Merge pull request #6386 from mailcow/staging

Automatic PR to nightly from 2025-03-24T08:36:34Z
2026-01-06 13:39:16 +00:00 · 2025-03-27 07:45:25 +01:00
parent 986b0afbfa 1c9d80f554
commit 9351cf24fe
8 changed files with 47 additions and 15 deletions
--- a/data/conf/nginx/templates/nginx.conf.j2
+++ b/data/conf/nginx/templates/nginx.conf.j2
@@ -182,6 +182,8 @@ http {
        }
    }

+    include /etc/nginx/conf.d/*.conf;
+
    {% for cert in valid_cert_dirs %}
    server {
        {% if not HTTP_REDIRECT %}
@@ -206,6 +208,4 @@ http {
        include /etc/nginx/includes/sites-default.conf;
    }
    {% endfor %}
-
-    include /etc/nginx/conf.d/*.conf;
 }
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -346,7 +346,8 @@ paths:
                  description: the domain which emails should be forwarded
                  type: string
                type:
-                  description: the type of bcc map can be `sender` or `recipient`
+                  description: the type of bcc map can be `sender` or `rcpt`
+                  enum: [sender, rcpt]
                  type: string
              type: object
      summary: Create BCC Map
--- a/data/web/css/build/007-languages.min.css
+++ b/data/web/css/build/007-languages.min.css
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1385,6 +1385,7 @@ function fido2($_data) {
      );
    break;
    case "verify":
+      $role = "";
      $tokenData = json_decode($_data['token']);
      $clientDataJSON = base64_decode($tokenData->clientDataJSON);
      $authenticatorData = base64_decode($tokenData->authenticatorData);
@@ -1418,17 +1419,17 @@ function fido2($_data) {
      $stmt->execute(array(':username' => $process_fido2['username']));
      $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
      if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
-        $_SESSION["mailcow_cc_role"] = "admin";
+        $role = "admin";
      }
      elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
-        $_SESSION["mailcow_cc_role"] = "domainadmin";
+        $role = "domainadmin";
      }
      elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
        $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
        $stmt->execute(array(':username' => $process_fido2['username']));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row['username'] == $process_fido2['username']) {
-          $_SESSION["mailcow_cc_role"] = "user";
+          $role = "user";
        }
      }
      else {
@@ -1439,7 +1440,7 @@ function fido2($_data) {
        );
        return false;
      }
-      if (empty($_SESSION["mailcow_cc_role"])) {
+      if (empty($role)) {
        session_unset();
        session_destroy();
        $_SESSION['return'][] =  array(
@@ -1449,15 +1450,17 @@ function fido2($_data) {
        );
        return false;
      }
-      $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
-      $_SESSION["fido2_cid"] = $process_fido2['cid'];
      unset($_SESSION["challenge"]);
      $_SESSION['return'][] =  array(
        'type' => 'success',
        'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
        'msg' => array('logged_in_as', $process_fido2['username'])
      );
-      return true;
+      return array(
+        "role" => $role,
+        "username" => $process_fido2['username'],
+        "cid" => $process_fido2['cid']
+      );
    break;
  }
 }
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3324,7 +3324,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          }

          $is_now = mailbox('get', 'mailbox_details', $old_username);
-          if (empty($is_now)) {
+          if (empty($is_now) || ($is_now['active'] != '1' && $is_now['active'] != '2')) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -19,11 +19,16 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
    "action" => "verify",
    "token" => $_POST["token"],
    "user" => "admin"
  ));
+  if (is_array($res) && $res['role'] == "admin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
  exit;
 }

--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -30,11 +30,16 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
    "action" => "verify",
    "token" => $_POST["token"],
    "user" => "domainadmin"
  ));
+  if (is_array($res) && $res['role'] == "domainadmin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
  exit;
 }

--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -66,6 +66,14 @@ if (isset($_POST["verify_tfa_login"])) {
        die();
      } else {
        set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+
+        if (isset($_SESSION['oauth2_request'])) {
+          $oauth2_request = $_SESSION['oauth2_request'];
+          unset($_SESSION['oauth2_request']);
+          header('Location: ' . $oauth2_request);
+          die();
+        }
+
        $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
        $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
@@ -84,11 +92,15 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
    "action" => "verify",
    "token" => $_POST["token"],
    "user" => "user"
  ));
+  if (is_array($res) && $res['role'] == "user" && !empty($res['username'])){
+    set_user_loggedin_session($res['username']);
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
  exit;
 }

@@ -118,6 +130,12 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
        header("Location: /mobileconfig.php");
        die();
    }
+    if (isset($_SESSION['oauth2_request'])) {
+      $oauth2_request = $_SESSION['oauth2_request'];
+      unset($_SESSION['oauth2_request']);
+      header('Location: ' . $oauth2_request);
+      die();
+    }

    $user_details = mailbox("get", "mailbox_details", $login_user);
    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;