diff --git a/.env.template b/.env.template
index 51494c5d3254899e358ce9907b87f997bb8ef5f0..eda99d78dd520feb52a402da7778dcb613edf23d 100644
--- a/.env.template
+++ b/.env.template
@@ -69,6 +69,7 @@
## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
@@ -110,4 +111,4 @@
# SMTP_PORT=587
# SMTP_SSL=true
# SMTP_USERNAME=username
-# SMTP_PASSWORD=password
\ No newline at end of file
+# SMTP_PASSWORD=password
diff --git a/src/api/admin.rs b/src/api/admin.rs
index 68a01387493a76dff247e99c69ec68609fc9b71f..7f9136401edff5535979213d6224d57ec20b325c 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -15,7 +15,7 @@ use crate::mail;
use crate::CONFIG;
pub fn routes() -> Vec<Route> {
- if CONFIG.admin_token().is_none() {
+ if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
return routes![admin_disabled];
}
@@ -194,25 +194,30 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
type Error = &'static str;
fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
- let mut cookies = request.cookies();
-
- let access_token = match cookies.get(COOKIE_NAME) {
- Some(cookie) => cookie.value(),
- None => return Outcome::Forward(()), // If there is no cookie, redirect to login
- };
-
- let ip = match request.guard::<ClientIp>() {
- Outcome::Success(ip) => ip.ip,
- _ => err_handler!("Error getting Client IP"),
- };
-
- if decode_admin(access_token).is_err() {
- // Remove admin cookie
- cookies.remove(Cookie::named(COOKIE_NAME));
- error!("Invalid or expired admin JWT. IP: {}.", ip);
- return Outcome::Forward(());
+ if CONFIG.disable_admin_token() {
+ Outcome::Success(AdminToken {})
+ }
+ else {
+ let mut cookies = request.cookies();
+
+ let access_token = match cookies.get(COOKIE_NAME) {
+ Some(cookie) => cookie.value(),
+ None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+ };
+
+ let ip = match request.guard::<ClientIp>() {
+ Outcome::Success(ip) => ip.ip,
+ _ => err_handler!("Error getting Client IP"),
+ };
+
+ if decode_admin(access_token).is_err() {
+ // Remove admin cookie
+ cookies.remove(Cookie::named(COOKIE_NAME));
+ error!("Invalid or expired admin JWT. IP: {}.", ip);
+ return Outcome::Forward(());
+ }
+
+ Outcome::Success(AdminToken {})
}
-
- Outcome::Success(AdminToken {})
}
}
diff --git a/src/config.rs b/src/config.rs
index a0facd0d2945f2170a8986a9d0dd224098540efb..c354c976283fab5ad68b557958f2bc7dc3ed0ef0 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -256,6 +256,9 @@ make_config! {
/// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems, that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
enable_db_wal: bool, false, def, true;
+
+ /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+ disable_admin_token: bool, true, def, false;
},
/// Yubikey settings