aboutsummaryrefslogtreecommitdiff
path: root/src/main.rs
diff options
context:
space:
mode:
author0x0fbc <[email protected]>2024-07-24 09:50:35 -0500
committerGitHub <[email protected]>2024-07-24 16:50:35 +0200
commitb4b2701905752f90080dd46ba10a90c5c584a38e (patch)
tree5e24bde1efd339e8401451e49a945319238be60b /src/main.rs
parentde66e56b6c951192bcb47987b34ac21e2bcea43a (diff)
downloadvaultwarden-b4b2701905752f90080dd46ba10a90c5c584a38e.tar.gz
vaultwarden-b4b2701905752f90080dd46ba10a90c5c584a38e.zip
Add support for MFA with Duo's Universal Prompt (#4637)
* Add initial working Duo Universal Prompt support. * Add db schema and models for Duo 2FA state storage * store duo states in the database and validate during authentication * cleanup & comments * bump state/nonce length * replace stray use of TimeDelta * more cleanup * bind Duo oauth flow to device id, drop redundant device type handling * drop redundant alphanum string generation code * error handling cleanup * directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances * remove redundant explicit returns, rustfmt * rearrange constants, update comments, error message * override charset on duo state column to ascii for mysql * Reduce twofactor_duo_ctx state/nonce column size in postgres and maria * Add fixes suggested by clippy * rustfmt * Update to use the make_http_request * Don't handle OrganizationDuo * move Duo API endpoint fmt strings out of macros and into format! calls * Add missing indentation Co-authored-by: Daniel García <[email protected]> * remove redundant expiry check when purging Duo contexts --------- Co-authored-by: BlackDex <[email protected]> Co-authored-by: Daniel García <[email protected]>
Diffstat (limited to 'src/main.rs')
-rw-r--r--src/main.rs8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/main.rs b/src/main.rs
index ca39c502..9f96dc60 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -53,6 +53,7 @@ mod mail;
mod ratelimit;
mod util;
+use crate::api::core::two_factor::duo_oidc::purge_duo_contexts;
use crate::api::purge_auth_requests;
use crate::api::{WS_ANONYMOUS_SUBSCRIPTIONS, WS_USERS};
pub use config::CONFIG;
@@ -626,6 +627,13 @@ fn schedule_jobs(pool: db::DbPool) {
}));
}
+ // Clean unused, expired Duo authentication contexts.
+ if !CONFIG.duo_context_purge_schedule().is_empty() && CONFIG._enable_duo() && !CONFIG.duo_use_iframe() {
+ sched.add(Job::new(CONFIG.duo_context_purge_schedule().parse().unwrap(), || {
+ runtime.spawn(purge_duo_contexts(pool.clone()));
+ }));
+ }
+
// Cleanup the event table of records x days old.
if CONFIG.org_events_enabled()
&& !CONFIG.event_cleanup_schedule().is_empty()