If an external icon service is configured, icon requests return an HTTP
redirect to the corresponding icon at the external service.
An external service may be useful for various reasons, such as if:
* The Vaultwarden instance has no external network connectivity.
* The Vaultwarden instance has trouble handling large bursts of icon requests.
* There are concerns that an attacker may probe the instance to try to detect
whether icons for certain sites have been cached, which would suggest that
the instance contains entries for those sites.
* The external icon service does a better job of providing icons than the
built-in fetcher.
- Enabled trust-dns feature which seems to help a bit when DNS is
causing long timeouts. Though in the blocking version it is less visible
then on the async branch.
- Updated crates
- Removed some redundant code
- Updated javascript/css libraries
Resolves#2118Resolves#2119
- Decreased `recursion_limit` from 512 to 87
Mainly done by optimizing the config macro's.
This fixes an issue with the rust-analyzer which doesn't go beyond 128
- Removed Regex for masking sensitive values and replaced it with a map()
This is much faster then using a Regex.
- Refactored the get_support_json macro's
- All items above also lowered the binary size and possibly compile-time
- Removed `_conn: DbConn` from several functions, these caused unnecessary database connections for functions who didn't used that at all
- Decreased json response for `/plans`
- Updated libraries and where needed some code changes
This also fixes some rare issues with SMTP https://github.com/lettre/lettre/issues/678
- Using Rust 2021 instead of 2018
- Updated rust nightly
Rejecting an emergency access request should transition the grantor/grantee
relationship back into the `Confirmed` state, and the grantor's encrypted key
should remain in escrow rather than being cleared, or else future emergency
access requsts from that grantee will fail.
For one of these flags to be in effect for a cipher, upstream requires all of
(rather than any of) the collections the cipher is in to have that flag set.
Also, some of the logic for loading access restrictions was wrong. I think
that only malicious clients that also had knowledge of the UUIDs of ciphers
they didn't have access to would have been able to take advantage of that.
An incomplete 2FA login is one where the correct master password was provided,
but the 2FA token or action required to complete the login was not provided
within the configured time limit. This potentially indicates that the user's
master password has been compromised, but the login was blocked by 2FA.
Be aware that the 2FA step can usually still be completed after the email
notification has already been sent out, which could be confusing. Therefore,
the incomplete 2FA time limit should be long enough that this situation would
be unlikely. This feature can also be disabled entirely if desired.
During a small discusson on Matrix it seems logical to have the /alive
endpoint also check if the database connection still works.
The reason for this was regarding a certificate which failed/expired
while vaultwarden and the database were still up-and-running, but
suddenly vaultwarden couldn't connect anymore.
With this `DbConn` added to `/alive`, it will be more accurate, because
of vaultwarden can't reach the database, it isn't alive.
- Fixed a bug in JavaScript which caused no messages to be shown to the
user in-case of an error send by the server.
- Changed mail error handling for better error messages
- Changed user/org actions from a to buttons, this should prevent
strange issues in-case of javascript issues and the page does re-load.
- Added Alpine and Debian info for the running docker image
During the mail error testing i encountered a bug which caused lettre to
panic. This panic only happens on debug builds and not release builds,
so no need to update anything on that part. This bug is also already
fixed. See https://github.com/lettre/lettre/issues/678 and https://github.com/lettre/lettre/pull/679Resolves#2021
Could also fix the issue reported here #2022, or at least no hash `#` in
the url.
- Unicode websites could break (www.post.japanpost.jp for example).
regex would fail because it was missing the unicode-perl feature.
- Be less verbose in logging with icon downloads
- Removed duplicate info/error messages
- Added err_silent! macro to help with the less verbose error/info messages.
- Changed the date of the migration folders to be from this date.
- Removed a lot is_email_domain_allowed checks.
This check only needs to be done during the invite it self, else
everything else will fail even if a user has an account created via the
/admin interface which bypasses that specific check! Also, the check was
at the wrong place anyway's, since it would only not send out an e-mail,
but would still have allowed an not allowed domain to be used when
e-mail would have been disabled. While that check always works, even if
sending e-mails is disasbled.
- Added an extra allowed route during password/key-rotation change which
updates/checks the public-key afterwards.
- A small change with some `Some` and `None` orders.
- Change the new invite object to only generate the UTC time once, since
it could be possible that there will be a second difference, and we only
need to call it just once.
by black.dex@gmail.com
Signed-off-by: thelittlefireman <thelittlefireman@users.noreply.github.com>
- Updated JS Libraries
- Downgraded bootstrap.css to v5.0.2 which works with Bootstrap-Native.
- Fixed issue with settings being able to open/collapse on some systems.
- Added .js and .css to the exclude list for the end-of-file-fixer pre-commit
For user management within the organization view you are able to select
multiple users to re-invite, confirm or delete them.
These actions were not working which this PR fixes by adding support for
these endpoints. This will make it easier to confirm and delete multiple
users at once instead of having to do this one-by-one.
In the case when SMTP is disabled and.
when inviting new users either via the admin interface or into an
organization and using uppercase letters, this would fail for those
users to be able to register since the checks which were done are
case-sensitive and never matched.
This PR fixes that issue by ensuring everything is lowercase.
Fixes#1963
Syncing with the latest desktop client (v1.28.0) fails because it expects some json key/values to be there.
This PR adds those key/value pairs.
Resolves#1924
Updated several dependencies and switch to different totp library.
- Switch oath with totp-lite
oauth hasn't been updated in a long while and some dependencies could not be updated any more
It now also validates a preseeding 0, as the previous library returned an int instead of a str which stripped a leading 0
- Updated rust to the current latest nightly (including build image)
- Updated bootstrap css and js
- Updated hadolint to latest version
- Updated default rust image from v1.53 to v1.54
- Updated new nightly build/clippy messages
- Updated some packages
- Updated code related to package updates.
- Disabled User Verification enforcement when WebAuthn Key sends UV=1
This makes it compatible with upstream and resolves#1840
- Fixed a bug where removing an individual WebAuthn key deleted the wrong key.
