commit 6fd4044fa6ff4169d514125ec96df8404a5e0f82
parent 3dae594e30d1de8fa270f4d58142d6c05d88e455
Author: Zack Newman <zack@philomathiclife.com>
Date: Wed, 13 Dec 2023 16:30:07 -0700
merge upstream
Diffstat:
6 files changed, 84 insertions(+), 44 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+/.github @dani-garcia @BlackDex
+/.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/workflows/** @dani-garcia @BlackDex
diff --git a/.github/workflows/releasecache-cleanup.yml b/.github/workflows/releasecache-cleanup.yml
@@ -0,0 +1,25 @@
+on:
+ workflow_dispatch:
+ inputs:
+ manual_trigger:
+ description: "Manual trigger buildcache cleanup"
+ required: false
+ default: ""
+
+ schedule:
+ - cron: '0 1 * * FRI'
+
+name: Cleanup
+jobs:
+ releasecache-cleanup:
+ name: Releasecache Cleanup
+ runs-on: ubuntu-22.04
+ timeout-minutes: 30
+ steps:
+ - name: Delete vaultwarden-buildcache containers
+ uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4.1.1
+ with:
+ package-name: 'vaultwarden-buildcache'
+ package-type: 'container'
+ min-versions-to-keep: 0
+ delete-only-untagged-versions: 'false'
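Review bot: The job declares no `permissions:` block, so it runs with whatever default `GITHUB_TOKEN` scope the repository or organisation grants; deleting package versions needs `packages: write`, and declaring that at the job level both documents the requirement and limits the token to the single scope the job uses, e.g. `permissions:` / `  packages: write` directly under `releasecache-cleanup:`. The `manual_trigger` input is declared but not referenced by any step, so it could be dropped or its purpose stated in the description. With `min-versions-to-keep: 0` and `delete-only-untagged-versions: 'false'` every version of the package, tagged ones included, is removed on each scheduled run; a one-line comment confirming that this is intended for a throwaway build cache would help the next reader.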
diff --git a/src/api/core/emergency_access.rs b/src/api/core/emergency_access.rs
@@ -12,6 +12,7 @@ pub fn routes() -> Vec<Route> {
get_emergency_access,
post_emergency_access,
put_emergency_access,
+ post_emergency_access,
delete_emergency_access,
post_delete_emergency_access,
send_invite,
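Review bot: The `routes![]` list now names `post_emergency_access` twice — once on the unchanged line two above the addition and once on the added line — so the merge appears to have kept both the fork's and upstream's placement of the same route. Rocket treats two routes that match the same request as a collision, which I believe is reported at launch rather than silently ignored, so one of the two entries should go; the simplest fix is to drop the added `post_emergency_access,` line. The enclosing `routes()` function starts and ends outside the hunk.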
diff --git a/src/api/identity.rs b/src/api/identity.rs
@@ -6,10 +6,7 @@ use crate::{
auth::{generate_organization_api_key_login_claims, ClientHeaders, ClientIp},
config,
db::{
- models::{
- AuthRequest, Device, OrganizationApiKey, TwoFactor, TwoFactorType, User,
- UserOrganization,
- },
+ models::{AuthRequest, Device, OrganizationApiKey, TwoFactor, TwoFactorType, User},
DbConn,
},
error::MapResult,
@@ -71,8 +68,13 @@ async fn _refresh_login(data: ConnectData, conn: &DbConn) -> JsonResult {
let scope_vec = vec!["api".into(), "offline_access".into()];
// Common
let user = User::find_by_uuid(&device.user_uuid, conn).await.unwrap();
- let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
- let (access_token, expires_in) = device.refresh_tokens(&user, &orgs, scope_vec);
+ // ---
+ // Disabled this variable, it was used to generate the JWT
+ // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
+ let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
device.save(conn).await?;
let result = json!({
"access_token": access_token,
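Review bot: The commented-out `// let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;` cannot be restored by uncommenting, because the first hunk of this file removes `UserOrganization` from the `use crate::db::models` list; keeping dead code in comments also repeats the same five-line banner in three functions (here, in `_password_login` and in `_user_api_key_login`). Version control already preserves the removed call, so a single short comment such as `// Org membership is no longer embedded in the JWT; see vaultwarden issue 4156` carries the same information. The `// Common` comment added in `_password_login` no longer labels a shared section now that the org lookup is gone. `_refresh_login` starts and ends outside the hunk.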
@@ -155,8 +157,14 @@ async fn _password_login(
}
let (mut device, _) = get_device(&data, conn, &user).await;
let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, ip, conn).await?;
- let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
- let (access_token, expires_in) = device.refresh_tokens(&user, &orgs, scope_vec);
+ // Common
+ // ---
+ // Disabled this variable, it was used to generate the JWT
+ // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
+ let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
device.save(conn).await?;
let mut result = json!({
"access_token": access_token,
@@ -231,8 +239,13 @@ async fn _user_api_key_login(
}
let (mut device, _) = get_device(&data, conn, &user).await;
let scope_vec = vec!["api".into()];
- let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
- let (access_token, expires_in) = device.refresh_tokens(&user, &orgs, scope_vec);
+ // ---
+ // Disabled this variable, it was used to generate the JWT
+ // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
+ let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec);
device.save(conn).await?;
info!(
"User {} logged in successfully via API key. IP: {}",
diff --git a/src/auth.rs b/src/auth.rs
@@ -265,10 +265,16 @@ pub struct LoginJwtClaims {
pub name: String,
pub email: String,
pub email_verified: bool,
- pub orgowner: Vec<String>,
- pub orgadmin: Vec<String>,
- pub orguser: Vec<String>,
- pub orgmanager: Vec<String>,
+ // ---
+ // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+ // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+ // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // pub orgowner: Vec<String>,
+ // pub orgadmin: Vec<String>,
+ // pub orguser: Vec<String>,
+ // pub orgmanager: Vec<String>,
// user security_stamp
pub sstamp: String,
// device uuid
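Review bot: `LoginJwtClaims` keeps the four removed fields as commented-out declarations under a five-line banner, and the same banner recurs twice in `Device::refresh_tokens` in `src/db/models/device.rs`; since the fields and their construction were removed together, a one-line note on the struct such as `// orgowner/orgadmin/orguser/orgmanager were dropped to keep the JWT small; see issue 4156` is enough, with git history holding the old definition. The phrase "Also These key/value pairs" should read "Also, these key/value pairs". The struct definition starts before and continues after the hunk.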
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
@@ -43,12 +43,7 @@ impl Device {
self.twofactor_remember = None;
}
- pub fn refresh_tokens(
- &mut self,
- user: &super::User,
- orgs: &[super::UserOrganization],
- scope: Vec<String>,
- ) -> (String, i64) {
+ pub fn refresh_tokens(&mut self, user: &super::User, scope: Vec<String>) -> (String, i64) {
// If there is no refresh token, we create one
if self.refresh_token.is_empty() {
use data_encoding::BASE64URL;
@@ -57,26 +52,17 @@ impl Device {
// Update the expiration of the device and the last update date
let time_now = Utc::now().naive_utc();
self.updated_at = time_now;
- let orgowner: Vec<_> = orgs
- .iter()
- .filter(|o| o.atype == 0i32)
- .map(|o| o.org_uuid.clone())
- .collect();
- let orgadmin: Vec<_> = orgs
- .iter()
- .filter(|o| o.atype == 1i32)
- .map(|o| o.org_uuid.clone())
- .collect();
- let orguser: Vec<_> = orgs
- .iter()
- .filter(|o| o.atype == 2i32)
- .map(|o| o.org_uuid.clone())
- .collect();
- let orgmanager: Vec<_> = orgs
- .iter()
- .filter(|o| o.atype == 3i32)
- .map(|o| o.org_uuid.clone())
- .collect();
+ // ---
+ // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+ // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+ // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+ // ---
+ // fn arg: orgs: Vec<super::UserOrganization>,
+ // ---
+ // let orgowner: Vec<_> = orgs.iter().filter(|o| o.atype == 0).map(|o| o.org_uuid.clone()).collect();
+ // let orgadmin: Vec<_> = orgs.iter().filter(|o| o.atype == 1).map(|o| o.org_uuid.clone()).collect();
+ // let orguser: Vec<_> = orgs.iter().filter(|o| o.atype == 2).map(|o| o.org_uuid.clone()).collect();
+ // let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();
// Create the JWT claims struct, to send to the client
use crate::auth::{self, encode_jwt, LoginJwtClaims};
let claims = LoginJwtClaims {
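Review bot: The comment `// fn arg: orgs: Vec<super::UserOrganization>,` does not match the parameter the same commit removes, `orgs: &[super::UserOrganization]`, and the commented-out filters compare against `0`..`3` where the removed code used `0i32`..`3i32`; if the text is kept to ease re-enabling the claims later it should reproduce the old code exactly, otherwise it is better replaced by a pointer to the commit that removed it. This banner is also the only one of the three in the commit that omits the `See:` issue link, so a reader of this file alone has no reference for why the claims were dropped. `refresh_tokens` continues past the end of the hunk.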
@@ -90,10 +76,16 @@ impl Device {
name: user.name.clone(),
email: user.email.clone(),
email_verified: true,
- orgowner,
- orgadmin,
- orguser,
- orgmanager,
+ // ---
+ // Disabled these keys to be added to the JWT since they could cause the JWT to get too large
+ // Also These key/value pairs are not used anywhere by either Vaultwarden or Bitwarden Clients
+ // Because these might get used in the future, and they are added by the Bitwarden Server, lets keep it, but then commented out
+ // See: https://github.com/dani-garcia/vaultwarden/issues/4156
+ // ---
+ // orgowner,
+ // orgadmin,
+ // orguser,
+ // orgmanager,
sstamp: user.security_stamp.clone(),
device: self.uuid.clone(),
scope,