Merge branch 'main' into dependabot/npm_and_yarn/frontend/graphql-codegen-97975e453b

Author: sandhose

Cargo.lock

@@ -93,7 +93,7 @@ version = "1.6.0"
 
 # Packed bitfields
 [workspace.dependencies.bitflags]
-version = "2.8.0"
+version = "2.9.0"
 
 # Bytes
 [workspace.dependencies.bytes]

Cargo.toml

@@ -6,18 +6,75 @@
 
 use anyhow::Context as _;
 use async_graphql::{Context, Description, Enum, ID, InputObject, Object};
+use mas_data_model::SiteConfig;
 use mas_i18n::DataLocale;
 use mas_storage::{
-    RepositoryAccess,
+    BoxRepository, RepositoryAccess,
     queue::{ProvisionUserJob, QueueJobRepositoryExt as _, SendEmailAuthenticationCodeJob},
     user::{UserEmailFilter, UserEmailRepository, UserRepository},
 };
+use zeroize::Zeroizing;
 
-use crate::graphql::{
-    model::{NodeType, User, UserEmail, UserEmailAuthentication},
-    state::ContextExt,
+use crate::{
+    graphql::{
+        Requester,
+        model::{NodeType, User, UserEmail, UserEmailAuthentication},
+        state::ContextExt,
+    },
+    passwords::PasswordManager,
 };
 
+/// Check the password if neeed
+///
+/// Returns true if password verification is not needed, or if the password is
+/// correct. Returns false if the password is incorrect or missing.
+async fn verify_password_if_needed(
+    requester: &Requester,
+    config: &SiteConfig,
+    password_manager: &PasswordManager,
+    password: Option<String>,
+    user: &mas_data_model::User,
+    repo: &mut BoxRepository,
+) -> Result<bool, async_graphql::Error> {
+    // If the requester is admin, they don't need to provide a password
+    if requester.is_admin() {
+        return Ok(true);
+    }
+
+    // If password login is disabled, assume we don't want the user to reauth
+    if !config.password_login_enabled {
+        return Ok(true);
+    }
+
+    // Else we need to check if the user has a password
+    let Some(user_password) = repo
+        .user_password()
+        .active(user)
+        .await
+        .context("Failed to load user password")?
+    else {
+        // User has no password, so we don't need to verify the password
+        return Ok(true);
+    };
+
+    let Some(password) = password else {
+        // There is a password on the user, but not provided in the input
+        return Ok(false);
+    };
+
+    let password = Zeroizing::new(password.into_bytes());
+
+    let res = password_manager
+        .verify(
+            user_password.version,
+            password,
+            user_password.hashed_password,
+        )
+        .await;
+
+    Ok(res.is_ok())
+}
+
 #[derive(Default)]
 pub struct UserEmailMutations {
     _private: (),
@@ -120,6 +177,10 @@ impl AddEmailPayload {
 struct RemoveEmailInput {
     /// The ID of the email address to remove
     user_email_id: ID,
+
+    /// The user's current password. This is required if the user is not an
+    /// admin and it has a password on its account.
+    password: Option<String>,
 }
 
 /// The status of the `removeEmail` mutation
@@ -130,13 +191,17 @@ enum RemoveEmailStatus {
 
     /// The email address was not found
     NotFound,
+
+    /// The password provided is incorrect
+    IncorrectPassword,
 }
 
 /// The payload of the `removeEmail` mutation
 #[derive(Description)]
 enum RemoveEmailPayload {
     Removed(mas_data_model::UserEmail),
     NotFound,
+    IncorrectPassword,
 }
 
 #[Object(use_type_description)]
@@ -146,27 +211,31 @@ impl RemoveEmailPayload {
         match self {
             RemoveEmailPayload::Removed(_) => RemoveEmailStatus::Removed,
             RemoveEmailPayload::NotFound => RemoveEmailStatus::NotFound,
+            RemoveEmailPayload::IncorrectPassword => RemoveEmailStatus::IncorrectPassword,
         }
     }
 
     /// The email address that was removed
     async fn email(&self) -> Option<UserEmail> {
         match self {
             RemoveEmailPayload::Removed(email) => Some(UserEmail(email.clone())),
-            RemoveEmailPayload::NotFound => None,
+            RemoveEmailPayload::NotFound | RemoveEmailPayload::IncorrectPassword => None,
         }
     }
 
     /// The user to whom the email address belonged
     async fn user(&self, ctx: &Context<'_>) -> Result<Option<User>, async_graphql::Error> {
         let state = ctx.state();
-        let mut repo = state.repository().await?;
 
         let user_id = match self {
             RemoveEmailPayload::Removed(email) => email.user_id,
-            RemoveEmailPayload::NotFound => return Ok(None),
+            RemoveEmailPayload::NotFound | RemoveEmailPayload::IncorrectPassword => {
+                return Ok(None);
+            }
         };
 
+        let mut repo = state.repository().await?;
+
         let user = repo
             .user()
             .lookup(user_id)
@@ -226,6 +295,10 @@ struct StartEmailAuthenticationInput {
     /// The email address to add to the account
     email: String,
 
+    /// The user's current password. This is required if the user has a password
+    /// on its account.
+    password: Option<String>,
+
     /// The language to use for the email
     #[graphql(default = "en")]
     language: String,
@@ -244,6 +317,8 @@ enum StartEmailAuthenticationStatus {
     Denied,
     /// The email address is already in use on this account
     InUse,
+    /// The password provided is incorrect
+    IncorrectPassword,
 }
 
 /// The payload of the `startEmailAuthentication` mutation
@@ -256,6 +331,7 @@ enum StartEmailAuthenticationPayload {
         violations: Vec<mas_policy::Violation>,
     },
     InUse,
+    IncorrectPassword,
 }
 
 #[Object(use_type_description)]
@@ -268,16 +344,19 @@ impl StartEmailAuthenticationPayload {
             Self::RateLimited => StartEmailAuthenticationStatus::RateLimited,
             Self::Denied { .. } => StartEmailAuthenticationStatus::Denied,
             Self::InUse => StartEmailAuthenticationStatus::InUse,
+            Self::IncorrectPassword => StartEmailAuthenticationStatus::IncorrectPassword,
         }
     }
 
     /// The email authentication session that was started
     async fn authentication(&self) -> Option<&UserEmailAuthentication> {
         match self {
             Self::Started(authentication) => Some(authentication),
-            Self::InvalidEmailAddress | Self::RateLimited | Self::Denied { .. } | Self::InUse => {
-                None
-            }
+            Self::InvalidEmailAddress
+            | Self::RateLimited
+            | Self::Denied { .. }
+            | Self::InUse
+            | Self::IncorrectPassword => None,
         }
     }
 
@@ -494,6 +573,20 @@ impl UserEmailMutations {
             .await?
             .context("Failed to load user")?;
 
+        // Validate the password input if needed
+        if !verify_password_if_needed(
+            requester,
+            state.site_config(),
+            &state.password_manager(),
+            input.password,
+            &user,
+            &mut repo,
+        )
+        .await?
+        {
+            return Ok(RemoveEmailPayload::IncorrectPassword);
+        }
+
         // TODO: don't allow removing the last email address
 
         repo.user_email().remove(user_email.clone()).await?;
@@ -627,6 +720,20 @@ impl UserEmailMutations {
             });
         }
 
+        // Validate the password input if needed
+        if !verify_password_if_needed(
+            requester,
+            state.site_config(),
+            &state.password_manager(),
+            input.password,
+            &browser_session.user,
+            &mut repo,
+        )
+        .await?
+        {
+            return Ok(StartEmailAuthenticationPayload::IncorrectPassword);
+        }
+
         // Create a new authentication session
         let authentication = repo
             .user_email()

crates/handlers/src/graphql/mutations/user_email.rs

@@ -15,7 +15,7 @@ workspace = true
 anyhow.workspace = true
 async-trait.workspace = true
 camino.workspace = true
-convert_case = "0.7.1"
+convert_case = "0.8.0"
 csv = "1.3.1"
 reqwest.workspace = true
 serde.workspace = true

crates/iana-codegen/Cargo.toml

@@ -26,7 +26,7 @@ opentelemetry-semantic-conventions.workspace = true
 rand.workspace = true
 rand_chacha.workspace = true
 url.workspace = true
-uuid = "1.14.0"
+uuid = "1.15.1"
 ulid = { workspace = true, features = ["uuid"] }
 
 oauth2-types.workspace = true

crates/storage-pg/Cargo.toml

@@ -25,7 +25,7 @@ tracing.workspace = true
 futures-util = "0.3.31"
 
 rand.workspace = true
-uuid = "1.14.0"
+uuid = "1.15.1"
 ulid = { workspace = true, features = ["uuid"] }
 
 mas-config.workspace = true

crates/syn2mas/Cargo.toml

@@ -172,14 +172,15 @@ const MAX_CONCURRENT_JOBS: usize = 10;
 const MAX_JOBS_TO_FETCH: usize = 5;
 
 // How many attempts a job should be retried
-const MAX_ATTEMPTS: usize = 5;
+const MAX_ATTEMPTS: usize = 10;
 
 /// Returns the delay to wait before retrying a job
 ///
-/// Uses an exponential backoff: 1s, 2s, 4s, 8s, 16s
+/// Uses an exponential backoff: 5s, 10s, 20s, 40s, 1m20s, 2m40s, 5m20s, 10m50s,
+/// 21m40s, 43m20s
 fn retry_delay(attempt: usize) -> Duration {
     let attempt = u32::try_from(attempt).unwrap_or(u32::MAX);
-    Duration::milliseconds(2_i64.saturating_pow(attempt) * 1000)
+    Duration::milliseconds(2_i64.saturating_pow(attempt) * 5_000)
 }
 
 type JobResult = Result<(), JobError>;

crates/tasks/src/new_queue.rs

@@ -14,6 +14,14 @@ ignore = [
     # RSA key extraction "Marvin Attack". This is only relevant when using
     # PKCS#1 v1.5 encryption, which we don't
     "RUSTSEC-2023-0071",
+
+    # `paste`, as used by `aws-lc-rs` is unmaintained, but we're not concerned
+    # about it having a security vulnerability
+    "RUSTSEC-2024-0436",
+
+    # rust-protobuf has an infinite recursion issue when parsing inputs. We only
+    # use protobuf for opentelemetry output, so we are not affected
+    "RUSTSEC-2024-0437",
 ]
 
 [licenses]

deny.toml

@@ -5,6 +5,7 @@
     "clear": "Clear",
     "close": "Close",
     "collapse": "Collapse",
+    "confirm": "Confirm",
     "continue": "Continue",
     "edit": "Edit",
     "expand": "Expand",
@@ -27,6 +28,7 @@
     "e2ee": "End-to-end encryption",
     "loading": "Loading…",
     "next": "Next",
+    "password": "Password",
     "previous": "Previous",
     "saved": "Saved",
     "saving": "Saving…"
@@ -57,7 +59,9 @@
       "email_field_help": "Add an alternative email you can use to access this account.",
       "email_field_label": "Add email",
       "email_in_use_error": "The entered email is already in use",
-      "email_invalid_error": "The entered email is invalid"
+      "email_invalid_error": "The entered email is invalid",
+      "incorrect_password_error": "Incorrect password, please try again",
+      "password_confirmation": "Confirm your account password to add this email address"
     },
     "browser_session_details": {
       "current_badge": "Current"
@@ -258,7 +262,9 @@
     "user_email": {
       "delete_button_confirmation_modal": {
         "action": "Delete email",
-        "body": "Delete this email?"
+        "body": "Delete this email?",
+        "incorrect_password": "Incorrect password, please try again",
+        "password_confirmation": "Confirm your account password to delete this email address"
       },
       "delete_button_title": "Remove email address",
       "email": "Email"