topaLE/vaultwarden - vaultwarden - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
Zaid Marji	2d59e7e631	playwright: implement fido2 + auto-pick 2FA provider in submitTwoFactor `submitTwoFactor` previously threw `Not Implemented` for `kind: 'fido2'`. Implement it: the bundled web vault's connector iframe on /#/2fa auto-fires `navigator.credentials.get()` as soon as it mounts and the page transitions to /vault on its own, so the helper just waits for that URL transition (caller is responsible for keeping a virtual authenticator attached with auto-presence enabled). Add `ensure2FAProvider`: when the user has multiple 2FA providers enrolled and the current page is showing a different provider's UI than the requested one, click "Select another method" → the labeled row for the requested kind. The label table is fixed per `TwoFactor.kind` (`/Authenticator app/i` for `totp`, `/Email/i` for `mail2fa`, `/Passkey\|FIDO2/i` for `fido2`), so callers don't have to know about it. No-op when the requested kind's input is already visible (single- provider case, or it was already the default). Pre-MP setup required to keep the page-default provider from auto-firing (e.g. CDP `setAutomaticPresenceSimulation(false)` for the WebAuthn-2FA default) remains the caller's responsibility — the CDP authenticator handle lives in the test spec, not in the shared 2FA helper. Also moves the post-submit `expect(page).toHaveURL(/vault/)` assertion inside `submitTwoFactor` so callers don't have to repeat it.	3 weeks ago
Zaid Marji	88ab51443a	playwright: centralize 2FA challenge handling 2FA challenge submission was inlined across the suite: `login.spec.ts`, `login.smtp.spec.ts` and `setups/sso.ts:logUser` each asserted the "Verify your Identity" heading, generated/retrieved the factor-specific verification code, then clicked Continue. The only piece that varied was the source of the code (TOTP generator vs. email-OTP retrieved from maildev). When the web vault changes the heading copy, the code-input label, or the Continue-button name, every duplicate has to be hunted down separately. Centralises the challenge flow in `setups/2fa.ts` behind a `TwoFactor` discriminated union and a `submitTwoFactor` dispatcher: type TwoFactor = \| { kind: 'totp', totp: OTPAuth.TOTP } \| { kind: 'mail2fa', mailBuffer: MailBuffer } \| { kind: 'fido2' }; Each variant carries exactly the state it needs. `submitTwoFactor` asserts the heading then `switch`es on `kind`: TOTP fills the next-period-boundary code (avoiding period-boundary expiry races near a 30-second tick) and mail2fa retrieves from the buffer; both then click Continue. The `fido2` variant is declared so the union covers every 2FA provider the bundled web vault exposes (the provider row labelled "FIDO2 WebAuthn" in en_GB / "Passkey" in en); no test currently drives the webauthn-connector iframe / CDP virtual-authenticator handshake, so the case throws `Not Implemented` rather than silently no-op'ing. `setups/user.ts:logUser` and `setups/sso.ts:logUser` now share an options bag `{ mailBuffer?, twoFactor? }` (the SSO variant's existing positional `totp` parameter is replaced) and delegate to `submitTwoFactor` when `twoFactor` is set, keeping the two login helpers in lock-step. Refactored consumers: - `login.spec.ts:Authenticator 2fa` -> the inline 2FA block collapses to `await logUser(test, page, user, { twoFactor: { kind: 'totp', totp } })`. - `login.smtp.spec.ts:2fa` -> ditto with `{ kind: 'mail2fa', mailBuffer }`. - `sso_login.spec.ts:SSO login with TOTP 2fa` -> same `totp` variant. - `sso_login.smtp.spec.ts:Log and disable` -> same `mail2fa` variant. - Positional-mailBuffer callers (`login.smtp.spec.ts:Login`, `organization.smtp.spec.ts:Confirm invited user` and `Organization is visible`) switch to options-bag `logUser(..., { mailBuffer })`. login.spec.ts loses no-longer-needed `expect` / `OTPAuth` imports; the factor-specific timestamp logic moves into `submitTwoFactor`. No behaviour change in any test; only structure.	3 weeks ago
Timshel	0182567a62	Playwright against abitrary web-vault (#6380 ) * Playwright improvements * Playwright fix for the extension setup --------- Co-authored-by: Timshel <timshel@users.noreply.github.com>	7 months ago
Timshel	cff6c2b3af	SSO using OpenID Connect (#3899 ) * Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>	10 months ago