security stamp validation for passwordless login

2024-11-22 12:15:36 +01:00 · 2019-01-17 16:07:24 -05:00 · 2019-01-17 16:07:24 -05:00 · e7e0d17ac6
commit e7e0d17ac6
parent 82ba3e4c30
2 changed files with 32 additions and 11 deletions
--- a/src/Admin/Startup.cs
+++ b/src/Admin/Startup.cs
@ -5,6 +5,7 @@ using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@ -48,6 +49,10 @@ namespace Bit.Admin

            // Identity
            services.AddPasswordlessIdentityServices<ReadOnlyEnvIdentityUserStore>(globalSettings);
+            services.Configure<SecurityStampValidatorOptions>(options =>
+            {
+                options.ValidationInterval = TimeSpan.FromMinutes(5);
+            });
            if(globalSettings.SelfHosted)
            {
                services.ConfigureApplicationCookie(options =>
--- a/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs
+++ b/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs
@ -1,4 +1,4 @@
-using System.Linq;
+using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using Bit.Core.Utilities;
@ -26,22 +26,38 @@ namespace Bit.Core.Identity
            }

            var users = usersCsv.ToLowerInvariant().Split(',');
-            var user = users.Where(a => a.Trim() == normalizedEmail).FirstOrDefault();
-            if(user == null || !user.Contains("@"))
+            var usersDict = new Dictionary<string, string>();
+            foreach(var u in users)
+            {
+                var parts = u.Split(':');
+                if(parts.Length == 2)
+                {
+                    var email = parts[0].Trim();
+                    var stamp = parts[1].Trim();
+                    usersDict.Add(email, stamp);
+                }
+                else
+                {
+                    var email = parts[0].Trim();
+                    usersDict.Add(email, email);
+                }
+            }
+
+            var userStamp = usersDict.ContainsKey(normalizedEmail) ? usersDict[normalizedEmail] : null;
+            if(userStamp == null)
            {
                return Task.FromResult<IdentityUser>(null);
            }
-
-            user = user.Trim();
+            
            return Task.FromResult(new IdentityUser
            {
-                Id = user,
-                Email = user,
-                NormalizedEmail = user,
+                Id = normalizedEmail,
+                Email = normalizedEmail,
+                NormalizedEmail = normalizedEmail,
                EmailConfirmed = true,
-                UserName = user,
-                NormalizedUserName = user,
-                SecurityStamp = user
+                UserName = normalizedEmail,
+                NormalizedUserName = normalizedEmail,
+                SecurityStamp = userStamp
            });
        }