From 621192b701a7ad9b6ca240bae409607ff068e05b Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Fri, 28 Feb 2020 09:14:33 -0500
Subject: [PATCH] enable email 2fa if joining an org with policy (#658)

---
 .../Services/Implementations/UserService.cs   | 56 ++++++++++++++-----
 1 file changed, 42 insertions(+), 14 deletions(-)

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 0ccdfffbf..f61e96d9c 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -261,6 +261,29 @@ namespace Bit.Core.Services
                 throw new BadRequestException("Open registration has been disabled by the system administrator.");
             }
 
+            if(orgUserId.HasValue)
+            {
+                var orgUser = await _organizationUserRepository.GetByIdAsync(orgUserId.Value);
+                if(orgUser != null)
+                {
+                    var twoFactorPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(orgUser.OrganizationId,
+                        PolicyType.TwoFactorAuthentication);
+                    if(twoFactorPolicy != null && twoFactorPolicy.Enabled)
+                    {
+                        user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+                        {
+
+                            [TwoFactorProviderType.Email] = new TwoFactorProvider
+                            {
+                                MetaData = new Dictionary<string, object> { ["Email"] = user.Email.ToLowerInvariant() },
+                                Enabled = true
+                            }
+                        });
+                        SetTwoFactorProvider(user, TwoFactorProviderType.Email);
+                    }
+                }
+            }
+
             var result = await base.CreateAsync(user, masterPassword);
             if(result == IdentityResult.Success)
             {
@@ -624,19 +647,7 @@ namespace Bit.Core.Services
 
         public async Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type)
         {
-            var providers = user.GetTwoFactorProviders();
-            if(!providers?.ContainsKey(type) ?? true)
-            {
-                return;
-            }
-
-            providers[type].Enabled = true;
-            user.SetTwoFactorProviders(providers);
-
-            if(string.IsNullOrWhiteSpace(user.TwoFactorRecoveryCode))
-            {
-                user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false);
-            }
+            SetTwoFactorProvider(user, type);
             await SaveUserAsync(user);
             await _eventService.LogUserEventAsync(user.Id, EventType.User_Updated2fa);
         }
@@ -663,7 +674,7 @@ namespace Bit.Core.Services
                 {
                     var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
                     var ownerOrgs = userOrgs.Where(o => o.Type == OrganizationUserType.Owner)
-                        .Select(o => o.Id).ToHashSet();
+                        .Select(o => o.OrganizationId).ToHashSet();
                     foreach(var policy in twoFactorPolicies)
                     {
                         if(!ownerOrgs.Contains(policy.OrganizationId))
@@ -1066,5 +1077,22 @@ namespace Bit.Core.Services
 
             return IdentityResult.Success;
         }
+
+        public void SetTwoFactorProvider(User user, TwoFactorProviderType type)
+        {
+            var providers = user.GetTwoFactorProviders();
+            if(!providers?.ContainsKey(type) ?? true)
+            {
+                return;
+            }
+
+            providers[type].Enabled = true;
+            user.SetTwoFactorProviders(providers);
+
+            if(string.IsNullOrWhiteSpace(user.TwoFactorRecoveryCode))
+            {
+                user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false);
+            }
+        }
     }
 }