Merge remote-tracking branch 'upstream/master' into email-codes

2025-06-12 13:17:43 +02:00 · 2019-08-26 21:38:45 +02:00
parent c99df1c310 026f9da035
commit 5d50b1ee3c
12 changed files with 273 additions and 211 deletions
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -132,18 +132,33 @@ fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbC

 #[get("/hibp/breach?<username>")]
 fn hibp_breach(username: String) -> JsonResult {
-    let url = format!("https://haveibeenpwned.com/api/v2/breachedaccount/{}", username);
    let user_agent = "Bitwarden_RS";
+    let url = format!(
+        "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",
+        username
+    );

    use reqwest::{header::USER_AGENT, Client};

-    let res = Client::new().get(&url).header(USER_AGENT, user_agent).send()?;
+    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+        let res = Client::new()
+            .get(&url)
+            .header(USER_AGENT, user_agent)
+            .header("hibp-api-key", api_key)
+            .send()?;

-    // If we get a 404, return a 404, it means no breached accounts
-    if res.status() == 404 {
-        return Err(Error::empty().with_code(404));
+        // If we get a 404, return a 404, it means no breached accounts
+        if res.status() == 404 {
+            return Err(Error::empty().with_code(404));
+        }
+
+        let value: Value = res.error_for_status()?.json()?;
+        Ok(Json(value))
+    } else {
+        Ok(Json(json!([{
+            "title": "--- Error! ---",
+            "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
+            "logopath": "/bwrs_images/error-x.svg"
+        }])))
    }
-
-    let value: Value = res.error_for_status()?.json()?;
-    Ok(Json(value))
 }
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@ -94,9 +94,7 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
    }

    // Remove all twofactors from the user
-    for twofactor in TwoFactor::find_by_user(&user.uuid, &conn) {
-        twofactor.delete(&conn)?;
-    }
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;

    // Remove the recovery code, not needed without twofactors
    user.totp_recover = None;