0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-12-13 17:22:58 +01:00

More authrequest fixes (#5176)

This commit is contained in:
Daniel García 2024-11-11 20:13:02 +01:00 committed by GitHub
parent d0581da638
commit 37c14c3c69
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 47 additions and 36 deletions

View file

@ -1136,15 +1136,15 @@ async fn post_auth_request(
#[get("/auth-requests/<uuid>")] #[get("/auth-requests/<uuid>")]
async fn get_auth_request(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult { async fn get_auth_request(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
if headers.user.uuid != uuid {
err!("AuthRequest doesn't exist", "User uuid's do not match")
}
let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await { let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
Some(auth_request) => auth_request, Some(auth_request) => auth_request,
None => err!("AuthRequest doesn't exist", "Record not found"), None => err!("AuthRequest doesn't exist", "Record not found"),
}; };
if headers.user.uuid != auth_request.user_uuid {
err!("AuthRequest doesn't exist", "User uuid's do not match")
}
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date)); let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
Ok(Json(json!({ Ok(Json(json!({
@ -1190,15 +1190,18 @@ async fn put_auth_request(
err!("AuthRequest doesn't exist", "User uuid's do not match") err!("AuthRequest doesn't exist", "User uuid's do not match")
} }
auth_request.approved = Some(data.request_approved); if data.request_approved {
auth_request.enc_key = Some(data.key); auth_request.approved = Some(data.request_approved);
auth_request.master_password_hash = data.master_password_hash; auth_request.enc_key = Some(data.key);
auth_request.response_device_id = Some(data.device_identifier.clone()); auth_request.master_password_hash = data.master_password_hash;
auth_request.save(&mut conn).await?; auth_request.response_device_id = Some(data.device_identifier.clone());
auth_request.save(&mut conn).await?;
if auth_request.approved.unwrap_or(false) {
ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await; ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await; nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await;
} else {
// If denied, there's no reason to keep the request
auth_request.delete(&mut conn).await?;
} }
let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date)); let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));

View file

@ -165,20 +165,22 @@ async fn _password_login(
// Set the user_uuid here to be passed back used for event logging. // Set the user_uuid here to be passed back used for event logging.
*user_uuid = Some(user.uuid.clone()); *user_uuid = Some(user.uuid.clone());
// Check password // Check if the user is disabled
let password = data.password.as_ref().unwrap(); if !user.enabled {
if let Some(auth_request_uuid) = data.auth_request.clone() { err!(
if let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await { "This user has been disabled",
if !auth_request.check_access_code(password) { format!("IP: {}. Username: {}.", ip.ip, username),
err!( ErrorEvent {
"Username or access code is incorrect. Try again", event: EventType::UserFailedLogIn
format!("IP: {}. Username: {}.", ip.ip, username),
ErrorEvent {
event: EventType::UserFailedLogIn,
}
)
} }
} else { )
}
let password = data.password.as_ref().unwrap();
// If we get an auth request, we don't check the user's password, but the access code of the auth request
if let Some(ref auth_request_uuid) = data.auth_request {
let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await else {
err!( err!(
"Auth request not found. Try again.", "Auth request not found. Try again.",
format!("IP: {}. Username: {}.", ip.ip, username), format!("IP: {}. Username: {}.", ip.ip, username),
@ -186,6 +188,23 @@ async fn _password_login(
event: EventType::UserFailedLogIn, event: EventType::UserFailedLogIn,
} }
) )
};
// Delete the request after we used it
auth_request.delete(conn).await?;
if auth_request.user_uuid != user.uuid
|| !auth_request.approved.unwrap_or(false)
|| ip.ip.to_string() != auth_request.request_ip
|| !auth_request.check_access_code(password)
{
err!(
"Username or access code is incorrect. Try again",
format!("IP: {}. Username: {}.", ip.ip, username),
ErrorEvent {
event: EventType::UserFailedLogIn,
}
)
} }
} else if !user.check_valid_password(password) { } else if !user.check_valid_password(password) {
err!( err!(
@ -197,8 +216,8 @@ async fn _password_login(
) )
} }
// Change the KDF Iterations // Change the KDF Iterations (only when not logging in with an auth request)
if user.password_iterations != CONFIG.password_iterations() { if data.auth_request.is_none() && user.password_iterations != CONFIG.password_iterations() {
user.password_iterations = CONFIG.password_iterations(); user.password_iterations = CONFIG.password_iterations();
user.set_password(password, None, false, None); user.set_password(password, None, false, None);
@ -207,17 +226,6 @@ async fn _password_login(
} }
} }
// Check if the user is disabled
if !user.enabled {
err!(
"This user has been disabled",
format!("IP: {}. Username: {}.", ip.ip, username),
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
let now = Utc::now().naive_utc(); let now = Utc::now().naive_utc();
if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() { if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {