vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README
commit 9876aedd6780c60c70c603e3bb329478bb0357ed
parent 19e671ff25bffa47424b5af44264c2c74c2cc84b
Author: sirux88 <sirux88@gmail.com>
Date:   Tue,  4 Jul 2023 18:57:49 +0200

added password check for manual reset
password enrollment endpoint

Diffstat:

Msrc/api/core/organizations.rs | 17+++++++++++++++--


1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -2668,6 +2668,7 @@ async fn delete_group_user(
 #[allow(non_snake_case)]
 struct OrganizationUserResetPasswordEnrollmentRequest {
     ResetPasswordKey: Option<String>,
+    MasterPasswordHash: Option<String>,
 }
 
 #[derive(Deserialize)]
@@ -2849,6 +2850,19 @@ async fn put_reset_password_enrollment(
         err!("Reset password can't be withdrawed due to an enterprise policy");
     }
 
+    let user = headers.user;
+
+    if reset_request.ResetPasswordKey.is_some() {
+        match reset_request.MasterPasswordHash {
+            Some(password) => {
+                if !user.check_valid_password(&password) {
+                    err!("Invalid or wrong password")
+                }
+            }
+            None => err!("No password provided"),
+        };
+    }
+
     org_user.reset_password_key = reset_request.ResetPasswordKey;
     org_user.save(&mut conn).await?;
 
@@ -2858,8 +2872,7 @@ async fn put_reset_password_enrollment(
         EventType::OrganizationUserResetPasswordWithdraw as i32
     };
 
-    log_event(log_id, org_user_id, org_id, headers.user.uuid.clone(), headers.device.atype, &headers.ip.ip, &mut conn)
-        .await;
+    log_event(log_id, org_user_id, org_id, user.uuid.clone(), headers.device.atype, &headers.ip.ip, &mut conn).await;
 
     Ok(())
 }