Commit Graph

643 Commits

Author SHA1 Message Date
BlackDex
b0faaf2527
Several updates and fixes
- Removed all `thread::sleep` and use `tokio::time::sleep` now.
  This solves an issue with updating to Bullseye ( Resolves #1998 )
- Updated all Debian images to Bullseye
- Added MiMalloc feature and enabled it by default for Alpine based images
  This increases performance for the Alpine images because the default
  memory allocator for MUSL based binaries isn't that fast
- Updated `dotenv` to `dotenvy` a maintained and updated fork
- Fixed an issue with a newer jslib (not fully released yet)
  That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
BlackDex
c4d565b15b
Update login API code
- Updated jsonwebtoken to latest version
- Trim `username` received from the login form ( Fixes #2348 )
- Make uuid and user_uuid a combined primary key for the devices table ( Fixes #2295 )
- Updated crates including regex which contains a CVE ( https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html )
2022-03-12 18:45:45 +01:00
Daniel García
843f205f6f
Merge branch 'async-updates' of https://github.com/BlackDex/vaultwarden into BlackDex-async-updates 2022-02-27 21:50:33 +01:00
Daniel García
2ff51ae77e
formatting 2022-02-27 21:37:24 +01:00
Daniel García
2b75d81a8b
Ignore unused field 2022-02-27 21:37:24 +01:00
BlackDex
19b8388950
Upd Dockerfiles, crates. Fixed rust 2018 idioms
- Updated crates
- Fixed Dockerfiles to build using the rust stable version
- Enabled warnings for rust 2018 idioms and fixed them.
2022-02-27 21:37:23 +01:00
BlackDex
87e08b9e50
Async/Awaited all db methods
This is a rather large PR which updates the async branch to have all the
database methods as an async fn.

Some iter/map logic needed to be changed to a stream::iter().then(), but
besides that most changes were just adding async/await where needed.
2022-02-27 21:37:23 +01:00
Daniel García
0b7d6bf6df
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking 2022-02-27 21:36:31 +01:00
BlackDex
42136a7097
Favicon, SMTP and misc updates
Favicon:
- Replaced HTML tokenizer, much faster now.
- Caching the domain blacklist function.
- Almost all functions are async now.
- Fixed bug on minimizing data to parse
- Changed maximum icon download size to 5MB to match Bitwarden
- Added `apple-touch-icon.png` as a second fallback besides `favicon.ico`

SMTP:
- Deprecated SMTP_SSL and SMTP_EXPLICIT_TLS, replaced with SMTP_SECURITY

Misc:
- Fixed issue when `resolv.conf` contains errors and trust-dns panics (Fixes #2283)
- Updated Javscript and CSS files for admin interface
- Fixed an issue with the /admin interface which did not cleared the login cookie correctly
- Prevent websocket notifications during org import, this caused a lot of traffic, and slowed down the import.
  This is also the same as Bitwarden which does not trigger this refresh via websockets.

Rust:
- Updated to use v1.59
- Use the new `strip` option and enabled to strip `debuginfo`
- Enabled `lto` with `thin`
- Removed the strip RUN from the alpine armv7, this is now done automatically
2022-02-26 13:56:42 +01:00
Tomek Mańko
9713a3a555 Add IP address to missing/invalid password message for Sends 2022-02-13 13:13:42 +01:00
Daniel García
d781981bbd
formatting 2022-01-30 22:26:19 +01:00
Daniel García
5125fdb882
Ignore unused field 2022-01-30 22:26:19 +01:00
BlackDex
f38926d666
Upd Dockerfiles, crates. Fixed rust 2018 idioms
- Updated crates
- Fixed Dockerfiles to build using the rust stable version
- Enabled warnings for rust 2018 idioms and fixed them.
2022-01-30 22:26:18 +01:00
BlackDex
775d07e9a0
Async/Awaited all db methods
This is a rather large PR which updates the async branch to have all the
database methods as an async fn.

Some iter/map logic needed to be changed to a stream::iter().then(), but
besides that most changes were just adding async/await where needed.
2022-01-30 22:26:18 +01:00
Daniel García
2d5f172e77
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking 2022-01-30 22:25:54 +01:00
Jeremy Lin
7d552dbdc8 Increase length limit for email token generation
The current limit of 19 is an artifact of the implementation, which can be
easily rewritten in terms of a more general string generation function.
The new limit is 255 (max value of a `u8`); using a larger type would
probably be overkill.
2022-01-24 01:17:00 -08:00
Daniel García
bf6330374c
Merge branch 'api-key' of https://github.com/jjlin/vaultwarden into jjlin-api-key 2022-01-23 23:50:34 +01:00
Daniel García
ba9ad14fbb
Merge branch 'icons' of https://github.com/jjlin/vaultwarden into jjlin-icons 2022-01-23 23:43:24 +01:00
Daniel García
14e3dcad8e
Merge branch 'fix-emergency-invite-register' of https://github.com/BlackDex/vaultwarden into BlackDex-fix-emergency-invite-register 2022-01-23 23:42:35 +01:00
Daniel García
f4a9645b54
Remove references to "bwrs" #2195
Squashed commit of the following:

commit 1bdf1c7954e0731c95703d10118f3874ab5155d3
Merge: 8ba6e61 7257251
Author: Daniel García <dani-garcia@users.noreply.github.com>
Date:   Sun Jan 23 23:40:17 2022 +0100

    Merge branch 'remove-bwrs' of https://github.com/RealOrangeOne/vaultwarden into RealOrangeOne-remove-bwrs

commit 7257251ecf
Author: Jake Howard <git@theorangeone.net>
Date:   Thu Jan 6 17:48:18 2022 +0000

    Use `or_else` to save potentially unnecessary function call

commit 40ae81dd3c
Author: Jake Howard <git@theorangeone.net>
Date:   Wed Jan 5 21:18:24 2022 +0000

    Move $BWRS_VERSION fallback into build.rs

commit 743ef74b30
Author: Jake Howard <git@theorangeone.net>
Date:   Sat Jan 1 23:08:27 2022 +0000

    Revert "Add feature to enable use of `Option::or` in const context"

    This reverts commit fe8e043b8a.

    We want to run on stable soon, where these features are not supported

commit a1f0da638c
Author: Jake Howard <git@theorangeone.net>
Date:   Sat Jan 1 13:04:47 2022 +0000

    Rename web vault version file

    https://github.com/dani-garcia/bw_web_builds/pull/58

commit fe8e043b8a
Author: Jake Howard <git@theorangeone.net>
Date:   Sat Jan 1 12:56:44 2022 +0000

    Add feature to enable use of `Option::or` in const context

commit 687435c8b2
Author: Jake Howard <git@theorangeone.net>
Date:   Sat Jan 1 12:27:28 2022 +0000

    Continue to allow using `$BWRS_VERSION`

commit 8e2f708e50
Author: Jake Howard <git@theorangeone.net>
Date:   Fri Dec 31 11:41:34 2021 +0000

    Remove references to "bwrs"

    The only remaining one is getting the version of the web vault, which requires coordinating with the web vault patching.
2022-01-23 23:40:59 +01:00
Jeremy Lin
8f7900759f Fix scope and refresh_token for API key logins
API key logins use a scope of `api`, not `api offline_access`. Since
`offline_access` is not requested, no `refresh_token` is returned either.
2022-01-21 23:10:15 -08:00
Jeremy Lin
69ee4a70b4 Add support for API keys
This is mainly useful for CLI-based login automation.
2022-01-21 23:10:11 -08:00
Jeremy Lin
a16c656770 Add support for legacy HTTP 301/302 redirects for external icons
At least on Android, it seems the Bitwarden mobile client responds to
HTTP 307, but not to HTTP 308 for some reason.
2022-01-08 23:40:35 -08:00
BlackDex
76b7de15de
Fix emergency access invites for new users
If a new user gets invited it should check if the user is invited via
emergency access, if so, allow that user to register.
2022-01-07 18:55:48 +01:00
Daniel García
8ba6e61fd5
Merge pull request #2197 from BlackDex/issue-2196
Fix issue with Bitwarden CLI.
2022-01-02 23:47:40 +01:00
Daniel García
a30a1c9703
Merge pull request #2194 from BlackDex/issue-2154
Fixed issue #2154
2022-01-02 23:46:32 +01:00
BlackDex
bf5aefd129
Fix issue with Bitwarden CLI.
The CLI seems to send a String instead of an Integer for the maximum access count.
It now accepts both types and converts it to an i32 in all cases.

Fixes #2196
2021-12-31 15:59:58 +01:00
BlackDex
1fa178d1d3
Fixed issue #2154
For emergency access invitations we need to check if invites are
allowed, not if sign-ups are allowed.
2021-12-31 11:53:21 +01:00
Jeremy Lin
b7eedbcddc Add config option to set the HTTP redirect code for external icons
The default code is 307 (temporary) to make it easier to test different icon
services, but once a service has been decided on, users should ideally switch
to using permanent redirects for cacheability.
2021-12-30 23:06:52 -08:00
Jake Howard
4584cfe3c1
Additionally set expires header when caching responses
Browsers are rather smart, but also dumb. This uses the `Expires` header
alongside `cache-control` to better prompt the browser to actually
cache.

Unfortunately, firefox still tries to "race" its own cache, in an
attempt to respond to requests faster, so still ends up making a bunch
of requests which could have been cached. Doesn't appear there's any way
around this.
2021-12-28 16:24:47 +00:00
Daniel García
85ac9783f0
Merge branch 'ratelimit' into main 2021-12-27 21:55:15 +01:00
Daniel García
b89ffb2731
Merge pull request #2170 from BlackDex/issue-2136
Small changes to icon log messages.
2021-12-24 20:40:30 +01:00
BlackDex
2c94ea075c
Small changes to icon log messages.
As requested in #2136, some small changes on the type of log messages
and wording used.

Resolves #2136
2021-12-24 18:24:25 +01:00
BlackDex
4bd8eae07e
Fixed #2151 2021-12-24 17:59:12 +01:00
Daniel García
5529264c3f
Basic ratelimit for user login (including 2FA) and admin login 2021-12-22 21:48:49 +01:00
Jeremy Lin
2f9ac61a4e Add support for external icon services
If an external icon service is configured, icon requests return an HTTP
redirect to the corresponding icon at the external service.

An external service may be useful for various reasons, such as if:

* The Vaultwarden instance has no external network connectivity.
* The Vaultwarden instance has trouble handling large bursts of icon requests.
* There are concerns that an attacker may probe the instance to try to detect
  whether icons for certain sites have been cached, which would suggest that
  the instance contains entries for those sites.
* The external icon service does a better job of providing icons than the
  built-in fetcher.
2021-12-20 01:34:31 -08:00
BlackDex
e327583aa5
Enabled trust-dns and some updates.
- Enabled trust-dns feature which seems to help a bit when DNS is
causing long timeouts. Though in the blocking version it is less visible
then on the async branch.
- Updated crates
- Removed some redundant code
- Updated javascript/css libraries

Resolves #2118
Resolves #2119
2021-12-01 19:01:55 +01:00
BlackDex
c453528dc1
Macro recursion decrease and other optimizations
- Decreased `recursion_limit` from 512 to 87
  Mainly done by optimizing the config macro's.
  This fixes an issue with the rust-analyzer which doesn't go beyond 128
- Removed Regex for masking sensitive values and replaced it with a map()
  This is much faster then using a Regex.
- Refactored the get_support_json macro's
- All items above also lowered the binary size and possibly compile-time
- Removed `_conn: DbConn` from several functions, these caused unnecessary database connections for functions who didn't used that at all
- Decreased json response for `/plans`
- Updated libraries and where needed some code changes
  This also fixes some rare issues with SMTP https://github.com/lettre/lettre/issues/678
- Using Rust 2021 instead of 2018
- Updated rust nightly
2021-11-06 17:44:53 +01:00
Jeremy Lin
14408396bb Fix missing encrypted key after emergency access reject
Rejecting an emergency access request should transition the grantor/grantee
relationship back into the `Confirmed` state, and the grantor's encrypted key
should remain in escrow rather than being cleared, or else future emergency
access requsts from that grantee will fail.
2021-10-31 02:14:18 -07:00
Jeremy Lin
c476e19796 Add email notifications for incomplete 2FA logins
An incomplete 2FA login is one where the correct master password was provided,
but the 2FA token or action required to complete the login was not provided
within the configured time limit. This potentially indicates that the user's
master password has been compromised, but the login was blocked by 2FA.

Be aware that the 2FA step can usually still be completed after the email
notification has already been sent out, which could be confusing. Therefore,
the incomplete 2FA time limit should be long enough that this situation would
be unlikely. This feature can also be disabled entirely if desired.
2021-10-28 00:19:43 -07:00
Daniel García
9f393cfd9d
Formatting 2021-10-27 23:00:26 +02:00
Daniel García
97f9eb1320
Update dependencies 2021-10-24 21:50:26 +02:00
Jeremy Lin
cee3fd5ba2 Emergency Access cleanup
This commit contains mostly superficial user-facing cleanup, to be followed up
with more extensive cleanup and fixes in the API implementation.
2021-10-19 02:22:44 -07:00
Daniel García
4af81ec50e
Merge branch 'domdomegg/2fa-check-accepted' of https://github.com/domdomegg/vaultwarden into domdomegg-domdomegg/2fa-check-accepted 2021-10-18 21:13:50 +02:00
Adam Jones
4cebe1fff4
cargo fmt 2021-10-09 15:42:06 +01:00
Adam Jones
a984dbbdf3
2FA org policy: do not enforce on invited (not accepted) users 2021-10-09 13:54:30 +01:00
BlackDex
881524bd54
Added DbConn to /alive healthcheck
During a small discusson on Matrix it seems logical to have the /alive
endpoint also check if the database connection still works.

The reason for this was regarding a certificate which failed/expired
while vaultwarden and the database were still up-and-running, but
suddenly vaultwarden couldn't connect anymore.

With this `DbConn` added to `/alive`, it will be more accurate, because
of vaultwarden can't reach the database, it isn't alive.
2021-10-09 14:16:27 +02:00
Daniel García
a1c1b9ab3b
Merge branch 'mail-errors' of https://github.com/BlackDex/vaultwarden into BlackDex-mail-errors 2021-10-08 22:28:46 +02:00
BlackDex
338756550a
Fix error reporting in admin and some small fixes
- Fixed a bug in JavaScript which caused no messages to be shown to the
user in-case of an error send by the server.
- Changed mail error handling for better error messages
- Changed user/org actions from a to buttons, this should prevent
strange issues in-case of javascript issues and the page does re-load.
- Added Alpine and Debian info for the running docker image

During the mail error testing i encountered a bug which caused lettre to
panic. This panic only happens on debug builds and not release builds,
so no need to update anything on that part. This bug is also already
fixed. See https://github.com/lettre/lettre/issues/678 and https://github.com/lettre/lettre/pull/679

Resolves #2021
Could also fix the issue reported here #2022, or at least no hash `#` in
the url.
2021-10-08 00:01:24 +02:00
Adam Jones
d014eede9a
feature: Support single organization policy
This adds back-end support for the [single organization policy](https://bitwarden.com/help/article/policies/#single-organization).
2021-10-02 19:30:19 +02:00