vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 8867626de898bb8416ed8319806b1c220d57dcb1
parent f5916ec396329a1239641944ebcf2b9e42656179
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Tue,  4 Feb 2020 22:14:50 +0100

Add option to change invitation org name, fixes #825
Add option to allow additional iframe ancestors, fixes #843
Sort the rocket routes before printing them

Diffstat:
Msrc/api/admin.rs | 3+--
Msrc/config.rs | 8+++++++-
Msrc/util.rs | 8++++++--
3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/api/admin.rs b/src/api/admin.rs @@ -161,8 +161,7 @@ fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> Empt user.save(&conn)?; if CONFIG.mail_enabled() { - let org_name = "bitwarden_rs"; - mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None) + mail::send_invite(&user.email, &user.uuid, None, None, &CONFIG.invitation_org_name(), None) } else { let invitation = Invitation::new(data.email); invitation.save(&conn) diff --git a/src/config.rs b/src/config.rs @@ -271,6 +271,9 @@ make_config! { /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session admin_token: Pass, true, option; + + /// Invitation organization name |> Name shown in the invitation emails that don't come from a specific organization + invitation_org_name: String, true, def, "Bitwarden_RS".to_string(); }, /// Advanced settings @@ -299,7 +302,7 @@ make_config! { /// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid /// TOTP codes of the previous and next 30 seconds will be invalid. - authenticator_disable_time_drift: bool, true, def, false; + authenticator_disable_time_drift: bool, true, def, false; /// Require new device emails |> When a user logs in an email is required to be sent. /// If sending the email fails the login attempt will fail. @@ -323,6 +326,9 @@ make_config! { /// Bypass admin page security (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front disable_admin_token: bool, true, def, false; + + /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets + allowed_iframe_ancestors: String, true, def, String::new(); }, /// Yubikey settings diff --git a/src/util.rs b/src/util.rs @@ -7,6 +7,8 @@ use rocket::response::{self, Responder}; use rocket::{Data, Request, Response, Rocket}; use std::io::Cursor; +use crate::CONFIG; + pub struct AppHeaders(); impl Fairing for AppHeaders { @@ -23,7 +25,7 @@ impl Fairing for AppHeaders { res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-XSS-Protection", "1; mode=block"); - let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; + let csp = format!("frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* {};", CONFIG.allowed_iframe_ancestors()); res.set_raw_header("Content-Security-Policy", csp); // Disable cache unless otherwise specified @@ -131,7 +133,9 @@ impl Fairing for BetterLogging { fn on_launch(&self, rocket: &Rocket) { if self.0 { info!(target: "routes", "Routes loaded:"); - for route in rocket.routes() { + let mut routes: Vec<_> = rocket.routes().collect(); + routes.sort_by_key(|r| r.uri.path()); + for route in routes { if route.rank < 0 { info!(target: "routes", "{:<6} {}", route.method, route.uri); } else {