If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.
But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.
- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
here. I'm using a exit code 255 here so it is different to the other
exit's we use.
- Exit on more issues, since if we continue, it could cause
configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
This makes it consistent with the info message for loading the env file.
Resolves#3090
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.
But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.
- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
here. I'm using a exit code 255 here so it is different to the other
exit's we use.
- Exit on more issues, since if we continue, it could cause
configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
This makes it consistent with the info message for loading the env file.
Resolves#3090
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
As kinda discussed here #3090, the messages regarding loading the
configuration files is a bit strange or unclear. There have been some
other reports regarding this in the past, but wasn't that big a of a
deal.
But to make the whole process it bit more nice, this PR adjusts the way
it reports issues and some small changes to the messages to make it all
a bit more clear.
- Do not report a missing `.env` file, but only send a message when using one.
- Exit instead of Panic, a panic causes a stacktrace, which isn't needed
here. I'm using a exit code 255 here so it is different to the other
exit's we use.
- Exit on more issues, since if we continue, it could cause
configuration issues if the user thinks all is fine.
- Use the actual env file used in the messages instead of `.env`.
- Added a **INFO** message when loading the `config.json`.
This makes it consistent with the info message for loading the env file.
Resolves#3090
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
If the `YUBICO_SERVER` is defined to an empty string, the whole yubikey
implementation doesn't work anymore.
This PR adds a check for this variable that it at least starts with `https://`.
Resolves#3003
- Put groups support behind a feature flag, and disabled by default.
The reason is that it has some known issues, but we want to keep
optimizing this feature. Putting it behind a feature flag could help
some users, and the developers into optimizing this feature without to
much trouble.
Further:
- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
for building the environment variables, lowers heap allocations.
- Put groups support behind a feature flag, and disabled by default.
The reason is that it has some known issues, but we want to keep
optimizing this feature. Putting it behind a feature flag could help
some users, and the developers into optimizing this feature without to
much trouble.
Further:
- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
for building the environment variables, lowers heap allocations.
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
This changes the masking function to hide a bit more information from
the generated support string. It will still keep showing the `://` for
example, and `,`, but other characters will be hidden.
Also did some small changes on some key's which all showed up as
`Internal` on the Settings page.
Fixes#2929
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals
Fixes#2925
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals
Fixes#2925
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals
Fixes#2925
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals
Fixes#2925
- Several cleanups and code optimizations for Emergency Access
- Fixed a race-condition regarding jobs for Emergency Access
- Some other small changes like `allow(clippy::)` removals
Fixes#2925
instead of creating the parent folders to a sqlite database
vaultwarden should just exit if it does not.
this should fix issues like #2835 when a wrongly configured
`DATABASE_URL` falls back to using sqlite
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.
All events are touched except a few, since we do not support those
features (yet), like SSO for example.
This feature is tested with multiple clients and all database types.
Fixes#229
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.
All events are touched except a few, since we do not support those
features (yet), like SSO for example.
This feature is tested with multiple clients and all database types.
Fixes#229
instead of creating the parent folders to a sqlite database
vaultwarden should just exit if it does not.
this should fix issues like #2835 when a wrongly configured
`DATABASE_URL` falls back to using sqlite
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.
All events are touched except a few, since we do not support those
features (yet), like SSO for example.
This feature is tested with multiple clients and all database types.
Fixes#229
It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.
This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.
Fixes#2761
pjsier
BlackDex
Stefan Melmuk
Karbob
Samuel Tardieu