Merge pull request #295 from njfox/invite_emails
Add Email Invite Functionality
This commit is contained in:
commit
2b24b17609
|
@ -4,7 +4,7 @@ use crate::db::models::*;
|
||||||
use crate::db::DbConn;
|
use crate::db::DbConn;
|
||||||
|
|
||||||
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
|
use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
|
||||||
use crate::auth::Headers;
|
use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
|
||||||
use crate::mail;
|
use crate::mail;
|
||||||
|
|
||||||
use crate::CONFIG;
|
use crate::CONFIG;
|
||||||
|
@ -44,6 +44,8 @@ struct RegisterData {
|
||||||
MasterPasswordHash: String,
|
MasterPasswordHash: String,
|
||||||
MasterPasswordHint: Option<String>,
|
MasterPasswordHint: Option<String>,
|
||||||
Name: Option<String>,
|
Name: Option<String>,
|
||||||
|
Token: Option<String>,
|
||||||
|
OrganizationUserId: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Deserialize, Debug)]
|
#[derive(Deserialize, Debug)]
|
||||||
|
@ -59,14 +61,33 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
|
||||||
|
|
||||||
let mut user = match User::find_by_mail(&data.Email, &conn) {
|
let mut user = match User::find_by_mail(&data.Email, &conn) {
|
||||||
Some(user) => {
|
Some(user) => {
|
||||||
if Invitation::take(&data.Email, &conn) {
|
if Invitation::find_by_mail(&data.Email, &conn).is_some() {
|
||||||
|
if CONFIG.mail.is_none() {
|
||||||
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
|
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
|
||||||
user_org.status = UserOrgStatus::Accepted as i32;
|
user_org.status = UserOrgStatus::Accepted as i32;
|
||||||
if user_org.save(&conn).is_err() {
|
if user_org.save(&conn).is_err() {
|
||||||
err!("Failed to accept user to organization")
|
err!("Failed to accept user to organization")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if !Invitation::take(&data.Email, &conn) {
|
||||||
|
err!("Error accepting invitation")
|
||||||
|
}
|
||||||
user
|
user
|
||||||
|
} else {
|
||||||
|
let token = match &data.Token {
|
||||||
|
Some(token) => token,
|
||||||
|
None => err!("No valid invite token")
|
||||||
|
};
|
||||||
|
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
|
||||||
|
Ok(claims) => claims,
|
||||||
|
Err(msg) => err!("Invalid claim: {:#?}", msg),
|
||||||
|
};
|
||||||
|
if &claims.email == &data.Email {
|
||||||
|
user
|
||||||
|
} else {
|
||||||
|
err!("Registration email does not match invite email")
|
||||||
|
}
|
||||||
|
}
|
||||||
} else if CONFIG.signups_allowed {
|
} else if CONFIG.signups_allowed {
|
||||||
err!("Account with this email already exists")
|
err!("Account with this email already exists")
|
||||||
} else {
|
} else {
|
||||||
|
@ -74,7 +95,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
None => {
|
None => {
|
||||||
if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
|
if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
|
||||||
User::new(data.Email)
|
User::new(data.Email)
|
||||||
} else {
|
} else {
|
||||||
err!("Registration not allowed")
|
err!("Registration not allowed")
|
||||||
|
|
|
@ -8,7 +8,7 @@ use crate::db::DbConn;
|
||||||
use crate::db::models::*;
|
use crate::db::models::*;
|
||||||
|
|
||||||
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
|
use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
|
||||||
use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
|
use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
|
||||||
|
|
||||||
use serde::{Deserialize, Deserializer};
|
use serde::{Deserialize, Deserializer};
|
||||||
|
|
||||||
|
@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
|
||||||
get_org_users,
|
get_org_users,
|
||||||
send_invite,
|
send_invite,
|
||||||
confirm_invite,
|
confirm_invite,
|
||||||
|
accept_invite,
|
||||||
get_user,
|
get_user,
|
||||||
edit_user,
|
edit_user,
|
||||||
put_organization_user,
|
put_organization_user,
|
||||||
|
@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
||||||
}
|
}
|
||||||
|
|
||||||
for email in data.Emails.iter() {
|
for email in data.Emails.iter() {
|
||||||
let mut user_org_status = UserOrgStatus::Accepted as i32;
|
let mut user_org_status = match CONFIG.mail {
|
||||||
|
Some(_) => UserOrgStatus::Invited as i32,
|
||||||
|
None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
|
||||||
|
};
|
||||||
let user = match User::find_by_mail(&email, &conn) {
|
let user = match User::find_by_mail(&email, &conn) {
|
||||||
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
|
None => if CONFIG.invitations_allowed { // Invite user if that's enabled
|
||||||
let mut invitation = Invitation::new(email.clone());
|
let mut invitation = Invitation::new(email.clone());
|
||||||
|
@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
||||||
};
|
};
|
||||||
|
|
||||||
// Don't create UserOrganization in virtual organization
|
// Don't create UserOrganization in virtual organization
|
||||||
|
let mut org_user_id = None;
|
||||||
if org_id != Organization::VIRTUAL_ID {
|
if org_id != Organization::VIRTUAL_ID {
|
||||||
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
|
let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
|
||||||
let access_all = data.AccessAll.unwrap_or(false);
|
let access_all = data.AccessAll.unwrap_or(false);
|
||||||
|
@ -476,7 +481,76 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
|
||||||
if new_user.save(&conn).is_err() {
|
if new_user.save(&conn).is_err() {
|
||||||
err!("Failed to add user to organization")
|
err!("Failed to add user to organization")
|
||||||
}
|
}
|
||||||
|
org_user_id = Some(new_user.uuid.clone());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if CONFIG.mail.is_some() {
|
||||||
|
use crate::mail;
|
||||||
|
use chrono::{Duration, Utc};
|
||||||
|
let time_now = Utc::now().naive_utc();
|
||||||
|
let claims = InviteJWTClaims {
|
||||||
|
nbf: time_now.timestamp(),
|
||||||
|
exp: (time_now + Duration::days(5)).timestamp(),
|
||||||
|
iss: JWT_ISSUER.to_string(),
|
||||||
|
sub: user.uuid.to_string(),
|
||||||
|
email: email.clone(),
|
||||||
|
org_id: org_id.clone(),
|
||||||
|
user_org_id: org_user_id.clone(),
|
||||||
|
};
|
||||||
|
let org_name = match Organization::find_by_uuid(&org_id, &conn) {
|
||||||
|
Some(org) => org.name,
|
||||||
|
None => err!("Error looking up organization")
|
||||||
|
};
|
||||||
|
let invite_token = encode_jwt(&claims);
|
||||||
|
if let Some(ref mail_config) = CONFIG.mail {
|
||||||
|
if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()),
|
||||||
|
&invite_token, &org_name, mail_config) {
|
||||||
|
err!(format!("There has been a problem sending the email: {}", e))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Deserialize)]
|
||||||
|
#[allow(non_snake_case)]
|
||||||
|
struct AcceptData {
|
||||||
|
Token: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
|
||||||
|
fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
|
||||||
|
// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
|
||||||
|
let data: AcceptData = data.into_inner().data;
|
||||||
|
let token = &data.Token;
|
||||||
|
let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
|
||||||
|
Ok(claims) => claims,
|
||||||
|
Err(msg) => err!("Invalid claim: {:#?}", msg),
|
||||||
|
};
|
||||||
|
|
||||||
|
match User::find_by_mail(&claims.email, &conn) {
|
||||||
|
Some(_) => {
|
||||||
|
if Invitation::take(&claims.email, &conn) {
|
||||||
|
if claims.user_org_id.is_some() {
|
||||||
|
// If this isn't the virtual_org, mark userorg as accepted
|
||||||
|
let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
|
||||||
|
Some(user_org) => user_org,
|
||||||
|
None => err!("Error accepting the invitation")
|
||||||
|
};
|
||||||
|
user_org.status = UserOrgStatus::Accepted as i32;
|
||||||
|
if user_org.save(&conn).is_err() {
|
||||||
|
err!("Failed to accept user to organization")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
err!("Invitation for user not found")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
None => {
|
||||||
|
err!("Invited user not found")
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
|
37
src/auth.rs
37
src/auth.rs
|
@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
|
||||||
|
let validation = jsonwebtoken::Validation {
|
||||||
|
leeway: 30, // 30 seconds
|
||||||
|
validate_exp: true,
|
||||||
|
validate_iat: false, // IssuedAt is the same as NotBefore
|
||||||
|
validate_nbf: true,
|
||||||
|
aud: None,
|
||||||
|
iss: Some(JWT_ISSUER.clone()),
|
||||||
|
sub: None,
|
||||||
|
algorithms: vec![JWT_ALGORITHM],
|
||||||
|
};
|
||||||
|
|
||||||
|
match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
|
||||||
|
Ok(decoded) => Ok(decoded.claims),
|
||||||
|
Err(msg) => {
|
||||||
|
error!("Error validating jwt - {:#?}", msg);
|
||||||
|
Err(msg.to_string())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Debug, Serialize, Deserialize)]
|
#[derive(Debug, Serialize, Deserialize)]
|
||||||
pub struct JWTClaims {
|
pub struct JWTClaims {
|
||||||
// Not before
|
// Not before
|
||||||
|
@ -87,6 +108,22 @@ pub struct JWTClaims {
|
||||||
pub amr: Vec<String>,
|
pub amr: Vec<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Debug, Serialize, Deserialize)]
|
||||||
|
pub struct InviteJWTClaims {
|
||||||
|
// Not before
|
||||||
|
pub nbf: i64,
|
||||||
|
// Expiration time
|
||||||
|
pub exp: i64,
|
||||||
|
// Issuer
|
||||||
|
pub iss: String,
|
||||||
|
// Subject
|
||||||
|
pub sub: String,
|
||||||
|
|
||||||
|
pub email: String,
|
||||||
|
pub org_id: String,
|
||||||
|
pub user_org_id: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
///
|
///
|
||||||
/// Bearer token authentication
|
/// Bearer token authentication
|
||||||
///
|
///
|
||||||
|
|
29
src/mail.rs
29
src/mail.rs
|
@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
|
||||||
use lettre_email::EmailBuilder;
|
use lettre_email::EmailBuilder;
|
||||||
|
|
||||||
use crate::MailConfig;
|
use crate::MailConfig;
|
||||||
|
use crate::CONFIG;
|
||||||
|
|
||||||
fn mailer(config: &MailConfig) -> SmtpTransport {
|
fn mailer(config: &MailConfig) -> SmtpTransport {
|
||||||
let client_security = if config.smtp_ssl {
|
let client_security = if config.smtp_ssl {
|
||||||
|
@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
|
||||||
.map_err(|e| e.to_string())
|
.map_err(|e| e.to_string())
|
||||||
.and(Ok(()))
|
.and(Ok(()))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
|
||||||
|
let (subject, body) = {
|
||||||
|
(format!("Join {}", &org_name),
|
||||||
|
format!(
|
||||||
|
"<html>
|
||||||
|
<p>You have been invited to join the <b>{}</b> organization.<br><br>
|
||||||
|
<a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
|
||||||
|
<p>If you do not wish to join this organization, you can safely ignore this email.</p>
|
||||||
|
</html>",
|
||||||
|
org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
|
||||||
|
))
|
||||||
|
};
|
||||||
|
|
||||||
|
let email = EmailBuilder::new()
|
||||||
|
.to(address)
|
||||||
|
.from((config.smtp_from.clone(), "Bitwarden-rs"))
|
||||||
|
.subject(subject)
|
||||||
|
.header(("Content-Type", "text/html"))
|
||||||
|
.body(body)
|
||||||
|
.build()
|
||||||
|
.map_err(|e| e.to_string())?;
|
||||||
|
|
||||||
|
mailer(config)
|
||||||
|
.send(email.into())
|
||||||
|
.map_err(|e| e.to_string())
|
||||||
|
.and(Ok(()))
|
||||||
|
}
|
Loading…
Reference in New Issue