Merge pull request #6386 from mailcow/staging

Automatic PR to nightly from 2025-03-24T08:36:34Z

data/conf/nginx/templates/nginx.conf.j2

@@ -182,6 +182,8 @@ http {
         }
     }
 
+    include /etc/nginx/conf.d/*.conf;
+
     {% for cert in valid_cert_dirs %}
     server {
         {% if not HTTP_REDIRECT %}
@@ -206,6 +208,4 @@ http {
         include /etc/nginx/includes/sites-default.conf;
     }
     {% endfor %}
-
-    include /etc/nginx/conf.d/*.conf;
 }

data/web/api/openapi.yaml

@@ -346,7 +346,8 @@ paths:
                   description: the domain which emails should be forwarded
                   type: string
                 type:
-                  description: the type of bcc map can be `sender` or `recipient`
+                  description: the type of bcc map can be `sender` or `rcpt`
+                  enum: [sender, rcpt]
                   type: string
               type: object
       summary: Create BCC Map

data/web/inc/functions.inc.php

@@ -1385,6 +1385,7 @@ function fido2($_data) {
       );
     break;
     case "verify":
+      $role = "";
       $tokenData = json_decode($_data['token']);
       $clientDataJSON = base64_decode($tokenData->clientDataJSON);
       $authenticatorData = base64_decode($tokenData->authenticatorData);
@@ -1418,17 +1419,17 @@ function fido2($_data) {
       $stmt->execute(array(':username' => $process_fido2['username']));
       $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
-        $_SESSION["mailcow_cc_role"] = "admin";
+        $role = "admin";
       }
       elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
-        $_SESSION["mailcow_cc_role"] = "domainadmin";
+        $role = "domainadmin";
       }
       elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
         $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
         $stmt->execute(array(':username' => $process_fido2['username']));
         $row = $stmt->fetch(PDO::FETCH_ASSOC);
         if ($row['username'] == $process_fido2['username']) {
-          $_SESSION["mailcow_cc_role"] = "user";
+          $role = "user";
         }
       }
       else {
@@ -1439,7 +1440,7 @@ function fido2($_data) {
         );
         return false;
       }
-      if (empty($_SESSION["mailcow_cc_role"])) {
+      if (empty($role)) {
         session_unset();
         session_destroy();
         $_SESSION['return'][] =  array(
@@ -1449,15 +1450,17 @@ function fido2($_data) {
         );
         return false;
       }
-      $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
-      $_SESSION["fido2_cid"] = $process_fido2['cid'];
       unset($_SESSION["challenge"]);
       $_SESSION['return'][] =  array(
         'type' => 'success',
         'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
         'msg' => array('logged_in_as', $process_fido2['username'])
       );
-      return true;
+      return array(
+        "role" => $role,
+        "username" => $process_fido2['username'],
+        "cid" => $process_fido2['cid']
+      );
     break;
   }
 }

data/web/inc/functions.mailbox.inc.php

@@ -3324,7 +3324,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $is_now = mailbox('get', 'mailbox_details', $old_username);
-          if (empty($is_now)) {
+          if (empty($is_now) || ($is_now['active'] != '1' && $is_now['active'] != '2')) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),

data/web/inc/triggers.admin.inc.php

@@ -19,11 +19,16 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "admin"
   ));
+  if (is_array($res) && $res['role'] == "admin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 

data/web/inc/triggers.domainadmin.inc.php

@@ -30,11 +30,16 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "domainadmin"
   ));
+  if (is_array($res) && $res['role'] == "domainadmin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 

data/web/inc/triggers.user.inc.php

@@ -66,6 +66,14 @@ if (isset($_POST["verify_tfa_login"])) {
         die();
       } else {
         set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+
+        if (isset($_SESSION['oauth2_request'])) {
+          $oauth2_request = $_SESSION['oauth2_request'];
+          unset($_SESSION['oauth2_request']);
+          header('Location: ' . $oauth2_request);
+          die();
+        }
+
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
         if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
@@ -84,11 +92,15 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "user"
   ));
+  if (is_array($res) && $res['role'] == "user" && !empty($res['username'])){
+    set_user_loggedin_session($res['username']);
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 
@@ -118,6 +130,12 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
         header("Location: /mobileconfig.php");
         die();
     }
+    if (isset($_SESSION['oauth2_request'])) {
+      $oauth2_request = $_SESSION['oauth2_request'];
+      unset($_SESSION['oauth2_request']);
+      header('Location: ' . $oauth2_request);
+      die();
+    }
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;