vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 2cda54ceff9fbc2dae0d1d03962fc827e580359e
parent 525e6bb65a6926e0f9de3fc5dafd5c5b63981f9f
Author: BlackDex <black.dex@gmail.com>
Date:   Wed, 29 Mar 2023 15:43:58 +0200

Fix password reset issues

A wrong macro was used to produce an error message when mailing
the user that his password was reset failed. It was using `error!()` which
does not return an `Err` and aborts the rest of the code.

This resulted in the user's password still being reset, but not being
notified. This PR fixes this by using `err!()`. Also, do not set the
user object as mutable until it really is needed.

Second, when a user was using the new Argon2id KDF with custom values
like memory and parallelism, that would have rendered the password
incorrect. The endpoint which should return all the data did not
return all the new Argon2id values.

Fixes #3388

Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>

Diffstat:
M src/api/core/organizations.rs | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs @@ -2694,7 +2694,7 @@ async fn put_reset_password( None => err!("User to reset isn't member of required organization"), }; - let mut user = match User::find_by_uuid(&org_user.user_uuid, &mut conn).await { + let user = match User::find_by_uuid(&org_user.user_uuid, &mut conn).await { Some(user) => user, None => err!("User not found"), }; @@ -2711,11 +2711,12 @@ async fn put_reset_password( // Sending email before resetting password to ensure working email configuration and the resulting // user notification. Also this might add some protection against security flaws and misuse if let Err(e) = mail::send_admin_reset_password(&user.email, &user.name, &org.name).await { - error!("Error sending user reset password email: {:#?}", e); + err!(format!("Error sending user reset password email: {e:#?}")); } let reset_request = data.into_inner().data; + let mut user = user; user.set_password(reset_request.NewMasterPasswordHash.as_str(), Some(reset_request.Key), true, None); user.save(&mut conn).await?; @@ -2759,12 +2760,15 @@ async fn get_reset_password_details( check_reset_password_applicable_and_permissions(&org_id, &org_user_id, &headers, &mut conn).await?; + // https://github.com/bitwarden/server/blob/3b50ccb9f804efaacdc46bed5b60e5b28eddefcf/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs#L111 Ok(Json(json!({ "Object": "organizationUserResetPasswordDetails", "Kdf":user.client_kdf_type, "KdfIterations":user.client_kdf_iter, + "KdfMemory":user.client_kdf_memory, + "KdfParallelism":user.client_kdf_parallelism, "ResetPasswordKey":org_user.reset_password_key, - "EncryptedPrivateKey":org.private_key , + "EncryptedPrivateKey":org.private_key, }))) }
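Review bot: in the first hunk (`@@ -2694`), dropping `mut` from the `user` binding is correct given that nothing mutates `user` before the mail is sent, and it makes the borrow checker document that the lookup and the e-mail step are read-only; no further change needed here, but the rebinding that restores mutability lives in the next hunk, so a reviewer should read both hunks together to confirm the reset itself still compiles.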
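Review bot: in the second hunk (`@@ -2711`), the switch from `error!()` to `err!()` is the real fix, since `err!` returns early and `set_password`/`save` are no longer reached when the notification mail fails, but the new line `err!(format!("Error sending user reset password email: {e:#?}"));` puts the full `Debug` rendering of the mail error into the error returned to the API caller, which may expose SMTP host names, addresses or transport details to an organization admin; consider logging `e` with `error!` server-side and returning a fixed message such as "Error sending user reset password email" through `err!`. The `let mut user = user;` rebinding immediately before `user.set_password(...)` is fine and keeps the mutable scope as small as the commit message describes.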
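Review bot: in the third hunk (`@@ -2759`), adding `"KdfMemory"` and `"KdfParallelism"` from `user.client_kdf_memory` and `user.client_kdf_parallelism` matches the linked Bitwarden `OrganizationUserResponseModel`, but please confirm how those fields serialize for accounts still on PBKDF2, where they should come out as `null` rather than `0` or some default so the client does not try to apply Argon2id parameters to a PBKDF2 hash; the pinned upstream commit URL in the comment is good practice, and the removal of the stray space in `org.private_key ,` is a welcome cleanup.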