From 680f5e83d802e69b5ee890fd9be42d745a0cd43c Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Fri, 14 Dec 2018 21:52:16 -0500
Subject: [PATCH 01/10] Add Invite JWT struct and supporting functions

---
 src/auth.rs | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/auth.rs b/src/auth.rs
index 6f35143..57c13e8 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
     }
 }
 
+pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
+    let validation = jsonwebtoken::Validation {
+        leeway: 30, // 30 seconds
+        validate_exp: true,
+        validate_iat: false, // IssuedAt is the same as NotBefore
+        validate_nbf: true,
+        aud: None,
+        iss: Some(JWT_ISSUER.clone()),
+        sub: None,
+        algorithms: vec![JWT_ALGORITHM],
+    };
+
+    match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
+        Ok(decoded) => Ok(decoded.claims),
+        Err(msg) => {
+            error!("Error validating jwt - {:#?}", msg);
+            Err(msg.to_string())
+        }
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct JWTClaims {
     // Not before
@@ -87,6 +108,20 @@ pub struct JWTClaims {
     pub amr: Vec<String>,
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+pub struct InviteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+
+    pub email: String,
+}
+
 ///
 /// Bearer token authentication
 ///

From e2907f4250b41ffcb00135ecc6b96e3c58d21ff4 Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Fri, 14 Dec 2018 21:54:03 -0500
Subject: [PATCH 02/10] Add invite email functionality

---
 src/mail.rs | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/mail.rs b/src/mail.rs
index 8a64c24..2c62006 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
 use lettre_email::EmailBuilder;
 
 use crate::MailConfig;
+use crate::CONFIG;
 
 fn mailer(config: &MailConfig) -> SmtpTransport {
     let client_security = if config.smtp_ssl {
@@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
         .map_err(|e| e.to_string())
         .and(Ok(()))
 }
+
+pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
+    let (subject, body) =  {
+        (format!("Join {}", &org_name),
+        format!(
+            "<html>
+             <p>You have been invited to join the <b>{}</b> organization.<br><br>
+             <a href=\"https://{}/api/organizations/{}/users/{}/accept?token={}\">Click here to join</a></p>
+             <p>If you do not wish to join this organization, you can safely ignore this email.</p>
+             </html>",
+            org_name, CONFIG.domain, org_id, org_user_id, token
+        ))
+    };
+
+    let email = EmailBuilder::new()
+        .to(address)
+        .from((config.smtp_from.clone(), "Bitwarden-rs"))
+        .subject(subject)
+        .header(("Content-Type", "text/html"))
+        .body(body)
+        .build()
+        .map_err(|e| e.to_string())?;
+
+    mailer(config)
+        .send(email.into())
+        .map_err(|e| e.to_string())
+        .and(Ok(()))
+}
\ No newline at end of file

From d428120ec645ad5089833b405c2ee73d094e0e37 Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Fri, 14 Dec 2018 21:54:44 -0500
Subject: [PATCH 03/10] Add email_invitations config option

---
 src/main.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main.rs b/src/main.rs
index 963f82f..001f828 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -271,6 +271,7 @@ pub struct Config {
     local_icon_extractor: bool,
     signups_allowed: bool,
     invitations_allowed: bool,
+    email_invitations: bool,
     server_admin_email: Option<String>,
     password_iterations: i32,
     show_password_hint: bool,
@@ -321,6 +322,7 @@ impl Config {
             signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
             server_admin_email: get_env("SERVER_ADMIN_EMAIL"),
             invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
+            email_invitations: get_env_or("EMAIL_INVITATIONS", false),
             password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
             show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
 

From 4910b14d57b173c23a893fe778e1c24d2c617e16 Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Fri, 14 Dec 2018 21:56:00 -0500
Subject: [PATCH 04/10] Implement email invitations and registration workflow

---
 src/api/core/accounts.rs      | 25 +++++++++------
 src/api/core/organizations.rs | 58 ++++++++++++++++++++++++++++++++++-
 2 files changed, 72 insertions(+), 11 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index fbe0079..6b77d40 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -59,22 +59,27 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
 
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
-            if Invitation::take(&data.Email, &conn) {
-                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
-                    user_org.status = UserOrgStatus::Accepted as i32;
-                    if user_org.save(&conn).is_err() {
-                        err!("Failed to accept user to organization")
+            if !CONFIG.email_invitations {
+                if Invitation::take(&data.Email, &conn) {
+                    for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                        user_org.status = UserOrgStatus::Accepted as i32;
+                        if user_org.save(&conn).is_err() {
+                            err!("Failed to accept user to organization")
+                        }
                     }
+                    user
+                } else if CONFIG.signups_allowed {
+                    err!("Account with this email already exists")
+                } else {
+                    err!("Registration not allowed")
                 }
-                user
-            } else if CONFIG.signups_allowed {
-                err!("Account with this email already exists")
             } else {
-                err!("Registration not allowed")
+                // User clicked email invite link, so they are already "accepted" in UserOrgs
+                user
             }
         }
         None => {
-            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+            if CONFIG.signups_allowed || (!CONFIG.email_invitations && Invitation::take(&data.Email, &conn)) {
                 User::new(data.Email)
             } else {
                 err!("Registration not allowed")
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 0350b2e..7a3c002 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -8,7 +8,7 @@ use crate::db::DbConn;
 use crate::db::models::*;
 
 use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
-use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
+use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};
 
 use serde::{Deserialize, Deserializer};
 
@@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
         get_org_users,
         send_invite,
         confirm_invite,
+        accept_invite,
         get_user,
         edit_user,
         put_organization_user,
@@ -477,6 +478,61 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
                 err!("Failed to add user to organization")
             }
         }
+
+        if CONFIG.email_invitations {
+            use crate::mail;
+            use chrono::{Duration, Utc};
+            let time_now = Utc::now().naive_utc();
+            let claims = InviteJWTClaims {
+                nbf: time_now.timestamp(),
+                exp: (time_now + Duration::days(5)).timestamp(),
+                iss: JWT_ISSUER.to_string(),
+                sub: user.uuid.to_string(),
+                email: email.clone(),
+            };
+            let org_name = match Organization::find_by_uuid(&org_id, &conn) {
+                Some(org) => org.name,
+                None => err!("Error looking up organization")
+            };
+            let invite_token = encode_jwt(&claims);
+            let org_user_id = Organization::VIRTUAL_ID;
+
+            if let Some(ref mail_config) = CONFIG.mail {
+                if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id, &invite_token, &org_name, mail_config) {
+                    err!(format!("There has been a problem sending the email: {}", e))
+                }
+            }
+        }
+    }
+
+    Ok(())
+}
+
+// TODO: Figure out how to make this redirect to the registration page
+#[get("/organizations/<org_id>/users/<org_user_id>/accept?<token>")]
+fn accept_invite(org_id: String, org_user_id: String, token: String, conn: DbConn) -> EmptyResult {
+    let invite_claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+            Ok(claims) => claims,
+            Err(msg) => err!("Invalid claim: {:#?}", msg),
+    };
+
+    match User::find_by_mail(&invite_claims.email, &conn) {
+        Some(user) => {
+            if Invitation::take(&invite_claims.email, &conn) {
+                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                    user_org.status = UserOrgStatus::Accepted as i32;
+                    if user_org.save(&conn).is_err() {
+                        err!("Failed to accept user to organization")
+                    }
+                }
+                //rocket::response::Redirect::to(format!("/#/register?email={}", invite_claims.email))
+            } else {
+                err!("Invitation for user not found")
+            }
+        },
+        None => {
+            err!("Invited user not found")
+        },
     }
 
     Ok(())

From e245e965baaef161c7407f5eead1115641d27a4f Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Sat, 15 Dec 2018 22:45:39 -0500
Subject: [PATCH 05/10] Fix broken rebase

---
 BUILD.md          | 3 +++
 Dockerfile.alpine | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/BUILD.md b/BUILD.md
index 89bac2d..1e35113 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -21,6 +21,8 @@ A compiled version of the web vault can be downloaded from [dani-garcia/bw_web_b
 
 If you prefer to compile it manually, follow these steps:
 
+*Note: building the Vault needs ~1.5GB of RAM. On systems like a RaspberryPI with 1GB or less, please [enable swapping](https://www.tecmint.com/create-a-linux-swap-file/) or build it on a more powerful machine and copy the directory from there. This much memory is only needed for building it, running bitwarden_rs with vault needs only about 10MB of RAM.*
+
 - Clone the git repository at [bitwarden/web](https://github.com/bitwarden/web) and checkout the latest release tag (e.g. v2.1.1):
 ```sh
 # clone the repository
@@ -37,6 +39,7 @@ git apply /path/to/bitwarden_rs/docker/set-vault-baseurl.patch
 ```
 
 - Then, build the Vault:
+
 ```sh
 npm run sub:init
 npm install
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index ddc8549..ff098a1 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -20,7 +20,7 @@ RUN ls
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2018-11-30 as build
+FROM clux/muslrust:nightly-2018-12-01 as build
 
 ENV USER "root"
 
@@ -30,6 +30,8 @@ WORKDIR /app
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
+RUN rustup target add x86_64-unknown-linux-musl
+
 # Build
 RUN cargo build --release
 

From 042c1072d9f35003348815288693324028646a5d Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Mon, 17 Dec 2018 17:02:15 -0500
Subject: [PATCH 06/10] Remove CONFIG.email_invitation option

---
 src/api/core/organizations.rs | 2 +-
 src/main.rs                   | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 7a3c002..2c1c601 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -479,7 +479,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
             }
         }
 
-        if CONFIG.email_invitations {
+        if CONFIG.mail.is_some() {
             use crate::mail;
             use chrono::{Duration, Utc};
             let time_now = Utc::now().naive_utc();
diff --git a/src/main.rs b/src/main.rs
index 001f828..963f82f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -271,7 +271,6 @@ pub struct Config {
     local_icon_extractor: bool,
     signups_allowed: bool,
     invitations_allowed: bool,
-    email_invitations: bool,
     server_admin_email: Option<String>,
     password_iterations: i32,
     show_password_hint: bool,
@@ -322,7 +321,6 @@ impl Config {
             signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
             server_admin_email: get_env("SERVER_ADMIN_EMAIL"),
             invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
-            email_invitations: get_env_or("EMAIL_INVITATIONS", false),
             password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
             show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
 

From 9479108fb7861b2abf67be9c7825c6b7f3e4fa3d Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Mon, 17 Dec 2018 17:10:09 -0500
Subject: [PATCH 07/10] Remove CONFIG.email_invitations

---
 src/api/core/accounts.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 6b77d40..9f47bd1 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -59,7 +59,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
 
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
-            if !CONFIG.email_invitations {
+            if CONFIG.mail.is_none() {
                 if Invitation::take(&data.Email, &conn) {
                     for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
                         user_org.status = UserOrgStatus::Accepted as i32;
@@ -79,7 +79,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
             }
         }
         None => {
-            if CONFIG.signups_allowed || (!CONFIG.email_invitations && Invitation::take(&data.Email, &conn)) {
+            if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
                 User::new(data.Email)
             } else {
                 err!("Registration not allowed")

From 26bf7bc12f9d6eda0426a545d52a7236a39cf5a7 Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Tue, 18 Dec 2018 23:16:03 -0500
Subject: [PATCH 08/10] Use upstream jslib invite/registration workflow

---
 src/api/core/accounts.rs      |  1 -
 src/api/core/organizations.rs | 43 ++++++++++++++++++++++++-----------
 src/auth.rs                   |  2 ++
 src/mail.rs                   |  4 ++--
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 9f47bd1..9aea3ef 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -74,7 +74,6 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
                     err!("Registration not allowed")
                 }
             } else {
-                // User clicked email invite link, so they are already "accepted" in UserOrgs
                 user
             }
         }
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 2c1c601..7110e56 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -424,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
     }
 
     for email in data.Emails.iter() {
-        let mut user_org_status = UserOrgStatus::Accepted as i32;
+        let mut user_org_status = match CONFIG.mail {
+            Some(_) => UserOrgStatus::Invited as i32,
+            None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
+        };
         let user = match User::find_by_mail(&email, &conn) {
             None => if CONFIG.invitations_allowed { // Invite user if that's enabled
                 let mut invitation = Invitation::new(email.clone());
@@ -453,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
         };
 
         // Don't create UserOrganization in virtual organization
+        let mut org_user_id = None;
         if org_id != Organization::VIRTUAL_ID {
             let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
             let access_all = data.AccessAll.unwrap_or(false);
@@ -477,6 +481,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
             if new_user.save(&conn).is_err() {
                 err!("Failed to add user to organization")
             }
+            org_user_id = Some(new_user.uuid.clone());
         }
 
         if CONFIG.mail.is_some() {
@@ -489,16 +494,17 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
                 iss: JWT_ISSUER.to_string(),
                 sub: user.uuid.to_string(),
                 email: email.clone(),
+                org_id: org_id.clone(),
+                user_org_id: org_user_id.clone(),
             };
             let org_name = match Organization::find_by_uuid(&org_id, &conn) {
                 Some(org) => org.name,
                 None => err!("Error looking up organization")
             };
             let invite_token = encode_jwt(&claims);
-            let org_user_id = Organization::VIRTUAL_ID;
-
             if let Some(ref mail_config) = CONFIG.mail {
-                if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id, &invite_token, &org_name, mail_config) {
+                if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()), 
+                                                  &invite_token, &org_name, mail_config) {
                     err!(format!("There has been a problem sending the email: {}", e))
                 }
             }
@@ -508,24 +514,35 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
     Ok(())
 }
 
-// TODO: Figure out how to make this redirect to the registration page
-#[get("/organizations/<org_id>/users/<org_user_id>/accept?<token>")]
-fn accept_invite(org_id: String, org_user_id: String, token: String, conn: DbConn) -> EmptyResult {
-    let invite_claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct AcceptData {
+    Token: String,
+}
+
+#[post("/organizations/<org_id>/users/<org_user_id>/accept", data = "<data>")]
+fn accept_invite(org_id: String, org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
+    let data: AcceptData = data.into_inner().data;
+    let token = &data.Token;
+    let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
             Ok(claims) => claims,
             Err(msg) => err!("Invalid claim: {:#?}", msg),
     };
 
-    match User::find_by_mail(&invite_claims.email, &conn) {
-        Some(user) => {
-            if Invitation::take(&invite_claims.email, &conn) {
-                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+    match User::find_by_mail(&claims.email, &conn) {
+        Some(_) => {
+            if Invitation::take(&claims.email, &conn) {
+                if claims.user_org_id.is_some() {
+                    // If this isn't the virtual_org, mark userorg as accepted
+                    let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
+                        Some(user_org) => user_org,
+                        None => err!("Error accepting the invitation") 
+                    };
                     user_org.status = UserOrgStatus::Accepted as i32;
                     if user_org.save(&conn).is_err() {
                         err!("Failed to accept user to organization")
                     }
                 }
-                //rocket::response::Redirect::to(format!("/#/register?email={}", invite_claims.email))
             } else {
                 err!("Invitation for user not found")
             }
diff --git a/src/auth.rs b/src/auth.rs
index 57c13e8..0e851aa 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -120,6 +120,8 @@ pub struct InviteJWTClaims {
     pub sub: String,
 
     pub email: String,
+    pub org_id: String,
+    pub user_org_id: Option<String>,
 }
 
 ///
diff --git a/src/mail.rs b/src/mail.rs
index 2c62006..485e5c1 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -68,10 +68,10 @@ pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str,
         format!(
             "<html>
              <p>You have been invited to join the <b>{}</b> organization.<br><br>
-             <a href=\"https://{}/api/organizations/{}/users/{}/accept?token={}\">Click here to join</a></p>
+             <a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
              <p>If you do not wish to join this organization, you can safely ignore this email.</p>
              </html>",
-            org_name, CONFIG.domain, org_id, org_user_id, token
+            org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
         ))
     };
 

From 99256b9b3a53831367c0616ce834aeb65f53cbd2 Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Thu, 20 Dec 2018 21:37:03 -0500
Subject: [PATCH 09/10] Prefix unused params with underscore

---
 src/api/core/organizations.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 7110e56..59bfced 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -520,8 +520,9 @@ struct AcceptData {
     Token: String,
 }
 
-#[post("/organizations/<org_id>/users/<org_user_id>/accept", data = "<data>")]
-fn accept_invite(org_id: String, org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
+#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
+fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
+// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
     let data: AcceptData = data.into_inner().data;
     let token = &data.Token;
     let claims: InviteJWTClaims = match decode_invite_jwt(&token) {

From 2cd736ab817e2d1c717ec876978cd2623e62665a Mon Sep 17 00:00:00 2001
From: Nick Fox <nick@foxsec.net>
Date: Thu, 20 Dec 2018 22:16:41 -0500
Subject: [PATCH 10/10] Validate JWT if a user registers with SMTP invites
 enabled

---
 src/api/core/accounts.rs | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 9aea3ef..a8132a7 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -4,7 +4,7 @@ use crate::db::models::*;
 use crate::db::DbConn;
 
 use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
-use crate::auth::Headers;
+use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
 use crate::mail;
 
 use crate::CONFIG;
@@ -44,6 +44,8 @@ struct RegisterData {
     MasterPasswordHash: String,
     MasterPasswordHint: Option<String>,
     Name: Option<String>,
+    Token: Option<String>,
+    OrganizationUserId: Option<String>,
 }
 
 #[derive(Deserialize, Debug)]
@@ -59,22 +61,37 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
 
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
-            if CONFIG.mail.is_none() {
-                if Invitation::take(&data.Email, &conn) {
+            if Invitation::find_by_mail(&data.Email, &conn).is_some() {
+                if CONFIG.mail.is_none() {
                     for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
                         user_org.status = UserOrgStatus::Accepted as i32;
                         if user_org.save(&conn).is_err() {
                             err!("Failed to accept user to organization")
                         }
                     }
+                    if !Invitation::take(&data.Email, &conn) {
+                        err!("Error accepting invitation")
+                    }
                     user
-                } else if CONFIG.signups_allowed {
-                    err!("Account with this email already exists")
                 } else {
-                    err!("Registration not allowed")
+                    let token = match &data.Token {
+                        Some(token) => token,
+                        None => err!("No valid invite token")
+                    };
+                    let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+                        Ok(claims) => claims,
+                        Err(msg) => err!("Invalid claim: {:#?}", msg),
+                    };
+                    if &claims.email == &data.Email {
+                        user
+                    } else {
+                        err!("Registration email does not match invite email")
+                    }
                 }
+            } else if CONFIG.signups_allowed {
+                    err!("Account with this email already exists")
             } else {
-                user
+                err!("Registration not allowed")
             }
         }
         None => {