
Add SSO_SIGNUPS_ALLOWED

pull/7272/head
Timshel 2 weeks ago
parent
commit
9b60e7681f
  1. 3
      .env.template
  2. 41
      src/api/identity.rs
  3. 2
      src/config.rs

3
.env.template

@ -494,6 +494,9 @@
## Prevent users from logging in directly without going through SSO ## Prevent users from logging in directly without going through SSO
# SSO_ONLY=false # SSO_ONLY=false
## Allow SSO flow to create account. You probably want to disable it when using a public provider.
# SSO_SIGNUPS_ALLOWED=true
## On SSO Signup if a user with a matching email already exists make the association ## On SSO Signup if a user with a matching email already exists make the association
# SSO_SIGNUPS_MATCH_EMAIL=true # SSO_SIGNUPS_MATCH_EMAIL=true

41
src/api/identity.rs

@ -220,6 +220,24 @@ async fn sso_login(
} }
) )
} }
Some((user, None))
if user.private_key.is_none()
&& !CONFIG.sso_signups_allowed()
&& !CONFIG.is_email_domain_allowed(&user.email)
&& !CONFIG.mail_enabled()
&& Invitation::find_by_mail(&user.email, conn).await.is_none() =>
{
error!(
"Login failure ({}), no invitation with email ({}) was found",
user_infos.identifier, user.email
);
err_silent!(
"Missing invitation",
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
Some((user, None)) if user.private_key.is_some() && !CONFIG.sso_signups_match_email() => { Some((user, None)) if user.private_key.is_some() && !CONFIG.sso_signups_match_email() => {
error!( error!(
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled", "Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
@ -267,13 +285,22 @@ async fn sso_login(
// Will trigger 2FA flow if needed // Will trigger 2FA flow if needed
let (user, mut device, twofactor_token, sso_user) = match user_with_sso { let (user, mut device, twofactor_token, sso_user) = match user_with_sso {
None => { None => {
if !CONFIG.is_email_domain_allowed(&user_infos.email) { if !CONFIG.sso_signups_allowed() {
err!( if CONFIG.signups_domains_whitelist().is_empty() {
"Email domain not allowed", err!(
ErrorEvent { "Signups are disabled. You will need an invitation",
event: EventType::UserFailedLogIn ErrorEvent {
} event: EventType::UserFailedLogIn
); }
);
} else if !CONFIG.is_email_domain_allowed(&user_infos.email) {
err!(
"Email domain not allowed",
ErrorEvent {
event: EventType::UserFailedLogIn
}
);
}
} }
match user_infos.email_verified { match user_infos.email_verified {
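Review bot: With the default `SSO_SIGNUPS_ALLOWED=true` the `None` arm no longer consults `SIGNUPS_DOMAINS_WHITELIST` at all: the removed line called `CONFIG.is_email_domain_allowed(&user_infos.email)` unconditionally, whereas the new code only reaches it inside `if !CONFIG.sso_signups_allowed()`, so a deployment that restricted SSO account creation with a domain whitelist silently loses that restriction on upgrade. If the whitelist is meant to keep precedence over the flag (the `signups_domains_whitelist().is_empty()` special-case in the same branch suggests the author treats an empty whitelist as "no domain filtering"), check the domain first and consult the flag only when no whitelist is configured, as below. The new guard arm in the first hunk has the same shape, `!CONFIG.sso_signups_allowed() && !CONFIG.is_email_domain_allowed(&user.email)`, so the `Invitation::find_by_mail` check there is presumably never reached when no whitelist is set; the two arms should agree on when that check applies. `sso_login` begins before and continues past this section.
```rust
None => {
    // SIGNUPS_DOMAINS_WHITELIST keeps precedence over SSO_SIGNUPS_ALLOWED; an empty
    // whitelist is "no domain filtering", so only then does the flag decide.
    if !CONFIG.is_email_domain_allowed(&user_infos.email) {
        err!(
            "Email domain not allowed",
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        );
    } else if !CONFIG.sso_signups_allowed() && CONFIG.signups_domains_whitelist().is_empty() {
        err!(
            "Signups are disabled. You will need an invitation",
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        );
    }
    // … unchanged: email_verified handling …
```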

2
src/config.rs

@ -801,6 +801,8 @@ make_config! {
sso_enabled: bool, true, def, false; sso_enabled: bool, true, def, false;
/// Only SSO login |> Disable Email+Master Password login /// Only SSO login |> Disable Email+Master Password login
sso_only: bool, true, def, false; sso_only: bool, true, def, false;
/// Allow SSO flow to create account |> You probably want to disable it when using a public provider
sso_signups_allowed: bool, true, def, true;
/// Allow email association |> Associate existing non-SSO user based on email /// Allow email association |> Associate existing non-SSO user based on email
sso_signups_match_email: bool, true, def, true; sso_signups_match_email: bool, true, def, true;
/// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover. /// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
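Review bot: The doc-comment on `sso_signups_allowed` does not say how it interacts with `SIGNUPS_DOMAINS_WHITELIST`, although the `identity.rs` change in this commit makes a whitelisted domain an exception when the flag is off. Since this line is what the admin panel renders as the option's help text, state it there: `/// Allow SSO flow to create account |> Disable to require an invitation; domains in SIGNUPS_DOMAINS_WHITELIST can still sign up. You probably want to disable it when using a public provider`. It would also help to note, as the next line does for `SSO_SIGNUPS_MATCH_EMAIL`, that the setting only governs account creation and does not affect logins of already associated users.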
