Only create invitations when SMTP is disabled, and ignore invitations if we have a token.

Disallow users from accepting invitation twice
This commit is contained in:
Daniel García 2019-01-08 15:11:16 +01:00
parent f1161c65fb
commit 4309df8334
No known key found for this signature in database
GPG Key ID: FC8A7D14C3CD543A
3 changed files with 67 additions and 64 deletions

View File

@ -4,9 +4,9 @@ use serde_json::Value;
use crate::api::{JsonResult, JsonUpcase}; use crate::api::{JsonResult, JsonUpcase};
use crate::CONFIG; use crate::CONFIG;
use crate::mail;
use crate::db::models::*; use crate::db::models::*;
use crate::db::DbConn; use crate::db::DbConn;
use crate::mail;
use rocket::request::{self, FromRequest, Request}; use rocket::request::{self, FromRequest, Request};
use rocket::{Outcome, Route}; use rocket::{Outcome, Route};
@ -41,14 +41,14 @@ fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -
err!("Invitations are not allowed") err!("Invitations are not allowed")
} }
let mut invitation = Invitation::new(data.Email);
invitation.save(&conn)?;
if let Some(ref mail_config) = CONFIG.mail { if let Some(ref mail_config) = CONFIG.mail {
let mut user = User::new(email); let mut user = User::new(email);
user.save(&conn)?; user.save(&conn)?;
let org_name = "bitwarden_rs"; let org_name = "bitwarden_rs";
mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None, mail_config)?; mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None, mail_config)?;
} else {
let mut invitation = Invitation::new(data.Email);
invitation.save(&conn)?;
} }
Ok(Json(json!({}))) Ok(Json(json!({})))

View File

@ -61,29 +61,24 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) { let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => { Some(user) => {
if Invitation::find_by_mail(&data.Email, &conn).is_some() { if !user.password_hash.is_empty() {
if CONFIG.mail.is_none() { err!("User already exists")
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { }
user_org.status = UserOrgStatus::Accepted as i32;
user_org.save(&conn)?; if let Some(token) = data.Token {
} let claims: InviteJWTClaims = decode_invite_jwt(&token)?;
if !Invitation::take(&data.Email, &conn) { if claims.email == data.Email {
err!("Error accepting invitation")
}
user user
} else { } else {
let token = match &data.Token { err!("Registration email does not match invite email")
Some(token) => token,
None => err!("No valid invite token"),
};
let claims: InviteJWTClaims = decode_invite_jwt(&token)?;
if claims.email == data.Email {
user
} else {
err!("Registration email does not match invite email")
}
} }
} else if Invitation::take(&data.Email, &conn) {
for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
user_org.status = UserOrgStatus::Accepted as i32;
user_org.save(&conn)?;
}
user
} else if CONFIG.signups_allowed { } else if CONFIG.signups_allowed {
err!("Account with this email already exists") err!("Account with this email already exists")
} else { } else {
@ -91,14 +86,17 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
} }
} }
None => { None => {
if CONFIG.signups_allowed || (CONFIG.mail.is_none() && Invitation::take(&data.Email, &conn)) { if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
User::new(data.Email) User::new(data.Email.clone())
} else { } else {
err!("Registration not allowed") err!("Registration not allowed")
} }
} }
}; };
// Make sure we don't leave a lingering invitation.
Invitation::take(&data.Email, &conn);
if let Some(client_kdf_iter) = data.KdfIterations { if let Some(client_kdf_iter) = data.KdfIterations {
user.client_kdf_iter = client_kdf_iter; user.client_kdf_iter = client_kdf_iter;
} }

View File

@ -460,17 +460,19 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
}; };
let user = match User::find_by_mail(&email, &conn) { let user = match User::find_by_mail(&email, &conn) {
None => { None => {
if CONFIG.invitations_allowed { if !CONFIG.invitations_allowed {
// Invite user if that's enabled
let mut invitation = Invitation::new(email.clone());
invitation.save(&conn)?;
let mut user = User::new(email.clone());
user.save(&conn)?;
user_org_status = UserOrgStatus::Invited as i32;
user
} else {
err!(format!("User email does not exist: {}", email)) err!(format!("User email does not exist: {}", email))
} }
if CONFIG.mail.is_none() {
let mut invitation = Invitation::new(email.clone());
invitation.save(&conn)?;
}
let mut user = User::new(email.clone());
user.save(&conn)?;
user_org_status = UserOrgStatus::Invited as i32;
user
} }
Some(user) => { Some(user) => {
if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() { if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() {
@ -506,16 +508,16 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
Some(org) => org.name, Some(org) => org.name,
None => err!("Error looking up organization"), None => err!("Error looking up organization"),
}; };
mail::send_invite( mail::send_invite(
&email, &email,
&user.uuid, &user.uuid,
Some(org_id.clone()), Some(org_id.clone()),
Some(new_user.uuid), Some(new_user.uuid),
&org_name, &org_name,
Some(headers.user.email.clone()), Some(headers.user.email.clone()),
mail_config mail_config,
)?; )?;
} }
} }
@ -546,9 +548,6 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
None => err!("User not found."), None => err!("User not found."),
}; };
let mut invitation = Invitation::new(user.email.clone());
invitation.save(&conn)?;
let org_name = match Organization::find_by_uuid(&org_id, &conn) { let org_name = match Organization::find_by_uuid(&org_id, &conn) {
Some(org) => org.name, Some(org) => org.name,
None => err!("Error looking up organization."), None => err!("Error looking up organization."),
@ -556,14 +555,17 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
if let Some(ref mail_config) = CONFIG.mail { if let Some(ref mail_config) = CONFIG.mail {
mail::send_invite( mail::send_invite(
&user.email, &user.email,
&user.uuid, &user.uuid,
Some(org_id), Some(org_id),
Some(user_org.uuid), Some(user_org.uuid),
&org_name, &org_name,
Some(headers.user.email), Some(headers.user.email),
mail_config, mail_config,
)?; )?;
} else {
let mut invitation = Invitation::new(user.email.clone());
invitation.save(&conn)?;
} }
Ok(()) Ok(())
@ -585,16 +587,19 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
match User::find_by_mail(&claims.email, &conn) { match User::find_by_mail(&claims.email, &conn) {
Some(_) => { Some(_) => {
Invitation::take(&claims.email, &conn); Invitation::take(&claims.email, &conn);
if claims.user_org_id.is_some() && claims.org_id.is_some() {
let mut user_org = if let (Some(user_org), Some(org)) = (&claims.user_org_id, &claims.org_id) {
match UserOrganization::find_by_uuid_and_org(&claims.user_org_id.unwrap(), &claims.org_id.clone().unwrap(), &conn) { let mut user_org = match UserOrganization::find_by_uuid_and_org(user_org, org, &conn) {
Some(user_org) => user_org, Some(user_org) => user_org,
None => err!("Error accepting the invitation"), None => err!("Error accepting the invitation"),
}; };
user_org.status = UserOrgStatus::Accepted as i32;
if user_org.save(&conn).is_err() { if user_org.status != UserOrgStatus::Invited as i32 {
err!("Failed to accept user to organization") err!("User already accepted the invitation")
} }
user_org.status = UserOrgStatus::Accepted as i32;
user_org.save(&conn)?;
} }
} }
None => err!("Invited user not found"), None => err!("Invited user not found"),
@ -605,7 +610,7 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
if let Some(org_id) = &claims.org_id { if let Some(org_id) = &claims.org_id {
org_name = match Organization::find_by_uuid(&org_id, &conn) { org_name = match Organization::find_by_uuid(&org_id, &conn) {
Some(org) => org.name, Some(org) => org.name,
None => err!("Organization not found.") None => err!("Organization not found."),
}; };
}; };
if let Some(invited_by_email) = &claims.invited_by_email { if let Some(invited_by_email) = &claims.invited_by_email {