vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 2cd736ab817e2d1c717ec876978cd2623e62665a
parent 99256b9b3a53831367c0616ce834aeb65f53cbd2
Author: Nick Fox <nick@foxsec.net>
Date:   Thu, 20 Dec 2018 22:16:41 -0500

Validate JWT if a user registers with SMTP invites enabled

Diffstat:
Msrc/api/core/accounts.rs | 31++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs @@ -4,7 +4,7 @@ use crate::db::models::*; use crate::db::DbConn; use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers}; -use crate::auth::Headers; +use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims}; use crate::mail; use crate::CONFIG; @@ -44,6 +44,8 @@ struct RegisterData { MasterPasswordHash: String, MasterPasswordHint: Option<String>, Name: Option<String>, + Token: Option<String>, + OrganizationUserId: Option<String>, } #[derive(Deserialize, Debug)] @@ -59,22 +61,37 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if CONFIG.mail.is_none() { - if Invitation::take(&data.Email, &conn) { + if Invitation::find_by_mail(&data.Email, &conn).is_some() { + if CONFIG.mail.is_none() { for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { user_org.status = UserOrgStatus::Accepted as i32; if user_org.save(&conn).is_err() { err!("Failed to accept user to organization") } } + if !Invitation::take(&data.Email, &conn) { + err!("Error accepting invitation") + } user - } else if CONFIG.signups_allowed { - err!("Account with this email already exists") } else { - err!("Registration not allowed") + let token = match &data.Token { + Some(token) => token, + None => err!("No valid invite token") + }; + let claims: InviteJWTClaims = match decode_invite_jwt(&token) { + Ok(claims) => claims, + Err(msg) => err!("Invalid claim: {:#?}", msg), + }; + if &claims.email == &data.Email { + user + } else { + err!("Registration email does not match invite email") + } } + } else if CONFIG.signups_allowed { + err!("Account with this email already exists") } else { - user + err!("Registration not allowed") } } None => {
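Review bot: In the new SMTP branch of `register` (the `else` after `if CONFIG.mail.is_none()`), a matching `Invitation` row gates entry but is never consumed, whereas the no-mail branch now calls `Invitation::take` and fails with "Error accepting invitation" if that does not succeed; the two paths should agree, so after the `claims.email == data.Email` check passes add `if !Invitation::take(&data.Email, &conn) { err!("Error accepting invitation") }` before yielding `user`. Without that, the same email plus the same still-valid invite JWT re-enters this branch on a repeat POST, and if the code after the hunk writes the master password onto `user` (the rest of `register`, including the `None` arm, is outside this hunk) the invite becomes replayable until the token expires. The new `OrganizationUserId` field on `RegisterData` is deserialized but unused in this hunk; if it is meant to tie the registration to a specific `UserOrganization` row, check it against the claims here rather than trusting the email alone, or drop the field. Minor points of style: `Err(msg) => err!("Invalid claim: {:#?}", msg)` echoes the raw decode error to the client, where a fixed message and a server-side log would do, and `&claims.email == &data.Email` / `decode_invite_jwt(&token)` take references of references (clippy `op_ref`, `needless_borrow`) and read more plainly as `claims.email == data.Email` and `decode_invite_jwt(token)`.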