Commit Graph

1994 Commits

Author SHA1 Message Date
Jeremy Lin 4350e9d241 Update Debian base images to bullseye 2021-09-04 11:46:15 -07:00
Jeremy Lin 0cdc0cb147 Fix incorrect WebAuthn origin
This mainly affects users running Vaultwarden under a subpath.

Refs:

* https://github.com/kanidm/webauthn-rs/blob/b2cbb34/src/core.rs#L941-L948
* https://github.com/kanidm/webauthn-rs/blob/b2cbb34/src/core.rs#L316
* https://w3c.github.io/webauthn/#dictionary-client-data
2021-08-29 15:53:25 -07:00
BlackDex 20535065d7 Build Docker Hub images via Github Actions
Since docker hub stopped Autobuild, we need to switch to something else.
This will trigger building of images on Github Actions and pushes them
to Docker Hub.

You only need to add 3 secrets before you merge this PR to have it working directly.

- DOCKERHUB_USERNAME : The username of the account you are going to push the builds to
- DOCKERHUB_TOKEN : The token needed to login and push builds
- DOCKERHUB_REPO : The repo name in the following form `index.docker.io/<user>/<repo>`
  So for vaultwarden that would be `index.docker.io/vaultwarden/server`

Also some small modifications to the other workflows.
2021-08-28 17:29:13 +02:00
Daniel García a23f4a704b
Merge branch 'fabianthdev-fix/sends_notifications' into main 2021-08-22 22:17:00 +02:00
Daniel García 93f2f74767
Merge branch 'fix/sends_notifications' of https://github.com/fabianthdev/vaultwarden into fabianthdev-fix/sends_notifications 2021-08-22 22:16:50 +02:00
Daniel García 37ca202247
Merge branch 'mrckndt-fix-timezone-alpine-container' into main 2021-08-22 22:14:46 +02:00
Daniel García 37525b1e7e
Merge branch 'fix-timezone-alpine-container' of https://github.com/mrckndt/vaultwarden into mrckndt-fix-timezone-alpine-container 2021-08-22 22:14:38 +02:00
Daniel García d594b5a266
Merge branch 'jjlin-fix-attachment-sharing' into main 2021-08-22 22:14:14 +02:00
Daniel García 41add45e67
Merge branch 'fix-attachment-sharing' of https://github.com/jjlin/vaultwarden into jjlin-fix-attachment-sharing 2021-08-22 22:14:07 +02:00
Daniel García 08b168a0a1
Merge branch 'BlackDex-fix-1878' into main 2021-08-22 22:12:59 +02:00
Daniel García 978ef2bc8b
Merge branch 'fix-1878' of https://github.com/BlackDex/vaultwarden into BlackDex-fix-1878 2021-08-22 22:12:52 +02:00
BlackDex 881d1f4334 Fix wrong display of MFA email.
There was some wrong logic regarding the display of which email is
configured to be used for the email MFA. This is now fixed.

Resolves #1878
2021-08-19 09:25:34 +02:00
Jeremy Lin 56b4f46d7d Fix limitation on sharing ciphers with attachments
This check is several years old, so maybe there was a valid reason
for having it before, but it's not correct anymore.
2021-08-16 22:23:33 -07:00
Marco f6bd8b3462 Adding tzdata to container
To be able to set a timezone inside a container with the env variable TZ
the tzdata package is needed. Otherwise only UTC will be set.
2021-08-06 13:39:33 +02:00
Fabian Thies 1f0f64d961 Sort the imports in notifications.rs alphabetically 2021-08-04 16:56:43 +02:00
Fabian Thies 42ba817a4c Fix errors that occurred in the nightly build 2021-08-04 13:25:41 +02:00
Fabian Thies dd98fe860b Send create, update and delete notifications for `Send`s in the correct format.
Add endpoints to get all sends or a specific send by its uuid.
2021-08-03 17:39:38 +02:00
Daniel García 1fe9f101be
Merge branch 'jjlin-fix-org-attachment-uploads' into main 2021-07-25 19:08:44 +02:00
Daniel García c68fbb41d2
Merge branch 'fix-org-attachment-uploads' of https://github.com/jjlin/vaultwarden into jjlin-fix-org-attachment-uploads 2021-07-25 19:08:38 +02:00
Jeremy Lin 91e80657e4 Fix error with adding file attachment from org vault view 2021-08-18 20:54:36 -07:00
Daniel García 2db30f918e
Merge branch 'BlackDex-fix-sync-desktop-client' into main 2021-07-25 19:07:59 +02:00
Daniel García cfceac3909
Merge branch 'fix-sync-desktop-client' of https://github.com/BlackDex/vaultwarden into BlackDex-fix-sync-desktop-client 2021-07-25 19:07:51 +02:00
BlackDex 58b046fd10 Fix syncing with Bitwarden Desktop v1.28.0
Syncing with the latest desktop client (v1.28.0) fails because it expects some json key/values to be there.

This PR adds those key/value pairs.

Resolves #1924
2021-08-21 10:36:08 +02:00
Daniel García 227779256c
Merge branch 'BlackDex-dep-update' into main 2021-07-25 19:07:04 +02:00
BlackDex 89b5f7c98d Dependency updates
Updated several dependencies and switch to different totp library.

- Switch oath with totp-lite
  oauth hasn't been updated in a long while and some dependencies could not be updated any more
  It now also validates a preseeding 0, as the previous library returned an int instead of a str which stripped a leading 0
- Updated rust to the current latest nightly (including build image)
- Updated bootstrap css and js
- Updated hadolint to latest version
- Updated default rust image from v1.53 to v1.54
- Updated new nightly build/clippy messages
2021-08-22 13:46:48 +02:00
Daniel García c666497130
Update webvault to 2.21.1 2021-07-25 18:56:06 +02:00
Daniel García 2620a1ac8c
Merge pull request #1869 from BlackDex/webauthn-plus-updates
Fix WebAuthn issues and some small updates
2021-07-25 17:23:37 +02:00
BlackDex ffdcafa044 Fix WebAuthn issues and some small updates
- Updated some packages
- Updated code related to package updates.
- Disabled User Verification enforcement when WebAuthn Key sends UV=1
  This makes it compatible with upstream and resolves #1840
- Fixed a bug where removing an individual WebAuthn key deleted the wrong key.
2021-07-25 14:49:55 +02:00
Daniel García 56ffec40f4
Formatting 2021-07-15 21:52:17 +02:00
Daniel García 96c2416903
Merge branch 'BlackDex-future-web-vault' into main 2021-07-15 21:51:52 +02:00
Mathijs van Veluw 340d42a1ca
Merge branch 'main' into future-web-vault 2021-07-15 21:43:23 +02:00
Daniel García e19420160f
Simplify 2fa removed email and remove extra table close in the footer 2021-07-15 21:25:46 +02:00
Daniel García 1741316f42
Merge branch 'olivierIllogika-2fa_enforcement' into main 2021-07-15 19:27:45 +02:00
Daniel García 4f08167d6f
Merge branch '2fa_enforcement' of https://github.com/olivierIllogika/bitwarden_rs into olivierIllogika-2fa_enforcement 2021-07-15 19:27:36 +02:00
Daniel García fef76e2f6f
Merge branch 'BlackDex-attachment-storage' into main 2021-07-15 19:20:57 +02:00
Daniel García f16d56cb27
Merge branch 'attachment-storage' of https://github.com/BlackDex/vaultwarden into BlackDex-attachment-storage 2021-07-15 19:20:52 +02:00
Daniel García 120b286f2b
Merge branch 'umireon-umireon-add-edge-frame-ancestors' into main 2021-07-15 19:20:25 +02:00
Daniel García 7f437b6947
Merge branch 'umireon-add-edge-frame-ancestors' of https://github.com/umireon/vaultwarden into umireon-umireon-add-edge-frame-ancestors 2021-07-15 19:20:19 +02:00
Daniel García 8d6e62e18b
Merge branch 'jjlin-password-hints' into main 2021-07-15 19:18:30 +02:00
Daniel García d0ec410b73
Merge branch 'password-hints' of https://github.com/jjlin/vaultwarden into jjlin-password-hints 2021-07-15 19:18:22 +02:00
Daniel García c546a59c38
Dependency updates 2021-07-15 19:18:16 +02:00
Daniel García e5ec245626
Protect namedfile against path traversal, rocket only does it for pathbuf 2021-07-15 19:15:55 +02:00
BlackDex 6ea95d1ede Updated attachment limit descriptions
The user and org attachment limit use `size` as wording while it should
have been `storage` since it isn't per attachment, but the sum of all attachments.

- Changed the wording in the config/env
- Changed the wording of the error messages.

Resolves #1818
2021-07-13 15:17:03 +02:00
Jeremy Lin 88bea44dd8 Prevent user enumeration via password hints
When `show_password_hint` is enabled but mail is not configured, the previous
implementation returned a differentiable response for non-existent email
addresses.

Even if mail is enabled, there is a timing side channel since mail is sent
synchronously. Add a randomized sleep to mitigate this somewhat.
2021-07-10 01:21:27 -07:00
Jeremy Lin 8ee5d51bd4 Disable `show_password_hint` by default
A setting that provides unauthenticated access to potentially sensitive data
shouldn't be enabled by default.
2021-07-10 01:20:37 -07:00
Kaito Udagawa c640abbcd7
Update src/util.rs
Co-authored-by: William Desportes <williamdes@wdes.fr>
2021-07-08 02:55:58 +09:00
Kaito Udagawa 13598c098f Add links to browser extensions 2021-07-08 02:52:45 +09:00
Kaito Udagawa a622b4d2fb Add Edge's frame-ancestors
Edge's frame-ancestors are required for Edge extension to do WebAuthn.
2021-07-08 01:19:52 +09:00
BlackDex 403f35b571 Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.

- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.

Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.

During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.

- Increased Send Size limit to 500MB (with a litle overhead)

As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
Daniel García 3968bc8016
Merge pull request #1800 from BlackDex/pre-commit
Adding pre-commit config
2021-07-04 21:58:43 +02:00