1. 25 Jul, 2021 3 commits
  2. 15 Jul, 2021 14 commits
  3. 13 Jul, 2021 1 commit
    • Updated attachment limit descriptions · 6ea95d1e
      BlackDex authored
      The user and org attachment limit use `size` as wording while it should
      have been `storage` since it isn't per attachment, but the sum of all attachments.
      - Changed the wording in the config/env
      - Changed the wording of the error messages.
      Resolves #1818
  4. 10 Jul, 2021 2 commits
    • Prevent user enumeration via password hints · 88bea44d
      Jeremy Lin authored
      When `show_password_hint` is enabled but mail is not configured, the previous
      implementation returned a differentiable response for non-existent email
      Even if mail is enabled, there is a timing side channel since mail is sent
      synchronously. Add a randomized sleep to mitigate this somewhat.
    • Disable `show_password_hint` by default · 8ee5d51b
      Jeremy Lin authored
      A setting that provides unauthenticated access to potentially sensitive data
      shouldn't be enabled by default.
  5. 07 Jul, 2021 3 commits
  6. 04 Jul, 2021 4 commits
    • Added web-vault v2.21.x support + some misc fixes · 403f35b5
      BlackDex authored
      - The new web-vault v2.21.0+ has support for Master Password Reset. For
      this to work it generates a public/private key-pair which needs to be
      stored in the database. Currently the Master Password Reset is not
      fixed, but there are endpoints which are needed even if we do not
      support this feature (yet). This PR fixes those endpoints, and stores
      the keys already in the database.
      - There was an issue when you want to do a key-rotate when you change
      your password, it also called an Emergency Access endpoint, which we do
      not yet support. Because this endpoint failed to reply correctly, it
      produced some errors and also prevented the user from being forced to
      log out. This resolves #1826 by adding at least that endpoint.
      Because that extra endpoint check to Emergency Access is done using
      an old user stamp, I also modified the stamp exception to allow multiple
      rocket routes to be called, and added an expiration timestamp to it.
      During these tests I stumbled upon an issue that after my key-change was
      done, it triggered the websockets to try and reload my ciphers, because
      they were updated. This shouldn't happen when rotating the keys, since
      all access should be invalidated. Now there will be no websocket
      notification for this, which also prevents error toasts.
      - Increased Send Size limit to 500MB (with a little overhead)
      As a side note, I tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
    • Merge pull request #1800 from BlackDex/pre-commit · 3968bc80
      Daniel García authored
      Adding pre-commit config
    • Merge pull request #1830 from BlackDex/vaultwarden-logo · ff66368c
      Daniel García authored
      Storing the original Vaultwarden svg images
    • Storing the original Vaultwarden svg images · 3fb419e7
      BlackDex authored
  7. 29 Jun, 2021 2 commits
  8. 27 Jun, 2021 3 commits
  9. 26 Jun, 2021 6 commits
  10. 25 Jun, 2021 2 commits