aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel García <[email protected]>2024-11-12 20:04:46 +0100
committerDaniel García <[email protected]>2024-11-12 20:12:55 +0100
commit71eaddf1bd45957431bf342b979e8d3235ae2ccc (patch)
treeca1d26cd5b85ad9f0dc49c5a765e591003939b1a
parente927b8aa5ec8f0352bfb2ff95a996a89389959ff (diff)
downloadvaultwarden-71eaddf1bd45957431bf342b979e8d3235ae2ccc.tar.gz
vaultwarden-71eaddf1bd45957431bf342b979e8d3235ae2ccc.zip
Some more authrequest changes
-rw-r--r--src/api/core/accounts.rs10
-rw-r--r--src/api/identity.rs4
2 files changed, 12 insertions, 2 deletions
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 4e566bc9..4229179a 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1190,11 +1190,19 @@ async fn put_auth_request(
err!("AuthRequest doesn't exist", "User uuid's do not match")
}
+ if auth_request.approved.is_some() {
+ err!("An authentication request with the same device already exists")
+ }
+
+ let response_date = Utc::now().naive_utc();
+ let response_date_utc = format_date(&response_date);
+
if data.request_approved {
auth_request.approved = Some(data.request_approved);
auth_request.enc_key = Some(data.key);
auth_request.master_password_hash = data.master_password_hash;
auth_request.response_device_id = Some(data.device_identifier.clone());
+ auth_request.response_date = Some(response_date);
auth_request.save(&mut conn).await?;
ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
@@ -1204,8 +1212,6 @@ async fn put_auth_request(
auth_request.delete(&mut conn).await?;
}
- let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
-
Ok(Json(json!({
"id": uuid,
"publicKey": auth_request.public_key,
diff --git a/src/api/identity.rs b/src/api/identity.rs
index f2618164..445d61fd 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -190,8 +190,12 @@ async fn _password_login(
)
};
+ let expiration_time = auth_request.creation_date + chrono::Duration::minutes(5);
+ let request_expired = Utc::now().naive_utc() >= expiration_time;
+
if auth_request.user_uuid != user.uuid
|| !auth_request.approved.unwrap_or(false)
+ || request_expired
|| ip.ip.to_string() != auth_request.request_ip
|| !auth_request.check_access_code(password)
{