[PR #4067] [MERGED] Add Protected Actions Check #2889

New Issue

Open

opened 2025-10-09 18:13:21 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2025-10-09 18:13:21 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/4067
Author: @BlackDex
Created: 11/12/2023
Status: ✅ Merged
Merged: 11/13/2023
Merged by: @dani-garcia

Base: main ← Head: add_protected_actions_check

---

📝 Commits (1)

• a7abb44 Add Protected Actions Check

📊 Changes

16 files changed (+337 additions, -124 deletions)

View changed files

📝 src/api/core/accounts.rs (+13 -24)
📝 src/api/core/ciphers.rs (+4 -8)
📝 src/api/core/organizations.rs (+13 -17)
📝 src/api/core/two_factor/authenticator.rs (+11 -10)
📝 src/api/core/two_factor/duo.rs (+13 -10)
📝 src/api/core/two_factor/email.rs (+19 -12)
📝 src/api/core/two_factor/mod.rs (+14 -10)
➕ src/api/core/two_factor/protected_actions.rs (+142 -0)
📝 src/api/core/two_factor/webauthn.rs (+28 -18)
📝 src/api/core/two_factor/yubikey.rs (+11 -9)
📝 src/api/mod.rs (+26 -2)
📝 src/config.rs (+5 -4)
📝 src/db/models/two_factor.rs (+3 -0)
📝 src/mail.rs (+13 -0)
➕ src/static/templates/email/protected_action.hbs (+6 -0)
➕ src/static/templates/email/protected_action.html.hbs (+16 -0)

📄 Description

Since the feature Login with device some actions done via the web-vault need to be verified via an OTP instead of providing the MasterPassword.

This only happens if a user used the Login with device on a device which uses either Biometrics login or PIN. These actions prevent the athorizing device to send the MasterPasswordHash. When this happens, the web-vault requests an OTP to be filled-in and this OTP is send to the users email address which is the same as the email address to login.

The only way to bypass this is by logging in with the your password, in those cases a password is requested instead of an OTP.

In case SMTP is not enabled, it will show an error message telling to user to login using there password.

Fixes #4042

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/4067 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 11/12/2023 **Status:** ✅ Merged **Merged:** 11/13/2023 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `add_protected_actions_check` --- ### 📝 Commits (1) - [`a7abb44`](https://github.com/dani-garcia/vaultwarden/commit/a7abb44e2457512e92d2ccd9a0918d2fc6ea257f) Add Protected Actions Check ### 📊 Changes **16 files changed** (+337 additions, -124 deletions) <details> <summary>View changed files</summary> 📝 `src/api/core/accounts.rs` (+13 -24) 📝 `src/api/core/ciphers.rs` (+4 -8) 📝 `src/api/core/organizations.rs` (+13 -17) 📝 `src/api/core/two_factor/authenticator.rs` (+11 -10) 📝 `src/api/core/two_factor/duo.rs` (+13 -10) 📝 `src/api/core/two_factor/email.rs` (+19 -12) 📝 `src/api/core/two_factor/mod.rs` (+14 -10) ➕ `src/api/core/two_factor/protected_actions.rs` (+142 -0) 📝 `src/api/core/two_factor/webauthn.rs` (+28 -18) 📝 `src/api/core/two_factor/yubikey.rs` (+11 -9) 📝 `src/api/mod.rs` (+26 -2) 📝 `src/config.rs` (+5 -4) 📝 `src/db/models/two_factor.rs` (+3 -0) 📝 `src/mail.rs` (+13 -0) ➕ `src/static/templates/email/protected_action.hbs` (+6 -0) ➕ `src/static/templates/email/protected_action.html.hbs` (+16 -0) </details> ### 📄 Description Since the feature `Login with device` some actions done via the web-vault need to be verified via an OTP instead of providing the MasterPassword. This only happens if a user used the `Login with device` on a device which uses either Biometrics login or PIN. These actions prevent the athorizing device to send the MasterPasswordHash. When this happens, the web-vault requests an OTP to be filled-in and this OTP is send to the users email address which is the same as the email address to login. The only way to bypass this is by logging in with the your password, in those cases a password is requested instead of an OTP. In case SMTP is not enabled, it will show an error message telling to user to login using there password. Fixes #4042 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2025-10-09 18:13:21 +03:00

OVERLORD referenced this issue 2025-10-09 18:17:48 +03:00

[PR #2920] [MERGED] Added missing `register` endpoint to `identity` #3137

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#2889