dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-06-04 06:24:58 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Fix: update OAuth2 state storage initialization and state token encoding

Browse Source
This commit is contained in:
hnolde 2025-11-04 16:11:51 +01:00
parent 96fe363ee5
commit 7e3acf26b4
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/api/admin.rs
View File

@ -106,7 +106,7 @@ static CAN_BACKUP: LazyLock<bool> =
static CAN_BACKUP: LazyLock<bool> = LazyLock::new(|| false); static CAN_BACKUP: LazyLock<bool> = LazyLock::new(|| false);
// OAuth2 state storage for CSRF protection (state -> expiration timestamp) // OAuth2 state storage for CSRF protection (state -> expiration timestamp)
static OAUTH2_STATES: LazyLock<RwLock<HashMap<String, u64>>> = static OAUTH2_STATES: LazyLock<RwLock<HashMap<String, u64>>> =
LazyLock::new(|| RwLock::new(HashMap::new())); LazyLock::new(|| RwLock::new(HashMap::new()));
#[get("/")] #[get("/")]
@ -370,7 +370,7 @@ fn oauth2_authorize(_token: AdminToken) -> Result<Redirect, Error> {
let scopes = CONFIG.smtp_oauth2_scopes(); let scopes = CONFIG.smtp_oauth2_scopes();
// Generate a random state token for CSRF protection // Generate a random state token for CSRF protection
let state = crate::crypto::encode_random_bytes::<32>(BASE64URL_NOPAD); let state = crate::crypto::encode_random_bytes::<32>(&BASE64URL_NOPAD);
// Store state with expiration (10 minutes from now) // Store state with expiration (10 minutes from now)
let expiration = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() + 600; let expiration = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() + 600;