Added web-vault v2.21.x support + some misc fixes

- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.

- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.

Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.

During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.

- Increased Send Size limit to 500MB (with a litle overhead)

As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.

src/api/core/accounts.rs

@@ -231,7 +231,10 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
         err!("Invalid password")
     }
 
-    user.set_password(&data.NewMasterPasswordHash, Some("post_rotatekey"));
+    user.set_password(
+        &data.NewMasterPasswordHash,
+        Some(vec![String::from("post_rotatekey"), String::from("get_contacts")]),
+    );
     user.akey = data.Key;
     user.save(&conn)
 }
@@ -320,7 +323,9 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt:
             err!("The cipher is not owned by the user")
         }
 
-        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::CipherUpdate)?
+        // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
+        // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
+        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::None)?
     }
 
     // Update user data
@@ -329,7 +334,6 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt:
     user.akey = data.Key;
     user.private_key = Some(data.PrivateKey);
     user.reset_security_stamp();
-    user.reset_stamp_exception();
 
     user.save(&conn)
 }

src/api/core/emergency_access.rs

@@ -0,0 +1,24 @@
+use rocket::Route;
+use rocket_contrib::json::Json;
+
+use crate::{api::JsonResult, auth::Headers, db::DbConn};
+
+pub fn routes() -> Vec<Route> {
+    routes![get_contacts,]
+}
+
+/// This endpoint is expected to return at least something.
+/// If we return an error message that will trigger error toasts for the user.
+/// To prevent this we just return an empty json result with no Data.
+/// When this feature is going to be implemented it also needs to return this empty Data
+/// instead of throwing an error/4XX unless it really is an error.
+#[get("/emergency-access/trusted")]
+fn get_contacts(_headers: Headers, _conn: DbConn) -> JsonResult {
+    debug!("Emergency access is not supported.");
+
+    Ok(Json(json!({
+      "Data": [],
+      "Object": "list",
+      "ContinuationToken": null
+    })))
+}

src/api/core/mod.rs

@@ -1,5 +1,6 @@
 mod accounts;
 mod ciphers;
+mod emergency_access;
 mod folders;
 mod organizations;
 mod sends;
@@ -15,6 +16,7 @@ pub fn routes() -> Vec<Route> {
     let mut routes = Vec::new();
     routes.append(&mut accounts::routes());
     routes.append(&mut ciphers::routes());
+    routes.append(&mut emergency_access::routes());
     routes.append(&mut folders::routes());
     routes.append(&mut organizations::routes());
     routes.append(&mut two_factor::routes());

src/api/core/organizations.rs

@@ -51,6 +51,7 @@ pub fn routes() -> Vec<Route> {
         get_plans,
         get_plans_tax_rates,
         import,
+        post_org_keys,
     ]
 }
 
@@ -61,6 +62,7 @@ struct OrgData {
     CollectionName: String,
     Key: String,
     Name: String,
+    Keys: Option<OrgKeyData>,
     #[serde(rename = "PlanType")]
     _PlanType: NumberOrString, // Ignored, always use the same plan
 }
@@ -78,6 +80,13 @@ struct NewCollectionData {
     Name: String,
 }
 
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct OrgKeyData {
+    EncryptedPrivateKey: String,
+    PublicKey: String,
+}
+
 #[post("/organizations", data = "<data>")]
 fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn) -> JsonResult {
     if !CONFIG.is_org_creation_allowed(&headers.user.email) {
@@ -85,8 +94,14 @@ fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn
     }
 
     let data: OrgData = data.into_inner().data;
+    let (private_key, public_key) = if data.Keys.is_some() {
+        let keys: OrgKeyData = data.Keys.unwrap();
+        (Some(keys.EncryptedPrivateKey), Some(keys.PublicKey))
+    } else {
+        (None, None)
+    };
 
-    let org = Organization::new(data.Name, data.BillingEmail);
+    let org = Organization::new(data.Name, data.BillingEmail, private_key, public_key);
     let mut user_org = UserOrganization::new(headers.user.uuid, org.uuid.clone());
     let collection = Collection::new(org.uuid.clone(), data.CollectionName);
 
@@ -468,6 +483,32 @@ fn get_org_users(org_id: String, _headers: ManagerHeadersLoose, conn: DbConn) ->
     }))
 }
 
+#[post("/organizations/<org_id>/keys", data = "<data>")]
+fn post_org_keys(org_id: String, data: JsonUpcase<OrgKeyData>, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let data: OrgKeyData = data.into_inner().data;
+
+    let mut org = match Organization::find_by_uuid(&org_id, &conn) {
+        Some(organization) => {
+            if organization.private_key.is_some() && organization.public_key.is_some() {
+                err!("Organization Keys already exist")
+            }
+            organization
+        }
+        None => err!("Can't find organization details"),
+    };
+
+    org.private_key = Some(data.EncryptedPrivateKey);
+    org.public_key = Some(data.PublicKey);
+
+    org.save(&conn)?;
+
+    Ok(Json(json!({
+        "Object": "organizationKeys",
+        "PublicKey": org.public_key,
+        "PrivateKey": org.private_key,
+    })))
+}
+
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct CollectionData {

src/api/core/sends.rs

@@ -165,8 +165,8 @@ fn post_send_file(data: Data, content_type: &ContentType, headers: Headers, conn
     let data = serde_json::from_str::<crate::util::UpCase<SendData>>(&buf)?;
     enforce_disable_hide_email_policy(&data.data, &headers, &conn)?;
 
-    // Get the file length and add an extra 10% to avoid issues
-    const SIZE_110_MB: u64 = 115_343_360;
+    // Get the file length and add an extra 5% to avoid issues
+    const SIZE_525_MB: u64 = 550_502_400;
 
     let size_limit = match CONFIG.user_attachment_limit() {
         Some(0) => err!("File uploads are disabled"),
@@ -175,9 +175,9 @@ fn post_send_file(data: Data, content_type: &ContentType, headers: Headers, conn
             if left <= 0 {
                 err!("Attachment size limit reached! Delete some files to open space")
             }
-            std::cmp::Ord::max(left as u64, SIZE_110_MB)
+            std::cmp::Ord::max(left as u64, SIZE_525_MB)
         }
-        None => SIZE_110_MB,
+        None => SIZE_525_MB,
     };
 
     // Create the Send