vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README
commit 8b5b06c3d1711ddcc194a80850f6a8b3fd0d6629
parent 5ee04e31e58165f726cecce672528968034643e1
Author: Shane Faulkner <contact@shanefaulkner.com>
Date:   Wed, 20 Feb 2019 14:44:35 -0600

Allow the Admin token to be disabled in the advanced menu

Diffstat:

M.env.template | 4++--


Msrc/api/admin.rs | 45+++++++++++++++++++++++++--------------------


Msrc/config.rs | 3+++


3 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/.env.template b/.env.template
@@ -69,6 +69,7 @@
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
 
 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
@@ -110,4 +111,4 @@
 # SMTP_PORT=587
 # SMTP_SSL=true
 # SMTP_USERNAME=username
-# SMTP_PASSWORD=password
-\ No newline at end of file
+# SMTP_PASSWORD=password
diff --git a/src/api/admin.rs b/src/api/admin.rs
@@ -15,7 +15,7 @@ use crate::mail;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
-    if CONFIG.admin_token().is_none() {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
         return routes![admin_disabled];
     }
 
@@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
     type Error = &'static str;
 
     fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let mut cookies = request.cookies();
-
-        let access_token = match cookies.get(COOKIE_NAME) {
-            Some(cookie) => cookie.value(),
-            None => return Outcome::Forward(()), // If there is no cookie, redirect to login
-        };
-
-        let ip = match request.guard::<ClientIp>() {
-            Outcome::Success(ip) => ip.ip,
-            _ => err_handler!("Error getting Client IP"),
-        };
-
-        if decode_admin(access_token).is_err() {
-            // Remove admin cookie
-            cookies.remove(Cookie::named(COOKIE_NAME));
-            error!("Invalid or expired admin JWT. IP: {}.", ip);
-            return Outcome::Forward(());
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
+        }
+        else {
+            let mut cookies = request.cookies();
+
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
+
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
+
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+
+            Outcome::Success(AdminToken {})
         }
-
-        Outcome::Success(AdminToken {})
     }
 }
diff --git a/src/config.rs b/src/config.rs
@@ -256,6 +256,9 @@ make_config! {
 
         /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
         enable_db_wal:          bool,   false,  def,    true;
+
+        /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+        disable_admin_token:    bool,   true,   def,    false;
     },
 
     /// Yubikey settings