mirror of
https://github.com/bitwarden/browser.git
synced 2025-01-18 20:41:31 +01:00
Implement User-based API Keys (#197)
* Added support for authenticating with an API key * added api service methods for user api keys * fixed a copy/pasted api endpoint url * Let toIdentityToken() use a a prestored client_id in place of the application client_id if one exists * Allowed for api key auth in the cli * Removed some commented out code commited for apiKey auth * Cleanup for ApiKey auth in the CLI * Removed cli prefix from client_crendential auth types * Removed ClientPrefix conditional from decoded token getters * Update src/services/api.service.ts Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> * formatting * changed command from login --apiKey to login --apikey Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
This commit is contained in:
Addison Beck
GitHub
parent
9aa3cbf73d
commit
79b856cb6e
@ -153,6 +153,8 @@ export abstract class ApiService {
|
||||
postAccountRecoverDeleteToken: (request: VerifyDeleteRecoverRequest) => Promise<any>;
|
||||
postAccountKdf: (request: KdfRequest) => Promise<any>;
|
||||
getEnterprisePortalSignInToken: () => Promise<string>;
|
||||
postUserApiKey: (id: string, request: PasswordVerificationRequest) => Promise<ApiKeyResponse>;
|
||||
postUserRotateApiKey: (id: string, request: PasswordVerificationRequest) => Promise<ApiKeyResponse>;
|
||||
|
||||
getFolder: (id: string) => Promise<FolderResponse>;
|
||||
postFolder: (request: FolderRequest) => Promise<FolderResponse>;
|
||||
|
||||
@ -9,21 +9,27 @@ export abstract class AuthService {
|
||||
code: string;
|
||||
codeVerifier: string;
|
||||
ssoRedirectUrl: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
twoFactorProvidersData: Map<TwoFactorProviderType, { [key: string]: string; }>;
|
||||
selectedTwoFactorProviderType: TwoFactorProviderType;
|
||||
|
||||
logIn: (email: string, masterPassword: string) => Promise<AuthResult>;
|
||||
logInSso: (code: string, codeVerifier: string, redirectUrl: string) => Promise<AuthResult>;
|
||||
logInApiKey: (clientId: string, clientSecret: string) => Promise<AuthResult>;
|
||||
logInTwoFactor: (twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
|
||||
remember?: boolean) => Promise<AuthResult>;
|
||||
logInComplete: (email: string, masterPassword: string, twoFactorProvider: TwoFactorProviderType,
|
||||
twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
|
||||
logInSsoComplete: (code: string, codeVerifier: string, redirectUrl: string,
|
||||
twoFactorProvider: TwoFactorProviderType, twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
|
||||
logInApiKeyComplete: (clientId: string, clientSecret: string, twoFactorProvider: TwoFactorProviderType,
|
||||
twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
|
||||
logOut: (callback: Function) => void;
|
||||
getSupportedTwoFactorProviders: (win: Window) => any[];
|
||||
getDefaultTwoFactorProvider: (u2fSupported: boolean) => TwoFactorProviderType;
|
||||
makePreloginKey: (masterPassword: string, email: string) => Promise<SymmetricCryptoKey>;
|
||||
authingWithApiKey: () => boolean;
|
||||
authingWithSso: () => boolean;
|
||||
authingWithPassword: () => boolean;
|
||||
}
|
||||
|
||||
@ -8,7 +8,6 @@ import {
|
||||
Router,
|
||||
} from '@angular/router';
|
||||
|
||||
import { DeviceType } from '../../enums/deviceType';
|
||||
import { TwoFactorProviderType } from '../../enums/twoFactorProviderType';
|
||||
|
||||
import { TwoFactorEmailRequest } from '../../models/request/twoFactorEmailRequest';
|
||||
@ -59,8 +58,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
|
||||
async ngOnInit() {
|
||||
if ((!this.authService.authingWithSso() && !this.authService.authingWithPassword()) ||
|
||||
this.authService.twoFactorProvidersData == null) {
|
||||
if (!this.authing || this.authService.twoFactorProvidersData == null) {
|
||||
this.router.navigate([this.loginRoute]);
|
||||
return;
|
||||
}
|
||||
@ -75,7 +73,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
});
|
||||
|
||||
if (this.authService.authingWithSso()) {
|
||||
if (this.needsLock) {
|
||||
this.successRoute = 'lock';
|
||||
}
|
||||
|
||||
@ -246,4 +244,12 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
|
||||
this.u2f.cleanup();
|
||||
}
|
||||
}
|
||||
|
||||
get authing(): boolean {
|
||||
return this.authService.authingWithPassword() || this.authService.authingWithSso() || this.authService.authingWithApiKey()
|
||||
}
|
||||
|
||||
get needsLock(): boolean {
|
||||
return this.authService.authingWithSso() || this.authService.authingWithApiKey();
|
||||
}
|
||||
}
|
||||
|
||||
@ -46,7 +46,38 @@ export class LoginCommand {
|
||||
|
||||
let ssoCodeVerifier: string = null;
|
||||
let ssoCode: string = null;
|
||||
if (cmd.sso != null && this.canInteract) {
|
||||
|
||||
let clientId: string = null;
|
||||
let clientSecret: string = null;
|
||||
|
||||
if (cmd.apikey != null) {
|
||||
const storedClientId: string = process.env.BW_CLIENTID;
|
||||
const storedClientSecret: string = process.env.BW_CLIENTSECRET;
|
||||
if (storedClientId == null) {
|
||||
if (this.canInteract) {
|
||||
const answer: inquirer.Answers = await inquirer.createPromptModule({ output: process.stderr })({
|
||||
type: 'input',
|
||||
name: 'clientId',
|
||||
message: 'client_id:',
|
||||
});
|
||||
clientId = answer.clientId;
|
||||
} else {
|
||||
clientId = null;
|
||||
}
|
||||
} else {
|
||||
clientId = storedClientId;
|
||||
}
|
||||
if (this.canInteract && storedClientSecret == null) {
|
||||
const answer: inquirer.Answers = await inquirer.createPromptModule({ output: process.stderr })({
|
||||
type: 'input',
|
||||
name: 'clientSecret',
|
||||
message: 'client_secret:',
|
||||
});
|
||||
clientSecret = answer.clientSecret;
|
||||
} else {
|
||||
clientSecret = storedClientSecret;
|
||||
}
|
||||
} else if (cmd.sso != null && this.canInteract) {
|
||||
const passwordOptions: any = {
|
||||
type: 'password',
|
||||
length: 64,
|
||||
@ -117,7 +148,10 @@ export class LoginCommand {
|
||||
|
||||
let response: AuthResult = null;
|
||||
if (twoFactorToken != null && twoFactorMethod != null) {
|
||||
if (ssoCode != null && ssoCodeVerifier != null) {
|
||||
if (clientId != null && clientSecret != null) {
|
||||
response = await this.authService.logInApiKeyComplete(clientId, clientSecret, twoFactorMethod,
|
||||
twoFactorToken, false);
|
||||
} else if (ssoCode != null && ssoCodeVerifier != null) {
|
||||
response = await this.authService.logInSsoComplete(ssoCode, ssoCodeVerifier, this.ssoRedirectUri,
|
||||
twoFactorMethod, twoFactorToken, false);
|
||||
} else {
|
||||
@ -125,9 +159,10 @@ export class LoginCommand {
|
||||
twoFactorToken, false);
|
||||
}
|
||||
} else {
|
||||
if (ssoCode != null && ssoCodeVerifier != null) {
|
||||
if (clientId != null && clientSecret != null) {
|
||||
response = await this.authService.logInApiKey(clientId, clientSecret);
|
||||
} else if (ssoCode != null && ssoCodeVerifier != null) {
|
||||
response = await this.authService.logInSso(ssoCode, ssoCodeVerifier, this.ssoRedirectUri);
|
||||
|
||||
} else {
|
||||
response = await this.authService.logIn(email, password);
|
||||
}
|
||||
|
||||
@ -8,12 +8,14 @@ export class TokenRequest {
|
||||
code: string;
|
||||
codeVerifier: string;
|
||||
redirectUri: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
token: string;
|
||||
provider: TwoFactorProviderType;
|
||||
remember: boolean;
|
||||
device?: DeviceRequest;
|
||||
|
||||
constructor(credentials: string[], codes: string[], provider: TwoFactorProviderType,
|
||||
constructor(credentials: string[], codes: string[], clientIdClientSecret: string[], provider: TwoFactorProviderType,
|
||||
token: string, remember: boolean, device?: DeviceRequest) {
|
||||
if (credentials != null && credentials.length > 1) {
|
||||
this.email = credentials[0];
|
||||
@ -22,6 +24,9 @@ export class TokenRequest {
|
||||
this.code = codes[0];
|
||||
this.codeVerifier = codes[1];
|
||||
this.redirectUri = codes[2];
|
||||
} else if (clientIdClientSecret != null && clientIdClientSecret.length > 1) {
|
||||
this.clientId = clientIdClientSecret[0]
|
||||
this.clientSecret = clientIdClientSecret[1]
|
||||
}
|
||||
this.token = token;
|
||||
this.provider = provider;
|
||||
@ -35,7 +40,11 @@ export class TokenRequest {
|
||||
client_id: clientId,
|
||||
};
|
||||
|
||||
if (this.masterPasswordHash != null && this.email != null) {
|
||||
if (this.clientSecret != null) {
|
||||
obj.scope = 'api';
|
||||
obj.grant_type = 'client_credentials';
|
||||
obj.client_secret = this.clientSecret;
|
||||
} else if (this.masterPasswordHash != null && this.email != null) {
|
||||
obj.grant_type = 'password';
|
||||
obj.username = this.email;
|
||||
obj.password = this.masterPasswordHash;
|
||||
|
||||
@ -179,7 +179,7 @@ export class ApiService implements ApiServiceAbstraction {
|
||||
headers.set('User-Agent', this.customUserAgent);
|
||||
}
|
||||
const response = await this.fetch(new Request(this.identityBaseUrl + '/connect/token', {
|
||||
body: this.qsStringify(request.toIdentityToken(this.platformUtilsService.identityClientId)),
|
||||
body: this.qsStringify(request.toIdentityToken(request.clientId ?? this.platformUtilsService.identityClientId)),
|
||||
credentials: this.getCredentials(),
|
||||
cache: 'no-store',
|
||||
headers: headers,
|
||||
@ -360,6 +360,16 @@ export class ApiService implements ApiServiceAbstraction {
|
||||
return this.send('GET', '/accounts/sso/user-identifier', null, true, true);
|
||||
}
|
||||
|
||||
async postUserApiKey(id: string, request: PasswordVerificationRequest): Promise<ApiKeyResponse> {
|
||||
const r = await this.send('POST', '/accounts/api-key', request, true, true);
|
||||
return new ApiKeyResponse(r);
|
||||
}
|
||||
|
||||
async postUserRotateApiKey(id: string, request: PasswordVerificationRequest): Promise<ApiKeyResponse> {
|
||||
const r = await this.send('POST', '/accounts/rotate-api-key', request, true, true);
|
||||
return new ApiKeyResponse(r);
|
||||
}
|
||||
|
||||
// Folder APIs
|
||||
|
||||
async getFolder(id: string): Promise<FolderResponse> {
|
||||
|
||||
@ -9,7 +9,6 @@ import { KeysRequest } from '../models/request/keysRequest';
|
||||
import { PreloginRequest } from '../models/request/preloginRequest';
|
||||
import { TokenRequest } from '../models/request/tokenRequest';
|
||||
|
||||
import { ErrorResponse } from '../models/response/errorResponse';
|
||||
import { IdentityTokenResponse } from '../models/response/identityTokenResponse';
|
||||
import { IdentityTwoFactorResponse } from '../models/response/identityTwoFactorResponse';
|
||||
|
||||
@ -81,6 +80,8 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
code: string;
|
||||
codeVerifier: string;
|
||||
ssoRedirectUrl: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
twoFactorProvidersData: Map<TwoFactorProviderType, { [key: string]: string; }>;
|
||||
selectedTwoFactorProviderType: TwoFactorProviderType = null;
|
||||
|
||||
@ -118,19 +119,27 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
const key = await this.makePreloginKey(masterPassword, email);
|
||||
const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
|
||||
return await this.logInHelper(email, hashedPassword, null, null, null, key,
|
||||
null, null, null);
|
||||
return await this.logInHelper(email, hashedPassword, null, null, null, null, null,
|
||||
key, null, null, null);
|
||||
}
|
||||
|
||||
async logInSso(code: string, codeVerifier: string, redirectUrl: string): Promise<AuthResult> {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null, null, null, null);
|
||||
return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null, null,
|
||||
null, null, null, null);
|
||||
}
|
||||
|
||||
async logInApiKey(clientId: string, clientSecret: string): Promise<AuthResult> {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
return await this.logInHelper(null, null, null, null, null, clientId, clientSecret,
|
||||
null, null, null, null);
|
||||
}
|
||||
|
||||
async logInTwoFactor(twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
|
||||
remember?: boolean): Promise<AuthResult> {
|
||||
return await this.logInHelper(this.email, this.masterPasswordHash, this.code, this.codeVerifier,
|
||||
this.ssoRedirectUrl, this.key, twoFactorProvider, twoFactorToken, remember);
|
||||
this.ssoRedirectUrl, this.clientId, this.clientSecret, this.key, twoFactorProvider,
|
||||
twoFactorToken, remember);
|
||||
}
|
||||
|
||||
async logInComplete(email: string, masterPassword: string, twoFactorProvider: TwoFactorProviderType,
|
||||
@ -138,14 +147,21 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
const key = await this.makePreloginKey(masterPassword, email);
|
||||
const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
|
||||
return await this.logInHelper(email, hashedPassword, null, null, null, key, twoFactorProvider, twoFactorToken,
|
||||
remember);
|
||||
return await this.logInHelper(email, hashedPassword, null, null, null, null, null, key,
|
||||
twoFactorProvider, twoFactorToken, remember);
|
||||
}
|
||||
|
||||
async logInSsoComplete(code: string, codeVerifier: string, redirectUrl: string,
|
||||
twoFactorProvider: TwoFactorProviderType, twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null,
|
||||
null, null, twoFactorProvider, twoFactorToken, remember);
|
||||
}
|
||||
|
||||
async logInApiKeyComplete(clientId: string, clientSecret: string, twoFactorProvider: TwoFactorProviderType,
|
||||
twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
return await this.logInHelper(null, null, null, null, null, clientId, clientSecret, null,
|
||||
twoFactorProvider, twoFactorToken, remember);
|
||||
}
|
||||
|
||||
@ -233,6 +249,10 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
return this.cryptoService.makeKey(masterPassword, email, kdf, kdfIterations);
|
||||
}
|
||||
|
||||
authingWithApiKey(): boolean {
|
||||
return this.clientId != null && this.clientSecret != null;
|
||||
}
|
||||
|
||||
authingWithSso(): boolean {
|
||||
return this.code != null && this.codeVerifier != null && this.ssoRedirectUrl != null;
|
||||
}
|
||||
@ -242,14 +262,16 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
}
|
||||
|
||||
private async logInHelper(email: string, hashedPassword: string, code: string, codeVerifier: string,
|
||||
redirectUrl: string, key: SymmetricCryptoKey, twoFactorProvider?: TwoFactorProviderType,
|
||||
twoFactorToken?: string, remember?: boolean): Promise<AuthResult> {
|
||||
redirectUrl: string, clientId: string, clientSecret: string, key: SymmetricCryptoKey,
|
||||
twoFactorProvider?: TwoFactorProviderType, twoFactorToken?: string, remember?: boolean): Promise<AuthResult> {
|
||||
const storedTwoFactorToken = await this.tokenService.getTwoFactorToken(email);
|
||||
const appId = await this.appIdService.getAppId();
|
||||
const deviceRequest = new DeviceRequest(appId, this.platformUtilsService);
|
||||
|
||||
let emailPassword: string[] = [];
|
||||
let codeCodeVerifier: string[] = [];
|
||||
let clientIdClientSecret: string[] = [];
|
||||
|
||||
if (email != null && hashedPassword != null) {
|
||||
emailPassword = [email, hashedPassword];
|
||||
} else {
|
||||
@ -260,16 +282,22 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
} else {
|
||||
codeCodeVerifier = null;
|
||||
}
|
||||
if (clientId != null && clientSecret != null) {
|
||||
clientIdClientSecret = [clientId, clientSecret]
|
||||
} else {
|
||||
clientIdClientSecret = null;
|
||||
}
|
||||
|
||||
let request: TokenRequest;
|
||||
if (twoFactorToken != null && twoFactorProvider != null) {
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, twoFactorProvider, twoFactorToken, remember,
|
||||
deviceRequest);
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, twoFactorProvider,
|
||||
twoFactorToken, remember, deviceRequest);
|
||||
} else if (storedTwoFactorToken != null) {
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, TwoFactorProviderType.Remember,
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, TwoFactorProviderType.Remember,
|
||||
storedTwoFactorToken, false, deviceRequest);
|
||||
} else {
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, null, null, false, deviceRequest);
|
||||
request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, null,
|
||||
null, false, deviceRequest);
|
||||
}
|
||||
|
||||
const response = await this.apiService.postIdentityToken(request);
|
||||
@ -286,6 +314,8 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
this.code = code;
|
||||
this.codeVerifier = codeVerifier;
|
||||
this.ssoRedirectUrl = redirectUrl;
|
||||
this.clientId = clientId;
|
||||
this.clientSecret = clientSecret;
|
||||
this.key = this.setCryptoKeys ? key : null;
|
||||
this.twoFactorProvidersData = twoFactorResponse.twoFactorProviders2;
|
||||
result.twoFactorProviders = twoFactorResponse.twoFactorProviders2;
|
||||
@ -343,6 +373,8 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
this.code = null;
|
||||
this.codeVerifier = null;
|
||||
this.ssoRedirectUrl = null;
|
||||
this.clientId = null;
|
||||
this.clientSecret = null;
|
||||
this.twoFactorProvidersData = null;
|
||||
this.selectedTwoFactorProviderType = null;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user