From c78887a06333635093483dab55d50e705bbcc2e1 Mon Sep 17 00:00:00 2001
From: BlackDex <black.dex@gmail.com>
Date: Mon, 23 Mar 2026 15:07:50 +0100
Subject: [PATCH] Split vault org/personal purge endpoints

Signed-off-by: BlackDex <black.dex@gmail.com>
---
 src/api/core/ciphers.rs | 103 ++++++++++++++++++++++------------------
 src/auth.rs             |  44 ++++++++++++-----
 2 files changed, 88 insertions(+), 59 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index f7bf5cd3..8696b50a 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -14,7 +14,7 @@ use crate::auth::ClientVersion;
 use crate::util::{save_temp_file, NumberOrString};
 use crate::{
     api::{self, core::log_event, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType},
-    auth::Headers,
+    auth::{Headers, OrgIdGuard, OwnerHeaders},
     config::PathType,
     crypto,
     db::{
@@ -86,7 +86,8 @@ pub fn routes() -> Vec<Route> {
         restore_cipher_put_admin,
         restore_cipher_selected,
         restore_cipher_selected_admin,
-        delete_all,
+        purge_org_vault,
+        purge_personal_vault,
         move_cipher_selected,
         move_cipher_selected_put,
         put_collections2_update,
@@ -1642,65 +1643,73 @@ struct OrganizationIdData {
     org_id: OrganizationId,
 }
 
+// Use the OrgIdGuard here, to ensure there an organization id present.
+// If there is no organization id present, it should be forwarded to purge_personal_vault.
+// This guard needs to be the first argument, else OwnerHeaders will be triggered which will logout the user.
 #[post("/ciphers/purge?<organization..>", data = "<data>")]
-async fn delete_all(
-    organization: Option<OrganizationIdData>,
+async fn purge_org_vault(
+    _org_id_guard: OrgIdGuard,
+    organization: OrganizationIdData,
     data: Json<PasswordOrOtpData>,
-    headers: Headers,
+    headers: OwnerHeaders,
     conn: DbConn,
     nt: Notify<'_>,
 ) -> EmptyResult {
+    if organization.org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
+
     let data: PasswordOrOtpData = data.into_inner();
-    let mut user = headers.user;
+    let user = headers.user;
 
     data.validate(&user, true, &conn).await?;
 
-    match organization {
-        Some(org_data) => {
-            // Organization ID in query params, purging organization vault
-            match Membership::find_by_user_and_org(&user.uuid, &org_data.org_id, &conn).await {
-                None => err!("You don't have permission to purge the organization vault"),
-                Some(member) => {
-                    if member.atype == MembershipType::Owner {
-                        Cipher::delete_all_by_organization(&org_data.org_id, &conn).await?;
-                        nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
-
-                        log_event(
-                            EventType::OrganizationPurgedVault as i32,
-                            &org_data.org_id,
-                            &org_data.org_id,
-                            &user.uuid,
-                            headers.device.atype,
-                            &headers.ip.ip,
-                            &conn,
-                        )
-                        .await;
-
-                        Ok(())
-                    } else {
-                        err!("You don't have permission to purge the organization vault");
-                    }
-                }
-            }
-        }
-        None => {
-            // No organization ID in query params, purging user vault
-            // Delete ciphers and their attachments
-            for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
-                cipher.delete(&conn).await?;
-            }
-
-            // Delete folders
-            for f in Folder::find_by_user(&user.uuid, &conn).await {
-                f.delete(&conn).await?;
-            }
-
-            user.update_revision(&conn).await?;
+    match Membership::find_confirmed_by_user_and_org(&user.uuid, &organization.org_id, &conn).await {
+        Some(member) if member.atype == MembershipType::Owner => {
+            Cipher::delete_all_by_organization(&organization.org_id, &conn).await?;
             nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
 
+            log_event(
+                EventType::OrganizationPurgedVault as i32,
+                &organization.org_id,
+                &organization.org_id,
+                &user.uuid,
+                headers.device.atype,
+                &headers.ip.ip,
+                &conn,
+            )
+            .await;
+
             Ok(())
         }
+        _ => err!("You don't have permission to purge the organization vault"),
+    }
+}
+
+#[post("/ciphers/purge", data = "<data>")]
+async fn purge_personal_vault(
+    data: Json<PasswordOrOtpData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> EmptyResult {
+    let data: PasswordOrOtpData = data.into_inner();
+    let mut user = headers.user;
+
+    data.validate(&user, true, &conn).await?;
+
+    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
+        cipher.delete(&conn).await?;
+    }
+
+    for f in Folder::find_by_user(&user.uuid, &conn).await {
+        f.delete(&conn).await?;
     }
+
+    user.update_revision(&conn).await?;
+    nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
+
+    Ok(())
 }
 
 #[derive(PartialEq)]
diff --git a/src/auth.rs b/src/auth.rs
index 99741277..224bcba5 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -720,6 +720,36 @@ impl OrgHeaders {
     }
 }
 
+// org_id is usually the second path param ("/organizations/<org_id>"),
+// but there are cases where it is a query value.
+// First check the path, if this is not a valid uuid, try the query values.
+fn get_org_id(request: &Request<'_>) -> Option<OrganizationId> {
+    if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
+        Some(org_id)
+    } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
+        Some(org_id)
+    } else {
+        None
+    }
+}
+
+// Special Guard to ensure that there is an organization id present
+// If there is no org id trigger the Outcome::Forward.
+// This is useful for endpoints which work for both organization and personal vaults, like purge.
+pub struct OrgIdGuard;
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for OrgIdGuard {
+    type Error = &'static str;
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        match get_org_id(request) {
+            Some(_) => Outcome::Success(OrgIdGuard),
+            None => Outcome::Forward(rocket::http::Status::NotFound),
+        }
+    }
+}
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for OrgHeaders {
     type Error = &'static str;
@@ -727,18 +757,8 @@ impl<'r> FromRequest<'r> for OrgHeaders {
     async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
         let headers = try_outcome!(Headers::from_request(request).await);
 
-        // org_id is usually the second path param ("/organizations/<org_id>"),
-        // but there are cases where it is a query value.
-        // First check the path, if this is not a valid uuid, try the query values.
-        let url_org_id: Option<OrganizationId> = {
-            if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
-                Some(org_id)
-            } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
-                Some(org_id)
-            } else {
-                None
-            }
-        };
+        // Extract the org_id from the request
+        let url_org_id = get_org_id(request);
 
         match url_org_id {
             Some(org_id) if uuid::Uuid::parse_str(&org_id).is_ok() => {