api::Accounts::verify_password add the policy even if it's ignored

3 months ago · 44045a865b
3 changed files with 11 additions and 3 deletions
--- a/.env.template
+++ b/.env.template
@ -475,7 +475,7 @@
 ## Set your Client ID and Client Key
 # SSO_CLIENT_ID=11111
 # SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
-## Optional Master password policy (minComplexity=[0-4])
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
 # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
 ## Use sso only for authentication not the session lifecycle
 # SSO_AUTH_ONLY_NOT_SESSION=false
--- a/SSO.md
+++ b/SSO.md
@ -25,7 +25,7 @@ The following configurations are available
 - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
 - `SSO_CLIENT_ID` : Client Id
 - `SSO_CLIENT_SECRET` : Client Secret
- - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
+ - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy (`enforceOnLogin` is not supported).
 - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
 - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
 - `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -1050,6 +1050,8 @@ pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &mut DbConn) ->
    Ok(())
 }

+// It appears that at the moment the return policy is required but ignored.
+// As such the `enforceOnLogin` part is not working.
 #[post("/accounts/verify-password", data = "<data>")]
 async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, mut conn: DbConn) -> JsonResult {
    let data: SecretVerificationRequest = data.into_inner();
@ -1061,8 +1063,14 @@ async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers

    kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;

+    let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
+        serde_json::from_str(&policy_str).unwrap_or(json!({}))
+    } else {
+        json!({})
+    };
+
    Ok(Json(json!({
-      "MasterPasswordPolicy": {}, // Required for SSO login with mobile apps
+      "MasterPasswordPolicy": policy,
    })))
 }