Remove web3 functionality from frontend, update docs links (#857)

* remove web3 stuff, update links

* fix tests

.github/pull_request_template.md

@@ -5,28 +5,28 @@
 
 ### 🛠️ Dev Branch Merge Checklist:
 
-#### Documentation ###
+#### Documentation
 
-- [ ] If testing requires changes in the environment or deployment, please **update the documentation** (https://defguard.gitbook.io) first and **attach the link to the documentation** section in this pool request
+- [ ] If testing requires changes in the environment or deployment, please **update the documentation** (https://docs.defguard.net/) first and **attach the link to the documentation** section in this pool request
 - [ ] I have commented on my code, particularly in hard-to-understand areas
 
-#### Testing ### 
+#### Testing
 
 - [ ] I have prepared end-to-end tests for all new functionalities
 - [ ] I have performed end-to-end tests manually and they work
 - [ ] New and existing unit tests pass locally with my changes
 
-#### Deployment ###
+#### Deployment
 
 - [ ] If deployment is affected I have made corresponding/required changes to [deployment](https://github.com/defguard/deployment) (Docker, Kubernetes, one-line install)
 
 ### 🏚️ Main Branch Merge Checklist:
 
-#### Testing ### 
+#### Testing
 
 - [ ] I have merged my changes before to dev and the dev checklist is done
 - [ ] I have tested all functionalities on the dev instance and they work
 
-#### Documentation ###
+#### Documentation
 
 - [ ] I have made corresponding changes to the **user & admin documentation** and added new features documentation with screenshots for users/admins

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "defguard"
-version = "1.0.0"
+version = "1.1.0"
 edition = "2021"
 license = "Apache-2.0"
 homepage = "https://defguard.net/"

README.md

@@ -13,20 +13,21 @@
 ### Comprehensive Access Control
 
 - **[WireGuard® VPN with 2FA/MFA](https://docs.defguard.net/admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/architecture)** - not 2FA to "access application" like most solutions
-    - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
-    - Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
-- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/admin-and-features/openid-connect): 
-    - significant cost saving, simplifying deployment and maintenance
-    - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration
+  - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
+  - Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
+- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/admin-and-features/openid-connect):
+  - significant cost saving, simplifying deployment and maintenance
+  - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration
 - Already using Google/Microsoft or other OpenID Provider? - [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)
 - Only solution with [secure remote user Enrollment & Onboarding](https://docs.defguard.net/help/enrollment)
 - Yubico YubiKey Hardware [security key management and provisioning](https://docs.defguard.net/admin-and-features/yubikey-provisioning)
-- Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (eg. utilizing  network segments like Demilitarized Zones, Intranet with no external access, etc), ensuring a secure environment.
+- Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (eg. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc), ensuring a secure environment.
 - Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc..)
 - Built on WireGuard® protocol which is faster than IPSec, and significantly faster than OpenVPN
 - Built with Rust for speed and security
 
 See:
+
 - [full list of features](https://github.com/defguard/defguard#features)
 - [enterprise only features](https://docs.defguard.net/enterprise/all-enteprise-features)
 
@@ -61,6 +62,7 @@ Better quality video can [be viewed here](https://github.com/DefGuard/docs/raw/d
 ![defguard WireGuard MFA](https://github.com/DefGuard/docs/blob/docs/releases/0.9/mfa.png?raw=true)
 
 [Desktop client](https://github.com/DefGuard/client):
+
 - **2FA / Multi-Factor Authentication** with TOTP or email based tokens & WireGuard PSK
 - [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
 - Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
@@ -82,6 +84,7 @@ curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGua
 ```
 
 Here is a step-by-step video about this process:
+
 <div align="center">
  <p align="center">
 
@@ -98,9 +101,9 @@ Just follow [this tutorial](http://bit.ly/defguard-setup)
 
 ## Manual deployment examples
 
-* [Standalone system package based install](https://docs.defguard.net/admin-and-features/setting-up-your-instance/standalone-package-based-installation)
-* Using [Docker Compose](https://docs.defguard.net/features/setting-up-your-instance/docker-compose)
-* Using [Kubernetes](https://docs.defguard.net/features/setting-up-your-instance/kubernetes)
+- [Standalone system package based install](https://docs.defguard.net/admin-and-features/setting-up-your-instance/standalone-package-based-installation)
+- Using [Docker Compose](https://docs.defguard.net/features/setting-up-your-instance/docker-compose)
+- Using [Kubernetes](https://docs.defguard.net/features/setting-up-your-instance/kubernetes)
 
 ## Roadmap & Development backlog
 
@@ -116,7 +119,7 @@ The story and motivation behind defguard [can be found here: https://teonite.com
 
 ## Features
 
-* Remote Access: [WireGuard® VPN](https://www.wireguard.com/) server with:
+- Remote Access: [WireGuard® VPN](https://www.wireguard.com/) server with:
   - [Multi-Factor Authentication](https://docs.defguard.net/help/desktop-client/multi-factor-authentication-mfa-2fa) with TOTP/Email & Pre-Shared Session Keys
   - multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
   - multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location (**high availability/failover**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
@@ -127,37 +130,37 @@ The story and motivation behind defguard [can be found here: https://teonite.com
   - control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
   - kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard® support with [our Rust library](https://github.com/defguard/wireguard-rs)
   - dashboard and statistics overview of connected users/devices for admins
-  - *defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.*
-* Identity & Account Management:
+  - _defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld._
+- Identity & Account Management:
   - SSO based on OpenID Connect](https://openid.net/developers/how-connect-works/)
   - Extenal SSO: [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)
   - [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication:
-   - [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator)
-   - WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)
-   - Email based TOTP
+  - [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator)
+  - WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)
+  - Email based TOTP
   - LDAP (tested on [OpenLDAP](https://www.openldap.org/)) synchronization
   - [forward auth](https://docs.defguard.net/features/forward-auth) for reverse proxies (tested with Traefik and Caddy)
   - nice UI to manage users
   - Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)
-* Account Lifecycle Management:
+- Account Lifecycle Management:
   - Secure remote (over the Internet) [user enrollment](https://docs.defguard.net/help/remote-user-enrollment) - on public web / Desktop Client
   - User [onboarding after enrollment](https://docs.defguard.net/help/remote-user-enrollment/user-onboarding-after-enrollment)
-* SSH & GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/admin-and-features/ssh-authentication)
-* [Yubikey hardware keys](https://www.yubico.com/) provisioning for users by *one click*
-* [Email/SMTP support](https://docs.defguard.net/help/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding
-* Easy support with [sending debug/support information](https://docs.defguard.net/help/sending-support-info)
-* Webhooks & REST API
-* Built with [Rust](https://www.rust-lang.org/) for portability, security, and speed
-* [UI Library](https://github.com/defguard/ui) - our beautiful React/TypeScript UI is a collection of React components:
+- SSH & GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/admin-and-features/ssh-authentication)
+- [Yubikey hardware keys](https://www.yubico.com/) provisioning for users by _one click_
+- [Email/SMTP support](https://docs.defguard.net/help/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding
+- Easy support with [sending debug/support information](https://docs.defguard.net/help/sending-support-info)
+- Webhooks & REST API
+- Built with [Rust](https://www.rust-lang.org/) for portability, security, and speed
+- [UI Library](https://github.com/defguard/ui) - our beautiful React/TypeScript UI is a collection of React components:
   - a set of custom and beautiful components for the layout
   - Responsive Web Design (supporting mobile phones, tablets, etc..)
   - [iOS Web App](https://www.macrumors.com/how-to/use-web-apps-iphone-ipad/)
-* **Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/images/decap/isec-defguard.pdf))
-* End2End tests
+- **Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/images/decap/isec-defguard.pdf))
+- End2End tests
 
 ## Documentation
 
-See the [documentation](https://defguard.gitbook.io) for more information.
+See the [documentation](https://docs.defguard.net/) for more information.
 
 ## Community and Support
 
@@ -181,4 +184,5 @@ Please review the [Contributing guide](https://docs.defguard.net/for-developers/
 </p>
 
 # Legal
+
 WireGuard® is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

defguard.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=defguard core service
-Documentation=https://defguard.gitbook.io/defguard/
+Documentation=https://docs.defguard.net/
 Wants=network-online.target
 After=network-online.target
 

migrations/20241119105926_disable_wallet_mfa.up.sql

@@ -0,0 +1 @@
+UPDATE wallet SET use_for_mfa = false;

src/enterprise/handlers/openid_login.rs

@@ -375,7 +375,7 @@ pub(crate) async fn auth_callback(
         .remove(Cookie::from(CSRF_COOKIE_NAME));
 
     let config = server_config();
-    let user = user_from_claims(
+    let mut user = user_from_claims(
         &appstate.pool,
         Nonce::new(cookie_nonce),
         payload.code,
@@ -389,7 +389,7 @@ pub(crate) async fn auth_callback(
         &appstate.mail_tx,
         ip_address,
         user_agent.as_str(),
-        &user,
+        &mut user,
     )
     .await?;
 

src/handlers/auth.rs

@@ -54,7 +54,7 @@ pub(crate) async fn create_session(
     mail_tx: &UnboundedSender<Mail>,
     ip_address: IpAddr,
     user_agent: &str,
-    user: &User<Id>,
+    user: &mut User<Id>,
 ) -> Result<(Session, Option<UserInfo>, Option<MFAInfo>), WebError> {
     let agent = USER_AGENT_PARSER.parse(user_agent);
     let device_info = get_user_agent_device(&agent);
@@ -74,6 +74,9 @@ pub(crate) async fn create_session(
 
     let login_event_type = "AUTHENTICATION".to_string();
 
+    // Check that MFA state is correct before proceeding further
+    user.verify_mfa_state(pool).await?;
+
     info!("Authenticated user {}", user.username);
     if user.mfa_enabled {
         debug!(
@@ -85,7 +88,7 @@ pub(crate) async fn create_session(
                 pool,
                 mail_tx,
                 &session,
-                &user,
+                user,
                 ip_address.to_string(),
                 login_event_type,
                 agent,
@@ -104,13 +107,13 @@ pub(crate) async fn create_session(
             "User {} has MFA disabled, returning user info for login.",
             user.username
         );
-        let user_info = UserInfo::from_user(pool, &user).await?;
+        let user_info = UserInfo::from_user(pool, user).await?;
 
         check_new_device_login(
             pool,
             mail_tx,
             &session,
-            &user,
+            user,
             ip_address.to_string(),
             login_event_type,
             agent,
@@ -138,7 +141,7 @@ pub(crate) async fn authenticate(
     // check if user can proceed with login
     check_username(&appstate.failed_logins, &username)?;
 
-    let user = match User::find_by_username(&appstate.pool, &username).await {
+    let mut user = match User::find_by_username(&appstate.pool, &username).await {
         Ok(Some(user)) => match user.verify_password(&data.password) {
             Ok(()) => {
                 if user.is_active {
@@ -202,7 +205,7 @@ pub(crate) async fn authenticate(
         &appstate.mail_tx,
         ip_address,
         user_agent.as_str(),
-        &user,
+        &mut user,
     )
     .await?;
 

src/handlers/openid_flow.rs

@@ -405,9 +405,14 @@ pub async fn authorization(
                                     let _result = session.delete(&appstate.pool).await;
                                     Ok(login_redirect(&data, private_cookies))
                                 } else {
-                                    let user = User::find_by_id(&appstate.pool, session.user_id)
-                                        .await?
-                                        .ok_or(WebError::Authorization("User not found".into()))?;
+                                    let mut user =
+                                        User::find_by_id(&appstate.pool, session.user_id)
+                                            .await?
+                                            .ok_or(WebError::Authorization(
+                                                "User not found".into(),
+                                            ))?;
+
+                                    user.verify_mfa_state(&appstate.pool).await?;
 
                                     // Session exists even if user hasn't completed MFA verification yet,
                                     // thus we need to check if MFA is enabled and the verification is done.

templates/mail_enrollment_start.tera

@@ -7,7 +7,7 @@ token -> enrollment token
 {% extends "base.tera" %}
 {% import "macros.tera" as macros %}
 {% block mail_content %}
-{% set client_docs_url="https://defguard.gitbook.io/defguard/features/desktop-client" %}
+{% set client_docs_url="https://docs.defguard.net/help/desktop-client" %}
 {% set client_docs_link=macros::link(content=client_docs_url, href=client_docs_url) %}
 {% set release_url="https://defguard.net/download/" %}
 {% set release_link=macros::link(content=release_url, href=release_url) %}

templates/mail_password_reset_start.tera

@@ -7,9 +7,9 @@ token -> enrollment token
 {% extends "base.tera" %}
 {% import "macros.tera" as macros %}
 {% block mail_content %}
-{% set client_docs_url="https://defguard.gitbook.io/defguard/features/desktop-client" %}
+{% set client_docs_url="https://docs.defguard.net/help/desktop-client" %}
 {% set client_docs_link=macros::link(content=client_docs_url, href=client_docs_url) %}
-{% set release_url="https://github.com/DefGuard/client/releases/latest" %}
+{% set release_url="https://defguard.net/download/" %}
 {% set release_link=macros::link(content=release_url, href=release_url) %}
 {% set section_content = [
 macros::paragraph(content="<b>Password reset</b>"),

web/src/i18n/en/index.ts

@@ -376,7 +376,7 @@ const en: BaseTranslation = {
           },
           enableEnrollment: {
             label: 'Use user self-enrollment process',
-            link: '<a href="https://defguard.gitbook.io/defguard/help/enrollment" target="_blank">more information here</a>',
+            link: '<a href="https://docs.defguard.net/help/enrollment" target="_blank">more information here</a>',
           },
         },
       },
@@ -443,7 +443,7 @@ const en: BaseTranslation = {
     title: 'Add device',
     helpers: {
       setupOpt: `You can add a device using this wizard. Opt for our native application "defguard" or any other WireGuard client. If you're unsure, we recommend using defguard for simplicity.`,
-      client: `Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://defguard.gitbook.io/defguard/help/configuring-vpn/add-new-instance" target="_blank">this guide</a>.`,
+      client: `Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://docs.defguard.net/help/configuring-vpn/add-new-instance" target="_blank">this guide</a>.`,
     },
     messages: {
       deviceAdded: 'Device added',
@@ -1595,7 +1595,7 @@ const en: BaseTranslation = {
       noConnection: `No connection established, please run provided command.`,
       connected: `Gateway connected.`,
       statusError: 'Failed to get gateway status',
-      oneLineInstall: `If you are doing one line install: https://defguard.gitbook.io/defguard/admin-and-features/setting-up-your-instance/one-line-install
+      oneLineInstall: `If you are doing one line install: https://docs.defguard.net/admin-and-features/setting-up-your-instance/one-line-install
           you don't need to do anything.`,
       fromPackage: `Install the package available at https://github.com/DefGuard/gateway/releases/latest and configure \`/etc/defguard/gateway.toml\`
           according to the [documentation]({setupGatewayDocs:string}).`,
@@ -1821,7 +1821,7 @@ If you need assistance or you were asked to generate support data by our team (f
     supportCard: {
       title: 'Support',
       body: `
-Before contacting or submitting any issues to GitHub please get familiar with Defguard documentation available at [defguard.gitbook.io/defguard](https://defguard.gitbook.io/defguard/)
+Before contacting or submitting any issues to GitHub please get familiar with Defguard documentation available at [docs.defguard.net](https://docs.defguard.net/)
 
 To submit:
 * Bugs - please go to [GitHub](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=bug&template=bug_report.md&title=)