vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit b60a4a68c7858f54b1d49678c6314473ab873d21
parent d0b53a6a3de61d3352afb8fb11c97e29cefa454a
Author: BlackDex <black.dex@gmail.com>
Date:   Sun, 18 Dec 2022 17:57:35 +0100

Fix a panic during Yubikey register/login

The yubico crate uses blocking reqwest, and we called the `verify` from
a async thread. To prevent issues we need to wrap it within a
`spawn_blocking`.

Diffstat:
Msrc/api/core/two_factor/yubikey.rs | 14++++++++------
Msrc/api/identity.rs | 2+-
2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/api/core/two_factor/yubikey.rs b/src/api/core/two_factor/yubikey.rs @@ -67,14 +67,16 @@ fn get_yubico_credentials() -> Result<(String, String), Error> { } } -fn verify_yubikey_otp(otp: String) -> EmptyResult { +async fn verify_yubikey_otp(otp: String) -> EmptyResult { let (yubico_id, yubico_secret) = get_yubico_credentials()?; let config = Config::default().set_client_id(yubico_id).set_key(yubico_secret); match CONFIG.yubico_server() { - Some(server) => verify(otp, config.set_api_hosts(vec![server])), - None => verify(otp, config), + Some(server) => { + tokio::task::spawn_blocking(move || verify(otp, config.set_api_hosts(vec![server]))).await.unwrap() + } + None => tokio::task::spawn_blocking(move || verify(otp, config)).await.unwrap(), } .map_res("Failed to verify OTP") .and(Ok(())) @@ -152,7 +154,7 @@ async fn activate_yubikey( continue; } - verify_yubikey_otp(yubikey.to_owned()).map_res("Invalid Yubikey OTP provided")?; + verify_yubikey_otp(yubikey.to_owned()).await.map_res("Invalid Yubikey OTP provided")?; } let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (x[..12]).to_owned()).collect(); @@ -188,7 +190,7 @@ async fn activate_yubikey_put( activate_yubikey(data, headers, conn, ip).await } -pub fn validate_yubikey_login(response: &str, twofactor_data: &str) -> EmptyResult { +pub async fn validate_yubikey_login(response: &str, twofactor_data: &str) -> EmptyResult { if response.len() != 44 { err!("Invalid Yubikey OTP length"); } @@ -200,7 +202,7 @@ pub fn validate_yubikey_login(response: &str, twofactor_data: &str) -> EmptyResu err!("Given Yubikey is not registered"); } - let result = verify_yubikey_otp(response.to_owned()); + let result = verify_yubikey_otp(response.to_owned()).await; match result { Ok(_answer) => Ok(()), diff --git a/src/api/identity.rs b/src/api/identity.rs @@ -395,7 +395,7 @@ async fn twofactor_auth( Some(TwoFactorType::Webauthn) => { _tf::webauthn::validate_webauthn_login(user_uuid, twofactor_code, conn).await? } - Some(TwoFactorType::YubiKey) => _tf::yubikey::validate_yubikey_login(twofactor_code, &selected_data?)?, + Some(TwoFactorType::YubiKey) => _tf::yubikey::validate_yubikey_login(twofactor_code, &selected_data?).await?, Some(TwoFactorType::Duo) => { _tf::duo::validate_duo_login(data.username.as_ref().unwrap().trim(), twofactor_code, conn).await? }