api::Accounts::verify_password add the policy even if it's ignored
Timshel committed Jan 9, 2025
1 parent bee619f commit 44045a8
Showing 3 changed files with 11 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .env.template
Expand Up @@ -475,7 +475,7 @@
## Set your Client ID and Client Key
# SSO_CLIENT_ID=11111
# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
## Optional Master password policy (minComplexity=[0-4])
## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
## Use sso only for authentication not the session lifecycle
# SSO_AUTH_ONLY_NOT_SESSION=false
2 changes: 1 addition & 1 deletion SSO.md
Expand Up @@ -25,7 +25,7 @@ The following configurations are available
- `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
- `SSO_CLIENT_ID` : Client Id
- `SSO_CLIENT_SECRET` : Client Secret
- `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy
- `SSO_MASTER_PASSWORD_POLICY`: Optional Master password policy (`enforceOnLogin` is not supported).
- `SSO_AUTH_ONLY_NOT_SESSION`: Enable to use SSO only for authentication not session lifecycle
- `SSO_CLIENT_CACHE_EXPIRATION`: Cache calls to the discovery endpoint, duration in seconds, `0` to disable (default `0`);
- `SSO_DEBUG_TOKENS`: Log all tokens (default `false`, `LOG_LEVEL=debug` is required)
10 changes: 9 additions & 1 deletion src/api/core/accounts.rs
Expand Up @@ -1050,6 +1050,8 @@ pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &mut DbConn) ->
Ok(())
}

// It appears that at the moment the return policy is required but ignored.
// As such the `enforceOnLogin` part is not working.
#[post("/accounts/verify-password", data = "<data>")]
async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, mut conn: DbConn) -> JsonResult {
let data: SecretVerificationRequest = data.into_inner();
Expand All @@ -1061,8 +1063,14 @@ async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers

kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;

let policy = if let Some(policy_str) = CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
serde_json::from_str(&policy_str).unwrap_or(json!({}))
} else {
json!({})
};

Ok(Json(json!({
"MasterPasswordPolicy": {}, // Required for SSO login with mobile apps
"MasterPasswordPolicy": policy,
})))
}

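Review bot: `serde_json::from_str(&policy_str).unwrap_or(json!({}))` in the new `let policy` block fails open: a typo in `SSO_MASTER_PASSWORD_POLICY` is silently turned into an empty policy, so the operator gets no signal that the policy they configured is not the one being returned to clients. Replace the `unwrap_or` with an `unwrap_or_else` that logs the parse error before falling back, or better, reject a malformed value when the config is loaded so the service refuses to start; the empty-object fallback for the unset case can stay as is. The value is also re-parsed from the string on every call to this endpoint, which parsing once at config load would avoid. The body of `verify_password` begins in the earlier hunk, so the hash check that precedes `kdf_upgrade` is not visible here. The fenced code assumes the crate's `warn!` log macro is in scope in this file.
```rust
    kdf_upgrade(&mut user, &data.master_password_hash, &mut conn).await?;

    // A malformed policy string must not silently disable the policy: log it before falling back.
    let policy = match CONFIG.sso_master_password_policy().filter(|_| CONFIG.sso_enabled()) {
        Some(policy_str) => serde_json::from_str(&policy_str).unwrap_or_else(|e| {
            warn!("Ignoring malformed SSO_MASTER_PASSWORD_POLICY: {e}");
            json!({})
        }),
        None => json!({}),
    };

    // … unchanged: Ok(Json(json!({ "MasterPasswordPolicy": policy }))) …
```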
