dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

MFA Enforcement on an Organization not working anymore? #4533

Closed rbability closed 2 months ago

rbability commented 2 months ago

I am on 1.30.5, but I can not say when the issue started, because we invite new users to those Organizations not very often.

Subject of the issue

After inviting a new user to an organization which has the "Enforce MFA" function enabled, I realized that this user has access, but was not enforced to enable MFA on his account. I am pretty sure that in the past, when I invited users to such an Organization, they were enforced to enable MFA first for their account before they were able to join.

Deployment environment

Your environment (Generated via diagnostics page)

Config (Generated via diagnostics page)

**Environment settings which are overridden:** ADMIN_TOKEN

```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 365,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": false,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "********",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "************************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "****************",
  "smtp_host": "**************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

Steps to reproduce

Expected behaviour

I expected that the User, when trying to accept the invitation to the Organization, gets a prompt that he has to enable MFA on his account first. I am pretty sure this was the behavior previously, but unfortunately I can not say since which version it changed.

Actual behaviour

The user can just accept an invitation to a MFA protected Organization without having MFA enabled.

rbability commented 2 months ago

To add to this. When removing the Checkmark for MFA enforcement on an organization, all Users without MFA enabled get removed from this organization. So this is still working as intended.

stefan0xC commented 2 months ago

What role is the user invited as? (Admins and Owners are exempt from MFA.)

[Screenshot: Policies page, Vaultwarden Web, 2024-05-02]

> When removing the Checkmark for MFA enforcement on an organization, all Users without MFA enabled get removed from this organization. So this is still working as intended.

This sounds backwards. If you remove the checkmark you turn off the policy meaning the enforcement of that policy should not be enabled and thus also not affect users. https://github.com/dani-garcia/vaultwarden/blob/0fe93edea6cb8d4b30416a6d319164f8828ad8b7/src/db/models/org_policy.rs#L286-L289
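As an added illustration (not vaultwarden's own code and not a copy of the linked org_policy.rs), a small Rust model of the rule stefan0xC describes: the two-step-login policy binds members below Admin, while Admins and Owners are exempt, which is why an Admin invite goes through without MFA. The role names and function names are assumptions for this example.

```rust
// Added illustration, not code from vaultwarden itself: a minimal model of how
// an organization's "require two-step login" policy applies per member role,
// as explained in this thread (Admins and Owners are exempt). Role names and
// the function names are assumptions for this example.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum OrgRole {
    User,
    Manager,
    Admin,
    Owner,
}

#[derive(Clone, Debug)]
pub struct Member {
    pub email: String,
    pub role: OrgRole,
    pub has_two_factor: bool,
}

/// The policy applies to everyone below Admin; Admins and Owners are exempt.
pub fn two_factor_policy_applies(role: OrgRole) -> bool {
    role < OrgRole::Admin
}

/// Can this member accept an invitation (or keep access) while the policy is on?
pub fn can_join(policy_enabled: bool, m: &Member) -> bool {
    !policy_enabled || !two_factor_policy_applies(m.role) || m.has_two_factor
}

/// Members who lose access when the policy is switched on for an existing org
/// (the situation the reporter describes later in this thread).
pub fn revoked_when_enabled(members: &[Member]) -> Vec<String> {
    members.iter().filter(|m| !can_join(true, m)).map(|m| m.email.clone()).collect()
}

fn main() {
    // Constructed sample: the reporter's case, an Admin invited without 2FA.
    let admin = Member { email: "admin@example.com".into(), role: OrgRole::Admin, has_two_factor: false };
    let user = Member { email: "user@example.com".into(), role: OrgRole::User, has_two_factor: false };
    println!("admin without 2FA may join: {}", can_join(true, &admin)); // true (exempt)
    println!("user without 2FA may join: {}", can_join(true, &user));   // false
    println!("revoked when enabled: {:?}", revoked_when_enabled(&[admin, user]));
}
```

The reporter's workaround (invite as User first, promote to Admin once 2FA is set up) is exactly the path through `can_join` that forces the check before the exemption applies.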

rbability commented 2 months ago

Thank you @stefan0xC! I was indeed inviting the User as Admin. The first one ever... normally everyone has less permissions. This is why he was exempt from MFA! From now on I will invite the new Admins as regular Users first to make sure they are enabling MFA and then update their membership to Admin afterwards.

The addition I made to my post was not proof-read by me, sorry. We had the case that another person ADDED the checkmark to an Organization where it was not enforced and almost everyone lost access to that organization. So THIS is working as expected. I am sorry for the confusion.

In hindsight I should have created a new org first and tested again before opening this issue. I would then have seen the dialogue you posted above (which I have not seen for a very long time, since we do not create new Organizations regularly). I'm sorry for the inconvenience. Everything is working as it should.

Thank you very much for your time!