Merge branch '2fa_enforcement' of https://github.com/olivierIllogika/bitwarden_rs into olivierIllogika-2fa_enforcement

2025-05-30 23:43:56 +00:00 · 2021-07-15 19:27:36 +02:00 · 2021-07-15 19:27:36 +02:00 · 4f08167d6f
commit 4f08167d6f
parent fef76e2f6f 39167d333a
9 changed files with 223 additions and 7 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -646,6 +646,19 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
                    err!("User already accepted the invitation")
                }

+                let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+                let policy = OrgPolicyType::TwoFactorAuthentication as i32;
+                let org_twofactor_policy_enabled =
+                    match OrgPolicy::find_by_org_and_type(&user_org.org_uuid, policy, &conn) {
+                        Some(p) => p.enabled,
+                        None => false,
+                    };
+
+                if org_twofactor_policy_enabled && user_twofactor_disabled {
+                    err!("You cannot join this organization until you enable two-step login on your user account.")
+                }
+
                user_org.status = UserOrgStatus::Accepted as i32;
                user_org.save(&conn)?;
            }
@ -998,6 +1011,24 @@ fn put_policy(
        None => err!("Invalid policy type"),
    };

+    if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled {
+        let org_list = UserOrganization::find_by_org(&org_id, &conn);
+
+        for user_org in org_list.into_iter() {
+            let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).is_empty();
+
+            if user_twofactor_disabled && user_org.atype < UserOrgType::Admin {
+                if CONFIG.mail_enabled() {
+                    let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).unwrap();
+                    let user = User::find_by_uuid(&user_org.user_uuid, &conn).unwrap();
+
+                    mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                }
+                user_org.delete(&conn)?;
+            }
+        }
+    }
+
    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
        Some(p) => p,
        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),