MyFavMirrors/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-01-08 21:43:23 -05:00
Code Issues Packages Projects Releases Wiki Activity
1,452 Commits 3 Branches 67 Tags 40 MiB
ea57dc3bc9
Commit Graph

72 Commits

Author SHA1 Message Date
BlackDex
de86aa671e Fix Key Rotation during password change 
When ticking the 'Also rotate my account's encryption key' box, the key
rotated ciphers are posted after the change of password.

During the password change the security stamp was reseted which made
the posted key's return an invalid auth. This reset is needed to prevent other clients from still being able to read/write.

This fixes this by adding a new database column which stores a stamp exception which includes the allowed route and the current security stamp before it gets reseted.
When the security stamp check fails it will check if there is a stamp exception and tries to match the route and security stamp.

Currently it only allows for one exception. But if needed we could expand it by using a Vec<UserStampException> and change the functions accordingly.

fixes #1240
 2020-12-14 19:58:23 +01:00
Fabian van Steen
b41a0d840c
Correction of verify_email error message 2020-10-23 10:30:25 +02:00
BlackDex
c64560016e Add /api/accounts/verify-password endpoint 
If for some reason the hashed password is cleared from memory within a
bitwarden client it will try to verify the password at the server side.

This endpoint was missing.

Resolves #1156
 2020-09-25 18:26:48 +02:00
Daniel García
668d5c23dc
Removed try_trait and some formatting, particularly around imports 2020-07-14 18:34:22 +02:00
Jeremy Lin
a314933557 Allow email changes for existing accounts even when signups are disabled 2020-05-24 14:38:19 -07:00
theycallmesteve
5571a5d8ed
Update post_keys to return a keys response model 2020-05-08 13:38:49 -04:00
Jeremy Lin
c2a324e5da Clean up domain whitelist logic 
* Make `SIGNUPS_DOMAINS_WHITELIST` override the `SIGNUPS_ALLOWED` setting.
  Otherwise, a common pitfall is to set `SIGNUPS_DOMAINS_WHITELIST` without
  realizing that `SIGNUPS_ALLOWED=false` must also be set.

* Whitespace is now accepted in `SIGNUPS_DOMAINS_WHITELIST`. That is,
  `foo.com, bar.com` is now equivalent to `foo.com,bar.com`.

* Add validation on `SIGNUPS_DOMAINS_WHITELIST`. For example, `foo.com,`
  is rejected as containing an empty token.
 2020-04-09 01:42:27 -07:00
Daniel García
912e1f93b7
Fix some lints 2019-12-06 22:12:41 +01:00
tomuta
bd1e8be328 Implement change-email, email-verification, account-recovery, and welcome notifications 2019-11-24 22:28:49 -07:00
tomuta
64d6f72e6c Add the ability to disable signups, but allow signups from a whitelist 
This feature can be enabled by setting SIGNUPS_ALLOWED=false and
providing a comma-separated list of whitelisted domains in
SIGNUPS_DOMAINS_WHITELIST.

Fixes #727
 2019-11-16 15:01:45 -07:00
Miro Prasil
00a11b1b78 Stop leaking usernames when SIGNUPS_ALLOWED=false 
This fixes #691 - respond in less specific way to not leak the
fact that user is already registered on the server.
 2019-11-01 22:34:42 +00:00
Emil Madsen
e22e290f67 Fix key and type variable names for mysql 2019-05-20 21:24:29 +02:00
Daniel García
6027b969f5
Delete old devices when deauthorizing user sessions 2019-02-16 23:06:26 +01:00
Daniel García
86ed75bf7c
Config can now be serialized / deserialized 2019-02-06 17:34:29 +01:00
Daniel García
a1dc47b826
Change config to thread-safe system, needed for a future config panel. 
Improved some two factor methods.
 2019-01-25 18:24:57 +01:00
Daniel García
834c847746
Implement admin JWT cookie, separate JWT issuers for each type of token and migrate admin page to handlebars template 2019-01-19 21:41:49 +01:00
Daniel García
4309df8334
Only create invitations when SMTP is disabled, and ignore invitations if we have a token. 
Disallow users from accepting invitation twice
 2019-01-08 15:42:26 +01:00
Daniel García
5f49ecd7f3
Updated dependencies to use u2f crate directly, and some style changes 2019-01-04 00:25:38 +01:00
Daniel García
30e768613b
Start using rustfmt and some style changes to make some lines shorter 2018-12-30 23:34:31 +01:00
Daniel García
2bb0b15e04
Implemented better errors for JWT 2018-12-30 21:43:55 +01:00
Daniel García
250a2b340f
Use new Errors in latest changes 2018-12-30 21:43:55 +01:00
Daniel García
6a99849a1e
Implemented proper error handling, now we can do user.save($conn)?; and it works. 
In the future, maybe we can do the same with the `find_by_id` methods that return an Option.
 2018-12-30 21:31:12 +01:00
Nick Fox
2cd736ab81
Validate JWT if a user registers with SMTP invites enabled 2018-12-20 22:16:41 -05:00
Nick Fox
26bf7bc12f
Use upstream jslib invite/registration workflow 2018-12-18 23:16:03 -05:00
Nick Fox
9479108fb7
Remove CONFIG.email_invitations 2018-12-17 17:10:09 -05:00
Nick Fox
4910b14d57
Implement email invitations and registration workflow 2018-12-14 21:56:00 -05:00
Daniel García
94810c106a
Migrate to rust 2018 edition 2018-12-07 02:05:45 +01:00
Daniel García
f71f10eac6
Implemented key rotation with the latest vault 2018-11-24 23:00:41 +01:00
Daniel García
c673370103
Updated bw_rs to Rocket version 0.4-rc1 2018-11-01 19:25:09 +01:00
janost
e985221b50 User::save() should return QueryResult instead of bool 2018-10-14 19:33:12 +02:00
janost
64f6c60bfd Organization::save() and UserOrganization::save() should return QueryResult instead of bool 2018-10-14 16:04:23 +02:00
Miroslav Prasil
a28caa33ef Implement poor man's admin panel 2018-10-12 15:20:10 +01:00
Daniel García
7112c86471
Updated dependencies, removed valid mail check (now done by lettre), and updated global domains file 2018-10-04 00:01:04 +02:00
Daniel García
ebb66c374e
Implement KDF iterations change (Fixes #195) 2018-09-19 17:30:14 +02:00
Miroslav Prasil
f7951b44ba Add alias for DELETE call on accounts 2018-09-18 11:13:45 +01:00
Daniel García
b75ba216d1
Return default prelogin values when the user doesn't exist 2018-09-13 23:04:52 +02:00
Daniel García
8651df8c2a
Fixed some lint issues 2018-09-13 21:55:23 +02:00
Daniel García
3e1afb139c
Remove unnecessary return 2018-09-12 23:58:02 +02:00
Daniel García
1b20a25514
Merge pull request #173 from mprasil/poormans_invites 
Implement poor man's invitation via Organization invitation
 2018-09-11 16:48:56 +02:00
Miroslav Prasil
c1cd4d9a6b Modify User::new to be keyless and paswordless 2018-09-11 14:25:12 +01:00
Daniel García
b63693aefb
Merge pull request #137 from stammw/master 
SMTP implementation, along with password HINT email
 2018-09-11 14:58:09 +02:00
Miroslav Prasil
ec05f14f5a Implement poor man's invitation via Organization invitation 2018-09-11 13:09:59 +01:00
Jean-Christophe BEGUE
37d88be2be return an error when email adress for password hint is not valid 2018-09-11 13:12:24 +02:00
Jean-Christophe BEGUE
1c641d7635 Special messages when user has no password hint 2018-09-11 13:04:34 +02:00
Jean-Christophe BEGUE
e2ab2f7306 Save None instead of empty password hint 2018-09-11 13:00:59 +02:00
Daniel García
8d1ee859f2 Implemented basic support for prelogin and notification negotiation 2018-08-24 19:02:34 +02:00
Jean-Christophe BEGUE
9e63985b28 Check email validity before using it for password hint sending 2018-08-16 21:25:28 +02:00
Miroslav Prasil
12a2dc0901 Add PUT alias for profile update 2018-08-15 16:10:40 +01:00
Jean-Christophe BEGUE
d68f57cbba Fix password hint showing logic 2018-08-15 14:08:00 +02:00
Jean-Christophe BEGUE
812387e586 SMTP integration, send password hint by email. 2018-08-15 08:45:18 +02:00