Commit Graph

2356 Commits

Author SHA1 Message Date
BlackDex
072f2e24c2
Update Rust to v1.66.1 to patch CVE
This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.
2023-01-12 09:45:52 +01:00
BlackDex
36b5350f9b
Add avatar color support
The new web-vault v2023.1.0 supports a custom color for the avatar.
https://github.com/bitwarden/server/pull/2330

This PR adds this feature.
2023-01-11 22:20:03 +01:00
BlackDex
c7489c9fdf
Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-11 22:13:20 +01:00
BlackDex
3181e4e96e
Optimize CipherSyncData for very large vaults
As mentioned in #3111, using a very very large vault causes some issues.
Mainly because of a SQLite limit, but, it could also cause issue on
MariaDB/MySQL or PostgreSQL. It also uses a lot of memory, and memory
allocations.

This PR solves this by removing the need of all the cipher_uuid's just
to gather the correct attachments.

It will use the user_uuid and org_uuid's to get all attachments linked
to both, weither the user has access to them or not. This isn't an
issue, since the matching is done per cipher and the attachment data is
only returned if there is a matching cipher to where the user has access to.

I also modified some code to be able to use `::with_capacity(n)` where
possible. This prevents re-allocations if the `Vec` increases size,
which will happen a lot if there are a lot of ciphers.

According to my tests measuring the time it takes to sync, it seems to
have lowered the duration a bit more.

Fixes #3111
2023-01-11 20:23:53 +01:00
GeekCorner
2ee0d53c5f
fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-10 09:41:35 +01:00
Rychart Redwerkz
dfa629ecc7
Use more modern meta tag for charset encoding 2023-01-10 00:24:37 +01:00
BlackDex
92dc48b882
Fix remaning inline format 2023-01-09 20:41:31 +01:00
Daniel García
367e1ce289
Merge pull request #3065 from BlackDex/future-clippy-fixes
Resolve uninlined_format_args clippy warnings
2023-01-09 20:17:06 +01:00
BlackDex
7390f34355
Resolve uninlined_format_args clippy warnings
The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`.
This PR resolves that by inlining all these items.
It also looks nicer.
2023-01-09 20:13:48 +01:00
Daniel García
c47d9f6593
Fix some lints: explicit Arc::clone, and unnecessary return after unreachable! 2023-01-09 19:54:25 +01:00
Daniel García
5399ee8208
Merge branch 'BlackDex-update-libraries' 2023-01-09 19:19:11 +01:00
pjsier
117045e6d3
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:18:59 +01:00
BlackDex
912ad64555
Resolve uninlined_format_args clippy warnings
The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`.
This PR resolves that by inlining all these items.
It also looks nicer.
2023-01-09 19:18:58 +01:00
BlackDex
00855ee31d
Fix failing large note imports
When importing to Vaultwarden (or Bitwarden) notes larger then 10_000
encrypted characters are invalid. This because it for one isn't
compatible with Bitwarden. And some clients tend to break on very large
notes.

We already added a check for this limit when adding a single cipher, but
this caused issues during import, and could cause a partial imported
vault. Bitwarden does some validations before actually running it
through the import process and generates a special error message which
helps the user indicate which items are invalid during the import.

This PR adds that validation check and returns the same kind of error.
Fixes #3048
2023-01-09 19:18:19 +01:00
pjsier
c18a273b4a
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:18:18 +01:00
pjsier
ca24a4adf1
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:18:18 +01:00
BlackDex
a263aaa481
Resolve uninlined_format_args clippy warnings
The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`.
This PR resolves that by inlining all these items.
It also looks nicer.
2023-01-09 19:18:18 +01:00
Rychart Redwerkz
0a20ba0020
Remove shrink-to-fit=no
This was a workaroud needed for iOS versions before 9.3 and is not part of the recommended viewport meta tag anymore.
https://www.scottohara.me/blog/2018/12/11/shrink-to-fit.html
2023-01-09 19:18:09 +01:00
Jeremy Lin
6541600af6
Change text/plain API responses to application/json
Recent versions of the Bitwarden clients (see bitwarden/clients#3574)
won't parse non-JSON responses. The most noticeable consequence is that
`/api/accounts/revision-date` responses won't be parsed, leading to
`/api/sync` always being called, even when it's not necessary.
2023-01-09 19:17:46 +01:00
Daniel García
525979d5d9
Merge branch 'BlackDex-issue-3048' 2023-01-09 19:17:30 +01:00
pjsier
7dd1959eba
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:17:13 +01:00
pjsier
e266b39254
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:17:13 +01:00
BlackDex
e935989fee
Resolve uninlined_format_args clippy warnings
The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`.
This PR resolves that by inlining all these items.
It also looks nicer.
2023-01-09 19:17:13 +01:00
Rychart Redwerkz
25c401f64d
Remove shrink-to-fit=no
This was a workaroud needed for iOS versions before 9.3 and is not part of the recommended viewport meta tag anymore.
https://www.scottohara.me/blog/2018/12/11/shrink-to-fit.html
2023-01-09 19:17:03 +01:00
Jeremy Lin
18b72da657
Change text/plain API responses to application/json
Recent versions of the Bitwarden clients (see bitwarden/clients#3574)
won't parse non-JSON responses. The most noticeable consequence is that
`/api/accounts/revision-date` responses won't be parsed, leading to
`/api/sync` always being called, even when it's not necessary.
2023-01-09 19:16:47 +01:00
Daniel García
e8e6c89927
Merge branch 'BlackDex-future-clippy-fixes' 2023-01-09 19:16:35 +01:00
pjsier
fd5f657334
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:16:30 +01:00
Rychart Redwerkz
da9605f2d2
Remove shrink-to-fit=no
This was a workaroud needed for iOS versions before 9.3 and is not part of the recommended viewport meta tag anymore.
https://www.scottohara.me/blog/2018/12/11/shrink-to-fit.html
2023-01-09 19:16:30 +01:00
pjsier
7030de32d5
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:16:30 +01:00
Jeremy Lin
b67c5b77be
Change text/plain API responses to application/json
Recent versions of the Bitwarden clients (see bitwarden/clients#3574)
won't parse non-JSON responses. The most noticeable consequence is that
`/api/accounts/revision-date` responses won't be parsed, leading to
`/api/sync` always being called, even when it's not necessary.
2023-01-09 19:16:29 +01:00
BlackDex
d30878c4ea Resolve uninlined_format_args clippy warnings
The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`.
This PR resolves that by inlining all these items.
It also looks nicer.
2023-01-09 19:12:51 +01:00
BlackDex
6be26f0a38
Fix failing large note imports
When importing to Vaultwarden (or Bitwarden) notes larger then 10_000
encrypted characters are invalid. This because it for one isn't
compatible with Bitwarden. And some clients tend to break on very large
notes.

We already added a check for this limit when adding a single cipher, but
this caused issues during import, and could cause a partial imported
vault. Bitwarden does some validations before actually running it
through the import process and generates a special error message which
helps the user indicate which items are invalid during the import.

This PR adds that validation check and returns the same kind of error.
Fixes #3048
2023-01-09 19:11:58 +01:00
Daniel García
34a6bfaefa
Merge branch 'stapelkai-main' 2023-01-09 19:11:31 +01:00
Jeremy Lin
1c8749eb4d
Change text/plain API responses to application/json
Recent versions of the Bitwarden clients (see bitwarden/clients#3574)
won't parse non-JSON responses. The most noticeable consequence is that
`/api/accounts/revision-date` responses won't be parsed, leading to
`/api/sync` always being called, even when it's not necessary.
2023-01-09 19:11:27 +01:00
Andrés Maldonado
1198c36a2b
Percent-encode org_name in links
If org_name contains spaces, the generated link will not work in some email clients unless it is percent-encoded
2023-01-09 19:11:27 +01:00
BlackDex
41e6c1a383
Optimize config loading messages
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.

But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.

- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
  here. I'm using a exit code 255 here so it is different to the other
  exit's we use.
- Exit on more issues, since if we continue, it could cause
  configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
  This makes it consistent with the info message for loading the env file.

Resolves #3090
2023-01-09 19:11:27 +01:00
BlackDex
0042c3e4a7
Update WebSocket Notifications
Previously the websocket notifications were using `app_id` as the
`ContextId`. This was incorrect and should have been the device_uuid
from the client device executing the request. The clients will ignore
the websocket request if the uuid matches. This also fixes some issues
with the Desktop client which is able to modify attachments within the
same screen and causes an issue when saving the attachment afterwards.

Also changed the way to handle removed attachments, since that causes an
error saving the vault cipher afterwards, complaining about a missing
attachment. Bitwarden ignores this, and continues with the remaining
attachments (if any). This also fixes #2591 .

Further some more websocket notifications have been added to some other
functions which enhance the user experience.

- Logout users when deauthed, changed password, rotated keys
- Trigger OrgSyncKeys on user confirm and removal
- Added some extra to the send feature

Also renamed UpdateTypes to match Bitwarden naming.
2023-01-09 19:11:27 +01:00
pjsier
724190f262
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:11:26 +01:00
BlackDex
6867d23ca2
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 19:11:26 +01:00
BlackDex
de26af0c2d
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 19:11:26 +01:00
Alex Martel
3f223a7514
Remove patched multer-rs 2023-01-09 19:11:25 +01:00
Daniel García
23f5a62d61
Merge branch 'jjlin-json-response' 2023-01-09 19:11:00 +01:00
Andrés Maldonado
81e2054f59
Percent-encode org_name in links
If org_name contains spaces, the generated link will not work in some email clients unless it is percent-encoded
2023-01-09 19:10:57 +01:00
BlackDex
f9337effa5
Optimize config loading messages
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.

But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.

- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
  here. I'm using a exit code 255 here so it is different to the other
  exit's we use.
- Exit on more issues, since if we continue, it could cause
  configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
  This makes it consistent with the info message for loading the env file.

Resolves #3090
2023-01-09 19:10:56 +01:00
BlackDex
2972904eb8
Update WebSocket Notifications
Previously the websocket notifications were using `app_id` as the
`ContextId`. This was incorrect and should have been the device_uuid
from the client device executing the request. The clients will ignore
the websocket request if the uuid matches. This also fixes some issues
with the Desktop client which is able to modify attachments within the
same screen and causes an issue when saving the attachment afterwards.

Also changed the way to handle removed attachments, since that causes an
error saving the vault cipher afterwards, complaining about a missing
attachment. Bitwarden ignores this, and continues with the remaining
attachments (if any). This also fixes #2591 .

Further some more websocket notifications have been added to some other
functions which enhance the user experience.

- Logout users when deauthed, changed password, rotated keys
- Trigger OrgSyncKeys on user confirm and removal
- Added some extra to the send feature

Also renamed UpdateTypes to match Bitwarden naming.
2023-01-09 19:10:56 +01:00
pjsier
bdd918b4d4
Log message to stderr if LOG_FILE is not writable
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2023-01-09 19:10:56 +01:00
BlackDex
88085fe17b
Validate YUBICO_SERVER string (#3003)
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.

This PR adds a check for this variable that it at least starts with `https://`.

Resolves #3003
2023-01-09 19:10:56 +01:00
BlackDex
2020a302d0
Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP.
  The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
  Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
  The `config` was always added, but only used at one page.
  Same goes for `can_backup` and `version`.
- Also inlined CSS.
  We can't remove the `unsafe-inline` from css, because that seems to
  break the web-vault currently. That might need some further checks.
  But for now the 404 page and all the admin pages are clear of inline scripts and styles.
2023-01-09 19:10:55 +01:00
Alex Martel
ab2dd0f300
Remove patched multer-rs 2023-01-09 19:10:55 +01:00
BlackDex
8e6fd4b4a1 Update dependencies and MSRV
- Updated dependencies.
  This includes a janked openssl crate version we currently use.
- Updated MSRV to v1.61.0 because hashbrown/cached has this version restriction.
2023-01-09 19:10:11 +01:00