From 2cd736ab817e2d1c717ec876978cd2623e62665a Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Thu, 20 Dec 2018 22:16:41 -0500 Subject: [PATCH] Validate JWT if a user registers with SMTP invites enabled --- src/api/core/accounts.rs | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 9aea3ef2..a8132a7f 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -4,7 +4,7 @@ use crate::db::models::*; use crate::db::DbConn; use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers}; -use crate::auth::Headers; +use crate::auth::{Headers, decode_invite_jwt, InviteJWTClaims}; use crate::mail; use crate::CONFIG; @@ -44,6 +44,8 @@ struct RegisterData { MasterPasswordHash: String, MasterPasswordHint: Option, Name: Option, + Token: Option, + OrganizationUserId: Option, } #[derive(Deserialize, Debug)] @@ -59,22 +61,37 @@ fn register(data: JsonUpcase, conn: DbConn) -> EmptyResult { let mut user = match User::find_by_mail(&data.Email, &conn) { Some(user) => { - if CONFIG.mail.is_none() { - if Invitation::take(&data.Email, &conn) { + if Invitation::find_by_mail(&data.Email, &conn).is_some() { + if CONFIG.mail.is_none() { for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() { user_org.status = UserOrgStatus::Accepted as i32; if user_org.save(&conn).is_err() { err!("Failed to accept user to organization") } } + if !Invitation::take(&data.Email, &conn) { + err!("Error accepting invitation") + } user - } else if CONFIG.signups_allowed { - err!("Account with this email already exists") } else { - err!("Registration not allowed") + let token = match &data.Token { + Some(token) => token, + None => err!("No valid invite token") + }; + let claims: InviteJWTClaims = match decode_invite_jwt(&token) { + Ok(claims) => claims, + Err(msg) => err!("Invalid claim: {:#?}", msg), + }; + if &claims.email == &data.Email { + user + } else { + err!("Registration email does not match invite email") + } } + } else if CONFIG.signups_allowed { + err!("Account with this email already exists") } else { - user + err!("Registration not allowed") } } None => {