Admin password reset

[sirux88]

Since i'd like to use the admin reset password functionality within my instance I implemented the missing "Reset Master Password" policy and the needed functions

There are two points that (maybe) need improvment:

• Auto-enrollment won't work for instances without email enabled
• Bitwarden's reference implementation logs out the user to reset after resetting the password. I haven't found a api/method for this and also don't know how to implement

As i'm not used to programming in rust please feel free to comment and throw any improvements concering syntax.
All other improvements are welcome aswell

[BlackDex]

Thanks for the contribution.
In general, since i haven't looked at the code that good yet.

You mentioned that it will not work without email being enabled.
In that case, please add restrictions and check if mail is enabled with if CONFIG.mail_enabled() {
and prevent this policy from being activated at all.
And, also check if the policy is enabled when an admin tries to use this feature, mail is still enabled, and not turned of afterwards. Maybe even prevent this policy from being active in that case?
That way we can prevent issue reports, and you can return an error message stating mail has to be enabled.

In regards to logging the user out. I have a PR open which helps with that for at least the web-socket enabled clients (#3076). But other then that, depending on if they need a hard logout/refresh from the user, you can use the user.reset_security_stamp() that will invalidate there security stamp, and will prevent any further valid communication from any client.

[sirux88]

Concerning logging out:

In regards to logging the user out. I have a PR open which helps with that for at least the web-socket enabled clients (#3076). But other then that, depending on if they need a hard logout/refresh from the user, you can use the user.reset_security_stamp() that will invalidate there security stamp, and will prevent any further valid communication from any client.

1. Since resetting the password relies on user.set_password user.reset_security_stamp() is already been executed. Therefore this should be fine for non-websocket-enabled clients
2. I added your mentioned web-socket logout within my latest commit.
   Seems to me like the default behavior of at least web-vault

[BlackDex]

2. I added your mentioned web-socket logout within my latest commit.
   Seems to me like the default behavior of at least web-vault

That is true for the one you are currently using. But desktop client and browser extensions will now also receive the logout request, else they would in the end act upon the reset of the security stamp, but this is a bit nicer i think.

[sirux88]

You mentioned that it will not work without email being enabled.
In that case, please add restrictions and check if mail is enabled with if CONFIG.mail_enabled() {
and prevent this policy from being activated at all.

Let me clarify a bit what I ment with "auto-enrollment":
The restriction I mentioned is only about auto-enrollment-feature. Auto-enrollment means newly invited users get enrolled automatically while accepting the invation. This is implemented within org-endpoint /organizations/<org_id>/users/<_org_user_id>/accept
On email-disabled-instances this endpoint is never gone to be hit. As a consequence reset-password can't be enrolled

Manual enrollment can always be done. Also in email-disabled instances.
So there's no need to disable the policy at all for email-disabled instances.

[GeekCornerGH]

You should rebase your PR

[sirux88]

Rebase done @GeekCornerGH

[BlackDex]

Some small changes on items i see right now.
I haven't tested the code yet.

[BlackDex]

Some quick items i saw just now. Will try to further test and check later today.

[BlackDex]

Great! Looks nice, and seems to work fine during my tests.
Thanks for the contribution!

[dani-garcia]

Thanks!