Commit Graph

1742 Commits

Author SHA1 Message Date
Jeremy Lin b7eedbcddc Add config option to set the HTTP redirect code for external icons
The default code is 307 (temporary) to make it easier to test different icon
services, but once a service has been decided on, users should ideally switch
to using permanent redirects for cacheability.
2021-12-30 23:06:52 -08:00
Daniel García 920371929b
Merge pull request #2182 from RealOrangeOne/cache-expires-header
Set `Expires` header when caching responses
2021-12-30 01:38:39 +01:00
Jake Howard 6ddbe84bde
Remove unnecessary return 2021-12-29 16:29:42 +00:00
Jake Howard 690d0ed1bb
Add our own HTTP date formatter 2021-12-29 16:21:28 +00:00
Jake Howard 248e7dabc2
Collapse field name definition
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2021-12-28 21:54:09 +00:00
Jake Howard 4584cfe3c1
Additionally set expires header when caching responses
Browsers are rather smart, but also dumb. This uses the `Expires` header
alongside `cache-control` to better prompt the browser to actually
cache.

Unfortunately, firefox still tries to "race" its own cache, in an
attempt to respond to requests faster, so still ends up making a bunch
of requests which could have been cached. Doesn't appear there's any way
around this.
2021-12-28 16:24:47 +00:00
Daniel García cc646b1519
Merge branch 'BlackDex-multi-db-dockers' into main 2021-12-27 21:55:36 +01:00
Daniel García e501dc6d0e
Merge branch 'multi-db-dockers' of https://github.com/BlackDex/vaultwarden into BlackDex-multi-db-dockers 2021-12-27 21:55:28 +01:00
Daniel García 85ac9783f0
Merge branch 'ratelimit' into main 2021-12-27 21:55:15 +01:00
BlackDex 5b430f22bc
Support all DB's for Alpine and Debian
- Using my own rust-musl build containers we now support all database
types for both Debian and Alpine.
- Added new Alpine containers for armv6 and arm64/aarch64
- The Debian builds can also be done wihout dpkg magic stuff, probably
some fixes in Rust regarding linking (Or maybe OpenSSL or Diesel), in
any case, it works now without hacking dpkg and apt.
- Updated toolchain and crates
2021-12-26 21:59:28 +01:00
Daniel García d4eb21c2d9
Better document the new rate limiting 2021-12-25 01:12:09 +01:00
Daniel García 6bf8a9d93d
Merge pull request #2171 from jjlin/global-domains
Sync global_domains.json
2021-12-25 00:55:50 +01:00
Jeremy Lin 605419ae1b Sync global_domains.json to bitwarden/server@5a8f334 (TransferWise) 2021-12-24 13:25:16 -08:00
Daniel García b89ffb2731
Merge pull request #2170 from BlackDex/issue-2136
Small changes to icon log messages.
2021-12-24 20:40:30 +01:00
Daniel García bda123b1eb
Merge pull request #2169 from BlackDex/issue-2151
Fixed #2151
2021-12-24 20:40:07 +01:00
BlackDex 2c94ea075c
Small changes to icon log messages.
As requested in #2136, some small changes on the type of log messages
and wording used.

Resolves #2136
2021-12-24 18:24:25 +01:00
BlackDex 4bd8eae07e
Fixed #2151 2021-12-24 17:59:12 +01:00
Daniel García 5529264c3f
Basic ratelimit for user login (including 2FA) and admin login 2021-12-22 21:48:49 +01:00
Daniel García 0a5df06e77
Merge pull request #2158 from jjlin/icons
Add support for external icon services
2021-12-22 15:46:30 +01:00
Jeremy Lin 2f9ac61a4e Add support for external icon services
If an external icon service is configured, icon requests return an HTTP
redirect to the corresponding icon at the external service.

An external service may be useful for various reasons, such as if:

* The Vaultwarden instance has no external network connectivity.
* The Vaultwarden instance has trouble handling large bursts of icon requests.
* There are concerns that an attacker may probe the instance to try to detect
  whether icons for certain sites have been cached, which would suggest that
  the instance contains entries for those sites.
* The external icon service does a better job of providing icons than the
  built-in fetcher.
2021-12-20 01:34:31 -08:00
Daniel García 840cf8740a
Merge pull request #2156 from jjlin/global-domains
Sync global_domains.json
2021-12-19 17:39:45 +01:00
Jeremy Lin d8869adf52 Sync global_domains.json to bitwarden/server@224bfb6 (Wells Fargo) 2021-12-18 16:19:05 -08:00
Jeremy Lin a631fc0077 Sync global_domains.json to bitwarden/server@2f518fb (Ubisoft) 2021-12-18 16:19:05 -08:00
Daniel García 9e4d372213
Update web vault to 2.25.0 2021-12-13 00:02:13 +01:00
Daniel García d0bf0ab237
Merge pull request #2125 from BlackDex/trust-dns
Enabled trust-dns and some updates.
2021-12-08 00:26:31 +01:00
BlackDex e327583aa5
Enabled trust-dns and some updates.
- Enabled trust-dns feature which seems to help a bit when DNS is
causing long timeouts. Though in the blocking version it is less visible
then on the async branch.
- Updated crates
- Removed some redundant code
- Updated javascript/css libraries

Resolves #2118
Resolves #2119
2021-12-01 19:01:55 +01:00
Daniel García ead2f02cbd
Merge pull request #2084 from BlackDex/minimize-macro-recursion
Macro recursion decrease and other optimizations
2021-11-06 22:00:37 +01:00
BlackDex c453528dc1
Macro recursion decrease and other optimizations
- Decreased `recursion_limit` from 512 to 87
  Mainly done by optimizing the config macro's.
  This fixes an issue with the rust-analyzer which doesn't go beyond 128
- Removed Regex for masking sensitive values and replaced it with a map()
  This is much faster then using a Regex.
- Refactored the get_support_json macro's
- All items above also lowered the binary size and possibly compile-time
- Removed `_conn: DbConn` from several functions, these caused unnecessary database connections for functions who didn't used that at all
- Decreased json response for `/plans`
- Updated libraries and where needed some code changes
  This also fixes some rare issues with SMTP https://github.com/lettre/lettre/issues/678
- Using Rust 2021 instead of 2018
- Updated rust nightly
2021-11-06 17:44:53 +01:00
Daniel García 6ae48aa8c2
Merge pull request #2080 from jjlin/fix-postgres-migration
Fix PostgreSQL migration
2021-11-01 14:33:47 +01:00
Daniel García 88643fd9d5
Merge pull request #2078 from jjlin/fix-ea-reject
Fix missing encrypted key after emergency access reject
2021-11-01 14:33:39 +01:00
Daniel García 73e0002219
Merge pull request #2073 from jjlin/fix-access-logic
Fix conflict resolution logic for `read_only` and `hide_passwords` flags
2021-11-01 14:33:29 +01:00
Jeremy Lin c49ee47de0 Fix PostgreSQL migration
The PostgreSQL migration should have used `TIMESTAMP` rather than `DATETIME`.
2021-10-31 17:50:00 -07:00
Jeremy Lin 14408396bb Fix missing encrypted key after emergency access reject
Rejecting an emergency access request should transition the grantor/grantee
relationship back into the `Confirmed` state, and the grantor's encrypted key
should remain in escrow rather than being cleared, or else future emergency
access requsts from that grantee will fail.
2021-10-31 02:14:18 -07:00
Jeremy Lin 6cbb724069 Fix conflict resolution logic for `read_only` and `hide_passwords` flags
For one of these flags to be in effect for a cipher, upstream requires all of
(rather than any of) the collections the cipher is in to have that flag set.

Also, some of the logic for loading access restrictions was wrong. I think
that only malicious clients that also had knowledge of the UUIDs of ciphers
they didn't have access to would have been able to take advantage of that.
2021-10-29 13:47:56 -07:00
Daniel García a2316ca091
Merge pull request #2067 from jjlin/incomplete-2fa
Add email notifications for incomplete 2FA logins
2021-10-28 18:00:03 +02:00
Jeremy Lin c476e19796 Add email notifications for incomplete 2FA logins
An incomplete 2FA login is one where the correct master password was provided,
but the 2FA token or action required to complete the login was not provided
within the configured time limit. This potentially indicates that the user's
master password has been compromised, but the login was blocked by 2FA.

Be aware that the 2FA step can usually still be completed after the email
notification has already been sent out, which could be confusing. Therefore,
the incomplete 2FA time limit should be long enough that this situation would
be unlikely. This feature can also be disabled entirely if desired.
2021-10-28 00:19:43 -07:00
Daniel García 9f393cfd9d
Formatting 2021-10-27 23:00:26 +02:00
Daniel García 450c4d4d97
Update web vault to 2.24.1 2021-10-27 22:46:12 +02:00
Daniel García 75e62abed0
Move database_max_conns 2021-10-24 22:22:28 +02:00
Daniel García 97f9eb1320
Update dependencies 2021-10-24 21:50:26 +02:00
Daniel García 53cc8a65af
Add doc comments to the functions in Config, and remove some unneeded pubs 2021-10-23 20:47:05 +02:00
Daniel García f94ac6ca61
Merge pull request #2044 from jjlin/emergency-access-cleanup
Emergency Access cleanup
2021-10-19 20:14:29 +02:00
Jeremy Lin cee3fd5ba2 Emergency Access cleanup
This commit contains mostly superficial user-facing cleanup, to be followed up
with more extensive cleanup and fixes in the API implementation.
2021-10-19 02:22:44 -07:00
Daniel García 016fe2269e
Update dependencies 2021-10-18 22:14:29 +02:00
Daniel García 03c0a5e405
Update web vault image to v2.23.0c 2021-10-18 22:06:35 +02:00
Daniel García cbbed79036
Merge branch 'domdomegg-domdomegg/2fa-check-accepted' into main 2021-10-18 21:13:57 +02:00
Daniel García 4af81ec50e
Merge branch 'domdomegg/2fa-check-accepted' of https://github.com/domdomegg/vaultwarden into domdomegg-domdomegg/2fa-check-accepted 2021-10-18 21:13:50 +02:00
Daniel García a5ba67fef2
Merge branch 'BlackDex-alive-db-check' into main 2021-10-18 21:13:29 +02:00
Adam Jones 4cebe1fff4
cargo fmt 2021-10-09 15:42:06 +01:00
Adam Jones a984dbbdf3
2FA org policy: do not enforce on invited (not accepted) users 2021-10-09 13:54:30 +01:00