Backup_Repos/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-06 08:27:18 +01:00
Code Issues Projects Releases Wiki Activity

Merge b3fc25ecac into 07569a06da

Browse source
This commit is contained in:
Momi-V 2025-12-01 09:14:03 +01:00 committed by GitHub
commit cf7de6762a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 19 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/api/identity.rs
View file

@ -433,7 +433,7 @@ async fn _password_login(
let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?; let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?;
let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id); let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id, None);
authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
} }

19
src/auth.rs
View file

@ -1129,13 +1129,13 @@ impl AuthMethod {
} }
} }
#[derive(Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
pub enum TokenWrapper { pub enum TokenWrapper {
Access(String), Access(String),
Refresh(String), Refresh(String),
} }
#[derive(Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
pub struct RefreshJwtClaims { pub struct RefreshJwtClaims {
// Not before // Not before
pub nbf: i64, pub nbf: i64,
@ -1175,7 +1175,7 @@ impl AuthTokens {
} }
// Create refresh_token and access_token with default validity // Create refresh_token and access_token with default validity
pub fn new(device: &Device, user: &User, sub: AuthMethod, client_id: Option<String>) -> Self { pub fn new(device: &Device, user: &User, sub: AuthMethod, client_id: Option<String>, existing_refresh_claims: Option<&RefreshJwtClaims>) -> Self {
let time_now = Utc::now(); let time_now = Utc::now();
let access_claims = LoginJwtClaims::default(device, user, &sub, client_id); let access_claims = LoginJwtClaims::default(device, user, &sub, client_id);
@ -1186,7 +1186,7 @@ impl AuthTokens {
*DEFAULT_REFRESH_VALIDITY *DEFAULT_REFRESH_VALIDITY
}; };
let refresh_claims = RefreshJwtClaims { let default_refresh_claims = RefreshJwtClaims {
nbf: time_now.timestamp(), nbf: time_now.timestamp(),
exp: (time_now + validity).timestamp(), exp: (time_now + validity).timestamp(),
iss: JWT_LOGIN_ISSUER.to_string(), iss: JWT_LOGIN_ISSUER.to_string(),
@ -1195,6 +1195,13 @@ impl AuthTokens {
token: None, token: None,
}; };
let refresh_claims = if CONFIG.disable_refresh_token_renewal() {
// Use existing_refresh_claims if passed and config is enabled
existing_refresh_claims.cloned().unwrap_or(default_refresh_claims)
} else {
default_refresh_claims
};
Self { Self {
refresh_claims, refresh_claims,
access_claims, access_claims,
@ -1232,14 +1239,14 @@ pub async fn refresh_tokens(
let auth_tokens = match refresh_claims.sub { let auth_tokens = match refresh_claims.sub {
AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => { AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
AuthTokens::new(&device, &user, refresh_claims.sub, client_id) AuthTokens::new(&device, &user, refresh_claims.sub.clone(), client_id, Some(&refresh_claims))
} }
AuthMethod::Sso if CONFIG.sso_enabled() => { AuthMethod::Sso if CONFIG.sso_enabled() => {
sso::exchange_refresh_token(&device, &user, client_id, refresh_claims).await? sso::exchange_refresh_token(&device, &user, client_id, refresh_claims).await?
} }
AuthMethod::Sso => err!("SSO is now disabled, Login again using email and master password"), AuthMethod::Sso => err!("SSO is now disabled, Login again using email and master password"),
AuthMethod::Password if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO is now required, Login again"), AuthMethod::Password if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO is now required, Login again"),
AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub, client_id), AuthMethod::Password => AuthTokens::new(&device, &user, refresh_claims.sub.clone(), client_id, Some(&refresh_claims)),
_ => err!("Invalid auth method, cannot refresh token"), _ => err!("Invalid auth method, cannot refresh token"),
}; };

4
src/config.rs
View file

@ -706,6 +706,10 @@ make_config! {
/// Note that the checkbox would still be present, but ignored. /// Note that the checkbox would still be present, but ignored.
disable_2fa_remember: bool, true, def, false; disable_2fa_remember: bool, true, def, false;
/// Disable refresh token renewal |> If true, disables sliding window for refresh token expiry.
/// This only renews the token on a full login (Password (+2FA), SSO, etc.) forcing a full reauth every 30 days (90 for the native app)
disable_refresh_token_renewal: bool, true, def, false;
/// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid /// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid
/// TOTP codes of the previous and next 30 seconds will be invalid. /// TOTP codes of the previous and next 30 seconds will be invalid.
authenticator_disable_time_drift: bool, true, def, false; authenticator_disable_time_drift: bool, true, def, false;

2
src/sso.rs
View file

@ -377,7 +377,7 @@ pub fn create_auth_tokens(
_create_auth_tokens(device, refresh_token, access_claims, access_token) _create_auth_tokens(device, refresh_token, access_claims, access_token)
} else { } else {
Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id)) Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id, None))
} }
} }