enhance cipher and identity handling with new fields and rate limit adjustments

2026-06-20 13:00:39 +00:00 · 2026-02-07 03:48:08 +08:00
parent 91800f41c5
commit ec9d3b889d
14 changed files with 102 additions and 132 deletions
@@ -1,36 +0,0 @@
 # 自动同步上游更新
 这个 GitHub Actions 工作流会自动将上游仓库（shuaiplus/nodewarden）的更新同步到你的 fork。
 ## 功能特性
 - ✅ 每天自动检查并同步上游更新
 - ✅ 支持手动触发同步
 - ✅ 自动处理简单的合并
 - ⚠️ 遇到冲突时会提醒你手动处理
 ## 如何启用
 1. 在你 fork 的仓库中，进入 **Actions** 标签页
 2. 点击 **I understand my workflows, go ahead and enable them**
 3. 完成！工作流会自动运行
 ## 手动触发
 1. 进入 **Actions** 标签页
 2. 选择 **Sync Fork with Upstream**
 3. 点击 **Run workflow** → **Run workflow**
 ## 注意事项
 - 如果你修改了代码，可能会产生合并冲突
 - 遇到冲突时，工作流会失败，需要你手动解决
 - 建议不要修改核心代码，只修改配置文件
 ## 禁用自动同步
 如果你不想自动同步：
 1. 进入 **Actions** 标签页
 2. 选择 **Sync Fork with Upstream**
 3. 点击右上角的 **···** → **Disable workflow**
@@ -1,60 +0,0 @@
 name: Sync Fork with Upstream
 on:
  schedule:
    # Run every day at 2:00 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:
    # Allow manual trigger
 jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
      - name: Sync with upstream
        run: |
          # Add upstream repository
          git remote add upstream https://github.com/shuaiplus/nodewarden.git || true
          # Fetch upstream changes
          git fetch upstream
          # Check if there are updates
          BEHIND=$(git rev-list --count HEAD..upstream/main)
          if [ "$BEHIND" -gt 0 ]; then
            echo "Found $BEHIND commits behind upstream. Syncing..."
            # Try to merge upstream/main into current branch
            if git merge upstream/main --no-edit; then
              echo "Merge successful!"
              git push origin main
            else
              echo "Merge conflict detected. Please resolve manually."
              echo "::warning::Failed to auto-sync due to merge conflicts. Manual intervention required."
              exit 1
            fi
          else
            echo "Already up to date with upstream."
          fi
      - name: Create summary
        if: always()
        run: |
          echo "## Sync Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "- **Upstream**: shuaiplus/nodewarden" >> $GITHUB_STEP_SUMMARY
          echo "- **Branch**: main" >> $GITHUB_STEP_SUMMARY
          echo "- **Status**: ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
@@ -4,6 +4,7 @@ node_modules/
 # Wrangler
 .wrangler/
 .dev.vars
 wrangler.my.toml
 RELEASE_NOTES.md
 # Build output
@@ -27,9 +27,9 @@ A **Bitwarden-compatible** server that runs on **Cloudflare Workers**, designed
 ## Tested clients / platforms
- ✅ Windows desktop client
+- ✅ Windows desktop client（v2026.1.0）
- ✅ Mobile app (Android / iOS)
+- ✅ Android app （v2026.1.0）
- ✅ Browser extension
+- ✅ Browser extension（v2026.1.0）
 - ⬜ macOS desktop client (not tested)
 - ⬜ Linux desktop client (not tested)
@@ -27,9 +27,9 @@ English：[`README.md`](./README.md)
 - ✅ 兼容常见的 Bitwarden 官方客户端
 ## 测试情况：
- ✅ Windows 客户端
+- ✅ Windows 客户端（v2026.1.0）
- ✅ 手机 App（Android / iOS）
+- ✅ Android App（v2026.1.0）
- ✅ 浏览器扩展
+- ✅ 浏览器扩展（v2026.1.0）
 - ⬜ macOS 客户端（未测试）
 - ⬜ Linux 客户端（未测试）
 ---
@@ -7,8 +7,9 @@
  "main": "src/index.ts",
  "type": "module",
  "scripts": {
-    "dev": "wrangler dev",
+    "dev": "wrangler dev -c wrangler.dev.toml",
-    "deploy": "wrangler deploy"
+    "deploymy": "wrangler deploy -c wrangler.my.toml",
    "deploy":  "wrangler deploy "
  },
  "keywords": [
    "bitwarden",
@@ -97,6 +97,7 @@ export async function handleGetProfile(request: Request, env: Env, userId: strin
    twoFactorEnabled: false,
    key: user.key,
    privateKey: user.privateKey,
    accountKeys: null,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -304,7 +304,7 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    id: cipher.id,
    organizationId: null,
    folderId: cipher.folderId,
-    type: cipher.type,
+    type: Number(cipher.type) || 1,
    name: cipher.name,
    notes: cipher.notes,
    favorite: cipher.favorite,
@@ -312,6 +312,7 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    card: cipher.card,
    identity: cipher.identity,
    secureNote: cipher.secureNote,
    sshKey: cipher.sshKey,
    fields: cipher.fields,
    passwordHistory: cipher.passwordHistory,
    reprompt: cipher.reprompt,
@@ -319,9 +320,13 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    creationDate: cipher.createdAt,
    revisionDate: cipher.updatedAt,
    deletedDate: cipher.deletedAt,
    archivedDate: null,
    edit: true,
    viewPassword: true,
-    permissions: null,
+    permissions: {
      delete: true,
      restore: true,
    },
    object: 'cipher',
    collectionIds: [],
    attachments: attachments.length > 0 ? attachments.map(a => ({
@@ -330,8 +335,11 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
      size: String(a.size),
      sizeName: a.sizeName,
      key: a.key,
      url: null,
      object: 'attachment',
    })) : null,
    key: cipher.key,
    encryptedFor: null,
  };
 }
@@ -13,6 +13,7 @@ function formatAttachments(attachments: Attachment[]): any[] | null {
    size: String(a.size),
    sizeName: a.sizeName,
    key: a.key,
    url: null,
    object: 'attachment',
  }));
 }
@@ -23,7 +24,7 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    id: cipher.id,
    organizationId: null,
    folderId: cipher.folderId,
-    type: cipher.type,
+    type: Number(cipher.type) || 1,
    name: cipher.name,
    notes: cipher.notes,
    favorite: cipher.favorite,
@@ -31,6 +32,7 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    card: cipher.card,
    identity: cipher.identity,
    secureNote: cipher.secureNote,
    sshKey: cipher.sshKey,
    fields: cipher.fields,
    passwordHistory: cipher.passwordHistory,
    reprompt: cipher.reprompt,
@@ -38,16 +40,18 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    creationDate: cipher.createdAt,
    revisionDate: cipher.updatedAt,
    deletedDate: cipher.deletedAt,
    archivedDate: null,
    edit: true,
    viewPassword: true,
    permissions: {
      delete: true,
      restore: true,
      edit: true,
    },
    object: 'cipher',
    collectionIds: [],
    attachments: formatAttachments(attachments),
    key: cipher.key,
    encryptedFor: null,
  };
 }
@@ -103,13 +107,14 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
  }
  // Handle nested cipher object (from some clients)
-  const cipherData = body.cipher || body;
+  // Android client sends PascalCase "Cipher" for organization ciphers
  const cipherData = body.Cipher || body.cipher || body;
  const now = new Date().toISOString();
  const cipher: Cipher = {
    id: generateUUID(),
    userId: userId,
-    type: cipherData.type,
+    type: Number(cipherData.type) || 1,
    folderId: cipherData.folderId || null,
    name: cipherData.name,
    notes: cipherData.notes || null,
@@ -118,9 +123,11 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
    card: cipherData.card || null,
    identity: cipherData.identity || null,
    secureNote: cipherData.secureNote || null,
    sshKey: cipherData.sshKey || null,
    fields: cipherData.fields || null,
    passwordHistory: cipherData.passwordHistory || null,
    reprompt: cipherData.reprompt || 0,
    key: cipherData.key || null,
    createdAt: now,
    updatedAt: now,
    deletedAt: null,
@@ -149,11 +156,12 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
  }
  // Handle nested cipher object
-  const cipherData = body.cipher || body;
+  // Android client sends PascalCase "Cipher" for organization ciphers
  const cipherData = body.Cipher || body.cipher || body;
  const cipher: Cipher = {
    ...existingCipher,
-    type: cipherData.type ?? existingCipher.type,
+    type: Number(cipherData.type) || existingCipher.type,
    folderId: cipherData.folderId !== undefined ? cipherData.folderId : existingCipher.folderId,
    name: cipherData.name ?? existingCipher.name,
    notes: cipherData.notes !== undefined ? cipherData.notes : existingCipher.notes,
@@ -162,9 +170,11 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
    card: cipherData.card !== undefined ? cipherData.card : existingCipher.card,
    identity: cipherData.identity !== undefined ? cipherData.identity : existingCipher.identity,
    secureNote: cipherData.secureNote !== undefined ? cipherData.secureNote : existingCipher.secureNote,
    sshKey: cipherData.sshKey !== undefined ? cipherData.sshKey : existingCipher.sshKey,
    fields: cipherData.fields !== undefined ? cipherData.fields : existingCipher.fields,
    passwordHistory: cipherData.passwordHistory !== undefined ? cipherData.passwordHistory : existingCipher.passwordHistory,
    reprompt: cipherData.reprompt ?? existingCipher.reprompt,
    key: cipherData.key !== undefined ? cipherData.key : existingCipher.key,
    updatedAt: new Date().toISOString(),
  };
@@ -31,22 +31,21 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      return errorResponse('Email and password are required', 400);
    }
    // Check if login is rate limited
    const loginCheck = await rateLimit.checkLoginAttempt(email);
    if (!loginCheck.allowed) {
      return errorResponse(
        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
        429
      );
    }
    const user = await storage.getUser(email);
    if (!user) {
      // Record failed attempt even for non-existent user (prevent enumeration)
      await rateLimit.recordFailedLogin(email);
      return identityErrorResponse('Username or password is incorrect. Try again', 'invalid_grant', 400);
    }
    // Check if login is rate limited (only after confirming user exists)
    const loginCheck = await rateLimit.checkLoginAttempt(email);
    if (!loginCheck.allowed) {
      return identityErrorResponse(
        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
        'TooManyRequests',
        429
      );
    }
    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash);
    if (!valid) {
      // Record failed login attempt
@@ -136,6 +135,16 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      UserDecryptionOptions: {
        HasMasterPassword: true,
        Object: 'userDecryptionOptions',
        MasterPasswordUnlock: {
          Kdf: {
            KdfType: user.kdfType,
            Iterations: user.kdfIterations,
            Memory: user.kdfMemory || null,
            Parallelism: user.kdfParallelism || null,
          },
          MasterKeyEncryptedUserKey: user.key,
          Salt: user.email.toLowerCase(),
        },
      },
    };
@@ -134,6 +134,8 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
        totp: c.login.totp || null,
        autofillOnPageLoad: null,
        fido2Credentials: null,
        uri: null,
        passwordRevisionDate: null,
      } : null,
      card: c.card ? {
        cardholderName: c.card.cardholderName || null,
@@ -172,6 +174,8 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      })) || null,
      passwordHistory: c.passwordHistory || null,
      reprompt: c.reprompt || 0,
      sshKey: null,
      key: null,
      createdAt: now,
      updatedAt: now,
      deletedAt: null,
@@ -11,6 +11,7 @@ function formatAttachments(attachments: Attachment[]): any[] | null {
    size: String(a.size),
    sizeName: a.sizeName,
    key: a.key,
    url: null,
    object: 'attachment',
  }));
 }
@@ -41,6 +42,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    twoFactorEnabled: false,
    key: user.key,
    privateKey: user.privateKey,
    accountKeys: null,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -59,7 +61,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      id: cipher.id,
      organizationId: null,
      folderId: cipher.folderId,
-      type: cipher.type,
+      type: Number(cipher.type) || 1,
      name: cipher.name,
      notes: cipher.notes,
      favorite: cipher.favorite,
@@ -67,6 +69,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      card: cipher.card,
      identity: cipher.identity,
      secureNote: cipher.secureNote,
      sshKey: cipher.sshKey,
      fields: cipher.fields,
      passwordHistory: cipher.passwordHistory,
      reprompt: cipher.reprompt,
@@ -74,16 +77,18 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      creationDate: cipher.createdAt,
      revisionDate: cipher.updatedAt,
      deletedDate: cipher.deletedAt,
      archivedDate: null,
      edit: true,
      viewPassword: true,
      permissions: {
        delete: true,
        restore: true,
        edit: true,
      },
      object: 'cipher',
      collectionIds: [],
      attachments: formatAttachments(attachments),
      key: cipher.key,
      encryptedFor: null,
    });
  };
@@ -107,6 +112,18 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    },
    policies: [],
    sends: [],
    userDecryption: {
      masterPasswordUnlock: {
        salt: user.email,
        kdf: {
          kdfType: user.kdfType,
          iterations: user.kdfIterations,
          memory: user.kdfMemory || null,
          parallelism: user.kdfParallelism || null,
        },
        masterKeyEncryptedUserKey: user.key,
      },
    },
    object: 'sync',
  };
@@ -3,11 +3,11 @@ import { Env } from '../types';
 // Rate limit configuration
 const CONFIG = {
  // Login attempt limits
-  LOGIN_MAX_ATTEMPTS: 5,           // Max failed login attempts
+  LOGIN_MAX_ATTEMPTS: 15,          // Max failed login attempts
-  LOGIN_LOCKOUT_MINUTES: 15,       // Lockout duration after max attempts
+  LOGIN_LOCKOUT_MINUTES: 5,        // Lockout duration after max attempts
  // API rate limits (per minute)
-  API_REQUESTS_PER_MINUTE: 60,     // General API rate limit
+  API_REQUESTS_PER_MINUTE: 300,    // General API rate limit
  API_WINDOW_SECONDS: 60,          // Rate limit window
 };
@@ -54,6 +54,8 @@ export interface CipherLogin {
  totp: string | null;
  autofillOnPageLoad: boolean | null;
  fido2Credentials: any[] | null;
  uri: string | null;
  passwordRevisionDate: string | null;
 }
 export interface CipherCard {
@@ -65,6 +67,12 @@ export interface CipherCard {
  code: string | null;
 }
 export interface CipherSshKey {
  publicKey: string;
  privateKey: string;
  keyFingerprint: string;
 }
 export interface CipherIdentity {
  title: string | null;
  firstName: string | null;
@@ -114,9 +122,11 @@ export interface Cipher {
  card: CipherCard | null;
  identity: CipherIdentity | null;
  secureNote: CipherSecureNote | null;
  sshKey: CipherSshKey | null;
  fields: CipherField[] | null;
  passwordHistory: PasswordHistory[] | null;
  reprompt: number;
  key: string | null;
  createdAt: string;
  updatedAt: string;
  deletedAt: string | null;
@@ -190,20 +200,21 @@ export interface ProfileResponse {
  email: string;
  emailVerified: boolean;
  premium: boolean;
-  premiumFromOrganization: boolean;  // required by mobile client
+  premiumFromOrganization: boolean;
-  usesKeyConnector: boolean;  // required by mobile client
+  usesKeyConnector: boolean;
  masterPasswordHint: string | null;
  culture: string;
  twoFactorEnabled: boolean;
  key: string;
  privateKey: string | null;
  accountKeys: any | null;
  securityStamp: string;
  organizations: any[];
  providers: any[];
  providerOrganizations: any[];
  forcePasswordReset: boolean;
  avatarColor: string | null;
-  creationDate: string;  // required by mobile client
+  creationDate: string;
  object: string;
 }
@@ -219,6 +230,7 @@ export interface CipherResponse {
  card: CipherCard | null;
  identity: CipherIdentity | null;
  secureNote: CipherSecureNote | null;
  sshKey: CipherSshKey | null;
  fields: CipherField[] | null;
  passwordHistory: PasswordHistory[] | null;
  reprompt: number;
@@ -226,18 +238,20 @@ export interface CipherResponse {
  creationDate: string;
  revisionDate: string;
  deletedDate: string | null;
  archivedDate: string | null;
  edit: boolean;
  viewPassword: boolean;
  permissions: CipherPermissions | null;
  object: string;
  collectionIds: string[];
  attachments: any[] | null;
  key: string | null;
  encryptedFor: string | null;
 }
 export interface CipherPermissions {
  delete: boolean;
  restore: boolean;
  edit: boolean;
 }
 export interface FolderResponse {
@@ -255,5 +269,6 @@ export interface SyncResponse {
  domains: any;
  policies: any[];
  sends: any[];
  userDecryption: any | null;
  object: string;
 }