Allow the Admin token to be disabled in the advanced menu

8b5b06c3 · Shane Faulkner · 5ee04e31 · 8b5b06c3 · 8b5b06c3 · 8b5b06c3
Commit 8b5b06c3 authored 6 years ago by Shane Faulkner
--- a/.env.template
+++ b/.env.template
@@ -69,6 +69,7 @@
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
@@ -110,4 +111,4 @@
 # SMTP_PORT=587
 # SMTP_SSL=true
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
\ No newline at end of file
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -15,7 +15,7 @@ use crate::mail;
 use crate::CONFIG;
 pub fn routes() -> Vec<Route> {
-    if CONFIG.admin_token().is_none() {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
        return routes![admin_disabled];
    }
@@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
    type Error = &'static str;
    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let mut cookies = request.cookies();
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
-        let access_token = match cookies.get(COOKIE_NAME) {
+        }
-            Some(cookie) => cookie.value(),
+        else {
-            None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            let mut cookies = request.cookies();
-        };
+            let access_token = match cookies.get(COOKIE_NAME) {
-        let ip = match request.guard::<ClientIp>() {
+                Some(cookie) => cookie.value(),
-            Outcome::Success(ip) => ip.ip,
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
-            _ => err_handler!("Error getting Client IP"),
+            };
-        };
+            let ip = match request.guard::<ClientIp>() {
-        if decode_admin(access_token).is_err() {
+                Outcome::Success(ip) => ip.ip,
-            // Remove admin cookie
+                _ => err_handler!("Error getting Client IP"),
-            cookies.remove(Cookie::named(COOKIE_NAME));
+            };
-            error!("Invalid or expired admin JWT. IP: {}.", ip);
-            return Outcome::Forward(());
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+            Outcome::Success(AdminToken {})
        }
-        Outcome::Success(AdminToken {})
    }
 }
--- a/src/config.rs
+++ b/src/config.rs
@@ -256,6 +256,9 @@ make_config! {
        /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
        enable_db_wal:          bool,   false,  def,    true;
+        /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+        disable_admin_token:    bool,   true,   def,    false;
    },
    /// Yubikey settings