mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
CSA-1 - adding master password authentication when enrolling in passw… (#1940)
* CSA-2 - adding master password authentication when enrolling in password reset * Getting user by principal rather than ID * Removing unnecessary userId call * Use secret verification for re-auth api requests Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
This commit is contained in:
parent
60e36a8f0f
commit
452472deab
@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
|
||||
[HttpPut("{userId}/reset-password-enrollment")]
|
||||
public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
|
||||
{
|
||||
var callingUserId = _userService.GetProperUserId(User);
|
||||
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
|
||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||
if (user == null)
|
||||
{
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if (!await _userService.VerifySecretAsync(user, model.Secret))
|
||||
{
|
||||
await Task.Delay(2000);
|
||||
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
|
||||
}
|
||||
else
|
||||
{
|
||||
var callingUserId = user.Id;
|
||||
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
|
||||
new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
|
||||
}
|
||||
}
|
||||
|
||||
[HttpPut("{id}/reset-password")]
|
||||
|
@ -3,6 +3,7 @@ using System.Collections.Generic;
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using System.Linq;
|
||||
using System.Text.Json;
|
||||
using Bit.Api.Models.Request.Accounts;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Models.Data;
|
||||
@ -92,7 +93,7 @@ namespace Bit.Api.Models.Request.Organizations
|
||||
public IEnumerable<string> GroupIds { get; set; }
|
||||
}
|
||||
|
||||
public class OrganizationUserResetPasswordEnrollmentRequestModel
|
||||
public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
|
||||
{
|
||||
public string ResetPasswordKey { get; set; }
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user