe9
Update crates and fix Mail issue (#5125)
- Updated all the crates
  Including in this update is an update from lettre, which solves an issue with some specific SMTP mail providers.
2024-10-24 19:13:20 +02:00
Daniel
f60502a17e
Add documentation for the extension-refresh feature flag (#5112) 2024-10-21 00:05:11 +02:00
Mathijs van Veluw
13f4b66e62
Hide user name on invite status (#5110)
A possible user disclosure when you invite an user into an organization which already has an account on the same instance.
This was because we always returned the user's name.
To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null.
This is the same as Bitwarden does.

Resolves a reported issue.

Also resolved a new `nightly` reported clippy regarding a regex within a loop.
2024-10-19 18:22:21 +02:00
Daniel
c967d0ddc1
Add extension-refresh feature flag (#5106)
- in case people want to try out the new extension design
2024-10-19 18:21:00 +02:00
Mathijs van Veluw
ae6ed0ece8
Fix collection management and match some json output (#5095)
- Fixed collection management to be usable from the Password Manager UI
- Checked and brought in-to-sync with upstream several json responses
- Fixed a small issue with the `fields` response when it was empty

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-10-18 20:37:32 +02:00
Daniel
b7c254eb30
Update Rust to 1.82.0 (#5099)
- raise MSRV to 1.80.0
- also update the crates
2024-10-18 20:34:31 +02:00
Mathijs van Veluw
a47b484172
Fix org invite url being html encoded (#5100)
Ever since we changed to pass the full url as a template value handlebars now html-encodes this.
This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates.

This PR encloses the template values inside triple braces `{{{ }}}` which prevents html-encoding.
Since the URL is generated via the `url` crate the values are percent-encoded anyway.

Fixes #5097

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-10-18 20:34:11 +02:00
Mathijs van Veluw
65629a99f0
Fix field type to actually be hidden (#5082)
In an oversight i forgot to set the type to a hidden type if converting the int was not possible.
This fixes that.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-10-13 20:32:15 +02:00
Mathijs van Veluw
49c5dec9b6
Fix iOS sync by converting field types to int (#5081)
It seems the iOS clients are not able to handle the `type` key within the `fields` array when they are of the type string.
All other clients seem to handle this just fine though.

This PR fixes this by validating it is a number, if this is not the case, try to convert the string to a number, or return the default of `1`.
`1` is used as this is the type `hidden` and should prevent accidental data disclosure.

Fixes #5069

Possibly Fixes #5016
Possibly Fixes #5002

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-10-13 20:25:09 +02:00
Mathijs van Veluw
cd195ff243
Fix --version from failing without config (#5055)
* Fix `--version` from failing without config

Since we added the option to show the web-vault version also when running `--version` this causes the config to always be validated.
While this is not very bad in general, it could cause the command to quit during the config validation, and not show the version, but also errors.
This is probably not very useful for this specific command, unlike the `--backup` for example.

To fix this, and preventing the config from being validated, i added an AtomicBool to check if we need to validate the config on first load.
This prevents errors, and will just show the Vaultwarden version, and if possible the web-vault version too.

Fixes #5046

Signed-off-by: BlackDex <black.dex@gmail.com>

* Adjusted the code bsaed upon review

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-10-11 18:58:25 +02:00
Mathijs van Veluw
e3541763fd
Updates and collection management fixes (#5072)
* Fix collections not editable by managers

Since a newer version of the web-vault we use manager were not able to create sub collections anymore.
This was because of some missing details in the response of some json objects.

This commit fixes this by using the `to_json_details` instead of the `to_json`

Fixes #5066
Fixes #5044

* Update crates and GitHub Actions

- Updated all the crates
- Updated all the GHA dependencies
- Configured the trivy workflow to only run on the main repo and not on forks
  Also selected a random new scheduled date so it will not run at the same time as all other forks.
  The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
2024-10-11 18:42:40 +02:00
Mathijs van Veluw
f0efec7c96
Fix compiling for Windows targets (#5053)
The `unix::signal` was also included during Windows compilations.
This of course will not work. Fix this by only including it for `unix` targets.

Also changed all other conditional compilation options to use `cfg(unix)` instead of `cfg(not(windows))`.
The latter may also include `wasm` for example, or any other future target family.
This way we will only match `unix`

Fixes #5052
2024-10-06 13:49:00 +02:00
Mathijs van Veluw
040e2a7bb0
Add extra linting (#4977)
* Add extra linting

Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.

Closes #4974

Signed-off-by: BlackDex <black.dex@gmail.com>

* Adjusted according to comments

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
Daniel García
d184c8f08c
Fix keyword collision in Rust 2024 and add new api/config value (#4975)
* Avoid keyword collision with gen in Rust 2024

* Include new api/config setting to disable user registration, not yet used by clients

* Actually qualify CONFIG
2024-09-20 21:39:00 +02:00
Mathijs van Veluw
7d6dec6413
Fix encrypted lastUsedDate (#4972)
It appears that some password histories have an encrypted value on the `lastUsedDate`
Instead of only checking if it is a string, also check if it is a valid RFC Date/Time String.
If not, set it also to epoch 0.

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-20 20:38:42 +02:00
Mathijs van Veluw
de01111082
Fix Device Type column for 2FA migration (#4971) 2024-09-20 12:06:06 +02:00
Stefan Melmuk
0bd8f607cb
remove backtics from postgresql migrations (#4968) 2024-09-19 19:18:09 +02:00
Daniel
21efc0800d
Actually use Device Type for mails (#4916)
- match Bitwarden behaviour
- add a different segment in mails for Device Name
2024-09-18 19:03:15 +02:00
Stefan Melmuk
1031c2e286
fix 2fa policy check on registration (#4956) 2024-09-18 19:00:10 +02:00
Mathijs van Veluw
1bf85201e7
Fix Pw History null dates (#4966)
It seemed to have been possible to have `null` date values.
This PR fixes this by setting the epoch start date if either the date does not exists or is not a string.

This should solve sync issues with the new native mobile clients.

Fixes https://github.com/dani-garcia/vaultwarden/pull/4932#issuecomment-2357581292

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-18 18:57:08 +02:00
Stefan Melmuk
6ceed9284d
fix invitation link via /admin (#4950) 2024-09-13 22:08:59 +02:00
Mathijs van Veluw
25d99e3506
Fix collection update from native client (#4937) 2024-09-10 21:33:59 +02:00
Mathijs van Veluw
dca14285fd
Fix sync with new native clients (#4932) 2024-09-09 11:36:37 +02:00
Daniel
66baa5e7d8
Update Rust version & crates (#4928) 2024-09-07 10:39:29 +02:00
Timshel
248e561b3f
Add orgUserHasExistingUser parameters to org invite (#4827) 2024-09-01 15:55:41 +02:00
Mathijs van Veluw
55623ad9c6
Update web-vault, crates and gha (#4909)
- Updated the web-vault to fix an issue with personal export.
  Thanks to @stefan0xC for patching this.
  Fixes #4875
- Updated crates to there latest version
- Updated the GitHub Actions
- Updated the xx image to the latest version

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-01 15:53:03 +02:00
Mathijs van Veluw
e9acd8bd3c
Add a CLI feature to backup the SQLite DB (#4906)
* Add a CLI feature to backup the SQLite DB

Many users request to add the sqlite3 binary to the container image.
This isn't really ideal as that might bring in other dependencies and will only bloat the image.
There main reason is to create a backup of the database.

While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.

This PR adds several ways to generate a backup.
1. By calling the Vaultwarden binary with the `backup` command like:
  - `/vaultwarden backup`
  - `docker exec -it vaultwarden /vaultwarden backup`
2. By sending the USR1 signal to the running process like:
  - `kill -s USR1 $(pidof vaultwarden)
  - `killall -s USR1 vaultwarden)

This should help users to more easily create backups of there SQLite database.

Also added the Web-Vault version number when using `-v/--version` to the output.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Spelling and small adjustments

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-01 15:52:29 +02:00
Mathijs van Veluw
544b7229e8
Allow enforcing Single Org with pw reset policy (#4903)
* Allow enforcing Single Org with pw reset policy

Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.

Since Vaultwarden encouraged to use multiple orgs when groups were not available yet we should not enable this by default now.
This might be something to do in the future.

When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.

Fixes #4855

Signed-off-by: BlackDex <black.dex@gmail.com>

* Removed some extra if checks

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-30 21:37:59 +02:00
Mathijs van Veluw
978f009293
Allow Org Master-Pw policy enforcement (#4899)
* Allow Org Master-Pw policy enforcement

We didn't returned the master password policy for the user.
If the `Require existing members to change their passwords` check was enabled this should trigger the login to show a change password dialog.

All the master password policies are merged into one during the login response and it will contain the max values and all `true` values which are set by all the different orgs if a user is an accepted member.

Fixes #4507

Signed-off-by: BlackDex <black.dex@gmail.com>

* Use .reduce instead of .fold

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-27 19:37:51 +02:00