vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.

commit 5794969f5bfdf52fa1f8c098579d71cc87682f44
parent b50c27b61988cf3dfc01eb9fff75d3a00d41b445
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Wed, 20 Feb 2019 23:06:52 +0100

Merge pull request #406 from shauder/feature/disable-admin-token

Allow the Admin token to be disabled in the advanced menu
Diffstat:
M.env.template | 4++--
Msrc/api/admin.rs | 45+++++++++++++++++++++++++--------------------
Msrc/config.rs | 3+++
3 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/.env.template b/.env.template
@@ -69,6 +69,7 @@
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
@@ -110,4 +111,4 @@
 # SMTP_PORT=587
 # SMTP_SSL=true
 # SMTP_USERNAME=username
-# SMTP_PASSWORD=password
-\ No newline at end of file
+# SMTP_PASSWORD=password
diff --git a/src/api/admin.rs b/src/api/admin.rs
@@ -15,7 +15,7 @@
 use crate::mail;
 use crate::CONFIG;
 pub fn routes() -> Vec<Route> {
-    if CONFIG.admin_token().is_none() {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
         return routes![admin_disabled];
     }
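Review bot: With `DISABLE_ADMIN_TOKEN=true` the new condition on the `if` no longer returns `admin_disabled`, so `routes()` presumably mounts the full admin API, and the `AdminToken` guard in the second hunk of this file then succeeds without inspecting the request at all, leaving every `/admin` handler reachable with no authentication and no log line recording that state. Nothing in the server can verify that the promised external auth layer is actually in front of it, so a startup warning is the minimum: `if CONFIG.disable_admin_token() { warn!("ADMIN_TOKEN check is disabled; the admin panel is unauthenticated and must be protected by an external auth layer"); }` at the top of `routes()`, using the same log macro family as the `error!` call in the guard. An unset `ADMIN_TOKEN` combined with `DISABLE_ADMIN_TOKEN=true` now enables the panel, which contradicts the `.env.template` line 'If not set, the admin panel is disabled'; that comment should mention the new variable. The rest of `routes()` lies outside the hunk.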
@@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
     type Error = &'static str;
     fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let mut cookies = request.cookies();
-
-        let access_token = match cookies.get(COOKIE_NAME) {
-            Some(cookie) => cookie.value(),
-            None => return Outcome::Forward(()), // If there is no cookie, redirect to login
-        };
-
-        let ip = match request.guard::<ClientIp>() {
-            Outcome::Success(ip) => ip.ip,
-            _ => err_handler!("Error getting Client IP"),
-        };
-
-        if decode_admin(access_token).is_err() {
-            // Remove admin cookie
-            cookies.remove(Cookie::named(COOKIE_NAME));
-            error!("Invalid or expired admin JWT. IP: {}.", ip);
-            return Outcome::Forward(());
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
+        }
+        else {
+            let mut cookies = request.cookies();
+
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
+
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
+
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+
+            Outcome::Success(AdminToken {})
         }
-
-        Outcome::Success(AdminToken {})
     }
 }
diff --git a/src/config.rs b/src/config.rs
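Review bot: The `}` / `else {` split across two lines is not rustfmt layout, and wrapping the whole existing body in the `else` re-indents nineteen lines for what is really a guard clause. An early return keeps the change to two lines: `if CONFIG.disable_admin_token() { return Outcome::Success(AdminToken {}); }` placed before `let mut cookies = request.cookies();`, with the original body left untouched. The bypass branch also returns before the `ClientIp` guard runs, so when the token check is off nothing in this function records who reached the admin panel; a `warn!` with the client IP on that path would preserve the audit trail the JWT path keeps via `error!`. The enclosing `impl` begins before the hunk.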
@@ -269,6 +269,9 @@ make_config! {
     /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
     enable_db_wal: bool, false, def, true;
+
+    /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+    disable_admin_token: bool, true, def, false;
 },
 /// Yubikey settings
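Review bot: The doc comment on `disable_admin_token` says 'Know the risks!' without naming them; the text shown in the admin UI should state the consequence, e.g. `/// Disable Admin Token |> Makes the admin page reachable without any authentication; only enable it when an authenticating reverse proxy sits in front of this server`. The second positional value is `true` where `enable_db_wal` uses `false`; if that position is the editable flag, as the macro's other entries suggest, the option that removes authentication from the admin page can itself be toggled and persisted from the admin page, so a single compromised admin session could leave the panel permanently open — `false` there would keep it an environment-only setting. Which position carries which meaning is defined by `make_config!` outside this hunk.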