forked from dani-garcia/vaultwarden
-
-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
35 changed files
with
18,749 additions
and
223 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -39,5 +39,5 @@ web-vault | |
# Vaultwarden Resources | ||
resources | ||
|
||
# Playwright tests | ||
# Playwrights | ||
playwright |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1 @@ | ||
github: dani-garcia | ||
liberapay: dani-garcia | ||
custom: ["https://paypal.me/DaniGG"] | ||
github: Timshel |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
# Changelog | ||
|
||
## 1.31.0-1 | ||
|
||
- Rebased on `1.31.0` from `dani-garcia/vaultwarden` | ||
- Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.5.1-3` | ||
- Use `WEB_VAULT_FOLDER` to switch front-end without modifying the FS | ||
|
||
## 1.30.5-9 | ||
|
||
- Fix organization invitation when SMTP is disabled. | ||
- Add `SSO_ORGANIZATIONS_ALL_COLLECTIONS` config to allow to grant or not access to all collections (default `true`) | ||
|
||
## 1.30.5-8 | ||
|
||
- Rebased on top dani-garcia/vaultwarden latest `main`. | ||
- Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.3.1-1` which introduce new layout. | ||
- Stop rolling the device token (too many issues with refresh token calls in parallel). | ||
|
||
## 1.30.5-7 | ||
|
||
- Fix mysql sso_users.identifier key creation error. | ||
|
||
## 1.30.5-6 | ||
|
||
- Fix lower case issue which generated invalid "your email has changed" (thx @tribut). | ||
|
||
## 1.30.5-5 | ||
|
||
- Add `SSO_ORGANIZATIONS_ID_MAPPING` to map a Provider group `id` to a Vaultwarden organization `uuid`. | ||
|
||
## 1.30.5-4 | ||
|
||
- Rebased on latest from [dani-garcia:main](https://github.com/dani-garcia/vaultwarden/tree/main) | ||
- Move docker release to [timshel](https://hub.docker.com/repository/docker/timshel/vaultwarden/general) | ||
- Split the `experimental` version to a separate [repository](https://hub.docker.com/repository/docker/timshel/oidcwarden/general). | ||
|
||
## 1.30.5-3 | ||
|
||
- Fix `ForeignKeyViolation` when trying to delete sso user. | ||
|
||
## 1.30.5-2 | ||
|
||
- Store SSO identifier to prevent account takeover | ||
|
||
## 1.30.5-1 | ||
|
||
- Rebased on latest from `dani-garcia/vaultwarden` | ||
|
||
## 1.30.3-2 | ||
|
||
- Add `SSO_CLIENT_CACHE_EXPIRATION` config, to optionally cache the calls to the OpenID discovery endpoint. | ||
- Add a `scope` and `iss` in the oidc redirection to try to fix the IOS login failure. | ||
|
||
## 1.30.3-1 | ||
|
||
- Add `SSO_PKCE` config, disabled for now will probably be activated by defaut in next release. | ||
|
||
## 1.30.2-7 | ||
|
||
- Reduce default `refresh_validity` to 7 days (reset with each `access_token` refresh, so act as an idle timer). | ||
Apply to non sso login and SSO which return a non JWT token with no expiration information. | ||
- Roll the already present `Device.refresh_token` which will invalidate past `refresh_token` (SSO and non SSO login). | ||
- Remove the `openidconnect` cache since it's not [recommended](https://github.com/ramosbugs/openidconnect-rs/issues/25). | ||
|
||
## 1.30.2-6 | ||
|
||
- Add `SSO_AUDIENCE_TRUSTED` config to allow to trust additionnal audience. | ||
|
||
## 1.30.2-5 | ||
|
||
- Fix mysql migration `2024-02-14-170000_add_state_to_sso_nonce` | ||
|
||
## 1.30.2-4 | ||
|
||
- Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-6` | ||
- Use `openidconnect` to validate Id Token claims | ||
- Remove `SSO_KEY_FILEPATH` should not be useful now | ||
- Add `SSO_DEBUG_TOKENS` to log Id/Access/Refresh token to debug | ||
- Hardcoded redircetion url | ||
- Switch to reading the roles and groups Claims from the Id Token | ||
|
||
## 1.30.2-3 | ||
|
||
- Add `SSO_AUTHORIZE_EXTRA_PARAMS` to add extra parameter to the authorize redirection (needed to obtain a `refresh_token` with Google Auth). | ||
|
||
## 1.30.2-2 | ||
|
||
- Fix non jwt `acess_token` check when there is no `refresh_token` | ||
- Add `SSO_AUTH_ONLY_NOT_SESSION` to use SSO only for auth not the session lifecycle. | ||
|
||
## 1.30.2-1 | ||
|
||
- Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-4` which move the org invite patch to the `button` release (which is expected to be merged in VW). | ||
- Remove the `sso_acceptall_invites` setting | ||
- Allow to override log level for specific target | ||
|
||
## 1.30.1-11 | ||
|
||
- Encode redirect url parameters and add `debug` logging. | ||
|
||
## 1.30.1-10 | ||
|
||
- Keep old prevalidate endpoint for Mobile apps | ||
|
||
## 1.30.1-9 | ||
|
||
- Add non jwt access_token support | ||
|
||
## 1.30.1-8 | ||
|
||
- Prevalidate endpoint change in Bitwarden WebVault [web-v2024.1.2](https://github.com/bitwarden/clients/tree/web-v2024.1.2/apps/web) | ||
- Add support for `experimental` front-end which stop sending the Master password hash to the server | ||
- Fix the in docker images | ||
|
||
## 1.30.1-7 | ||
|
||
- Switch user invitation status to `Confirmed` on when user login not before (cf https://github.com/Timshel/vaultwarden/issues/17) | ||
- Return a 404 when user has no `public_key`, will prevent confirming the user in case previous fix is insufficient. | ||
|
||
## 1.30.1-6 | ||
|
||
- Ensure the token endpoint always return a `refresh_token` (cf https://github.com/Timshel/vaultwarden/issues/16) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,102 +1,65 @@ | ||
### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. | ||
# Fork from [dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden) | ||
|
||
📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation. | ||
Goal is to help testing code for the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899). | ||
Based on [Timshel/sso-support](https://github.com/Timshel/vaultwarden/tree/sso-support) | ||
|
||
--- | ||
[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) | ||
[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden) | ||
[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server) | ||
[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server) | ||
[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden) | ||
[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest) | ||
[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) | ||
[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org) | ||
#### :warning: Branch will be rebased and forced-pushed when updated. :warning: | ||
|
||
Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden). | ||
## Versions | ||
|
||
**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.** | ||
Tagged version are based on Vaultwarden releases, Ex: `1.31.0-1` is the first release based on Vaultwarden `1.31.0`. | ||
\ | ||
See [changelog](CHANGELOG.md) for more details. | ||
|
||
#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels. | ||
## Experimental Version | ||
|
||
--- | ||
Made a version which allow to run the server without storing the master password (it's still required just not sent to the server). | ||
It´s experimental, more information in [timshel/experimental](https://github.com/Timshel/vaultwarden/tree/experimental). | ||
|
||
## Features | ||
## Docker | ||
|
||
Basically full implementation of Bitwarden API is provided including: | ||
Change the docker files to package both front-end from [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds/releases). | ||
\ | ||
By default it will use the release which only make the `sso` button visible. | ||
|
||
* Organizations support | ||
* Attachments and Send | ||
* Vault API support | ||
* Serving the static files for Vault interface | ||
* Website icons API | ||
* Authenticator and U2F support | ||
* YubiKey and Duo support | ||
* Emergency Access | ||
If you want to use the version which additionally change the default redirection to `/sso` and fix organization invitation to persist. | ||
You need to pass an env variable: `-e SSO_FRONTEND='override'` (cf [start.sh](docker/start.sh)). | ||
|
||
## Installation | ||
Pull the docker image and mount a volume from the host for persistent storage: | ||
Docker images available at: | ||
|
||
```sh | ||
docker pull vaultwarden/server:latest | ||
docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest | ||
- Docker hub [hub.docker.com/r/timshel/vaultwarden](https://hub.docker.com/r/timshel/vaultwarden/tags) | ||
- Github container registry [ghcr.io/timshel/vaultwarden](https://github.com/Timshel/vaultwarden/pkgs/container/vaultwarden) | ||
|
||
### Front-end version | ||
|
||
By default front-end version is fixed to prevent regression (check [CHANGELOG.md](CHANGELOG.md)). | ||
\ | ||
When building the docker image it can be overrided by passing the `OIDC_WEB_RELEASE` arg. | ||
\ | ||
Ex to build with latest: `--build-arg OIDC_WEB_RELEASE="https://github.com/Timshel/oidc_web_builds/releases/latest/download"` | ||
|
||
## To test VaultWarden with Keycloak | ||
|
||
[Readme](docker/keycloak/README.md) | ||
|
||
## DB Migration | ||
|
||
ATM The migrations add two tables `sso_nonce`, `sso_users` and a column `invited_by_email` to `users_organizations`. | ||
|
||
### Revert to default VW | ||
|
||
Reverting to the default VW DB state can easily be done manually (Make a backup :) : | ||
|
||
```psql | ||
>BEGIN; | ||
BEGIN | ||
>DELETE FROM __diesel_schema_migrations WHERE version in ('20230910133000', '20230914133000', '20240214170000', '20240226170000', '20240306170000', '20240313170000'); | ||
DELETE 5 | ||
>DROP TABLE sso_nonce; | ||
DROP TABLE | ||
>DROP TABLE sso_users; | ||
DROP TABLE | ||
>ALTER TABLE users_organizations DROP COLUMN invited_by_email; | ||
ALTER TABLE | ||
> COMMIT / ROLLBACK; | ||
``` | ||
This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you. | ||
|
||
**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost. | ||
|
||
This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). | ||
|
||
If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above). | ||
|
||
## Usage | ||
See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server. | ||
|
||
## Get in touch | ||
To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/). | ||
|
||
If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though! | ||
|
||
If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us! | ||
|
||
### Sponsors | ||
Thanks for your contribution to the project! | ||
|
||
<!-- | ||
<table> | ||
<tr> | ||
<td align="center"> | ||
<a href="https://github.com/username"> | ||
<img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/> | ||
<br /> | ||
<sub><b>username</b></sub> | ||
</a> | ||
</td> | ||
</tr> | ||
</table> | ||
<br/> | ||
--> | ||
|
||
<table> | ||
<tr> | ||
<td align="center"> | ||
<a href="https://github.com/themightychris" style="width: 75px"> | ||
<sub><b>Chris Alfano</b></sub> | ||
</a> | ||
</td> | ||
</tr> | ||
<tr> | ||
<td align="center"> | ||
<a href="https://github.com/numberly" style="width: 75px"> | ||
<sub><b>Numberly</b></sub> | ||
</a> | ||
</td> | ||
</tr> | ||
<tr> | ||
<td align="center"> | ||
<a href="https://github.com/IQ333777" style="width: 75px"> | ||
<sub><b>IQ333777</b></sub> | ||
</a> | ||
</td> | ||
</tr> | ||
</table> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.