diff options
author | Daniel GarcĂa <[email protected]> | 2024-11-15 11:25:51 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2024-11-15 11:25:51 +0100 |
commit | 0d16b38a68c702e7f300a64f9e55d897916ae238 (patch) | |
tree | 04111a3167d21affbf4148d2bfc943cf383cc704 | |
parent | ff33534c07ba05184fbb2adf562334ac56686c55 (diff) | |
download | vaultwarden-0d16b38a68c702e7f300a64f9e55d897916ae238.tar.gz vaultwarden-0d16b38a68c702e7f300a64f9e55d897916ae238.zip |
Some more authrequest changes (#5188)
-rw-r--r-- | src/api/core/accounts.rs | 10 | ||||
-rw-r--r-- | src/api/identity.rs | 4 |
2 files changed, 12 insertions, 2 deletions
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 7c3919ad..1d3bcf37 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -1190,11 +1190,19 @@ async fn put_auth_request( err!("AuthRequest doesn't exist", "User uuid's do not match") } + if auth_request.approved.is_some() { + err!("An authentication request with the same device already exists") + } + + let response_date = Utc::now().naive_utc(); + let response_date_utc = format_date(&response_date); + if data.request_approved { auth_request.approved = Some(data.request_approved); auth_request.enc_key = Some(data.key); auth_request.master_password_hash = data.master_password_hash; auth_request.response_device_id = Some(data.device_identifier.clone()); + auth_request.response_date = Some(response_date); auth_request.save(&mut conn).await?; ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await; @@ -1204,8 +1212,6 @@ async fn put_auth_request( auth_request.delete(&mut conn).await?; } - let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date)); - Ok(Json(json!({ "id": uuid, "publicKey": auth_request.public_key, diff --git a/src/api/identity.rs b/src/api/identity.rs index f2618164..445d61fd 100644 --- a/src/api/identity.rs +++ b/src/api/identity.rs @@ -190,8 +190,12 @@ async fn _password_login( ) }; + let expiration_time = auth_request.creation_date + chrono::Duration::minutes(5); + let request_expired = Utc::now().naive_utc() >= expiration_time; + if auth_request.user_uuid != user.uuid || !auth_request.approved.unwrap_or(false) + || request_expired || ip.ip.to_string() != auth_request.request_ip || !auth_request.check_access_code(password) { |