
Allow the Admin token to be disabled in the advanced menu

pull/406/head
Shane Faulkner 6 years ago
parent
commit
8b5b06c3d1
  1. 3
      .env.template
  2. 45
      src/api/admin.rs
  3. 3
      src/config.rs

3
.env.template

@ -69,6 +69,7 @@
## One option is to use 'openssl rand -base64 48' ## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled ## If not set, the admin panel is disabled
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
# DISABLE_ADMIN_TOKEN=false
## Invitations org admins to invite users, even when signups are disabled ## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true # INVITATIONS_ALLOWED=true
@ -110,4 +111,4 @@
# SMTP_PORT=587 # SMTP_PORT=587
# SMTP_SSL=true # SMTP_SSL=true
# SMTP_USERNAME=username # SMTP_USERNAME=username
# SMTP_PASSWORD=password # SMTP_PASSWORD=password

45
src/api/admin.rs

@ -15,7 +15,7 @@ use crate::mail;
use crate::CONFIG; use crate::CONFIG;
pub fn routes() -> Vec<Route> { pub fn routes() -> Vec<Route> {
if CONFIG.admin_token().is_none() { if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
return routes![admin_disabled]; return routes![admin_disabled];
} }
@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
type Error = &'static str; type Error = &'static str;
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> { fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
let mut cookies = request.cookies(); if CONFIG.disable_admin_token() {
Outcome::Success(AdminToken {})
let access_token = match cookies.get(COOKIE_NAME) { }
Some(cookie) => cookie.value(), else {
None => return Outcome::Forward(()), // If there is no cookie, redirect to login let mut cookies = request.cookies();
};
let access_token = match cookies.get(COOKIE_NAME) {
let ip = match request.guard::<ClientIp>() { Some(cookie) => cookie.value(),
Outcome::Success(ip) => ip.ip, None => return Outcome::Forward(()), // If there is no cookie, redirect to login
_ => err_handler!("Error getting Client IP"), };
};
let ip = match request.guard::<ClientIp>() {
if decode_admin(access_token).is_err() { Outcome::Success(ip) => ip.ip,
// Remove admin cookie _ => err_handler!("Error getting Client IP"),
cookies.remove(Cookie::named(COOKIE_NAME)); };
error!("Invalid or expired admin JWT. IP: {}.", ip);
return Outcome::Forward(()); if decode_admin(access_token).is_err() {
// Remove admin cookie
cookies.remove(Cookie::named(COOKIE_NAME));
error!("Invalid or expired admin JWT. IP: {}.", ip);
return Outcome::Forward(());
}
Outcome::Success(AdminToken {})
} }
Outcome::Success(AdminToken {})
} }
} }
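Review bot: Once `CONFIG.disable_admin_token()` is true, the new guard at the top of `from_request` returns `Outcome::Success(AdminToken {})` before the cookie, JWT and client-IP checks run, so every route behind `AdminToken` is served unauthenticated, and nothing in `routes()` records that the instance is running in that state. Since the option is meant to be paired with external authentication, `routes()` should make the condition visible in the log at startup, e.g. `if CONFIG.disable_admin_token() { warn!("DISABLE_ADMIN_TOKEN is set: admin routes are served without the admin token check"); }`, using the same log macros the file already uses for `error!`. As a matter of style, an early return (`if CONFIG.disable_admin_token() { return Outcome::Success(AdminToken {}); }`) would avoid re-indenting the whole original body under `else`, keeping the cookie-handling lines unchanged. The `impl FromRequest for AdminToken` block begins before this hunk; the `routes()` change in the first hunk is the natural place for the startup warning.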

3
src/config.rs

@ -256,6 +256,9 @@ make_config! {
/// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting. /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
enable_db_wal: bool, false, def, true; enable_db_wal: bool, false, def, true;
/// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
disable_admin_token: bool, true, def, false;
}, },
/// Yubikey settings /// Yubikey settings
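Review bot: The doc comment on the new `disable_admin_token` entry is the only place the consequence of this setting is described, and "Know the risks!" does not say what they are or what "auth in-front" must provide. Suggest spelling it out in the same `|>` help text, e.g. `/// Disable Admin Token (Know the risks!) |> Disables the Admin Token check entirely, so the admin page is served to anyone who can reach it; only enable this when a reverse proxy in front of bitwarden_rs enforces its own authentication`. The second positional argument `true` presumably marks the option as editable from the admin panel (matching the "advanced menu" in the commit title), which is worth confirming since it means the check can be switched off from the panel itself and takes effect on the next request.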
