vaultwarden/src
Mathijs van Veluw f863ffb89a
Add Protected Actions Check (#4067)
Since the feature `Login with device` some actions done via the
web-vault need to be verified via an OTP instead of providing the MasterPassword.

This only happens if a user used the `Login with device` on a device
which uses either Biometrics login or PIN. These actions prevent the
athorizing device to send the MasterPasswordHash. When this happens, the
web-vault requests an OTP to be filled-in and this OTP is send to the
users email address which is the same as the email address to login.

The only way to bypass this is by logging in with the your password, in
those cases a password is requested instead of an OTP.

In case SMTP is not enabled, it will show an error message telling to
user to login using there password.

Fixes #4042
2023-11-12 22:15:44 +01:00
..
api Add Protected Actions Check (#4067) 2023-11-12 22:15:44 +01:00
db Add Protected Actions Check (#4067) 2023-11-12 22:15:44 +01:00
static Add Protected Actions Check (#4067) 2023-11-12 22:15:44 +01:00
auth.rs Allow Authorization header for Web Sockets 2023-08-31 12:35:20 +02:00
config.rs Add Protected Actions Check (#4067) 2023-11-12 22:15:44 +01:00
crypto.rs Remove get_random_64() 2022-11-13 10:03:06 +01:00
error.rs Cleanups and Fixes for Emergency Access 2022-12-04 23:17:48 +01:00
mail.rs Add Protected Actions Check (#4067) 2023-11-12 22:15:44 +01:00
main.rs tokio::signal::unix::SignalKind::hangup().as_raw_value() insted of 1 2023-10-21 17:14:03 +02:00
ratelimit.rs Basic ratelimit for user login (including 2FA) and admin login 2021-12-22 21:48:49 +01:00
util.rs Do not send extra headers for Upgrade connection 2023-10-09 20:11:20 +02:00