topaLE/vaultwarden - vaultwarden - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
Zaid Marji	c489186e4f	Add playwright tests for passkey login `passkey.spec.ts` exercises the unauthenticated and authorization-required surface that doesn't need a virtual authenticator: - `GET /identity/accounts/webauthn/assertion-options` returns the documented shape (`Content-Type: application/json`, `options` + `userVerification` + a non-empty `token`). The token format is intentionally not pinned: Vaultwarden mints a UUID, upstream Bitwarden mints a `DataProtectorTokenable`; both are opaque from the client's view. - Five back-to-back calls return five distinct tokens AND five distinct challenges — a refactor that re-used either would let an attacker replay. - The `grant_type=webauthn` token endpoint returns a generic auth-failed message for an unknown token, a malformed deviceresponse, and a structurally-valid but unsignable assertion. The regex accepts both Vaultwarden's "Passkey authentication failed." and upstream Bitwarden's "Invalid credential." — the security contract is the byte-equality between failure branches (oracle defense), not the surface text. - Every webauthn-management endpoint (`GET /api/webauthn`, attestation / assertion options, finish, update, delete) rejects anonymous callers AND callers with a garbage Bearer with 401. - Missing-required-field requests to the webauthn grant are rejected before the handler body runs (token / deviceresponse / client_id / scope). The specific rejection text differs between projects so we only assert that the response is an error. - The web vault renders the "Log in with passkey" entry point. Security-gate coverage covers forged user-handle attempts against disabled and unverified accounts plus the SSO_ONLY webauthn grant gate. The forged-handle cases create real target users but submit intentionally unsignable assertions, asserting the response stays byte-equal to the unknown-user baseline before WebAuthn verification succeeds. Adds the docker-compose environment passthrough needed for per-describe vault restarts with SIGNUPS_VERIFY and SSO_ONLY test configs. README: document the Playwright image's bake-in behavior — the Dockerfile copies `tests/` in at build time, so local edits to `*.spec.ts` are not picked up by `docker compose run Playwright` until the image is rebuilt. Verified empirically: an in-place rename of a `test('…')` title is invisible to `run` until `build Playwright` is invoked, and absolute paths through the mounted `..:/project` volume don't override Playwright's config-derived `testDir`. Add a short note next to the existing "force a rebuild" command. The spec is Firefox-compatible and runs unmodified under the existing playwright project matrix.	3 weeks ago
Zaid Marji	88ab51443a	playwright: centralize 2FA challenge handling 2FA challenge submission was inlined across the suite: `login.spec.ts`, `login.smtp.spec.ts` and `setups/sso.ts:logUser` each asserted the "Verify your Identity" heading, generated/retrieved the factor-specific verification code, then clicked Continue. The only piece that varied was the source of the code (TOTP generator vs. email-OTP retrieved from maildev). When the web vault changes the heading copy, the code-input label, or the Continue-button name, every duplicate has to be hunted down separately. Centralises the challenge flow in `setups/2fa.ts` behind a `TwoFactor` discriminated union and a `submitTwoFactor` dispatcher: type TwoFactor = \| { kind: 'totp', totp: OTPAuth.TOTP } \| { kind: 'mail2fa', mailBuffer: MailBuffer } \| { kind: 'fido2' }; Each variant carries exactly the state it needs. `submitTwoFactor` asserts the heading then `switch`es on `kind`: TOTP fills the next-period-boundary code (avoiding period-boundary expiry races near a 30-second tick) and mail2fa retrieves from the buffer; both then click Continue. The `fido2` variant is declared so the union covers every 2FA provider the bundled web vault exposes (the provider row labelled "FIDO2 WebAuthn" in en_GB / "Passkey" in en); no test currently drives the webauthn-connector iframe / CDP virtual-authenticator handshake, so the case throws `Not Implemented` rather than silently no-op'ing. `setups/user.ts:logUser` and `setups/sso.ts:logUser` now share an options bag `{ mailBuffer?, twoFactor? }` (the SSO variant's existing positional `totp` parameter is replaced) and delegate to `submitTwoFactor` when `twoFactor` is set, keeping the two login helpers in lock-step. Refactored consumers: - `login.spec.ts:Authenticator 2fa` -> the inline 2FA block collapses to `await logUser(test, page, user, { twoFactor: { kind: 'totp', totp } })`. - `login.smtp.spec.ts:2fa` -> ditto with `{ kind: 'mail2fa', mailBuffer }`. - `sso_login.spec.ts:SSO login with TOTP 2fa` -> same `totp` variant. - `sso_login.smtp.spec.ts:Log and disable` -> same `mail2fa` variant. - Positional-mailBuffer callers (`login.smtp.spec.ts:Login`, `organization.smtp.spec.ts:Confirm invited user` and `Organization is visible`) switch to options-bag `logUser(..., { mailBuffer })`. login.spec.ts loses no-longer-needed `expect` / `OTPAuth` imports; the factor-specific timestamp logic moves into `submitTwoFactor`. No behaviour change in any test; only structure.	3 weeks ago
Zaid Marji	ad582b460a	playwright: centralize web-vault selectors into shared setup helpers The suite had several locator patterns scattered across helpers and specs; changes to the bundled web vault would require touching N call sites for each. This commit funnels them into shared helpers so the next web-vault update only touches one place per pattern. `setups/user.ts` additions: - `openAvatarMenu(page, userName)` — header avatar menu open, anchored on the user's display name (`{ exact: true }` to avoid cipher-name substring matches). - `fillNewMasterPassword(page, password)` — registration / MP-change form's `newPassword` + `newPasswordConfirm` `formcontrolname` inputs (the three labels containing "Master password" make label-based locators ambiguous). - `submitMasterPasswordVerification(page, mp)` — the in-dialog `app-user-verification` master-password gate (the `<input id="masterPassword">` inside any sensitive-operation dialog: 2FA enrol/disable, passkey enrol/remove, key rotation, KDF change). Presses Enter on the input to avoid the multi-`Continue`-button ambiguity that the current bundled vault renders. - `createAccount` switched to `fillNewMasterPassword`. `setups/2fa.ts` additions + refactor: - `gotoTwoStepLogin(page, userName)` — Settings → Security → Two-step login navigation, used by every 2FA enrol/disable function. - `clickTwoFactorProviderManage(page, providerLabel)` — `bit-item` provider row → Manage button. Accepts string or RegExp for the row's hasText. - `activateTOTP` / `disableTOTP` / `activateEmail` / `disableEmail` all rewritten to use the new helpers, removing the inline duplication. `setups/sso.ts:logNewUser` — uses `fillNewMasterPassword`. `organization.smtp.spec.ts` and `sso_organization.smtp.spec.ts` invited-with- new-account flows — use `fillNewMasterPassword`. Incidental fixes spotted while refactoring: - `disableTOTP` / `disableEmail` previously had `getByRole('button', { name: 'Test' })` hardcoded for the avatar menu — broke for any user not named "Test". Now `openAvatarMenu(page, user.name)`, parameterised. - `activateTOTP` declared its return type as `: OTPAuth.TOTP` (an async function actually returns `Promise<OTPAuth.TOTP>`); `retrieveEmailCode` similarly declared `: string` instead of `: Promise<string>`. Both fixed. Post-refactor scatter check (rg-confirmed): - `formcontrolname="newPassword"` outside setups/user.ts: 0 - `input#masterPassword` outside setups/user.ts: 0 - `bit-item` provider-row pattern outside setups/2fa.ts: 0 - Avatar-menu via `name: user.name` outside setups/user.ts: 0	3 weeks ago
Zaid Marji	0c009d679d	playwright: fix invitation-accepted toast text + SSO existing-account redirect The bundled web vault renames the org-invitation-acceptance toast from "Invitation accepted" to "Successfully accepted your invitation" in the post-MP-unlock flow used by both invited-with-new-account and invited-with-existing-account tests. Update both specs to match the new toast text. The SSO-side logNewUser flow still emits "Invitation accepted" for the SSO account-creation toast, so setups/sso.ts is left untouched. The SSO invited-with-existing-account flow also no longer auto-redirects to Keycloak — existing emails land on the email-prefilled login form and require an explicit "Use single sign-on" click. Add it before the Keycloak heading assertion.	3 weeks ago
Zaid Marji	9186ec245b	playwright: fix stale org-nav selectors against bundled web vault The product-switch links in the side nav ("Password Manager", "Admin Console", "Members") are icon-only on the current bundled web vault — the link element carries the accessible name but no visible text content. `locator('a').filter({ hasText: '…' })` therefore matches nothing, and every spec that calls into `setups/orgs.ts` (org create, member invite, policy edit, …) times out before doing anything. Switch to `getByRole('link', { name: '…' })` for the three navs. "Admin Console" appears twice once an org exists (in both `bit-nav-logo` and `navigation-product-switcher`); `.first()` picks the visible one. The "Members" entry inside an org also moved from a `<div>` to a `<link>`, so the `locator('div').filter(...).nth(2)` selector is replaced with the same role-based selector. The org-switcher row has a hover tooltip that intercepts the click on the bundled vault, so the click is forced past the overlay. Verified empirically: with these changes, `organization.spec.ts` (1/1) and `sso_organization.spec.ts` (4/5; the remaining failure is an unrelated server-side master-password-policy enforcement issue) run green where they previously failed before any helper step.	3 weeks ago
Zaid Marji	c02ced432d	playwright: fix TOTP setup flow against bundled web vault The `activateTOTP` helper had three issues against the current bundled web vault (v2026.4.1): 1. The master-password reprompt's Continue button click was racing form validation: the form uses Angular's `updateOn: 'blur'` so clicking immediately after `fill()` saw an "invalid" form and the click was silently no-op. Submitting via `mpInput.press('Enter')` triggers the form's `ngSubmit` directly, which validates and submits in one go. 2. `getByLabel('Key').innerText()` was ambiguous: the same page has a `<bit-svg aria-label="Yubico OTP security key">` providers entry whose accessible name contains "Key" as a substring. Strict-mode violation on Firefox. Anchor with `{ exact: true }` to pick only the `<code aria-label="Key">` element holding the base32 secret. 3. After clicking "Turn on", the original code was effectively a no-op (`await page.getByRole('heading', { name: 'Turned on' })` creates a Locator without awaiting visibility), then clicked the "Close" button which is `bit-aria-disable=true` until the dialog finishes its transition. Chromium happens to tolerate the early click; Firefox doesn't. Wait for `networkidle` after Turn on so the activation request completes; drop the Close click because the dialog auto-closes on success on this web vault. `disableTOTP` got the same reprompt-via-Enter fix for parity. Verified empirically: with these changes, `login.spec.ts`'s `Authenticator 2fa` test passes on Firefox against bundled web-vault v2026.4.1.	3 weeks ago
Zaid Marji	c0589bbd74	playwright: fix stale Master password selectors against bundled web vault The bundled web vault dropped the "(required)" suffix from the master-password input's label text (it likely became a separate visual indicator). Every test that drives a master-password reprompt — account creation, TOTP setup, email-2FA setup, SSO master-password flows, organization-policy management — has been failing on the current bundled vault because `getByLabel('Master password (required)', { exact: true })` no longer matches anything. Two-line change in most files: switch to `getByLabel('Master password')`, matching the pattern that `logUser` (setups/user.ts:46) and `login.spec.ts:40` already use successfully. Substring matching is case-sensitive in Playwright, so the selector is unambiguous against the confirm-field ("Confirm master password" has a lowercase 'm'). `createAccount` step 2 (setups/user.ts) and `logNewUser` step 3 (setups/sso.ts) are special: the registration / "Join organisation" form has three labels matching "Master password" as a case-insensitive substring ("Master password\n(required)", "Confirm master password\n (required)" which matches because Playwright's substring match is case-insensitive in practice, and "Master password hint" which also matches). Anchor those two fields by their stable `formcontrolname` attribute (`newPassword` / `newPasswordConfirm`) instead of label text. Verified empirically: with these changes, both `login.spec.ts` (3/3: Account creation, Master password login, Authenticator 2fa) and `sso_login.spec.ts` (8/8 including SSO Account creation, SSO login, SSO login with TOTP 2fa, Non-SSO login fallback, SSO_ONLY, no SSO) run green against bundled web-vault v2026.4.1.	3 weeks ago
Timshel	0182567a62	Playwright against abitrary web-vault (#6380 ) * Playwright improvements * Playwright fix for the extension setup --------- Co-authored-by: Timshel <timshel@users.noreply.github.com>	7 months ago
Timshel	de808c5ad9	Fix Playwright docker (#6206 )	10 months ago
Timshel	cff6c2b3af	SSO using OpenID Connect (#3899 ) * Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>	10 months ago