Merge remote-tracking branch 'upstream/master' into email-codes

2025-06-12 21:27:37 +02:00 · 2019-08-26 21:38:45 +02:00
parent c99df1c310 026f9da035
commit 5d50b1ee3c
12 changed files with 273 additions and 211 deletions
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -28,6 +28,7 @@ pub fn routes() -> Vec<Route> {
        invite_user,
        delete_user,
        deauth_user,
+        remove_2fa,
        update_revision_users,
        post_config,
        delete_config,
@ -196,6 +197,18 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
    user.save(&conn)
 }

+#[post("/users/<uuid>/remove-2fa")]
+fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
+    user.totp_recover = None;
+    user.save(&conn)
+}
+
 #[post("/users/update_revision")]
 fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
    User::update_all_revisions(&conn)
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -132,18 +132,33 @@ fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbC

 #[get("/hibp/breach?<username>")]
 fn hibp_breach(username: String) -> JsonResult {
-    let url = format!("https://haveibeenpwned.com/api/v2/breachedaccount/{}", username);
    let user_agent = "Bitwarden_RS";
+    let url = format!(
+        "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",
+        username
+    );

    use reqwest::{header::USER_AGENT, Client};

-    let res = Client::new().get(&url).header(USER_AGENT, user_agent).send()?;
+    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+        let res = Client::new()
+            .get(&url)
+            .header(USER_AGENT, user_agent)
+            .header("hibp-api-key", api_key)
+            .send()?;

-    // If we get a 404, return a 404, it means no breached accounts
-    if res.status() == 404 {
-        return Err(Error::empty().with_code(404));
+        // If we get a 404, return a 404, it means no breached accounts
+        if res.status() == 404 {
+            return Err(Error::empty().with_code(404));
+        }
+
+        let value: Value = res.error_for_status()?.json()?;
+        Ok(Json(value))
+    } else {
+        Ok(Json(json!([{
+            "title": "--- Error! ---",
+            "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
+            "logopath": "/bwrs_images/error-x.svg"
+        }])))
    }
-
-    let value: Value = res.error_for_status()?.json()?;
-    Ok(Json(value))
 }
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@ -94,9 +94,7 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
    }

    // Remove all twofactors from the user
-    for twofactor in TwoFactor::find_by_user(&user.uuid, &conn) {
-        twofactor.delete(&conn)?;
-    }
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;

    // Remove the recovery code, not needed without twofactors
    user.totp_recover = None;
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@ -27,6 +27,7 @@ const ALLOWED_CHARS: &str = "_-.";
 lazy_static! {
    // Reuse the client between requests
    static ref CLIENT: Client = Client::builder()
+        .use_sys_proxy()
        .gzip(true)
        .timeout(Duration::from_secs(CONFIG.icon_download_timeout()))
        .default_headers(_header_map())
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -101,7 +101,13 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;

    if CONFIG.mail_enabled() && new_device {
-        mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &device.updated_at, &device.name)?
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &device.updated_at, &device.name) {
+            error!("Error sending new device email: {:#?}", e);
+
+            if CONFIG.require_device_email() {
+                err!("Could not send login notification email. Please contact your administrator.")
+            }
+        }
    }

    // Common
--- a/src/api/web.rs
+++ b/src/api/web.rs
@ -65,11 +65,11 @@ fn alive() -> Json<String> {
 }

 #[get("/bwrs_images/<filename>")]
-fn images(filename: String) -> Result<Content<Vec<u8>>, Error> {
-    let image_type = ContentType::new("image", "png");
+fn images(filename: String) -> Result<Content<&'static [u8]>, Error> {
    match filename.as_ref() {
-        "mail-github.png" => Ok(Content(image_type , include_bytes!("../static/images/mail-github.png").to_vec())),
-        "logo-gray.png" => Ok(Content(image_type, include_bytes!("../static/images/logo-gray.png").to_vec())),
-        _ => err!("Image not found")
+        "mail-github.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/mail-github.png"))),
+        "logo-gray.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/logo-gray.png"))),
+        "error-x.svg" => Ok(Content(ContentType::SVG, include_bytes!("../static/images/error-x.svg"))),
+        _ => err!("Image not found"),
    }
 }