mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-11-28 06:40:20 +00:00
Fixed delete user when 2FA is enabled, implemented delete user for admin panel, and the front-end part for invite user. Secured admin panel behind a configurable token.
This commit is contained in:
parent
5fecf09631
commit
1b5134dfe2
6 changed files with 154 additions and 71 deletions
14
.env
14
.env
|
@ -34,15 +34,23 @@
|
||||||
## It's recommended to also set 'ROCKET_CLI_COLORS=off'
|
## It's recommended to also set 'ROCKET_CLI_COLORS=off'
|
||||||
# LOG_FILE=/path/to/log
|
# LOG_FILE=/path/to/log
|
||||||
|
|
||||||
## Controls if new users can register
|
|
||||||
# SIGNUPS_ALLOWED=true
|
|
||||||
|
|
||||||
## Use a local favicon extractor
|
## Use a local favicon extractor
|
||||||
## Set to false to use bitwarden's official icon servers
|
## Set to false to use bitwarden's official icon servers
|
||||||
## Set to true to use the local version, which is not as smart,
|
## Set to true to use the local version, which is not as smart,
|
||||||
## but it doesn't send the cipher domains to bitwarden's servers
|
## but it doesn't send the cipher domains to bitwarden's servers
|
||||||
# LOCAL_ICON_EXTRACTOR=false
|
# LOCAL_ICON_EXTRACTOR=false
|
||||||
|
|
||||||
|
## Controls if new users can register
|
||||||
|
# SIGNUPS_ALLOWED=true
|
||||||
|
|
||||||
|
## Token for the admin interface, preferably use a long random string
|
||||||
|
## One option is to use 'openssl rand -base64 48'
|
||||||
|
## If not set, the admin panel is disabled
|
||||||
|
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
|
||||||
|
|
||||||
|
## Invitations org admins to invite users, even when signups are disabled
|
||||||
|
# INVITATIONS_ALLOWED=true
|
||||||
|
|
||||||
## Controls the PBBKDF password iterations to apply on the server
|
## Controls the PBBKDF password iterations to apply on the server
|
||||||
## The change only applies when the password is changed
|
## The change only applies when the password is changed
|
||||||
# PASSWORD_ITERATIONS=100000
|
# PASSWORD_ITERATIONS=100000
|
||||||
|
|
|
@ -1,20 +1,17 @@
|
||||||
use rocket_contrib::json::Json;
|
use rocket_contrib::json::Json;
|
||||||
use serde_json::Value;
|
use serde_json::Value;
|
||||||
|
|
||||||
|
use crate::api::{JsonResult, JsonUpcase};
|
||||||
|
use crate::CONFIG;
|
||||||
|
|
||||||
use crate::db::models::*;
|
use crate::db::models::*;
|
||||||
use crate::db::DbConn;
|
use crate::db::DbConn;
|
||||||
|
|
||||||
use crate::api::{EmptyResult, JsonResult, JsonUpcase};
|
use rocket::request::{self, FromRequest, Request};
|
||||||
|
use rocket::{Outcome, Route};
|
||||||
use rocket::{Route, Outcome};
|
|
||||||
use rocket::request::{self, Request, FromRequest};
|
|
||||||
|
|
||||||
pub fn routes() -> Vec<Route> {
|
pub fn routes() -> Vec<Route> {
|
||||||
routes![
|
routes![get_users, invite_user, delete_user]
|
||||||
get_users,
|
|
||||||
invite_user,
|
|
||||||
delete_user,
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Deserialize, Debug)]
|
#[derive(Deserialize, Debug)]
|
||||||
|
@ -31,8 +28,8 @@ fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
|
||||||
Ok(Json(Value::Array(users_json)))
|
Ok(Json(Value::Array(users_json)))
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/users", data="<data>")]
|
#[post("/invite", data = "<data>")]
|
||||||
fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> EmptyResult {
|
fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> JsonResult {
|
||||||
let data: InviteData = data.into_inner().data;
|
let data: InviteData = data.into_inner().data;
|
||||||
|
|
||||||
if User::find_by_mail(&data.Email, &conn).is_some() {
|
if User::find_by_mail(&data.Email, &conn).is_some() {
|
||||||
|
@ -42,30 +39,30 @@ fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -
|
||||||
err!("Unimplemented")
|
err!("Unimplemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
#[delete("/users/<uuid>")]
|
#[post("/users/<uuid>/delete")]
|
||||||
fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
|
fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> JsonResult {
|
||||||
let _user = match User::find_by_uuid(&uuid, &conn) {
|
let user = match User::find_by_uuid(&uuid, &conn) {
|
||||||
Some(user) => user,
|
Some(user) => user,
|
||||||
None => err!("User doesn't exist")
|
None => err!("User doesn't exist"),
|
||||||
};
|
};
|
||||||
|
|
||||||
// TODO: Enable this once we have a more secure auth method
|
|
||||||
err!("Unimplemented")
|
|
||||||
/*
|
|
||||||
match user.delete(&conn) {
|
match user.delete(&conn) {
|
||||||
Ok(_) => Ok(()),
|
Ok(_) => Ok(Json(json!({}))),
|
||||||
Err(e) => err!("Error deleting user", e)
|
Err(e) => err!("Error deleting user", e),
|
||||||
}
|
}
|
||||||
*/
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
pub struct AdminToken {}
|
pub struct AdminToken {}
|
||||||
|
|
||||||
impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
|
impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
|
||||||
type Error = &'static str;
|
type Error = &'static str;
|
||||||
|
|
||||||
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
|
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
|
||||||
|
let config_token = match CONFIG.admin_token.as_ref() {
|
||||||
|
Some(token) => token,
|
||||||
|
None => err_handler!("Admin panel is disabled"),
|
||||||
|
};
|
||||||
|
|
||||||
// Get access_token
|
// Get access_token
|
||||||
let access_token: &str = match request.headers().get_one("Authorization") {
|
let access_token: &str = match request.headers().get_one("Authorization") {
|
||||||
Some(a) => match a.rsplit("Bearer ").next() {
|
Some(a) => match a.rsplit("Bearer ").next() {
|
||||||
|
@ -81,7 +78,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
|
||||||
// Option 2a: Send it to admin email, like upstream
|
// Option 2a: Send it to admin email, like upstream
|
||||||
// Option 2b: Print in console or save to data dir, so admin can check
|
// Option 2b: Print in console or save to data dir, so admin can check
|
||||||
|
|
||||||
if access_token != "token123" {
|
if access_token != config_token {
|
||||||
err_handler!("Invalid admin token")
|
err_handler!("Invalid admin token")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -107,4 +107,12 @@ impl TwoFactor {
|
||||||
.filter(twofactor::type_.eq(type_))
|
.filter(twofactor::type_.eq(type_))
|
||||||
.first::<Self>(&**conn).ok()
|
.first::<Self>(&**conn).ok()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<usize> {
|
||||||
|
diesel::delete(
|
||||||
|
twofactor::table.filter(
|
||||||
|
twofactor::user_uuid.eq(user_uuid)
|
||||||
|
)
|
||||||
|
).execute(&**conn)
|
||||||
|
}
|
||||||
}
|
}
|
|
@ -113,7 +113,7 @@ use diesel;
|
||||||
use diesel::prelude::*;
|
use diesel::prelude::*;
|
||||||
use crate::db::DbConn;
|
use crate::db::DbConn;
|
||||||
use crate::db::schema::{users, invitations};
|
use crate::db::schema::{users, invitations};
|
||||||
use super::{Cipher, Folder, Device, UserOrganization, UserOrgType};
|
use super::{Cipher, Folder, Device, UserOrganization, UserOrgType, TwoFactor};
|
||||||
|
|
||||||
/// Database methods
|
/// Database methods
|
||||||
impl User {
|
impl User {
|
||||||
|
@ -168,6 +168,7 @@ impl User {
|
||||||
Cipher::delete_all_by_user(&self.uuid, &*conn)?;
|
Cipher::delete_all_by_user(&self.uuid, &*conn)?;
|
||||||
Folder::delete_all_by_user(&self.uuid, &*conn)?;
|
Folder::delete_all_by_user(&self.uuid, &*conn)?;
|
||||||
Device::delete_all_by_user(&self.uuid, &*conn)?;
|
Device::delete_all_by_user(&self.uuid, &*conn)?;
|
||||||
|
TwoFactor::delete_all_by_user(&self.uuid, &*conn)?;
|
||||||
Invitation::take(&self.email, &*conn); // Delete invitation if any
|
Invitation::take(&self.email, &*conn); // Delete invitation if any
|
||||||
|
|
||||||
diesel::delete(users::table.filter(
|
diesel::delete(users::table.filter(
|
||||||
|
|
|
@ -272,6 +272,7 @@ pub struct Config {
|
||||||
local_icon_extractor: bool,
|
local_icon_extractor: bool,
|
||||||
signups_allowed: bool,
|
signups_allowed: bool,
|
||||||
invitations_allowed: bool,
|
invitations_allowed: bool,
|
||||||
|
admin_token: Option<String>,
|
||||||
server_admin_email: Option<String>,
|
server_admin_email: Option<String>,
|
||||||
password_iterations: i32,
|
password_iterations: i32,
|
||||||
show_password_hint: bool,
|
show_password_hint: bool,
|
||||||
|
@ -325,7 +326,8 @@ impl Config {
|
||||||
|
|
||||||
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
|
local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
|
||||||
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
|
signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
|
||||||
server_admin_email: get_env("SERVER_ADMIN_EMAIL"),
|
admin_token: get_env("ADMIN_TOKEN"),
|
||||||
|
server_admin_email:None, // TODO: Delete this
|
||||||
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
|
invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
|
||||||
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
|
password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
|
||||||
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
|
show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
|
||||||
|
|
|
@ -20,13 +20,12 @@
|
||||||
<style>
|
<style>
|
||||||
body { padding-top: 70px; }
|
body { padding-top: 70px; }
|
||||||
img { width: 48px; height: 48px; }
|
img { width: 48px; height: 48px; }
|
||||||
#logo { width: 48px; height: 48px; }
|
|
||||||
</style>
|
</style>
|
||||||
|
|
||||||
<script>
|
<script>
|
||||||
let key = null;
|
let key = null;
|
||||||
|
|
||||||
function getIdenticon(email) {
|
function identicon(email) {
|
||||||
const data = new Identicon(md5(email), {
|
const data = new Identicon(md5(email), {
|
||||||
size: 48,
|
size: 48,
|
||||||
format: 'svg'
|
format: 'svg'
|
||||||
|
@ -35,41 +34,97 @@
|
||||||
return "data:image/svg+xml;base64," + data;
|
return "data:image/svg+xml;base64," + data;
|
||||||
}
|
}
|
||||||
|
|
||||||
function loadUsers() {
|
function setVis(elem, vis) {
|
||||||
$("#users-list").empty();
|
if (vis) { $(elem).removeClass('d-none'); }
|
||||||
|
else { $(elem).addClass('d-none'); }
|
||||||
|
}
|
||||||
|
|
||||||
$.ajax({
|
function updateVis() {
|
||||||
type: "GET",
|
setVis("#no-key-form", !key);
|
||||||
url: "/admin/users",
|
setVis("#users-block", key);
|
||||||
headers: { "Authorization": "Bearer " + key }
|
setVis("#invite-form", key);
|
||||||
}).done(function (data) {
|
}
|
||||||
|
|
||||||
|
function setKey() {
|
||||||
|
key = $('#key').val() || window.location.hash.slice(1);
|
||||||
|
updateVis();
|
||||||
|
if (key) { loadUsers(); }
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
function resetKey() {
|
||||||
|
key = null;
|
||||||
|
updateVis();
|
||||||
|
}
|
||||||
|
|
||||||
|
function fillRow(data) {
|
||||||
for (i in data) {
|
for (i in data) {
|
||||||
let user = data[i];
|
const user = data[i];
|
||||||
let row = $("#tmp-user-row").clone();
|
const row = $("#tmp-row").clone();
|
||||||
|
|
||||||
row.attr("id", "user-row:" + user.Id);
|
row.attr("id", "user-row:" + user.Id);
|
||||||
row.find(".tmp-user-name").text(user.Name);
|
row.find(".tmp-name").text(user.Name);
|
||||||
row.find(".tmp-user-mail").text(user.Email);
|
row.find(".tmp-mail").text(user.Email);
|
||||||
row.find(".tmp-user-icon").attr("src", getIdenticon(user.Email))
|
row.find(".tmp-icon").attr("src", identicon(user.Email))
|
||||||
|
|
||||||
row.find(".tmp-user-del").on("click", function (e) {
|
row.find(".tmp-del").on("click", function (e) {
|
||||||
alert("Not Implemented: Deleting UUID " + user.Id);
|
if (confirm("Delete User '" + user.Name + "'?")) {
|
||||||
|
deleteUser(user.Id);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
});
|
});
|
||||||
|
|
||||||
row.appendTo("#users-list");
|
row.appendTo("#users-list");
|
||||||
row.removeClass('d-none');
|
setVis(row, true);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function _headers() { return { "Authorization": "Bearer " + key }; }
|
||||||
|
|
||||||
|
function loadUsers() {
|
||||||
|
$("#users-list").empty();
|
||||||
|
$.get({ url: "/admin/users", headers: _headers() })
|
||||||
|
.done(fillRow)
|
||||||
|
.fail(resetKey);
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
function _post(url, successMsg, errMsg, resetOnErr, data) {
|
||||||
|
$.post({ url: url, headers: _headers(), data: data })
|
||||||
|
.done(() => {
|
||||||
|
alert(successMsg);
|
||||||
|
loadUsers();
|
||||||
})
|
})
|
||||||
|
.fail((e) => {
|
||||||
|
const msg = e.responseJSON ?
|
||||||
|
e.responseJSON.ErrorModel.Message
|
||||||
|
: "Unknown error";
|
||||||
|
alert(errMsg + ": " + msg);
|
||||||
|
if (resetOnErr) { resetKey(); }
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
function deleteUser(id) {
|
||||||
|
_post("/admin/users/" + id + "/delete",
|
||||||
|
"User deleted correctly",
|
||||||
|
"Error deleting user", true);
|
||||||
|
}
|
||||||
|
|
||||||
|
function inviteUser() {
|
||||||
|
data = JSON.stringify({ "Email": $("#email-invite").val() });
|
||||||
|
|
||||||
|
_post("/admin/invite/",
|
||||||
|
"User invited correctly",
|
||||||
|
"Error inviting user", false, data);
|
||||||
}
|
}
|
||||||
|
|
||||||
$(window).on('load', function () {
|
$(window).on('load', function () {
|
||||||
key = new URLSearchParams(window.location.search).get('key');
|
setKey();
|
||||||
if (key) {
|
|
||||||
$("#no-key-form").addClass('d-none');
|
$("#key-form").submit(setKey);
|
||||||
loadUsers();
|
$("#reload-btn").on("click", loadUsers);
|
||||||
} else {
|
$("#invite-form").submit(inviteUser);
|
||||||
$("#users-block").addClass('d-none');
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
</script>
|
</script>
|
||||||
</head>
|
</head>
|
||||||
|
@ -89,36 +144,48 @@
|
||||||
</div>
|
</div>
|
||||||
</nav>
|
</nav>
|
||||||
<main class="container">
|
<main class="container">
|
||||||
<div id="no-key-form" class="align-items-center p-3 mb-3 text-white-50 bg-danger rounded shadow">
|
<div id="no-key-form" class="d-none align-items-center p-3 mb-3 text-white-50 bg-danger rounded shadow">
|
||||||
<div>
|
<div>
|
||||||
<h6 class="mb-0 text-white">Authentication key needed to continue</h6>
|
<h6 class="mb-0 text-white">Authentication key needed to continue</h6>
|
||||||
<small>Please provide it below:</small>
|
<small>Please provide it below:</small>
|
||||||
|
|
||||||
<form class="form-inline" method="get">
|
<form class="form-inline" id="key-form">
|
||||||
<input type="text" class="form-control mr-2" id="key" name="key" placeholder="Enter admin key">
|
<input type="password" class="form-control w-50 mr-2" id="key" placeholder="Enter admin key">
|
||||||
<button type="submit" class="btn btn-primary">Submit</button>
|
<button type="submit" class="btn btn-primary">Save</button>
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div id="users-block" class="my-3 p-3 bg-white rounded shadow">
|
<div id="users-block" class="d-none my-3 p-3 bg-white rounded shadow">
|
||||||
<h6 class="border-bottom pb-2 mb-0">Registered Users</h6>
|
<h6 class="border-bottom pb-2 mb-0">Registered Users</h6>
|
||||||
|
|
||||||
<div id="users-list"></div>
|
<div id="users-list"></div>
|
||||||
|
|
||||||
<small class="d-block text-right mt-3">
|
<small class="d-block text-right mt-3">
|
||||||
<a href="#" onclick="loadUsers();">Reload users</a>
|
<a id="reload-btn" href="#">Reload users</a>
|
||||||
</small>
|
</small>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div id="tmp-user-row" class="d-none media pt-3">
|
<div id="invite-form" class="d-none align-items-center p-3 mb-3 text-white-50 bg-secondary rounded shadow">
|
||||||
<img src="#" alt="identicon" class="mr-2 rounded tmp-user-icon">
|
<div>
|
||||||
|
<h6 class="mb-0 text-white">Invite User</h6>
|
||||||
|
<small>Email:</small>
|
||||||
|
|
||||||
|
<form class="form-inline" id="invite-form">
|
||||||
|
<input type="email" class="form-control w-50 mr-2" id="email-invite" placeholder="Enter email">
|
||||||
|
<button type="submit" class="btn btn-primary">Invite</button>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div id="tmp-row" class="d-none media pt-3">
|
||||||
|
<img class="mr-2 rounded tmp-icon">
|
||||||
<div class="media-body pb-3 mb-0 small border-bottom">
|
<div class="media-body pb-3 mb-0 small border-bottom">
|
||||||
<div class="d-flex justify-content-between">
|
<div class="d-flex justify-content-between">
|
||||||
<strong class="tmp-user-name">Full Name</strong>
|
<strong class="tmp-name">Full Name</strong>
|
||||||
<a class="tmp-user-del mr-3" href="#">Delete User</a>
|
<a class="tmp-del mr-3" href="#">Delete User</a>
|
||||||
</div>
|
</div>
|
||||||
<span class="d-block tmp-user-mail">Email</span>
|
<span class="d-block tmp-mail">Email</span>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</main>
|
</main>
|
||||||
|
|
Loading…
Reference in a new issue