Bitwarden allows to use self-hosted forwarded email services.
But for this to work you need to add custom URL's to the `connect-src` CSP entry.
This commit allows setting this and checks if the URL starts with `https://` else it will abort loading.
Fixes #5290
Signed-off-by: BlackDex <black.dex@gmail.com>
* fix password hint check
don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints
* update descriptions for pw hints options
* Add dynamic CSS support
Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes.
For example, we could hide the register link if signups are not allowed.
In the future show or hide the SSO button depending on if it is enabled or not.
There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes.
This will prevent future changes from not being applied and still have the custom user changes to be added.
Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add versions and fallback to built-in
- Add both Vaultwarden and web-vault versions to the css_options.
- Fallback to the inner templates if rendering or compiling the scss fails.
This ensures the basics are always working even if someone breaks the templates.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix fallback code to actually work
The fallback now works by using an alternative `reg!` macro.
This adds an extra template register which prefixes the template with `fallback_`.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated the wiki link in the user template
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix `--version` from failing without config
Since we added the option to show the web-vault version also when running `--version` this causes the config to always be validated.
While this is not very bad in general, it could cause the command to quit during the config validation, and not show the version, but also errors.
This is probably not very useful for this specific command, unlike the `--backup` for example.
To fix this, and preventing the config from being validated, i added an AtomicBool to check if we need to validate the config on first load.
This prevents errors, and will just show the Vaultwarden version, and if possible the web-vault version too.
Fixes #5046
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted the code bsaed upon review
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add extra linting
Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.
Closes #4974
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted according to comments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Avoid keyword collision with gen in Rust 2024
* Include new api/config setting to disable user registration, not yet used by clients
* Actually qualify CONFIG
* Allow enforcing Single Org with pw reset policy
Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.
Since Vaultwarden encouraged to use multiple orgs when groups were not available yet we should not enable this by default now.
This might be something to do in the future.
When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.
Fixes #4855
Signed-off-by: BlackDex <black.dex@gmail.com>
* Removed some extra if checks
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000.
Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, i added warnings regarding this.
Closes #3168
* Add initial working Duo Universal Prompt support.
* Add db schema and models for Duo 2FA state storage
* store duo states in the database and validate during authentication
* cleanup & comments
* bump state/nonce length
* replace stray use of TimeDelta
* more cleanup
* bind Duo oauth flow to device id, drop redundant device type handling
* drop redundant alphanum string generation code
* error handling cleanup
* directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
* remove redundant explicit returns, rustfmt
* rearrange constants, update comments, error message
* override charset on duo state column to ascii for mysql
* Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
* Add fixes suggested by clippy
* rustfmt
* Update to use the make_http_request
* Don't handle OrganizationDuo
* move Duo API endpoint fmt strings out of macros and into format! calls
* Add missing indentation
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* remove redundant expiry check when purging Duo contexts
---------
Co-authored-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
- Updated datatables
- Set Cookie Secure flag if the connection is https
- Prevent possible XSS via Organization Name
Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent`
- Removed `jsesc` function as handlebars escapes all these chars already and more by default
* Remove custom WebSocket code
Remove our custom WebSocket code and only use the Rocket code.
Removed all options in regards to WebSockets
Added a new option `WEBSOCKET_DISABLED` which defaults too `false`.
This can be used to disable WebSockets if you really do not want to use it.
* Addressed remarks given and some updates
- Addressed comments given during review
- Updated crates, including Rocket to the latest merged v0.5 changes
- Removed an extra header which should not be sent for websocket connections
* Updated suggestions and crates
- Addressed the suggestions
- Updated Rocket to latest rc4
Also made the needed code changes
- Updated all other crates
Pinned `openssl` and `openssl-sys`
---------
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* Allow customizing the featureStates
Use a comma separated list of features to enable using the FEATURE_FLAGS env variable
* Move feature flag parsing to util
* Fix formatting
* Update supported feature flags
* Rename feature_flags to experimental_client_feature_flags
Additionally, use a caret (^) instead of an exclamation mark (!) to disable features
* Fix formatting issue.
* Add documentation to env template
* Remove functionality to disable feature flags
* Fix JSON key for feature states
* Convert error to warning when feature flag is unrecognized
* Simplify parsing of feature flags
* Fix default value of feature flags in env template
* Fix formatting
Since the feature `Login with device` some actions done via the
web-vault need to be verified via an OTP instead of providing the MasterPassword.
This only happens if a user used the `Login with device` on a device
which uses either Biometrics login or PIN. These actions prevent the
athorizing device to send the MasterPasswordHash. When this happens, the
web-vault requests an OTP to be filled-in and this OTP is send to the
users email address which is the same as the email address to login.
The only way to bypass this is by logging in with the your password, in
those cases a password is requested instead of an OTP.
In case SMTP is not enabled, it will show an error message telling to
user to login using there password.
Fixes #4042
- Fixed issue with domains starting with `admin`
- Fixed issue with DUO not being enabled globally anymore (regression)
- Renamed `Ciphers` to `Entries` in overview
- Improved `ADMIN_TOKEN` description
- Updated jquery-slim and datatables
Resolves #3382
Resolves #3415
Resolves discussion on #3288
Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.
The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.
You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.
Added a warning during startup and within the admin settings panel is
the `ADMIN_TOKEN` is not an Argon2 hash.
Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash.
I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.
Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.
- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
- Update Password Hash when the default iteration value is different
- Validate password_iterations
- Validate client-side KDF to prevent it from being set lower than 100_000
