vividboarder
/
bitwarden_rs
mirror of https://github.com/ViViDboarder/bitwarden_rs.git
1
0
Fork 0
Code Issues Releases Wiki Activity
1,364 Commits 8 Branches 32 Tags 5 MiB
Commit Graph

72 Commits

Author SHA1 Message Date
BlackDex de86aa671e Fix Key Rotation during password change 
When ticking the 'Also rotate my account's encryption key' box, the key
rotated ciphers are posted after the change of password.

During the password change the security stamp was reseted which made
the posted key's return an invalid auth. This reset is needed to prevent other clients from still being able to read/write.

This fixes this by adding a new database column which stores a stamp exception which includes the allowed route and the current security stamp before it gets reseted.
When the security stamp check fails it will check if there is a stamp exception and tries to match the route and security stamp.

Currently it only allows for one exception. But if needed we could expand it by using a Vec<UserStampException> and change the functions accordingly.

fixes #1240
 2020-12-14 19:58:23 +01:00
Fabian van Steen b41a0d840c
Correction of verify_email error message 2020-10-23 10:30:25 +02:00
BlackDex c64560016e Add /api/accounts/verify-password endpoint 
If for some reason the hashed password is cleared from memory within a
bitwarden client it will try to verify the password at the server side.

This endpoint was missing.

Resolves #1156
 2020-09-25 18:26:48 +02:00
Daniel García 668d5c23dc
Removed try_trait and some formatting, particularly around imports 2020-07-14 18:34:22 +02:00
Jeremy Lin a314933557 Allow email changes for existing accounts even when signups are disabled 2020-05-24 14:38:19 -07:00
theycallmesteve 5571a5d8ed
Update post_keys to return a keys response model 2020-05-08 13:38:49 -04:00
Jeremy Lin c2a324e5da Clean up domain whitelist logic 
* Make `SIGNUPS_DOMAINS_WHITELIST` override the `SIGNUPS_ALLOWED` setting.
  Otherwise, a common pitfall is to set `SIGNUPS_DOMAINS_WHITELIST` without
  realizing that `SIGNUPS_ALLOWED=false` must also be set.

* Whitespace is now accepted in `SIGNUPS_DOMAINS_WHITELIST`. That is,
  `foo.com, bar.com` is now equivalent to `foo.com,bar.com`.

* Add validation on `SIGNUPS_DOMAINS_WHITELIST`. For example, `foo.com,`
  is rejected as containing an empty token.
 2020-04-09 01:42:27 -07:00
Daniel García 912e1f93b7
Fix some lints 2019-12-06 22:12:41 +01:00
tomuta bd1e8be328 Implement change-email, email-verification, account-recovery, and welcome notifications 2019-11-24 22:28:49 -07:00
tomuta 64d6f72e6c Add the ability to disable signups, but allow signups from a whitelist 
This feature can be enabled by setting SIGNUPS_ALLOWED=false and
providing a comma-separated list of whitelisted domains in
SIGNUPS_DOMAINS_WHITELIST.

Fixes #727
 2019-11-16 15:01:45 -07:00
Miro Prasil 00a11b1b78 Stop leaking usernames when SIGNUPS_ALLOWED=false 
This fixes #691 - respond in less specific way to not leak the
fact that user is already registered on the server.
 2019-11-01 22:34:42 +00:00
Emil Madsen e22e290f67 Fix key and type variable names for mysql 2019-05-20 21:24:29 +02:00
Daniel García 6027b969f5
Delete old devices when deauthorizing user sessions 2019-02-16 23:06:26 +01:00
Daniel García 86ed75bf7c
Config can now be serialized / deserialized 2019-02-06 17:34:29 +01:00
Daniel García a1dc47b826
Change config to thread-safe system, needed for a future config panel. 
Improved some two factor methods.
 2019-01-25 18:24:57 +01:00
Daniel García 834c847746
Implement admin JWT cookie, separate JWT issuers for each type of token and migrate admin page to handlebars template 2019-01-19 21:41:49 +01:00
Daniel García 4309df8334
Only create invitations when SMTP is disabled, and ignore invitations if we have a token. 
Disallow users from accepting invitation twice
 2019-01-08 15:42:26 +01:00
Daniel García 5f49ecd7f3
Updated dependencies to use u2f crate directly, and some style changes 2019-01-04 00:25:38 +01:00
Daniel García 30e768613b
Start using rustfmt and some style changes to make some lines shorter 2018-12-30 23:34:31 +01:00
Daniel García 2bb0b15e04
Implemented better errors for JWT 2018-12-30 21:43:55 +01:00
Daniel García 250a2b340f
Use new Errors in latest changes 2018-12-30 21:43:55 +01:00
Daniel García 6a99849a1e
Implemented proper error handling, now we can do `user.save($conn)?;` and it works. 
In the future, maybe we can do the same with the `find_by_id` methods that return an Option.
 2018-12-30 21:31:12 +01:00
Nick Fox 2cd736ab81
Validate JWT if a user registers with SMTP invites enabled 2018-12-20 22:16:41 -05:00
Nick Fox 26bf7bc12f
Use upstream jslib invite/registration workflow 2018-12-18 23:16:03 -05:00
Nick Fox 9479108fb7
Remove CONFIG.email_invitations 2018-12-17 17:10:09 -05:00
Nick Fox 4910b14d57
Implement email invitations and registration workflow 2018-12-14 21:56:00 -05:00
Daniel García 94810c106a
Migrate to rust 2018 edition 2018-12-07 02:05:45 +01:00
Daniel García f71f10eac6
Implemented key rotation with the latest vault 2018-11-24 23:00:41 +01:00
Daniel García c673370103
Updated bw_rs to Rocket version 0.4-rc1 2018-11-01 19:25:09 +01:00
janost e985221b50 User::save() should return QueryResult instead of bool 2018-10-14 19:33:12 +02:00
janost 64f6c60bfd Organization::save() and UserOrganization::save() should return QueryResult instead of bool 2018-10-14 16:04:23 +02:00
Miroslav Prasil a28caa33ef Implement poor man's admin panel 2018-10-12 15:20:10 +01:00
Daniel García 7112c86471
Updated dependencies, removed valid mail check (now done by lettre), and updated global domains file 2018-10-04 00:01:04 +02:00
Daniel García ebb66c374e
Implement KDF iterations change (Fixes #195) 2018-09-19 17:30:14 +02:00
Miroslav Prasil f7951b44ba Add alias for DELETE call on accounts 2018-09-18 11:13:45 +01:00
Daniel García b75ba216d1
Return default prelogin values when the user doesn't exist 2018-09-13 23:04:52 +02:00
Daniel García 8651df8c2a
Fixed some lint issues 2018-09-13 21:55:23 +02:00
Daniel García 3e1afb139c
Remove unnecessary return 2018-09-12 23:58:02 +02:00
Daniel García 1b20a25514
Merge pull request #173 from mprasil/poormans_invites 
Implement poor man's invitation via Organization invitation
 2018-09-11 16:48:56 +02:00
Miroslav Prasil c1cd4d9a6b Modify User::new to be keyless and paswordless 2018-09-11 14:25:12 +01:00
Daniel García b63693aefb
Merge pull request #137 from stammw/master 
SMTP implementation, along with password HINT email
 2018-09-11 14:58:09 +02:00
Miroslav Prasil ec05f14f5a Implement poor man's invitation via Organization invitation 2018-09-11 13:09:59 +01:00
Jean-Christophe BEGUE 37d88be2be return an error when email adress for password hint is not valid 2018-09-11 13:12:24 +02:00
Jean-Christophe BEGUE 1c641d7635 Special messages when user has no password hint 2018-09-11 13:04:34 +02:00
Jean-Christophe BEGUE e2ab2f7306 Save None instead of empty password hint 2018-09-11 13:00:59 +02:00
Daniel García 8d1ee859f2 Implemented basic support for prelogin and notification negotiation 2018-08-24 19:02:34 +02:00
Jean-Christophe BEGUE 9e63985b28 Check email validity before using it for password hint sending 2018-08-16 21:25:28 +02:00
Miroslav Prasil 12a2dc0901 Add PUT alias for profile update 2018-08-15 16:10:40 +01:00
Jean-Christophe BEGUE d68f57cbba Fix password hint showing logic 2018-08-15 14:08:00 +02:00
Jean-Christophe BEGUE 812387e586 SMTP integration, send password hint by email. 2018-08-15 08:45:18 +02:00