vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 5a9aab1a3217ee00b94a0c22f292da56dfd697e6
parent a335bcd682cf3141118288018090fcd2d055ce2a
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Sun, 16 Dec 2018 20:00:16 +0100

Implement fromform, and ignore case and underscores, fixes #298

Diffstat:
Msrc/api/identity.rs | 102+++++++++++++++++++++++++++++++++++++++++++------------------------------------
1 file changed, 56 insertions(+), 46 deletions(-)

diff --git a/src/api/identity.rs b/src/api/identity.rs @@ -1,4 +1,4 @@ -use rocket::request::LenientForm; +use rocket::request::{Form, FormItems, FromForm}; use rocket::Route; use rocket_contrib::json::Json; @@ -22,13 +22,27 @@ pub fn routes() -> Vec<Route> { } #[post("/connect/token", data = "<data>")] -fn login(data: LenientForm<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult { +fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult { let data: ConnectData = data.into_inner(); - validate_data(&data)?; - match data.grant_type { - GrantType::refresh_token => _refresh_login(data, conn), - GrantType::password => _password_login(data, conn, ip), + match data.grant_type.as_ref() { + "refresh_token" => { + _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?; + _refresh_login(data, conn) + } + "password" => { + _check_is_some(&data.client_id, "client_id cannot be blank")?; + _check_is_some(&data.password, "password cannot be blank")?; + _check_is_some(&data.scope, "scope cannot be blank")?; + _check_is_some(&data.username, "username cannot be blank")?; + + _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?; + _check_is_some(&data.device_name, "device_name cannot be blank")?; + _check_is_some(&data.device_type, "device_type cannot be blank")?; + + _password_login(data, conn, ip) + } + t => err!("Invalid type", t), } } @@ -86,9 +100,10 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult )) } + // On iOS, device_type sends "iOS", on others it sends a number let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0); - let device_id = data.device_identifier.clone().unwrap_or_else(crate::util::get_uuid); - let device_name = data.device_name.clone().unwrap_or("unknown_device".into()); + let device_id = data.device_identifier.clone().expect("No device id provided"); + let device_name = data.device_name.clone().expect("No device name provided"); // Find device or create new let mut device = match Device::find_by_uuid(&device_id, &conn) { @@ -101,7 +116,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult device } } - None => Device::new(device_id, user.uuid.clone(), device_name, device_type) + None => Device::new(device_id, user.uuid.clone(), device_name, device_type), }; let twofactor_token = twofactor_auth(&user.uuid, &data.clone(), &mut device, &conn)?; @@ -133,12 +148,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult Ok(Json(result)) } -fn twofactor_auth( - user_uuid: &str, - data: &ConnectData, - device: &mut Device, - conn: &DbConn, -) -> ApiResult<Option<String>> { +fn twofactor_auth(user_uuid: &str, data: &ConnectData, device: &mut Device, conn: &DbConn) -> ApiResult<Option<String>> { let twofactors_raw = TwoFactor::find_by_user(user_uuid, conn); // Remove u2f challenge twofactors (impl detail) let twofactors: Vec<_> = twofactors_raw.iter().filter(|tf| tf.type_ < 1000).collect(); @@ -230,13 +240,9 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api let mut challenge_map = JsonMap::new(); challenge_map.insert("appId".into(), Value::String(request.app_id.clone())); - challenge_map - .insert("challenge".into(), Value::String(request.challenge.clone())); + challenge_map.insert("challenge".into(), Value::String(request.challenge.clone())); challenge_map.insert("version".into(), Value::String(key.version)); - challenge_map.insert( - "keyHandle".into(), - Value::String(key.key_handle.unwrap_or_default()), - ); + challenge_map.insert("keyHandle".into(), Value::String(key.key_handle.unwrap_or_default())); challenge_list.push(Value::Object(challenge_map)); } @@ -269,10 +275,10 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api Ok(result) } -#[derive(FromForm, Debug, Clone)] +#[derive(Debug, Clone, Default)] #[allow(non_snake_case)] struct ConnectData { - grant_type: GrantType, + grant_type: String, // refresh_token, password // Needed for grant_type="refresh_token" refresh_token: Option<String>, @@ -283,40 +289,44 @@ struct ConnectData { scope: Option<String>, username: Option<String>, - #[form(field = "deviceIdentifier")] device_identifier: Option<String>, - #[form(field = "deviceName")] device_name: Option<String>, - #[form(field = "deviceType")] device_type: Option<String>, // Needed for two-factor auth - #[form(field = "twoFactorProvider")] two_factor_provider: Option<i32>, - #[form(field = "twoFactorToken")] two_factor_token: Option<String>, - #[form(field = "twoFactorRemember")] two_factor_remember: Option<i32>, } -#[derive(FromFormValue, Debug, Clone, Copy)] -#[allow(non_camel_case_types)] -enum GrantType { - refresh_token, - password, -} - -fn validate_data(data: &ConnectData) -> EmptyResult { - match data.grant_type { - GrantType::refresh_token => { - _check_is_some(&data.refresh_token, "refresh_token cannot be blank") - } - GrantType::password => { - _check_is_some(&data.client_id, "client_id cannot be blank")?; - _check_is_some(&data.password, "password cannot be blank")?; - _check_is_some(&data.scope, "scope cannot be blank")?; - _check_is_some(&data.username, "username cannot be blank") +impl<'f> FromForm<'f> for ConnectData { + type Error = String; + + fn from_form(items: &mut FormItems<'f>, _strict: bool) -> Result<Self, Self::Error> { + let mut form = Self::default(); + for item in items { + let (key, value) = item.key_value_decoded(); + let mut normalized_key = key.to_lowercase(); + normalized_key.retain(|c| c != '_'); // Remove '_' + + match normalized_key.as_ref() { + "granttype" => form.grant_type = value, + "refreshtoken" => form.refresh_token = Some(value), + "clientid" => form.client_id = Some(value), + "password" => form.password = Some(value), + "scope" => form.scope = Some(value), + "username" => form.username = Some(value), + "deviceidentifier" => form.device_identifier = Some(value), + "devicename" => form.device_name = Some(value), + "devicetype" => form.device_type = Some(value), + "twofactorprovider" => form.two_factor_provider = value.parse().ok(), + "twofactortoken" => form.two_factor_token = Some(value), + "twofactorremember" => form.two_factor_remember = value.parse().ok(), + key => warn!("Detected unexpected parameter during login: {}", key), + } } + + Ok(form) } }