1
0
Fork 0
Commit-Graph

2410 Commits

Autor SHA1 Nachricht Datum
BlackDex
88085fe17b
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 19:10:56 +01:00
BlackDex
2020a302d0
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 19:10:55 +01:00
Alex Martel
ab2dd0f300
Remove patched multer-rs 2023-01-09 19:10:55 +01:00
BlackDex
8e6fd4b4a1 Update dependencies and MSRV
- Updated dependencies.
  This includes a janked openssl crate version we currently use.
- Updated MSRV to v1.61.0 because hashbrown/cached has this version restriction.
2023-01-09 19:10:11 +01:00
Daniel García
988d24927e
Merge branch 'am97-main' 2023-01-09 18:25:41 +01:00
BlackDex
e945d16fcf
Optimize config loading messages
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.

But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.

- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
  here. I'm using a exit code 255 here so it is different to the other
  exit's we use.
- Exit on more issues, since if we continue, it could cause
  configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
  This makes it consistent with the info message for loading the env file.

Resolves #3090
2023-01-09 18:25:36 +01:00
BlackDex
f1c0aa4f83
Update WebSocket Notifications
Previously the websocket notifications were using `app_id` as the
`ContextId`. This was incorrect and should have been the device_uuid
from the client device executing the request. The clients will ignore
the websocket request if the uuid matches. This also fixes some issues
with the Desktop client which is able to modify attachments within the
same screen and causes an issue when saving the attachment afterwards.

Also changed the way to handle removed attachments, since that causes an
error saving the vault cipher afterwards, complaining about a missing
attachment. Bitwarden ignores this, and continues with the remaining
attachments (if any). This also fixes #2591 .

Further some more websocket notifications have been added to some other
functions which enhance the user experience.

- Logout users when deauthed, changed password, rotated keys
- Trigger OrgSyncKeys on user confirm and removal
- Added some extra to the send feature

Also renamed UpdateTypes to match Bitwarden naming.
2023-01-09 18:25:36 +01:00
pjsier
68362d06b3
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 18:25:36 +01:00
BlackDex
f65c0e2ac8
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 18:25:36 +01:00
BlackDex
0f588ced03
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 18:25:35 +01:00
Alex Martel
b0f03bb49c
Remove patched multer-rs 2023-01-09 18:25:35 +01:00
Daniel García
5063661028
Merge branch 'BlackDex-optimize-config-loading-messages' 2023-01-09 18:25:25 +01:00
BlackDex
7e66ab78ff
Update WebSocket Notifications
Previously the websocket notifications were using `app_id` as the
`ContextId`. This was incorrect and should have been the device_uuid
from the client device executing the request. The clients will ignore
the websocket request if the uuid matches. This also fixes some issues
with the Desktop client which is able to modify attachments within the
same screen and causes an issue when saving the attachment afterwards.

Also changed the way to handle removed attachments, since that causes an
error saving the vault cipher afterwards, complaining about a missing
attachment. Bitwarden ignores this, and continues with the remaining
attachments (if any). This also fixes #2591 .

Further some more websocket notifications have been added to some other
functions which enhance the user experience.

- Logout users when deauthed, changed password, rotated keys
- Trigger OrgSyncKeys on user confirm and removal
- Added some extra to the send feature

Also renamed UpdateTypes to match Bitwarden naming.
2023-01-09 18:25:18 +01:00
pjsier
665e275dc5
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 18:25:18 +01:00
BlackDex
a6da728cca
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 18:25:17 +01:00
BlackDex
04e02d7f9f
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 18:25:17 +01:00
Alex Martel
7c739dd58e
Remove patched multer-rs 2023-01-09 18:25:17 +01:00
Daniel García
05a552910c
Merge branch 'BlackDex-update-notifications' 2023-01-09 18:24:00 +01:00
pjsier
c990837066
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 18:23:56 +01:00
BlackDex
57aec37507
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 18:23:56 +01:00
BlackDex
0c5b4476ad
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 18:23:56 +01:00
Alex Martel
17141147a8
Remove patched multer-rs 2023-01-09 18:23:55 +01:00
Daniel García
193c2fa860
Merge branch 'pjsier-fix/log-file-permissions-3055' 2023-01-09 18:23:28 +01:00
BlackDex
6d01aaa80f
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 18:23:24 +01:00
BlackDex
ad60eaa0f3
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 18:23:23 +01:00
Alex Martel
d878face07
Remove patched multer-rs 2023-01-09 18:23:23 +01:00
Daniel García
8bf8388cd6
Merge branch 'BlackDex-issue-3003' 2023-01-09 18:23:11 +01:00
BlackDex
b4db853bcb
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 18:23:07 +01:00
Alex Martel
5ee94c0ba9
Remove patched multer-rs 2023-01-09 18:23:07 +01:00
Daniel García
f108349547
Merge branch 'BlackDex-remove-inline-js' 2023-01-09 18:22:55 +01:00
Alex Martel
d25e1ab94b
Remove patched multer-rs 2023-01-09 18:22:50 +01:00
Daniel García
79fee269ee
Merge branch 'manofthepeace-removePatchedMulter' 2023-01-09 18:22:39 +01:00
Rychart Redwerkz
ffe362f856
Merge pull request #2 from stapelkai/update-viewport-meta-tag
Remove `shrink-to-fit=no`
2023-01-09 02:18:29 +01:00
Rychart Redwerkz
04bb15a802
Remove shrink-to-fit=no
This was a workaroud needed for iOS versions before 9.3 and is not part of the recommended viewport meta tag anymore.
https://www.scottohara.me/blog/2018/12/11/shrink-to-fit.html
2023-01-08 23:18:55 +01:00
Jeremy Lin
4d9d649db9 Change text/plain API responses to application/json
Recent versions of the Bitwarden clients (see bitwarden/clients#3574)
won't parse non-JSON responses. The most noticeable consequence is that
`/api/accounts/revision-date` responses won't be parsed, leading to
`/api/sync` always being called, even when it's not necessary.
2023-01-07 10:41:28 -08:00
Andrés Maldonado
2897c24e83 Percent-encode org_name in links
If org_name contains spaces, the generated link will not work in some email clients unless it is percent-encoded
2023-01-03 12:51:44 +01:00
BlackDex
5964dc95f0
Optimize config loading messages
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.

But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.

- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
  here. I'm using a exit code 255 here so it is different to the other
  exit's we use.
- Exit on more issues, since if we continue, it could cause
  configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
  This makes it consistent with the info message for loading the env file.

Resolves #3090
2023-01-02 18:18:28 +01:00
BlackDex
613b2519ed
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2022-12-31 22:17:16 +01:00
BlackDex
996b60e43d
Update WebSocket Notifications
Previously the websocket notifications were using `app_id` as the
`ContextId`. This was incorrect and should have been the device_uuid
from the client device executing the request. The clients will ignore
the websocket request if the uuid matches. This also fixes some issues
with the Desktop client which is able to modify attachments within the
same screen and causes an issue when saving the attachment afterwards.

Also changed the way to handle removed attachments, since that causes an
error saving the vault cipher afterwards, complaining about a missing
attachment. Bitwarden ignores this, and continues with the remaining
attachments (if any). This also fixes #2591 .

Further some more websocket notifications have been added to some other
functions which enhance the user experience.

- Logout users when deauthed, changed password, rotated keys
- Trigger OrgSyncKeys on user confirm and removal
- Added some extra to the send feature

Also renamed UpdateTypes to match Bitwarden naming.
2022-12-31 20:39:53 +01:00
Alex Martel
a6d09407b9 Remove patched multer-rs 2022-12-29 12:09:53 -05:00
pjsier
f2e9ddef4e Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2022-12-29 07:21:04 -06:00
BlackDex
ca417d3257
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2022-12-29 12:45:18 +01:00
Daniel García
10dadfca06
Update web vault to 2022.12.0 2022-12-18 20:37:01 +01:00
Daniel García
bf73a8235f
Merge branch 'BlackDex-fix-yubikey-panic' 2022-12-18 20:32:10 +01:00
BlackDex
67a584c1d4
Disable groups by default and Some optimizations
- Put groups support behind a feature flag, and disabled by default.
  The reason is that it has some known issues, but we want to keep
  optimizing this feature. Putting it behind a feature flag could help
  some users, and the developers into optimizing this feature without to
  much trouble.

Further:

- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
  for building the environment variables, lowers heap allocations.
2022-12-18 20:32:06 +01:00
BlackDex
8e5f03972e
Fix recover-2fa not working.
When audit logging was introduced there entered a small bug preventing
the recover-2fa from working.

This PR fixes that by add a new headers check to extract the device-type
when possible and use that for the logging.

Fixes #2985
2022-12-18 20:32:06 +01:00
Daniel García
d8abf8f98f
Merge branch 'BlackDex-some-optimizations' 2022-12-18 20:31:22 +01:00
BlackDex
cb348d2e05
Fix recover-2fa not working.
When audit logging was introduced there entered a small bug preventing
the recover-2fa from working.

This PR fixes that by add a new headers check to extract the device-type
when possible and use that for the logging.

Fixes #2985
2022-12-18 20:31:17 +01:00
Daniel García
aceb111024
Merge branch 'BlackDex-issue-2985' 2022-12-18 20:25:46 +01:00
BlackDex
b60a4a68c7
Fix a panic during Yubikey register/login
The yubico crate uses blocking reqwest, and we called the `verify` from
a async thread. To prevent issues we need to wrap it within a
`spawn_blocking`.
2022-12-18 17:57:35 +01:00