diff --git a/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs b/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs new file mode 100644 index 0000000000..4de8d563c8 --- /dev/null +++ b/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs @@ -0,0 +1,17 @@ +#nullable enable +using System.ComponentModel.DataAnnotations; +using Bit.Core.Utilities; + +namespace Bit.Core.Auth.Models.Api.Request.Accounts; + +public class RegisterVerificationEmailClickedRequestModel +{ + [Required] + [StrictEmailAddress] + [StringLength(256)] + public string Email { get; set; } + + [Required] + public string EmailVerificationToken { get; set; } + +} diff --git a/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs b/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs index 7d1a5832b3..006da70080 100644 --- a/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs +++ b/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs @@ -55,4 +55,12 @@ public class RegistrationEmailVerificationTokenable : ExpiringTokenable && !string.IsNullOrWhiteSpace(Email); + public static bool ValidateToken(IDataProtectorTokenFactory dataProtectorTokenFactory, string token, string userEmail) + { + return dataProtectorTokenFactory.TryUnprotect(token, out var tokenable) + && tokenable.Valid + && tokenable.TokenIsValid(userEmail); + } + + } diff --git a/src/Core/Tools/Enums/ReferenceEventSource.cs b/src/Core/Tools/Enums/ReferenceEventSource.cs index 6030cb201b..87a71cf450 100644 --- a/src/Core/Tools/Enums/ReferenceEventSource.cs +++ b/src/Core/Tools/Enums/ReferenceEventSource.cs @@ -10,6 +10,6 @@ public enum ReferenceEventSource User, [EnumMember(Value = "provider")] Provider, - [EnumMember(Value = "registrationStart")] - RegistrationStart, + [EnumMember(Value = "registration")] + Registration, } diff --git a/src/Core/Tools/Enums/ReferenceEventType.cs b/src/Core/Tools/Enums/ReferenceEventType.cs index 17d86e7172..a1446b9fc4 100644 --- a/src/Core/Tools/Enums/ReferenceEventType.cs +++ b/src/Core/Tools/Enums/ReferenceEventType.cs @@ -6,6 +6,8 @@ public enum ReferenceEventType { [EnumMember(Value = "signup-email-submit")] SignupEmailSubmit, + [EnumMember(Value = "signup-email-clicked")] + SignupEmailClicked, [EnumMember(Value = "signup")] Signup, [EnumMember(Value = "upgrade-plan")] diff --git a/src/Core/Tools/Models/Business/ReferenceEvent.cs b/src/Core/Tools/Models/Business/ReferenceEvent.cs index 9b4befdbc5..a93817ca44 100644 --- a/src/Core/Tools/Models/Business/ReferenceEvent.cs +++ b/src/Core/Tools/Models/Business/ReferenceEvent.cs @@ -256,7 +256,19 @@ public class ReferenceEvent public string? PlanUpgradePath { get; set; } /// - /// Used for the sign up event to determine if the user has opted in to marketing emails. + /// Used for the event to determine if the user has opted in to marketing emails. /// public bool? ReceiveMarketingEmails { get; set; } + + /// + /// Used for the event to indicate if the user + /// landed on the registration finish screen with a valid or invalid email verification token. + /// + public bool? EmailVerificationTokenValid { get; set; } + + /// + /// Used for the event to indicate if the user + /// landed on the registration finish screen after re-clicking an already used link. + /// + public bool? UserAlreadyExists { get; set; } } diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs index 37a18bb9a5..c3cad4a4a7 100644 --- a/src/Identity/Controllers/AccountsController.cs +++ b/src/Identity/Controllers/AccountsController.cs @@ -41,6 +41,7 @@ public class AccountsController : Controller private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand; private readonly IReferenceEventService _referenceEventService; private readonly IFeatureService _featureService; + private readonly IDataProtectorTokenFactory _registrationEmailVerificationTokenDataFactory; public AccountsController( ICurrentContext currentContext, @@ -52,7 +53,8 @@ public class AccountsController : Controller IGetWebAuthnLoginCredentialAssertionOptionsCommand getWebAuthnLoginCredentialAssertionOptionsCommand, ISendVerificationEmailForRegistrationCommand sendVerificationEmailForRegistrationCommand, IReferenceEventService referenceEventService, - IFeatureService featureService + IFeatureService featureService, + IDataProtectorTokenFactory registrationEmailVerificationTokenDataFactory ) { _currentContext = currentContext; @@ -65,6 +67,7 @@ public class AccountsController : Controller _sendVerificationEmailForRegistrationCommand = sendVerificationEmailForRegistrationCommand; _referenceEventService = referenceEventService; _featureService = featureService; + _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory; } [HttpPost("register")] @@ -90,7 +93,7 @@ public class AccountsController : Controller Type = ReferenceEventType.SignupEmailSubmit, ClientId = _currentContext.ClientId, ClientVersion = _currentContext.ClientVersion, - Source = ReferenceEventSource.RegistrationStart + Source = ReferenceEventSource.Registration }; await _referenceEventService.RaiseEventAsync(refEvent); @@ -102,6 +105,39 @@ public class AccountsController : Controller return NoContent(); } + [RequireFeature(FeatureFlagKeys.EmailVerification)] + [HttpPost("register/verification-email-clicked")] + public async Task PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model) + { + var tokenValid = RegistrationEmailVerificationTokenable.ValidateToken(_registrationEmailVerificationTokenDataFactory, model.EmailVerificationToken, model.Email); + + // Check to see if the user already exists - this is just to catch the unlikely but possible case + // where a user finishes registration and then clicks the email verification link again. + var user = await _userRepository.GetByEmailAsync(model.Email); + var userExists = user != null; + + var refEvent = new ReferenceEvent + { + Type = ReferenceEventType.SignupEmailClicked, + ClientId = _currentContext.ClientId, + ClientVersion = _currentContext.ClientVersion, + Source = ReferenceEventSource.Registration, + EmailVerificationTokenValid = tokenValid, + UserAlreadyExists = userExists + }; + + await _referenceEventService.RaiseEventAsync(refEvent); + + if (!tokenValid || userExists) + { + throw new BadRequestException("Expired link. Please restart registration or try logging in. You may already have an account"); + } + + return Ok(); + + + } + [RequireFeature(FeatureFlagKeys.EmailVerification)] [HttpPost("register/finish")] public async Task PostRegisterFinish([FromBody] RegisterFinishRequestModel model) diff --git a/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs b/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs index 13ab748e4f..36d5891d78 100644 --- a/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs +++ b/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs @@ -268,6 +268,43 @@ public class AccountsControllerTests : IClassFixture Assert.Equal(kdfParallelism, user.KdfParallelism); } + [Theory, BitAutoData] + public async Task PostRegisterVerificationEmailClicked_Success( + [Required, StringLength(20)] string name, + string emailVerificationToken) + { + // Arrange + // Localize substitutions to this test. + var localFactory = new IdentityApplicationFactory(); + + var email = $"test+register+{name}@email.com"; + var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email); + + localFactory.SubstituteService>(emailVerificationTokenDataProtectorFactory => + { + emailVerificationTokenDataProtectorFactory.TryUnprotect(Arg.Is(emailVerificationToken), out Arg.Any()) + .Returns(callInfo => + { + callInfo[1] = registrationEmailVerificationTokenable; + return true; + }); + }); + + var requestModel = new RegisterVerificationEmailClickedRequestModel + { + Email = email, + EmailVerificationToken = emailVerificationToken + }; + + // Act + var httpContext = await localFactory.PostRegisterVerificationEmailClicked(requestModel); + + var body = await httpContext.ReadBodyAsStringAsync(); + + // Assert + Assert.Equal(StatusCodes.Status200OK, httpContext.Response.StatusCode); + } + private async Task CreateUserAsync(string email, string name, IdentityApplicationFactory factory = null) { var factoryToUse = factory ?? _factory; diff --git a/test/Identity.Test/Controllers/AccountsControllerTests.cs b/test/Identity.Test/Controllers/AccountsControllerTests.cs index 594679ca02..8de0282bb4 100644 --- a/test/Identity.Test/Controllers/AccountsControllerTests.cs +++ b/test/Identity.Test/Controllers/AccountsControllerTests.cs @@ -41,6 +41,8 @@ public class AccountsControllerTests : IDisposable private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand; private readonly IReferenceEventService _referenceEventService; private readonly IFeatureService _featureService; + private readonly IDataProtectorTokenFactory _registrationEmailVerificationTokenDataFactory; + public AccountsControllerTests() { @@ -54,6 +56,8 @@ public class AccountsControllerTests : IDisposable _sendVerificationEmailForRegistrationCommand = Substitute.For(); _referenceEventService = Substitute.For(); _featureService = Substitute.For(); + _registrationEmailVerificationTokenDataFactory = Substitute.For>(); + _sut = new AccountsController( _currentContext, _logger, @@ -64,7 +68,8 @@ public class AccountsControllerTests : IDisposable _getWebAuthnLoginCredentialAssertionOptionsCommand, _sendVerificationEmailForRegistrationCommand, _referenceEventService, - _featureService + _featureService, + _registrationEmailVerificationTokenDataFactory ); } @@ -380,4 +385,105 @@ public class AccountsControllerTests : IDisposable Assert.Equal(duplicateUserEmailErrorDesc, modelError.ErrorMessage); } + + [Theory, BitAutoData] + public async Task PostRegisterVerificationEmailClicked_WhenTokenIsValid_ShouldReturnOk(string email, string emailVerificationToken) + { + // Arrange + var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email); + _registrationEmailVerificationTokenDataFactory + .TryUnprotect(emailVerificationToken, out Arg.Any()) + .Returns(callInfo => + { + callInfo[1] = registrationEmailVerificationTokenable; + return true; + }); + + _userRepository.GetByEmailAsync(email).ReturnsNull(); // no existing user + + var requestModel = new RegisterVerificationEmailClickedRequestModel + { + Email = email, + EmailVerificationToken = emailVerificationToken + }; + + // Act + var result = await _sut.PostRegisterVerificationEmailClicked(requestModel); + + // Assert + var okResult = Assert.IsType(result); + Assert.Equal(200, okResult.StatusCode); + + await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is(e => + e.Type == ReferenceEventType.SignupEmailClicked + && e.EmailVerificationTokenValid == true + && e.UserAlreadyExists == false + )); + } + + [Theory, BitAutoData] + public async Task PostRegisterVerificationEmailClicked_WhenTokenIsInvalid_ShouldReturnBadRequest(string email, string emailVerificationToken) + { + // Arrange + var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable("wrongEmail"); + _registrationEmailVerificationTokenDataFactory + .TryUnprotect(emailVerificationToken, out Arg.Any()) + .Returns(callInfo => + { + callInfo[1] = registrationEmailVerificationTokenable; + return true; + }); + + _userRepository.GetByEmailAsync(email).ReturnsNull(); // no existing user + + var requestModel = new RegisterVerificationEmailClickedRequestModel + { + Email = email, + EmailVerificationToken = emailVerificationToken + }; + + // Act & assert + await Assert.ThrowsAsync(() => _sut.PostRegisterVerificationEmailClicked(requestModel)); + + await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is(e => + e.Type == ReferenceEventType.SignupEmailClicked + && e.EmailVerificationTokenValid == false + && e.UserAlreadyExists == false + )); + } + + + [Theory, BitAutoData] + public async Task PostRegisterVerificationEmailClicked_WhenTokenIsValidButExistingUser_ShouldReturnBadRequest(string email, string emailVerificationToken, User existingUser) + { + // Arrange + var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email); + _registrationEmailVerificationTokenDataFactory + .TryUnprotect(emailVerificationToken, out Arg.Any()) + .Returns(callInfo => + { + callInfo[1] = registrationEmailVerificationTokenable; + return true; + }); + + _userRepository.GetByEmailAsync(email).Returns(existingUser); + + var requestModel = new RegisterVerificationEmailClickedRequestModel + { + Email = email, + EmailVerificationToken = emailVerificationToken + }; + + // Act & assert + await Assert.ThrowsAsync(() => _sut.PostRegisterVerificationEmailClicked(requestModel)); + + await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is(e => + e.Type == ReferenceEventType.SignupEmailClicked + && e.EmailVerificationTokenValid == true + && e.UserAlreadyExists == true + )); + } + + + } diff --git a/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs b/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs index 8d645798ed..b16a366153 100644 --- a/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs +++ b/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs @@ -29,6 +29,11 @@ public class IdentityApplicationFactory : WebApplicationFactoryBase return await Server.PostAsync("/accounts/register/finish", JsonContent.Create(model)); } + public async Task PostRegisterVerificationEmailClicked(RegisterVerificationEmailClickedRequestModel model) + { + return await Server.PostAsync("/accounts/register/verification-email-clicked", JsonContent.Create(model)); + } + public async Task<(string Token, string RefreshToken)> TokenFromPasswordAsync(string username, string password, string deviceIdentifier = DefaultDeviceIdentifier,