It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.
This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.
Fixes#2761
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide
Fixes#2890Fixes#2891Fixes#2892
Since v2022.9.x the org export uses a different endpoint.
But, since v2022.11.x this endpoint will return a different format.
See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316
To support both version in the case of users having an older client
either web-vault or cli this PR checks the version and responds using
the correct format. If no version can be determined it will use the new
format as a default.
if `SIGNUPS_VERIFY` is enabled new users that have been invited have
their onboarding flow interrupted because they have to first verify
their mail address before they can join an organization.
we can skip the extra verication of the email address when signing up
because a valid invitation token already means that the email address is
working and we don't allow invited users to signup with a different
address.
unfortunately, this is not possible with emergency access invitations
at the moment as they are handled differently.
Set SMTP_EMBED_IMAGES option to false if you don't want to attach images
to the mail.
NOTE: If you have customized the template files `email_header.hbs` and
`email_footer.hbs` you can replace `{url}/vw_static/` to `{img_url}`
to support both URL schemes
If you add a new user that has already been Invited to another
organization they will be Accepted automatically. This should not be
possible because they cannot be Confirmed until they have completed
their registration. It is also not necessary because their invitation
will be accepted automatically once they register.
- The Master Password Hint input has changed it's location to the
password update form. This PR updates the the code to process this.
- Also changed the `ProfileData` struct to exclude `Culture` and
`MasterPasswordHint`, since both are not used at all, and when not
defined they will also not be allocated.
Fixes#2833
configure the number of hours after which organization invites,
emergency access invites, email verification emails and account deletion
requests expire (defaults to 5 days or 120 hours and must be atleast 1)
Since v2022.9.x it seems they changed the export endpoint and way of working.
This PR fixes this by adding the export endpoint.
Also, it looks like the clients can't handle uppercase first JSON key's.
Because of this there now is a function which converts all the key's to lowercase first.
I have an issue reported at Bitwarden if this is expected behavior: https://github.com/bitwarden/clients/issues/3606Fixes#2760Fixes#2764
This PR adds support for the Send v2 API.
It should prevent 404 errors which could cause some issues with some
configurations on some reverse proxies.
In the long run, we can probably remove the old file upload API, but for
now lets leave it there, since Bitwarden also still has this endpoint in
the code.
Might fixes#2753
In web-vault v2022.9.x it seems the endpoints changed.
- activate > restore
- deactivate > revoke
This PR adds those endpoints and renames the functions.
It also keeps the previous endpoints for now to be compatible with
previous vault verions for now, just in case.
There was a small oversight on upgrading to v2022.9.0 web-vault version.
It seems the call to the /plans/ endpoint doesn't provide authentication anymore.
Removed this check and it seems to work again.
Fixes#2737
- The new web-vault version supports fastmail.com anon email, add the
correct api host to support it.
- Removed Firefox Relay, this seems only to be supported on SaaS.
- Added a function to the two-factor api to prevent 404 errors.
Previously FlashMessage was used to provide an error message during login.
This PR changes that flow to not use redirect for this, but renders the HTML and responds using the correct status code where needed. This should solve some issues which were reported in the past.
Thanks to @RealOrangeOne, for initiating this with a PR.
Fixes#2448Fixes#2712Closes#2715
Co-authored-by: Jake Howard <git@theorangeone.net>
This PR adds a the new v2022.8.x revoke feature which allows an
organization owner or admin to revoke access for one or more users.
This PR also fixes several permissions and policy checks which were faulty.
- Modified some functions to use DB Count features instead of iter/count aftwards.
- Rearanged some if statements (faster matching or just one if instead of nested if's)
- Added and fixed several policy checks where needed
- Some small updates on some response models
- Made some functions require an enum instead of an i32
This PR attends to mitigate (not fix) #2644.
There seems to be an issue when uploading files either as attachment or
via send via the mobile (Android) client.
The binary data gets transfered correctly to Vaultwarden (Checked via
Wireshark), but the data is not parsed correctly for some reason.
Since the parsing is not done by Vaultwarden it self, i think we should
at least try to prevent saving the data and letting users think all
fine.
Further investigation is needed to actually fix this issue.
This is just a quick patch.
The previous persistent folder check worked by checking if a file
exists. If you used a bind-mount, then this file is not there. But when
using a docker/podman volume those files are copied, and caused the
container to not start.
This change checks the `/proc/self/mountinfo` for a specific patern to
see if the data folder is persistent or not.
Fixes#2622