Merge pull request #295 from njfox/invite_emails

Add Email Invite Functionality
This commit is contained in:
Daniel García 2018-12-21 16:04:19 +01:00 committed by GitHub
commit 2b24b17609
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 172 additions and 11 deletions

View File

@ -4,7 +4,7 @@ use crate::db::models::*;
use crate::db::DbConn;
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
use crate::auth::Headers;
use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
use crate::mail;
use crate::CONFIG;
@ -44,6 +44,8 @@ struct RegisterData {
MasterPasswordHash: String,
MasterPasswordHint: Option<String>,
Name: Option<String>,
Token: Option<String>,
OrganizationUserId: Option<String>,
}
#[derive(Deserialize, Debug)]
@ -59,14 +61,33 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => {
if Invitation::take(&data.Email, &conn) {
if Invitation::find_by_mail(&data.Email, &conn).is_some() {
if CONFIG.mail.is_none() {
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
user_org.status = UserOrgStatus::Accepted as i32;
if user_org.save(&conn).is_err() {
err!("Failed to accept user to organization")
}
}
if !Invitation::take(&data.Email, &conn) {
err!("Error accepting invitation")
}
user
} else {
let token = match &data.Token {
Some(token) => token,
None => err!("No valid invite token")
};
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
Ok(claims) => claims,
Err(msg) => err!("Invalid claim: {:#?}", msg),
};
if &claims.email == &data.Email {
user
} else {
err!("Registration email does not match invite email")
}
}
} else if CONFIG.signups_allowed {
err!("Account with this email already exists")
} else {
@ -74,7 +95,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
}
}
None => {
if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
User::new(data.Email)
} else {
err!("Registration not allowed")

View File

@ -8,7 +8,7 @@ use crate::db::DbConn;
use crate::db::models::*;
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
use serde::{Deserialize, Deserializer};
@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
get_org_users,
send_invite,
confirm_invite,
accept_invite,
get_user,
edit_user,
put_organization_user,
@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
}
for email in data.Emails.iter() {
let mut user_org_status = UserOrgStatus::Accepted as i32;
let mut user_org_status = match CONFIG.mail {
Some(_) => UserOrgStatus::Invited as i32,
None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
};
let user = match User::find_by_mail(&email, &conn) {
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
let mut invitation = Invitation::new(email.clone());
@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
};
// Don't create UserOrganization in virtual organization
let mut org_user_id = None;
if org_id != Organization::VIRTUAL_ID {
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
let access_all = data.AccessAll.unwrap_or(false);
@ -476,7 +481,76 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
if new_user.save(&conn).is_err() {
err!("Failed to add user to organization")
}
org_user_id = Some(new_user.uuid.clone());
}
if CONFIG.mail.is_some() {
use crate::mail;
use chrono::{Duration, Utc};
let time_now = Utc::now().naive_utc();
let claims = InviteJWTClaims {
nbf: time_now.timestamp(),
exp: (time_now + Duration::days(5)).timestamp(),
iss: JWT_ISSUER.to_string(),
sub: user.uuid.to_string(),
email: email.clone(),
org_id: org_id.clone(),
user_org_id: org_user_id.clone(),
};
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
Some(org) => org.name,
None => err!("Error looking up organization")
};
let invite_token = encode_jwt(&claims);
if let Some(ref mail_config) = CONFIG.mail {
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
&invite_token, &org_name, mail_config) {
err!(format!("There has been a problem sending the email: {}", e))
}
}
}
}
Ok(())
}
#[derive(Deserialize)]
#[allow(non_snake_case)]
struct AcceptData {
Token: String,
}
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
let data: AcceptData = data.into_inner().data;
let token = &data.Token;
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
Ok(claims) => claims,
Err(msg) => err!("Invalid claim: {:#?}", msg),
};
match User::find_by_mail(&claims.email, &conn) {
Some(_) => {
if Invitation::take(&claims.email, &conn) {
if claims.user_org_id.is_some() {
// If this isn't the virtual_org, mark userorg as accepted
let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
Some(user_org) => user_org,
None => err!("Error accepting the invitation")
};
user_org.status = UserOrgStatus::Accepted as i32;
if user_org.save(&conn).is_err() {
err!("Failed to accept user to organization")
}
}
} else {
err!("Invitation for user not found")
}
},
None => {
err!("Invited user not found")
},
}
Ok(())

View File

@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
}
}
pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
let validation = jsonwebtoken::Validation {
leeway: 30, // 30 seconds
validate_exp: true,
validate_iat: false, // IssuedAt is the same as NotBefore
validate_nbf: true,
aud: None,
iss: Some(JWT_ISSUER.clone()),
sub: None,
algorithms: vec![JWT_ALGORITHM],
};
match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
Ok(decoded) => Ok(decoded.claims),
Err(msg) => {
error!("Error validating jwt - {:#?}", msg);
Err(msg.to_string())
}
}
}
#[derive(Debug, Serialize, Deserialize)]
pub struct JWTClaims {
// Not before
@ -87,6 +108,22 @@ pub struct JWTClaims {
pub amr: Vec<String>,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct InviteJWTClaims {
// Not before
pub nbf: i64,
// Expiration time
pub exp: i64,
// Issuer
pub iss: String,
// Subject
pub sub: String,
pub email: String,
pub org_id: String,
pub user_org_id: Option<String>,
}
///
/// Bearer token authentication
///

View File

@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
use lettre_email::EmailBuilder;
use crate::MailConfig;
use crate::CONFIG;
fn mailer(config: &MailConfig) -> SmtpTransport {
let client_security = if config.smtp_ssl {
@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
.map_err(|e| e.to_string())
.and(Ok(()))
}
pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
let (subject, body) = {
(format!("Join {}", &org_name),
format!(
"<html>
<p>You have been invited to join the <b>{}</b> organization.<br><br>
<a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
<p>If you do not wish to join this organization, you can safely ignore this email.</p>
</html>",
org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
))
};
let email = EmailBuilder::new()
.to(address)
.from((config.smtp_from.clone(), "Bitwarden-rs"))
.subject(subject)
.header(("Content-Type", "text/html"))
.body(body)
.build()
.map_err(|e| e.to_string())?;
mailer(config)
.send(email.into())
.map_err(|e| e.to_string())
.and(Ok(()))
}