[SG-698] Refactored 2fa send email and identity to cater for passwordless (#2346)

* Allow for auth request validation for sending two factor emails * Refactored 2fa send email and identity to cater for passwordless * Refactored 2fa send email and identity to cater for passwordless Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Inform that we track issues outside of Github (#2331) * Inform that we track issues outside of Github * Use checkboxes for info acknowledgement Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Refactored 2fa send email and identity to cater for passwordless * ran dotnet format Signed-off-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: addison <addisonbeck1@gmail.com>
2024-11-23 12:25:16 +01:00 · 2022-10-18 14:50:48 -04:00 · 2022-10-18 14:50:48 -04:00 · 4a26c55599
commit 4a26c55599
parent 864ab5231d
8 changed files with 92 additions and 20 deletions
--- a/src/Api/Controllers/TwoFactorController.cs
+++ b/src/Api/Controllers/TwoFactorController.cs
@ -6,6 +6,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@ -28,6 +29,7 @@ public class TwoFactorController : Controller
    private readonly GlobalSettings _globalSettings;
    private readonly UserManager<User> _userManager;
    private readonly ICurrentContext _currentContext;
    private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand;
    public TwoFactorController(
        IUserService userService,
@ -35,7 +37,8 @@ public class TwoFactorController : Controller
        IOrganizationService organizationService,
        GlobalSettings globalSettings,
        UserManager<User> userManager,
-        ICurrentContext currentContext)
+        ICurrentContext currentContext,
        IVerifyAuthRequestCommand verifyAuthRequestCommand)
    {
        _userService = userService;
        _organizationRepository = organizationRepository;
@ -43,6 +46,7 @@ public class TwoFactorController : Controller
        _globalSettings = globalSettings;
        _userManager = userManager;
        _currentContext = currentContext;
        _verifyAuthRequestCommand = verifyAuthRequestCommand;
    }
    [HttpGet("")]
@ -285,19 +289,27 @@ public class TwoFactorController : Controller
        var user = await _userManager.FindByEmailAsync(model.Email.ToLowerInvariant());
        if (user != null)
        {
-            if (await _userService.VerifySecretAsync(user, model.Secret))
+            // check if 2FA email is from passwordless
            if (!string.IsNullOrEmpty(model.AuthRequestAccessCode))
            {
-                var isBecauseNewDeviceLogin = false;
+                if (await _verifyAuthRequestCommand
-                if (user.GetTwoFactorProvider(TwoFactorProviderType.Email) is null
+                        .VerifyAuthRequestAsync(model.AuthRequestId, model.AuthRequestAccessCode))
                    &&
                    await _userService.Needs2FABecauseNewDeviceAsync(user, model.DeviceIdentifier, null))
                {
-                    model.ToUser(user);
+                    var isBecauseNewDeviceLogin = await IsNewDeviceLoginAsync(user, model);
                    isBecauseNewDeviceLogin = true;
                }
-                await _userService.SendTwoFactorEmailAsync(user, isBecauseNewDeviceLogin);
+                    await _userService.SendTwoFactorEmailAsync(user, isBecauseNewDeviceLogin);
-                return;
+                    return;
                }
            }
            else
            {
                if (await _userService.VerifySecretAsync(user, model.Secret))
                {
                    var isBecauseNewDeviceLogin = await IsNewDeviceLoginAsync(user, model);
                    await _userService.SendTwoFactorEmailAsync(user, isBecauseNewDeviceLogin);
                    return;
                }
            }
        }
@ -455,4 +467,17 @@ public class TwoFactorController : Controller
            await Task.Delay(500);
        }
    }
    private async Task<bool> IsNewDeviceLoginAsync(User user, TwoFactorEmailRequestModel model)
    {
        if (user.GetTwoFactorProvider(TwoFactorProviderType.Email) is null
            &&
            await _userService.Needs2FABecauseNewDeviceAsync(user, model.DeviceIdentifier, null))
        {
            model.ToUser(user);
            return true;
        }
        return false;
    }
 }
--- a/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
+++ b/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
@ -7,13 +7,14 @@ public class SecretVerificationRequestModel : IValidatableObject
    [StringLength(300)]
    public string MasterPasswordHash { get; set; }
    public string OTP { get; set; }
    public string AuthRequestAccessCode { get; set; }
    public string Secret => !string.IsNullOrEmpty(MasterPasswordHash) ? MasterPasswordHash : OTP;
    public virtual IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
    {
-        if (string.IsNullOrEmpty(Secret))
+        if (string.IsNullOrEmpty(Secret) && string.IsNullOrEmpty(AuthRequestAccessCode))
        {
-            yield return new ValidationResult("MasterPasswordHash or OTP must be supplied.");
+            yield return new ValidationResult("MasterPasswordHash, OTP or AccessCode must be supplied.");
        }
    }
 }
--- a/src/Api/Models/Request/TwoFactorRequestModels.cs
+++ b/src/Api/Models/Request/TwoFactorRequestModels.cs
@ -204,6 +204,8 @@ public class TwoFactorEmailRequestModel : SecretVerificationRequestModel
    public string DeviceIdentifier { get; set; }
    public Guid AuthRequestId { get; set; }
    public User ToUser(User extistingUser)
    {
        var providers = extistingUser.GetTwoFactorProviders();
--- a/src/Core/LoginFeatures/LoginServiceCollectionExtensions.cs
+++ b/src/Core/LoginFeatures/LoginServiceCollectionExtensions.cs
@ -0,0 +1,14 @@
 using Bit.Core.LoginFeatures.PasswordlessLogin;
 using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 using Microsoft.Extensions.DependencyInjection;
 namespace Bit.Core.LoginFeatures;
 public static class LoginServiceCollectionExtensions
 {
    public static void AddLoginServices(this IServiceCollection services)
    {
        services.AddScoped<IVerifyAuthRequestCommand, VerifyAuthRequestCommand>();
    }
 }
--- a/src/Core/LoginFeatures/PasswordlessLogin/Interfaces/IVerifyAuthRequest.cs
+++ b/src/Core/LoginFeatures/PasswordlessLogin/Interfaces/IVerifyAuthRequest.cs
@ -0,0 +1,6 @@
 namespace Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 public interface IVerifyAuthRequestCommand
 {
    Task<bool> VerifyAuthRequestAsync(Guid authRequestId, string accessCode);
 }
--- a/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
+++ b/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
@ -0,0 +1,24 @@
 using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Repositories;
 namespace Bit.Core.LoginFeatures.PasswordlessLogin;
 public class VerifyAuthRequestCommand : IVerifyAuthRequestCommand
 {
    private readonly IAuthRequestRepository _authRequestRepository;
    public VerifyAuthRequestCommand(IAuthRequestRepository authRequestRepository)
    {
        _authRequestRepository = authRequestRepository;
    }
    public async Task<bool> VerifyAuthRequestAsync(Guid authRequestId, string accessCode)
    {
        var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId);
        if (authRequest == null || authRequest.AccessCode != accessCode)
        {
            return false;
        }
        return true;
    }
 }
--- a/src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -113,7 +113,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
            if (authRequest != null)
            {
                var requestAge = DateTime.UtcNow - authRequest.CreationDate;
-                if (requestAge < TimeSpan.FromHours(1) && !authRequest.AuthenticationDate.HasValue &&
+                if (requestAge < TimeSpan.FromHours(1) &&
                    CoreHelpers.FixedTimeEquals(authRequest.AccessCode, context.Password))
                {
                    authRequest.AuthenticationDate = DateTime.UtcNow;
@ -123,14 +123,12 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
            }
            return false;
        }
-        else
+
        if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
        {
-            if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
+            return false;
            {
                return false;
            }
            return true;
        }
        return true;
    }
    protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -7,6 +7,7 @@ using Bit.Core.Enums;
 using Bit.Core.HostedServices;
 using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
 using Bit.Core.LoginFeatures;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures;
 using Bit.Core.Repositories;
@ -108,6 +109,7 @@ public static class ServiceCollectionExtensions
        services.AddSingleton<IAppleIapService, AppleIapService>();
        services.AddScoped<ISsoConfigService, SsoConfigService>();
        services.AddScoped<ISendService, SendService>();
        services.AddLoginServices();
    }
    public static void AddTokenizers(this IServiceCollection services)