Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-28 13:15:12 +01:00
Code Issues Projects Releases Wiki Activity

CSA-1 - adding master password authentication when enrolling in passw… (#1940)

Browse Source 
* CSA-2 - adding master password authentication when enrolling in password reset

* Getting user by principal rather than ID

* Removing unnecessary userId call

* Use secret verification for re-auth api requests

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
This commit is contained in:
Carlos J. Muentes 2022-05-19 15:55:42 -04:00 committed by GitHub
parent 60e36a8f0f
commit 452472deab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/Api/Controllers/OrganizationUsersController.cs
View File

@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
[HttpPut("{userId}/reset-password-enrollment")] [HttpPut("{userId}/reset-password-enrollment")]
public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model) public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
{ {
var callingUserId = _userService.GetProperUserId(User); var user = await _userService.GetUserByPrincipalAsync(User);
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId); if (user == null)
{
throw new UnauthorizedAccessException();
}
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
else
{
var callingUserId = user.Id;
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
}
} }
[HttpPut("{id}/reset-password")] [HttpPut("{id}/reset-password")]

3
src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
View File

@ -3,6 +3,7 @@ using System.Collections.Generic;
using System.ComponentModel.DataAnnotations; using System.ComponentModel.DataAnnotations;
using System.Linq; using System.Linq;
using System.Text.Json; using System.Text.Json;
using Bit.Api.Models.Request.Accounts;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
@ -92,7 +93,7 @@ namespace Bit.Api.Models.Request.Organizations
public IEnumerable<string> GroupIds { get; set; } public IEnumerable<string> GroupIds { get; set; }
} }
public class OrganizationUserResetPasswordEnrollmentRequestModel public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
{ {
public string ResetPasswordKey { get; set; } public string ResetPasswordKey { get; set; }
} }