author | BlackDex <[email protected]> | 2023-02-28 23:09:51 +0100 |
committer | BlackDex <[email protected]> | 2023-03-04 16:15:30 +0100 |
commit | de157b26543172fe48aa44af578e229b1db65475 (patch) | |
tree | 0344a62b1cee699842c02195840aaebed966f51f /src/static | |
parent | 337cbfaf22ee28316ea09e859be0527416fe7da5 (diff) | |
download | vaultwarden-de157b26543172fe48aa44af578e229b1db65475.tar.gz vaultwarden-de157b26543172fe48aa44af578e229b1db65475.zip |
Admin token Argon2 hashing support
Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.
The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.
You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.
Added a warning during startup and within the admin settings panel if
the `ADMIN_TOKEN` is not an Argon2 hash.
Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has been converted to an Argon2 hash.
I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.
Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.
Diffstat (limited to 'src/static')
-rw-r--r-- | src/static/scripts/admin_settings.js | 37 | ||||
-rw-r--r-- | src/static/templates/admin/settings.hbs | 6 |
2 files changed, 43 insertions, 0 deletions
diff --git a/src/static/scripts/admin_settings.js b/src/static/scripts/admin_settings.js
index 2e36795f..06f15e0a 100644
--- a/src/static/scripts/admin_settings.js
+++ b/src/static/scripts/admin_settings.js
@@ -157,6 +157,41 @@ function masterCheck(check_id, inputs_query) {
 }
 }
 
+// This will check if the ADMIN_TOKEN is not a Argon2 hashed value.
+// Else it will show a warning, unless someone has closed it.
+// Then it will not show this warning for 30 days.
+function checkAdminToken() {
+ const admin_token = document.getElementById("input_admin_token");
+ const disable_admin_token = document.getElementById("input_disable_admin_token");
+ if (!disable_admin_token.checked && !admin_token.value.startsWith("$argon2")) {
+ // Check if the warning has been closed before and 30 days have passed
+ const admin_token_warning_closed = localStorage.getItem("admin_token_warning_closed");
+ if (admin_token_warning_closed !== null) {
+ const closed_date = new Date(parseInt(admin_token_warning_closed));
+ const current_date = new Date();
+ const thirtyDays = 1000*60*60*24*30;
+ if (current_date - closed_date < thirtyDays) {
+ return;
+ }
+ }
+
+ // When closing the alert, store the current date/time in the browser
+ const admin_token_warning = document.getElementById("admin_token_warning");
+ admin_token_warning.addEventListener("closed.bs.alert", function() {
+ const d = new Date();
+ localStorage.setItem("admin_token_warning_closed", d.getTime());
+ });
+
+ // Display the warning
+ admin_token_warning.classList.remove("d-none");
+ }
+}
+
+// This will check for specific configured values, and when needed will show a warning div
+function showWarnings() {
+ checkAdminToken();
+}
+
 const config_form = document.getElementById("config-form");
 
 // onLoad events
@@ -192,4 +227,6 @@ document.addEventListener("DOMContentLoaded", (/*event*/) => {
 }
 
 config_form.addEventListener("submit", saveConfig);
+
+ showWarnings();
 });
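Review bot: In checkAdminToken the stored timestamp is read with `parseInt(admin_token_warning_closed)` and no radix, and a non-numeric or tampered localStorage value turns into an `Invalid Date`, so `current_date - closed_date < thirtyDays` is `NaN < thirtyDays`, which is false and re-shows the warning; that happens to fail safe, but only by accident, so make it explicit and drop the Date round-trip: `const closed_at = Number.parseInt(admin_token_warning_closed, 10);` followed by `if (Number.isFinite(closed_at) && Date.now() - closed_at < thirtyDays) { return; }`. The `startsWith("$argon2")` test only distinguishes a PHC-looking prefix from plain text in the browser; it deserves a comment such as `// UI hint only: mirrors the server-side startup warning, does not validate the hash` so nobody later treats it as enforcement. Both `getElementById` results are dereferenced without a null check, so if the template ever omits `input_admin_token` or `input_disable_admin_token` the DOMContentLoaded handler in the second hunk throws inside `showWarnings()` (after the submit listener is attached, so the form still saves but the failure is silent); an early `if (!admin_token || !disable_admin_token) return;` would make that explicit.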
\ No newline at end of file
diff --git a/src/static/templates/admin/settings.hbs b/src/static/templates/admin/settings.hbs
index 50cd1a75..b8ee5f4b 100644
--- a/src/static/templates/admin/settings.hbs
+++ b/src/static/templates/admin/settings.hbs
@@ -1,4 +1,10 @@
 <main class="container-xl">
+ <div id="admin_token_warning" class="alert alert-warning alert-dismissible fade show d-none">
+ <button type="button" class="btn-close" data-bs-target="admin_token_warning" data-bs-dismiss="alert" aria-label="Close"></button>
+ You are using a plain text `ADMIN_TOKEN` which is insecure.<br>
+ Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.<br>
+ See: <a href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token" target="_blank" rel="noopener noreferrer">Enabling admin page - Secure the `ADMIN_TOKEN`</a>
+ </div>
 <div id="config-block" class="align-items-center p-3 mb-3 bg-secondary rounded shadow">
 <div>
 <h6 class="text-white mb-3">Configuration</h6> |
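Review bot: `data-bs-target="admin_token_warning"` on the close button is not a CSS selector; as far as I recall, Bootstrap 5's dismiss trigger resolves `data-bs-target` with `querySelector`, finds nothing for that value and only then falls back to the closest `.alert`, so the button works through the fallback rather than by intent. Either write it in selector form, `data-bs-target="#admin_token_warning"`, or drop the attribute, since `data-bs-dismiss="alert"` on a button inside the alert already targets this element. The backticks around `ADMIN_TOKEN`, `vaultwarden hash` and `argon2` render literally in HTML; `<code>ADMIN_TOKEN</code>` would present them as intended.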