Add Read-Only Mode #1029

Closed
opened 2026-04-06 01:34:10 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @ssendev on 7/26/2024

Implementation of https://github.com/dani-garcia/vaultwarden/discussions/4780

This allows setting the ENV variable `READONLY=1`, which forbids `POST`, `PUT` and `DELETE` requests, with exceptions for stuff that's required to log in.

First I wanted to create a middleware, but Rocket only has fairings, which cannot respond on their own, so I instead put a guard in all `POST`, `PUT` and `DELETE` requests. (This regexp lists all exceptions: `^#\[(post|put|delete)\(([^{]|\n)*?\{\s*[^n ]\S`)

I tested it with authenticator and email 2FA, which still work; for the others I'm only 80% sure (for WebAuthn only 50%).

`post("/accounts/api-key")` is only forbidden if `api_key.is_none()`, since that would cause a write.

In organisations, some responses returned `Json<Value>`, which I changed to `JsonResult`.

Using a recovery token to log in is not allowed, since that would permanently disable 2FA, which is a write. The rationale for disallowing 2FA changes is that it may cause people to think "ok, I don't need that 2nd factor anymore" and then delete it, only to come back and find the 2FA is still enabled, since the data on that instance was overwritten from the primary one, which still had 2FA enabled.

On the admin interface there is an info popup announcing the Read-Only Mode, but config changes are still allowed.

I don't know how to get a popup for the Vault especially one that's visible on arbitrary clients.
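The regexp quoted in the description can serve as a coverage audit for the guard; the following is an added example, not code from the pull request. It assumes the guard call is the first statement of each handler and begins with `n` (the name `not_readonly()?;` is hypothetical), and the Rust sample is constructed; only `/accounts/api-key` is a path named on this page.

```python
import re

# Regexp from the PR description. MULTILINE lets ^ anchor at every line start.
# It matches a post/put/delete attribute, runs to the first "{" (the handler
# body) and requires that the body's first token does NOT begin with "n".
EXCEPTIONS = re.compile(r'^#\[(post|put|delete)\(([^{]|\n)*?\{\s*[^n ]\S', re.MULTILINE)
ROUTE = re.compile(r'#\[(post|put|delete)\("([^"]+)"')

# Constructed sample source. `not_readonly()?;` is a hypothetical guard name.
# Bodies are indented with spaces: [^n ] also accepts a tab or a newline, so
# tab-indented or unindented guarded bodies would be reported as unguarded.
SAMPLE = '''
#[post("/items", data = "<data>")]
fn post_item(data: Json<Value>) -> JsonResult {
    not_readonly()?;
    save(data)
}

#[put("/items/<id>", data = "<data>")]
fn put_item(id: &str, data: Json<Value>) -> JsonResult {
    save_as(id, data)
}

#[post("/accounts/api-key", data = "<data>")]
fn api_key(data: Json<Value>) -> JsonResult {
    let user = lookup(data)?;
    show_key(user)
}

#[get("/sync")]
fn sync() -> JsonResult {
    load()
}
'''

def unguarded_routes(source):
    """Return (METHOD, path) for each mutating handler the regexp flags."""
    found = []
    for m in EXCEPTIONS.finditer(source):
        route = ROUTE.match(source, m.start())
        found.append((route.group(1).upper(), route.group(2)))
    return found

if __name__ == "__main__":
    for method, path in unguarded_routes(SAMPLE):
        print(f"no guard at top of handler: {method} {path}")
```

Every route it reports should be either an intended login exception or a handler that applies the check conditionally, as described for `/accounts/api-key`; anything else is a write path that stays open in read-only mode.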


Reference: github/vaultwarden#1029