diff --git a/chatmaild/src/chatmaild/config.py b/chatmaild/src/chatmaild/config.py
index ae5f4423..332c1029 100644
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -31,6 +31,7 @@ class Config:
 self.username_min_length = int(params["username_min_length"])
 self.username_max_length = int(params["username_max_length"])
 self.password_min_length = int(params["password_min_length"])
+ self.invite_token = params["invite_token"]
 self.passthrough_senders = params["passthrough_senders"].split()
 self.passthrough_recipients = params["passthrough_recipients"].split()
 self.www_folder = params.get("www_folder", "")
diff --git a/chatmaild/src/chatmaild/doveauth.py b/chatmaild/src/chatmaild/doveauth.py
index e6292a36..70589214 100644
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -24,10 +24,11 @@ def encrypt_password(password: str):
 def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
 """Return True if user and password are admissable."""
 if os.path.exists(NOCREATE_FILE):
- logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
- return False
+ if config.invite_token and config.invite_token not in cleartext_password:
+ logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
+ return False
 
- if len(cleartext_password) < config.password_min_length:
+ if len(cleartext_password.replace(config.invite_token, "")) < config.password_min_length:
 logging.warning(
 "Password needs to be at least %s characters long",
 config.password_min_length,
diff --git a/chatmaild/src/chatmaild/newemail.py b/chatmaild/src/chatmaild/newemail.py
index fbf976af..cf483ff2 100644
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -3,6 +3,7 @@
 """CGI script for creating new accounts."""
 
 import json
+import os
 import random
 import secrets
 import string
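Review bot: In config.py, `params["invite_token"]` makes the new key mandatory, so a config file written before this commit will presumably raise KeyError when Config is built, whereas the `www_folder` line three lines below uses `params.get(..., "")`. The value is also stored exactly as read, with no stripping and no minimum length, although it now acts as a shared secret that gates account creation. Consider `self.invite_token = params.get("invite_token", "").strip()` together with rejecting a non-empty token that is too short to resist guessing, and document that an empty value means invites are disabled. The enclosing method starts and ends outside the hunk.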
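Review bot: In doveauth.py the nocreate guard now fails open: when `config.invite_token` is empty the condition `config.invite_token and ...` is false, so account creation proceeds even though NOCREATE_FILE exists, which the removed lines always refused. The check should block unless a configured token is actually presented, e.g. `if not config.invite_token or not cleartext_password.startswith(config.invite_token):`, which also replaces the substring match `in` with the leading position that newemail.py generates. The length check is loose in the same way, since `.replace(config.invite_token, "")` strips every occurrence of the token rather than the single leading one. `is_allowed_to_create` continues past the end of the hunk.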
@@ -20,7 +21,9 @@ def create_newemail_dict(config: Config):
 secrets.choice(ALPHANUMERIC_PUNCT)
 for _ in range(config.password_min_length + 3)
 )
- return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
+ redirect_uri = os.getenv("REQUEST_URI")
+ invite_token = redirect_uri[5:] if redirect_uri != "/new" else ""
+ return dict(email=f"{user}@{config.mail_domain}", password=f"{invite_token}{password}")
 
 
 def print_new_account():
diff --git a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2 b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
index 8d27394c..7e72093f 100644
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -90,6 +90,7 @@ http {
 fastcgi_pass unix:/run/fcgiwrap.socket;
 include /etc/nginx/fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
+ fastcgi_param QUERY_STRING $query_string;
 }
 
 # Old URL for compatibility with e.g. printed QR codes.
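Review bot: In create_newemail_dict, `redirect_uri[5:]` treats everything after the first five characters of REQUEST_URI as the invite token, so any request URI other than exactly `/new` gets request-supplied text of arbitrary length and content prepended to the generated password. That presumably includes the old compatibility URL mentioned in the nginx config. A missing variable also makes `os.getenv("REQUEST_URI")` return None, and the slice then raises TypeError. Read it as `redirect_uri = os.environ.get("REQUEST_URI") or ""`, accept a token only when the URI starts with the one expected prefix and separator (not visible in this hunk), and bound its length and character set before it goes into the JSON response. The function begins before the hunk.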
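Review bot: The added `fastcgi_param QUERY_STRING $query_string;` looks unused by this commit, because newemail.py takes the token from REQUEST_URI, and the `include /etc/nginx/fastcgi_params;` two lines above normally already defines QUERY_STRING in stock nginx packaging. If the token is meant to arrive as a query string, the CGI script should read that variable; otherwise the line can be dropped. Either way the invite token travels in the request URL, so it will likely be written to the access log for this location unless logging there is adjusted. That deserves a comment such as `# invite token is part of the URL; keep it out of access logs`. The location block opens outside the hunk.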