mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-06-03 01:13:57 +00:00
Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For this to work it generates a public/private key-pair which needs to be stored in the database. Currently the Master Password Reset is not fixed, but there are endpoints which are needed even if we do not support this feature (yet). This PR fixes those endpoints, and stores the keys already in the database.

- There was an issue when you want to do a key-rotate when you change your password, it also called an Emergency Access endpoint, which we do not yet support. Because this endpoint failed to reply correctly, it produced some errors and also prevented the user from being forced to log out. This resolves #1826 by adding at least that endpoint.

  Because of that extra endpoint check to Emergency Access is done using an old user stamp, I also modified the stamp exception to allow multiple rocket routes to be called, and added an expiration timestamp to it.

  During these tests I stumbled upon an issue that after my key-change was done, it triggered the websockets to try and reload my ciphers, because they were updated. This shouldn't happen when rotating the keys, since all access should be invalidated. Now there will be no websocket notification for this, which also prevents error toasts.

- Increased Send Size limit to 500MB (with a little overhead)

As a side note, I tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
This commit is contained in:
parent
3968bc8016
commit
403f35b571
18 changed files with 147 additions and 33 deletions
15
src/auth.rs
|
@ -325,8 +325,19 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
|
|||
_ => err_handler!("Error getting current route for stamp exception"),
|
||||
};
|
||||
|
||||
// Check if both match, if not this route is not allowed with the current security stamp.
|
||||
if stamp_exception.route != current_route {
|
||||
// Check if the stamp exception has expired first.
|
||||
// Then, check if the current route matches any of the allowed routes.
|
||||
// After that check the stamp in exception matches the one in the claims.
|
||||
if Utc::now().naive_utc().timestamp() > stamp_exception.expire {
|
||||
// If the stamp exception has been expired remove it from the database.
|
||||
// This prevents checking this stamp exception for new requests.
|
||||
let mut user = user;
|
||||
user.reset_stamp_exception();
|
||||
if let Err(e) = user.save(&conn) {
|
||||
error!("Error updating user: {:#?}", e);
|
||||
}
|
||||
err_handler!("Stamp exception is expired")
|
||||
} else if !stamp_exception.routes.contains(¤t_route.to_string()) {
|
||||
err_handler!("Invalid security stamp: Current route and exception route do not match")
|
||||
} else if stamp_exception.security_stamp != claims.sstamp {
|
||||
err_handler!("Invalid security stamp for matched stamp exception")
|
||||
|
|
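Review bot: In the expired branch (`if Utc::now().naive_utc().timestamp() > stamp_exception.expire`), a failed `user.save(&conn)` is only logged, so the expired exception stays stored and later requests that reach this branch will retry the write from inside the `FromRequest` guard. The request is still rejected because `err_handler!("Stamp exception is expired")` runs whether or not the save succeeded, so the path fails closed; a one-line comment saying that is intentional would help the next reader. The new comment block says the expiry is checked first and the stamp last, which means the reset and database write happen before `stamp_exception.security_stamp != claims.sstamp` is evaluated; if that ordering is deliberate, state why, otherwise consider comparing the stamp before mutating the user. It would also help to note next to `expire` that it is compared against a Unix timestamp in seconds. Minor: `routes.contains(...)` allocates a new `String` from the current route on every check, where something like `routes.iter().any(|r| r == current_route)` avoids the allocation.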