Invite Emergency Contact fails when grantee email is not already registered with an account #2154

Closed
tam1m opened this issue Dec 16, 2021 · 1 comment · Fixed by #2194
Labels
bug Something isn't working enhancement New feature or request good first issue Good for newcomers

Comments

tam1m commented Dec 16, 2021

Subject of the issue

When inviting an emergency contact, the invite fails with
Webinterface:

An error has occurred.
Grantee user does not exist: grantee@email.com.

Docker log:

vaultwarden                  | [2021-12-16 17:25:36.262][request][INFO] POST /api/emergency-access/invite
vaultwarden                  | [2021-12-16 17:25:36.264][vaultwarden::api::core::emergency_access][ERROR] Grantee user does not exist: grantee@email.com
vaultwarden                  | [2021-12-16 17:25:36.264][response][INFO] POST /api/emergency-access/invite (send_invite) => 400 Bad Request

This is not how it is supposed to work, as the web interface states: "If they do not have a Bitwarden account already, they will be prompted to create a new account."

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.23.1
  • Web-vault version: v2.25.0
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**.********.**",
  "domain_origin": "*****://**.********.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_org_name": "vw.baschour.de",
  "invitations_allowed": true,
  "ip_header": "CF-Connecting-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": 2000000,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "**@**.********.**",
  "smtp_from_name": "Vaultwarden VPS",
  "smtp_host": "****.*****.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*.********@*****.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": 2000000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

Add an emergency contact via the web interface where the grantee's email is not already registered with an account.

Expected behaviour

Vaultwarden sends an email invitation to the grantee's email address. Same behaviour as an invite to an organization.

Actual behaviour

Vaultwarden gives the following error message

Webinterface:

An error has occurred.
Grantee user does not exist: grantee@email.com.

Docker log:

vaultwarden                  | [2021-12-16 17:25:36.262][request][INFO] POST /api/emergency-access/invite
vaultwarden                  | [2021-12-16 17:25:36.264][vaultwarden::api::core::emergency_access][ERROR] Grantee user does not exist: grantee@email.com
vaultwarden                  | [2021-12-16 17:25:36.264][response][INFO] POST /api/emergency-access/invite (send_invite) => 400 Bad Request
@tam1m tam1m changed the title Invite Emergency Contact fails when grantee email does is not already registered with an account Invite Emergency Contact fails when grantee email is not already registered with an account Dec 16, 2021
@BlackDex
Collaborator

Confirmed. It should check if INVITATIONS_ALLOWED is enabled. Though I could even argue that we may need a different config item for this. Since this would allow anybody who has an account to create new accounts/invites for everybody. While this feature first was only able to be used by Organization Managers, Admins and Owners. Though, basic users were already able to create organizations themselves, and then invite other users if this was set to true.

What do you think, @dani-garcia and @jjlin? Should this be a separate config item like EMERGENCY_INVITATIONS_ALLOWED, or just use the main one?

@BlackDex BlackDex added bug Something isn't working enhancement New feature or request good first issue Good for newcomers labels Dec 23, 2021
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Dec 31, 2021
For emergency access invitations we need to check if invites are
allowed, not if sign-ups are allowed.
dani-garcia added a commit that referenced this issue Jan 2, 2022
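
The gating decision discussed in this issue, as an added example that is not part of the original thread and not Vaultwarden's source code: a simplified model showing how the outcome for an unregistered grantee depends on which setting guards the invite. `Config`, `Gate`, `Outcome` and `send_invite` are hypothetical names, and `emergency_invitations_allowed` models the separate switch proposed in the comment above, which would let an operator keep organization invites enabled without letting every account holder create invitations.

```rust
// Simplified model of the invite decision; names are hypothetical, not Vaultwarden's code.
#[derive(Clone, Copy)]
struct Config {
    signups_allowed: bool,
    invitations_allowed: bool,
    // Proposed in the thread as EMERGENCY_INVITATIONS_ALLOWED; None falls back to the main switch.
    emergency_invitations_allowed: Option<bool>,
}

#[derive(Clone, Copy)]
enum Gate { Signups, Invitations } // which setting guards invites to unregistered addresses

#[derive(Debug, PartialEq)]
enum Outcome { LinkExistingUser, CreateInviteAndEmail, Rejected(String) }

fn may_invite_unregistered(cfg: Config, gate: Gate) -> bool {
    match gate {
        Gate::Signups => cfg.signups_allowed,
        Gate::Invitations => cfg.emergency_invitations_allowed.unwrap_or(cfg.invitations_allowed),
    }
}

fn send_invite(cfg: Config, gate: Gate, registered: &[&str], grantee: &str) -> Outcome {
    let email = grantee.trim().to_lowercase();
    // A grantee who already has an account is never subject to the invitation gate.
    if registered.iter().any(|u| u.to_lowercase() == email) {
        return Outcome::LinkExistingUser;
    }
    if may_invite_unregistered(cfg, gate) {
        Outcome::CreateInviteAndEmail
    } else {
        Outcome::Rejected(format!("Grantee user does not exist: {}", email))
    }
}

fn main() {
    // Constructed input mirroring the reporter's config: signups off, invitations on.
    let cfg = Config { signups_allowed: false, invitations_allowed: true, emergency_invitations_allowed: None };
    let users = ["owner@example.com"]; // constructed sample account list
    for gate in [Gate::Signups, Gate::Invitations] {
        println!("{:?}", send_invite(cfg, gate, &users, "grantee@email.com"));
    }
    // The operator disables only emergency-access invitations via the proposed switch.
    let locked = Config { emergency_invitations_allowed: Some(false), ..cfg };
    println!("{:?}", send_invite(locked, Gate::Invitations, &users, "grantee@email.com"));
}
```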