dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-16 04:09:03 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Fix some issues/comments

Browse Source 
Signed-off-by: BlackDex <black.dex@gmail.com>
This commit is contained in:
BlackDex 2025-11-23 11:03:45 +01:00
parent 4675661964
commit f4068e99af
No known key found for this signature in database
GPG Key ID: 58C80A2AA6C765E1
3 changed files with 25 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/api/core/sends.rs
View File

@ -568,7 +568,7 @@ async fn post_access_file(
async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> { async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?; let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
if operator.info().scheme() == String::from(opendal::Scheme::Fs) { if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
let token_claims = crate::auth::generate_send_claims(send_id, file_id); let token_claims = crate::auth::generate_send_claims(send_id, file_id);
let token = crate::auth::encode_jwt(&token_claims); let token = crate::auth::encode_jwt(&token_claims);

2
src/db/models/attachment.rs
View File

@ -46,7 +46,7 @@ impl Attachment {
pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> { pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> {
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?; let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
if operator.info().scheme() == String::from(opendal::Scheme::Fs) { if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone())); let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id)) Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
} else { } else {

25
src/sso.rs
View File

@ -132,6 +132,12 @@ struct BasicTokenClaims {
exp: i64, exp: i64,
} }
#[derive(Deserialize)]
struct BasicTokenClaimsValidation {
exp: u64,
iss: String,
}
impl BasicTokenClaims { impl BasicTokenClaims {
fn nbf(&self) -> i64 { fn nbf(&self) -> i64 {
self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp()) self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
@ -139,8 +145,23 @@ impl BasicTokenClaims {
} }
fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> { fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> {
match jsonwebtoken::dangerous::insecure_decode(token) { // We need to manually validate this token, since `insecure_decode` does not do this
Ok(btc) => Ok(btc.claims), match jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaimsValidation>(token) {
Ok(btcv) => {
let now = jsonwebtoken::get_current_timestamp();
let validate_claim = btcv.claims;
// Validate the exp in the claim with a leeway of 60 seconds, same as jsonwebtoken does
if validate_claim.exp < now - 60 {
err_silent!(format!("Expired Signature for base token claim from {token_name}"))
}
if validate_claim.iss.ne(&CONFIG.sso_authority()) {
err_silent!(format!("Invalid Issuer for base token claim from {token_name}"))
}
// All is validated and ok, lets decode again using the wanted struct
let btc = jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaims>(token).unwrap();
Ok(btc.claims)
}
Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")), Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
} }
} }