|
|
@ -43,6 +43,13 @@ fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult { |
|
|
|
|
|
|
|
_password_login(data, conn, &ip) |
|
|
|
} |
|
|
|
"client_credentials" => { |
|
|
|
_check_is_some(&data.client_id, "client_id cannot be blank")?; |
|
|
|
_check_is_some(&data.client_secret, "client_secret cannot be blank")?; |
|
|
|
_check_is_some(&data.scope, "scope cannot be blank")?; |
|
|
|
|
|
|
|
_api_key_login(data, conn, &ip) |
|
|
|
} |
|
|
|
t => err!("Invalid type", t), |
|
|
|
} |
|
|
|
} |
|
|
@ -178,6 +185,75 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult |
|
|
|
Ok(Json(result)) |
|
|
|
} |
|
|
|
|
|
|
|
fn _api_key_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonResult { |
|
|
|
// Validate scope
|
|
|
|
let scope = data.scope.as_ref().unwrap(); |
|
|
|
if scope != "api" { |
|
|
|
err!("Scope not supported") |
|
|
|
} |
|
|
|
|
|
|
|
// Ratelimit the login
|
|
|
|
crate::ratelimit::check_limit_login(&ip.ip)?; |
|
|
|
|
|
|
|
// Get the user via the client_id
|
|
|
|
let client_id = data.client_id.as_ref().unwrap(); |
|
|
|
let user_uuid = match client_id.strip_prefix("user.") { |
|
|
|
Some(uuid) => uuid, |
|
|
|
None => err!("Malformed client_id", format!("IP: {}.", ip.ip)), |
|
|
|
}; |
|
|
|
let user = match User::find_by_uuid(user_uuid, &conn) { |
|
|
|
Some(user) => user, |
|
|
|
None => err!("Invalid client_id", format!("IP: {}.", ip.ip)), |
|
|
|
}; |
|
|
|
|
|
|
|
// Check if the user is disabled
|
|
|
|
if !user.enabled { |
|
|
|
err!("This user has been disabled (API key login)", format!("IP: {}. Username: {}.", ip.ip, user.email)) |
|
|
|
} |
|
|
|
|
|
|
|
// Check API key. Note that API key logins bypass 2FA.
|
|
|
|
let client_secret = data.client_secret.as_ref().unwrap(); |
|
|
|
if !user.check_valid_api_key(client_secret) { |
|
|
|
err!("Incorrect client_secret", format!("IP: {}. Username: {}.", ip.ip, user.email)) |
|
|
|
} |
|
|
|
|
|
|
|
let (mut device, new_device) = get_device(&data, &conn, &user); |
|
|
|
|
|
|
|
if CONFIG.mail_enabled() && new_device { |
|
|
|
let now = Utc::now().naive_utc(); |
|
|
|
if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name) { |
|
|
|
error!("Error sending new device email: {:#?}", e); |
|
|
|
|
|
|
|
if CONFIG.require_device_email() { |
|
|
|
err!("Could not send login notification email. Please contact your administrator.") |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// Common
|
|
|
|
let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &conn); |
|
|
|
|
|
|
|
let (access_token, expires_in) = device.refresh_tokens(&user, orgs); |
|
|
|
device.save(&conn)?; |
|
|
|
|
|
|
|
info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip); |
|
|
|
|
|
|
|
Ok(Json(json!({ |
|
|
|
"access_token": access_token, |
|
|
|
"expires_in": expires_in, |
|
|
|
"token_type": "Bearer", |
|
|
|
"refresh_token": device.refresh_token, |
|
|
|
"Key": user.akey, |
|
|
|
"PrivateKey": user.private_key, |
|
|
|
|
|
|
|
"Kdf": user.client_kdf_type, |
|
|
|
"KdfIterations": user.client_kdf_iter, |
|
|
|
"ResetMasterPassword": false, // TODO: Same as above
|
|
|
|
"scope": "api", |
|
|
|
"unofficialServer": true, |
|
|
|
}))) |
|
|
|
} |
|
|
|
|
|
|
|
/// Retrieves an existing device or creates a new device from ConnectData and the User
|
|
|
|
fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> (Device, bool) { |
|
|
|
// On iOS, device_type sends "iOS", on others it sends a number
|
|
|
@ -374,17 +450,20 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api |
|
|
|
Ok(result) |
|
|
|
} |
|
|
|
|
|
|
|
// https://github.com/bitwarden/jslib/blob/master/common/src/models/request/tokenRequest.ts
|
|
|
|
// https://github.com/bitwarden/mobile/blob/master/src/Core/Models/Request/TokenRequest.cs
|
|
|
|
#[derive(Debug, Clone, Default)] |
|
|
|
#[allow(non_snake_case)] |
|
|
|
struct ConnectData { |
|
|
|
grant_type: String, // refresh_token, password
|
|
|
|
// refresh_token, password, client_credentials (API key)
|
|
|
|
grant_type: String, |
|
|
|
|
|
|
|
// Needed for grant_type="refresh_token"
|
|
|
|
refresh_token: Option<String>, |
|
|
|
|
|
|
|
// Needed for grant_type="password"
|
|
|
|
client_id: Option<String>, // web, cli, desktop, browser, mobile
|
|
|
|
// Needed for grant_type = "password" | "client_credentials"
|
|
|
|
client_id: Option<String>, // web, cli, desktop, browser, mobile
|
|
|
|
client_secret: Option<String>, // API key login (cli only)
|
|
|
|
password: Option<String>, |
|
|
|
scope: Option<String>, |
|
|
|
username: Option<String>, |
|
|
@ -414,6 +493,7 @@ impl<'f> FromForm<'f> for ConnectData { |
|
|
|
"granttype" => form.grant_type = value, |
|
|
|
"refreshtoken" => form.refresh_token = Some(value), |
|
|
|
"clientid" => form.client_id = Some(value), |
|
|
|
"clientsecret" => form.client_secret = Some(value), |
|
|
|
"password" => form.password = Some(value), |
|
|
|
"scope" => form.scope = Some(value), |
|
|
|
"username" => form.username = Some(value), |
|
|
|