[PM-3487] prevent account enumeration on auth request endpoint (#3239)

2025-02-18 02:11:22 +01:00 · 2023-09-11 10:23:32 -04:00 · 2023-09-11 10:23:32 -04:00 · f909563211
commit f909563211
parent 917c657439
2 changed files with 26 additions and 17 deletions
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@ -82,27 +82,32 @@ public class AuthRequestService : IAuthRequestService
    /// </remarks>
    public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model)
    {
-        var user = await _userRepository.GetByEmailAsync(model.Email);
-        if (user == null)
-        {
-            throw new NotFoundException();
-        }
-
        if (!_currentContext.DeviceType.HasValue)
        {
            throw new BadRequestException("Device type not provided.");
        }

-        if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
+        var userNotFound = false;
+        var user = await _userRepository.GetByEmailAsync(model.Email);
+        if (user == null)
+        {
+            userNotFound = true;
+        }
+        else if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
        {
            var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
            if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
            {
-                throw new BadRequestException(
-                    "Login with device is only available on devices that have been previously logged in.");
+                userNotFound = true;
            }
        }

+        // Anonymous endpoints must not leak that a user exists or not
+        if (userNotFound)
+        {
+            throw new BadRequestException("User or known device not found.");
+        }
+
        // AdminApproval requests require correlating the user and their organization
        if (model.Type == AuthRequestType.AdminApproval)
        {
--- a/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
+++ b/test/Core.Test/Auth/Services/AuthRequestServiceTests.cs
@ -142,15 +142,19 @@ public class AuthRequestServiceTests
    }

    [Theory, BitAutoData]
-    public async Task CreateAuthRequestAsync_NoUser_ThrowsNotFound(
+    public async Task CreateAuthRequestAsync_NoUser_ThrowsBadRequest(
        SutProvider<AuthRequestService> sutProvider,
        AuthRequestCreateRequestModel createModel)
    {
+        sutProvider.GetDependency<ICurrentContext>()
+            .DeviceType
+            .Returns(DeviceType.Android);
+
        sutProvider.GetDependency<IUserRepository>()
            .GetByEmailAsync(createModel.Email)
            .Returns((User?)null);

-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
    }

    [Theory, BitAutoData]