Duo WebSDK Token Provider

src/Api/settings.json

@@ -42,6 +42,9 @@
     "yubico": {
       "clientid": "SECRET",
       "key": "SECRET"
+    },
+    "duo": {
+      "aKey": "SECRET"
     }
   },
   "IpRateLimitOptions": {

src/Core/GlobalSettings.cs

@@ -16,6 +16,7 @@
         public virtual DocumentDbSettings DocumentDb { get; set; } = new DocumentDbSettings();
         public virtual NotificationHubSettings NotificationHub { get; set; } = new NotificationHubSettings();
         public virtual YubicoSettings Yubico { get; set; } = new YubicoSettings();
+        public virtual DuoSettings Duo { get; set; } = new DuoSettings();
 
         public class SqlServerSettings
         {
@@ -85,5 +86,10 @@
             public string ClientId { get; set; }
             public string Key { get; set; }
         }
+
+        public class DuoSettings
+        {
+            public string AKey { get; set; }
+        }
     }
 }

src/Core/Identity/DuoWebTokenProvider.cs

@@ -0,0 +1,66 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using Bit.Core.Models.Table;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Duo;
+using System;
+using Bit.Core.Models;
+
+namespace Bit.Core.Identity
+{
+    public class DuoWebTokenProvider : IUserTwoFactorTokenProvider<User>
+    {
+        private readonly GlobalSettings _globalSettings;
+
+        public DuoWebTokenProvider(GlobalSettings globalSettings)
+        {
+            _globalSettings = globalSettings;
+        }
+
+        public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            var canGenerate = user.TwoFactorProviderIsEnabled(TwoFactorProviderType.Duo) && HasProperMetaData(provider);
+            return Task.FromResult(canGenerate);
+        }
+
+        public Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            if(!HasProperMetaData(provider))
+            {
+                return Task.FromResult<string>(null);
+            }
+
+            var signatureRequest = DuoWeb.SignRequest(provider.MetaData["IKey"], provider.MetaData["SKey"],
+                _globalSettings.Duo.AKey, user.Id.ToString());
+            return Task.FromResult(signatureRequest);
+        }
+
+        public Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            if(!HasProperMetaData(provider))
+            {
+                return Task.FromResult(false);
+            }
+
+            var response = DuoWeb.VerifyResponse(provider.MetaData["IKey"], provider.MetaData["SKey"],
+                _globalSettings.Duo.AKey, token);
+
+            Guid userId;
+            if(!Guid.TryParse(response, out userId))
+            {
+                return Task.FromResult(false);
+            }
+
+            return Task.FromResult(userId == user.Id);
+        }
+
+        private bool HasProperMetaData(TwoFactorProvider provider)
+        {
+            return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") &&
+                provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host");
+        }
+    }
+}

src/Core/Utilities/ServiceCollectionExtensions.cs

@@ -99,7 +99,7 @@ namespace Bit.Core.Utilities
                 .AddRoleStore<RoleStore>()
                 .AddTokenProvider<AuthenticatorTokenProvider>(TwoFactorProviderType.Authenticator.ToString())
                 .AddTokenProvider<YubicoOtpTokenProvider>(TwoFactorProviderType.YubiKey.ToString())
-                .AddTokenProvider<DuoTokenProvider>(TwoFactorProviderType.Duo.ToString())
+                .AddTokenProvider<DuoWebTokenProvider>(TwoFactorProviderType.Duo.ToString())
                 .AddTokenProvider<EmailTokenProvider<User>>(TokenOptions.DefaultEmailProvider);
 
             return identityBuilder;

src/Identity/settings.json

@@ -34,6 +34,13 @@
     "notificationHub": {
       "connectionString": "SECRET",
       "hubName": "SECRET"
+    },
+    "yubico": {
+      "clientid": "SECRET",
+      "key": "SECRET"
+    },
+    "duo": {
+      "aKey": "SECRET"
     }
   }
 }