path: root/src/api/mod.rs
Age | Commit message | Author
2024-07-12 | Improved HTTP client (#4740) | Daniel García
* Improved HTTP client
* Change config compat to use auto, rename blacklist
* Fix wrong doc references
2024-06-23 | Change API and structs to camelCase (#4386) | Daniel García
* Change API inputs/outputs and structs to camelCase
* Fix fields and password history
* Use convert_json_key_lcase_first
* Make sends lowercase
* Update admin and templates
* Update org revoke
* Fix sends expecting size to be a string on mobile
* Convert two-factor providers to string
2024-04-27 | Implement custom DNS resolver (#3988) | Daniel García
2024-03-17 | Remove custom WebSocket code (#4001) | Mathijs van Veluw
* Remove custom WebSocket code
Remove our custom WebSocket code and only use the Rocket code.
Removed all options in regards to WebSockets
Added a new option `WEBSOCKET_DISABLED` which defaults to `false`.
This can be used to disable WebSockets if you really do not want to use it.
* Addressed remarks given and some updates
- Addressed comments given during review
- Updated crates, including Rocket to the latest merged v0.5 changes
- Removed an extra header which should not be sent for websocket connections
* Updated suggestions and crates
- Addressed the suggestions
- Updated Rocket to latest rc4
  Also made the needed code changes
- Updated all other crates
  Pinned `openssl` and `openssl-sys`
---------
Co-authored-by: Daniel García <[email protected]>
2024-01-27 | Improve file limit handling (#4242) | Daniel García
* Improve file limit handling
* Oops
* Update PostgreSQL migration
* Review comments
---------
Co-authored-by: BlackDex <[email protected]>
2023-11-12 | Add Protected Actions Check (#4067) | Mathijs van Veluw
Since the feature `Login with device` some actions done via the web-vault need to be verified via an OTP instead of providing the MasterPassword. This only happens if a user used the `Login with device` on a device which uses either Biometrics login or PIN. These actions prevent the authorizing device from sending the MasterPasswordHash. When this happens, the web-vault requests an OTP to be filled-in and this OTP is sent to the user's email address which is the same as the email address to login. The only way to bypass this is by logging in with your password; in those cases a password is requested instead of an OTP. In case SMTP is not enabled, it will show an error message telling the user to log in using their password.
Fixes #4042
2023-08-13 | Implement login-with-device | Bernd Schoolmann
2023-06-11 | feat: Push Notifications | GeekCornerGH
Co-authored-by: samb-devel <[email protected]>
Co-authored-by: Zoruk <[email protected]>
2022-12-01 | Add Organizational event logging feature | BlackDex
This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2022-11-28 | redirect to admin login page when forward fails | Stefan Melmuk
currently, if the admin guard fails the user will get a 404 page. and when the session times out after 20 minutes post methods will give the reason "undefined" as a response while generating the support string will fail without any user feedback.
this commit changes the error handling on admin pages
* by removing the reliance on Rocket's forwarding and making the login page an explicit route that can be redirected to from all admin pages
* by removing the obsolete and mostly unused Referer struct we can redirect the user back to the requested admin page directly
* by providing an error message for json requests the `get_diagnostics_config` and all post methods can return a more comprehensible message and the user can be alerted
* the `admin_url()` function can be simplified because rfc2616 has been obsoleted by rfc7231 in 2014 (and also by the recently released rfc9110) which allows relative urls in the Location header.
  c.f. https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2 and https://www.rfc-editor.org/rfc/rfc9110#section-10.2.2
2022-10-20 | group support | MFijak
2022-10-15 | use static_files() for email attachments | Stefan Melmuk
Apply suggestions from code review
Co-authored-by: Mathijs van Veluw <[email protected]>
2022-09-25 | add api_not_found catcher for 404 errors in /api | Stefan Melmuk
2022-09-25 | add not_found catcher for 404 errors | Stefan Melmuk
2022-02-27 | Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking | Daniel García
2021-10-28 | Add email notifications for incomplete 2FA logins | Jeremy Lin
An incomplete 2FA login is one where the correct master password was provided, but the 2FA token or action required to complete the login was not provided within the configured time limit. This potentially indicates that the user's master password has been compromised, but the login was blocked by 2FA. Be aware that the 2FA step can usually still be completed after the email notification has already been sent out, which could be confusing. Therefore, the incomplete 2FA time limit should be long enough that this situation would be unlikely. This feature can also be disabled entirely if desired.
2021-09-17 | Add Emergency contact feature | thelittlefireman
Signed-off-by: thelittlefireman <[email protected]>
2021-06-19 | Fix clippy lints | Daniel García
2021-06-16 | Support for webauthn and u2f->webauthn migrations | Daniel García
2021-04-06 | Merge remote-tracking branch 'origin/master' into fmt | Jake Howard
2021-04-06 | Modify rustfmt file | Jake Howard
2021-04-05 | Add support for auto-deleting trashed items | Jeremy Lin
Upstream will soon auto-delete trashed items after 30 days, but some people use the trash as an archive folder, so to avoid unexpected data loss, this implementation requires the user to explicitly enable auto-deletion.
2021-04-05 | Add a generic job scheduler | Jeremy Lin
Also rewrite deletion of old sends using the job scheduler.
2021-03-22 | Send deletion thread and updated users revision | Daniel García
2020-07-14 | Removed try_trait and some formatting, particularly around imports | Daniel García
2020-05-03 | Remove unused dependency and simple feature, update dependencies and fix some clippy lints | Daniel García
2019-02-16 | Implemented multiple U2f keys, key names, and compromised checks | Daniel García
2019-01-25 | Fix editing users from collections menu | Daniel García
2018-12-30 | Start using rustfmt and some style changes to make some lines shorter | Daniel García
2018-12-30 | Implemented proper error handling, now we can do `user.save($conn)?;` and it works. In the future, maybe we can do the same with the `find_by_id` methods that return an Option. | Daniel García
2018-12-30 | Initial version of admin panel, list users and reload user list works. No serious auth method yet, password is 'token123' | Daniel García
2018-12-07 | Migrate to rust 2018 edition | Daniel García
2018-11-01 | Updated bw_rs to Rocket version 0.4-rc1 | Daniel García
2018-08-30 | Initial version of websockets notification support. | Daniel García
For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config:
```
localhost {
    # The negotiation endpoint is also proxied to Rocket
    proxy /notifications/hub/negotiate 0.0.0.0:8000 {
        transparent
    }

    # Notifications redirected to the websockets server
    proxy /notifications/hub 0.0.0.0:3012 {
        websocket
    }

    # Proxy the Root directory to Rocket
    proxy / 0.0.0.0:8000 {
        transparent
    }
}
```
This exposes the service in port 2015.
2018-08-24 | Implemented basic support for prelogin and notification negotiation | Daniel García
2018-07-13 | Ignore U2F challenge if not provided. Also checked that error_code has to be 0 for a successful registration | Daniel García
2018-07-12 | Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device. | Daniel García
2018-06-11 | Some style changes, removed useless matches and formats | Daniel García
2018-06-01 | Make sure the inputs are always in the same case (PascalCase, which is what upstream seems to prefer most of the time) | Daniel García
2018-05-26 | Make sure TOTP codes can be both Numbers or Strings, fixes #30 | Daniel García
2018-05-04 | Implemented some admin methods, inserted CollectionsUsers only when Org accessAll == false, and implemented find_collection when user has access_all in Org | Daniel García
2018-02-23 | Fixed cipher import, created missing data structs instead of using generic Value, and fixed some warnings | Daniel García
2018-02-17 | Detect device type correctly and shorten return types of functions | Daniel García
2018-02-10 | First working version | Daniel García