aboutsummaryrefslogtreecommitdiff
path: root/src/api/core/ciphers.rs
diff options
context:
space:
mode:
authorMathijs van Veluw <[email protected]>2023-11-12 22:15:44 +0100
committerGitHub <[email protected]>2023-11-12 22:15:44 +0100
commitf863ffb89a0f2a0a682c67110af32c731b5b9fcb (patch)
tree81627867c69a41640985ec71c2a4464f8d197e4a /src/api/core/ciphers.rs
parent03c6ed2e07a187bc70c8aa348546f25594cd38bd (diff)
downloadvaultwarden-f863ffb89a0f2a0a682c67110af32c731b5b9fcb.tar.gz
vaultwarden-f863ffb89a0f2a0a682c67110af32c731b5b9fcb.zip
Add Protected Actions Check (#4067)
Since the feature `Login with device` some actions done via the web-vault need to be verified via an OTP instead of providing the MasterPassword. This only happens if a user used the `Login with device` on a device which uses either Biometrics login or PIN. These actions prevent the athorizing device to send the MasterPasswordHash. When this happens, the web-vault requests an OTP to be filled-in and this OTP is send to the users email address which is the same as the email address to login. The only way to bypass this is by logging in with the your password, in those cases a password is requested instead of an OTP. In case SMTP is not enabled, it will show an error message telling to user to login using there password. Fixes #4042
Diffstat (limited to 'src/api/core/ciphers.rs')
-rw-r--r--src/api/core/ciphers.rs12
1 files changed, 4 insertions, 8 deletions
diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index dc3f4dc7..2489337e 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -10,7 +10,7 @@ use rocket::{
use serde_json::Value;
use crate::{
- api::{self, core::log_event, EmptyResult, JsonResult, JsonUpcase, Notify, PasswordData, UpdateType},
+ api::{self, core::log_event, EmptyResult, JsonResult, JsonUpcase, Notify, PasswordOrOtpData, UpdateType},
auth::Headers,
crypto,
db::{models::*, DbConn, DbPool},
@@ -1457,19 +1457,15 @@ struct OrganizationId {
#[post("/ciphers/purge?<organization..>", data = "<data>")]
async fn delete_all(
organization: Option<OrganizationId>,
- data: JsonUpcase<PasswordData>,
+ data: JsonUpcase<PasswordOrOtpData>,
headers: Headers,
mut conn: DbConn,
nt: Notify<'_>,
) -> EmptyResult {
- let data: PasswordData = data.into_inner().data;
- let password_hash = data.MasterPasswordHash;
-
+ let data: PasswordOrOtpData = data.into_inner().data;
let mut user = headers.user;
- if !user.check_valid_password(&password_hash) {
- err!("Invalid password")
- }
+ data.validate(&user, true, &mut conn).await?;
match organization {
Some(org_data) => {