[PM-19883] Add untrust devices endpoint (#5619)

* Add untrust devices endpoint * Fix tests * Update src/Core/Auth/UserFeatures/DeviceTrust/UntrustDevicesCommand.cs Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> * Fix whitespace --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
2025-07-03 00:52:49 -05:00 · 2025-04-09 14:26:06 +02:00
parent 19b5431177
commit 0a4f97b50e
7 changed files with 141 additions and 0 deletions
--- a/src/Core/Auth/UserFeatures/DeviceTrust/Interfaces/IUntrustDevicesCommand.cs
+++ b/src/Core/Auth/UserFeatures/DeviceTrust/Interfaces/IUntrustDevicesCommand.cs
@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Auth.UserFeatures.DeviceTrust;
+
+public interface IUntrustDevicesCommand
+{
+    public Task UntrustDevices(User user, IEnumerable<Guid> devicesToUntrust);
+}
--- a/src/Core/Auth/UserFeatures/DeviceTrust/UntrustDevicesCommand.cs
+++ b/src/Core/Auth/UserFeatures/DeviceTrust/UntrustDevicesCommand.cs
@ -0,0 +1,39 @@
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Auth.UserFeatures.DeviceTrust;
+
+public class UntrustDevicesCommand : IUntrustDevicesCommand
+{
+    private readonly IDeviceRepository _deviceRepository;
+
+    public UntrustDevicesCommand(
+        IDeviceRepository deviceRepository)
+    {
+        _deviceRepository = deviceRepository;
+    }
+
+    public async Task UntrustDevices(User user, IEnumerable<Guid> devicesToUntrust)
+    {
+        var userDevices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
+        var deviceIdDict = userDevices.ToDictionary(device => device.Id);
+
+        // Validate that the user owns all devices that they passed in
+        foreach (var deviceId in devicesToUntrust)
+        {
+            if (!deviceIdDict.ContainsKey(deviceId))
+            {
+                throw new UnauthorizedAccessException($"User {user.Id} does not have access to device {deviceId}");
+            }
+        }
+
+        foreach (var deviceId in devicesToUntrust)
+        {
+            var device = deviceIdDict[deviceId];
+            device.EncryptedPrivateKey = null;
+            device.EncryptedPublicKey = null;
+            device.EncryptedUserKey = null;
+            await _deviceRepository.UpsertAsync(device);
+        }
+    }
+}
--- a/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
+++ b/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
@ -1,5 +1,6 @@


+using Bit.Core.Auth.UserFeatures.DeviceTrust;
 using Bit.Core.Auth.UserFeatures.Registration;
 using Bit.Core.Auth.UserFeatures.Registration.Implementations;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
@ -22,6 +23,7 @@ public static class UserServiceCollectionExtensions
    public static void AddUserServices(this IServiceCollection services, IGlobalSettings globalSettings)
    {
        services.AddScoped<IUserService, UserService>();
+        services.AddDeviceTrustCommands();
        services.AddUserPasswordCommands();
        services.AddUserRegistrationCommands();
        services.AddWebAuthnLoginCommands();
@ -29,6 +31,11 @@ public static class UserServiceCollectionExtensions
        services.AddTwoFactorQueries();
    }

+    public static void AddDeviceTrustCommands(this IServiceCollection services)
+    {
+        services.AddScoped<IUntrustDevicesCommand, UntrustDevicesCommand>();
+    }
+
    public static void AddUserKeyCommands(this IServiceCollection services, IGlobalSettings globalSettings)
    {
        services.AddScoped<IRotateUserKeyCommand, RotateUserKeyCommand>();