
[PM-9826] Remove validation from 2fa GET and mask sensitive data (#4526)

* remove validation from 2fa GET and mask sensitive data

* skip verification check on put email

* disable verification on send-email and reenable on put email

* validate authenticator on set instead of get

* Revert "validate authenticator on set instead of get"

This reverts commit 7bf2084531.

* fix tests

* fix more tests

* Narrow scope of verify bypass

* Defaulted to false on VerifySecretAsync

* fix default param value

---------

Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>
Co-authored-by: Todd Martin <tmartin@bitwarden.com>
This commit is contained in:
Jake Fink
2024-07-22 11:21:14 -04:00
committed by GitHub
parent 4f4750a0a6
commit 091c03a90c
6 changed files with 49 additions and 28 deletions


@ -1342,7 +1342,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
"otp:" + user.Email, token);
}
public async Task<bool> VerifySecretAsync(User user, string secret)
public async Task<bool> VerifySecretAsync(User user, string secret, bool isSettingMFA = false)
{
bool isVerified;
if (user.HasMasterPassword())
@ -1354,6 +1354,12 @@ public class UserService : UserManager<User>, IUserService, IDisposable
isVerified = await CheckPasswordAsync(user, secret) ||
await VerifyOTPAsync(user, secret);
}
else if (isSettingMFA)
{
// this is temporary to allow users to view their MFA settings without invalidating email TOTP
// Will be removed with PM-9925
isVerified = true;
}
else
{
// If they don't have a password at all they can only do OTP