check user has 2fa enabled when confirming

2024-11-22 12:15:36 +01:00 · 2020-03-09 15:13:40 -04:00 · 2020-03-09 15:13:40 -04:00 · 0f9ec8d64f
commit 0f9ec8d64f
parent 218fec52f1
3 changed files with 12 additions and 5 deletions
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -133,7 +133,8 @@ namespace Bit.Api.Controllers
            }

            var userId = _userService.GetProperUserId(User);
-            var result = await _organizationService.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value);
+            var result = await _organizationService.ConfirmUserAsync(orgGuidId, new Guid(id), model.Key, userId.Value,
+                _userService);
        }

        [HttpPut("{id}")]
--- a/src/Core/Services/IOrganizationService.cs
+++ b/src/Core/Services/IOrganizationService.cs
@ -38,7 +38,7 @@ namespace Bit.Core.Services
        Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token,
            IUserService userService);
        Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
-            Guid confirmingUserId);
+            Guid confirmingUserId, IUserService userService);
        Task SaveUserAsync(OrganizationUser user, Guid? savingUserId, IEnumerable<SelectionReadOnly> collections);
        Task DeleteUserAsync(Guid organizationId, Guid organizationUserId, Guid? deletingUserId);
        Task DeleteUserAsync(Guid organizationId, Guid userId);
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -1028,7 +1028,7 @@ namespace Bit.Core.Services
        }

        public async Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
-            Guid confirmingUserId)
+            Guid confirmingUserId, IUserService userService)
        {
            var orgUser = await _organizationUserRepository.GetByIdAsync(organizationUserId);
            if(orgUser == null || orgUser.Status != OrganizationUserStatusType.Accepted ||
@ -1049,13 +1049,19 @@ namespace Bit.Core.Services
                }
            }

+            var user = await _userRepository.GetByIdAsync(orgUser.UserId.Value);
+            var policies = await _policyRepository.GetManyByOrganizationIdAsync(organizationId);
+            var usingTwoFactorPolicy = policies.Any(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled);
+            if(usingTwoFactorPolicy && !(await userService.TwoFactorIsEnabledAsync(user)))
+            {
+                throw new BadRequestException("User does not have two-step login enabled.");
+            }
+
            orgUser.Status = OrganizationUserStatusType.Confirmed;
            orgUser.Key = key;
            orgUser.Email = null;
            await _organizationUserRepository.ReplaceAsync(orgUser);
            await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_Confirmed);
-
-            var user = await _userRepository.GetByIdAsync(orgUser.UserId.Value);
            await _mailService.SendOrganizationConfirmedEmailAsync(org.Name, user.Email);

            // push