diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index e900fa559..82f910957 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
 [HttpPut("{userId}/reset-password-enrollment")]
 public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
 {
- var callingUserId = _userService.GetProperUserId(User);
- await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+ var user = await _userService.GetUserByPrincipalAsync(User);
+ if (user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
+ if (!await _userService.VerifySecretAsync(user, model.Secret))
+ {
+ await Task.Delay(2000);
+ throw new BadRequestException("MasterPasswordHash", "Invalid password.");
+ }
+ else
+ {
+ var callingUserId = user.Id;
+ await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
+ new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+ }
 }
 
 [HttpPut("{id}/reset-password")]
diff --git a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
index 86bb2acb1..e2e5adf8d 100644
--- a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
 using System.Text.Json;
+using Bit.Api.Models.Request.Accounts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
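Review bot: The `else` wrapping the success path in PutResetPasswordEnrollment is dead structure, since the `if` above it unconditionally throws; flatten it into a guard clause by dropping `else` and its braces and leaving `var callingUserId = user.Id;` and the `UpdateUserResetPasswordEnrollmentAsync(...)` call at method level. The fixed `await Task.Delay(2000)` after a failed `VerifySecretAsync` is the only brute-force mitigation visible in this hunk; it slows a serial guesser but not a parallel one, so confirm the endpoint is also covered by the API's request rate limiting (not visible here). The controller now only proves the caller's own secret, so the check that this caller may enroll `userId` in `orgId` must live inside `UpdateUserResetPasswordEnrollmentAsync`; worth confirming against the service, which is outside the hunk. Note also that `new Guid(orgId)` and `new Guid(userId)` throw `FormatException` on a malformed route id, which surfaces as a server error rather than a 400 unless middleware maps it.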
@@ -92,7 +93,7 @@ namespace Bit.Api.Models.Request.Organizations
 public IEnumerable GroupIds { get; set; }
 }
 
- public class OrganizationUserResetPasswordEnrollmentRequestModel
+ public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
 {
 public string ResetPasswordKey { get; set; }
 }
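Review bot: Inheriting `SecretVerificationRequestModel` is what makes `model.Secret` available to the controller, but the base class is not in this diff, so whether its secret fields carry `[Required]`/validation that rejects an empty body before `VerifySecretAsync` is reached cannot be confirmed here; verify that a request with no `MasterPasswordHash` or OTP fails model validation rather than relying on `VerifySecretAsync` to handle a null secret. A one-line doc comment on the class would help the next reader, e.g. `/// <summary>Enrollment key for admin password reset; the request must re-verify the caller's secret (see SecretVerificationRequestModel).</summary>`. The enclosing namespace opens before this hunk.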