Merge pull request #295 from njfox/invite_emails

Add Email Invite Functionality
2024-11-10 15:26:39 +00:00 · 2018-12-21 16:04:19 +01:00 · 2018-12-21 16:04:19 +01:00 · 2b24b17609
commit 2b24b17609
parent b3ec8f2611 2cd736ab81
4 changed files with 172 additions and 11 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -4,7 +4,7 @@ use crate::db::models::*;
 use crate::db::DbConn;

 use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
-use crate::auth::Headers;
+use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims};
 use crate::mail;

 use crate::CONFIG;
@ -44,6 +44,8 @@ struct RegisterData {
    MasterPasswordHash: String,
    MasterPasswordHint: Option<String>,
    Name: Option<String>,
+    Token: Option<String>,
+    OrganizationUserId: Option<String>,
 }

 #[derive(Deserialize, Debug)]
@ -59,22 +61,41 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {

    let mut user = match User::find_by_mail(&data.Email, &conn) {
        Some(user) => {
-            if Invitation::take(&data.Email, &conn) {
-                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
-                    user_org.status = UserOrgStatus::Accepted as i32;
-                    if user_org.save(&conn).is_err() {
-                        err!("Failed to accept user to organization")
+            if Invitation::find_by_mail(&data.Email, &conn).is_some() {
+                if CONFIG.mail.is_none() {
+                    for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                        user_org.status = UserOrgStatus::Accepted as i32;
+                        if user_org.save(&conn).is_err() {
+                            err!("Failed to accept user to organization")
+                        }
+                    }
+                    if !Invitation::take(&data.Email, &conn) {
+                        err!("Error accepting invitation")
+                    }
+                    user
+                } else {
+                    let token = match &data.Token {
+                        Some(token) => token,
+                        None => err!("No valid invite token")
+                    };
+                    let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+                        Ok(claims) => claims,
+                        Err(msg) => err!("Invalid claim: {:#?}", msg),
+                    };
+                    if &claims.email == &data.Email {
+                        user
+                    } else {
+                        err!("Registration email does not match invite email")
                    }
                }
-                user
            } else if CONFIG.signups_allowed {
-                err!("Account with this email already exists")
+                    err!("Account with this email already exists")
            } else {
                err!("Registration not allowed")
            }
        }
        None => {
-            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+            if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) {
                User::new(data.Email)
            } else {
                err!("Registration not allowed")
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -8,7 +8,7 @@ use crate::db::DbConn;
 use crate::db::models::*;

 use crate::api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
-use crate::auth::{Headers, AdminHeaders, OwnerHeaders};
+use crate::auth::{Headers, AdminHeaders, OwnerHeaders, encode_jwt, decode_invite_jwt, InviteJWTClaims, JWT_ISSUER};

 use serde::{Deserialize, Deserializer};

@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
        get_org_users,
        send_invite,
        confirm_invite,
+        accept_invite,
        get_user,
        edit_user,
        put_organization_user,
@ -423,7 +424,10 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
    }

    for email in data.Emails.iter() {
-        let mut user_org_status = UserOrgStatus::Accepted as i32;
+        let mut user_org_status = match CONFIG.mail {
+            Some(_) => UserOrgStatus::Invited as i32,
+            None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
+        };
        let user = match User::find_by_mail(&email, &conn) {
            None => if CONFIG.invitations_allowed { // Invite user if that's enabled
                let mut invitation = Invitation::new(email.clone());
@ -452,6 +456,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
        };

        // Don't create UserOrganization in virtual organization
+        let mut org_user_id = None;
        if org_id != Organization::VIRTUAL_ID {
            let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
            let access_all = data.AccessAll.unwrap_or(false);
@ -476,7 +481,76 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
            if new_user.save(&conn).is_err() {
                err!("Failed to add user to organization")
            }
+            org_user_id = Some(new_user.uuid.clone());
        }
+
+        if CONFIG.mail.is_some() {
+            use crate::mail;
+            use chrono::{Duration, Utc};
+            let time_now = Utc::now().naive_utc();
+            let claims = InviteJWTClaims {
+                nbf: time_now.timestamp(),
+                exp: (time_now + Duration::days(5)).timestamp(),
+                iss: JWT_ISSUER.to_string(),
+                sub: user.uuid.to_string(),
+                email: email.clone(),
+                org_id: org_id.clone(),
+                user_org_id: org_user_id.clone(),
+            };
+            let org_name = match Organization::find_by_uuid(&org_id, &conn) {
+                Some(org) => org.name,
+                None => err!("Error looking up organization")
+            };
+            let invite_token = encode_jwt(&claims);
+            if let Some(ref mail_config) = CONFIG.mail {
+                if let Err(e) = mail::send_invite(&email, &org_id, &org_user_id.unwrap_or(Organization::VIRTUAL_ID.to_string()), 
+                                                  &invite_token, &org_name, mail_config) {
+                    err!(format!("There has been a problem sending the email: {}", e))
+                }
+            }
+        }
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct AcceptData {
+    Token: String,
+}
+
+#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
+fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptData>, conn: DbConn) -> EmptyResult {
+// The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
+    let data: AcceptData = data.into_inner().data;
+    let token = &data.Token;
+    let claims: InviteJWTClaims = match decode_invite_jwt(&token) {
+            Ok(claims) => claims,
+            Err(msg) => err!("Invalid claim: {:#?}", msg),
+    };
+
+    match User::find_by_mail(&claims.email, &conn) {
+        Some(_) => {
+            if Invitation::take(&claims.email, &conn) {
+                if claims.user_org_id.is_some() {
+                    // If this isn't the virtual_org, mark userorg as accepted
+                    let mut user_org = match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id, &conn) {
+                        Some(user_org) => user_org,
+                        None => err!("Error accepting the invitation") 
+                    };
+                    user_org.status = UserOrgStatus::Accepted as i32;
+                    if user_org.save(&conn).is_err() {
+                        err!("Failed to accept user to organization")
+                    }
+                }
+            } else {
+                err!("Invitation for user not found")
+            }
+        },
+        None => {
+            err!("Invited user not found")
+        },
    }

    Ok(())
--- a/src/auth.rs
+++ b/src/auth.rs
@ -56,6 +56,27 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
    }
 }

+pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, String> {
+    let validation = jsonwebtoken::Validation {
+        leeway: 30, // 30 seconds
+        validate_exp: true,
+        validate_iat: false, // IssuedAt is the same as NotBefore
+        validate_nbf: true,
+        aud: None,
+        iss: Some(JWT_ISSUER.clone()),
+        sub: None,
+        algorithms: vec![JWT_ALGORITHM],
+    };
+
+    match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
+        Ok(decoded) => Ok(decoded.claims),
+        Err(msg) => {
+            error!("Error validating jwt - {:#?}", msg);
+            Err(msg.to_string())
+        }
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct JWTClaims {
    // Not before
@ -87,6 +108,22 @@ pub struct JWTClaims {
    pub amr: Vec<String>,
 }

+#[derive(Debug, Serialize, Deserialize)]
+pub struct InviteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+
+    pub email: String,
+    pub org_id: String,
+    pub user_org_id: Option<String>,
+}
+
 ///
 /// Bearer token authentication
 ///
--- a/src/mail.rs
+++ b/src/mail.rs
@ -5,6 +5,7 @@ use lettre::smtp::authentication::Credentials;
 use lettre_email::EmailBuilder;

 use crate::MailConfig;
+use crate::CONFIG;

 fn mailer(config: &MailConfig) -> SmtpTransport {
    let client_security = if config.smtp_ssl {
@ -60,3 +61,31 @@ pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConf
        .map_err(|e| e.to_string())
        .and(Ok(()))
 }
+
+pub fn send_invite(address: &str, org_id: &str, org_user_id: &str, token: &str, org_name: &str, config: &MailConfig) -> Result<(), String> {
+    let (subject, body) =  {
+        (format!("Join {}", &org_name),
+        format!(
+            "<html>
+             <p>You have been invited to join the <b>{}</b> organization.<br><br>
+             <a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">Click here to join</a></p>
+             <p>If you do not wish to join this organization, you can safely ignore this email.</p>
+             </html>",
+            org_name, CONFIG.domain, org_id, org_user_id, address, org_name, token
+        ))
+    };
+
+    let email = EmailBuilder::new()
+        .to(address)
+        .from((config.smtp_from.clone(), "Bitwarden-rs"))
+        .subject(subject)
+        .header(("Content-Type", "text/html"))
+        .body(body)
+        .build()
+        .map_err(|e| e.to_string())?;
+
+    mailer(config)
+        .send(email.into())
+        .map_err(|e| e.to_string())
+        .and(Ok(()))
+}