validate master password on purge

2025-02-23 03:01:23 +01:00 · 2017-10-25 21:38:54 -04:00 · 2017-10-25 21:38:54 -04:00 · a989a800f7
commit a989a800f7
parent a042fd10f1
2 changed files with 30 additions and 3 deletions
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@ -12,6 +12,8 @@ using Bit.Api.Utilities;
 using Bit.Core.Utilities;
 using Core.Models.Data;
 using System.Collections.Generic;
+using Microsoft.AspNetCore.Identity;
+using Bit.Core.Models.Table;

 namespace Bit.Api.Controllers
 {
@ -23,6 +25,7 @@ namespace Bit.Api.Controllers
        private readonly ICollectionCipherRepository _collectionCipherRepository;
        private readonly ICipherService _cipherService;
        private readonly IUserService _userService;
+        private readonly UserManager<User> _userManager;
        private readonly CurrentContext _currentContext;
        private readonly GlobalSettings _globalSettings;

@ -31,6 +34,7 @@ namespace Bit.Api.Controllers
            ICollectionCipherRepository collectionCipherRepository,
            ICipherService cipherService,
            IUserService userService,
+            UserManager<User> userManager,
            CurrentContext currentContext,
            GlobalSettings globalSettings)
        {
@ -38,6 +42,7 @@ namespace Bit.Api.Controllers
            _collectionCipherRepository = collectionCipherRepository;
            _cipherService = cipherService;
            _userService = userService;
+            _userManager = userManager;
            _currentContext = currentContext;
            _globalSettings = globalSettings;
        }
@ -354,10 +359,22 @@ namespace Bit.Api.Controllers
        }

        [HttpPost("purge")]
-        public async Task PostPurge()
+        public async Task PostPurge([FromBody]CipherPurgeRequestModel model)
        {
-            var userId = _userService.GetProperUserId(User).Value;
-            await _cipherRepository.DeleteByUserIdAsync(userId);
+            var user = await _userService.GetUserByPrincipalAsync(User);
+            if(user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
+            {
+                ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
+                await Task.Delay(2000);
+                throw new BadRequestException(ModelState);
+            }
+
+            await _cipherRepository.DeleteByUserIdAsync(user.Id);
        }

        [HttpPost("{id}/attachment")]
--- a/src/Core/Models/Api/Request/CipherPurgeRequestModel.cs
+++ b/src/Core/Models/Api/Request/CipherPurgeRequestModel.cs
@ -0,0 +1,10 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Models.Api
+{
+    public class CipherPurgeRequestModel
+    {
+        [Required]
+        public string MasterPasswordHash { get; set; }
+    }
+}