
Admin reset not working #3388

Closed
R-DGS opened this issue Mar 29, 2023 · 34 comments · Fixed by #3390
Labels
bug Something isn't working

Comments

@R-DGS (Author) commented Mar 29, 2023

Subject of the issue

Enabled admin reset for an organization (master-password reset).

I used it on a test user to test how it works etc. and if it works.

When I reset the password and try to log in with that account, the login just fails and says username / password wrong.
I tried to change the password multiple times but got the same error.

@BlackDex (Collaborator)

Seems to work fine for me.
Are there any errors in the logs or the browser F12 console when resetting the password?

@R-DGS (Author) commented Mar 29, 2023

/identity/connect/token 400 (Bad Request)
{
"ErrorModel": {
"Message": "Username or password is incorrect. Try again",
"Object": "error"
},
"ExceptionMessage": null,
"ExceptionStackTrace": null,
"InnerExceptionMessage": null,
"Message": "Username or password is incorrect. Try again",
"Object": "error",
"ValidationErrors": {
"": [
"Username or password is incorrect. Try again"
]
},
"error": "",
"error_description": ""
}

@BlackDex (Collaborator)

I actually mean during the password reset, not during login.
Also, what happens if you try to use the original password, and not the one used to reset?

@R-DGS (Author) commented Mar 29, 2023

The account that I did reset was an account that already existed before this update to the latest version. I enabled reset master password and reset it. The old one and the new one aren't working.

I just created a new account and added it to the same organization, and this one is auto-added to the enrollment. I also did a reset on this account, but for this one it works.

I tried it again on the old one and it does not work.

@stefan0xC (Contributor)

Can you tell us more? E.g. by posting the generated support string of the diagnostics page in the admin panel? And by also providing the logs when you try to change the password of the old user, in case there is some indication of what happens?

@BlackDex (Collaborator)

I just tried multiple scenarios, including the one you did with an existing account.
I'm not seeing any issues here at all.

From which version did you come?

@R-DGS (Author) commented Mar 29, 2023

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.28.0
  • Web-vault version: v2023.3.0b
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.39.2
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": true,
  "domain": "*****://***************",
  "domain_origin": "*****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 2000000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "*****************,************,********,******************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "***********",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "85784",
  "yubico_secret_key": "***",
  "yubico_server": null
}

_vaultwarden_logs.txt

@R-DGS (Author) commented Mar 29, 2023

1.27, the previous version.

@BlackDex (Collaborator)

First, I would suggest to try and use a reverse proxy to handle the TLS/cert errors I see.
Second, could you please try the :testing tagged image and see if that solves the issue?
I see an error regarding the known device endpoint. While I think it shouldn't have any impact, I could be wrong of course.

@R-DGS (Author) commented Mar 29, 2023

> First, I would suggest to try and use a reverse proxy to handle the TLS/cert errors I see. Second, could you please try the :testing tagged image and see if that solves the issue? I see an error regarding the known device endpoint. While I think it shouldn't have any impact, I could be wrong of course.

This is a live setup, so I can't really just put the whole Vaultwarden on testing.

This is only for internal usage. A reverse proxy in our network is harder to fix.

@BlackDex (Collaborator)

Well, there is nothing changed in testing except those issues.
You can always copy the database etc. and set up a different container, maybe?

@R-DGS (Author) commented Mar 29, 2023

> Well, there is nothing changed in testing except those issues. You can always copy the database etc. and set up a different container, maybe?

Will check on that. Because this is a VM with Debian/Docker installed, I need to move the VM itself to a different system.

@BlackDex (Collaborator)

I think i have found the issue.

@BlackDex (Collaborator)

Yes. The issue is that for some reason the mail which needs to be sent to the user isn't sent, which causes a delay/timeout and causes a 504, for me at least. And for some reason it breaks the reset. Which is strange, since it should break/exit/return if sending the mail doesn't work, and should not reset the user's password at that point.

BlackDex added the labels bug (Something isn't working) and troubleshooting (There might be a bug or it could be user error, more info needed) on Mar 29, 2023
@BlackDex (Collaborator)

@R-DGS Can you verify that that specific account did not receive a mail about the password reset?

@R-DGS (Author) commented Mar 29, 2023

> @R-DGS Can you verify that that specific account did not receive a mail about the password reset?

When I reset the password I get an email saying that the master password is reset.

@BlackDex (Collaborator)

Hmm... Also for the user for which it is not working?

@R-DGS (Author) commented Mar 29, 2023

> Hmm... Also for the user for which it is not working?

Yes. Every time I do a reset I get an email.

@BlackDex (Collaborator)

Could you try to log in with a different browser or in a Private/Incognito mode for that user?
I'm a bit confused, since if the submit works it should have set the correct password.

@R-DGS (Author) commented Mar 29, 2023

> Could you try to log in with a different browser or in a Private/Incognito mode for that user? I'm a bit confused, since if the submit works it should have set the correct password.

I have tried it in Firefox / Firefox private and Chrome / Chrome private.

I did start up an old copy of the VM and updated that one also. As far as I know not much is changed, except that the other one has all the users and passwords and a different org, and the one I started is an initial setup of Vaultwarden.

On my test copy, which is running the latest (not the testing one), it is working on the old account that is there.

Maybe due to all the testing and changing it might have corrupted that user account.

So maybe I will see if I can make a copy of the live version and do some tests with that one.

@BlackDex (Collaborator)

In theory, you should be able to overwrite the user's record, which includes their keys and the hashed master-password hash.
That way the user's password and key still match, and if the password/keys are not rotated it should still be able to access it.
Just make sure to make a backup of the database.

Also, you could try to do a database check.

sqlite3 db.sqlite3 'PRAGMA integrity_check;'

If that results in all ok, a database corruption is probably not the issue.

@R-DGS (Author) commented Mar 29, 2023

> sqlite3 db.sqlite3 'PRAGMA integrity_check;'

It did give the status ok.

@R-DGS (Author) commented Mar 29, 2023

What I do remember (and I was looking in the SQLite DB) is that on the account where I reset the admin password I had changed the keys to Argon2id.

By default that isn't used yet, but I also wanted to test that out on that account.

I tried it again with a new account, changed the keys to Argon2id and changed the master password, and now it fails again.
The account where I changed this does not have Argon2id chosen yet.

@BlackDex (Collaborator)

Ai. We need to check if this also happens on Bitwarden itself! If that is the case, we can't fix this ourselves.
But good find! Thanks for the update.

@BlackDex (Collaborator) commented Mar 29, 2023

> What I do remember (and I was looking in the SQLite DB) is that on the account where I reset the admin password I had changed the keys to Argon2id.
>
> By default that isn't used yet, but I also wanted to test that out on that account.
>
> I tried it again with a new account, changed the keys to Argon2id and changed the master password, and now it fails again.
> The account where I changed this does not have Argon2id chosen yet.

I quickly tried this myself, and I do not see the same issue unfortunately.

@stefan0xC (Contributor) commented Mar 29, 2023

I managed to reproduce this by setting the Argon2id parameters really high so it takes a lot more than a second (something like m=512,t=6,p=4).

Adding my test account to the organization and enrolling to the feature worked. But when I tried to change the password via the admin password reset function, I could not login with this account anymore (neither old nor new password).

I could get the login for my test account working by manually reducing these values directly in the database and then resetting the password again:

UPDATE users SET client_kdf_memory = 64, client_kdf_iter = 3, client_kdf_parallelism = 4 WHERE email = 'testuser@example.com';

Not sure if this has any unintended side consequences (so far it looks good but I have not tested this extensively).
edit: updated to the actual sql statement I ran...

@BlackDex (Collaborator)

That kinda looks the same as my mail timeout issue I just got once.
Does the call to the server get executed? Or does something else happen?

Is this more a client-side issue or a server one? And what happens when you use the PR I created with the error fix?

@stefan0xC (Contributor) commented Mar 29, 2023

I got a mail network issue (once), my firefox also froze by the second time (but might have been unrelated) and once it looked like it worked (but without any error messages).

I will test your PR tomorrow (sorry, it's getting late). But if the client can't handle it, then it might be out of our control.

[2023-03-30 00:24:32.509][request][INFO] GET /api/organizations/2a669f07-a4d3-49a4-9fc3-7b6fd76f1a42/users/0519f8ea-f69d-46ad-ab77-175826087962/reset-password-details
[2023-03-30 00:24:32.512][response][INFO] (get_reset_password_details) GET /api/organizations/<org_id>/users/<org_user_id>/reset-password-details => 200 OK
[2023-03-30 00:24:32.953][request][INFO] PUT /api/organizations/2a669f07-a4d3-49a4-9fc3-7b6fd76f1a42/users/0519f8ea-f69d-46ad-ab77-175826087962/reset-password
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("img_src")], "img_src")))
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("user_name")], "user_name")))
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("img_src")], "img_src")))
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("user_name")], "user_name")))
[2023-03-30 00:24:32.955][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))


[2023-03-30 00:24:47.966][vaultwarden::mail][DEBUG] SMTP error: lettre::transport::smtp::Error {
    kind: Connection,
    source: Os {
        code: 101,
        kind: NetworkUnreachable,
        message: "Network is unreachable",
    },
}
[2023-03-30 00:24:47.966][vaultwarden::mail][ERROR] SMTP error: Connection error: Network is unreachable (os error 101)
[2023-03-30 00:24:47.967][vaultwarden::api::core::organizations][ERROR] Error sending user reset password email: SMTP error: Connection error: Network is unreachable (os error 101)
[2023-03-30 00:24:48.963][response][INFO] (put_reset_password) PUT /api/organizations/<org_id>/users/<org_user_id>/reset-password => 200 OK

@BlackDex (Collaborator)

But, it shouldn't break, or render the login invalid. Unless the argon2 code part freezes and breaks for some reason. But the data in the db should still be valid. We only store the new key/pw-hash.

@R-DGS (Author) commented Mar 30, 2023

> I managed to reproduce this by setting the Argon2id parameters really high so it takes a lot more than a second (something like m=512,t=6,p=4).
>
> Adding my test account to the organization and enrolling to the feature worked. But when I tried to change the password via the admin password reset function, I could not log in with this account anymore (neither old nor new password).
>
> I could get the login for my test account working by manually reducing these values directly in the database and then resetting the password again:
>
> UPDATE users SET client_kdf_memory = 19, client_kdf_iter = 2, client_kdf_parallelism = 1 WHERE email = 'testuser@example.com';
>
> Not sure if this has any unintended side consequences (so far it looks good but I have not tested this extensively).

Yes, I also had it set a little higher than the standard: 128 5 7, or 7 5 for the last 2 values.

@stefan0xC (Contributor) commented Mar 30, 2023

I think I found the problem in reset-password-details because it only returns a value for Kdf and KdfIterations. So my sql statement should actually have set the remaining values to the default values (m=64 p=4) to get the password to work. Sorry I had changed it to lower values in my previous post but not actually tested it. 😓
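
For anyone on v1.28.0 who has to apply the repair described above by hand, here is an added Python helper (example code, not a Vaultwarden tool) that does it the way a careful operator would: online backup first, the same PRAGMA integrity_check BlackDex suggested, then the column update inside a transaction with a row-count check and a before/after readback. It follows the corrected diagnosis: the admin's client hashed the new password with the default memory and parallelism (m=64, p=4), so the stored columns are pointed at those defaults, while client_kdf_iter is left alone because reset-password-details did return KdfIterations. Assumptions: the users table has the columns email, client_kdf_iter, client_kdf_memory and client_kdf_parallelism (all named in this thread) plus client_kdf_type with the value 1 meaning Argon2id (assumed), and Vaultwarden is stopped while the database is edited. The in-memory table and accounts at the bottom are constructed for the demo.

```python
"""Repair an account locked out by an admin password reset (issue #3388)
on a SQLite-backed Vaultwarden.

Added example, not Vaultwarden code. Column names beyond the three shown in
the thread (client_kdf_type = 1 for Argon2id) are assumptions.
"""
import sqlite3

KDF_ARGON2ID = 1                                  # assumed value of client_kdf_type for Argon2id
DEFAULT_MEMORY, DEFAULT_PARALLELISM = 64, 4       # defaults the admin client fell back to
KDF_COLUMNS = ("client_kdf_type", "client_kdf_iter", "client_kdf_memory", "client_kdf_parallelism")


def backup_database(conn: sqlite3.Connection, backup_path: str) -> None:
    """Consistent copy through the SQLite online-backup API; do this before any UPDATE."""
    dst = sqlite3.connect(backup_path)
    with dst:
        conn.backup(dst)
    dst.close()


def integrity_ok(conn: sqlite3.Connection) -> bool:
    """Same check as `sqlite3 db.sqlite3 'PRAGMA integrity_check;'`: the single row must read 'ok'."""
    return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"


def kdf_settings(conn: sqlite3.Connection, email: str) -> dict:
    """Read the stored client-side KDF parameters of one account."""
    row = conn.execute(
        f"SELECT {', '.join(KDF_COLUMNS)} FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no user with email {email}")
    return dict(zip(("type", "iterations", "memory", "parallelism"), row))


def repair_reset_account(conn: sqlite3.Connection, email: str) -> dict:
    """Set memory/parallelism to the defaults the admin's client actually used.

    Only run this for an account that was admin-reset and can no longer log in.
    An Argon2id user with custom values who was never reset still has a hash
    derived with those custom values; changing the columns would lock them out.
    """
    before = kdf_settings(conn, email)
    if before["type"] != KDF_ARGON2ID:
        raise ValueError(f"{email} is not on Argon2id; #3388 does not apply")
    with conn:                                    # one transaction: commit or roll back
        cur = conn.execute(
            "UPDATE users SET client_kdf_memory = ?, client_kdf_parallelism = ? "
            "WHERE email = ? AND client_kdf_type = ?",
            (DEFAULT_MEMORY, DEFAULT_PARALLELISM, email, KDF_ARGON2ID),
        )
        if cur.rowcount != 1:                     # never touch more (or fewer) rows than intended
            raise RuntimeError(f"expected to update 1 row, updated {cur.rowcount}")
    return {"before": before, "after": kdf_settings(conn, email)}


def demo_database() -> sqlite3.Connection:
    """Constructed in-memory stand-in for data/db.sqlite3 with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, client_kdf_type INTEGER, "
        "client_kdf_iter INTEGER, client_kdf_memory INTEGER, client_kdf_parallelism INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        ("testuser@example.com", KDF_ARGON2ID, 6, 512, 4),   # admin-reset, now locked out
        ("other@example.com", KDF_ARGON2ID, 3, 128, 4),      # custom values, never reset: leave alone
        ("legacy@example.com", 0, 600000, None, None),       # PBKDF2 account, unaffected
    ])
    return conn


if __name__ == "__main__":
    db = demo_database()
    print("integrity:", integrity_ok(db))
    print(repair_reset_account(db, "testuser@example.com"))
```

Against a real instance, replace demo_database() with sqlite3.connect("data/db.sqlite3"), call backup_database() first, and run the repair only for the specific email that was reset; the function refuses non-Argon2id rows and aborts if the UPDATE would touch anything but one row.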

@BlackDex (Collaborator) commented Mar 30, 2023

> I think I found the problem in reset-password-details because it only returns a value for Kdf and KdfIterations. So my sql statement should actually have set the remaining values to the default values (m=64 p=4) to get the password to work. Sorry I had changed it to lower values in my previous post but not actually tested it. 😓

Ah! I did not change anything, and used the default settings. Which is probably what will be used if nothing is returned.

I'm quickly testing this right now :)

@BlackDex (Collaborator) commented Mar 30, 2023

@stefan0xC Yes, it looks like it just used the defaults set for Argon2id. That is why it worked for me in my test.
I'll update my PR to fix this.

BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Mar 30, 2023
A wrong macro was used to produce an error message when mailing
the user that his password was reset failed. It was using `error!()`, which
does not return an `Err` and abort the rest of the code.

This resulted in the user's password still being reset, but the user not being
notified. This PR fixes this by using `err!()`. Also, do not set the
user object as mutable until it really is needed.

Second, when a user was using the new Argon2id KDF with custom values
like memory and parallelism, that would have rendered the password
incorrect. The endpoint which should return all the data did not
return all the new Argon2id values.

Fixes dani-garcia#3388

Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
BlackDex removed the troubleshooting (There might be a bug or it could be user error, more info needed) label on Mar 30, 2023
@BlackDex (Collaborator)

Thanks @R-DGS for reporting this issue. There is a PR now which should fix this.
Thanks @stefan0xC for spotting the specific location!
I checked all other locations where we return these values, and looks like all should be valid and this location was missed.
I added you as Co-Author to the PR :).

Ping-timeout pushed a commit to Ping-timeout/vaultwarden that referenced this issue Apr 3, 2023
* Fix remaining inline format

* Use more modern meta tag for charset encoding

* fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory

* Optimize CipherSyncData for very large vaults

As mentioned in dani-garcia#3111, using a very very large vault causes some issues.
Mainly because of a SQLite limit, but, it could also cause issue on
MariaDB/MySQL or PostgreSQL. It also uses a lot of memory, and memory
allocations.

This PR solves this by removing the need of all the cipher_uuid's just
to gather the correct attachments.

It will use the user_uuid and org_uuid's to get all attachments linked
to both, whether the user has access to them or not. This isn't an
issue, since the matching is done per cipher and the attachment data is
only returned if there is a matching cipher to where the user has access to.

I also modified some code to be able to use `::with_capacity(n)` where
possible. This prevents re-allocations if the `Vec` increases size,
which will happen a lot if there are a lot of ciphers.

According to my tests measuring the time it takes to sync, it seems to
have lowered the duration a bit more.

Fixes dani-garcia#3111

* Add MFA icon to org member overview

The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.

* Add avatar color support

The new web-vault v2023.1.0 supports a custom color for the avatar.
bitwarden/server#2330

This PR adds this feature.

* Update Rust to v1.66.1 to patch CVE

This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.

* Update web vault to 2023.1.0

* include key into user.set_password

* Validate note sizes on key-rotation.

We also need to validate the note sizes on key-rotation.
If we do not validate them before we store them, that could lead to a
partial or total loss of the password vault. Validating these
restrictions before actually processing them to store/replace the
existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is
triggering the password/key-rotation change should not be forced to
logout via a web-socket request. That is something the client will
handle it self. Refactored the logout notification to either send the
device uuid or not on specific actions.

Fixes dani-garcia#3152

* Update KDF Configuration and processing

- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
- Update Password Hash when the default iteration value is different
- Validate password_iterations
- Validate client-side KDF to prevent it from being set lower than 100_000

* Updated web vault to 2023.1.1 and rust dependencies

* Re-License Vaultwarden to AGPLv3

This commit prepares Vaultwarden for the Re-Licensing to AGPLv3
Solves #2450

* Remove `arm32v6`-specific tag

This section of code seems to be breaking the Docker release workflow as of a
few days ago, though it's unclear why. This tag only existed to work around
an issue with Docker pulling the wrong image for ARMv6 platforms; that issue
was resolved in Docker 20.10.0, which has been out for a few years now, so it
seems like a reasonable time to drop this tag.

* Rename `.buildx` Dockerfiles to `.buildkit`

This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx.

* Disable Hadolint check for consecutive `RUN` instructions (DL3059)

This check doesn't seem to add enough value to justify the difficulties it
tends to create when generating `RUN` instructions from a template.

* added database migration

* working implementation

* fixes for current upstream main

* "Spell-Jacking" mitigation ~ prevent sensitive data leak from spell checker.
@see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

* Fix Javascript issue on non sqlite databases

When a non sqlite database is used, loading the admin interface fails
because the backup button is not generated.
This PR solves it by checking if the elements are valid.

Also made some other changes and fixed some eslint errors.
Showing `_post` errors is better now.

Update jquery to latest version.

Fixes dani-garcia#3166

* Allow listening on privileged ports (below 1024) as non-root

This is done by running `setcap cap_net_bind_service=+ep` on the executable
in the build stage (doing it in the runtime stage creates an extra copy of
the executable that bloats the image). This only works when using the
BuildKit-based builder, since the `COPY` instruction doesn't copy
capabilities on the legacy builder.

* don't nullify key when editing emergency access

the client does not send the key on every update of an emergency access
contact so the field would be emptied on a change of the wait days or access level.

* Replaced wrong mysql column type

* improved security, disabling policy usage on
email-disabled clients and some refactoring

* rust lang specific improvements

* completely hide reset password policy
on email disabled instances

* change description of domain configuration

Vaultwarden send won't work if the domain includes a trailing slash.
This should be documented, as it may lead to confusion among users.

* improve wording of domain description

* Generate distinct log messages for regex vs. IP blacklisting.

When an icon will not be downloaded due to matching a configured
blacklist, ensure that the log message indicates the type of blacklist
that was matched.

* Ensure that all results from check_domain_blacklist_reason are cached.

* remove documentation of bug since I'm fixing it

* fix trailing slash not being removed from domain

* allow editing/unhiding by group

Fixes dani-garcia#2989

Signed-off-by: Jan Jansen <jan.jansen@gdata.de>

* Revert "fix trailing slash not being removed from domain"

This reverts commit 679bc7a.

* fix trailing slash in configuration builder

* remove warn when sanitizing domain

* add argon2 kdf fields

* Add support for sendmail as a mail transport

* check if SENDMAIL_COMMAND is valid using 'which' crate

* add EXE_SUFFIX to sendmail executable when not specified

* Updated Rust and crates

- Updated Rust to v1.67.0
- Updated all crates except for `cookies` and `webauthn`

* docs: add build status badge in readme

* Fix Organization delete when groups are configured

With existing groups configured within an org, deleting that org would
fail because of Foreign Key issues.

This PR fixes this by making sure the groups get deleted before the org does.

Fixes dani-garcia#3247

* Fix Collection Read Only access for groups

I messed up with indentation sorry it's my first PR

Fix Collection Read Only access for groups

Fix Collection Read Only access for groups

With indentation modification

* Validate all needed fields for client API login

During the client API login we need to have a `device_identifier`, `device_name` and `device_type`.
When these were not provided Vaultwarden would panic.

This PR adds checks for these fields and makes sure it returns a better error message instead of causing a panic.

* Make the admin cookie lifetime adjustable

* Add function to fetch user by email address

* Apply Admin Session Lifetime to JWT

* Apply rewording

* docs: add build status badge in readme

* docs: add build status badge in readme

* Validate all needed fields for client API login

During the client API login we need to have a `device_identifier`, `device_name` and `device_type`.
When these were not provided Vaultwarden would panic.

This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic.

* docs: add build status badge in readme

* Validate all needed fields for client API login

During the client API login we need to have a `device_identifier`, `device_name` and `device_type`.
When these were not provided Vaultwarden would panic.

This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic.

* Fix Organization delete when groups are configured

With existing groups configured within an org, deleting that org would
fail because of Foreign Key issues.

This PR fixes this by making sure the groups get deleted before the org does.

Fixes dani-garcia#3247

* docs: add build status badge in readme

* Validate all needed fields for client API login

During the client API login we need to have a `device_identifier`, `device_name` and `device_type`.
When these were not provided Vaultwarden would panic.

This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic.

* Fix Organization delete when groups are configured

With existing groups configured within an org, deleting that org would
fail because of Foreign Key issues.

This PR fixes this by making sure the groups get deleted before the org does.

Fixes dani-garcia#3247

* Fix Collection Read Only access for groups

I messed up with identation sorry it's my first PR

Fix Collection Read Only access for groups

Fix Collection Read Only access for groups

With indentation modification

* Add missing collections/details endpoint, based on the existing one

* Update web vault to v2023.2.0 and dependencies

* Fix vault item display in org vault view

In the org vault view, the Bitwarden web vault currently tries to fetch the
groups for an org regardless of whether it claims to have group support.
If this errors out, no vault items are displayed.

* Add confirmation for removing 2FA and deauth sessions in admin panel

* Fix the web-vault v2023.2.0 API calls

- Supports the new Collection/Group/User editing UI's
- Support `/partial` endpoint for cipher updating to allow folder and favorite update for read-only ciphers.
- Prevent `Favorite`, `Folder`, `read-only` and `hide-passwords` from being added to the organizational sync.
- Added and corrected some `Object` key's to the output json.

Fixes dani-garcia#3279

* Some Admin Interface updates

- Updated datatables
- Added NTP Time check
- Added Collections, Groups and Events count for orgs
- Renamed `Items` to `Ciphers`
- Some small style updates

* Fix confirmation for removing 2FA and deauthing sessions in admin panel

* Admin token Argon2 hashing support

Added support for Argon2 hashing of the `ADMIN_TOKEN` instead
of only supporting a plain text string.

The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.

You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides themselves.

Added a warning during startup and within the admin settings panel if
the `ADMIN_TOKEN` is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has been converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden itself
would run. They can always use the `argon2` CLI and generate a faster hash.

* Add HEAD routes to avoid spurious error messages

Rocket automatically implements a HEAD route when there's a matching GET
route, but relying on this behavior also means a spurious error gets
logged due to <rwf2/Rocket#1098>.

Add explicit HEAD routes for `/` and `/alive` to prevent uptime monitoring
services from generating error messages like `No matching routes for HEAD /`.
With these new routes, `HEAD /` only checks that the server can respond over
the network, while `HEAD /alive` also checks that the database connection is
alive, similar to `GET /alive`.

* Fix web-vault Member UI show/edit/save

There was a small bug left in regards to the web-vault v2023.2.0 fixes.
This PR fixes the remaining items. I think all should be addressed now.
When editing a user, you were not able to see or edit groups, or see
which collections a user belonged to.

Fixes dani-garcia#3311

* Upd Crates, Rust, MSRV, GHA and remove Backtrace

- Changed MSRV to v1.65.
  Discussed this with @dani-garcia, and we will support **N-2**.
  This is/will be the same as for the `time` crate we use.
  Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary
- Removed backtrace crate in favor of `std::backtrace` stable since v1.65
- Updated Rust to v1.67.1
- Updated all the crates
- Updated the GHA action versions
- Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml`

* Merge ClientIp with Headers.

Since we now use the `ClientIp` Guard on a lot more places, it also
increases the size of binary, and the macro generated code because of
this extra Guard. By merging the `ClientIp` Guard with the several
`Header` guards we have it reduces the amount of code generated
(including LLVM IR), but also a small speedup in build time.

I also spotted some small `json!()` optimizations which also reduced the
amount of code generated.

* Add support for `/api/devices/knowndevice` with HTTP header params

Upstream PR: bitwarden/server#2682

* Update Rust, MSRV and Crates

- Updated all the crates
- Updated Rust and MSRV

* Update web vault to v2023.3.0 and dependencies

* add endpoint to bulk delete groups

* add endpoint to bulk delete collections

* don't use `assert()` in production code

Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>

* Add support for Quay.io and GHCR.io as registries

- Added support for Quay.io
- Added support for GHCR.io

To enable support for these container image registries the following needs to be added.

As `Actions secrets and variables` - `Secrets`
- `DOCKERHUB_TOKEN` and `DOCKERHUB_USERNAME`
- `QUAY_TOKEN` and `QUAY_USERNAME`

As `Actions secrets and variables` - `Variables` - `Repository Variables`
- `DOCKERHUB_REPO`
- `GHCR_REPO`
- `QUAY_REPO`

The `DOCKERHUB_REPO` currently configured in `Secrets` can be removed if wanted, probably best after this PR has been merged.

If one of the vars/secrets are not configured it will skip that specific registry!

* Some small fixes and updates

- Updated workflows to use new checkout version
  This probably fixes the curl download for hadolint also.
- Updated crates including Rocket to the latest rc3 :party:
- Applied 2 nightly clippy lints to prevent future clippy issues.

* Update web vault to v2023.3.0b

* Decode knowndevice `X-Request-Email` as base64url with no padding

The clients end up removing the padding characters [1][2].

[1] https://github.com/bitwarden/clients/blob/web-v2023.3.0/libs/common/src/misc/utils.ts#L141-L143
[2] https://github.com/bitwarden/mobile/blob/v2023.3.1/src/Core/Utilities/CoreHelpers.cs#L227-L234

* Fix password reset issues

The wrong macro was used to produce an error message when mailing
the user that their password was reset failed. It was using `error!()`,
which does not return an `Err` and abort the rest of the code.

This resulted in the user's password still being reset, but the user
not being notified. This PR fixes this by using `err!()`. Also, do not
set the user object as mutable until it really is needed.

Second, when a user was using the new Argon2id KDF with custom values
like memory and parallelism, that would have rendered the password
incorrect. The endpoint which should return all the data did not
return all the new Argon2id values.

Fixes dani-garcia#3388

Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>

* support `/users/<uuid>/invite/resend` admin api

* fmt

* always return KdfMemory and KdfParallelism

the client will ignore the value of these fields in case of `PBKDF2`
(whether they are unset or left from trying out `Argon2id` as KDF).

with `Argon2id` those fields should never be `null` but always in a
valid state. if they are `null` (how would that even happen?) the
client still assumes default values for `Argon2id` (i.e. m=64 and p=4)
and if they are set to something else login will fail anyway.

* clear kdf memory and parallelism with pbkdf2

when changing back from argon2id to PBKDF2 the unused parameters
should be set to 0.

also fix small bug in _register

* add mail check

* add check user state

* Revert setcap, update rust and crates

- Revert dani-garcia#3170 as discussed in #3387
  In hindsight it's better to not have this feature
- Update Dockerfile.j2 for easy version changes.
  Just change it in one place instead of multiple
- Updated to Rust to latest patched version
- Updated crates to latest available
- Pinned mimalloc to an older version, as it breaks on musl builds

* Fix sending out multiple websocket notifications

For some reason I encountered a strange bug which resulted in sending
out multiple websocket notifications for the exact same user.

Added a `distinct()` for the query to filter out multiple uuid's.

---------

Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
Co-authored-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Rychart Redwerkz <redwerkz@users.noreply.github.com>
Co-authored-by: GeekCorner <45696571+GeekCornerGH@users.noreply.github.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
Co-authored-by: sirux88 <sirux88@gmail.com>
Co-authored-by: Jeremy Lin <jjlin@users.noreply.github.com>
Co-authored-by: Daniel Hammer <daniel.hammer+oss@gmail.com>
Co-authored-by: Stefan Melmuk <stefan.melmuk@gmail.com>
Co-authored-by: BlockListed <44610569+BlockListed@users.noreply.github.com>
Co-authored-by: Kevin P. Fleming <kevin@km6g.us>
Co-authored-by: Jan Jansen <jan.jansen@gdata.de>
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
Co-authored-by: soruh <mail@soruh.de>
Co-authored-by: r3drun3 <simone.ragonesi@kiratech.it>
Co-authored-by: Misterbabou <58564168+Misterbabou@users.noreply.github.com>
Co-authored-by: Nils Mittler <nmittler@bcf-pc03.desktop>
Co-authored-by: Jeremy Lin <jeremy.lin@gmail.com>
Co-authored-by: Jonathan Elias Caicedo <jonathan@jcaicedo.com>
Co-authored-by: Dylan Pinsonneault <dylanp2222@gmail.com>
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Co-authored-by: Nikolay Nikolaev <nikolaevn.home@gmail.com>
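The "Admin token Argon2 hashing support" entry above describes warning the operator when `ADMIN_TOKEN` is still a plain-text string rather than an Argon2 PHC string. The following is an added example (not Vaultwarden's own code) of the check a practitioner would want to run against their own configuration: it parses the PHC format (`$argon2id$v=19$m=…,t=…,p=…$<salt>$<hash>`) and reports whether the token is hashed at all. The `bitwarden` and `owasp` preset values are assumed to match what `vaultwarden hash --preset` uses; the "below the OWASP preset" warning is an extra check of this example, not something the commit describes. The sample token's salt and hash are constructed and verify no password.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Parameter presets in KiB / iterations / lanes. Assumed to match the
# `vaultwarden hash --preset` values; check the project wiki before relying on them.
PRESETS = {
    "bitwarden": {"m": 64 * 1024, "t": 3, "p": 4},
    "owasp": {"m": 19 * 1024, "t": 2, "p": 1},
}

# PHC layout for Argon2: $argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>
# salt and hash are standard base64 without padding; m,t,p appear in that order.
_PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))"
    r"(?:\$v=(?P<ver>\d+))?"
    r"\$(?P<params>m=\d+,t=\d+,p=\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<hash>[A-Za-z0-9+/]+)$"
)


@dataclass
class Argon2Phc:
    algorithm: str
    version: int
    memory_kib: int
    iterations: int
    parallelism: int


def parse_argon2_phc(token: str) -> Optional[Argon2Phc]:
    """Return the parsed Argon2 parameters, or None if `token` is not a PHC string."""
    m = _PHC_RE.match(token.strip())
    if m is None:
        return None
    params = dict(kv.split("=") for kv in m.group("params").split(","))
    return Argon2Phc(
        algorithm=m.group("alg"),
        # The PHC spec treats a missing `v` as Argon2 version 0x10.
        version=int(m.group("ver") or 0x10),
        memory_kib=int(params["m"]),
        iterations=int(params["t"]),
        parallelism=int(params["p"]),
    )


def admin_token_warning(token: str) -> Optional[str]:
    """Warning text for startup / the admin panel, or None when the token is fine.

    The first check mirrors the one the commit message describes (plain-text
    token); the comparison against the OWASP preset is an extra check added here.
    """
    phc = parse_argon2_phc(token)
    if phc is None:
        return ("ADMIN_TOKEN is not an Argon2 PHC hash; generate one with "
                "`vaultwarden hash` or the `argon2` CLI")
    floor = PRESETS["owasp"]
    if phc.memory_kib < floor["m"] or phc.iterations < floor["t"]:
        return (f"ADMIN_TOKEN Argon2 parameters (m={phc.memory_kib},"
                f"t={phc.iterations},p={phc.parallelism}) are below the OWASP preset")
    return None


# Constructed sample: arbitrary base64 salt and hash, only the parameters matter.
SAMPLE_HASHED_TOKEN = (
    "$argon2id$v=19$m=65540,t=3,p=4"
    "$c2FsdHNhbHRzYWx0c2FsdA"
    "$MH0dT3hMpN2aVq7L9Z1c4xK8QJ3WfYbR5nE6sG7tUvA"
)

if __name__ == "__main__":
    for candidate in (SAMPLE_HASHED_TOKEN, "hunter2"):
        print(repr(candidate[:24]), "->", admin_token_warning(candidate))
```

Parsing the PHC string is deliberately separate from verifying a password against it; verification needs an Argon2 implementation (the `argon2` crate in Vaultwarden, `argon2-cffi` in Python) and is where the RaspberryPi timing figures in the commit message come from.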
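The "Decode knowndevice `X-Request-Email` as base64url with no padding" entry above notes that the web and mobile clients strip the `=` padding before sending the header. As an added example (not the project's code, and not the clients' code), here is the encode side as the clients behave and a server-side decoder that accepts the header with or without padding, rejects anything outside the base64url alphabet or with an impossible length, and turns every failure into a `ValueError` the caller can map to a 400 instead of a panic. The e-mail address used is constructed.

```python
import base64
import binascii

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_="
)


def encode_request_email(email: str) -> str:
    """Client side: base64url-encode the e-mail and strip the '=' padding,
    which is what the Bitwarden web and mobile clients send in X-Request-Email."""
    return base64.urlsafe_b64encode(email.encode("utf-8")).decode("ascii").rstrip("=")


def decode_request_email(header_value: str) -> str:
    """Server side: accept base64url with or without padding.

    Raises ValueError for anything that is not well-formed base64url,
    not valid UTF-8, or not shaped like an e-mail address.
    """
    value = header_value.strip()
    if not value:
        raise ValueError("empty X-Request-Email")
    # urlsafe_b64decode silently drops characters outside the alphabet unless
    # validate=True, so reject them explicitly before re-padding.
    if any(c not in _B64URL_ALPHABET for c in value):
        raise ValueError("X-Request-Email is not base64url")
    unpadded = value.rstrip("=")
    # A base64 string with its padding removed is never 1 (mod 4) characters long.
    if len(unpadded) % 4 == 1:
        raise ValueError("X-Request-Email has an impossible length")
    padded = unpadded + "=" * (-len(unpadded) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("X-Request-Email is not base64url") from exc
    try:
        email = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("X-Request-Email is not UTF-8") from exc
    if "@" not in email:
        raise ValueError("X-Request-Email does not look like an e-mail address")
    return email


def is_valid_request_email(header_value: str) -> bool:
    """Convenience wrapper: True if the header decodes cleanly."""
    try:
        decode_request_email(header_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header = encode_request_email("user@example.com")  # constructed address
    print(header, "->", decode_request_email(header))
```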
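The "Fix password reset issues", "always return KdfMemory and KdfParallelism" and "clear kdf memory and parallelism with pbkdf2" entries above together describe the cause of this issue: the client derives the master key from whatever KDF parameters the server reports, and falls back to its own Argon2id defaults (m=64, p=4, per the commit message) when those fields are null, so a user with custom Argon2id settings cannot log in if the server omits them. The following is an added example (not Vaultwarden's code) that models both sides of that contract so the failure mode can be reproduced without a running server: the server-side field rules from the commits, the client-side default resolution, and a comparison that stands in for "does the derived master-key hash match". Field names follow the Bitwarden API (`Kdf`, `KdfIterations`, `KdfMemory`, `KdfParallelism`); the `User` record and its test values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2 = 0
ARGON2ID = 1

# Defaults the client assumes when the server returns null for the
# Argon2id-only fields (taken from the commit message above).
CLIENT_ARGON2_DEFAULT_MEMORY_MIB = 64
CLIENT_ARGON2_DEFAULT_PARALLELISM = 4


@dataclass
class User:
    """Constructed stand-in for the stored user record."""
    email: str
    client_kdf_type: int
    client_kdf_iter: int
    client_kdf_memory: Optional[int] = None      # MiB, Argon2id only
    client_kdf_parallelism: Optional[int] = None  # lanes, Argon2id only


def set_kdf(user: User, kdf_type: int, iterations: int,
            memory: Optional[int] = None, parallelism: Optional[int] = None) -> None:
    """Server side: store new KDF settings.

    Going back to PBKDF2 zeroes the Argon2id-only fields instead of leaving
    stale values behind, as the "clear kdf memory and parallelism" commit does.
    """
    if kdf_type == PBKDF2:
        user.client_kdf_type = PBKDF2
        user.client_kdf_iter = iterations
        user.client_kdf_memory = 0
        user.client_kdf_parallelism = 0
    elif kdf_type == ARGON2ID:
        if not memory or not parallelism:
            raise ValueError("Argon2id requires memory and parallelism")
        user.client_kdf_type = ARGON2ID
        user.client_kdf_iter = iterations
        user.client_kdf_memory = memory
        user.client_kdf_parallelism = parallelism
    else:
        raise ValueError(f"unknown KDF type {kdf_type}")


def prelogin_response(user: User, include_argon2_fields: bool = True) -> dict:
    """Server side: the KDF data the client fetches before hashing the master password.

    include_argon2_fields=False reproduces the bug fixed here: KdfMemory and
    KdfParallelism are missing, so the client sees null.
    """
    resp = {"Kdf": user.client_kdf_type, "KdfIterations": user.client_kdf_iter}
    resp["KdfMemory"] = user.client_kdf_memory if include_argon2_fields else None
    resp["KdfParallelism"] = user.client_kdf_parallelism if include_argon2_fields else None
    return resp


KdfParams = Tuple[int, int, Optional[int], Optional[int]]


def client_effective_kdf(prelogin: dict) -> KdfParams:
    """Client side: the parameters actually fed to the KDF, defaults applied on null."""
    if prelogin["Kdf"] == PBKDF2:
        # Memory/parallelism are ignored for PBKDF2 whether 0, null or stale.
        return (PBKDF2, prelogin["KdfIterations"], None, None)
    memory = prelogin.get("KdfMemory") or CLIENT_ARGON2_DEFAULT_MEMORY_MIB
    parallelism = prelogin.get("KdfParallelism") or CLIENT_ARGON2_DEFAULT_PARALLELISM
    return (ARGON2ID, prelogin["KdfIterations"], memory, parallelism)


def stored_kdf(user: User) -> KdfParams:
    """The parameters the stored master-password hash was produced with."""
    if user.client_kdf_type == PBKDF2:
        return (PBKDF2, user.client_kdf_iter, None, None)
    return (ARGON2ID, user.client_kdf_iter, user.client_kdf_memory, user.client_kdf_parallelism)


def login_would_succeed(user: User, prelogin: dict) -> bool:
    """The hash the client sends only matches the stored one when every KDF
    parameter agrees; any difference shows up as 'Username or password is incorrect'."""
    return client_effective_kdf(prelogin) == stored_kdf(user)


if __name__ == "__main__":
    u = User("custom@example.com", ARGON2ID, 3, memory=128, parallelism=8)  # constructed
    print("fixed server :", login_would_succeed(u, prelogin_response(u)))
    print("buggy server :", login_would_succeed(u, prelogin_response(u, include_argon2_fields=False)))
```

The second print is the situation in this issue: a user whose Argon2id memory or parallelism differs from the client defaults silently derives a different master key, while a user on the defaults (or on PBKDF2) never notices the missing fields, which is why the bug was easy to miss.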

3 participants