diff --git a/src/api/identity.rs b/src/api/identity.rs index 3602dc97..0fbe77ed 100644 --- a/src/api/identity.rs +++ b/src/api/identity.rs @@ -15,6 +15,8 @@ use crate::api::{ApiResult, EmptyResult, JsonResult}; use crate::auth::ClientIp; +use crate::mail; + use crate::CONFIG; pub fn routes() -> Vec { @@ -99,27 +101,14 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult ) } - // On iOS, device_type sends "iOS", on others it sends a number - let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0); - let device_id = data.device_identifier.clone().expect("No device id provided"); - let device_name = data.device_name.clone().expect("No device name provided"); - - // Find device or create new - let mut device = match Device::find_by_uuid(&device_id, &conn) { - Some(device) => { - // Check if owned device, and recreate if not - if device.user_uuid != user.uuid { - info!("Device exists but is owned by another user. The old device will be discarded"); - Device::new(device_id, user.uuid.clone(), device_name, device_type) - } else { - device - } - } - None => Device::new(device_id, user.uuid.clone(), device_name, device_type), - }; + let (mut device, new_device) = get_device(&data, &conn, &user); let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?; + if CONFIG.mail_enabled() && new_device { + mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &device.updated_at, &device.name)? + } + // Common let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap(); let orgs = UserOrganization::find_by_user(&user.uuid, &conn); @@ -134,7 +123,6 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult "refresh_token": device.refresh_token, "Key": user.akey, "PrivateKey": user.private_key, - //"TwoFactorToken": "11122233333444555666777888999" }); if let Some(token) = twofactor_token { @@ -145,6 +133,35 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult Ok(Json(result)) } +/// Retrieves an existing device or creates a new device from ConnectData and the User +fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> (Device, bool) { + // On iOS, device_type sends "iOS", on others it sends a number + let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0); + let device_id = data.device_identifier.clone().expect("No device id provided"); + let device_name = data.device_name.clone().expect("No device name provided"); + + let mut new_device = false; + // Find device or create new + let device = match Device::find_by_uuid(&device_id, &conn) { + Some(device) => { + // Check if owned device, and recreate if not + if device.user_uuid != user.uuid { + info!("Device exists but is owned by another user. The old device will be discarded"); + new_device = true; + Device::new(device_id, user.uuid.clone(), device_name, device_type) + } else { + device + } + } + None => { + new_device = true; + Device::new(device_id, user.uuid.clone(), device_name, device_type) + } + }; + + (device, new_device) +} + fn twofactor_auth( user_uuid: &str, data: &ConnectData, diff --git a/src/config.rs b/src/config.rs index 91feb1c6..85d97511 100644 --- a/src/config.rs +++ b/src/config.rs @@ -526,6 +526,7 @@ fn load_templates(path: &str) -> Handlebars { // First register default templates here reg!("email/invite_accepted", ".html"); reg!("email/invite_confirmed", ".html"); + reg!("email/new_device_logged_in", ".html"); reg!("email/pw_hint_none", ".html"); reg!("email/pw_hint_some", ".html"); reg!("email/send_org_invite", ".html"); diff --git a/src/mail.rs b/src/mail.rs index 2b814b54..506c85eb 100644 --- a/src/mail.rs +++ b/src/mail.rs @@ -3,13 +3,14 @@ use lettre::smtp::ConnectionReuseParameters; use lettre::{ClientSecurity, ClientTlsParameters, SmtpClient, SmtpTransport, Transport}; use lettre_email::{EmailBuilder, MimeMultipartType, PartBuilder}; use native_tls::{Protocol, TlsConnector}; -use quoted_printable::encode_to_str; use percent_encoding::{percent_encode, DEFAULT_ENCODE_SET}; +use quoted_printable::encode_to_str; use crate::api::EmptyResult; use crate::auth::{encode_jwt, generate_invite_claims}; use crate::error::Error; use crate::CONFIG; +use chrono::NaiveDateTime; fn mailer() -> SmtpTransport { let host = CONFIG.smtp_host().unwrap(); @@ -136,6 +137,25 @@ pub fn send_invite_confirmed(address: &str, org_name: &str) -> EmptyResult { send_email(&address, &subject, &body_html, &body_text) } +pub fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, device: &str) -> EmptyResult { + use crate::util::upcase_first; + let device = upcase_first(device); + + let datetime = dt.format("%A, %B %_d, %Y at %H:%M").to_string(); + + let (subject, body_html, body_text) = get_text( + "email/new_device_logged_in", + json!({ + "url": CONFIG.domain(), + "ip": ip, + "device": device, + "datetime": datetime, + }), + )?; + + send_email(&address, &subject, &body_html, &body_text) +} + fn send_email(address: &str, subject: &str, body_html: &str, body_text: &str) -> EmptyResult { let html = PartBuilder::new() .body(encode_to_str(body_html)) diff --git a/src/static/templates/email/new_device_logged_in.hbs b/src/static/templates/email/new_device_logged_in.hbs new file mode 100644 index 00000000..0ef4bb26 --- /dev/null +++ b/src/static/templates/email/new_device_logged_in.hbs @@ -0,0 +1,14 @@ +New Device Logged In From {{device}} + + +

+ Your account was just logged into from a new device. + + Date: {{datetime}} + IP Address: {{ip}} + Device Type: {{device}} + + You can deauthorize all devices that have access to your account from the + web vault under Settings > My Account > Deauthorize Sessions. +

+ diff --git a/src/static/templates/email/new_device_logged_in.html.hbs b/src/static/templates/email/new_device_logged_in.html.hbs new file mode 100644 index 00000000..0bf1e7b8 --- /dev/null +++ b/src/static/templates/email/new_device_logged_in.html.hbs @@ -0,0 +1,144 @@ +New Device Logged In From {{device}} + + + + + + Bitwarden_rs + + + + + + + + + + +
+ + + + +
+ + + + +
+ + + + + + + + + + + + + + + + +
+ Your account was just logged into from a new device. +
+ Date: {{datetime}} +
+ IP Address: {{ip}} +
+ Device Type: {{device}} +
+ You can deauthorize all devices that have access to your account from the web vault under Settings > My Account > Deauthorize Sessions. +
+
+ + + + + +
+
+ +