Commit graph

1078 commits

Author SHA1 Message Date
Stefan Melmuk
ed24d51d3e
validate cron expressions on startup 2022-10-26 21:42:36 +02:00
Stefan Melmuk
870f0d0932
validate billing_email on save 2022-10-26 21:42:36 +02:00
Daniel García
8409b31d6b
Update to diesel2 2022-10-23 00:49:23 +02:00
MFijak
21bc3bfd53 group support 2022-10-20 15:31:53 +02:00
Stefan Melmuk
64ae5d4f81
verify email on registration via invite link
if `SIGNUPS_VERIFY` is enabled new users that have been invited have
their onboarding flow interrupted because they have to first verify
their mail address before they can join an organization.

we can skip the extra verication of the email address when signing up
because a valid invitation token already means that the email address is
working and we don't allow invited users to signup with a different
address.

unfortunately, this is not possible with emergency access invitations
at the moment as they are handled differently.
2022-10-19 22:44:17 +02:00
Jeremy Lin
0c267d073f
Sync global_domains.json to bitwarden/server@ea300b2 (Amazon) 2022-10-19 12:33:04 -07:00
Stefan Melmuk
23f1f8a576
allow registration without invite link
if signups are allowed invited users should be able to complete their
registration even when they don't have the invite link at hand.
2022-10-19 20:39:14 +02:00
Stefan Melmuk
0e6f6e612a
use static_files() for email attachments
Apply suggestions from code review

Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
2022-10-19 20:39:13 +02:00
Stefan Melmuk
4d1b860dad
attach images to email
Set SMTP_EMBED_IMAGES option to false if you don't want to attach images
to the mail.

NOTE: If you have customized the template files `email_header.hbs` and
`email_footer.hbs` you can replace `{url}/vw_static/` to `{img_url}`
to support both URL schemes
2022-10-19 20:39:13 +02:00
Stefan Melmuk
6576914e55
fix invitations of new users when mail is disabled
If you add a new user that has already been Invited to another
organization they will be Accepted automatically. This should not be
possible because they cannot be Confirmed until they have completed
their registration. It is also not necessary because their invitation
will be accepted automatically once they register.
2022-10-19 20:39:07 +02:00
BlackDex
f41ba2a60f
Fix master password hint update not working.
- The Master Password Hint input has changed it's location to the
password update form. This PR updates the the code to process this.

- Also changed the `ProfileData` struct to exclude `Culture` and
`MasterPasswordHint`, since both are not used at all, and when not
defined they will also not be allocated.

Fixes #2833
2022-10-17 17:23:21 +02:00
Jeremy Lin
46ec11de12
Update CSP for DuckDuckGo email forwarding
Upstream PR: https://github.com/bitwarden/clients/pull/3630
2022-10-14 17:56:42 +02:00
Jeremy Lin
4283a49e0b
Reformat CSP header for readability 2022-10-14 17:56:42 +02:00
Jeremy Lin
1e32db8c41
Add CreationDate to cipher response JSON
Upstream PR: https://github.com/bitwarden/server/pull/2142
2022-10-14 17:56:42 +02:00
Stefan Melmuk
2dd5086916
more verbose permission denied error
be a bit more verbose about why a file could not be created when it is
caused by a permission denied error.
2022-10-12 01:31:10 +02:00
Stefan Melmuk
7532072d50
add check if data folder is a directory 2022-10-12 01:26:28 +02:00
Stefan Melmuk
ef4072e4ff
improve spelling of minimum expiration hours check
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2022-10-09 16:21:13 +02:00
Stefan Melmuk
c78d383ed1
make invitation expiration time configurable
configure the number of hours after which organization invites,
emergency access invites, email verification emails and account deletion
requests expire (defaults to 5 days or 120 hours and must be atleast 1)
2022-10-09 16:21:13 +02:00
Stefan Melmuk
5b96270874
return "Object" for consistency
Co-authored-by: Jeremy Lin <jjlin@users.noreply.github.com>
2022-10-09 16:21:12 +02:00
Stefan Melmuk
2c0742387b
return CaptchaBypassToken and register object 2022-10-09 16:21:12 +02:00
Stefan Melmuk
1704d14f29
v2022.9.2 expects a json response when registering 2022-10-09 16:21:12 +02:00
Stefan Melmuk
2d7ffbf378
allow the removal of non-confirmed owners
ensure user_to_edit and user_to_delete are actually confirmed users,
before checking if they are the last owner of an organization.
2022-10-09 16:21:11 +02:00
Stefan Melmuk
475c7b8f16
return more descriptive JWT validation messages 2022-10-09 13:55:22 +02:00
Daniel García
6fa6eb18e8
Remove unused value in config endpoint 2022-09-25 19:22:05 +02:00
BlackDex
da9fd6b7d0
Fix organization vault export
Since v2022.9.x it seems they changed the export endpoint and way of working.
This PR fixes this by adding the export endpoint.

Also, it looks like the clients can't handle uppercase first JSON key's.
Because of this there now is a function which converts all the key's to lowercase first.

I have an issue reported at Bitwarden if this is expected behavior: https://github.com/bitwarden/clients/issues/3606

Fixes #2760
Fixes #2764
2022-09-25 19:04:56 +02:00
BlackDex
9eabcd5cae
Add support for send v2 API endpoints
This PR adds support for the Send v2 API.
It should prevent 404 errors which could cause some issues with some
configurations on some reverse proxies.

In the long run, we can probably remove the old file upload API, but for
now lets leave it there, since Bitwarden also still has this endpoint in
the code.

Might fixes #2753
2022-09-25 19:04:48 +02:00
Aaron
d6e0d4cbbd
fix: update warning and success case verbiage 2022-09-25 19:04:48 +02:00
Aaron
e5e6db2688
fix: tooltip typo 2022-09-25 19:04:48 +02:00
Stefan Melmuk
102ee3f871
add api_not_found catcher for 404 errors in /api 2022-09-25 10:59:01 +02:00
Stefan Melmuk
acb5ab08a8
add not_found catcher for 404 errors 2022-09-25 04:02:16 +02:00
Daniel García
9c891baad1
Merge pull request #2739 from BlackDex/fix-restore-revoke
Rename/Fix revoke/restore endpoints
2022-09-12 17:12:23 +02:00
BlackDex
e47a2fd0f3
Rename/Fix revoke/restore endpoints
In web-vault v2022.9.x it seems the endpoints changed.
 - activate > restore
 - deactivate > revoke

This PR adds those endpoints and renames the functions.
It also keeps the previous endpoints for now to be compatible with
previous vault verions for now, just in case.
2022-09-12 16:08:36 +02:00
BlackDex
42b9cc73ac
Fix issue 2737, unable to create org
There was a small oversight on upgrading to v2022.9.0 web-vault version.
It seems the call to the /plans/ endpoint doesn't provide authentication anymore.

Removed this check and it seems to work again.

Fixes #2737
2022-09-12 14:10:54 +02:00
Daniel García
edca4248aa
Use optional env as this variable isn't defined during CI 2022-09-08 18:01:27 +02:00
Daniel García
818b254cef
Implement config endpoint 2022-09-08 17:38:00 +02:00
Daniel García
8b5c945bad
Merge branch 'web-vault-v2022.9-support' of https://github.com/BlackDex/vaultwarden into BlackDex-web-vault-v2022.9-support 2022-09-08 16:30:41 +02:00
BlackDex
94be67eac1
Added support for web-vault v2022.9
- The new web-vault version supports fastmail.com anon email, add the
  correct api host to support it.
- Removed Firefox Relay, this seems only to be supported on SaaS.
- Added a function to the two-factor api to prevent 404 errors.
2022-09-07 20:48:48 +02:00
BlackDex
5a05139efe
Change the handling of login errors.
Previously FlashMessage was used to provide an error message during login.
This PR changes that flow to not use redirect for this, but renders the HTML and responds using the correct status code where needed. This should solve some issues which were reported in the past.

Thanks to @RealOrangeOne, for initiating this with a PR.

Fixes #2448
Fixes #2712
Closes #2715

Co-authored-by: Jake Howard <git@theorangeone.net>
2022-09-06 17:27:20 +02:00
Daniel García
7598997deb
Merge branch 'org-user-revoke-access' of https://github.com/BlackDex/vaultwarden into BlackDex-org-user-revoke-access 2022-09-04 23:04:15 +02:00
BlackDex
1722742ab3
Add Org user revoke feature
This PR adds a the new v2022.8.x revoke feature which allows an
organization owner or admin to revoke access for one or more users.

This PR also fixes several permissions and policy checks which were faulty.

- Modified some functions to use DB Count features instead of iter/count aftwards.
- Rearanged some if statements (faster matching or just one if instead of nested if's)
- Added and fixed several policy checks where needed
- Some small updates on some response models
- Made some functions require an enum instead of an i32
2022-08-20 16:42:36 +02:00
Hagen Tasche
d9c0eb3cfc
Update two external Links to prevent tabnabbing
Added noopener to prevent tabnabbing
2022-08-17 08:14:19 +02:00
Hagen Tasche
0d990e1dc0
Open Externallink in new Tab
The link to the backup documentation was opened in the active tab.
With this change it will open in a new tab and prevent tabnabbing
2022-08-17 08:00:46 +02:00
BlackDex
abfa868423
Mitigate attachment/send upload issues
This PR attends to mitigate (not fix) #2644.
There seems to be an issue when uploading files either as attachment or
via send via the mobile (Android) client.

The binary data gets transfered correctly to Vaultwarden (Checked via
Wireshark), but the data is not parsed correctly for some reason.

Since the parsing is not done by Vaultwarden it self, i think we should
at least try to prevent saving the data and letting users think all
fine.

Further investigation is needed to actually fix this issue.
This is just a quick patch.
2022-07-27 17:12:04 +02:00
BlackDex
9a787dd105
Fix persistent folder check within containers
The previous persistent folder check worked by checking if a file
exists. If you used a bind-mount, then this file is not there. But when
using a docker/podman volume those files are copied, and caused the
container to not start.

This change checks the `/proc/self/mountinfo` for a specific patern to
see if the data folder is persistent or not.

Fixes #2622
2022-07-20 13:29:39 +02:00
BlackDex
0f95bdc9bb
Fix issue with CSP and icon redirects
When using anything else but the `internal` icon service it would
trigger an CSP block because the redirects were not allowed.

This PR fixes #2623 by dynamically adding the needed CSP strings.
This should also work with custom services.

For Google i needed to add an extra check because that does a redirect
it self to there gstatic.com domain.
2022-07-17 16:21:03 +02:00
Daniel García
c9376e3126
Remove read_file and read_file_string and replace them with the std alternatives 2022-07-15 19:13:26 +02:00
Daniel García
e167798449
Merge branch 'more-clippy-checks' of https://github.com/BlackDex/vaultwarden into BlackDex-more-clippy-checks 2022-07-15 19:05:54 +02:00
Daniel García
fc5928772b
Move around comments 2022-07-15 19:05:38 +02:00
BlackDex
55d7c48b1d
Add more clippy checks for better code/readability
A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 .
I added a few more clippy lints here, and fixed the resulted issues.

Overall i think this could help in preventing future issues, and maybe
even peformance problems. It also makes some code a bit more clear.

We could always add more if we want to, i left a few out which i think
arn't that huge of an issue. Some like the `unused_async` are nice,
which resulted in a few `async` removals.

Some others are maybe a bit more estatic, like `string_to_string`, but i
think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
2022-07-10 16:39:38 +02:00
Yip Rui Fung
bf623eed7f Use if let instead of a match with empty block. 2022-07-09 11:43:00 +08:00