
commit 9ecc98c3ccdb01c6c69765f543100256be5a12c1
parent 02fd68d63b0d1d82665b187098feb6d25caeb471
Author: Miroslav Prasil <miroslav@prasil.info>
Date:   Sun, 14 Oct 2018 23:25:16 +0100

Disable WebSockets negotiation by default

Diffstat:
MREADME.md | 13++++++++++++-
Msrc/api/notifications.rs | 14+++++++++-----
Msrc/main.rs | 2++
3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md @@ -212,12 +212,23 @@ docker run -d --name bitwarden \ *Important: This does not apply to the mobile clients, which use push notifications.* To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following: -- Route the `/notifications/hub` endpoint to the WebSocket server, by default at port `3012`, making sure to pass the `Connection` and `Upgrade` headers. +- Route the `/notifications/hub` endpoint to the WebSocket server, by default at port `3012`, making sure to pass the `Connection` and `Upgrade` headers. (Note the port can be changed with `WEBSOCKET_PORT` variable) - Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`. - If using Docker, you may need to map both ports with the `-p` flag Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file. +Then you need to enable WebSockets negotiation on the bitwarden_rs side by setting the `WEBSOCKET_ENABLED` variable to `true`: + +```sh +docker run -d --name bitwarden \ + -e WEBSOCKET_ENABLED=true \ + -v /bw-data/:/data/ \ + -p 80:80 \ + -p 3012:3012 \ + mprasil/bitwarden:latest +``` + Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port. ### Enabling U2F authentication diff --git a/src/api/notifications.rs b/src/api/notifications.rs @@ -1,5 +1,6 @@ use rocket::Route; use rocket_contrib::Json; +use serde_json::Value as JsonValue; use api::JsonResult; use auth::Headers; 
@@ -22,17 +23,20 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult { use data_encoding::BASE64URL; let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16])); + let mut available_transports: Vec<JsonValue> = Vec::new(); + + if CONFIG.websocket_enabled { + available_transports.push(json!({"transport":"WebSockets", "transferFormats":["Text","Binary"]})); + } // TODO: Implement transports // Rocket WS support: https://github.com/SergioBenitez/Rocket/issues/90 // Rocket SSE support: https://github.com/SergioBenitez/Rocket/issues/33 + // {"transport":"ServerSentEvents", "transferFormats":["Text"]}, + // {"transport":"LongPolling", "transferFormats":["Text","Binary"]} Ok(Json(json!({ "connectionId": conn_id, - "availableTransports":[ - {"transport":"WebSockets", "transferFormats":["Text","Binary"]}, - // {"transport":"ServerSentEvents", "transferFormats":["Text"]}, - // {"transport":"LongPolling", "transferFormats":["Text","Binary"]} - ] + "availableTransports": available_transports }))) } diff --git a/src/main.rs b/src/main.rs @@ -232,6 +232,7 @@ pub struct Config { web_vault_folder: String, web_vault_enabled: bool, + websocket_enabled: bool, websocket_url: String, local_icon_extractor: bool, @@ -269,6 +270,7 @@ impl Config { web_vault_folder: get_env_or("WEB_VAULT_FOLDER", "web-vault/".into()), web_vault_enabled: get_env_or("WEB_VAULT_ENABLED", true), + websocket_enabled: get_env_or("WEBSOCKET_ENABLED", false), websocket_url: format!("{}:{}", get_env_or("WEBSOCKET_ADDRESS", "0.0.0.0".to_string()), get_env_or("WEBSOCKET_PORT", 3012)), local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
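Review bot: In negotiate(), `CONFIG.websocket_enabled` only decides whether the WebSockets entry is pushed into `available_transports`; nothing in this diff ties the secondary WebSocket listener itself, whose bind address defaults to `0.0.0.0` through `WEBSOCKET_ADDRESS` in the main.rs hunk, to the same flag. If that listener is started unconditionally elsewhere in main.rs (not visible here), the default-off setting hides the transport from clients but leaves port 3012 open, so the flag should either also gate the listener start or the field should say so, e.g. `/// Gates only what /notifications/hub/negotiate advertises; does not stop the WebSocket listener.` on `websocket_enabled` in the `Config` struct hunk. The mutable `Vec::new()` plus conditional `push` could also be a single expression: `let available_transports: Vec<JsonValue> = if CONFIG.websocket_enabled { vec![json!({"transport":"WebSockets", "transferFormats":["Text","Binary"]})] } else { Vec::new() };`. negotiate()'s signature appears only in the hunk header and the lines before `use data_encoding::BASE64URL;` lie outside the hunk.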