[SG-167] Implement Passwordless Authentication via Notifications (#2276)

* [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2025-07-01 16:12:49 -05:00 · 2022-09-26 13:21:13 -04:00
parent 7c3637c8ba
commit 02bea3c48d
56 changed files with 5853 additions and 61 deletions
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -20,6 +20,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
    private readonly IUserService _userService;
    private readonly ICurrentContext _currentContext;
    private readonly ICaptchaValidationService _captchaValidationService;
+    private readonly IAuthRequestRepository _authRequestRepository;
    public ResourceOwnerPasswordValidator(
        UserManager<User> userManager,
        IDeviceRepository deviceRepository,
@ -36,6 +37,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
        GlobalSettings globalSettings,
        IPolicyRepository policyRepository,
        ICaptchaValidationService captchaValidationService,
+        IAuthRequestRepository authRequestRepository,
        IUserRepository userRepository)
        : base(userManager, deviceRepository, deviceService, userService, eventService,
              organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
@ -46,6 +48,7 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
        _userService = userService;
        _currentContext = currentContext;
        _captchaValidationService = captchaValidationService;
+        _authRequestRepository = authRequestRepository;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
@ -104,12 +107,31 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
            return false;
        }

-        if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
+        var authRequestId = context.Request.Raw["AuthRequest"]?.ToString()?.ToLowerInvariant();
+        if (!string.IsNullOrWhiteSpace(authRequestId) && Guid.TryParse(authRequestId, out var authRequestGuid))
        {
+            var authRequest = await _authRequestRepository.GetByIdAsync(authRequestGuid);
+            if (authRequest != null)
+            {
+                var requestAge = DateTime.UtcNow - authRequest.CreationDate;
+                if (requestAge < TimeSpan.FromHours(1) && !authRequest.AuthenticationDate.HasValue &&
+                    CoreHelpers.FixedTimeEquals(authRequest.AccessCode, context.Password))
+                {
+                    authRequest.AuthenticationDate = DateTime.UtcNow;
+                    await _authRequestRepository.ReplaceAsync(authRequest);
+                    return true;
+                }
+            }
            return false;
        }
-
-        return true;
+        else
+        {
+            if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
+            {
+                return false;
+            }
+            return true;
+        }
    }

    protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,