From 452472deabdf2bca6f86ab6d04791cae8d7fcb45 Mon Sep 17 00:00:00 2001
From: "Carlos J. Muentes" <42616259+cmuentes@users.noreply.github.com>
Date: Thu, 19 May 2022 15:55:42 -0400
Subject: [PATCH] =?UTF-8?q?CSA-1=20-=20adding=20master=20password=20authen?=
 =?UTF-8?q?tication=20when=20enrolling=20in=20passw=E2=80=A6=20(#1940)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* CSA-2 - adding master password authentication when enrolling in password reset
* Getting user by principal rather than ID
* Removing unnecessary userId call
* Use secret verification for re-auth api requests

Co-authored-by: Matt Gibson
---
 .../OrganizationUsersController.cs | 19 +++++++++++++++++--
 .../OrganizationUserRequestModels.cs | 3 ++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index e900fa559..82f910957 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
         [HttpPut("{userId}/reset-password-enrollment")]
         public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
         {
-            var callingUserId = _userService.GetProperUserId(User);
-            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            var user = await _userService.GetUserByPrincipalAsync(User);
+            if (user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            if (!await _userService.VerifySecretAsync(user, model.Secret))
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException("MasterPasswordHash", "Invalid password.");
+            }
+            else
+            {
+                var callingUserId = user.Id;
+                await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
+                    new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            }
         }
 
         [HttpPut("{id}/reset-password")]
diff --git a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
index 86bb2acb1..e2e5adf8d 100644
--- a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
 using System.Text.Json;
+using Bit.Api.Models.Request.Accounts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -92,7 +93,7 @@ namespace Bit.Api.Models.Request.Organizations
         public IEnumerable GroupIds { get; set; }
     }
 
-    public class OrganizationUserResetPasswordEnrollmentRequestModel
+    public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
     {
         public string ResetPasswordKey { get; set; }
     }
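Review bot: The `else` block after the `throw` in PutResetPasswordEnrollment is dead structure and `callingUserId` is a single-use alias of `user.Id`; the enrollment call can simply follow the failure branch as `await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, user.Id);`, and the null check reads better as `if (user is null)`. The fixed `await Task.Delay(2000)` on a failed verification slows one caller's retries but does not bound concurrent attempts against the same account, so it is worth confirming that request-level rate limiting also covers this endpoint. A one-line comment such as `// Deliberate delay: slows repeated master-password guesses on failure.` would keep the delay from being removed later as an accidental sleep. The error is keyed on `"MasterPasswordHash"` while the value verified is `model.Secret`; if the request model exposes the hash under that name this is fine, otherwise the client-side field mapping will not match.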
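Review bot: `ResetPasswordKey` on the new side of OrganizationUserResetPasswordEnrollmentRequestModel still carries no `[Required]` attribute even though the file already imports `System.ComponentModel.DataAnnotations`, so a request carrying only the secret and no key passes model binding and reaches the service. Unless the service is known to reject a null key, `[Required] public string ResetPasswordKey { get; set; }` would fail it at the boundary alongside the base class's own validation. The new base type also supplies the secret contract implicitly; a `/// <summary>` on the class stating that enrollment now requires the caller's secret via `SecretVerificationRequestModel` would make that visible to readers of this file.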