[META] Feature Requests #246

Open
dani-garcia opened this Issue Nov 9, 2018 · 15 comments

Owner

dani-garcia commented Nov 9, 2018

To avoid cluttering the issue tracker with feature requests, please comment any requests here and we'll keep a list.

When available, I've linked a related issue or comment to add context to the request.

Authentication

These requests would add a new authentication method to bitwarden_rs.

  • Multiple U2F key support #244 (comment)
  • LDAP #122
  • OAuth #94
  • Email #113
  • Duo
  • Allow organizations to require 2FA for their members

Database support

These requests would require recreating the migrations.sql for each new database and making sure that all the diesel code is compatible with all of them.

Admin page

  • Send email to check correct mailing config
  • 2FA support
  • Show more user info? (organizations and their user status in them, last connected date...)
  • Bitwarden_rs version info and update notification?

Security

  • Option to force 2FA for all logins, ignoring remember checkbox
  • Set a configurable limit for the 2FA remember token, upstream uses 30 days (Maybe use JWT?).
  • Lock accounts after X login failures, configurable.

Other

  • Batch all the bulk database operations in the same transaction (import ciphers, move selected ciphers, purge vault, etc.)
  • Make email and U2F use the same domain-guessing used by attachments
  • Better email templates
  • Groups support #245
    • Workaround: Organizations seem to provide the same functionality, more or less
  • Manager support
  • Log rotation / management #305
  • Run bitwarden_rs at suburl #241
  • Audit log #229
  • Push notifications #126
    • Workaround: WebSockets provide notifications in web vault and browser extensions (maybe desktop app too?)

If anyone wants to help implementing these features, we are available here or on the matrix channel to help guide you as much as we can.

quthla commented Dec 22, 2018

What is needed for #241? Seems somebody already posted the needed changes in the corresponding issue so that could maybe be integrated?

Owner Author

dani-garcia commented Dec 22, 2018

Yes, someone would have to check those changes, see what can be integrated into the project directly (possibly a config option for the mount point) and create the documentation on how to configure the vault, proxy, etc.

dpffxhad commented Jan 14, 2019

pass path to .env
./bitwarden_rs -c /path/to/config.env

Collaborator

mprasil commented Jan 15, 2019

@dpffxhad added it to the list

Peneheals commented Jan 16, 2019

It would be great to see an (admin) feature which can help sysops to test mailing functionality. Maybe somewhere a button which can send a test e-mail to the actual user's address and which gives back a fail/success message after the action.

Collaborator

mprasil commented Jan 16, 2019

Good idea @Peneheals, @njfox what do you think?

p-rintz commented Jan 16, 2019

Would it be possible to introduce 2FA auth to the /admin panel as well?

Contributor

njfox commented Jan 16, 2019

> Good idea @Peneheals, @njfox what do you think?

I also think that's a good idea, and it shouldn't be too difficult to implement. I can look at adding the necessary API endpoints once I find some time, or knowing @dani-garcia he'll probably get to it first.

Owner Author

dani-garcia commented Jan 16, 2019

About 2fa:
To do this, we'll need to implement it separately from the already existing 2fa code. I'm not sure if for this case it's worth it to implement multiple 2fa systems, so I would think just totp and maybe email would be good enough.

That said, this would require some changes to the admin page to input the 2fa code: we can't just ask for it at the start because it changes every 30 seconds.

Edit: About the email, as a workaround, you can invite yourself to test if it works for now, but it would be great to add

dani-garcia pinned this issue Jan 25, 2019

chinenual commented Feb 2, 2019

I am having trouble getting an Apache reverse-proxy to work in my organization. For various reasons, I can't create a new subdomain for bitwarden - I need to run it as https://my.proxy.domain/bitwarden forwarding to localhost running http on a non-standard port. However I cannot find a way to get Apache's mod_proxy to proxy from /bitwarden context to root context. For other applications I'm able to create proxies as long as the target application uses a non-root context.

I.e. I want to do this:

https://my.proxy/bitwarden <-> http:/localhost:1234

I can get other apps to work if the internal app uses non-root context -- e.g.

https://my.proxy/acontext <-> http:/localhost:1234/anothercontext

Can bitwarden_rs be configured to listen to /bitwarden_rs or /bitwarden instead of / ? If not, can someone help in constructing apache mod_proxy / mod_rewrite rules to proxy the bitwarden_rs root context from a non-root proxy context?

Collaborator

mprasil commented Feb 2, 2019

@chinenual see #71. The TL/DR is that while bitwarden_rs doesn't mind serving from a sub path, client apps don't support that. There was some effort modifying the Vault code to allow this, but I haven't seen anyone reporting that they got it working.

chinenual commented Feb 2, 2019

Thanks @mprasil - I'll keep my eye on upstream client support and check back here if/when it's supportable.

quthla commented Feb 2, 2019

@mprasil I think only the web vault needs some patching (which has already been done?)

#241 (comment)

I changed the path in the android app and it'll correctly call api at that path.

"POST /bw/api/accounts/prelogin HTTP/1.1"

Collaborator

mprasil commented Feb 3, 2019

Good to know @quthla, are you sure all functionality is present in the mobile client apps - like attachments? (Also this probably still rules out using the official desktop app?)

pdarcos commented Feb 21, 2019

Awesome project guys!
+1 for Postgresql and/or MariaDB support.
