diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index fbe00796..a8132a7f 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -4,7 +4,7 @@ use crate::db::models::*;
use crate::db::DbConn;
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
-use crate::auth::Headers;
+use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
use crate::mail;
use crate::CONFIG;
@@ -44,6 +44,8 @@ struct RegisterData {
MasterPasswordHash: String,
MasterPasswordHint: Option<String>,
Name: Option<String>,
+ Token: Option<String>,
+ OrganizationUserId: Option<String>,
}
#[derive(Deserialize, Debug)]
@@ -59,22 +61,41 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => {
- if Invitation::take(&data.Email, &conn) {
- for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
- user_org.status = UserOrgStatus::Accepted as i32;
- if user_org.save(&conn).is_err() {
- err!("Failed to accept user to organization")
+ if Invitation::find_by_mail(&data.Email, &conn).is_some() {
+ if CONFIG.mail.is_none() {
+ for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+ user_org.status = UserOrgStatus::Accepted as i32;
+ if user_org.save(&conn).is_err() {
+ err!("Failed to accept user to organization")
+ }
+ }
+ if !Invitation::take(&data.Email, &conn) {
+ err!("Error accepting invitation")
+ }
+ user
+ } else {
+ let token = match &data.Token {
+ Some(token) => token,
+ None => err!("No valid invite token")
+ };
+ let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+ Ok(claims) => claims,
+ Err(msg) => err!("Invalid claim: {:#?}", msg),
+ };
+ if &claims.email == &data.Email {
+ user
+ } else {
+ err!("Registration email does not match invite email")
}
}
- user
} else if CONFIG.signups_allowed {
- err!("Account with this email already exists")
+ err!("Account with this email already exists")
} else {
err!("Registration not allowed")
}
}
None => {
- if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+ if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
User::new(data.Email)
} else {
err!("Registration not allowed")
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 0350b2e1..59bfcedb 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -8,7 +8,7 @@ use crate::db::DbConn;
use crate::db::models::*;
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
-use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
+use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
use serde::{Deserialize, Deserializer};
@@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
get_org_users,
send_invite,
confirm_invite,
+ accept_invite,
get_user,
edit_user,
put_organization_user,
@@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
}
for email in data.Emails.iter() {
- let mut user_org_status = UserOrgStatus::Accepted as i32;
+ let mut user_org_status = match CONFIG.mail {
+ Some(_) => UserOrgStatus::Invited as i32,
+ None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
+ };
let user = match User::find_by_mail(&email, &conn) {
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
let mut invitation = Invitation::new(email.clone());
@@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
};
// Don't create UserOrganization in virtual organization
+ let mut org_user_id = None;
if org_id != Organization::VIRTUAL_ID {
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
let access_all = data.AccessAll.unwrap_or(false);
@@ -476,7 +481,76 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
if new_user.save(&conn).is_err() {
err!("Failed to add user to organization")
}
+ org_user_id = Some(new_user.uuid.clone());
}
+
+ if CONFIG.mail.is_some() {
+ use crate::mail;
+ use chrono::{Duration, Utc};
+ let time_now = Utc::now().naive_utc();
+ let claims = InviteJWTClaims {
+ nbf: time_now.timestamp(),
+ exp: (time_now + Duration::days(5)).timestamp(),
+ iss: JWT_ISSUER.to_string(),
+ sub: user.uuid.to_string(),
+ email: email.clone(),
+ org_id: org_id.clone(),
+ user_org_id: org_user_id.clone(),
+ };
+ let org_name = match Organization::find_by_uuid(&org_id, &conn) {
+ Some(org) => org.name,
+ None => err!("Error looking up organization")
+ };
+ let invite_token = encode_jwt(&claims);
+ if let Some(ref mail_config) = CONFIG.mail {
+ if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
+ &invite_token, &org_name, mail_config) {
+ err!(format!("There has been a problem sending the email: {}", e))
+ }
+ }
+ }
+ }
+
+ Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct AcceptData {
+ Token: String,
+}
+
+#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
+fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
+// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
+ let data: AcceptData = data.into_inner().data;
+ let token = &data.Token;
+ let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+ Ok(claims) => claims,
+ Err(msg) => err!("Invalid claim: {:#?}", msg),
+ };
+
+ match User::find_by_mail(&claims.email, &conn) {
+ Some(_) => {
+ if Invitation::take(&claims.email, &conn) {
+ if claims.user_org_id.is_some() {
+ // If this isn't the virtual_org, mark userorg as accepted
+ let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
+ Some(user_org) => user_org,
+ None => err!("Error accepting the invitation")
+ };
+ user_org.status = UserOrgStatus::Accepted as i32;
+ if user_org.save(&conn).is_err() {
+ err!("Failed to accept user to organization")
+ }
+ }
+ } else {
+ err!("Invitation for user not found")
+ }
+ },
+ None => {
+ err!("Invited user not found")
+ },
}
Ok(())
diff --git a/src/auth.rs b/src/auth.rs
index 6f351431..0e851aa6 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
}
}
+pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
+ let validation = jsonwebtoken::Validation {
+ leeway: 30, // 30 seconds
+ validate_exp: true,
+ validate_iat: false, // IssuedAt is the same as NotBefore
+ validate_nbf: true,
+ aud: None,
+ iss: Some(JWT_ISSUER.clone()),
+ sub: None,
+ algorithms: vec![JWT_ALGORITHM],
+ };
+
+ match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
+ Ok(decoded) => Ok(decoded.claims),
+ Err(msg) => {
+ error!("Error validating jwt - {:#?}", msg);
+ Err(msg.to_string())
+ }
+ }
+}
+
#[derive(Debug, Serialize, Deserialize)]
pub struct JWTClaims {
// Not before
@@ -87,6 +108,22 @@ pub struct JWTClaims {
pub amr: Vec<String>,
}
+#[derive(Debug, Serialize, Deserialize)]
+pub struct InviteJWTClaims {
+ // Not before
+ pub nbf: i64,
+ // Expiration time
+ pub exp: i64,
+ // Issuer
+ pub iss: String,
+ // Subject
+ pub sub: String,
+
+ pub email: String,
+ pub org_id: String,
+ pub user_org_id: Option<String>,
+}
+
///
/// Bearer token authentication
///
diff --git a/src/mail.rs b/src/mail.rs
index 8a64c24b..485e5c17 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
use lettre_email::EmailBuilder;
use crate::MailConfig;
+use crate::CONFIG;
fn mailer(config: &MailConfig) -> SmtpTransport {
let client_security = if config.smtp_ssl {
@@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
.map_err(|e| e.to_string())
.and(Ok(()))
}
+
+pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
+ let (subject, body) = {
+ (format!("Join {}", &org_name),
+ format!(
+ "<html>
+ <p>You have been invited to join the <b>{}</b> organization.<br><br>
+ <a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
+ <p>If you do not wish to join this organization, you can safely ignore this email.</p>
+ </html>",
+ org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
+ ))
+ };
+
+ let email = EmailBuilder::new()
+ .to(address)
+ .from((config.smtp_from.clone(), "Bitwarden-rs"))
+ .subject(subject)
+ .header(("Content-Type", "text/html"))
+ .body(body)
+ .build()
+ .map_err(|e| e.to_string())?;
+
+ mailer(config)
+ .send(email.into())
+ .map_err(|e| e.to_string())
+ .and(Ok(()))
+}
\ No newline at end of file