commits
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/sporkmonger/addressable/releases)
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sporkmonger/addressable/compare/addressable-2.7.0...addressable-2.8.0)
---
updated-dependencies:
- dependency-name: addressable
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [activerecord](https://github.com/rails/rails) from 5.1.7 to 5.2.4.5.
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v6.1.3/activerecord/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v5.1.7...v5.2.4.5)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
It used to be enough just to return these in /accounts/prelogin but
now, without them, the browser extension stores a null KDF iteration
count upon login and then on subsequent unlock attempts, it uses the
default KDF iteration count of 5000 which is probably not right (the
new default is 100,000). This causes it to generate a failed key,
making it impossible to unlock a logged-in vault without logging out
and logging back in.
See https://github.com/bitwarden/browser/issues/1456
Bumps [rack](https://github.com/rack/rack) from 2.0.9 to 2.1.4.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/2.0.9...2.1.4)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
It's been almost 2 years since switching to AR, and the migration
script requires yaml_db which brings in all of Rails.
Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.3 to 2.3.1.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.2.3...v2.3.1)
Signed-off-by: dependabot[bot] <support@github.com>
The new Safari extension does OPTIONS requests for each
POST/PUT/DELETE and expects CORS headers to be in the response, so
give it what it asks for
Should fix #103
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.3 to 1.10.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.3...v1.10.4)
Signed-off-by: dependabot[bot] <support@github.com>
Set null kdf_iterations to 5000, which is what the old default used
to be. As the default changes in the future (or as it did in
5ccd4174b), this should still be 5000.
This matches at least the Firefox extension when creating a new
account.
The upstream clients may crash if this value is returned as null
Issue #100
This is just a simple array that the Bitwarden clients manage for
us, so just pass it through to the db.
Closes #89
Also stop storing the attachment URL in the database, it's not used
by anything and may change later depending on this variable
Prefix all of these with RUBYWARDEN_, but still honor ALLOW_SIGNUPS
Pass the full key to encrypt and decrypt, along with the algorithm
(now defaulting to TYPE_AESCBC256_HMACSHA256_B64). If the algorithm
is TYPE_AESCBC256_HMACSHA256_B64 but the key is only 32 bytes, use
HKDF to stretch it and separate it into encryption and MAC keys.
Ref: https://github.com/bitwarden/jslib/commit/0429c0557b293ca97ea684ad8bb500c036d88ae3
Ref #79
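As an added example (not rubywarden's own code), here is the key handling this commit describes, in Ruby: when the cipher string type is TYPE_AESCBC256_HMACSHA256_B64 and the key is only 32 bytes, HKDF-Expand stretches it into separate encryption and MAC keys, and the MAC is verified before any decryption. The `"enc"`/`"mac"` info labels and the type value 2 are assumptions about the Bitwarden format, not values taken from this page.

```ruby
require "openssl"
require "base64"
TYPE_AESCBC256_HMACSHA256_B64 = 2 # assumed Bitwarden cipher-string type prefix
# RFC 5869 HKDF-Expand only (no extract step): the raw 32-byte key is the PRK.
def hkdf_expand(prk, info, length)
  t, okm, counter = "".b, "".b, 1
  while okm.bytesize < length
    t = OpenSSL::HMAC.digest("SHA256", prk, t + info + [counter].pack("C"))
    okm << t
    counter += 1
  end
  okm[0, length]
end
# A 64-byte key is already enc||mac; a 32-byte key is stretched. Assumption:
# the "enc"/"mac" info labels follow the referenced jslib commit.
def split_key(key, type)
  raise ArgumentError, "unsupported type #{type}" unless type == TYPE_AESCBC256_HMACSHA256_B64
  case key.bytesize
  when 64 then [key[0, 32], key[32, 32]]
  when 32 then [hkdf_expand(key, "enc", 32), hkdf_expand(key, "mac", 32)]
  else raise ArgumentError, "key must be 32 or 64 bytes, got #{key.bytesize}"
  end
end
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Produces "type.iv|ciphertext|mac" (base64 parts); the MAC covers iv || ciphertext.
def encrypt(plaintext, key, type = TYPE_AESCBC256_HMACSHA256_B64)
  enc_key, mac_key = split_key(key, type)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  mac = OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct)
  "#{type}.#{[iv, ct, mac].map { |b| Base64.strict_encode64(b) }.join('|')}"
end
# Verifies the MAC first, so a wrong or mis-split key surfaces as a MAC failure.
def decrypt(cipher_string, key)
  type, rest = cipher_string.split(".", 2)
  enc_key, mac_key = split_key(key, type.to_i)
  iv, ct, mac = rest.split("|").map { |b| Base64.strict_decode64(b) }
  raise "MAC mismatch" unless constant_time_equal?(OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct), mac)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = enc_key
  cipher.iv = iv
  cipher.update(ct) + cipher.final
end
```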
Explicitly load it by its UUID
Fixes occasional MAC failures in this test
We'll need multiple process access to it in the future.
Also disable ActiveRecord migration verbosity since it will run
every time.
Bitwarden::CipherString.parse will catch invalid keys
Closes #78
The constant `User::DEFAULT_KDF_ITERATIONS` is not defined in the master and therefore the migrations will fail.
Setting this causes sinatra-activerecord to do some configuration of
its own which ends up trying to look at RACK_ENV which we aren't
using anymore.
If RACK_ENV is not set, which it may not be since RUBYWARDEN_ENV now
has to be used, it will default to development, which will cause
Sinatra to print stack traces and things to the public.
Protect users by setting RACK_ENV to "deployment" when
RUBYWARDEN_ENV is set to "production".
Continue to honor RACK_ENV if RUBYWARDEN_ENV is not defined
Fixes #73