Modifications for easier testing

This reverts commit ce5b4df289defefb8802a74d125a2bdd08a6c509.

.dockerignore

@@ -39,5 +39,5 @@ web-vault
 # Vaultwarden Resources
 resources
 
-# Playwright tests
+# Playwrights
 playwright

.env.template

@@ -447,7 +447,7 @@
 # SSO_AUTH_ONLY_NOT_SESSION=false
 ## Client cache for discovery endpoint. Duration in seconds (0 to disable).
 # SSO_CLIENT_CACHE_EXPIRATION=0
-## Log all the tokens, LOG_LEVEL=debug is required
+## Log all the tokens, `LOG_LEVEL=debug` or `LOG_LEVEL_OVERRIDE=vaultwarden::sso=debug` need to be set
 # SSO_DEBUG_TOKENS=false
 
 ########################

.github/FUNDING.yml

@@ -1,3 +1 @@
-github: dani-garcia
-liberapay: dani-garcia
-custom: ["https://paypal.me/DaniGG"]
+github: Timshel

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
   skip_check:
     runs-on: ubuntu-22.04
-    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    if: ${{ github.repository == 'timshel/vaultwarden' }}
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
@@ -28,9 +28,10 @@ jobs:
 
   docker-build:
     runs-on: ubuntu-22.04
+    environment: main
     timeout-minutes: 120
     needs: skip_check
-    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'timshel/vaultwarden' }}
     # Start a local docker registry to extract the final Alpine static build binaries
     services:
       registry:
@@ -162,7 +163,7 @@ jobs:
         if: ${{ matrix.base_image == 'alpine' }}
         shell: bash
         run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/timshel/vaultwarden" | tee -a "${GITHUB_ENV}"
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@1c5f18a523c4c68524cfbc5161494d8bb5b29d20 # v5.0.1
@@ -198,28 +199,28 @@ jobs:
           # This is needed because using different platforms doesn't trigger a new pull/download
 
           # Extract amd64 binary
-          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name amd64 --platform=linux/amd64 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
           docker cp amd64:/vaultwarden vaultwarden-amd64
           docker rm --force amd64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
 
           # Extract arm64 binary
-          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name arm64 --platform=linux/arm64 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
           docker cp arm64:/vaultwarden vaultwarden-arm64
           docker rm --force arm64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
 
           # Extract armv7 binary
-          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
           docker cp armv7:/vaultwarden vaultwarden-armv7
           docker rm --force armv7
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
 
           # Extract armv6 binary
-          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
           docker cp armv6:/vaultwarden vaultwarden-armv6
           docker rm --force armv6
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/timshel/vaultwarden:${EXTRACT_TAG}-alpine"
 
       # Upload artifacts to Github Actions
       - name: "Upload amd64 artifact"

CHANGELOG.md

@@ -0,0 +1,123 @@
+# Changelog
+
+## 1.31.0-1
+
+  - Rebased on `1.31.0` from `dani-garcia/vaultwarden`
+  - Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.5.1-3`
+  - Use `WEB_VAULT_FOLDER` to switch front-end without modifying the FS
+
+## 1.30.5-9
+
+  - Fix organization invitation when SMTP is disabled.
+  - Add `SSO_ORGANIZATIONS_ALL_COLLECTIONS` config to allow to grant or not access to all collections (default `true`)
+
+## 1.30.5-8
+
+  - Rebased on top dani-garcia/vaultwarden latest `main`.
+  - Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.3.1-1` which introduce new layout.
+  - Stop rolling the device token (too many issues with refresh token calls in parallel).
+
+## 1.30.5-7
+
+  - Fix mysql sso_users.identifier key creation error.
+
+## 1.30.5-6
+
+  - Fix lower case issue which generated invalid "your email has changed" (thx @tribut).
+
+## 1.30.5-5
+
+  - Add `SSO_ORGANIZATIONS_ID_MAPPING` to map a Provider group `id` to a Vaultwarden organization `uuid`.
+
+## 1.30.5-4
+
+  - Rebased on latest from [dani-garcia:main](https://github.com/dani-garcia/vaultwarden/tree/main)
+  - Move docker release to [timshel](https://hub.docker.com/repository/docker/timshel/vaultwarden/general)
+  - Split the `experimental` version to a separate [repository](https://hub.docker.com/repository/docker/timshel/oidcwarden/general).
+
+## 1.30.5-3
+
+  - Fix `ForeignKeyViolation` when trying to delete sso user.
+
+## 1.30.5-2
+
+  - Store SSO identifier to prevent account takeover
+
+## 1.30.5-1
+
+  - Rebased on latest from `dani-garcia/vaultwarden`
+
+## 1.30.3-2
+
+  - Add `SSO_CLIENT_CACHE_EXPIRATION` config, to optionally cache the calls to the OpenID discovery endpoint.
+  - Add a `scope` and `iss` in the oidc redirection to try to fix the IOS login failure.
+
+## 1.30.3-1
+
+  - Add `SSO_PKCE` config, disabled for now will probably be activated by defaut in next release.
+
+## 1.30.2-7
+
+ - Reduce default `refresh_validity` to 7 days (reset with each `access_token` refresh, so act as an idle timer).
+   Apply to non sso login and SSO which return a non JWT token with no expiration information.
+ - Roll the already present `Device.refresh_token` which will invalidate past `refresh_token` (SSO and non SSO login).
+ - Remove the `openidconnect` cache since it's not [recommended](https://github.com/ramosbugs/openidconnect-rs/issues/25).
+
+## 1.30.2-6
+
+ - Add `SSO_AUDIENCE_TRUSTED` config to allow to trust additionnal audience.
+
+## 1.30.2-5
+
+ - Fix mysql migration `2024-02-14-170000_add_state_to_sso_nonce`
+
+## 1.30.2-4
+
+ - Upgrade [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-6`
+ - Use `openidconnect` to validate Id Token claims
+ - Remove `SSO_KEY_FILEPATH` should not be useful now
+ - Add `SSO_DEBUG_TOKENS` to log Id/Access/Refresh token to debug
+ - Hardcoded redircetion url
+ - Switch to reading the roles and groups Claims from the Id Token
+
+## 1.30.2-3
+
+ - Add `SSO_AUTHORIZE_EXTRA_PARAMS` to add extra parameter to the authorize redirection (needed to obtain a `refresh_token` with Google Auth).
+
+## 1.30.2-2
+
+ - Fix non jwt `acess_token` check when there is no `refresh_token`
+ - Add `SSO_AUTH_ONLY_NOT_SESSION` to use SSO only for auth not the session lifecycle.
+
+## 1.30.2-1
+
+ - Update [oidc_web_builds](https://github.com/Timshel/oidc_web_builds) version to `v2024.1.2-4` which move the org invite patch to the `button` release (which is expected to be merged in VW).
+ - Remove the `sso_acceptall_invites` setting
+ - Allow to override log level for specific target
+
+## 1.30.1-11
+
+ - Encode redirect url parameters and add `debug` logging.
+
+## 1.30.1-10
+
+ - Keep old prevalidate endpoint for Mobile apps
+
+## 1.30.1-9
+
+ - Add non jwt access_token support
+
+## 1.30.1-8
+
+ - Prevalidate endpoint change in Bitwarden WebVault [web-v2024.1.2](https://github.com/bitwarden/clients/tree/web-v2024.1.2/apps/web)
+ - Add support for `experimental` front-end which stop sending the Master password hash to the server
+ - Fix the in docker images
+
+## 1.30.1-7
+
+ - Switch user invitation status to `Confirmed` on when user login not before (cf https://github.com/Timshel/vaultwarden/issues/17)
+ - Return a 404 when user has no `public_key`, will prevent confirming the user in case previous fix is insufficient.
+
+## 1.30.1-6
+
+ - Ensure the token endpoint always return a `refresh_token` (cf https://github.com/Timshel/vaultwarden/issues/16)

README.md

@@ -1,102 +1,59 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+# Fork from [dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
-📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
+Goal is to help testing code for the SSO [PR](https://github.com/dani-garcia/vaultwarden/pull/3899).
+Based on [Timshel/sso-support](https://github.com/Timshel/vaultwarden/tree/sso-support)
 
----
-[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
-[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
-[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
-[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
-[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
-[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
-[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
+:warning: Branch will be rebased and forced-pushed from time to time. :warning:
 
-Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
+### Experimental Version
 
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
+Made a version which allow to run the server without storing the master password (it's still required just not sent to the server).
+It´s experimental, more information in [timshel/experimental](https://github.com/Timshel/vaultwarden/tree/experimental).
 
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+## Docker
 
----
+Change the docker files to package both front-end from [Timshel/oidc_web_builds](https://github.com/Timshel/oidc_web_builds/releases).
+\
+By default it will use the release which only make the `sso` button visible.
 
-## Features
+If you want to use the version which additionally change the default redirection to `/sso` and fix organization invitation to persist.
+You need to pass an env variable: `-e SSO_FRONTEND='override'` (cf [start.sh](docker/start.sh)).
 
-Basically full implementation of Bitwarden API is provided including:
+Docker images available at:
 
- * Organizations support
- * Attachments and Send
- * Vault API support
- * Serving the static files for Vault interface
- * Website icons API
- * Authenticator and U2F support
- * YubiKey and Duo support
- * Emergency Access
+ - Docker hub [hub.docker.com/r/timshel/vaultwarden](https://hub.docker.com/r/timshel/vaultwarden/tags)
+ - Github container registry [ghcr.io/timshel/vaultwarden](https://github.com/Timshel/vaultwarden/pkgs/container/vaultwarden)
 
-## Installation
-Pull the docker image and mount a volume from the host for persistent storage:
+### Front-end version
 
-```sh
-docker pull vaultwarden/server:latest
-docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
+By default front-end version is fixed to prevent regression (check [CHANGELOG.md](CHANGELOG.md)).
+\
+When building the docker image it can be overrided by passing the `OIDC_WEB_RELEASE` arg.
+\
+Ex to build with latest: `--build-arg OIDC_WEB_RELEASE="https://github.com/Timshel/oidc_web_builds/releases/latest/download"`
+
+## To test VaultWarden with Keycloak
+
+[Readme](docker/keycloak/README.md)
+
+## DB Migration
+
+ATM The migrations add two tables `sso_nonce`, `sso_users` and a column `invited_by_email` to `users_organizations`.
+
+### Revert to default VW
+
+Reverting to the default VW DB state can easily be done manually (Make a backup :) :
+
+```psql
+>BEGIN;
+BEGIN
+>DELETE FROM __diesel_schema_migrations WHERE version in ('20230910133000', '20230914133000', '20240214170000', '20240226170000', '20240306170000', '20240313170000');
+DELETE 5
+>DROP TABLE sso_nonce;
+DROP TABLE
+>DROP TABLE sso_users;
+DROP TABLE
+>ALTER TABLE users_organizations DROP COLUMN invited_by_email;
+ALTER TABLE
+> COMMIT / ROLLBACK;
 ```
-This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
-
-**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
-
-This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
-
-If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
-
-## Usage
-See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.
-
-## Get in touch
-To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).
-
-If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!
-
-If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!
-
-### Sponsors
-Thanks for your contribution to the project!
-
-<!--
-<table>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/username">
-        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
-        <br />
-        <sub><b>username</b></sub>
-      </a>
-  </td>
-  </tr>
-</table>
-
-<br/>
--->
-
-<table>
-  <tr>
-    <td align="center">
-       <a href="https://github.com/themightychris" style="width: 75px">
-        <sub><b>Chris Alfano</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/numberly" style="width: 75px">
-        <sub><b>Numberly</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/IQ333777" style="width: 75px">
-        <sub><b>IQ333777</b></sub>
-      </a>
-    </td>
-  </tr>
-</table>

SSO.md

@@ -27,7 +27,7 @@ The following configurations are available
  - `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
  - `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
  - `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
- - `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
+ - `SSO_DEBUG_TOKENS`: Log all tokens for easier debugging (default `false`, `LOG_LEVEL=debug` or `LOG_LEVEL_OVERRIDE=vaultwarden::sso=debug` need to be set)
 
 The callback url is : `https://your.domain/identity/connect/oidc-signin`
 

docker/DockerSettings.yaml

@@ -1,12 +1,11 @@
 ---
-vault_version: "v2024.5.1b"
-vault_image_digest: "sha256:1a867b4b175e85fc8602314bd83bc263c76c49787031704f16a2915567725375"
 # Cross Compile Docker Helper Scripts v1.4.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 xx_image_digest: "sha256:0cd3f05c72d6c9b038eb135f91376ee1169ef3a330d34e418e65e2a5c2e9c0d4"
 rust_version: 1.79.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: "3.20" # Alpine version to be used
+oidc_web_release: https://github.com/Timshel/oidc_web_builds/releases/download/v2024.5.1-3
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch