vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 4910b14d57b173c23a893fe778e1c24d2c617e16
parent d428120ec645ad5089833b405c2ee73d094e0e37
Author: Nick Fox <nick@foxsec.net>
Date:   Fri, 14 Dec 2018 21:56:00 -0500

Implement email invitations and registration workflow

Diffstat:
Msrc/api/core/accounts.rs | 25+++++++++++++++----------
Msrc/api/core/organizations.rs | 58+++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 72 insertions(+), 11 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs @@ -59,22 +59,27 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if Invitation::take(&data.Email, &conn) { - for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { - user_org.status = UserOrgStatus::Accepted as i32; - if user_org.save(&conn).is_err() { - err!("Failed to accept user to organization") + if !CONFIG.email_invitations { + if Invitation::take(&data.Email, &conn) { + for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { + user_org.status = UserOrgStatus::Accepted as i32; + if user_org.save(&conn).is_err() { + err!("Failed to accept user to organization") + } } + user + } else if CONFIG.signups_allowed { + err!("Account with this email already exists") + } else { + err!("Registration not allowed") } - user - } else if CONFIG.signups_allowed { - err!("Account with this email already exists") } else { - err!("Registration not allowed") + // User clicked email invite link, so they are already "accepted" in UserOrgs + user } } None => { - if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) { + if CONFIG.signups_allowed || (!CONFIG.email_invitations && Invitation::take(&data.Email, &conn)) { User::new(data.Email) } else { err!("Registration not allowed") diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs @@ -8,7 +8,7 @@ use crate::db::DbConn; use crate::db::models::*; use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType}; -use crate::auth::{Headers, AdminHeaders, OwnerHeaders}; +use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER}; use serde::{Deserialize, Deserializer}; @@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> { get_org_users, send_invite, confirm_invite, + accept_invite, get_user, edit_user, put_organization_user, @@ -477,6 +478,61 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade err!("Failed to add user to organization") } } + + if CONFIG.email_invitations { + use crate::mail; + use chrono::{Duration, Utc}; + let time_now = Utc::now().naive_utc(); + let claims = InviteJWTClaims { + nbf: time_now.timestamp(), + exp: (time_now + Duration::days(5)).timestamp(), + iss: JWT_ISSUER.to_string(), + sub: user.uuid.to_string(), + email: email.clone(), + }; + let org_name = match Organization::find_by_uuid(&org_id, &conn) { + Some(org) => org.name, + None => err!("Error looking up organization") + }; + let invite_token = encode_jwt(&claims); + let org_user_id = Organization::VIRTUAL_ID; + + if let Some(ref mail_config) = CONFIG.mail { + if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id, &invite_token, &org_name, mail_config) { + err!(format!("There has been a problem sending the email: {}", e)) + } + } + } + } + + Ok(()) +} + +// TODO: Figure out how to make this redirect to the registration page +#[get("/organizations/<org_id>/users/<org_user_id>/accept?<token>")] +fn accept_invite(org_id: String, org_user_id: String, token: String, conn: DbConn) -> EmptyResult { + let invite_claims: InviteJWTClaims = match decode_invite_jwt(&token) { + Ok(claims) => claims, + Err(msg) => err!("Invalid claim: {:#?}", msg), + }; + + match User::find_by_mail(&invite_claims.email, &conn) { + Some(user) => { + if Invitation::take(&invite_claims.email, &conn) { + for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { + user_org.status = UserOrgStatus::Accepted as i32; + if user_org.save(&conn).is_err() { + err!("Failed to accept user to organization") + } + } + //rocket::response::Redirect::to(format!("/#/register?email={}", invite_claims.email)) + } else { + err!("Invitation for user not found") + } + }, + None => { + err!("Invited user not found") + }, } Ok(())