MirrorHub/bitwarden_rs
0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-11-05 15:18:57 +01:00
Code Issues Releases Wiki Activity
bitwarden_rs/src/api/core/sends.rs

657 lines
20 KiB
Rust
Raw Normal View History

Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
use std::path::Path;
Send API
2021-03-14 23:35:55 +01:00
use chrono::{DateTime, Duration, Utc};
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
use num_traits::ToPrimitive;
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
use rocket::form::Form;
use rocket::fs::NamedFile;
use rocket::fs::TempFile;
use rocket::serde::json::Json;
Send API
2021-03-14 23:35:55 +01:00
use serde_json::Value;
use crate::{
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType},
Add IP address to missing/invalid password message for Sends
2022-02-13 13:06:52 +01:00
auth::{ClientIp, Headers, Host},
Apply rustfmt. Because apparently CLion's default formatting is not the same as rustfmt for some reason.
2022-07-09 04:49:51 +02:00
db::{models::*, DbConn, DbPool},
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
util::{NumberOrString, SafeString},
Apply rustfmt. Because apparently CLion's default formatting is not the same as rustfmt for some reason.
2022-07-09 04:49:51 +02:00
CONFIG,
Send API
2021-03-14 23:35:55 +01:00
};
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
const SEND_INACCESSIBLE_MSG: &str = "Send does not exist or is no longer available";
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
// The max file size allowed by Bitwarden clients and add an extra 5% to avoid issues
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
const SIZE_525_MB: i64 = 550_502_400;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Send API
2021-03-14 23:35:55 +01:00
pub fn routes() -> Vec<rocket::Route> {
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
routes![
Send create, update and delete notifications for `Send`s in the correct format. Add endpoints to get all sends or a specific send by its uuid.
2021-08-03 17:33:59 +02:00
get_sends,
get_send,
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
post_send,
post_send_file,
post_access,
post_access_file,
put_send,
delete_send,
put_remove_password,
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
download_send,
post_send_file_v2,
post_send_file_v2_data
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
]
Send API
2021-03-14 23:35:55 +01:00
}
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
pub async fn purge_sends(pool: DbPool) {
Add a generic job scheduler Also rewrite deletion of old sends using the job scheduler.
2021-04-03 05:16:49 +02:00
debug!("Purging sends");
Update to diesel2
2022-05-20 23:39:47 +02:00
if let Ok(mut conn) = pool.get().await {
Send::purge(&mut conn).await;
Add a generic job scheduler Also rewrite deletion of old sends using the job scheduler.
2021-04-03 05:16:49 +02:00
} else {
error!("Failed to get DB connection while purging sends")
}
Send deletion thread and updated users revision
2021-03-22 19:57:35 +01:00
}
Send API
2021-03-14 23:35:55 +01:00
#[derive(Deserialize)]
#[allow(non_snake_case)]
Fix issue with Bitwarden CLI. The CLI seems to send a String instead of an Integer for the maximum access count. It now accepts both types and converts it to an i32 in all cases. Fixes #2196
2021-12-31 15:59:58 +01:00
struct SendData {
Type: i32,
Key: String,
Password: Option<String>,
MaxAccessCount: Option<NumberOrString>,
ExpirationDate: Option<DateTime<Utc>>,
DeletionDate: DateTime<Utc>,
Disabled: bool,
HideEmail: Option<bool>,
Send API
2021-03-14 23:35:55 +01:00
// Data field
Fix issue with Bitwarden CLI. The CLI seems to send a String instead of an Integer for the maximum access count. It now accepts both types and converts it to an i32 in all cases. Fixes #2196
2021-12-31 15:59:58 +01:00
Name: String,
Notes: Option<String>,
Text: Option<Value>,
File: Option<Value>,
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
FileLength: Option<NumberOrString>,
Send API
2021-03-14 23:35:55 +01:00
}
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
/// Enforces the `Disable Send` policy. A non-owner/admin user belonging to
/// an org with this policy enabled isn't allowed to create new Sends or
/// modify existing ones, but is allowed to delete them.
///
/// Ref: https://bitwarden.com/help/article/policies/#disable-send
Add `sends_allowed` config setting This provides global control over whether users can create Bitwarden Sends.
2021-05-12 05:07:32 +02:00
///
/// There is also a Vaultwarden-specific `sends_allowed` config setting that
/// controls this policy globally.
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn enforce_disable_send_policy(headers: &Headers, conn: &mut DbConn) -> EmptyResult {
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
let user_uuid = &headers.user.uuid;
Add Org user revoke feature This PR adds a the new v2022.8.x revoke feature which allows an organization owner or admin to revoke access for one or more users. This PR also fixes several permissions and policy checks which were faulty. - Modified some functions to use DB Count features instead of iter/count aftwards. - Rearanged some if statements (faster matching or just one if instead of nested if's) - Added and fixed several policy checks where needed - Some small updates on some response models - Made some functions require an enum instead of an i32
2022-08-20 16:42:36 +02:00
if !CONFIG.sends_allowed()
|| OrgPolicy::is_applicable_to_user(user_uuid, OrgPolicyType::DisableSend, None, conn).await
{
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
err!("Due to an Enterprise Policy, you are only able to delete an existing Send.")
}
Ok(())
}
Add support for the `Send Options` policy Upstream refs: * https://github.com/bitwarden/server/pull/1234 * https://bitwarden.com/help/article/policies/#send-options
2021-05-12 09:54:28 +02:00
/// Enforces the `DisableHideEmail` option of the `Send Options` policy.
/// A non-owner/admin user belonging to an org with this option enabled isn't
/// allowed to hide their email address from the recipient of a Bitwarden Send,
/// but is allowed to remove this option from an existing Send.
///
/// Ref: https://bitwarden.com/help/article/policies/#send-options
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn enforce_disable_hide_email_policy(data: &SendData, headers: &Headers, conn: &mut DbConn) -> EmptyResult {
Add support for the `Send Options` policy Upstream refs: * https://github.com/bitwarden/server/pull/1234 * https://bitwarden.com/help/article/policies/#send-options
2021-05-12 09:54:28 +02:00
let user_uuid = &headers.user.uuid;
let hide_email = data.HideEmail.unwrap_or(false);
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
if hide_email && OrgPolicy::is_hide_email_disabled(user_uuid, conn).await {
Add support for the `Send Options` policy Upstream refs: * https://github.com/bitwarden/server/pull/1234 * https://bitwarden.com/help/article/policies/#send-options
2021-05-12 09:54:28 +02:00
err!(
"Due to an Enterprise Policy, you are not allowed to hide your email address \
from recipients when creating or editing a Send."
)
}
Ok(())
}
Add more clippy checks for better code/readability A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 . I added a few more clippy lints here, and fixed the resulted issues. Overall i think this could help in preventing future issues, and maybe even peformance problems. It also makes some code a bit more clear. We could always add more if we want to, i left a few out which i think arn't that huge of an issue. Some like the `unused_async` are nice, which resulted in a few `async` removals. Some others are maybe a bit more estatic, like `string_to_string`, but i think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
2022-07-10 16:39:38 +02:00
fn create_send(data: SendData, user_uuid: String) -> ApiResult<Send> {
Send API
2021-03-14 23:35:55 +01:00
let data_val = if data.Type == SendType::Text as i32 {
data.Text
} else if data.Type == SendType::File as i32 {
data.File
} else {
err!("Invalid Send type")
};
let data_str = if let Some(mut d) = data_val {
d.as_object_mut().and_then(|o| o.remove("Response"));
serde_json::to_string(&d)?
} else {
err!("Send data not provided");
};
if data.DeletionDate > Utc::now() + Duration::days(31) {
err!(
"You cannot have a Send with a deletion date that far into the future. Adjust the Deletion Date to a value less than 31 days from now and try again."
);
}
Add more clippy checks for better code/readability A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 . I added a few more clippy lints here, and fixed the resulted issues. Overall i think this could help in preventing future issues, and maybe even peformance problems. It also makes some code a bit more clear. We could always add more if we want to, i left a few out which i think arn't that huge of an issue. Some like the `unused_async` are nice, which resulted in a few `async` removals. Some others are maybe a bit more estatic, like `string_to_string`, but i think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
2022-07-10 16:39:38 +02:00
let mut send = Send::new(data.Type, data.Name, data_str, data.Key, data.DeletionDate.naive_utc());
Send API
2021-03-14 23:35:55 +01:00
send.user_uuid = Some(user_uuid);
send.notes = data.Notes;
Fix issue with Bitwarden CLI. The CLI seems to send a String instead of an Integer for the maximum access count. It now accepts both types and converts it to an i32 in all cases. Fixes #2196
2021-12-31 15:59:58 +01:00
send.max_access_count = match data.MaxAccessCount {
Some(m) => Some(m.into_i32()?),
_ => None,
};
Send API
2021-03-14 23:35:55 +01:00
send.expiration_date = data.ExpirationDate.map(|d| d.naive_utc());
send.disabled = data.Disabled;
Add support for hiding the sender's email address in Bitwarden Sends Note: The original Vaultwarden implementation of Bitwarden Send would always hide the email address, while the upstream implementation would always show it. Upstream PR: https://github.com/bitwarden/server/pull/1234
2021-05-12 07:51:12 +02:00
send.hide_email = data.HideEmail;
Send API
2021-03-14 23:35:55 +01:00
send.atype = data.Type;
send.set_password(data.Password.as_deref());
Ok(send)
}
Send create, update and delete notifications for `Send`s in the correct format. Add endpoints to get all sends or a specific send by its uuid.
2021-08-03 17:33:59 +02:00
#[get("/sends")]
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn get_sends(headers: Headers, mut conn: DbConn) -> Json<Value> {
let sends = Send::find_by_user(&headers.user.uuid, &mut conn);
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
let sends_json: Vec<Value> = sends.await.iter().map(|s| s.to_json()).collect();
Send create, update and delete notifications for `Send`s in the correct format. Add endpoints to get all sends or a specific send by its uuid.
2021-08-03 17:33:59 +02:00
Json(json!({
"Data": sends_json,
"Object": "list",
"ContinuationToken": null
}))
}
#[get("/sends/<uuid>")]
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
async fn get_send(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
let send = match Send::find_by_uuid(uuid, &mut conn).await {
Send create, update and delete notifications for `Send`s in the correct format. Add endpoints to get all sends or a specific send by its uuid.
2021-08-03 17:33:59 +02:00
Some(send) => send,
None => err!("Send not found"),
};
if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
err!("Send is not owned by user")
}
Ok(Json(send.to_json()))
}
Send API
2021-03-14 23:35:55 +01:00
#[post("/sends", data = "<data>")]
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn post_send(data: JsonUpcase<SendData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
Send API
2021-03-14 23:35:55 +01:00
let data: SendData = data.into_inner().data;
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_hide_email_policy(&data, &headers, &mut conn).await?;
Send API
2021-03-14 23:35:55 +01:00
if data.Type == SendType::File as i32 {
err!("File sends should use /api/sends/file")
}
Add more clippy checks for better code/readability A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 . I added a few more clippy lints here, and fixed the resulted issues. Overall i think this could help in preventing future issues, and maybe even peformance problems. It also makes some code a bit more clear. We could always add more if we want to, i left a few out which i think arn't that huge of an issue. Some like the `unused_async` are nice, which resulted in a few `async` removals. Some others are maybe a bit more estatic, like `string_to_string`, but i think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
2022-07-10 16:39:38 +02:00
let mut send = create_send(data, headers.user.uuid)?;
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendCreate,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Send API
2021-03-14 23:35:55 +01:00
Ok(Json(send.to_json()))
}
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
#[derive(FromForm)]
struct UploadData<'f> {
model: Json<crate::util::UpCase<SendData>>,
data: TempFile<'f>,
}
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
#[derive(FromForm)]
struct UploadDataV2<'f> {
data: TempFile<'f>,
}
// @deprecated Mar 25 2021: This method has been deprecated in favor of direct uploads (v2).
// This method still exists to support older clients, probably need to remove it sometime.
// Upstream: https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L164-L167
Send API
2021-03-14 23:35:55 +01:00
#[post("/sends/file", format = "multipart/form-data", data = "<data>")]
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
let UploadData {
model,
mut data,
} = data.into_inner();
let model = model.into_inner().data;
Send API
2021-03-14 23:35:55 +01:00
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
let Some(size) = data.len().to_i64() else {
err!("Invalid send size");
};
if size < 0 {
err!("Send size can't be negative")
}
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_hide_email_policy(&model, &headers, &mut conn).await?;
Send API
2021-03-14 23:35:55 +01:00
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
let size_limit = match CONFIG.user_send_limit() {
Send API
2021-03-14 23:35:55 +01:00
Some(0) => err!("File uploads are disabled"),
Some(limit_kb) => {
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
let Some(already_used) = Send::size_by_user(&headers.user.uuid, &mut conn).await else {
err!("Existing sends overflow")
};
let Some(left) = limit_kb.checked_mul(1024).and_then(|l| l.checked_sub(already_used)) else {
err!("Send size overflow");
};
Send API
2021-03-14 23:35:55 +01:00
if left <= 0 {
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
err!("Send storage limit reached! Delete some sends to free up space")
Send API
2021-03-14 23:35:55 +01:00
}
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
i64::clamp(left, 0, SIZE_525_MB)
Send API
2021-03-14 23:35:55 +01:00
}
Added web-vault v2.21.x support + some misc fixes - The new web-vault v2.21.0+ has support for Master Password Reset. For this to work it generates a public/private key-pair which needs to be stored in the database. Currently the Master Password Reset is not fixed, but there are endpoints which are needed even if we do not support this feature (yet). This PR fixes those endpoints, and stores the keys already in the database. - There was an issue when you want to do a key-rotate when you change your password, it also called an Emergency Access endpoint, which we do not yet support. Because this endpoint failed to reply correctly produced some errors, and also prevent the user from being forced to logout. This resolves #1826 by adding at least that endpoint. Because of that extra endpoint check to Emergency Access is done using an old user stamp, i also modified the stamp exception to allow multiple rocket routes to be called, and added an expiration timestamp to it. During these tests i stumbled upon an issue that after my key-change was done, it triggered the websockets to try and reload my ciphers, because they were updated. This shouldn't happen when rotating they keys, since all access should be invalided. Now there will be no websocket notification for this, which also prevents error toasts. - Increased Send Size limit to 500MB (with a litle overhead) As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
None => SIZE_525_MB,
Send API
2021-03-14 23:35:55 +01:00
};
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
if size > size_limit {
err!("Send storage limit exceeded with this file");
}
Add more clippy checks for better code/readability A bit inspired by @paolobarbolini from this commit at lettre https://github.com/lettre/lettre/pull/784 . I added a few more clippy lints here, and fixed the resulted issues. Overall i think this could help in preventing future issues, and maybe even peformance problems. It also makes some code a bit more clear. We could always add more if we want to, i left a few out which i think arn't that huge of an issue. Some like the `unused_async` are nice, which resulted in a few `async` removals. Some others are maybe a bit more estatic, like `string_to_string`, but i think it looks better to use `clone` in those cases instead of `to_string` while they already are a string.
2022-07-10 16:39:38 +02:00
let mut send = create_send(model, headers.user.uuid)?;
Send API
2021-03-14 23:35:55 +01:00
if send.atype != SendType::File as i32 {
err!("Send content is not a file");
}
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
let file_id = crate::crypto::generate_send_id();
let folder_path = tokio::fs::canonicalize(&CONFIG.sends_folder()).await?.join(&send.uuid);
let file_path = folder_path.join(&file_id);
tokio::fs::create_dir_all(&folder_path).await?;
Add option to make file uploads use move_copy_to instead of persist_to This is to support scenarios where the attachments and sends folder are to be stored on a separate device from the tmp_folder (i.e. fuse-mounted S3 storage), due to having the tmp_dir on the same device being undesirable. Example being fuse-mounted S3 storage with the reasoning that because S3 basically requires a copy+delete operations to rename files, it's inefficient to rename files on device, if it's even allowed.
2022-07-08 19:19:00 +02:00
Use if let instead of a match with empty block.
2022-07-09 05:41:53 +02:00
if let Err(_err) = data.persist_to(&file_path).await {
data.move_copy_to(file_path).await?
Use match to avoid ownership issues on the TempFile / file_path variables in closures.
2022-07-09 04:33:27 +02:00
}
Send API
2021-03-14 23:35:55 +01:00
let mut data_value: Value = serde_json::from_str(&send.data)?;
if let Some(o) = data_value.as_object_mut() {
o.insert(String::from("Id"), Value::String(file_id));
o.insert(String::from("Size"), Value::Number(size.into()));
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
o.insert(String::from("SizeName"), Value::String(crate::util::get_display_size(size)));
Send API
2021-03-14 23:35:55 +01:00
}
send.data = serde_json::to_string(&data_value)?;
// Save the changes in the database
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendCreate,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Send API
2021-03-14 23:35:55 +01:00
Ok(Json(send.to_json()))
}
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
// Upstream: https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L190
#[post("/sends/file/v2", data = "<data>")]
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn post_send_file_v2(data: JsonUpcase<SendData>, headers: Headers, mut conn: DbConn) -> JsonResult {
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
let data = data.into_inner().data;
if data.Type != SendType::File as i32 {
err!("Send content is not a file");
}
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_hide_email_policy(&data, &headers, &mut conn).await?;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
let file_length = match &data.FileLength {
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
Some(m) => m.into_i64()?,
_ => err!("Invalid send length"),
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
};
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
if file_length < 0 {
err!("Send size can't be negative")
}
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
let size_limit = match CONFIG.user_send_limit() {
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Some(0) => err!("File uploads are disabled"),
Some(limit_kb) => {
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
let Some(already_used) = Send::size_by_user(&headers.user.uuid, &mut conn).await else {
err!("Existing sends overflow")
};
let Some(left) = limit_kb.checked_mul(1024).and_then(|l| l.checked_sub(already_used)) else {
err!("Send size overflow");
};
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
if left <= 0 {
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
err!("Send storage limit reached! Delete some sends to free up space")
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
}
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
i64::clamp(left, 0, SIZE_525_MB)
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
}
None => SIZE_525_MB,
};
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
if file_length > size_limit {
err!("Send storage limit exceeded with this file");
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
}
let mut send = create_send(data, headers.user.uuid)?;
let file_id = crate::crypto::generate_send_id();
let mut data_value: Value = serde_json::from_str(&send.data)?;
if let Some(o) = data_value.as_object_mut() {
o.insert(String::from("Id"), Value::String(file_id.clone()));
Improve file limit handling (#4242) * Improve file limit handling * Oops * Update PostgreSQL migration * Review comments --------- Co-authored-by: BlackDex <black.dex@gmail.com>
2024-01-27 02:43:26 +01:00
o.insert(String::from("Size"), Value::Number(file_length.into()));
o.insert(String::from("SizeName"), Value::String(crate::util::get_display_size(file_length)));
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
}
send.data = serde_json::to_string(&data_value)?;
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Ok(Json(json!({
"fileUploadType": 0, // 0 == Direct | 1 == Azure
"object": "send-fileUpload",
"url": format!("/sends/{}/file/{}", send.uuid, file_id),
"sendResponse": send.to_json()
})))
}
// https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L243
#[post("/sends/<send_uuid>/file/<file_id>", format = "multipart/form-data", data = "<data>")]
async fn post_send_file_v2_data(
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
send_uuid: &str,
file_id: &str,
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
data: Form<UploadDataV2<'_>>,
headers: Headers,
Update to diesel2
2022-05-20 23:39:47 +02:00
mut conn: DbConn,
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
nt: Notify<'_>,
) -> EmptyResult {
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
let mut data = data.into_inner();
Update Rust and Crates - Updated Rust to v1.72.0 - Updated all the crates Including a CVE https://github.com/dani-garcia/vaultwarden/security/dependabot/21 - Updated GitHub Workflows - Run `cargo fmt` which has some new fmt's - Moved from `rust-toolchain` to `rust-toolchain.toml`
2023-08-28 16:48:42 +02:00
let Some(send) = Send::find_by_uuid(send_uuid, &mut conn).await else {
err!("Send not found. Unable to save the file.")
};
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Update Rust and Crates - Updated Rust to v1.72.0 - Updated all the crates Including a CVE https://github.com/dani-garcia/vaultwarden/security/dependabot/21 - Updated GitHub Workflows - Run `cargo fmt` which has some new fmt's - Moved from `rust-toolchain` to `rust-toolchain.toml`
2023-08-28 16:48:42 +02:00
let Some(send_user_id) = &send.user_uuid else {
err!("Sends are only supported for users at the moment")
};
Add some extra access checks for attachments and groups
2023-07-03 19:58:14 +02:00
if send_user_id != &headers.user.uuid {
err!("Send doesn't belong to user");
}
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Add some extra access checks for attachments and groups
2023-07-03 19:58:14 +02:00
let folder_path = tokio::fs::canonicalize(&CONFIG.sends_folder()).await?.join(send_uuid);
let file_path = folder_path.join(file_id);
tokio::fs::create_dir_all(&folder_path).await?;
if let Err(_err) = data.data.persist_to(&file_path).await {
data.data.move_copy_to(file_path).await?
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
}
Add some extra access checks for attachments and groups
2023-07-03 19:58:14 +02:00
nt.send_send_update(
UpdateType::SyncSendCreate,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Add support for send v2 API endpoints This PR adds support for the Send v2 API. It should prevent 404 errors which could cause some issues with some configurations on some reverse proxies. In the long run, we can probably remove the old file upload API, but for now lets leave it there, since Bitwarden also still has this endpoint in the code. Might fixes #2753
2022-09-22 19:40:04 +02:00
Ok(())
}
Send API
2021-03-14 23:35:55 +01:00
#[derive(Deserialize)]
#[allow(non_snake_case)]
pub struct SendAccessData {
pub Password: Option<String>,
}
#[post("/sends/access/<access_id>", data = "<data>")]
Update to diesel2
2022-05-20 23:39:47 +02:00
async fn post_access(
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
access_id: &str,
Update to diesel2
2022-05-20 23:39:47 +02:00
data: JsonUpcase<SendAccessData>,
mut conn: DbConn,
ip: ClientIp,
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
nt: Notify<'_>,
Update to diesel2
2022-05-20 23:39:47 +02:00
) -> JsonResult {
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
let mut send = match Send::find_by_access_id(access_id, &mut conn).await {
Send API
2021-03-14 23:35:55 +01:00
Some(s) => s,
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
None => err_code!(SEND_INACCESSIBLE_MSG, 404),
Send API
2021-03-14 23:35:55 +01:00
};
if let Some(max_access_count) = send.max_access_count {
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if send.access_count >= max_access_count {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404);
Send API
2021-03-14 23:35:55 +01:00
}
}
if let Some(expiration) = send.expiration_date {
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if Utc::now().naive_utc() >= expiration {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
}
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if Utc::now().naive_utc() >= send.deletion_date {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
if send.disabled {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
if send.password_hash.is_some() {
match data.into_inner().data.Password {
Some(ref p) if send.check_password(p) => { /* Nothing to do here */ }
Add IP address to missing/invalid password message for Sends
2022-02-13 13:06:52 +01:00
Some(_) => err!("Invalid password", format!("IP: {}.", ip.ip)),
None => err_code!("Password not provided", format!("IP: {}.", ip.ip), 401),
Send API
2021-03-14 23:35:55 +01:00
}
}
// Files are incremented during the download
if send.atype == SendType::Text as i32 {
send.access_count += 1;
}
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Send API
2021-03-14 23:35:55 +01:00
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendUpdate,
&send,
&send.update_users_revision(&mut conn).await,
Fix send access regression In a previous commit push notifications for mobile were added, but this introduced a header guard which caused issues with anonymous endpoints. This PR fixes this by using a uuid with only 0's. Fixes #3607
2023-06-22 16:40:26 +02:00
&String::from("00000000-0000-0000-0000-000000000000"),
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
&mut conn,
)
.await;
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
Update to diesel2
2022-05-20 23:39:47 +02:00
Ok(Json(send.to_json_access(&mut conn).await))
Send API
2021-03-14 23:35:55 +01:00
}
#[post("/sends/<send_id>/access/file/<file_id>", data = "<data>")]
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
async fn post_access_file(
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
send_id: &str,
file_id: &str,
Send API
2021-03-14 23:35:55 +01:00
data: JsonUpcase<SendAccessData>,
host: Host,
Update to diesel2
2022-05-20 23:39:47 +02:00
mut conn: DbConn,
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
nt: Notify<'_>,
Send API
2021-03-14 23:35:55 +01:00
) -> JsonResult {
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
let mut send = match Send::find_by_uuid(send_id, &mut conn).await {
Send API
2021-03-14 23:35:55 +01:00
Some(s) => s,
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
None => err_code!(SEND_INACCESSIBLE_MSG, 404),
Send API
2021-03-14 23:35:55 +01:00
};
if let Some(max_access_count) = send.max_access_count {
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if send.access_count >= max_access_count {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
}
if let Some(expiration) = send.expiration_date {
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if Utc::now().naive_utc() >= expiration {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
}
Send access check fixes Adjust checks for max access count, expiration date, and deletion date. The date checks aren't that important, but the access count check currently allows one more access than it should.
2021-03-15 07:20:49 +01:00
if Utc::now().naive_utc() >= send.deletion_date {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
if send.disabled {
Use constant for the "inaccessible" error message
2021-03-25 12:40:32 +01:00
err_code!(SEND_INACCESSIBLE_MSG, 404)
Send API
2021-03-14 23:35:55 +01:00
}
if send.password_hash.is_some() {
match data.into_inner().data.Password {
Some(ref p) if send.check_password(p) => { /* Nothing to do here */ }
Some(_) => err!("Invalid password."),
None => err_code!("Password not provided", 401),
}
}
send.access_count += 1;
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Send API
2021-03-14 23:35:55 +01:00
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendUpdate,
&send,
&send.update_users_revision(&mut conn).await,
Fix send access regression In a previous commit push notifications for mobile were added, but this introduced a header guard which caused issues with anonymous endpoints. This PR fixes this by using a uuid with only 0's. Fixes #3607
2023-06-22 16:40:26 +02:00
&String::from("00000000-0000-0000-0000-000000000000"),
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
&mut conn,
)
.await;
Update WebSocket Notifications Previously the websocket notifications were using `app_id` as the `ContextId`. This was incorrect and should have been the device_uuid from the client device executing the request. The clients will ignore the websocket request if the uuid matches. This also fixes some issues with the Desktop client which is able to modify attachments within the same screen and causes an issue when saving the attachment afterwards. Also changed the way to handle removed attachments, since that causes an error saving the vault cipher afterwards, complaining about a missing attachment. Bitwarden ignores this, and continues with the remaining attachments (if any). This also fixes #2591 . Further some more websocket notifications have been added to some other functions which enhance the user experience. - Logout users when deauthed, changed password, rotated keys - Trigger OrgSyncKeys on user confirm and removal - Added some extra to the send feature Also renamed UpdateTypes to match Bitwarden naming.
2022-12-30 21:23:55 +01:00
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
let token_claims = crate::auth::generate_send_claims(send_id, file_id);
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
let token = crate::auth::encode_jwt(&token_claims);
Send API
2021-03-14 23:35:55 +01:00
Ok(Json(json!({
"Object": "send-fileDownload",
"Id": file_id,
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
"Url": format!("{}/api/sends/{}/{}?t={}", &host.host, send_id, file_id, token)
Send API
2021-03-14 23:35:55 +01:00
})))
}
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
#[get("/sends/<send_id>/<file_id>?<t>")]
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
async fn download_send(send_id: SafeString, file_id: SafeString, t: &str) -> Option<NamedFile> {
if let Ok(claims) = crate::auth::decode_send(t) {
Resolve uninlined_format_args clippy warnings The upcomming release of Rust 1.67.0 will warn on `uninlined_format_args`. This PR resolves that by inlining all these items. It also looks nicer.
2022-12-29 14:11:52 +01:00
if claims.sub == format!("{send_id}/{file_id}") {
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
return NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).await.ok();
Add token with short expiration time to send url
2021-06-25 20:33:51 +02:00
}
}
None
}
Send API
2021-03-14 23:35:55 +01:00
#[put("/sends/<id>", data = "<data>")]
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
async fn put_send(
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
id: &str,
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
data: JsonUpcase<SendData>,
headers: Headers,
Update to diesel2
2022-05-20 23:39:47 +02:00
mut conn: DbConn,
Async/Awaited all db methods This is a rather large PR which updates the async branch to have all the database methods as an async fn. Some iter/map logic needed to be changed to a stream::iter().then(), but besides that most changes were just adding async/await where needed.
2021-11-16 17:07:55 +01:00
nt: Notify<'_>,
) -> JsonResult {
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
Send API
2021-03-14 23:35:55 +01:00
let data: SendData = data.into_inner().data;
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_hide_email_policy(&data, &headers, &mut conn).await?;
Send API
2021-03-14 23:35:55 +01:00
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
let mut send = match Send::find_by_uuid(id, &mut conn).await {
Send API
2021-03-14 23:35:55 +01:00
Some(s) => s,
None => err!("Send not found"),
};
if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
err!("Send is not owned by user")
}
if send.atype != data.Type {
err!("Sends can't change type")
}
Fix updating file send
2021-03-17 19:39:48 +01:00
// When updating a file Send, we receive nulls in the File field, as it's immutable,
// so we only need to update the data field in the Text case
if data.Type == SendType::Text as i32 {
let data_str = if let Some(mut d) = data.Text {
d.as_object_mut().and_then(|d| d.remove("Response"));
serde_json::to_string(&d)?
} else {
err!("Send data not provided");
};
send.data = data_str;
}
Send API
2021-03-14 23:35:55 +01:00
if data.DeletionDate > Utc::now() + Duration::days(31) {
err!(
"You cannot have a Send with a deletion date that far into the future. Adjust the Deletion Date to a value less than 31 days from now and try again."
);
}
send.name = data.Name;
rename send key -> akey
2021-03-15 16:42:20 +01:00
send.akey = data.Key;
Send API
2021-03-14 23:35:55 +01:00
send.deletion_date = data.DeletionDate.naive_utc();
send.notes = data.Notes;
Fix issue with Bitwarden CLI. The CLI seems to send a String instead of an Integer for the maximum access count. It now accepts both types and converts it to an i32 in all cases. Fixes #2196
2021-12-31 15:59:58 +01:00
send.max_access_count = match data.MaxAccessCount {
Some(m) => Some(m.into_i32()?),
_ => None,
};
Send API
2021-03-14 23:35:55 +01:00
send.expiration_date = data.ExpirationDate.map(|d| d.naive_utc());
Add support for hiding the sender's email address in Bitwarden Sends Note: The original Vaultwarden implementation of Bitwarden Send would always hide the email address, while the upstream implementation would always show it. Upstream PR: https://github.com/bitwarden/server/pull/1234
2021-05-12 07:51:12 +02:00
send.hide_email = data.HideEmail;
Send API
2021-03-14 23:35:55 +01:00
send.disabled = data.Disabled;
// Only change the value if it's present
if let Some(password) = data.Password {
send.set_password(Some(&password));
}
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendUpdate,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Send API
2021-03-14 23:35:55 +01:00
Ok(Json(send.to_json()))
}
#[delete("/sends/<id>")]
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
async fn delete_send(id: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
let send = match Send::find_by_uuid(id, &mut conn).await {
Send API
2021-03-14 23:35:55 +01:00
Some(s) => s,
None => err!("Send not found"),
};
if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
err!("Send is not owned by user")
}
Update to diesel2
2022-05-20 23:39:47 +02:00
send.delete(&mut conn).await?;
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendDelete,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Send API
2021-03-14 23:35:55 +01:00
Ok(())
}
#[put("/sends/<id>/remove-password")]
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
async fn put_remove_password(id: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
Update to diesel2
2022-05-20 23:39:47 +02:00
enforce_disable_send_policy(&headers, &mut conn).await?;
Add support for the Disable Send policy Upstream refs: * https://github.com/bitwarden/server/pull/1130 * https://bitwarden.com/help/article/policies/#disable-send
2021-03-16 10:07:45 +01:00
Change `String` to `&str` for all Rocket functions During setting the latest commit hash for Rocket and updating all the other crates, there were some messages regarding the usage of `String` for the Rocket endpoint function calls. I acted upon this message and changed all `String` types to `&str` and modified the code where needed. This ended up in less alloc calls, and probably also a bit less memory usage. - Updated all the crates and commit hashes - Modified all `String` to `&str` where applicable
2023-04-30 17:18:12 +02:00
let mut send = match Send::find_by_uuid(id, &mut conn).await {
Send API
2021-03-14 23:35:55 +01:00
Some(s) => s,
None => err!("Send not found"),
};
if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
err!("Send is not owned by user")
}
send.set_password(None);
Update to diesel2
2022-05-20 23:39:47 +02:00
send.save(&mut conn).await?;
Fix mobile push blocking requests and spamming push server
2023-06-16 23:34:16 +02:00
nt.send_send_update(
UpdateType::SyncSendUpdate,
&send,
&send.update_users_revision(&mut conn).await,
&headers.device.uuid,
&mut conn,
)
.await;
Send API
2021-03-14 23:35:55 +01:00
Ok(Json(send.to_json()))
}
Reference in a new issue Copy permalink