identity.rs (15438B)
1 use crate::{ 2 api::{ 3 ApiResult, EmptyResult, JsonResult, 4 core::accounts::{_prelogin, PreloginData, RegisterData}, 5 }, 6 auth::{ClientHeaders, ClientIp}, 7 config, 8 db::{ 9 DbConn, 10 models::{Device, OrgPolicy, OrgPolicyType, TwoFactorType, User}, 11 }, 12 error::{Error, MapResult as _}, 13 util, 14 }; 15 use rocket::serde::json::Json; 16 use rocket::{ 17 Route, 18 form::{Form, FromForm}, 19 }; 20 use serde_json::Value; 21 22 pub fn routes() -> Vec<Route> { 23 routes![identity_register, login, prelogin] 24 } 25 26 #[post("/connect/token", data = "<data>")] 27 async fn login(data: Form<ConnectData>, client_header: ClientHeaders, conn: DbConn) -> JsonResult { 28 let data: ConnectData = data.into_inner(); 29 let mut user_uuid: Option<String> = None; 30 let login_result = match data.grant_type.as_ref() { 31 "refresh_token" => { 32 _check_is_some(data.refresh_token.as_ref(), "refresh_token cannot be blank")?; 33 _refresh_login(data, &conn).await 34 } 35 "password" => { 36 _check_is_some(data.client_id.as_ref(), "client_id cannot be blank")?; 37 _check_is_some(data.password.as_ref(), "password cannot be blank")?; 38 _check_is_some(data.scope.as_ref(), "scope cannot be blank")?; 39 _check_is_some(data.username.as_ref(), "username cannot be blank")?; 40 _check_is_some( 41 data.device_identifier.as_ref(), 42 "device_identifier cannot be blank", 43 )?; 44 _check_is_some(data.device_name.as_ref(), "device_name cannot be blank")?; 45 _check_is_some(data.device_type.as_ref(), "device_type cannot be blank")?; 46 _password_login(data, &mut user_uuid, &conn, &client_header.ip).await 47 } 48 t => err!("Invalid type", t), 49 }; 50 login_result 51 } 52 53 async fn _refresh_login(data: ConnectData, conn: &DbConn) -> JsonResult { 54 // Extract token 55 let token = data.refresh_token.unwrap(); 56 // Get device by refresh token 57 let mut device = Device::find_by_refresh_token(&token, conn) 58 .await 59 .map_res("Invalid refresh token")?; 60 let scope = "api offline_access"; 61 let scope_vec = vec!["api".into(), "offline_access".into()]; 62 // Common 63 let user = User::find_by_uuid(&device.user_uuid, conn).await.unwrap(); 64 // --- 65 // Disabled this variable, it was used to generate the JWT 66 // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out 67 // See: https://github.com/dani-garcia/vaultwarden/issues/4156 68 // --- 69 // let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await; 70 let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec); 71 device.save(conn).await?; 72 let result = json!({ 73 "access_token": access_token, 74 "expires_in": expires_in, 75 "token_type": "Bearer", 76 "refresh_token": device.refresh_token, 77 "scope": scope, 78 }); 79 Ok(Json(result)) 80 } 81 #[expect(clippy::struct_excessive_bools, reason = "upstream")] 82 #[derive(Default, Deserialize, Serialize)] 83 #[serde(rename_all = "camelCase")] 84 struct MasterPasswordPolicy { 85 min_complexity: u8, 86 min_length: u32, 87 require_lower: bool, 88 require_upper: bool, 89 require_numbers: bool, 90 require_special: bool, 91 enforce_on_login: bool, 92 } 93 94 #[allow(clippy::else_if_without_else)] 95 async fn _password_login( 96 data: ConnectData, 97 user_uuid: &mut Option<String>, 98 conn: &DbConn, 99 ip: &ClientIp, 100 ) -> JsonResult { 101 // Validate scope 102 let scope = data.scope.as_ref().unwrap(); 103 if scope != "api offline_access" { 104 err!("Scope not supported") 105 } 106 let scope_vec = vec!["api".into(), "offline_access".into()]; 107 // Get the user 108 let username = data.username.as_ref().unwrap().trim(); 109 let Some(mut user) = User::find_by_mail(username, conn).await else { 110 err!( 111 "Username or password is incorrect. Try again", 112 format!("IP: {}. Username: {}.", ip.ip, username) 113 ) 114 }; 115 // Set the user_uuid here to be passed back used for event logging. 116 *user_uuid = Some(user.uuid.clone()); 117 // Check password 118 let password = data.password.as_ref().unwrap(); 119 if data.auth_request.is_some() { 120 err!( 121 "Auth request not found. Try again.", 122 format!("IP: {}. Username: {}.", ip.ip, username) 123 ) 124 } else if !user.check_valid_password(password) { 125 err!( 126 "Username or password is incorrect. Try again", 127 format!("IP: {}. Username: {}.", ip.ip, username) 128 ) 129 } 130 // Change the KDF Iterations 131 if user.password_iterations() != config::get_config().password_iterations { 132 user.set_password_iterations(config::get_config().password_iterations); 133 user.set_password(password, None, false, None); 134 if let Err(e) = user.save(conn).await { 135 panic!("Error updating user: {e:#?}"); 136 } 137 } 138 // Check if the user is disabled 139 if !user.enabled { 140 err!( 141 "This user has been disabled", 142 format!("IP: {}. Username: {}.", ip.ip, username) 143 ) 144 } 145 let (mut device, _) = get_device(&data, conn, &user).await; 146 let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec); 147 let kdf = user.client_kdf_type; 148 let kdf_iter = user.client_kdf_iter(); 149 let kdf_mem = user.client_kdf_memory(); 150 let kdf_par = user.client_kdf_parallelism(); 151 let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, ip, conn).await?; 152 // Common 153 // --- 154 // Disabled this variable, it was used to generate the JWT 155 // Because this might get used in the future, and is add by the Bitwarden Server, lets keep it, but then commented out 156 // See: https://github.com/dani-garcia/vaultwarden/issues/4156 157 // --- 158 // let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await; 159 device.save(conn).await?; 160 // Fetch all valid Master Password Policies and merge them into one with all true's and larges numbers as one policy 161 let master_password_policies: Vec<MasterPasswordPolicy> = 162 OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy( 163 &user.uuid, 164 OrgPolicyType::MasterPassword, 165 conn, 166 ) 167 .await 168 .into_iter() 169 .filter_map(|p| serde_json::from_str(&p.data).ok()) 170 .collect(); 171 172 let master_password_policy = if master_password_policies.is_empty() { 173 json!({"object": "masterPasswordPolicy"}) 174 } else { 175 let mut mpp_json = json!(master_password_policies.into_iter().reduce(|acc, policy| { 176 MasterPasswordPolicy { 177 min_complexity: acc.min_complexity.max(policy.min_complexity), 178 min_length: acc.min_length.max(policy.min_length), 179 require_lower: acc.require_lower || policy.require_lower, 180 require_upper: acc.require_upper || policy.require_upper, 181 require_numbers: acc.require_numbers || policy.require_numbers, 182 require_special: acc.require_special || policy.require_special, 183 enforce_on_login: acc.enforce_on_login || policy.enforce_on_login, 184 } 185 })); 186 mpp_json["object"] = json!("masterPasswordPolicy"); 187 mpp_json 188 }; 189 let mut result = json!({ 190 "access_token": access_token, 191 "expires_in": expires_in, 192 "token_type": "Bearer", 193 "refresh_token": device.refresh_token, 194 "Key": user.akey, 195 "PrivateKey": user.private_key, 196 "Kdf": kdf, 197 "KdfIterations": kdf_iter, 198 "KdfMemory": kdf_mem, 199 "KdfParallelism": kdf_par, 200 "ResetMasterPassword": false, // TODO: Same as above 201 "ForcePasswordReset": false, 202 "MasterPasswordPolicy": master_password_policy, 203 "scope": scope, 204 "UserDecryptionOptions": { 205 "HasMasterPassword": !user.password_hash.is_empty(), 206 "Object": "userDecryptionOptions" 207 }, 208 }); 209 if let Some(token) = twofactor_token { 210 result["TwoFactorToken"] = Value::String(token); 211 } 212 info!("User {} logged in successfully. IP: {}", username, ip.ip); 213 Ok(Json(result)) 214 } 215 216 /// Retrieves an existing device or creates a new device from ConnectData and the User 217 async fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> (Device, bool) { 218 // On iOS, device_type sends "iOS", on others it sends a number 219 // When unknown or unable to parse, return 14, which is 'Unknown Browser' 220 let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(14i32); 221 let device_id = data 222 .device_identifier 223 .clone() 224 .expect("No device id provided"); 225 let device_name = data.device_name.clone().expect("No device name provided"); 226 let mut new_device = false; 227 // Find device or create new 228 let device = (Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await).map_or_else( 229 || { 230 new_device = true; 231 Device::new(device_id, user.uuid.clone(), device_name, device_type) 232 }, 233 |device| device, 234 ); 235 (device, new_device) 236 } 237 238 async fn twofactor_auth( 239 user_uuid: &str, 240 data: &ConnectData, 241 device: &mut Device, 242 ip: &ClientIp, 243 conn: &DbConn, 244 ) -> ApiResult<Option<String>> { 245 let (authn, totp_token) = TwoFactorType::get_factors(user_uuid, conn).await?; 246 if authn || totp_token.is_some() { 247 let Some(ref token) = data.two_factor_token else { 248 err_json!( 249 _json_err_twofactor(authn, totp_token.is_some(), user_uuid, conn).await?, 250 "2FA token not provided" 251 ) 252 }; 253 // If no provider is given, we use a fallback. 254 // The fallback is prioritized to be WebAuthn if possible. 255 let tf_type = data 256 .two_factor_provider 257 .map(|prov| { 258 TwoFactorType::try_from(prov).and_then(|tf| { 259 if matches!(tf, TwoFactorType::WebAuthn) { 260 if authn { 261 Ok(tf) 262 } else { 263 const MSG: &str = "no webauthn registrations"; 264 Err(Error::new(MSG, MSG)) 265 } 266 } else if totp_token.is_some() { 267 Ok(tf) 268 } else { 269 const MSG: &str = "no totp registrations"; 270 Err(Error::new(MSG, MSG)) 271 } 272 }) 273 }) 274 .transpose()? 275 .unwrap_or({ 276 if authn { 277 TwoFactorType::WebAuthn 278 } else { 279 TwoFactorType::Totp 280 } 281 }); 282 use crate::api::core::two_factor as _tf; 283 match tf_type { 284 TwoFactorType::Totp => { 285 _tf::authenticator::validate_totp_code_str( 286 user_uuid, 287 token, 288 totp_token.unwrap_or_else(|| { 289 unreachable!("no totp registrations, but we verified there are") 290 }), 291 ip, 292 conn, 293 ) 294 .await?; 295 } 296 TwoFactorType::WebAuthn => { 297 _tf::webauthn::validate_webauthn_login(user_uuid, token, conn).await?; 298 } 299 } 300 device.delete_twofactor_remember(); 301 } 302 Ok(None) 303 } 304 305 async fn _json_err_twofactor( 306 authn: bool, 307 totp: bool, 308 user_uuid: &str, 309 conn: &DbConn, 310 ) -> ApiResult<Value> { 311 use crate::api::core::two_factor; 312 let auth_num = i32::from(TwoFactorType::WebAuthn).to_string(); 313 let totp_num = i32::from(TwoFactorType::Totp).to_string(); 314 let providers = [auth_num.as_str(), totp_num.as_str()]; 315 let mut result = json!({ 316 "error" : "invalid_grant", 317 "error_description" : "Two factor required.", 318 "TwoFactorProviders" : if authn { if totp { providers.as_slice() } else { &providers[..1] } } else if totp { &providers[1..] } else { [].as_slice() }, 319 "TwoFactorProviders2" : {}, 320 "MasterPasswordPolicy": { 321 "Object": "masterPasswordPolicy" 322 } 323 }); 324 if authn { 325 let request = two_factor::webauthn::generate_webauthn_login(user_uuid, conn).await?; 326 result["TwoFactorProviders2"][auth_num] = request.0; 327 } 328 if totp { 329 result["TwoFactorProviders2"][totp_num] = Value::Null; 330 } 331 Ok(result) 332 } 333 334 #[post("/accounts/prelogin", data = "<data>")] 335 async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> { 336 _prelogin(data, conn).await 337 } 338 339 #[allow(unused_variables, clippy::needless_pass_by_value)] 340 #[post("/accounts/register", data = "<data>")] 341 fn identity_register(data: Json<RegisterData>) -> Error { 342 const MSG: &str = "No more registerations allowed."; 343 Error::new(MSG, MSG) 344 } 345 346 // https://github.com/bitwarden/jslib/blob/master/common/src/models/request/tokenRequest.ts 347 // https://github.com/bitwarden/mobile/blob/master/src/Core/Models/Request/TokenRequest.cs 348 #[derive(Clone, Default, FromForm)] 349 struct ConnectData { 350 #[field(name = uncased("grant_type"))] 351 #[field(name = uncased("granttype"))] 352 grant_type: String, // refresh_token, password, client_credentials (API key) 353 // Needed for grant_type="refresh_token" 354 #[field(name = uncased("refresh_token"))] 355 #[field(name = uncased("refreshtoken"))] 356 refresh_token: Option<String>, 357 // Needed for grant_type = "password" | "client_credentials" 358 #[field(name = uncased("client_id"))] 359 #[field(name = uncased("clientid"))] 360 client_id: Option<String>, // web, cli, desktop, browser, mobile 361 #[field(name = uncased("client_secret"))] 362 #[field(name = uncased("clientsecret"))] 363 #[allow(dead_code)] 364 client_secret: Option<String>, 365 #[field(name = uncased("password"))] 366 password: Option<String>, 367 #[field(name = uncased("scope"))] 368 scope: Option<String>, 369 #[field(name = uncased("username"))] 370 username: Option<String>, 371 #[field(name = uncased("device_identifier"))] 372 #[field(name = uncased("deviceidentifier"))] 373 device_identifier: Option<String>, 374 #[field(name = uncased("device_name"))] 375 #[field(name = uncased("devicename"))] 376 device_name: Option<String>, 377 #[field(name = uncased("device_type"))] 378 #[field(name = uncased("devicetype"))] 379 device_type: Option<String>, 380 #[field(name = uncased("device_push_token"))] 381 #[field(name = uncased("devicepushtoken"))] 382 _device_push_token: Option<String>, // Unused; mobile device push not yet supported. 383 // Needed for two-factor auth 384 #[field(name = uncased("two_factor_provider"))] 385 #[field(name = uncased("twofactorprovider"))] 386 two_factor_provider: Option<i32>, 387 #[field(name = uncased("two_factor_token"))] 388 #[field(name = uncased("twofactortoken"))] 389 two_factor_token: Option<String>, 390 #[field(name = uncased("two_factor_remember"))] 391 #[field(name = uncased("twofactorremember"))] 392 #[allow(dead_code)] 393 two_factor_remember: Option<u32>, 394 #[field(name = uncased("authrequest"))] 395 auth_request: Option<String>, 396 } 397 398 fn _check_is_some<T>(value: Option<&T>, msg: &str) -> EmptyResult { 399 if value.is_none() { 400 err!(msg) 401 } 402 Ok(()) 403 }