[PR #941] [CLOSED] Added claims to the Headers to verify user type. #2833

New issue

Closed

opened 2026-03-03 08:53:17 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 08:53:17 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/941
Author: @BlackDex
Created: 3/31/2020
Status: ❌ Closed

Base: master ← Head: claims-to-headers

📝 Commits (1)

a0ad3b9 Added claims to the Headers to verify user type.

📊 Changes

2 files changed (+72 additions, -27 deletions)

View changed files

📝 src/api/core/organizations.rs (+5 -5)
📝 src/auth.rs (+67 -22)

📄 Description

-- NOTE: Let me know what you think of this.
-- It could be handy, but it can also be a pain if we really need to update the claims.
-- Somewhere i think we should invalidate the security stamp if we change the user rights because that is the safest way, and it would force the claims to refresh.

The claims contains the current rights of which orgs the user belongs
to and what rights it has. This is usefull for requests which do not
provide any organization ID in the requests, but we need it to verify if
that request is allowed to be executed. This saves complex database
calls since it is already in the claims.

There is one downside. If the user level has been changed, or is added
to a new org, the claims are not updated instantly. A user should log
out and back in to receive the correct claims/rights.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/941 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 3/31/2020 **Status:** ❌ Closed **Base:** `master` ← **Head:** `claims-to-headers` --- ### 📝 Commits (1) - [`a0ad3b9`](https://github.com/dani-garcia/vaultwarden/commit/a0ad3b952b3d00307648776d333ad43628dd19f0) Added claims to the Headers to verify user type. ### 📊 Changes **2 files changed** (+72 additions, -27 deletions) <details> <summary>View changed files</summary> 📝 `src/api/core/organizations.rs` (+5 -5) 📝 `src/auth.rs` (+67 -22) </details> ### 📄 Description -- NOTE: Let me know what you think of this. -- It could be handy, but it can also be a pain if we really need to update the claims. -- Somewhere i think we should invalidate the security stamp if we change the user rights because that is the safest way, and it would force the claims to refresh. The claims contains the current rights of which orgs the user belongs to and what rights it has. This is usefull for requests which do not provide any organization ID in the requests, but we need it to verify if that request is allowed to be executed. This saves complex database calls since it is already in the claims. There is one downside. If the user level has been changed, or is added to a new org, the claims are not updated instantly. A user should log out and back in to receive the correct claims/rights. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>