https://telecominfraproject.atlassian.net/browse/WIFI-12094

Signed-off-by: stephb9959 <stephane.bourque@gmail.com>
2025-10-29 18:02:29 +00:00 · 2023-01-24 21:33:00 -08:00
parent b0f1ecbbe4
commit acdb617d35
20 changed files with 340 additions and 113 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -175,7 +175,7 @@ add_executable( owsec
        src/TotpCache.h
        src/RESTAPI/RESTAPI_subtotp_handler.cpp src/RESTAPI/RESTAPI_subtotp_handler.h
        src/RESTAPI/RESTAPI_signup_handler.cpp src/RESTAPI/RESTAPI_signup_handler.h
-        src/MessagingTemplates.cpp src/MessagingTemplates.h src/RESTAPI/RESTAPI_apiKey_handler.cpp src/RESTAPI/RESTAPI_apiKey_handler.h src/storage/orm_apikeys.cpp src/storage/orm_apikeys.h src/RESTAPI/RESTAPI_validate_apikey.cpp src/RESTAPI/RESTAPI_validate_apikey.h)
+        src/MessagingTemplates.h src/RESTAPI/RESTAPI_apiKey_handler.cpp src/RESTAPI/RESTAPI_apiKey_handler.h src/storage/orm_apikeys.cpp src/storage/orm_apikeys.h src/RESTAPI/RESTAPI_validate_apikey.cpp src/RESTAPI/RESTAPI_validate_apikey.h)

 if(NOT SMALL_BUILD)
    target_link_libraries(owsec PUBLIC
--- a/2
+++ b/2
@@ -1 +1 @@
-3
+6
--- a/openpapi/owsec.yaml
+++ b/openpapi/owsec.yaml
@@ -71,7 +71,8 @@ components:
                  - 11    # BAD_MFA_TRANSACTION
                  - 12    # MFA_FAILURE
                  - 13    # SECURITY_SERVICE_UNREACHABLE
-                  - 14    # CANNOT REFRESH TOKEN
+                  - 14    # CANNOT_REFRESH_TOKEN
+                  - 15    # ACCOUNT_SUSPENDED
              ErrorDetails:
                type: string
              ErrorDescription:
--- a/src/ActionLinkManager.cpp
+++ b/src/ActionLinkManager.cpp
@@ -67,7 +67,7 @@ namespace OpenWifi {

                switch(i.action) {
                    case OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD: {
-                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::FORGOT_PASSWORD)) {
+                            if(AuthService()->SendEmailToUser(i.id, UInfo.email, MessagingTemplates::FORGOT_PASSWORD)) {
                                poco_information(Logger(),fmt::format("Send password reset link to {}",UInfo.email));
                            }
                            StorageService()->ActionLinksDB().SentAction(i.id);
@@ -75,7 +75,7 @@ namespace OpenWifi {
                        break;

                    case OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL: {
-                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_VERIFICATION)) {
+                            if(AuthService()->SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_VERIFICATION)) {
                                poco_information(Logger(),fmt::format("Send email verification link to {}",UInfo.email));
                            }
                            StorageService()->ActionLinksDB().SentAction(i.id);
@@ -83,7 +83,7 @@ namespace OpenWifi {
                        break;

                    case OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION: {
-                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_INVITATION)) {
+                            if(AuthService()->SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_INVITATION)) {
                                poco_information(Logger(),fmt::format("Send new subscriber email invitation link to {}",UInfo.email));
                            }
                            StorageService()->ActionLinksDB().SentAction(i.id);
@@ -92,7 +92,7 @@ namespace OpenWifi {

                    case OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD: {
                            auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
-                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email,MessagingTemplates::SUB_FORGOT_PASSWORD, Signup.count()==1 ? "" : Signup[0])) {
+                            if(AuthService()->SendEmailToSubUser(i.id, UInfo.email,MessagingTemplates::SUB_FORGOT_PASSWORD, Signup.count()==1 ? "" : Signup[0])) {
                                poco_information(Logger(),fmt::format("Send subscriber password reset link to {}",UInfo.email));
                            }
                            StorageService()->ActionLinksDB().SentAction(i.id);
@@ -101,7 +101,7 @@ namespace OpenWifi {

                    case OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL: {
                            auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
-                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_EMAIL_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
+                            if(AuthService()->SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_EMAIL_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
                                poco_information(Logger(),fmt::format("Send subscriber email verification link to {}",UInfo.email));
                            }
                            StorageService()->ActionLinksDB().SentAction(i.id);
@@ -110,7 +110,7 @@ namespace OpenWifi {

                    case OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP: {
                        auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
-                        if(AuthService::SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_SIGNUP_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
+                        if(AuthService()->SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_SIGNUP_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
                            poco_information(Logger(),fmt::format("Send new subscriber email verification link to {}",UInfo.email));
                        }
                        StorageService()->ActionLinksDB().SentAction(i.id);
--- a/src/AuthService.cpp
+++ b/src/AuthService.cpp
@@ -65,6 +65,21 @@ namespace OpenWifi {
        SubAccessPolicy_ = MicroServiceConfigGetString("subscriber.policy.access", "/wwwassets/access_policy.html");
        SubPasswordPolicy_ = MicroServiceConfigGetString("subscriber.policy.password", "/wwwassets/password_policy.html");

+        HelperEmail_ = MicroServiceConfigGetString("helper.user.email", "openwifi@telecominfraproject.com");
+        SubHelperEmail_ = MicroServiceConfigGetString("helper.sub.email", "openwifi@telecominfraproject.com");
+
+        GlobalHelperEmail_ = MicroServiceConfigGetString("helper.user.global.email", "openwifi@telecominfraproject.com");
+        GlobalSubHelperEmail_ = MicroServiceConfigGetString("helper.sub.global.email", "openwifi@telecominfraproject.com");
+
+        HelperSite_ = MicroServiceConfigGetString("helper.user.site", "telecominfraproject.com");
+        SubHelperSite_ = MicroServiceConfigGetString("helper.sub.site", "telecominfraproject.com");
+
+        SystemLoginSite_ = MicroServiceConfigGetString("helper.user.login", "telecominfraproject.com");
+        SubSystemLoginSite_ = MicroServiceConfigGetString("helper.sub.login", "telecominfraproject.com");
+
+        UserSignature_ = MicroServiceConfigGetString("helper.user.signature", "Telecom Infra Project");
+        SubSignature_ = MicroServiceConfigGetString("helper.sub.signature", "Telecom Infra Project");
+
        return 0;
    }

@@ -508,6 +523,11 @@ namespace OpenWifi {
        Poco::toLowerInPlace(UserName);

        if(StorageService()->UserDB().GetUserByEmail(UserName,UInfo.userinfo)) {
+
+            if(UInfo.userinfo.suspended) {
+                return ACCOUNT_SUSPENDED;
+            }
+
            if(UInfo.userinfo.waitingForEmailCheck) {
                return USERNAME_PENDING_VERIFICATION;
            }
@@ -553,6 +573,11 @@ namespace OpenWifi {
        Poco::toLowerInPlace(UserName);

        if(StorageService()->SubDB().GetUserByEmail(UserName,UInfo.userinfo)) {
+
+            if(UInfo.userinfo.suspended) {
+                return ACCOUNT_SUSPENDED;
+            }
+
            if(UInfo.userinfo.waitingForEmailCheck) {
                return USERNAME_PENDING_VERIFICATION;
            }
@@ -594,19 +619,33 @@ namespace OpenWifi {

    bool AuthService::SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Challenge) {
        auto OperatorParts = Poco::StringTokenizer(UInfo.userinfo.signingUp,":");
+
+        bool IsSub = UInfo.userinfo.userRole==SecurityObjects::SUBSCRIBER;
+
        if(UInfo.userinfo.signingUp.empty() || OperatorParts.count()!=2) {
            MessageAttributes Attrs;
            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
            Attrs[LOGO] = AuthService::GetLogoAssetURI();
            Attrs[SUBJECT] = "Login validation code";
            Attrs[CHALLENGE_CODE] = Challenge;
-            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, MessagingTemplates::TemplateName(MessagingTemplates::VERIFICATION_CODE), Attrs, false);
+            if(!IsSub) {
+                SMTPMailerService()->AddUserVars(Attrs);
+            } else {
+                SMTPMailerService()->AddSubVars(Attrs);
+            }
+            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, MessagingTemplates::TemplateName(
+                    MessagingTemplates::VERIFICATION_CODE), Attrs, false);
        } else {
            MessageAttributes Attrs;
            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
            Attrs[LOGO] = AuthService::GetSubLogoAssetURI();
            Attrs[SUBJECT] = "Login validation code";
            Attrs[CHALLENGE_CODE] = Challenge;
+            if(!IsSub) {
+                SMTPMailerService()->AddUserVars(Attrs);
+            } else {
+                SMTPMailerService()->AddSubVars(Attrs);
+            }
            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_VERIFICATION_CODE,OperatorParts[0]), Attrs, true );
        }
    }
@@ -624,6 +663,7 @@ namespace OpenWifi {
                        Attrs[SUBJECT] = "Password reset link";
                        Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=password_reset&id=" + LinkId ;
                        Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=password_reset&id=" + LinkId ;
+                        SMTPMailerService()->AddUserVars(Attrs);
                        SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::FORGOT_PASSWORD), Attrs, false);
                    }
                    break;
@@ -635,20 +675,22 @@ namespace OpenWifi {
                        Attrs[SUBJECT] = "e-mail Address Verification";
                        Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=email_verification&id=" + LinkId ;
                        Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=email_verification&id=" + LinkId ;
+                        SMTPMailerService()->AddUserVars(Attrs);
                        SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::EMAIL_VERIFICATION), Attrs, false);
                        UInfo.waitingForEmailCheck = true;
                    }
                    break;

                case MessagingTemplates::EMAIL_INVITATION: {
-                    MessageAttributes Attrs;
-                    Attrs[RECIPIENT_EMAIL] = UInfo.email;
-                    Attrs[LOGO] = GetLogoAssetURI();
-                    Attrs[SUBJECT] = "e-mail Invitation";
-                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=email_invitation&id=" + LinkId ;
-                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=email_invitation&id=" + LinkId ;
-                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::EMAIL_INVITATION), Attrs, false);
-                    UInfo.waitingForEmailCheck = true;
+                        MessageAttributes Attrs;
+                        Attrs[RECIPIENT_EMAIL] = UInfo.email;
+                        Attrs[LOGO] = GetLogoAssetURI();
+                        Attrs[SUBJECT] = "e-mail Invitation";
+                        Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=email_invitation&id=" + LinkId ;
+                        Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=email_invitation&id=" + LinkId ;
+                        SMTPMailerService()->AddUserVars(Attrs);
+                        SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::EMAIL_INVITATION), Attrs, false);
+                        UInfo.waitingForEmailCheck = true;
                    }
                    break;

@@ -673,6 +715,7 @@ namespace OpenWifi {
                    Attrs[SUBJECT] = "Password reset link";
                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=sub_password_reset&id=" + LinkId ;
                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=sub_password_reset&id=" + LinkId ;
+                    SMTPMailerService()->AddSubVars(Attrs);
                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_FORGOT_PASSWORD, OperatorName), Attrs, true);
                }
                break;
@@ -684,6 +727,7 @@ namespace OpenWifi {
                    Attrs[SUBJECT] = "e-mail Address Verification";
                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=sub_email_verification&id=" + LinkId ;
                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=sub_email_verification&id=" + LinkId ;
+                    SMTPMailerService()->AddSubVars(Attrs);
                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_EMAIL_VERIFICATION, OperatorName), Attrs, true);
                    UInfo.waitingForEmailCheck = true;
                }
@@ -696,6 +740,7 @@ namespace OpenWifi {
                    Attrs[SUBJECT] = "Signup e-mail Address Verification";
                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=signup_verification&id=" + LinkId ;
                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=signup_verification&id=" + LinkId ;
+                    SMTPMailerService()->AddSubVars(Attrs);
                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_SIGNUP_VERIFICATION, OperatorName), Attrs, true);
                    UInfo.waitingForEmailCheck = true;
                }
@@ -779,10 +824,12 @@ namespace OpenWifi {
    }

    bool AuthService::IsValidApiKey(const std::string &ApiKey, SecurityObjects::WebToken &WebToken,
-                                    SecurityObjects::UserInfo &UserInfo, bool &Expired, std::uint64_t &expiresOn) {
+                                    SecurityObjects::UserInfo &UserInfo, bool &Expired, std::uint64_t &expiresOn,
+                                    bool & Suspended) {

        std::lock_guard G(Mutex_);

+        Suspended = false;
        std::string UserId;
        SecurityObjects::WebToken   WT;
        SecurityObjects::ApiKeyEntry    ApiKeyEntry;
@@ -792,6 +839,10 @@ namespace OpenWifi {
            if(Expired)
                return false;
            if(StorageService()->UserDB().GetUserById(ApiKeyEntry.userUuid,UserInfo)) {
+                if(UserInfo.suspended) {
+                    Suspended=true;
+                    return false;
+                }
                WebToken = WT;
                ApiKeyEntry.lastUse = Utils::Now();
                StorageService()->ApiKeyDB().UpdateRecord("id", ApiKeyEntry.id, ApiKeyEntry);
--- a/src/AuthService.h
+++ b/src/AuthService.h
@@ -77,7 +77,7 @@ namespace OpenWifi{
        [[nodiscard]] std::string GenerateTokenJWT(const std::string & UserName, ACCESS_TYPE Type);
        [[nodiscard]] std::string GenerateTokenHMAC(const std::string & UserName, ACCESS_TYPE Type);

-        [[nodiscard]] bool IsValidApiKey(const std::string &ApiKey, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired, std::uint64_t & expiresOn);
+        [[nodiscard]] bool IsValidApiKey(const std::string &ApiKey, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired, std::uint64_t & expiresOn, bool & Suspended);
        [[nodiscard]] std::string ComputeNewPasswordHash(const std::string &UserName, const std::string &Password);
        [[nodiscard]] bool ValidatePasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
        [[nodiscard]] bool ValidateSubPasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
@@ -91,8 +91,8 @@ namespace OpenWifi{
        [[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
        [[nodiscard]] static bool VerifySubEmail(SecurityObjects::UserInfo &UInfo);

-        [[nodiscard]] static bool SendEmailToUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason);
-        [[nodiscard]] static bool SendEmailToSubUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason, const std::string &OperatorName);
+        [[nodiscard]] bool SendEmailToUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason);
+        [[nodiscard]] bool SendEmailToSubUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason, const std::string &OperatorName);
        [[nodiscard]] bool RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo);

        [[nodiscard]] bool SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &code);
@@ -127,6 +127,17 @@ namespace OpenWifi{
        bool RefreshUserToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);
        bool RefreshSubToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);

+        [[nodiscard]] inline auto HelperEmail() const { return HelperEmail_; };
+        [[nodiscard]] inline auto SubHelperEmail() const { return SubHelperEmail_; };
+        [[nodiscard]] inline auto GlobalHelperEmail() const { return GlobalHelperEmail_; };
+        [[nodiscard]] inline auto GlobalSubHelperEmail() const { return GlobalSubHelperEmail_; };
+        [[nodiscard]] inline auto HelperSite() const { return HelperSite_; };
+        [[nodiscard]] inline auto SubHelperSite() const { return SubHelperSite_;};
+        [[nodiscard]] inline auto SystemLoginSite() const { return SystemLoginSite_;};
+        [[nodiscard]] inline auto SubSystemLoginSite() const { return SubSystemLoginSite_; };
+        [[nodiscard]] inline auto UserSignature() const { return UserSignature_;};
+        [[nodiscard]] inline auto SubSignature() const { return SubSignature_; };
+
    private:
 		Poco::SHA2Engine	SHA2_;

@@ -143,6 +154,17 @@ namespace OpenWifi{
        uint64_t            HowManyOldPassword_=5;
        uint64_t            RefreshTokenLifeSpan_ = 90 * 24 * 60 * 60 ;

+        std::string         HelperEmail_;
+        std::string         SubHelperEmail_;
+        std::string         GlobalHelperEmail_;
+        std::string         GlobalSubHelperEmail_;
+        std::string         HelperSite_;
+        std::string         SubHelperSite_;
+        std::string         SystemLoginSite_;
+        std::string         SubSystemLoginSite_;
+        std::string         UserSignature_;
+        std::string         SubSignature_;
+
        class SHA256Engine : public Poco::Crypto::DigestEngine
                {
                public:
--- a/src/MessagingTemplates.cpp
+++ b/src/MessagingTemplates.cpp
@@ -1,8 +0,0 @@
-//
-// Created by stephane bourque on 2022-07-25.
-//
-
-#include "MessagingTemplates.h"
-
-namespace OpenWifi {
-} // OpenWifi
--- a/src/MessagingTemplates.h
+++ b/src/MessagingTemplates.h
@@ -24,7 +24,14 @@ namespace OpenWifi {
            VERIFICATION_CODE,
            SUB_FORGOT_PASSWORD,
            SUB_EMAIL_VERIFICATION,
-            SUB_VERIFICATION_CODE
+            SUB_VERIFICATION_CODE,
+            CERTIFICATE_TRANSFER_NOTIFICATION,
+            CERTIFICATE_TRANSFER_AUTHORIZATION,
+            CERTIFICATE_DISPUTE_SUCCESS,
+            CERTIFICATE_DISPUTE_REJECTED,
+            CERTIFICATE_TRANSFER_CANCELED,
+            CERTIFICATE_TRANSFER_ACCEPTED,
+            CERTIFICATE_TRANSFER_REJECTED
        };

        static std::string AddOperator(const std::string & filename, const std::string &OperatorName) {
@@ -43,6 +50,13 @@ namespace OpenWifi {
                case SUB_FORGOT_PASSWORD: return AddOperator(EmailTemplateNames[SUB_FORGOT_PASSWORD],OperatorName);
                case SUB_EMAIL_VERIFICATION: return AddOperator(EmailTemplateNames[SUB_EMAIL_VERIFICATION],OperatorName);
                case SUB_VERIFICATION_CODE: return AddOperator(EmailTemplateNames[SUB_VERIFICATION_CODE],OperatorName);
+                case CERTIFICATE_TRANSFER_NOTIFICATION: return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_NOTIFICATION],OperatorName);
+                case CERTIFICATE_TRANSFER_AUTHORIZATION: return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_AUTHORIZATION],OperatorName);
+                case CERTIFICATE_DISPUTE_SUCCESS: return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_SUCCESS],OperatorName);
+                case CERTIFICATE_DISPUTE_REJECTED: return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_REJECTED],OperatorName);
+                case CERTIFICATE_TRANSFER_CANCELED: return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_CANCELED],OperatorName);
+                case CERTIFICATE_TRANSFER_ACCEPTED: return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_ACCEPTED],OperatorName);
+                case CERTIFICATE_TRANSFER_REJECTED: return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_REJECTED],OperatorName);
                default:
                    return "";
            }
@@ -65,7 +79,14 @@ namespace OpenWifi {
                "verification_code",
                "sub_password_reset",
                "sub_email_verification",
-                "sub_verification_code"
+                "sub_verification_code",
+                "certificate_transfer_notification",
+                "certificate_transfer_authorization",
+                "certificate_dispute_success",
+                "certificate_dispute_rejected",
+                "certificate_transfer_canceled",
+                "certificate_transfer_accepted",
+                "certificate_transfer_rejected"
        };
    };

--- a/src/RESTAPI/RESTAPI_action_links.cpp
+++ b/src/RESTAPI/RESTAPI_action_links.cpp
@@ -14,11 +14,21 @@

 namespace OpenWifi {

+#if defined(TIP_CERT_SERVICE)
+    bool ProcessExternalActionLinks(RESTAPIHandler &handler,const std::string &Id, const std::string &Action);
+#endif
+
    void RESTAPI_action_links::DoGet() {

        auto Action = GetParameter("action","");
        auto Id = GetParameter("id","");

+#if defined(TIP_CERT_SERVICE)
+        if(!OpenWifi::ProcessExternalActionLinks(*this,Id,Action)) {
+            return;
+        }
+#endif
+
        SecurityObjects::ActionLink Link;
        if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link))
            return DoReturnA404();
@@ -52,11 +62,25 @@ namespace OpenWifi {
            return DoReturnA404();
    }

+    void RESTAPI_action_links::AddGlobalVars(Types::StringPairVec & Vars) {
+        Vars.push_back(std::make_pair("USER_HELPER_EMAIL",AuthService()->HelperEmail()));
+        Vars.push_back(std::make_pair("SUB_HELPER_EMAIL",AuthService()->SubHelperEmail()));
+        Vars.push_back(std::make_pair("GLOBAL_USER_HELPER_EMAIL",AuthService()->GlobalHelperEmail()));
+        Vars.push_back(std::make_pair("GLOBAL_SUB_HELPER_EMAIL",AuthService()->GlobalSubHelperEmail()));
+        Vars.push_back(std::make_pair("USER_HELPER_SITE",AuthService()->HelperSite()));
+        Vars.push_back(std::make_pair("SUB_HELPER_SITE",AuthService()->SubHelperSite()));
+        Vars.push_back(std::make_pair("USER_SYSTEM_LOGIN",AuthService()->SystemLoginSite()));
+        Vars.push_back(std::make_pair("SUB_SYSTEM_LOGIN",AuthService()->SubSystemLoginSite()));
+        Vars.push_back(std::make_pair("USER_SIGNATURE",AuthService()->UserSignature()));
+        Vars.push_back(std::make_pair("SUB_SIGNATURE",AuthService()->SubSignature()));
+    }
+
    void RESTAPI_action_links::RequestResetPassword(SecurityObjects::ActionLink &Link) {
        Logger_.information(fmt::format("REQUEST-PASSWORD-RESET({}): For ID={}", Request->clientAddress().toString(), Link.userId));
        Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset.html"};
        Types::StringPairVec    FormVars{ {"UUID", Link.id},
                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+        AddGlobalVars(FormVars);
        SendHTMLFileBack(FormFile,FormVars);
    }

@@ -65,6 +89,7 @@ namespace OpenWifi {
        Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification.html"};
        Types::StringPairVec    FormVars{ {"UUID", Link.id},
                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+        AddGlobalVars(FormVars);
        SendHTMLFileBack(FormFile,FormVars);
    }

@@ -95,6 +120,7 @@ namespace OpenWifi {
                                                                 " accepted password creation restrictions. Please consult our on-line help"
                                                                 " to look at the our password policy. If you would like to contact us, please mention"
                                                                 " id(" + Id + ")"}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -105,6 +131,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -112,6 +139,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "Please contact our system administrators. We have identified an error in your account that must be resolved first."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -120,6 +148,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -133,6 +162,7 @@ namespace OpenWifi {
            Types::StringPairVec    FormVars{ {"UUID", Id},
                                              {"USERNAME", UInfo.email},
                                              {"ACTION_LINK",MicroService::instance().GetUIURI()}};
+            AddGlobalVars(FormVars);
            StorageService()->ActionLinksDB().CompleteAction(Id);
            SendHTMLFileBack(FormFile,FormVars);
        } else {
@@ -167,6 +197,7 @@ namespace OpenWifi {
                                                                 " accepted password creation restrictions. Please consult our on-line help"
                                                                 " to look at the our password policy. If you would like to contact us, please mention"
                                                                 " id(" + Id + ")"}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -176,6 +207,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -183,6 +215,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "Please contact our system administrators. We have identified an error in your account that must be resolved first."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -191,6 +224,7 @@ namespace OpenWifi {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+                AddGlobalVars(FormVars);
                return SendHTMLFileBack(FormFile,FormVars);
            }

@@ -225,6 +259,7 @@ namespace OpenWifi {
                Response->stringify(ooo);
            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. Provisioning notified, Error={}.",
                                             UInfo.email, Status));
+            AddGlobalVars(FormVars);
            SendHTMLFileBack(FormFile,FormVars);
            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. FORM notified.",UInfo.email));
        } else {
@@ -246,6 +281,7 @@ namespace OpenWifi {
            Types::StringPairVec FormVars{{"UUID",       Link.id},
                                          {"ERROR_TEXT", "This does not appear to be a valid email verification link.."}};
            Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_error.html"};
+            AddGlobalVars(FormVars);
            return SendHTMLFileBack(FormFile, FormVars);
        }

@@ -264,6 +300,7 @@ namespace OpenWifi {
                                      {"USERNAME", UInfo.email},
                                      {"ACTION_LINK",MicroService::instance().GetUIURI()}};
        Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_success.html"};
+        AddGlobalVars(FormVars);
        StorageService()->ActionLinksDB().CompleteAction(Link.id);
        SendHTMLFileBack(FormFile, FormVars);
    }
@@ -271,6 +308,7 @@ namespace OpenWifi {
    void RESTAPI_action_links::DoReturnA404() {
        Types::StringPairVec FormVars;
        Poco::File FormFile{Daemon()->AssetDir() + "/404_error.html"};
+        AddGlobalVars(FormVars);
        SendHTMLFileBack(FormFile, FormVars);
    }

--- a/src/RESTAPI/RESTAPI_action_links.h
+++ b/src/RESTAPI/RESTAPI_action_links.h
@@ -30,6 +30,7 @@ namespace OpenWifi {
        void DoReturnA404();
        void DoNewSubVerification(SecurityObjects::ActionLink &Link);
        void CompleteEmailInvitation();
+        static void AddGlobalVars(Types::StringPairVec & Vars);

        void DoGet() final;
        void DoPost() final;
--- a/src/RESTAPI/RESTAPI_oauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_oauth2_handler.cpp
@@ -12,11 +12,10 @@
 #include "RESTAPI_oauth2_handler.h"
 #include "MFAServer.h"
 #include "framework/ow_constants.h"
+#include "framework/MicroService.h"
 #include "StorageService.h"
 #include "RESTAPI_db_helpers.h"

-#include "framework/MicroServiceFuncs.h"
-
 namespace OpenWifi {

    void RESTAPI_oauth2_handler::DoGet() {
@@ -100,7 +99,7 @@ namespace OpenWifi {
                SecurityObjects::ActionLink NewLink;

                NewLink.action = OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD;
-                NewLink.id = MicroServiceCreateUUID();
+                NewLink.id = MicroService::CreateUUID();
                NewLink.userId = UInfo1.id;
                NewLink.created = OpenWifi::Now();
                NewLink.expires = NewLink.created + (24*60*60);
@@ -147,33 +146,33 @@ namespace OpenWifi {
        SecurityObjects::UserInfoAndPolicy UInfo;
        bool Expired=false;
        auto Code=AuthService()->Authorize(userId, password, newPassword, UInfo, Expired);
-        if (Code==SUCCESS) {
-            Poco::JSON::Object ReturnObj;
-            if(AuthService()->RequiresMFA(UInfo)) {
-                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+        switch(Code) {
+            case SUCCESS:
+                {
+                    Poco::JSON::Object ReturnObj;
+                    if(AuthService()->RequiresMFA(UInfo)) {
+                        if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+                            return ReturnObject(ReturnObj);
+                        }
+                        Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+                    }
+                    UInfo.webtoken.to_json(ReturnObj);
                    return ReturnObject(ReturnObj);
                }
-                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
-            }
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        } else {
-
-            switch(Code) {
-                case INVALID_CREDENTIALS:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-                case PASSWORD_INVALID:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
-                case PASSWORD_ALREADY_USED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
-                case USERNAME_PENDING_VERIFICATION:
-                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
-                case PASSWORD_CHANGE_REQUIRED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
-                default:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-            }
-            return;
+            case INVALID_CREDENTIALS:
+                return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+            case PASSWORD_INVALID:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+            case PASSWORD_ALREADY_USED:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+            case USERNAME_PENDING_VERIFICATION:
+                return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+            case PASSWORD_CHANGE_REQUIRED:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+            case ACCOUNT_SUSPENDED:
+                return UnAuthorized(RESTAPI::Errors::ACCOUNT_SUSPENDED);
+            default:
+                return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
        }
 	}
 }
--- a/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
@@ -133,32 +133,33 @@ namespace OpenWifi {
        SecurityObjects::UserInfoAndPolicy UInfo;
        bool Expired=false;
        auto Code=AuthService()->AuthorizeSub(userId, password, newPassword, UInfo, Expired);
-        if (Code==SUCCESS) {
-            Poco::JSON::Object ReturnObj;
-            if(AuthService()->RequiresMFA(UInfo)) {
-                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
-                    return ReturnObject(ReturnObj);
+        switch(Code) {
+            case SUCCESS:
+            {
+                Poco::JSON::Object ReturnObj;
+                if(AuthService()->RequiresMFA(UInfo)) {
+                    if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+                        return ReturnObject(ReturnObj);
+                    }
+                    Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
                }
-                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+                UInfo.webtoken.to_json(ReturnObj);
+                return ReturnObject(ReturnObj);
            }
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        } else {
-            switch(Code) {
-                case INVALID_CREDENTIALS:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-                case PASSWORD_INVALID:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
-                case PASSWORD_ALREADY_USED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
-                case USERNAME_PENDING_VERIFICATION:
-                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
-                case PASSWORD_CHANGE_REQUIRED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
-                default:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS); break;
-            }
-            return;
+            case INVALID_CREDENTIALS:
+                return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+            case PASSWORD_INVALID:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+            case PASSWORD_ALREADY_USED:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+            case USERNAME_PENDING_VERIFICATION:
+                return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+            case PASSWORD_CHANGE_REQUIRED:
+                return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+            case ACCOUNT_SUSPENDED:
+                return UnAuthorized(RESTAPI::Errors::ACCOUNT_SUSPENDED);
+            default:
+                return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
        }
    }
 }
--- a/src/RESTAPI/RESTAPI_validate_apikey.cpp
+++ b/src/RESTAPI/RESTAPI_validate_apikey.cpp
@@ -15,13 +15,16 @@ namespace OpenWifi {
                //  can we find this token?
                SecurityObjects::UserInfoAndPolicy SecObj;
                bool Expired = false;
+                bool Suspended = false;
                std::uint64_t expiresOn=0;
-                if (AuthService()->IsValidApiKey(i.second, SecObj.webtoken, SecObj.userinfo, Expired, expiresOn)) {
+                if (AuthService()->IsValidApiKey(i.second, SecObj.webtoken, SecObj.userinfo, Expired, expiresOn, Suspended)) {
                    Poco::JSON::Object Answer;
                    SecObj.to_json(Answer);
                    Answer.set("expiresOn", expiresOn);
                    return ReturnObject(Answer);
                }
+                if(Suspended)
+                    return UnAuthorized(RESTAPI::Errors::ACCOUNT_SUSPENDED);
                return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
            }
        }
--- a/src/SMTPMailerService.cpp
+++ b/src/SMTPMailerService.cpp
@@ -40,6 +40,22 @@ namespace OpenWifi {
        }
    }

+    void SMTPMailerService::AddUserVars(MessageAttributes & Attrs) {
+        Attrs[USER_HELPER_EMAIL] = AuthService()->HelperEmail();
+        Attrs[USER_SYSTEM_LOGIN] = AuthService()->SystemLoginSite();
+        Attrs[USER_HELPER_SITE] = AuthService()->HelperSite();
+        Attrs[GLOBAL_USER_HELPER_EMAIL] = AuthService()->GlobalHelperEmail();
+        Attrs[USER_SIGNATURE] = AuthService()->UserSignature();
+    }
+
+    void SMTPMailerService::AddSubVars(MessageAttributes & Attrs) {
+        Attrs[SUB_HELPER_EMAIL] = AuthService()->SubHelperEmail();
+        Attrs[SUB_SYSTEM_LOGIN] = AuthService()->SubSystemLoginSite();
+        Attrs[SUB_HELPER_SITE] = AuthService()->SubHelperSite();
+        Attrs[GLOBAL_SUB_HELPER_EMAIL] = AuthService()->GlobalSubHelperEmail();
+        Attrs[SUB_SIGNATURE] = AuthService()->SubSignature();
+    }
+
    int SMTPMailerService::Start() {
        LoadMyConfig();
        SenderThr_.start(*this);
--- a/src/SMTPMailerService.h
+++ b/src/SMTPMailerService.h
@@ -27,26 +27,63 @@ namespace OpenWifi {
        TEXT,
        CHALLENGE_CODE,
        SENDER,
-        ACTION_LINK_HTML
+        ACTION_LINK_HTML,
+        USER_HELPER_EMAIL,
+        SUB_HELPER_EMAIL,
+        GLOBAL_USER_HELPER_EMAIL,
+        GLOBAL_SUB_HELPER_EMAIL,
+        USER_HELPER_SITE,
+        SUB_HELPER_SITE,
+        USER_SYSTEM_LOGIN,
+        SUB_SYSTEM_LOGIN,
+        USER_SIGNATURE,
+        SUB_SIGNATURE,
+        TRANSFER_REQUESTER,
+        TRANSFER_ENTITY,
+        ORIGINAL_REDIRECTOR,
+        NEW_REDIRECTOR,
+        TRANSFER_REASON,
+        SERIAL_NUMBER,
+        ORIGINAL_ENTITY_NAME,
+        UUID
    };

    static const std::map<MESSAGE_ATTRIBUTES,const std::string>
-            MessageAttributeMap{ {  RECIPIENT_EMAIL,"RECIPIENT_EMAIL"},
-                                 {  RECIPIENT_FIRST_NAME, "RECIPIENT_FIRST_NAME"},
-                                 {  RECIPIENT_LAST_NAME, "RECIPIENT_LAST_NAME"},
-                                 {  RECIPIENT_INITIALS, "RECIPIENT_INITIALS"},
-                                 {  RECIPIENT_FULL_NAME, "RECIPIENT_FULL_NAME"},
-                                 {  RECIPIENT_SALUTATION, "RECIPIENT_SALUTATION"},
-                                 {  ACTION_LINK, "ACTION_LINK"},
-                                 {  SUBJECT, "SUBJECT"},
-                                 {  TEMPLATE_TXT, "TEMPLATE_TXT"},
-                                 {  TEMPLATE_HTML, "TEMPLATE_HTML"},
-                                 {  LOGO, "LOGO"},
-                                 {  TEXT, "TEXT"},
-                                 {  CHALLENGE_CODE, "CHALLENGE_CODE"},
-                                 {  SENDER, "SENDER"},
-                                 {  ACTION_LINK_HTML, "ACTION_LINK_HTML"},
-                                 };
+            MessageAttributeMap{
+        {  RECIPIENT_EMAIL,"RECIPIENT_EMAIL"},
+        {  RECIPIENT_FIRST_NAME, "RECIPIENT_FIRST_NAME"},
+        {  RECIPIENT_LAST_NAME, "RECIPIENT_LAST_NAME"},
+        {  RECIPIENT_INITIALS, "RECIPIENT_INITIALS"},
+        {  RECIPIENT_FULL_NAME, "RECIPIENT_FULL_NAME"},
+        {  RECIPIENT_SALUTATION, "RECIPIENT_SALUTATION"},
+        {  ACTION_LINK, "ACTION_LINK"},
+        {  SUBJECT, "SUBJECT"},
+        {  TEMPLATE_TXT, "TEMPLATE_TXT"},
+        {  TEMPLATE_HTML, "TEMPLATE_HTML"},
+        {  LOGO, "LOGO"},
+        {  TEXT, "TEXT"},
+        {  CHALLENGE_CODE, "CHALLENGE_CODE"},
+        {  SENDER, "SENDER"},
+        {  ACTION_LINK_HTML, "SUB_SYSTEM_LOGIN"},
+        {  USER_HELPER_EMAIL, "USER_HELPER_EMAIL"},
+        {  SUB_HELPER_EMAIL, "SUB_HELPER_EMAIL"},
+        {  GLOBAL_USER_HELPER_EMAIL, "GLOBAL_USER_HELPER_EMAIL"},
+        {  GLOBAL_SUB_HELPER_EMAIL, "GLOBAL_SUB_HELPER_EMAIL"},
+        {  USER_HELPER_SITE, "USER_HELPER_SITE"},
+        {  SUB_HELPER_SITE, "SUB_USER_HELPER_SITE"},
+        {  USER_SYSTEM_LOGIN, "USER_SYSTEM_LOGIN"},
+        {  SUB_SYSTEM_LOGIN, "SUB_SYSTEM_LOGIN"},
+        {  USER_SIGNATURE, "USER_SIGNATURE" },
+        {  SUB_SIGNATURE, "SUB_USER_SIGNATURE"},
+        {  TRANSFER_REQUESTER, "TRANSFER_REQUESTER" },
+        {  TRANSFER_ENTITY, "TRANSFER_ENTITY"},
+        {  ORIGINAL_REDIRECTOR, "ORIGINAL_REDIRECTOR"},
+        {  NEW_REDIRECTOR, "NEW_REDIRECTOR" },
+        {  TRANSFER_REASON, "TRANSFER_REASON"},
+        {  SERIAL_NUMBER, "SERIAL_NUMBER"},
+        {  ORIGINAL_ENTITY_NAME, "ORIGINAL_ENTITY_NAME"},
+        {  UUID, "UUID" }
+    };

    inline const std::string & MessageAttributeToVar(MESSAGE_ATTRIBUTES Attr) {
        static const std::string EmptyString{};
@@ -89,6 +126,9 @@ namespace OpenWifi {
            void reinitialize(Poco::Util::Application &self) override;
            bool Enabled() const { return Enabled_; }

+            void AddUserVars(MessageAttributes & Attrs);
+            void AddSubVars(MessageAttributes & Attrs);
+
        private:
            std::string             MailHost_;
            std::string             Sender_;
--- a/src/framework/AuthClient.cpp
+++ b/src/framework/AuthClient.cpp
@@ -76,7 +76,7 @@ namespace OpenWifi {
    bool AuthClient::RetrieveApiKeyInformation(const std::string & SessionToken,
                                              SecurityObjects::UserInfoAndPolicy & UInfo,
                                              std::uint64_t TID,
-                                              bool & Expired, bool & Contacted) {
+                                              bool & Expired, bool & Contacted, [[maybe_unused]] bool & Suspended) {
        try {
            Types::StringPairVec QueryData;
            QueryData.push_back(std::make_pair("apikey",SessionToken));
@@ -113,7 +113,7 @@ namespace OpenWifi {
    }

    bool AuthClient::IsValidApiKey(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy &UInfo,
-                                   std::uint64_t TID, bool &Expired, bool &Contacted) {
+                                   std::uint64_t TID, bool &Expired, bool &Contacted, bool & Suspended) {
        auto User = ApiKeyCache_.get(SessionToken);
        if (!User.isNull()) {
            if(User->ExpiresOn < Utils::Now()) {
@@ -123,7 +123,7 @@ namespace OpenWifi {
            }
 			ApiKeyCache_.remove(SessionToken);
        }
-        return RetrieveApiKeyInformation(SessionToken, UInfo, TID, Expired, Contacted);
+        return RetrieveApiKeyInformation(SessionToken, UInfo, TID, Expired, Contacted, Suspended);
    }

 } // namespace OpenWifi
--- a/src/framework/AuthClient.h
+++ b/src/framework/AuthClient.h
@@ -57,7 +57,7 @@ namespace OpenWifi {
        bool RetrieveApiKeyInformation(const std::string & SessionToken,
                                      SecurityObjects::UserInfoAndPolicy & UInfo,
                                      std::uint64_t TID,
-                                      bool & Expired, bool & Contacted);
+                                      bool & Expired, bool & Contacted, bool & Suspended);

 		bool IsAuthorized(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo,
 								 std::uint64_t TID,
@@ -65,7 +65,7 @@ namespace OpenWifi {

        bool IsValidApiKey(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo,
                          std::uint64_t TID,
-                          bool & Expired, bool & Contacted);
+                          bool & Expired, bool & Contacted, bool & Suspended) ;

 	  private:

--- a/src/framework/RESTAPI_Handler.h
+++ b/src/framework/RESTAPI_Handler.h
@@ -705,11 +705,12 @@ namespace OpenWifi {
 			return Allowed;
 		} else if(!Internal_ && Request->has("X-API-KEY")) {
            SessionToken_ = Request->get("X-API-KEY", "");
+            bool suspended=false;
 #ifdef    TIP_SECURITY_SERVICE
            std::uint64_t expiresOn;
-            if (AuthService()->IsValidApiKey(SessionToken_, UserInfo_.webtoken, UserInfo_.userinfo, Expired, expiresOn)) {
+            if (AuthService()->IsValidApiKey(SessionToken_, UserInfo_.webtoken, UserInfo_.userinfo, Expired, expiresOn, suspended)) {
 #else
-            if (AuthClient()->IsValidApiKey( SessionToken_, UserInfo_, TransactionId_, Expired, Contacted)) {
+            if (AuthClient()->IsValidApiKey( SessionToken_, UserInfo_, TransactionId_, Expired, Contacted, suspended)) {
 #endif
                REST_Requester_ = UserInfo_.userinfo.email;
                if(Server_.LogIt(Request->getMethod(),true)) {
--- a/src/framework/orm.h
+++ b/src/framework/orm.h
@@ -139,7 +139,7 @@ namespace ORM {
        return Result;
    }

-    template <typename T, typename... Args> std::string WHERE_AND_(std::string Result, const char *fieldName, const T &Value, Args... args) {
+    template <typename T, typename... Args> std::string WHERE_AND_(std::string Result, const char *fieldName, const T & Value, Args... args) {
        if constexpr(std::is_same_v<T,std::string>)
        {
            if(!Value.empty()) {
@@ -152,6 +152,24 @@ namespace ORM {
                Result += "'";
            }
            return WHERE_AND_(Result,args...);
+        } else if constexpr(std::is_same_v<T, const char *>) {
+            if(*Value!=0) {
+                if(!Result.empty())
+                    Result += " and ";
+                Result += fieldName;
+                Result += '=';
+                Result += "'";
+                Result += Escape(Value);
+                Result += "'";
+            }
+            return WHERE_AND_(Result,args...);
+        } else if constexpr (std::is_same_v<T,bool>) {
+            if(!Result.empty())
+                Result += " and ";
+            Result += fieldName;
+            Result += '=';
+            Result += Value ? "true" : "false";
+            return WHERE_AND_(Result,args...);
        } else if constexpr (std::is_arithmetic_v<T>) {
            if(!Result.empty())
                Result += " and ";
@@ -159,6 +177,8 @@ namespace ORM {
            Result += '=';
            Result += std::to_string(Value);
            return WHERE_AND_(Result,args...);
+        } else {
+            assert(false);
        }
        return WHERE_AND_(Result,args...);
    }
--- a/src/framework/ow_constants.h
+++ b/src/framework/ow_constants.h
@@ -35,7 +35,8 @@ namespace OpenWifi {
 		BAD_MFA_TRANSACTION,
 		MFA_FAILURE,
 		SECURITY_SERVICE_UNREACHABLE,
-		CANNOT_REFRESH_TOKEN
+		CANNOT_REFRESH_TOKEN,
+        ACCOUNT_SUSPENDED
 	};
 }

@@ -58,6 +59,7 @@ namespace OpenWifi::RESTAPI::Errors {
    static const struct msg MFA_FAILURE{12,"MFA failure."};
    static const struct msg SECURITY_SERVICE_UNREACHABLE{13,"Security service is unreachable, try again later."};
    static const struct msg CANNOT_REFRESH_TOKEN{14,"Cannot refresh token."};
+    static const struct msg ACCOUNT_SUSPENDED{15,"Account has been suspended."};

    static const struct msg MissingUUID{1000,"Missing UUID."};
    static const struct msg MissingSerialNumber{1001,"Missing Serial Number."};
@@ -240,6 +242,15 @@ namespace OpenWifi::RESTAPI::Errors {
    static const struct msg RelocationDisabledForThisDevice{1159,"Relocation disabled for this device."};
    static const struct msg CannotModifyServerCertificates{1160,"Server certificates cannot be modified."};

+    static const struct msg TransferNotInDispute{1161,"The specified transfer is not being disputed."};
+    static const struct msg MissingComment{1162,"Missing comment."};
+    static const struct msg EntityNotAllowedToTransfer{1163,"Entity is not allowed to transfer devices."};
+    static const struct msg DailyTransferQuotaExceeded{1164,"Entity has exceeded its daily quota."};
+    static const struct msg CertificateWasNotRevoked{1165,"Certificate was not revoked, so it may not be re-created."};
+    static const struct msg CertificateTransferNoLongerExists{1166,"The device certificate associated with this transfer no longer seem to exist."};
+    static const struct msg CertificateTransferEntityNoLongerExists{1167,"The entity tied to this transfer no longer seems to exist."};
+    static const struct msg CannotRollBackDueToDigiCert{1168,"The change could not be rolled back at this time. Please try later."};
+    static const struct msg CertificateTransferAlreadyRolledBack{1169,"The certificate has already been rolled back."};

 	}

@@ -493,6 +504,7 @@ namespace OpenWifi::uCentralProtocol::Events {
    static const char *TELEMETRY = "telemetry";
    static const char *DEVICEUPDATE = "deviceupdate";
 	static const char *VENUE_BROADCAST = "venue_broadcast";
+	static const char *ALARM = "alarm";

    enum EVENT_MSG {
 		ET_UNKNOWN,
@@ -506,7 +518,10 @@ namespace OpenWifi::uCentralProtocol::Events {
 		ET_RECOVERY,
 		ET_DEVICEUPDATE,
 		ET_TELEMETRY,
-		ET_VENUEBROADCAST
+		ET_VENUEBROADCAST,
+		ET_EVENT,
+		ET_WIFISCAN,
+		ET_ALARM
 	};

 	inline EVENT_MSG EventFromString(const std::string & Method) {
@@ -532,7 +547,13 @@ namespace OpenWifi::uCentralProtocol::Events {
 			return ET_TELEMETRY;
 		else if(strcmp(VENUE_BROADCAST,Method.c_str())==0)
 			return ET_VENUEBROADCAST;
-		return ET_UNKNOWN;
+		else if(strcmp(EVENT,Method.c_str())==0)
+			return ET_EVENT;
+		else if(strcmp(WIFISCAN,Method.c_str())==0)
+			return ET_WIFISCAN;
+		else if(strcmp(ALARM,Method.c_str())==0)
+			return ET_WIFISCAN;
+		return ET_ALARM;
 	};
 }