vw_small

accounts.rs (23082B)

---

 use crate::{
     api::{EmptyResult, JsonResult, PasswordOrOtpData},
     auth::{ClientHeaders, Headers, decode_delete},
     db::{
         DbConn,
         models::{Cipher, Device, Folder, User, UserKdfType, UserOrganization},
     },
     error::Error,
     util::NumberOrString,
 };
 use rocket::serde::json::Json;
 use rocket::{
     http::Status,
     request::{FromRequest, Outcome, Request},
 };
 use serde_json::Value;
 
 pub fn routes() -> Vec<rocket::Route> {
     routes![
         api_key,
         delete_account,
         get_auth_request,
         get_auth_request_response,
         get_auth_requests,
         get_known_device,
         get_public_keys,
         password_hint,
         post_auth_request,
         post_clear_device_token,
         post_delete_account,
         post_delete_recover,
         post_delete_recover_token,
         post_device_token,
         post_email,
         post_email_token,
         post_kdf,
         post_keys,
         post_password,
         post_profile,
         post_rotatekey,
         post_sstamp,
         post_verify_email,
         post_verify_email_token,
         prelogin,
         profile,
         put_auth_request,
         put_avatar,
         put_clear_device_token,
         put_device_token,
         put_profile,
         register,
         revision_date,
         rotate_api_key,
         verify_password,
     ]
 }
 
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct RegisterData {
     #[allow(dead_code)]
     email: String,
     #[allow(dead_code)]
     kdf: Option<i32>,
     #[allow(dead_code)]
     kdf_iterations: Option<i32>,
     #[allow(dead_code)]
     kdf_memory: Option<i32>,
     #[allow(dead_code)]
     kdf_parallelism: Option<i32>,
     #[allow(dead_code)]
     key: String,
     #[allow(dead_code)]
     keys: Option<KeysData>,
     #[allow(dead_code)]
     master_password_hash: String,
     #[allow(dead_code)]
     master_password_hint: Option<String>,
     #[allow(dead_code)]
     name: Option<String>,
     #[allow(dead_code)]
     token: Option<String>,
     #[allow(dead_code)]
     organization_user_id: Option<String>,
 }
 
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct KeysData {
     encrypted_private_key: String,
     public_key: String,
 }
 
 /// Trims whitespace from password hints, and converts blank password hints to `None`.
 fn clean_password_hint(password_hint: Option<&str>) -> Option<String> {
     password_hint.and_then(|h| match h.trim() {
         "" => None,
         ht => Some(ht.to_owned()),
     })
 }
 
 fn enforce_password_hint_setting(password_hint: Option<&str>) -> EmptyResult {
     if password_hint.is_some() {
         err!(
             "Password hints have been disabled by the administrator. Remove the hint and try again."
         );
     }
     Ok(())
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/register", data = "<data>")]
 fn register(data: Json<RegisterData>) -> Error {
     const MSG: &str = "Registration is permanently disabled.";
     Error::new(MSG, MSG)
 }
 #[get("/accounts/profile")]
 async fn profile(headers: Headers, conn: DbConn) -> Json<Value> {
     Json(headers.user.to_json(&conn).await)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ProfileData {
     // Culture: String, // Ignored, always use en-US
     // MasterPasswordHint: Option<String>, // Ignored, has been moved to ChangePassData
     name: String,
 }
 
 #[put("/accounts/profile", data = "<data>")]
 async fn put_profile(data: Json<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
     post_profile(data, headers, conn).await
 }
 
 #[post("/accounts/profile", data = "<data>")]
 async fn post_profile(data: Json<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
     let prof_data: ProfileData = data.into_inner();
     // Check if the length of the username exceeds 50 characters (Same is Upstream Bitwarden)
     // This also prevents issues with very long usernames causing to large JWT's. See #2419
     if prof_data.name.len() > 50 {
         err!("The field Name must be a string with a maximum length of 50.");
     }
     let mut user = headers.user;
     user.name = prof_data.name;
     user.save(&conn).await?;
     Ok(Json(user.to_json(&conn).await))
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AvatarData {
     avatar_color: Option<String>,
 }
 
 #[put("/accounts/avatar", data = "<data>")]
 async fn put_avatar(data: Json<AvatarData>, headers: Headers, conn: DbConn) -> JsonResult {
     let av_data: AvatarData = data.into_inner();
     // It looks like it only supports the 6 hex color format.
     // If you try to add the short value it will not show that color.
     // Check and force 7 chars, including the #.
     if let Some(ref color) = av_data.avatar_color {
         if color.len() != 7 {
             err!(
                 "The field AvatarColor must be a HTML/Hex color code with a length of 7 characters"
             )
         }
     }
     let mut user = headers.user;
     user.avatar_color = av_data.avatar_color;
     user.save(&conn).await?;
     Ok(Json(user.to_json(&conn).await))
 }
 
 #[get("/users/<uuid>/public-key")]
 async fn get_public_keys(uuid: &str, _headers: Headers, conn: DbConn) -> JsonResult {
     let Some(user) = User::find_by_uuid(uuid, &conn).await else {
         err!("User doesn't exist")
     };
     Ok(Json(json!({
         "userId": user.uuid,
         "publicKey": user.public_key,
         "object":"userKey"
     })))
 }
 
 #[post("/accounts/keys", data = "<data>")]
 async fn post_keys(data: Json<KeysData>, headers: Headers, conn: DbConn) -> JsonResult {
     let key_data: KeysData = data.into_inner();
     let mut user = headers.user;
     user.private_key = Some(key_data.encrypted_private_key);
     user.public_key = Some(key_data.public_key);
     user.save(&conn).await?;
     Ok(Json(json!({
         "privateKey": user.private_key,
         "publicKey": user.public_key,
         "object":"keys"
     })))
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangePassData {
     master_password_hash: String,
     new_master_password_hash: String,
     master_password_hint: Option<String>,
     key: String,
 }
 
 #[post("/accounts/password", data = "<data>")]
 async fn post_password(data: Json<ChangePassData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let pass_data: ChangePassData = data.into_inner();
     let mut user = headers.user;
     if !user.check_valid_password(&pass_data.master_password_hash) {
         err!("Invalid password")
     }
     user.password_hint = clean_password_hint(pass_data.master_password_hint.as_deref());
     enforce_password_hint_setting(user.password_hint.as_deref())?;
     user.set_password(
         &pass_data.new_master_password_hash,
         Some(pass_data.key),
         true,
         Some(vec![
             String::from("post_rotatekey"),
             String::from("get_contacts"),
             String::from("get_public_keys"),
         ]),
     );
     user.save(&conn).await
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangeKdfData {
     kdf: i32,
     kdf_iterations: u32,
     kdf_memory: Option<u32>,
     kdf_parallelism: Option<u32>,
     master_password_hash: String,
     new_master_password_hash: String,
     key: String,
 }
 
 #[post("/accounts/kdf", data = "<data>")]
 async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let kdf_data: ChangeKdfData = data.into_inner();
     let mut user = headers.user;
     if !user.check_valid_password(&kdf_data.master_password_hash) {
         err!("Invalid password")
     }
     if kdf_data.kdf == i32::from(UserKdfType::Pbkdf2) && kdf_data.kdf_iterations < 100_000u32 {
         err!("PBKDF2 KDF iterations must be at least 100000.")
     }
     if kdf_data.kdf == i32::from(UserKdfType::Argon2id) {
         if kdf_data.kdf_iterations < 1u32 {
             err!("Argon2 KDF iterations must be at least 1.")
         }
         if let Some(m) = kdf_data.kdf_memory {
             if !(15u32..=1024u32).contains(&m) {
                 err!("Argon2 memory must be between 15 MB and 1024 MB.")
             }
             user.set_client_kdf_memory(kdf_data.kdf_memory);
         } else {
             err!("Argon2 memory parameter is required.")
         }
         if let Some(p) = kdf_data.kdf_parallelism {
             if !(1u32..=16u32).contains(&p) {
                 err!("Argon2 parallelism must be between 1 and 16.")
             }
             user.set_client_kdf_parallelism(kdf_data.kdf_parallelism);
         } else {
             err!("Argon2 parallelism parameter is required.")
         }
     } else {
         user.set_client_kdf_memory(None);
         user.set_client_kdf_parallelism(None);
     }
     user.set_client_kdf_iter(kdf_data.kdf_iterations);
     user.client_kdf_type = kdf_data.kdf;
     user.set_password(
         &kdf_data.new_master_password_hash,
         Some(kdf_data.key),
         true,
         None,
     );
     user.save(&conn).await
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct UpdateFolderData {
     id: Option<String>,
     name: String,
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct UpdateResetPasswordData {
     organization_id: String,
     reset_password_key: String,
 }
 
 use super::ciphers::CipherData;
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct KeyData {
     ciphers: Vec<CipherData>,
     folders: Vec<UpdateFolderData>,
     reset_password_keys: Vec<UpdateResetPasswordData>,
     key: String,
     master_password_hash: String,
     private_key: String,
 }
 
 #[post("/accounts/key", data = "<data>")]
 async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let key_data: KeyData = data.into_inner();
     if !headers
         .user
         .check_valid_password(&key_data.master_password_hash)
     {
         err!("Invalid password")
     }
     // Validate the import before continuing
     // Bitwarden does not process the import if there is one item invalid.
     // Since we check for the size of the encrypted note length, we need to do that here to pre-validate it.
     // TODO: See if we can optimize the whole cipher adding/importing and prevent duplicate code and checks.
     Cipher::validate_cipher_data(&key_data.ciphers)?;
     let user_uuid = &headers.user.uuid;
     // Update folder data
     for folder_data in key_data.folders {
         if let Some(folder_id) = folder_data.id {
             let Some(mut saved_folder) = Folder::find_by_uuid(&folder_id, &conn).await else {
                 err!("Folder doesn't exist")
             };
             if &saved_folder.user_uuid != user_uuid {
                 err!("The folder is not owned by the user")
             }
 
             saved_folder.name = folder_data.name;
             saved_folder.save(&conn).await?;
         }
     }
     for reset_password_data in key_data.reset_password_keys {
         let Some(mut user_org) = UserOrganization::find_by_user_and_org(
             user_uuid,
             &reset_password_data.organization_id,
             &conn,
         )
         .await
         else {
             err!("Reset password doesn't exist")
         };
         user_org.reset_password_key = Some(reset_password_data.reset_password_key);
         user_org.save(&conn).await?;
     }
     // Update cipher data
     use super::ciphers::update_cipher_from_data;
     for cipher_data in key_data.ciphers {
         if cipher_data.organization_id.is_none() {
             let Some(mut saved_cipher) =
                 Cipher::find_by_uuid(cipher_data.id.as_ref().unwrap(), &conn).await
             else {
                 err!("Cipher doesn't exist")
             };
             if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
                 err!("The cipher is not owned by the user")
             }
             update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, None, &conn, true)
                 .await?;
         }
     }
 
     // Update user data
     let mut user = headers.user;
     user.akey = key_data.key;
     user.private_key = Some(key_data.private_key);
     user.reset_security_stamp();
     user.save(&conn).await
 }
 
 #[post("/accounts/security-stamp", data = "<data>")]
 async fn post_sstamp(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let otp_data: PasswordOrOtpData = data.into_inner();
     let mut user = headers.user;
     otp_data.validate(&user)?;
     Device::delete_all_by_user(&user.uuid, &conn).await?;
     user.reset_security_stamp();
     user.save(&conn).await
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct EmailTokenData {
     #[allow(dead_code)]
     master_password_hash: String,
     #[allow(dead_code)]
     new_email: String,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/email-token", data = "<data>")]
 fn post_email_token(data: Json<EmailTokenData>, _headers: Headers) -> Error {
     const MSG: &str = "E-mail change is not allowed.";
     Error::new(MSG, MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangeEmailData {
     #[allow(dead_code)]
     master_password_hash: String,
     #[allow(dead_code)]
     new_email: String,
     #[allow(dead_code)]
     key: String,
     #[allow(dead_code)]
     new_master_password_hash: String,
     #[allow(dead_code)]
     token: NumberOrString,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/email", data = "<data>")]
 fn post_email(data: Json<ChangeEmailData>, _headers: Headers) -> Error {
     const MSG: &str = "E-mail change is not allowed.";
     Error::new(MSG, MSG)
 }
 
 #[allow(clippy::needless_pass_by_value)]
 #[post("/accounts/verify-email")]
 fn post_verify_email(_headers: Headers) -> Error {
     const MSG: &str = "E-mail is disabled.";
     Error::new(MSG, MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct VerifyEmailTokenData {
     #[allow(dead_code)]
     user_id: String,
     #[allow(dead_code)]
     token: String,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/verify-email-token", data = "<data>")]
 fn post_verify_email_token(data: Json<VerifyEmailTokenData>) -> Error {
     const MSG: &str = "E-mail is disabled.";
     Error::new(MSG, MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct DeleteRecoverData {
     #[allow(dead_code)]
     email: String,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/delete-recover", data = "<data>")]
 fn post_delete_recover(data: Json<DeleteRecoverData>) -> Error {
     const MSG: &str = "Account deletion is disabled with at this endpoint.";
     Error::new(MSG, MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct DeleteRecoverTokenData {
     user_id: String,
     token: String,
 }
 
 #[post("/accounts/delete-recover-token", data = "<data>")]
 async fn post_delete_recover_token(
     data: Json<DeleteRecoverTokenData>,
     conn: DbConn,
 ) -> EmptyResult {
     let token_data: DeleteRecoverTokenData = data.into_inner();
     let Some(user) = User::find_by_uuid(&token_data.user_id, &conn).await else {
         err!("User doesn't exist")
     };
     let Ok(claims) = decode_delete(&token_data.token) else {
         err!("Invalid claim")
     };
     if claims.sub != user.uuid {
         err!("Invalid claim");
     }
     user.delete(&conn).await
 }
 
 #[post("/accounts/delete", data = "<data>")]
 async fn post_delete_account(
     data: Json<PasswordOrOtpData>,
     headers: Headers,
     conn: DbConn,
 ) -> EmptyResult {
     delete_account(data, headers, conn).await
 }
 
 #[delete("/accounts", data = "<data>")]
 async fn delete_account(
     data: Json<PasswordOrOtpData>,
     headers: Headers,
     conn: DbConn,
 ) -> EmptyResult {
     let otp_data: PasswordOrOtpData = data.into_inner();
     let user = headers.user;
     otp_data.validate(&user)?;
     user.delete(&conn).await
 }
 #[allow(clippy::needless_pass_by_value)]
 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> Json<Value> {
     Json(json!(headers.user.updated_at.and_utc().timestamp_millis()))
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct PasswordHintData {
     #[allow(dead_code)]
     email: String,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/password-hint", data = "<data>")]
 fn password_hint(data: Json<PasswordHintData>) -> Error {
     const MSG: &str = "Password hints are disabled.";
     Error::new(MSG, MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct PreloginData {
     email: String,
 }
 
 #[post("/accounts/prelogin", data = "<data>")]
 async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
     _prelogin(data, conn).await
 }
 
 pub async fn _prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
     let login_data: PreloginData = data.into_inner();
     let (kdf_type, kdf_iter, kdf_mem, kdf_para) =
         match User::find_by_mail(&login_data.email, &conn).await {
             Some(user) => (
                 user.client_kdf_type,
                 user.client_kdf_iter(),
                 user.client_kdf_memory(),
                 user.client_kdf_parallelism(),
             ),
             None => (
                 User::client_kdf_type_default(),
                 User::CLIENT_KDF_ITER_DEFAULT,
                 None,
                 None,
             ),
         };
     let result = json!({
         "kdf": kdf_type,
         "kdfIterations": kdf_iter,
         "kdfMemory": kdf_mem,
         "kdfParallelism": kdf_para,
     });
     Json(result)
 }
 
 // https://github.com/bitwarden/server/blob/master/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct SecretVerificationRequest {
     master_password_hash: String,
 }
 
 #[post("/accounts/verify-password", data = "<data>")]
 fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers) -> EmptyResult {
     let req: SecretVerificationRequest = data.into_inner();
     let user = headers.user;
     if !user.check_valid_password(&req.master_password_hash) {
         err!("Invalid password")
     }
     Ok(())
 }
 
 const API_DISABLED_MSG: &str = "API access is disabled.";
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/api-key", data = "<data>")]
 fn api_key(data: Json<PasswordOrOtpData>, _headers: Headers) -> Error {
     Error::new(API_DISABLED_MSG, API_DISABLED_MSG)
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/accounts/rotate-api-key", data = "<data>")]
 fn rotate_api_key(data: Json<PasswordOrOtpData>, _headers: Headers) -> Error {
     Error::new(API_DISABLED_MSG, API_DISABLED_MSG)
 }
 
 #[get("/devices/knowndevice")]
 async fn get_known_device(device: KnownDevice, conn: DbConn) -> JsonResult {
     let mut result = false;
     if let Some(user) = User::find_by_mail(&device.email, &conn).await {
         result = Device::find_by_uuid_and_user(&device.uuid, &user.uuid, &conn)
             .await
             .is_some();
     }
     Ok(Json(json!(result)))
 }
 
 struct KnownDevice {
     email: String,
     uuid: String,
 }
 
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for KnownDevice {
     type Error = &'static str;
     async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
         let email = if let Some(email_b64) = request.headers().get_one("X-Request-Email") {
             let Ok(email_bytes) = data_encoding::BASE64URL_NOPAD.decode(email_b64.as_bytes())
             else {
                 return Outcome::Error((
                     Status::BadRequest,
                     "X-Request-Email value failed to decode as base64url",
                 ));
             };
             match String::from_utf8(email_bytes) {
                 Ok(email) => email,
                 Err(_) => {
                     return Outcome::Error((
                         Status::BadRequest,
                         "X-Request-Email value failed to decode as UTF-8",
                     ));
                 }
             }
         } else {
             return Outcome::Error((Status::BadRequest, "X-Request-Email value is required"));
         };
 
         let uuid = if let Some(uuid) = request.headers().get_one("X-Device-Identifier") {
             uuid.to_owned()
         } else {
             return Outcome::Error((Status::BadRequest, "X-Device-Identifier value is required"));
         };
         Outcome::Success(Self { email, uuid })
     }
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct PushToken {
     #[allow(dead_code)]
     push_token: String,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/devices/identifier/<uuid>/token", data = "<data>")]
 fn post_device_token(uuid: &str, data: Json<PushToken>, _headers: Headers) {}
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[put("/devices/identifier/<uuid>/token", data = "<data>")]
 fn put_device_token(uuid: &str, data: Json<PushToken>, _headers: Headers) {}
 #[allow(unused_variables)]
 #[put("/devices/identifier/<uuid>/clear-token")]
 const fn put_clear_device_token(uuid: &str) {}
 
 // On upstream server, both PUT and POST are declared. Implementing the POST method in case it would be useful somewhere
 #[allow(unused_variables)]
 #[post("/devices/identifier/<uuid>/clear-token")]
 const fn post_clear_device_token(uuid: &str) {}
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthRequestRequest {
     #[allow(dead_code)]
     access_code: String,
     #[allow(dead_code)]
     device_identifier: String,
     #[allow(dead_code)]
     email: String,
     #[allow(dead_code)]
     public_key: String,
     #[serde(alias = "type")]
     _type: i32,
 }
 const AUTH_DISABLED_MSG: &str = "Auth requests and log in via device are disabled.";
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[post("/auth-requests", data = "<data>")]
 fn post_auth_request(data: Json<AuthRequestRequest>, _headers: ClientHeaders) -> Error {
     Error::new(AUTH_DISABLED_MSG, AUTH_DISABLED_MSG)
 }
 
 #[allow(unused_variables)]
 #[get("/auth-requests/<uuid>")]
 fn get_auth_request(uuid: &str) -> Error {
     Error::new(AUTH_DISABLED_MSG, AUTH_DISABLED_MSG)
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthResponseRequest {
     #[allow(dead_code)]
     device_identifier: String,
     #[allow(dead_code)]
     key: String,
     #[allow(dead_code)]
     master_password_hash: Option<String>,
     #[allow(dead_code)]
     request_approved: bool,
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[put("/auth-requests/<uuid>", data = "<data>")]
 fn put_auth_request(uuid: &str, data: Json<AuthResponseRequest>) -> Error {
     Error::new(AUTH_DISABLED_MSG, AUTH_DISABLED_MSG)
 }
 
 #[allow(unused_variables)]
 #[get("/auth-requests/<uuid>/response?<code>")]
 fn get_auth_request_response(uuid: &str, code: &str) -> Error {
     Error::new(AUTH_DISABLED_MSG, AUTH_DISABLED_MSG)
 }
 
 #[allow(unused_variables, clippy::needless_pass_by_value)]
 #[get("/auth-requests")]
 fn get_auth_requests(headers: Headers) -> Json<Value> {
     Json(json!({
         "data": Vec::<Value>::new(),
         "continuationToken": null,
         "object": "list"
     }))
 }