mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-12-14 17:43:46 +01:00
Merge pull request #295 from njfox/invite_emails
Add Email Invite Functionality
This commit is contained in:
commit
2b24b17609
4 changed files with 172 additions and 11 deletions
|
@ -4,7 +4,7 @@ use crate::db::models::*;
|
|||
use crate::db::DbConn;
|
||||
|
||||
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
|
||||
use crate::auth::Headers;
|
||||
use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
|
||||
use crate::mail;
|
||||
|
||||
use crate::CONFIG;
|
||||
|
@ -44,6 +44,8 @@ struct RegisterData {
|
|||
MasterPasswordHash: String,
|
||||
MasterPasswordHint: Option<String>,
|
||||
Name: Option<String>,
|
||||
Token: Option<String>,
|
||||
OrganizationUserId: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Debug)]
|
||||
|
@ -59,22 +61,41 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
|
|||
|
||||
let mut user = match User::find_by_mail(&data.Email, &conn) {
|
||||
Some(user) => {
|
||||
if Invitation::take(&data.Email, &conn) {
|
||||
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
|
||||
user_org.status = UserOrgStatus::Accepted as i32;
|
||||
if user_org.save(&conn).is_err() {
|
||||
err!("Failed to accept user to organization")
|
||||
if Invitation::find_by_mail(&data.Email, &conn).is_some() {
|
||||
if CONFIG.mail.is_none() {
|
||||
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
|
||||
user_org.status = UserOrgStatus::Accepted as i32;
|
||||
if user_org.save(&conn).is_err() {
|
||||
err!("Failed to accept user to organization")
|
||||
}
|
||||
}
|
||||
if !Invitation::take(&data.Email, &conn) {
|
||||
err!("Error accepting invitation")
|
||||
}
|
||||
user
|
||||
} else {
|
||||
let token = match &data.Token {
|
||||
Some(token) => token,
|
||||
None => err!("No valid invite token")
|
||||
};
|
||||
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
|
||||
Ok(claims) => claims,
|
||||
Err(msg) => err!("Invalid claim: {:#?}", msg),
|
||||
};
|
||||
if &claims.email == &data.Email {
|
||||
user
|
||||
} else {
|
||||
err!("Registration email does not match invite email")
|
||||
}
|
||||
}
|
||||
user
|
||||
} else if CONFIG.signups_allowed {
|
||||
err!("Account with this email already exists")
|
||||
err!("Account with this email already exists")
|
||||
} else {
|
||||
err!("Registration not allowed")
|
||||
}
|
||||
}
|
||||
None => {
|
||||
if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
|
||||
if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
|
||||
User::new(data.Email)
|
||||
} else {
|
||||
err!("Registration not allowed")
|
||||
|
|
|
@ -8,7 +8,7 @@ use crate::db::DbConn;
|
|||
use crate::db::models::*;
|
||||
|
||||
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
|
||||
use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
|
||||
use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
|
||||
|
||||
use serde::{Deserialize, Deserializer};
|
||||
|
||||
|
@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
|
|||
get_org_users,
|
||||
send_invite,
|
||||
confirm_invite,
|
||||
accept_invite,
|
||||
get_user,
|
||||
edit_user,
|
||||
put_organization_user,
|
||||
|
@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
|||
}
|
||||
|
||||
for email in data.Emails.iter() {
|
||||
let mut user_org_status = UserOrgStatus::Accepted as i32;
|
||||
let mut user_org_status = match CONFIG.mail {
|
||||
Some(_) => UserOrgStatus::Invited as i32,
|
||||
None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
|
||||
};
|
||||
let user = match User::find_by_mail(&email, &conn) {
|
||||
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
|
||||
let mut invitation = Invitation::new(email.clone());
|
||||
|
@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
|||
};
|
||||
|
||||
// Don't create UserOrganization in virtual organization
|
||||
let mut org_user_id = None;
|
||||
if org_id != Organization::VIRTUAL_ID {
|
||||
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
|
||||
let access_all = data.AccessAll.unwrap_or(false);
|
||||
|
@ -476,7 +481,76 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
|||
if new_user.save(&conn).is_err() {
|
||||
err!("Failed to add user to organization")
|
||||
}
|
||||
org_user_id = Some(new_user.uuid.clone());
|
||||
}
|
||||
|
||||
if CONFIG.mail.is_some() {
|
||||
use crate::mail;
|
||||
use chrono::{Duration, Utc};
|
||||
let time_now = Utc::now().naive_utc();
|
||||
let claims = InviteJWTClaims {
|
||||
nbf: time_now.timestamp(),
|
||||
exp: (time_now + Duration::days(5)).timestamp(),
|
||||
iss: JWT_ISSUER.to_string(),
|
||||
sub: user.uuid.to_string(),
|
||||
email: email.clone(),
|
||||
org_id: org_id.clone(),
|
||||
user_org_id: org_user_id.clone(),
|
||||
};
|
||||
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
||||
Some(org) => org.name,
|
||||
None => err!("Error looking up organization")
|
||||
};
|
||||
let invite_token = encode_jwt(&claims);
|
||||
if let Some(ref mail_config) = CONFIG.mail {
|
||||
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
|
||||
&invite_token, &org_name, mail_config) {
|
||||
err!(format!("There has been a problem sending the email: {}", e))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
#[allow(non_snake_case)]
|
||||
struct AcceptData {
|
||||
Token: String,
|
||||
}
|
||||
|
||||
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
|
||||
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
|
||||
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
|
||||
let data: AcceptData = data.into_inner().data;
|
||||
let token = &data.Token;
|
||||
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
|
||||
Ok(claims) => claims,
|
||||
Err(msg) => err!("Invalid claim: {:#?}", msg),
|
||||
};
|
||||
|
||||
match User::find_by_mail(&claims.email, &conn) {
|
||||
Some(_) => {
|
||||
if Invitation::take(&claims.email, &conn) {
|
||||
if claims.user_org_id.is_some() {
|
||||
// If this isn't the virtual_org, mark userorg as accepted
|
||||
let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
|
||||
Some(user_org) => user_org,
|
||||
None => err!("Error accepting the invitation")
|
||||
};
|
||||
user_org.status = UserOrgStatus::Accepted as i32;
|
||||
if user_org.save(&conn).is_err() {
|
||||
err!("Failed to accept user to organization")
|
||||
}
|
||||
}
|
||||
} else {
|
||||
err!("Invitation for user not found")
|
||||
}
|
||||
},
|
||||
None => {
|
||||
err!("Invited user not found")
|
||||
},
|
||||
}
|
||||
|
||||
Ok(())
|
||||
|
|
37
src/auth.rs
37
src/auth.rs
|
@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
|
|||
}
|
||||
}
|
||||
|
||||
pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
|
||||
let validation = jsonwebtoken::Validation {
|
||||
leeway: 30, // 30 seconds
|
||||
validate_exp: true,
|
||||
validate_iat: false, // IssuedAt is the same as NotBefore
|
||||
validate_nbf: true,
|
||||
aud: None,
|
||||
iss: Some(JWT_ISSUER.clone()),
|
||||
sub: None,
|
||||
algorithms: vec![JWT_ALGORITHM],
|
||||
};
|
||||
|
||||
match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
|
||||
Ok(decoded) => Ok(decoded.claims),
|
||||
Err(msg) => {
|
||||
error!("Error validating jwt - {:#?}", msg);
|
||||
Err(msg.to_string())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct JWTClaims {
|
||||
// Not before
|
||||
|
@ -87,6 +108,22 @@ pub struct JWTClaims {
|
|||
pub amr: Vec<String>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct InviteJWTClaims {
|
||||
// Not before
|
||||
pub nbf: i64,
|
||||
// Expiration time
|
||||
pub exp: i64,
|
||||
// Issuer
|
||||
pub iss: String,
|
||||
// Subject
|
||||
pub sub: String,
|
||||
|
||||
pub email: String,
|
||||
pub org_id: String,
|
||||
pub user_org_id: Option<String>,
|
||||
}
|
||||
|
||||
///
|
||||
/// Bearer token authentication
|
||||
///
|
||||
|
|
29
src/mail.rs
29
src/mail.rs
|
@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
|
|||
use lettre_email::EmailBuilder;
|
||||
|
||||
use crate::MailConfig;
|
||||
use crate::CONFIG;
|
||||
|
||||
fn mailer(config: &MailConfig) -> SmtpTransport {
|
||||
let client_security = if config.smtp_ssl {
|
||||
|
@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
|
|||
.map_err(|e| e.to_string())
|
||||
.and(Ok(()))
|
||||
}
|
||||
|
||||
pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
|
||||
let (subject, body) = {
|
||||
(format!("Join {}", &org_name),
|
||||
format!(
|
||||
"<html>
|
||||
<p>You have been invited to join the <b>{}</b> organization.<br><br>
|
||||
<a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
|
||||
<p>If you do not wish to join this organization, you can safely ignore this email.</p>
|
||||
</html>",
|
||||
org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
|
||||
))
|
||||
};
|
||||
|
||||
let email = EmailBuilder::new()
|
||||
.to(address)
|
||||
.from((config.smtp_from.clone(), "Bitwarden-rs"))
|
||||
.subject(subject)
|
||||
.header(("Content-Type", "text/html"))
|
||||
.body(body)
|
||||
.build()
|
||||
.map_err(|e| e.to_string())?;
|
||||
|
||||
mailer(config)
|
||||
.send(email.into())
|
||||
.map_err(|e| e.to_string())
|
||||
.and(Ok(()))
|
||||
}
|
Loading…
Reference in a new issue