From b0ac640d8b7150ba98ef20acd9fa695764440088 Mon Sep 17 00:00:00 2001
From: Nick Fox
Date: Sun, 23 Dec 2018 15:15:44 -0500
Subject: [PATCH 1/3] Use JWT to validate existing user invites
---
 src/api/core/organizations.rs | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 59bfcedb..c2683830 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -532,20 +532,17 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase {
- if Invitation::take(&claims.email, &conn) {
- if claims.user_org_id.is_some() {
- // If this isn't the virtual_org, mark userorg as accepted
- let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
- Some(user_org) => user_org,
- None => err!("Error accepting the invitation")
- };
- user_org.status = UserOrgStatus::Accepted as i32;
- if user_org.save(&conn).is_err() {
- err!("Failed to accept user to organization")
- }
+ Invitation::take(&claims.email, &conn);
+ if claims.user_org_id.is_some() {
+ // If this isn't the virtual_org, mark userorg as accepted
+ let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
+ Some(user_org) => user_org,
+ None => err!("Error accepting the invitation")
+ };
+ user_org.status = UserOrgStatus::Accepted as i32;
+ if user_org.save(&conn).is_err() {
+ err!("Failed to accept user to organization")
 }
- } else {
- err!("Invitation for user not found")
 }
 },
 None => {
From cb78ba9bb2c8c97643e85085790fa89e9be89eab Mon Sep 17 00:00:00 2001
From: Nick Fox
Date: Sun, 23 Dec 2018 15:21:19 -0500
Subject: [PATCH 2/3] Document domain/email invitation requirements
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/README.md b/README.md
index f374bd78..43645686 100644
--- a/README.md
+++ b/README.md
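Review bot: The `bool` returned by `Invitation::take(&claims.email, &conn)` is now discarded, so acceptance no longer depends on an `Invitation` row still existing; with the JWT as the only proof, an invitation that an admin deleted or re-issued before the user clicked the link appears to stay acceptable until the token expires (the README change later in this series states five days), and on the path where `claims.user_org_id` is `None` no database check remains at all. If that is the intended trust model, state it at the call site, e.g. `// The JWT claims are the proof of invitation; the Invitation row is only cleaned up here, so a missing row is not an error.`; if revocation must still be honoured, keep the result and reject when it is `false`. The rewritten block still reads `claims.user_org_id.unwrap()` behind an `is_some()` test; `if let Some(user_org_id) = &claims.user_org_id { … }` expresses the same thing without the unwrap. `accept_invite` begins and ends outside this hunk, and its leading context lines seem to have been lost in extraction.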
@@ -385,6 +385,15 @@ docker run -d --name bitwarden \
 When `SMTP_SSL` is set to `true`(this is the default), only TLSv1.1 and TLSv1.2 protocols will be accepted and `SMTP_PORT` will default to `587`. If set to `false`, `SMTP_PORT` will default to `25` and the connection won't be encrypted. This can be very insecure, use this setting only if you know what you're doing.
+Note that if SMTP and invitations are enabled, invitations will be sent to new users via email. You must set the `DOMAIN` configuration option with the base URL of your bitwarden_rs instance for the invite link to be generated correctly:
+
+```sh
+docker run -d --name bitwarden \
+...
+-e DOMAIN=https://vault.example.com
+...
+```
+
 ### Password hint display
 Usually, password hints are sent by email. But as bitwarden_rs is made with small or personal deployment in mind, hints are also available from the password hint page, so you don't have to configure an email service. If you want to disable this feature, you can use the `SHOW_PASSWORD_HINT` variable:
From e3395ee91078a8568bf0b09fb159115ca19211e1 Mon Sep 17 00:00:00 2001
From: Nick Fox
Date: Sun, 23 Dec 2018 15:25:05 -0500
Subject: [PATCH 3/3] Mention that invite links are valid for 5 days only
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 43645686..24e7cc52 100644
--- a/README.md
+++ b/README.md
@@ -394,6 +394,8 @@ docker run -d --name bitwarden \
 ...
 ```
+User invitation links are valid for 5 days, after which a new invitation will need to be sent.
+
 ### Password hint display
 Usually, password hints are sent by email. But as bitwarden_rs is made with small or personal deployment in mind, hints are also available from the password hint page, so you don't have to configure an email service. If you want to disable this feature, you can use the `SHOW_PASSWORD_HINT` variable: