topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #295 from njfox/invite_emails 

Add Email Invite Functionality
pull/308/head
Daniel García 7 years ago
committed by GitHub
parent
b3ec8f2611 2cd736ab81
commit
2b24b17609
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 172 additions and 11 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 39
      src/api/core/accounts.rs
  2. 78
      src/api/core/organizations.rs
  3. 37
      src/auth.rs
  4. 29
      src/mail.rs

39
src/api/core/accounts.rs
View File

@ -4,7 +4,7 @@ use crate::db::models::*;
use crate::db::DbConn; use crate::db::DbConn;
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers}; use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
use crate::auth::Headers; use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
use crate::mail; use crate::mail;
use crate::CONFIG; use crate::CONFIG;
@ -44,6 +44,8 @@ struct RegisterData {
MasterPasswordHash: String, MasterPasswordHash: String,
MasterPasswordHint: Option<String>, MasterPasswordHint: Option<String>,
Name: Option<String>, Name: Option<String>,
Token: Option<String>,
OrganizationUserId: Option<String>,
} }
#[derive(Deserialize, Debug)] #[derive(Deserialize, Debug)]
@ -59,22 +61,41 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) { let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => { Some(user) => {
if Invitation::take(&data.Email, &conn) { if Invitation::find_by_mail(&data.Email, &conn).is_some() {
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { if CONFIG.mail.is_none() {
user_org.status = UserOrgStatus::Accepted as i32; for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
if user_org.save(&conn).is_err() { user_org.status = UserOrgStatus::Accepted as i32;
err!("Failed to accept user to organization") if user_org.save(&conn).is_err() {
err!("Failed to accept user to organization")
}
}
if !Invitation::take(&data.Email, &conn) {
err!("Error accepting invitation")
}
user
} else {
let token = match &data.Token {
Some(token) => token,
None => err!("No valid invite token")
};
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
Ok(claims) => claims,
Err(msg) => err!("Invalid claim: {:#?}", msg),
};
if &claims.email == &data.Email {
user
} else {
err!("Registration email does not match invite email")
} }
} }
user
} else if CONFIG.signups_allowed { } else if CONFIG.signups_allowed {
err!("Account with this email already exists") err!("Account with this email already exists")
} else { } else {
err!("Registration not allowed") err!("Registration not allowed")
} }
} }
None => { None => {
if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) { if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
User::new(data.Email) User::new(data.Email)
} else { } else {
err!("Registration not allowed") err!("Registration not allowed")

78
src/api/core/organizations.rs
View File

@ -8,7 +8,7 @@ use crate::db::DbConn;
use crate::db::models::*; use crate::db::models::*;
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType}; use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
use crate::auth::{Headers, AdminHeaders, OwnerHeaders}; use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
use serde::{Deserialize, Deserializer}; use serde::{Deserialize, Deserializer};
@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
get_org_users, get_org_users,
send_invite, send_invite,
confirm_invite, confirm_invite,
accept_invite,
get_user, get_user,
edit_user, edit_user,
put_organization_user, put_organization_user,
@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
} }
for email in data.Emails.iter() { for email in data.Emails.iter() {
let mut user_org_status = UserOrgStatus::Accepted as i32; let mut user_org_status = match CONFIG.mail {
Some(_) => UserOrgStatus::Invited as i32,
None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
};
let user = match User::find_by_mail(&email, &conn) { let user = match User::find_by_mail(&email, &conn) {
None => if CONFIG.invitations_allowed { // Invite user if that's enabled None => if CONFIG.invitations_allowed { // Invite user if that's enabled
let mut invitation = Invitation::new(email.clone()); let mut invitation = Invitation::new(email.clone());
@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
}; };
// Don't create UserOrganization in virtual organization // Don't create UserOrganization in virtual organization
let mut org_user_id = None;
if org_id != Organization::VIRTUAL_ID { if org_id != Organization::VIRTUAL_ID {
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone()); let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
let access_all = data.AccessAll.unwrap_or(false); let access_all = data.AccessAll.unwrap_or(false);
@ -476,12 +481,81 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
if new_user.save(&conn).is_err() { if new_user.save(&conn).is_err() {
err!("Failed to add user to organization") err!("Failed to add user to organization")
} }
org_user_id = Some(new_user.uuid.clone());
}
if CONFIG.mail.is_some() {
use crate::mail;
use chrono::{Duration, Utc};
let time_now = Utc::now().naive_utc();
let claims = InviteJWTClaims {
nbf: time_now.timestamp(),
exp: (time_now + Duration::days(5)).timestamp(),
iss: JWT_ISSUER.to_string(),
sub: user.uuid.to_string(),
email: email.clone(),
org_id: org_id.clone(),
user_org_id: org_user_id.clone(),
};
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
Some(org) => org.name,
None => err!("Error looking up organization")
};
let invite_token = encode_jwt(&claims);
if let Some(ref mail_config) = CONFIG.mail {
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
&invite_token, &org_name, mail_config) {
err!(format!("There has been a problem sending the email: {}", e))
}
}
} }
} }
Ok(()) Ok(())
} }
#[derive(Deserialize)]
#[allow(non_snake_case)]
struct AcceptData {
Token: String,
}
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
let data: AcceptData = data.into_inner().data;
let token = &data.Token;
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
Ok(claims) => claims,
Err(msg) => err!("Invalid claim: {:#?}", msg),
};
match User::find_by_mail(&claims.email, &conn) {
Some(_) => {
if Invitation::take(&claims.email, &conn) {
if claims.user_org_id.is_some() {
// If this isn't the virtual_org, mark userorg as accepted
let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
Some(user_org) => user_org,
None => err!("Error accepting the invitation")
};
user_org.status = UserOrgStatus::Accepted as i32;
if user_org.save(&conn).is_err() {
err!("Failed to accept user to organization")
}
}
} else {
err!("Invitation for user not found")
}
},
None => {
err!("Invited user not found")
},
}
Ok(())
}
#[post("/organizations/<org_id>/users/<org_user_id>/confirm", data = "<data>")] #[post("/organizations/<org_id>/users/<org_user_id>/confirm", data = "<data>")]
fn confirm_invite(org_id: String, org_user_id: String, data: JsonUpcase<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult { fn confirm_invite(org_id: String, org_user_id: String, data: JsonUpcase<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
let data = data.into_inner().data; let data = data.into_inner().data;

37
src/auth.rs
View File

@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
} }
} }
pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
let validation = jsonwebtoken::Validation {
leeway: 30, // 30 seconds
validate_exp: true,
validate_iat: false, // IssuedAt is the same as NotBefore
validate_nbf: true,
aud: None,
iss: Some(JWT_ISSUER.clone()),
sub: None,
algorithms: vec![JWT_ALGORITHM],
};
match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
Ok(decoded) => Ok(decoded.claims),
Err(msg) => {
error!("Error validating jwt - {:#?}", msg);
Err(msg.to_string())
}
}
}
#[derive(Debug, Serialize, Deserialize)] #[derive(Debug, Serialize, Deserialize)]
pub struct JWTClaims { pub struct JWTClaims {
// Not before // Not before
@ -87,6 +108,22 @@ pub struct JWTClaims {
pub amr: Vec<String>, pub amr: Vec<String>,
} }
#[derive(Debug, Serialize, Deserialize)]
pub struct InviteJWTClaims {
// Not before
pub nbf: i64,
// Expiration time
pub exp: i64,
// Issuer
pub iss: String,
// Subject
pub sub: String,
pub email: String,
pub org_id: String,
pub user_org_id: Option<String>,
}
/// ///
/// Bearer token authentication /// Bearer token authentication
/// ///

29
src/mail.rs
View File

@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
use lettre_email::EmailBuilder; use lettre_email::EmailBuilder;
use crate::MailConfig; use crate::MailConfig;
use crate::CONFIG;
fn mailer(config: &MailConfig) -> SmtpTransport { fn mailer(config: &MailConfig) -> SmtpTransport {
let client_security = if config.smtp_ssl { let client_security = if config.smtp_ssl {
@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
.map_err(|e| e.to_string()) .map_err(|e| e.to_string())
.and(Ok(())) .and(Ok(()))
} }
pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
let (subject, body) = {
(format!("Join {}", &org_name),
format!(
"<html>
<p>You have been invited to join the <b>{}</b> organization.<br><br>
<a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
<p>If you do not wish to join this organization, you can safely ignore this email.</p>
</html>",
org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
))
};
let email = EmailBuilder::new()
.to(address)
.from((config.smtp_from.clone(), "Bitwarden-rs"))
.subject(subject)
.header(("Content-Type", "text/html"))
.body(body)
.build()
.map_err(|e| e.to_string())?;
mailer(config)
.send(email.into())
.map_err(|e| e.to_string())
.and(Ok(()))
}
Write Preview
Loading…
Cancel
Save