added new user setting option to disable authentication

nodemailer · Nov 15, 2019 · 188f4dc · 188f4dc
1 parent abe3729
commit 188f4dc
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 11 deletions.
diff --git a/docs/api_data.js b/docs/api_data.js
diff --git a/docs/api_data.json b/docs/api_data.json
diff --git a/docs/api_project.js b/docs/api_project.js
diff --git a/docs/api_project.json b/docs/api_project.json
@@ -1 +1 @@
-{  "name": "wildduck",  "version": "1.0.0",  "description": "WildDuck API docs",  "title": "WildDuck API",  "url": "https://api.wildduck.email",  "sampleUrl": false,  "defaultVersion": "0.0.0",  "apidoc": "0.3.0",  "generator": {    "name": "apidoc",    "time": "2019-10-10T10:54:16.836Z",    "url": "http://apidocjs.com",    "version": "0.17.7"  }}
+{  "name": "wildduck",  "version": "1.0.0",  "description": "WildDuck API docs",  "title": "WildDuck API",  "url": "https://api.wildduck.email",  "sampleUrl": false,  "defaultVersion": "0.0.0",  "apidoc": "0.3.0",  "generator": {    "name": "apidoc",    "time": "2019-11-15T07:16:25.789Z",    "url": "http://apidocjs.com",    "version": "0.17.7"  }}

diff --git a/lib/api/users.js b/lib/api/users.js
@@ -55,6 +55,7 @@ module.exports = (db, server, userHandler) => {
      * @apiSuccess {Boolean} results.hasPasswordSet If <code>true</code> then the User has a password set and can authenticate
      * @apiSuccess {Boolean} results.activated Is the account activated
      * @apiSuccess {Boolean} results.disabled If <code>true</code> then the user can not authenticate or receive any new mail
+     * @apiSuccess {Boolean} results.suspended If <code>true</code> then the user can not authenticate
      *
      * @apiError error Description of the error
      *
@@ -87,7 +88,8 @@ module.exports = (db, server, userHandler) => {
      *           },
      *           "hasPasswordSet": true,
      *           "activated": true,
-     *           "disabled": false
+     *           "disabled": false,
+     *           "suspended": false
      *         }
      *       ]
      *     }
@@ -251,6 +253,7 @@ module.exports = (db, server, userHandler) => {
                         quota: true,
                         activated: true,
                         disabled: true,
+                        suspended: true,
                         password: true,
                         encryptMessages: true,
                         encryptForwarded: true
@@ -306,8 +309,9 @@ module.exports = (db, server, userHandler) => {
                             used: Math.max(Number(userData.storageUsed) || 0, 0)
                         },
                         hasPasswordSet: !!userData.password || !!userData.tempPassword,
-                        activated: userData.activated,
-                        disabled: userData.disabled
+                        activated: !!userData.activated,
+                        disabled: !!userData.disabled,
+                        suspended: !!userData.suspended
                     })
                 )
             };
@@ -914,6 +918,7 @@ module.exports = (db, server, userHandler) => {
      * @apiSuccess {Boolean} hasPasswordSet If <code>true</code> then the User has a password set and can authenticate
      * @apiSuccess {Boolean} activated Is the account activated
      * @apiSuccess {Boolean} disabled If <code>true</code> then the user can not authenticate or receive any new mail
+     * @apiSuccess {Boolean} suspended If <code>true</code> then the user can not authenticate
      *
      * @apiError error Description of the error
      *
@@ -959,7 +964,8 @@ module.exports = (db, server, userHandler) => {
      *       "disabledScopes": ["pop3"],
      *       "hasPasswordSet": true,
      *       "activated": true,
-     *       "disabled": false
+     *       "disabled": false,
+     *       "suspended": false
      *     }
      *
      * @apiErrorExample {json} Error-Response:
@@ -1179,8 +1185,9 @@ module.exports = (db, server, userHandler) => {
                     disabledScopes: userData.disabledScopes || [],
 
                     hasPasswordSet: !!userData.password || !!userData.tempPassword,
-                    activated: userData.activated,
-                    disabled: userData.disabled
+                    activated: !!userData.activated,
+                    disabled: !!userData.disabled,
+                    suspended: !!userData.suspended
                 })
             );
 
@@ -1225,6 +1232,7 @@ module.exports = (db, server, userHandler) => {
      * @apiParam {Boolean} [disable2fa] If true, then disables 2FA for this user
      * @apiParam {String[]} disabledScopes List of scopes that are disabled for this user ("imap", "pop3", "smtp")
      * @apiParam {Boolean} [disabled] If true then disables user account (can not login, can not receive messages)
+     * @apiParam {Boolean} [suspended] If true then disables authentication
      * @apiParam {String} [sess] Session identifier for the logs
      * @apiParam {String} [ip] IP address for the logs
      *
@@ -1353,6 +1361,12 @@ module.exports = (db, server, userHandler) => {
                     .empty('')
                     .truthy(['Y', 'true', 'yes', 'on', '1', 1])
                     .falsy(['N', 'false', 'no', 'off', '0', 0, '']),
+
+                suspended: Joi.boolean()
+                    .empty('')
+                    .truthy(['Y', 'true', 'yes', 'on', '1', 1])
+                    .falsy(['N', 'false', 'no', 'off', '0', 0, '']),
+
                 sess: Joi.string().max(255),
                 ip: Joi.string().ip({
                     version: ['ipv4', 'ipv6'],

diff --git a/lib/user-handler.js b/lib/user-handler.js
@@ -230,7 +230,8 @@ class UserHandler {
             _id: true,
             quota: true,
             storageUsed: true,
-            disabled: true
+            disabled: true,
+            suspended: true
         };
 
         Object.keys(extraFields || {}).forEach(field => {
@@ -476,6 +477,7 @@ class UserHandler {
                     enabled2fa: true,
                     u2f: true,
                     disabled: true,
+                    suspended: true,
                     disabledScopes: true
                 },
                 maxTimeMS: consts.DB_MAX_TIME_USERS
@@ -607,6 +609,24 @@ class UserHandler {
             return [false, userData._id];
         }
 
+        if (userData.suspended) {
+            // disabled users can not log in
+            meta.result = 'suspended';
+            // TODO: should we send some specific error message?
+            this.loggelf({
+                short_message: '[AUTHFAIL] ' + username,
+                _error: 'User is suspended',
+                _auth_result: 'suspended',
+                _username: username,
+                _domain: userDomain,
+                _user: userData._id,
+                _scope: requiredScope,
+                _ip: meta.ip
+            });
+            await this.logAuthEvent(userData._id, meta);
+            return [false, userData._id];
+        }
+
         try {
             let authSuccess = async authResponse => {
                 // clear rate limit counter on success
@@ -1320,6 +1340,7 @@ class UserHandler {
             // until setup value is not true, this account is not usable
             activated: false,
             disabled: true,
+            suspended: false,
 
             created: new Date()
         };