CSA-1 - adding master password authentication when enrolling in passw… (#1940)

* CSA-2 - adding master password authentication when enrolling in password reset * Getting user by principal rather than ID * Removing unnecessary userId call * Use secret verification for re-auth api requests Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
2024-11-21 12:05:42 +01:00 · 2022-05-19 15:55:42 -04:00 · 2022-05-19 15:55:42 -04:00 · 452472deab
commit 452472deab
parent 60e36a8f0f
2 changed files with 19 additions and 3 deletions
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
        [HttpPut("{userId}/reset-password-enrollment")]
        public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
        {
-            var callingUserId = _userService.GetProperUserId(User);
-            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            var user = await _userService.GetUserByPrincipalAsync(User);
+            if (user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            if (!await _userService.VerifySecretAsync(user, model.Secret))
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException("MasterPasswordHash", "Invalid password.");
+            }
+            else
+            {
+                var callingUserId = user.Id;
+                await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
+                   new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            }
        }

        [HttpPut("{id}/reset-password")]
--- a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
 using System.Text.Json;
+using Bit.Api.Models.Request.Accounts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@ -92,7 +93,7 @@ namespace Bit.Api.Models.Request.Organizations
        public IEnumerable<string> GroupIds { get; set; }
    }

-    public class OrganizationUserResetPasswordEnrollmentRequestModel
+    public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
    {
        public string ResetPasswordKey { get; set; }
    }