Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-02-19 02:21:21 +01:00
Code Issues Projects Releases Wiki Activity

[PM-3487] prevent account enumeration on auth request endpoint (#3239)

Browse Source
This commit is contained in:
Jake Fink 2023-09-11 10:23:32 -04:00 committed by GitHub
parent 917c657439
commit f909563211
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/Core/Auth/Services/Implementations/AuthRequestService.cs
View File

@ -82,27 +82,32 @@ public class AuthRequestService : IAuthRequestService
/// </remarks> /// </remarks>
public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model) public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model)
{ {
var user = await _userRepository.GetByEmailAsync(model.Email);
if (user == null)
{
throw new NotFoundException();
}
if (!_currentContext.DeviceType.HasValue) if (!_currentContext.DeviceType.HasValue)
{ {
throw new BadRequestException("Device type not provided."); throw new BadRequestException("Device type not provided.");
} }
if (_globalSettings.PasswordlessAuth.KnownDevicesOnly) var userNotFound = false;
var user = await _userRepository.GetByEmailAsync(model.Email);
if (user == null)
{
userNotFound = true;
}
else if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
{ {
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id); var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier)) if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
{ {
throw new BadRequestException( userNotFound = true;
"Login with device is only available on devices that have been previously logged in.");
} }
} }
// Anonymous endpoints must not leak that a user exists or not
if (userNotFound)
{
throw new BadRequestException("User or known device not found.");
}
// AdminApproval requests require correlating the user and their organization // AdminApproval requests require correlating the user and their organization
if (model.Type == AuthRequestType.AdminApproval) if (model.Type == AuthRequestType.AdminApproval)
{ {

8
test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
View File

@ -142,15 +142,19 @@ public class AuthRequestServiceTests
} }
[Theory, BitAutoData] [Theory, BitAutoData]
public async Task CreateAuthRequestAsync_NoUser_ThrowsNotFound( public async Task CreateAuthRequestAsync_NoUser_ThrowsBadRequest(
SutProvider<AuthRequestService> sutProvider, SutProvider<AuthRequestService> sutProvider,
AuthRequestCreateRequestModel createModel) AuthRequestCreateRequestModel createModel)
{ {
sutProvider.GetDependency<ICurrentContext>()
.DeviceType
.Returns(DeviceType.Android);
sutProvider.GetDependency<IUserRepository>() sutProvider.GetDependency<IUserRepository>()
.GetByEmailAsync(createModel.Email) .GetByEmailAsync(createModel.Email)
.Returns((User?)null); .Returns((User?)null);
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel)); await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
} }
[Theory, BitAutoData] [Theory, BitAutoData]