Allow the Admin token to be disabled in the advanced menu
This commit is contained in:
parent
5ee04e31e5
commit
8b5b06c3d1
|
@ -69,6 +69,7 @@
|
||||||
## One option is to use 'openssl rand -base64 48'
|
## One option is to use 'openssl rand -base64 48'
|
||||||
## If not set, the admin panel is disabled
|
## If not set, the admin panel is disabled
|
||||||
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
|
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
|
||||||
|
# DISABLE_ADMIN_TOKEN=false
|
||||||
|
|
||||||
## Invitations org admins to invite users, even when signups are disabled
|
## Invitations org admins to invite users, even when signups are disabled
|
||||||
# INVITATIONS_ALLOWED=true
|
# INVITATIONS_ALLOWED=true
|
||||||
|
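Review bot: The new `# DISABLE_ADMIN_TOKEN=false` line is the only setting in this block without an explanatory `##` comment, and it is the one that removes authentication from the admin page entirely. The neighbouring `ADMIN_TOKEN` entry documents what happens when it is unset; this one should say what enabling it does, e.g. `## When set to true the admin page requires NO token at all; only enable this if another authentication layer in front of the server protects it`. The second hunk in this file is whitespace only.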
@ -110,4 +111,4 @@
|
||||||
# SMTP_PORT=587
|
# SMTP_PORT=587
|
||||||
# SMTP_SSL=true
|
# SMTP_SSL=true
|
||||||
# SMTP_USERNAME=username
|
# SMTP_USERNAME=username
|
||||||
# SMTP_PASSWORD=password
|
# SMTP_PASSWORD=password
|
||||||
|
|
|
@ -15,7 +15,7 @@ use crate::mail;
|
||||||
use crate::CONFIG;
|
use crate::CONFIG;
|
||||||
|
|
||||||
pub fn routes() -> Vec<Route> {
|
pub fn routes() -> Vec<Route> {
|
||||||
if CONFIG.admin_token().is_none() {
|
if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
|
||||||
return routes![admin_disabled];
|
return routes![admin_disabled];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
|
||||||
type Error = &'static str;
|
type Error = &'static str;
|
||||||
|
|
||||||
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
|
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
|
||||||
let mut cookies = request.cookies();
|
if CONFIG.disable_admin_token() {
|
||||||
|
Outcome::Success(AdminToken {})
|
||||||
let access_token = match cookies.get(COOKIE_NAME) {
|
|
||||||
Some(cookie) => cookie.value(),
|
|
||||||
None => return Outcome::Forward(()), // If there is no cookie, redirect to login
|
|
||||||
};
|
|
||||||
|
|
||||||
let ip = match request.guard::<ClientIp>() {
|
|
||||||
Outcome::Success(ip) => ip.ip,
|
|
||||||
_ => err_handler!("Error getting Client IP"),
|
|
||||||
};
|
|
||||||
|
|
||||||
if decode_admin(access_token).is_err() {
|
|
||||||
// Remove admin cookie
|
|
||||||
cookies.remove(Cookie::named(COOKIE_NAME));
|
|
||||||
error!("Invalid or expired admin JWT. IP: {}.", ip);
|
|
||||||
return Outcome::Forward(());
|
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
let mut cookies = request.cookies();
|
||||||
|
|
||||||
Outcome::Success(AdminToken {})
|
let access_token = match cookies.get(COOKIE_NAME) {
|
||||||
|
Some(cookie) => cookie.value(),
|
||||||
|
None => return Outcome::Forward(()), // If there is no cookie, redirect to login
|
||||||
|
};
|
||||||
|
|
||||||
|
let ip = match request.guard::<ClientIp>() {
|
||||||
|
Outcome::Success(ip) => ip.ip,
|
||||||
|
_ => err_handler!("Error getting Client IP"),
|
||||||
|
};
|
||||||
|
|
||||||
|
if decode_admin(access_token).is_err() {
|
||||||
|
// Remove admin cookie
|
||||||
|
cookies.remove(Cookie::named(COOKIE_NAME));
|
||||||
|
error!("Invalid or expired admin JWT. IP: {}.", ip);
|
||||||
|
return Outcome::Forward(());
|
||||||
|
}
|
||||||
|
|
||||||
|
Outcome::Success(AdminToken {})
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
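Review bot: With `disable_admin_token` set, the new branch at the top of `from_request` returns `Outcome::Success(AdminToken {})` for every request without touching the cookie or the client IP, so nothing is logged when the admin page is served unauthenticated and a deployment whose front-end auth is missing or misrouted exposes it silently. A one-line comment on the branch, `// Admin auth is delegated to whatever sits in front of the server; every request is accepted here`, plus a `warn!` at startup when the option is on (the file already uses the `error!` log macro, so `warn!` is presumably available) would make that state visible. As a matter of style, an early `return Outcome::Success(AdminToken {});` would avoid re-indenting the whole original body inside `else`, which is most of what this hunk changes. The same bypass also affects the `routes()` hunk above, which now mounts the admin routes even when no `ADMIN_TOKEN` is configured.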
@ -256,6 +256,9 @@ make_config! {
|
||||||
|
|
||||||
/// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
|
/// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
|
||||||
enable_db_wal: bool, false, def, true;
|
enable_db_wal: bool, false, def, true;
|
||||||
|
|
||||||
|
/// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
|
||||||
|
disable_admin_token: bool, true, def, false;
|
||||||
},
|
},
|
||||||
|
|
||||||
/// Yubikey settings
|
/// Yubikey settings
|
||||||
|
|
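Review bot: The doc comment on `disable_admin_token` says "Know the risks!" but does not state the risk: with this on, every request to the admin page is accepted as an administrator. Suggested wording: `/// Disable Admin Token (Know the risks!) |> Skips the admin token check entirely, so every request to the admin page is treated as authenticated; only enable it when a proxy in front of the server enforces its own authentication for that path`. The second macro field is `true` here while `enable_db_wal` uses `false`; if that field is the "editable from the admin page" flag, it lets an authenticated admin switch off admin authentication from the panel itself, and once persisted that way it survives later changes to `ADMIN_TOKEN`, so it is worth confirming that this is intended rather than restricting the option to the environment or config file.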