- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
- Put groups support behind a feature flag, and disabled by default.
The reason is that it has some known issues, but we want to keep
optimizing this feature. Putting it behind a feature flag could help
some users, and the developers into optimizing this feature without to
much trouble.
Further:
- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
for building the environment variables, lowers heap allocations.
- Updated Rust deps and one small change regarding chrono
- Updated bootstrap 5 css
- Updated datatables
- Replaced identicon.js with jdenticon.
identicon.js is unmaintained ( https://github.com/stewartlord/identicon.js/issues/52 )
The icon's are very different, but nice. It also doesn't need custom
code to find and update the icons our selfs.
Currently when you login into the admin, and then directly hit the save
button, it will come with a re-post/re-submit warning.
This has to do with the `window.location.reload()` function, which
triggers the admin login POST again.
By changing the way to reload the page, we prevent this repost.
Updated the logo's so the `V` is better visible.
Also the cog it self is better now, the previous version wasn't fully round.
These versions also are used with the PR to update the web-vault and use these logo's.
Also updated the images in the static folder.
currently, if the admin guard fails the user will get a 404 page.
and when the session times out after 20 minutes post methods will
give the reason "undefined" as a response while generating the support
string will fail without any user feedback.
this commit changes the error handling on admin pages
* by removing the reliance on Rockets forwarding and making the login
page an explicit route that can be redirected to from all admin pages
* by removing the obsolete and mostly unused Referer struct we can
redirect the user back to the requested admin page directley
* by providing an error message for json requests the
`get_diagnostics_config` and all post methods can return a more
comprehensible message and the user can be alerted
* the `admin_url()` function can be simplified because rfc2616 has been
obsoleted by rfc7231 in 2014 (and also by the recently released
rfc9110) which allows relative urls in the Location header.
c.f. https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2 and
https://www.rfc-editor.org/rfc/rfc9110#section-10.2.2
When a icon blacklist regex was configured to not check for a domain, it
still did a DNS lookup first. This could cause a DNS leakage for these
regex blocked domains.
This PR resolves this issue by first checking the regex, and afterwards
the other checks.
Fixes#2909
Set SMTP_EMBED_IMAGES option to false if you don't want to attach images
to the mail.
NOTE: If you have customized the template files `email_header.hbs` and
`email_footer.hbs` you can replace `{url}/vw_static/` to `{img_url}`
to support both URL schemes
Previously FlashMessage was used to provide an error message during login.
This PR changes that flow to not use redirect for this, but renders the HTML and responds using the correct status code where needed. This should solve some issues which were reported in the past.
Thanks to @RealOrangeOne, for initiating this with a PR.
Fixes#2448Fixes#2712Closes#2715
Co-authored-by: Jake Howard <git@theorangeone.net>
- Updated some Rust dependencies
- Fixed an issue with CSP header, this was not configured correctly
- Prevent sending CSP and Frame headers for the MFA connector.html files.
Else some clients will fail to handle these protocols.
- Add `unsafe-inline` for `script-src` only to the CSP for the Admin Interface
- Updated JavaScript and CSS files for the Admin interface
- Changed the layout for showing overridden settings, better visible now.
- Made the version check cachable to prevent hitting the Github API rate limits
- Hide the `database_url` as if it is a password in the Admin Interface
Else for MariaDB/MySQL or PostgreSQL this was plain text.
- Fixed an issue that pressing enter on the SMTP Test would save the config.
resolves#2542
- Prevent user names larger then 50 characters
resolves#2419
Improved sync speed by resolving the N+1 query issues.
Solves #1402 and Solves #1453
With this change there is just one query done to retreive all the
important data, and matching is done in-code/memory.
With a very large database the sync time went down about 3 times.
Also updated misc crates and Github Actions versions.
Favicon:
- Replaced HTML tokenizer, much faster now.
- Caching the domain blacklist function.
- Almost all functions are async now.
- Fixed bug on minimizing data to parse
- Changed maximum icon download size to 5MB to match Bitwarden
- Added `apple-touch-icon.png` as a second fallback besides `favicon.ico`
SMTP:
- Deprecated SMTP_SSL and SMTP_EXPLICIT_TLS, replaced with SMTP_SECURITY
Misc:
- Fixed issue when `resolv.conf` contains errors and trust-dns panics (Fixes#2283)
- Updated Javscript and CSS files for admin interface
- Fixed an issue with the /admin interface which did not cleared the login cookie correctly
- Prevent websocket notifications during org import, this caused a lot of traffic, and slowed down the import.
This is also the same as Bitwarden which does not trigger this refresh via websockets.
Rust:
- Updated to use v1.59
- Use the new `strip` option and enabled to strip `debuginfo`
- Enabled `lto` with `thin`
- Removed the strip RUN from the alpine armv7, this is now done automatically
Squashed commit of the following:
commit 1bdf1c7954e0731c95703d10118f3874ab5155d3
Merge: 8ba6e617257251
Author: Daniel García <dani-garcia@users.noreply.github.com>
Date: Sun Jan 23 23:40:17 2022 +0100
Merge branch 'remove-bwrs' of https://github.com/RealOrangeOne/vaultwarden into RealOrangeOne-remove-bwrs
commit 7257251ecf
Author: Jake Howard <git@theorangeone.net>
Date: Thu Jan 6 17:48:18 2022 +0000
Use `or_else` to save potentially unnecessary function call
commit 40ae81dd3c
Author: Jake Howard <git@theorangeone.net>
Date: Wed Jan 5 21:18:24 2022 +0000
Move $BWRS_VERSION fallback into build.rs
commit 743ef74b30
Author: Jake Howard <git@theorangeone.net>
Date: Sat Jan 1 23:08:27 2022 +0000
Revert "Add feature to enable use of `Option::or` in const context"
This reverts commit fe8e043b8a.
We want to run on stable soon, where these features are not supported
commit a1f0da638c
Author: Jake Howard <git@theorangeone.net>
Date: Sat Jan 1 13:04:47 2022 +0000
Rename web vault version file
https://github.com/dani-garcia/bw_web_builds/pull/58
commit fe8e043b8a
Author: Jake Howard <git@theorangeone.net>
Date: Sat Jan 1 12:56:44 2022 +0000
Add feature to enable use of `Option::or` in const context
commit 687435c8b2
Author: Jake Howard <git@theorangeone.net>
Date: Sat Jan 1 12:27:28 2022 +0000
Continue to allow using `$BWRS_VERSION`
commit 8e2f708e50
Author: Jake Howard <git@theorangeone.net>
Date: Fri Dec 31 11:41:34 2021 +0000
Remove references to "bwrs"
The only remaining one is getting the version of the web vault, which requires coordinating with the web vault patching.
- Enabled trust-dns feature which seems to help a bit when DNS is
causing long timeouts. Though in the blocking version it is less visible
then on the async branch.
- Updated crates
- Removed some redundant code
- Updated javascript/css libraries
Resolves#2118Resolves#2119
An incomplete 2FA login is one where the correct master password was provided,
but the 2FA token or action required to complete the login was not provided
within the configured time limit. This potentially indicates that the user's
master password has been compromised, but the login was blocked by 2FA.
Be aware that the 2FA step can usually still be completed after the email
notification has already been sent out, which could be confusing. Therefore,
the incomplete 2FA time limit should be long enough that this situation would
be unlikely. This feature can also be disabled entirely if desired.
- Fixed a bug in JavaScript which caused no messages to be shown to the
user in-case of an error send by the server.
- Changed mail error handling for better error messages
- Changed user/org actions from a to buttons, this should prevent
strange issues in-case of javascript issues and the page does re-load.
- Added Alpine and Debian info for the running docker image
During the mail error testing i encountered a bug which caused lettre to
panic. This panic only happens on debug builds and not release builds,
so no need to update anything on that part. This bug is also already
fixed. See https://github.com/lettre/lettre/issues/678 and https://github.com/lettre/lettre/pull/679Resolves#2021
Could also fix the issue reported here #2022, or at least no hash `#` in
the url.
- Updated JS Libraries
- Downgraded bootstrap.css to v5.0.2 which works with Bootstrap-Native.
- Fixed issue with settings being able to open/collapse on some systems.
- Added .js and .css to the exclude list for the end-of-file-fixer pre-commit
Updated several dependencies and switch to different totp library.
- Switch oath with totp-lite
oauth hasn't been updated in a long while and some dependencies could not be updated any more
It now also validates a preseeding 0, as the previous library returned an int instead of a str which stripped a leading 0
- Updated rust to the current latest nightly (including build image)
- Updated bootstrap css and js
- Updated hadolint to latest version
- Updated default rust image from v1.53 to v1.54
- Updated new nightly build/clippy messages