Tree: 727fead3a0
6 Commits (727fead3a06eabf477ae9abed2ff0328acba7a6f)
6522923cdb
playwright: account lifecycle test + host-iteration config

Add a 23-step single-session lifecycle test covering every code path a real PRF-passkey user exercises: register → enrol passkey #1 → enrol passkey #2 on a second virtual authenticator → log in with passkey → lock + unlock with passkey → register a second-device context + "Log in with device" approval flow → enrol WebAuthn-2FA + TOTP-2FA → log in with passkey (server skips 2FA on webauthn grant) → log in with MP + WebAuthn-2FA → lock + unlock → remove passkey #1 → bump KDF iterations (auto-logout) → re-login with WebAuthn-2FA → rotate account encryption keys (auto-logout) → re-login with MP + TOTP-2FA → lock + unlock with passkey #2 → remove passkey #2 → log in with WebAuthn-2FA (post-login sync refreshes the client cache so the lock-screen assertion sees the credential-free state) → unlock with MP → disable both 2FA providers → log in with MP alone.

A sibling `account-lifecycle-sso` project runs the same 23-step lifecycle under `SSO_ENABLED=true`. Login flows that previously typed MP at the prompt go through Keycloak + the bundled "Unlock vault" MP-decrypt step instead, exercising the SSO + WebAuthn-2FA + PRF passkey composition the original MP-only project couldn't cover.

The body of the lifecycle is shared between both projects via mode-dispatch (`modeOps(sso)`); CDP virtual-authenticator wrangling, passkey enrol/remove, lock/unlock, KDF + MP rotation, and the second-device auth-request flow are extracted into `tests/setups/account_lifecycle_helpers.ts`.

Notable wire-shape coverage:

* `userDecryption.webAuthnPrfOptions` is populated only after PRF enrolment and emptied after passkey removal.
* Rotation re-wraps each PRF credential's stored encryptedUserKey/encryptedPrivateKey; passkey #2 still unlocks the rotated user key.
* KDF change auto-logs out via security-stamp rotation.
* "Log in with device" is gated on `isKnownDevice` in the bundled web vault — the test asserts the affordance is absent on a fresh second-device context and surfaces after that context's first MP login.

Reuses `logUser`/`submitTwoFactor` from `setups/`; the only spec-local helpers are CDP-specific (virtual-authenticator creation, `withAuthenticatorDisabled` callback wrapper) or test-local expectations (`expectLockScreenButtons`, `expectPostEmailPageNoPasskey`, etc.).

Supporting changes for SSO mode:

- `enterEmailOnLoginPage`: SSO branch fills `.vw-email-sso` and clicks "Other" to reveal the MP-continue flow — the standard email-label selector matches the SCSS-hidden `.vw-email-continue` input under `SSO_ENABLED=true`.
- `sso.ts#logUser`: accepts a separate `kcPassword` for cases where vault MP and the IdP credential diverge (post-MP-rotation); accepts either /#/lock or /#/vault after 2FA so PRF auto-unlock via the lock screen's `promptBiometric=true` redirect is tolerated; uses `name: 'Unlock', exact: true` to disambiguate from the "Unlock with passkey" affordance when PRF is enrolled. The "Join organi[sz]ation" heading match is locale-tolerant (en vs en_GB).
- `2fa.ts#submitTwoFactor`: post-2FA URL waiter accepts /#/lock too; TOTP submission tracks its own `last_used` time-step and waits for the next period boundary when a repeat would land on a consumed step, so consecutive TOTP submissions in the same period don't trip vw's `last_used > current` rejection.
- `2fa.ts#ensure2FAProvider`: 5s probe (was 1s) for the default provider's input before falling through to the picker — under SSO mode the extra Keycloak round-trip can delay the connector iframe mount enough to race the switcher.
- `global-utils.ts#cleanLanding`: swallow "navigation interrupted" / `net::ERR_ABORTED` from `page.goto('/')` — the bundled web vault's `/` → `/#/login` hash-route redirect occasionally fires while the initial nav is still resolving under docker's slower I/O.
- `global-utils.ts#startVault`/`dbConfig`: register `account-lifecycle-sso` as a sqlite-backed project.
- `user.ts#logUser`: accepts `kcPassword` for option-shape parity with `sso.ts#logUser`. Ignored in MP-only mode.
- `global-setup.ts`: short-circuits the docker-compose build when `PW_USE_EXTERNAL_VAULT=1` — host-iteration runs against a cargo-run vw don't need the multi-minute release rebuild.

In SSO mode, login-with-passkey is left as MP-mode-only coverage (the SSO project skips the two wire-shape probes for the same reason); the two smaller tests check the same server endpoint shape and are mode-invariant. The SSO lifecycle uses TOTP-2FA with `withAuthenticatorDisabled` at the MP-fresh-required logins so the lock screen waits for manual MP entry instead of auto-firing PRF unlock.

Plumbing changes that come with this spec:

* `playwright.config.ts` threads `PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH` into the `account-lifecycle` project's `launchOptions.executablePath` so the spec can run locally against a host-running Vaultwarden on systems where `npx playwright install chromium` is unsupported.
* `compose/playwright/Dockerfile` installs Chromium alongside Firefox so the docker harness can run the `account-lifecycle` project too.
* `account_lifecycle.spec.ts` honors `PW_USE_EXTERNAL_VAULT=1` to skip the docker startVault/stopVault hooks (host-mode iteration only; CI leaves it unset).

Run requires `LOGIN_RATELIMIT_MAX_BURST` raised above the 10/60s default — multiple `connect/token` POSTs during the auth-request approval + back-to-back 2FA cycles exhaust the limit otherwise. Runtime: ~1.5min MP-mode, ~2min SSO-mode in docker; both well under the 180s test budget.

3 weeks ago
88ab51443a
playwright: centralize 2FA challenge handling

2FA challenge submission was inlined across the suite: `login.spec.ts`, `login.smtp.spec.ts` and `setups/sso.ts:logUser` each asserted the "Verify your Identity" heading, generated/retrieved the factor-specific verification code, then clicked Continue. The only piece that varied was the source of the code (TOTP generator vs. email-OTP retrieved from maildev). When the web vault changes the heading copy, the code-input label, or the Continue-button name, every duplicate has to be hunted down separately.

Centralises the challenge flow in `setups/2fa.ts` behind a `TwoFactor` discriminated union and a `submitTwoFactor` dispatcher:

```ts
type TwoFactor =
  | { kind: 'totp', totp: OTPAuth.TOTP }
  | { kind: 'mail2fa', mailBuffer: MailBuffer }
  | { kind: 'fido2' };
```

Each variant carries exactly the state it needs. `submitTwoFactor` asserts the heading then `switch`es on `kind`: TOTP fills the next-period-boundary code (avoiding period-boundary expiry races near a 30-second tick) and mail2fa retrieves from the buffer; both then click Continue. The `fido2` variant is declared so the union covers every 2FA provider the bundled web vault exposes (the provider row labelled "FIDO2 WebAuthn" in en_GB / "Passkey" in en); no test currently drives the webauthn-connector iframe / CDP virtual-authenticator handshake, so the case throws `Not Implemented` rather than silently no-op'ing.

`setups/user.ts:logUser` and `setups/sso.ts:logUser` now share an options bag `{ mailBuffer?, twoFactor? }` (the SSO variant's existing positional `totp` parameter is replaced) and delegate to `submitTwoFactor` when `twoFactor` is set, keeping the two login helpers in lock-step.

Refactored consumers:

- `login.spec.ts:Authenticator 2fa` -> the inline 2FA block collapses to `await logUser(test, page, user, { twoFactor: { kind: 'totp', totp } })`.
- `login.smtp.spec.ts:2fa` -> ditto with `{ kind: 'mail2fa', mailBuffer }`.
- `sso_login.spec.ts:SSO login with TOTP 2fa` -> same `totp` variant.
- `sso_login.smtp.spec.ts:Log and disable` -> same `mail2fa` variant.
- Positional-mailBuffer callers (`login.smtp.spec.ts:Login`, `organization.smtp.spec.ts:Confirm invited user` and `Organization is visible`) switch to options-bag `logUser(..., { mailBuffer })`.

login.spec.ts loses no-longer-needed `expect` / `OTPAuth` imports; the factor-specific timestamp logic moves into `submitTwoFactor`.

No behaviour change in any test; only structure.

3 weeks ago
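As an added example (not code from the Vaultwarden repository or its Playwright suite), the TypeScript below models two things the commit messages describe: the `TwoFactor` discriminated union with a `switch` dispatcher whose `fido2` arm throws instead of silently no-op'ing (this commit), and the consumed-time-step rule from the account-lifecycle commit above, where a repeat TOTP submission that would land on an already-used 30-second step waits for the next period boundary. It assumes nothing from the suite: TOTP is computed directly with `node:crypto` per RFC 6238 rather than with the `OTPAuth` library, the `MailBuffer` shape, `TotpSubmissionPlanner` and `resolveChallengeCode` names are hypothetical, and the 20-byte key is the RFC 6238 test-vector secret, not a real credential.

```typescript
// Added illustration; not Vaultwarden code. Assumed names: TotpParams,
// TotpSubmissionPlanner, MailBuffer, resolveChallengeCode.
import { createHmac } from 'node:crypto';

export interface TotpParams {
  secret: Buffer; // raw key bytes
  period: number; // seconds per time-step (30 in the suite)
  digits: number; // 6 in practice; the RFC 6238 vectors use 8
}

/** RFC 6238 time-step counter for a Unix time in seconds. */
export function timeStep(p: TotpParams, unixSeconds: number): number {
  return Math.floor(unixSeconds / p.period);
}

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, zero-padded. */
export function hotp(secret: Buffer, counter: number, digits: number): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    ((mac[offset + 1] & 0xff) << 16) |
    ((mac[offset + 2] & 0xff) << 8) |
    (mac[offset + 3] & 0xff);
  return (bin % 10 ** digits).toString().padStart(digits, '0');
}

export function totpAt(p: TotpParams, unixSeconds: number): string {
  return hotp(p.secret, timeStep(p, unixSeconds), p.digits);
}

/**
 * Plans the next TOTP submission. A server that remembers the last accepted
 * time-step rejects a second code from that same step, so if the current step
 * was already consumed we target the following step and report how long to
 * wait until it begins. Returning the plan (instead of sleeping) keeps this
 * testable; a Playwright caller would wait that long before filling the code.
 */
export class TotpSubmissionPlanner {
  private lastUsedStep: number | null = null;
  private readonly p: TotpParams;

  constructor(p: TotpParams) {
    this.p = p;
  }

  plan(nowSeconds: number): { waitSeconds: number; step: number; code: string } {
    let step = timeStep(this.p, nowSeconds);
    let waitSeconds = 0;
    if (this.lastUsedStep !== null && step <= this.lastUsedStep) {
      step = this.lastUsedStep + 1;
      waitSeconds = step * this.p.period - nowSeconds; // seconds until that step starts
    }
    this.lastUsedStep = step;
    // The code is derived from the target step, so it is valid once the boundary passes.
    return { waitSeconds, step, code: hotp(this.p.secret, step, this.p.digits) };
  }
}

/** Hypothetical stand-in for the suite's maildev-backed buffer. */
export interface MailBuffer {
  latestCode(): string | undefined;
}

export type TwoFactor =
  | { kind: 'totp'; planner: TotpSubmissionPlanner }
  | { kind: 'mail2fa'; mailBuffer: MailBuffer }
  | { kind: 'fido2' };

/** Returns the code to type into the challenge and how long to wait before typing it. */
export function resolveChallengeCode(tf: TwoFactor, nowSeconds: number): { code: string; waitSeconds: number } {
  switch (tf.kind) {
    case 'totp': {
      const { code, waitSeconds } = tf.planner.plan(nowSeconds);
      return { code, waitSeconds };
    }
    case 'mail2fa': {
      const code = tf.mailBuffer.latestCode();
      if (code === undefined) throw new Error('no email OTP received');
      return { code, waitSeconds: 0 };
    }
    case 'fido2':
      // Deliberately loud: the WebAuthn handshake is not driven here.
      throw new Error('Not Implemented: fido2 needs the webauthn-connector / virtual-authenticator handshake');
    default: {
      const never: never = tf; // compile-time exhaustiveness check
      throw new Error(`unknown 2FA kind ${JSON.stringify(never)}`);
    }
  }
}

// Constructed input: the RFC 6238 Appendix B test-vector key, not a real secret.
export const RFC6238_SECRET = Buffer.from('12345678901234567890', 'ascii');

/** Two submissions 3 s apart inside one step: the second must wait for the boundary. */
export function demoConsecutiveSubmissions(): number[] {
  const planner = new TotpSubmissionPlanner({ secret: RFC6238_SECRET, period: 30, digits: 6 });
  const t0 = 1_000_000_005; // constructed time, 15 s into step 33333333
  return [planner.plan(t0).waitSeconds, planner.plan(t0 + 3).waitSeconds];
}
```

The planner makes the failure mode explicit: without it, the second `plan` call would return the same code for the same step and the server would reject it as already used; with it, the call returns the next step's code and a 12-second wait.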
ad582b460a
playwright: centralize web-vault selectors into shared setup helpers
The suite had several locator patterns scattered across helpers and specs;
changes to the bundled web vault would require touching N call sites for
each. This commit funnels them into shared helpers so the next web-vault
update only touches one place per pattern.
`setups/user.ts` additions:
- `openAvatarMenu(page, userName)` — header avatar menu open, anchored on
the user's display name (`{ exact: true }` to avoid cipher-name
substring matches).
- `fillNewMasterPassword(page, password)` — registration / MP-change form's
`newPassword` + `newPasswordConfirm` `formcontrolname` inputs (the three
labels containing "Master password" make label-based locators ambiguous).
- `submitMasterPasswordVerification(page, mp)` — the in-dialog
`app-user-verification` master-password gate (the `<input id="masterPassword">`
inside any sensitive-operation dialog: 2FA enrol/disable, passkey
enrol/remove, key rotation, KDF change). Presses Enter on the input to
avoid the multi-`Continue`-button ambiguity that the current bundled
vault renders.
- `createAccount` switched to `fillNewMasterPassword`.
`setups/2fa.ts` additions + refactor:
- `gotoTwoStepLogin(page, userName)` — Settings → Security → Two-step login
navigation, used by every 2FA enrol/disable function.
- `clickTwoFactorProviderManage(page, providerLabel)` — `bit-item` provider
row → Manage button. Accepts string or RegExp for the row's hasText.
- `activateTOTP` / `disableTOTP` / `activateEmail` / `disableEmail` all
rewritten to use the new helpers, removing the inline duplication.
`setups/sso.ts:logNewUser` — uses `fillNewMasterPassword`.
`organization.smtp.spec.ts` and `sso_organization.smtp.spec.ts` invited-with-
new-account flows — use `fillNewMasterPassword`.
Incidental fixes spotted while refactoring:
- `disableTOTP` / `disableEmail` previously had `getByRole('button',
{ name: 'Test' })` hardcoded for the avatar menu — broke for any user
not named "Test". Now `openAvatarMenu(page, user.name)`, parameterised.
- `activateTOTP` declared its return type as `: OTPAuth.TOTP` (an async
function actually returns `Promise<OTPAuth.TOTP>`); `retrieveEmailCode`
similarly declared `: string` instead of `: Promise<string>`. Both
fixed.
Post-refactor scatter check (rg-confirmed):
- `formcontrolname="newPassword"` outside setups/user.ts: 0
- `input#masterPassword` outside setups/user.ts: 0
- `bit-item` provider-row pattern outside setups/2fa.ts: 0
- Avatar-menu via `name: user.name` outside setups/user.ts: 0
3 weeks ago
c0589bbd74
playwright: fix stale Master password selectors against bundled web vault
The bundled web vault dropped the "(required)" suffix from the
master-password input's label text (it likely became a separate visual
indicator). Every test that drives a master-password reprompt — account
creation, TOTP setup, email-2FA setup, SSO master-password flows,
organization-policy management — has been failing on the current
bundled vault because `getByLabel('Master password (required)',
{ exact: true })` no longer matches anything.
Two-line change in most files: switch to `getByLabel('Master password')`,
matching the pattern that `logUser` (setups/user.ts:46) and
`login.spec.ts:40` already use successfully. Substring matching is
case-sensitive in Playwright, so the selector is unambiguous against
the confirm-field ("Confirm master password" has a lowercase 'm').
`createAccount` step 2 (setups/user.ts) and `logNewUser` step 3
(setups/sso.ts) are special: the registration / "Join organisation"
form has three labels matching "Master password" as a case-insensitive
substring ("Master password\n(required)", "Confirm master password\n
(required)" which matches because Playwright's substring match is
case-insensitive in practice, and "Master password hint" which also
matches). Anchor those two fields by their stable `formcontrolname`
attribute (`newPassword` / `newPasswordConfirm`) instead of label text.
Verified empirically: with these changes, both `login.spec.ts` (3/3:
Account creation, Master password login, Authenticator 2fa) and
`sso_login.spec.ts` (8/8 including SSO Account creation, SSO login,
SSO login with TOTP 2fa, Non-SSO login fallback, SSO_ONLY, no SSO)
run green against bundled web-vault v2026.4.1.
3 weeks ago
0182567a62
Playwright against arbitrary web-vault (#6380)

* Playwright improvements
* Playwright fix for the extension setup

---------

Co-authored-by: Timshel <timshel@users.noreply.github.com>

7 months ago
cff6c2b3af
SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect
  Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
  Co-authored-by: Stuart Heap <sheap13@gmail.com>
  Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
  Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
  Co-authored-by: Jacques B. <timshel@github.com>
* Improvements and error handling
* Stop rolling device token
* Add playwright tests
* Activate PKCE by default
* Ensure result order when searching for sso_user
* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
* Toggle SSO button in scss
* Base64 encode state before sending it to providers
* Prevent disabled User from SSO login
* Review fixes
* Remove unused UserOrganization.invited_by_email
* Split SsoUser::find_by_identifier_or_email
* api::Accounts::verify_password add the policy even if it's ignored
* Disable signups if SSO_ONLY is activated
* Add verifiedDate to organizations::get_org_domain_sso_details
* Review fixes
* Remove OrganizationId guard from get_master_password_policy
* Add wrapper type OIDCCode OIDCState OIDCIdentifier
* Membership::confirm_user_invitations fix and tests
* Allow set-password only if account is unitialized
* Review fixes
* Prevent accepting another user invitation
* Log password change event on SSO account creation
* Unify master password policy resolution
* Upgrade openidconnect to 4.0.0
* Revert "Remove unused UserOrganization.invited_by_email"
  This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.
* Process org enrollment in accounts::post_set_password
* Improve tests
* Pass the claim invited_by_email in case it was not in db
* Add Slack configuration hints
* Fix playwright tests
* Skip broken tests
* Add sso identifier in admin user panel
* Remove duplicate expiration check, add a log
* Augment mobile refresh_token validity
* Rauthy configuration hints
* Fix playwright tests
* Playwright upgrade and conf improvement
* Playwright tests improvements
* 2FA email and device creation change
* Fix and improve Playwright tests
* Minor improvements
* Fix enforceOnLogin org policies
* Run playwright sso tests against correct db
* PKCE should now work with Zitadel
* Playwright upgrade maildev to use MailBuffer.expect
* Upgrades playwright tests deps
* Check email_verified in id_token and user_info
* Add sso verified endpoint for v2025.6.0
* Fix playwright tests
* Create a separate sso_client
* Upgrade openidconnect to 4.0.1
* Server settings for login fields toggle
* Use only css for login fields
* Fix playwright test
* Review fix
* More review fix
* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>

10 months ago