Merge pull request #406 from shauder/feature/disable-admin-token

Allow the Admin token to be disabled in the advanced menu
2024-11-25 14:46:38 +00:00 · 2019-02-20 23:06:52 +01:00 · 2019-02-20 23:06:52 +01:00 · 5794969f5b
commit 5794969f5b
parent b50c27b619 8b5b06c3d1
3 changed files with 29 additions and 20 deletions
--- a/.env.template
+++ b/.env.template
@ -69,6 +69,7 @@
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false

 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
@ -110,4 +111,4 @@
 # SMTP_PORT=587
 # SMTP_SSL=true
 # SMTP_USERNAME=username
-# SMTP_PASSWORD=password
+# SMTP_PASSWORD=password
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -15,7 +15,7 @@ use crate::mail;
 use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
-    if CONFIG.admin_token().is_none() {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
        return routes![admin_disabled];
    }

@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
    type Error = &'static str;

    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let mut cookies = request.cookies();
-
-        let access_token = match cookies.get(COOKIE_NAME) {
-            Some(cookie) => cookie.value(),
-            None => return Outcome::Forward(()), // If there is no cookie, redirect to login
-        };
-
-        let ip = match request.guard::<ClientIp>() {
-            Outcome::Success(ip) => ip.ip,
-            _ => err_handler!("Error getting Client IP"),
-        };
-
-        if decode_admin(access_token).is_err() {
-            // Remove admin cookie
-            cookies.remove(Cookie::named(COOKIE_NAME));
-            error!("Invalid or expired admin JWT. IP: {}.", ip);
-            return Outcome::Forward(());
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
        }
+        else {
+            let mut cookies = request.cookies();

-        Outcome::Success(AdminToken {})
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
+
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
+
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+
+            Outcome::Success(AdminToken {})
+        }
    }
 }
--- a/src/config.rs
+++ b/src/config.rs
@ -269,6 +269,9 @@ make_config! {

        /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
        enable_db_wal:          bool,   false,  def,    true;
+
+        /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+        disable_admin_token:    bool,   true,   def,    false;
    },

    /// Yubikey settings