mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-10 18:24:43 -06:00
Merge 17eb54e0c5 into 169aa5efcc
This commit is contained in:
commit
851796a60b
@ -495,6 +495,9 @@
|
||||
## Prevent users from logging in directly without going through SSO
|
||||
# SSO_ONLY=false
|
||||
|
||||
## Allow SSO flow to create account. You probably want to disable it when using a public provider.
|
||||
# SSO_SIGNUPS_ALLOWED=true
|
||||
|
||||
## On SSO Signup if a user with a matching email already exists make the association
|
||||
# SSO_SIGNUPS_MATCH_EMAIL=true
|
||||
|
||||
|
||||
@ -233,6 +233,24 @@ async fn sso_login(
|
||||
}
|
||||
)
|
||||
}
|
||||
Some((user, None))
|
||||
if user.private_key.is_none()
|
||||
&& !CONFIG.sso_signups_allowed()
|
||||
&& !CONFIG.is_email_domain_allowed(&user.email)
|
||||
&& !CONFIG.mail_enabled()
|
||||
&& Invitation::find_by_mail(&user.email, conn).await.is_none() =>
|
||||
{
|
||||
error!(
|
||||
"Login failure ({}), no invitation with email ({}) was found",
|
||||
user_infos.identifier, user.email
|
||||
);
|
||||
err_silent!(
|
||||
"Missing invitation",
|
||||
ErrorEvent {
|
||||
event: EventType::UserFailedLogIn
|
||||
}
|
||||
)
|
||||
}
|
||||
Some((user, None)) if user.private_key.is_some() && !CONFIG.sso_signups_match_email() => {
|
||||
error!(
|
||||
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
|
||||
@ -280,7 +298,15 @@ async fn sso_login(
|
||||
// Will trigger 2FA flow if needed
|
||||
let (user, mut device, twofactor_token, sso_user) = match user_with_sso {
|
||||
None => {
|
||||
if !CONFIG.is_email_domain_allowed(&user_infos.email) {
|
||||
if !CONFIG.is_sso_signup_allowed(&user_infos.email) {
|
||||
if CONFIG.signups_domains_whitelist().is_empty() {
|
||||
err!(
|
||||
"Signups are disabled. You will need an invitation",
|
||||
ErrorEvent {
|
||||
event: EventType::UserFailedLogIn
|
||||
}
|
||||
);
|
||||
}
|
||||
err!(
|
||||
"Email domain not allowed",
|
||||
ErrorEvent {
|
||||
|
||||
@ -801,6 +801,8 @@ make_config! {
|
||||
sso_enabled: bool, true, def, false;
|
||||
/// Only SSO login |> Disable Email+Master Password login
|
||||
sso_only: bool, true, def, false;
|
||||
/// Allow SSO flow to create account |> You probably want to disable it when using a public provider
|
||||
sso_signups_allowed: bool, true, def, true;
|
||||
/// Allow email association |> Associate existing non-SSO user based on email
|
||||
sso_signups_match_email: bool, true, def, true;
|
||||
/// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
|
||||
@ -1516,6 +1518,17 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
/// Tests whether SSO signup is allowed for an email address, taking into
|
||||
/// account the sso_signups_allowed and signups_domains_whitelist settings.
|
||||
pub fn is_sso_signup_allowed(&self, email: &str) -> bool {
|
||||
if self.signups_domains_whitelist().is_empty() {
|
||||
self.sso_signups_allowed()
|
||||
} else {
|
||||
// The whitelist setting overrides the signups_allowed setting.
|
||||
self.is_email_domain_allowed(email)
|
||||
}
|
||||
}
|
||||
|
||||
// The registration link should be hidden if
|
||||
// - Signup is not allowed and email whitelist is empty unless mail is disabled and invitations are allowed
|
||||
// - The SSO is activated and password login is disabled.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user