mirror of
https://github.com/bitwarden/server.git
synced 2024-11-22 12:15:36 +01:00
dont cycle security token on re-hash
This commit is contained in:
Kyle Spearrin
parent
6e7bc8369d
commit
e350ef650a
@ -25,7 +25,6 @@ namespace Bit.Api.Controllers
|
||||
private readonly ICipherService _cipherService;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly ILicensingService _licenseService;
|
||||
private readonly UserManager<User> _userManager;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
|
||||
public AccountsController(
|
||||
@ -33,13 +32,11 @@ namespace Bit.Api.Controllers
|
||||
ICipherService cipherService,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
ILicensingService licenseService,
|
||||
UserManager<User> userManager,
|
||||
GlobalSettings globalSettings)
|
||||
{
|
||||
_userService = userService;
|
||||
_cipherService = cipherService;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_userManager = userManager;
|
||||
_licenseService = licenseService;
|
||||
_globalSettings = globalSettings;
|
||||
}
|
||||
@ -79,7 +76,7 @@ namespace Bit.Api.Controllers
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
{
|
||||
await Task.Delay(2000);
|
||||
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
|
||||
@ -323,7 +320,7 @@ namespace Bit.Api.Controllers
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
{
|
||||
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
||||
await Task.Delay(2000);
|
||||
|
||||
@ -25,7 +25,6 @@ namespace Bit.Api.Controllers
|
||||
private readonly ICollectionCipherRepository _collectionCipherRepository;
|
||||
private readonly ICipherService _cipherService;
|
||||
private readonly IUserService _userService;
|
||||
private readonly UserManager<User> _userManager;
|
||||
private readonly CurrentContext _currentContext;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
|
||||
@ -34,7 +33,6 @@ namespace Bit.Api.Controllers
|
||||
ICollectionCipherRepository collectionCipherRepository,
|
||||
ICipherService cipherService,
|
||||
IUserService userService,
|
||||
UserManager<User> userManager,
|
||||
CurrentContext currentContext,
|
||||
GlobalSettings globalSettings)
|
||||
{
|
||||
@ -42,7 +40,6 @@ namespace Bit.Api.Controllers
|
||||
_collectionCipherRepository = collectionCipherRepository;
|
||||
_cipherService = cipherService;
|
||||
_userService = userService;
|
||||
_userManager = userManager;
|
||||
_currentContext = currentContext;
|
||||
_globalSettings = globalSettings;
|
||||
}
|
||||
@ -381,7 +378,7 @@ namespace Bit.Api.Controllers
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
{
|
||||
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
||||
await Task.Delay(2000);
|
||||
|
||||
@ -32,7 +32,6 @@ namespace Bit.Api.Controllers
|
||||
private readonly CurrentContext _currentContext;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
private readonly ApiSettings _apiSettings;
|
||||
private readonly UserManager<User> _userManager;
|
||||
|
||||
public OrganizationsController(
|
||||
IOrganizationRepository organizationRepository,
|
||||
@ -41,15 +40,13 @@ namespace Bit.Api.Controllers
|
||||
IUserService userService,
|
||||
CurrentContext currentContext,
|
||||
GlobalSettings globalSettings,
|
||||
IOptions<ApiSettings> apiSettings,
|
||||
UserManager<User> userManager)
|
||||
IOptions<ApiSettings> apiSettings)
|
||||
{
|
||||
_organizationRepository = organizationRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_organizationService = organizationService;
|
||||
_userService = userService;
|
||||
_currentContext = currentContext;
|
||||
_userManager = userManager;
|
||||
_globalSettings = globalSettings;
|
||||
_apiSettings = apiSettings.Value;
|
||||
}
|
||||
@ -359,7 +356,7 @@ namespace Bit.Api.Controllers
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
{
|
||||
await Task.Delay(2000);
|
||||
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
|
||||
|
||||
@ -246,7 +246,7 @@ namespace Bit.Api.Controllers
|
||||
var user = await _userManager.FindByEmailAsync(model.Email.ToLowerInvariant());
|
||||
if(user != null)
|
||||
{
|
||||
if(await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
if(await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||
{
|
||||
await _userService.SendTwoFactorEmailAsync(user);
|
||||
return;
|
||||
@ -336,7 +336,7 @@ namespace Bit.Api.Controllers
|
||||
throw new UnauthorizedAccessException();
|
||||
}
|
||||
|
||||
if(!await _userManager.CheckPasswordAsync(user, masterPasswordHash))
|
||||
if(!await _userService.CheckPasswordAsync(user, masterPasswordHash))
|
||||
{
|
||||
await Task.Delay(2000);
|
||||
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
|
||||
|
||||
@ -69,7 +69,7 @@ namespace Bit.Core.IdentityServer
|
||||
}
|
||||
|
||||
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
||||
if(user == null || !await _userManager.CheckPasswordAsync(user, context.Password))
|
||||
if(user == null || !await _userService.CheckPasswordAsync(user, context.Password))
|
||||
{
|
||||
await BuildErrorResultAsync(false, context, user);
|
||||
return;
|
||||
|
||||
@ -50,5 +50,6 @@ namespace Bit.Core.Services
|
||||
Task DisablePremiumAsync(User user, DateTime? expirationDate);
|
||||
Task UpdatePremiumExpirationAsync(Guid userId, DateTime? expirationDate);
|
||||
Task<UserLicense> GenerateLicenseAsync(User user, BillingInfo billingInfo = null);
|
||||
Task<bool> CheckPasswordAsync(User user, string password);
|
||||
}
|
||||
}
|
||||
|
||||
@ -411,7 +411,7 @@ namespace Bit.Core.Services
|
||||
throw new ArgumentNullException(nameof(user));
|
||||
}
|
||||
|
||||
if(await base.CheckPasswordAsync(user, masterPassword))
|
||||
if(await CheckPasswordAsync(user, masterPassword))
|
||||
{
|
||||
var result = await UpdatePasswordHash(user, newMasterPassword);
|
||||
if(!result.Succeeded)
|
||||
@ -440,7 +440,7 @@ namespace Bit.Core.Services
|
||||
throw new ArgumentNullException(nameof(user));
|
||||
}
|
||||
|
||||
if(await base.CheckPasswordAsync(user, masterPassword))
|
||||
if(await CheckPasswordAsync(user, masterPassword))
|
||||
{
|
||||
user.RevisionDate = user.AccountRevisionDate = DateTime.UtcNow;
|
||||
user.SecurityStamp = Guid.NewGuid().ToString();
|
||||
@ -469,7 +469,7 @@ namespace Bit.Core.Services
|
||||
throw new ArgumentNullException(nameof(user));
|
||||
}
|
||||
|
||||
if(await base.CheckPasswordAsync(user, masterPassword))
|
||||
if(await CheckPasswordAsync(user, masterPassword))
|
||||
{
|
||||
var result = await base.UpdateSecurityStampAsync(user);
|
||||
if(!result.Succeeded)
|
||||
@ -527,7 +527,7 @@ namespace Bit.Core.Services
|
||||
return false;
|
||||
}
|
||||
|
||||
if(!await base.CheckPasswordAsync(user, masterPassword))
|
||||
if(!await CheckPasswordAsync(user, masterPassword))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
@ -745,7 +745,31 @@ namespace Bit.Core.Services
|
||||
new UserLicense(user, billingInfo, _licenseService);
|
||||
}
|
||||
|
||||
private async Task<IdentityResult> UpdatePasswordHash(User user, string newPassword, bool validatePassword = true)
|
||||
public override async Task<bool> CheckPasswordAsync(User user, string password)
|
||||
{
|
||||
if(user == null)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
var result = await base.VerifyPasswordAsync(Store as IUserPasswordStore<User>, user, password);
|
||||
if(result == PasswordVerificationResult.SuccessRehashNeeded)
|
||||
{
|
||||
await UpdatePasswordHash(user, password, false, false);
|
||||
user.RevisionDate = DateTime.UtcNow;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
|
||||
var success = result != PasswordVerificationResult.Failed;
|
||||
if(!success)
|
||||
{
|
||||
Logger.LogWarning(0, "Invalid password for user {userId}.", user.Id);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
|
||||
private async Task<IdentityResult> UpdatePasswordHash(User user, string newPassword,
|
||||
bool validatePassword = true, bool refreshStamp = true)
|
||||
{
|
||||
if(validatePassword)
|
||||
{
|
||||
@ -757,7 +781,10 @@ namespace Bit.Core.Services
|
||||
}
|
||||
|
||||
user.MasterPassword = _passwordHasher.HashPassword(user, newPassword);
|
||||
user.SecurityStamp = Guid.NewGuid().ToString();
|
||||
if(refreshStamp)
|
||||
{
|
||||
user.SecurityStamp = Guid.NewGuid().ToString();
|
||||
}
|
||||
|
||||
return IdentityResult.Success;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user