Closed. rbability closed this 2 months ago.
To add to this: when removing the checkmark for MFA enforcement on an organization, all users without MFA enabled get removed from this organization. So this is still working as intended.
What role is the user invited as? (Admins and Owners are exempt from MFA.)
> When removing the Checkmark for MFA enforcement on an organization, all Users without MFA enabled get removed from this organization. So this is still working as intended.
This sounds backwards. If you remove the checkmark you turn off the policy meaning the enforcement of that policy should not be enabled and thus also not affect users. https://github.com/dani-garcia/vaultwarden/blob/0fe93edea6cb8d4b30416a6d319164f8828ad8b7/src/db/models/org_policy.rs#L286-L289
Thank you @stefan0xC! I was indeed inviting the User as Admin. The first one ever... normally everyone has fewer permissions. This is why he was exempt from MFA! From now on I will invite the new Admins as regular Users first to make sure they are enabling MFA, and then update their membership to Admin afterwards.
The addition I made to my post was not proof-read by me, sorry. We had the case that another person ADDED the checkmark to an Organization where it was not enforced and almost everyone lost access to that organization. So THIS is working as expected. I am sorry for the confusion.
In hindsight I should have created a new org first and tested again before opening this issue. I would then have seen the dialogue you posted above (which I have not seen for a very long time, since we do not create new Organizations regularly). I'm sorry for the inconvenience. Everything is working as it should.
Thank you very much for your time!
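As an added example, not code from vaultwarden or from anyone in this thread: a small Rust dry-run that applies the two rules stated above (Owners and Admins are exempt from the MFA policy; once the policy is enabled, every other member without MFA loses access) to a constructed member list, so an admin can see who would be removed before ticking the checkmark, and which exempt accounts will never be prompted. The `Role` and `Member` types, the role names and the sample addresses are assumptions for this example; vaultwarden's actual check is in the org_policy.rs lines linked earlier.

```rust
// Added example (not vaultwarden's code): dry-run of what enabling the
// "Enforce MFA" organization policy would do to a member list, using the
// rules stated in the thread: Owners and Admins are exempt, every other
// member without MFA enabled is removed. Types and roles are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role {
    Owner,
    Admin,
    Manager,
    User,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Member {
    pub email: String,
    pub role: Role,
    pub mfa_enabled: bool,
}

impl Member {
    pub fn new(email: &str, role: Role, mfa_enabled: bool) -> Self {
        Member { email: email.to_string(), role, mfa_enabled }
    }
}

/// Owners and Admins are exempt from the policy, as stated in the thread.
pub fn exempt_from_mfa_policy(role: Role) -> bool {
    matches!(role, Role::Owner | Role::Admin)
}

/// Can this member accept an invitation / keep membership while the
/// "Enforce MFA" policy is in the given state?
pub fn membership_allowed(policy_enabled: bool, member: &Member) -> bool {
    !policy_enabled || member.mfa_enabled || exempt_from_mfa_policy(member.role)
}

/// Dry run of enabling the policy. Returns
/// (members who would be removed, exempt members still lacking MFA).
/// The second list is the blind spot from the thread: these accounts keep
/// access and are never prompted to set up MFA.
pub fn dry_run_enforce_mfa(members: &[Member]) -> (Vec<String>, Vec<String>) {
    let mut removed = Vec::new();
    let mut exempt_without_mfa = Vec::new();
    for m in members {
        if m.mfa_enabled {
            continue; // compliant, unaffected
        }
        if exempt_from_mfa_policy(m.role) {
            exempt_without_mfa.push(m.email.clone());
        } else {
            removed.push(m.email.clone());
        }
    }
    (removed, exempt_without_mfa)
}

/// Constructed sample membership (not real data).
pub fn sample_members() -> Vec<Member> {
    vec![
        Member::new("owner@example.test", Role::Owner, true),
        Member::new("new-admin@example.test", Role::Admin, false),
        Member::new("alice@example.test", Role::User, true),
        Member::new("bob@example.test", Role::User, false),
        Member::new("carol@example.test", Role::Manager, false),
    ]
}

fn main() {
    let members = sample_members();
    let (removed, exempt) = dry_run_enforce_mfa(&members);
    println!("Enabling 'Enforce MFA' would remove {} member(s):", removed.len());
    for e in &removed {
        println!("  - {e}");
    }
    println!("Exempt (Owner/Admin) without MFA, will NOT be prompted:");
    for e in &exempt {
        println!("  - {e}");
    }
}
```

Run this against an export of the real member list before enabling the policy; the second list is the one to act on by hand (or, as the reporter now does, by inviting new admins as regular Users first so the policy applies to them).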
I am on 1.30.5, but I cannot say when the issue started, because we do not invite new users to those Organizations very often.
Subject of the issue
After inviting a new user to an organization which has the "Enforce MFA" function enabled, I realized that this user has access, but was not enforced to enable MFA on his account. I am pretty sure that in the past, when I invited users to such an Organization, they were enforced to enable MFA first for their account before they were able to join.
Deployment environment
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
**Environment settings which are overridden:** ADMIN_TOKEN

```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 365,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": false,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "********",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "************************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "****************",
  "smtp_host": "**************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

Clients used: Only the Web Client was used in this process.
Reverse proxy and version: None
Steps to reproduce
Expected behaviour
I expected that the User, when trying to accept the invitation to the Organization, gets a prompt that he has to enable MFA on his account first. I am pretty sure this was the behavior previously, but unfortunately I cannot say since which version it changed.
Actual behaviour
The user can just accept an invitation to an MFA-protected Organization without having MFA enabled.