From 3ffd240287008d34252b32ee5825af92ae55e5a9 Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Mon, 9 May 2022 12:25:13 -0400 Subject: [PATCH] captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- --- .../IdentityServer/BaseRequestValidator.cs | 39 +++++++---- .../CustomTokenRequestValidator.cs | 13 ++-- .../CustomValidatorRequestContext.cs | 12 ++++ .../ResourceOwnerPasswordValidator.cs | 36 +++++----- src/Core/Models/Business/CaptchaResponse.cs | 9 +++ .../Services/ICaptchaValidationService.cs | 8 +-- .../HCaptchaValidationService.cs | 67 +++++++++++++------ .../NoopCaptchaValidationService.cs | 10 +-- src/Core/Settings/GlobalSettings.cs | 2 + .../Utilities/CaptchaProtectedAttribute.cs | 8 +-- 10 files changed, 138 insertions(+), 66 deletions(-) create mode 100644 src/Core/IdentityServer/CustomValidatorRequestContext.cs create mode 100644 src/Core/Models/Business/CaptchaResponse.cs diff --git a/src/Core/IdentityServer/BaseRequestValidator.cs b/src/Core/IdentityServer/BaseRequestValidator.cs index 63dd15e749..d9d544c119 100644 --- a/src/Core/IdentityServer/BaseRequestValidator.cs +++ b/src/Core/IdentityServer/BaseRequestValidator.cs @@ -12,6 +12,7 @@ using Bit.Core.Enums; using Bit.Core.Identity; using Bit.Core.Models; using Bit.Core.Models.Api; +using Bit.Core.Models.Business; using Bit.Core.Models.Data; using Bit.Core.Repositories; using Bit.Core.Services; @@ -78,18 +79,25 @@ namespace Bit.Core.IdentityServer _captchaValidationService = captchaValidationService; } - protected async Task ValidateAsync(T context, ValidatedTokenRequest request, bool unknownDevice = false) + protected async Task ValidateAsync(T context, ValidatedTokenRequest request, + CustomValidatorRequestContext validatorContext) { + var isBot = (validatorContext.CaptchaResponse?.IsBot ?? false); + var twoFactorToken = request.Raw["TwoFactorToken"]?.ToString(); var twoFactorProvider = request.Raw["TwoFactorProvider"]?.ToString(); var twoFactorRemember = request.Raw["TwoFactorRemember"]?.ToString() == "1"; var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider); - var (user, valid) = await ValidateContextAsync(context); + var valid = await ValidateContextAsync(context, validatorContext); + var user = validatorContext.User; if (!valid) { - await UpdateFailedAuthDetailsAsync(user, false, unknownDevice); + await UpdateFailedAuthDetailsAsync(user, false, !validatorContext.KnownDevice); + } + if (!valid || isBot) + { await BuildErrorResultAsync("Username or password is incorrect. Try again.", false, context, user); return; } @@ -112,13 +120,13 @@ namespace Bit.Core.IdentityServer AfterVerifyTwoFactor(user, twoFactorProviderType, requires2FABecauseNewDevice); - if (!verified && twoFactorProviderType != TwoFactorProviderType.Remember) + if ((!verified || isBot) && twoFactorProviderType != TwoFactorProviderType.Remember) { - await UpdateFailedAuthDetailsAsync(user, true, unknownDevice); + await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice); await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user); return; } - else if (!verified && twoFactorProviderType == TwoFactorProviderType.Remember) + else if ((!verified || isBot) && twoFactorProviderType == TwoFactorProviderType.Remember) { // Delay for brute force. await Task.Delay(2000); @@ -153,7 +161,7 @@ namespace Bit.Core.IdentityServer } } - protected abstract Task<(User, bool)> ValidateContextAsync(T context); + protected abstract Task ValidateContextAsync(T context, CustomValidatorRequestContext validatorContext); protected async Task BuildSuccessResultAsync(User user, T context, Device device, bool sendRememberToken) { @@ -407,9 +415,7 @@ namespace Bit.Core.IdentityServer private void BeforeVerifyTwoFactor(User user, TwoFactorProviderType type, bool requires2FABecauseNewDevice) { - if (type == TwoFactorProviderType.Email - && - requires2FABecauseNewDevice) + if (type == TwoFactorProviderType.Email && requires2FABecauseNewDevice) { user.SetTwoFactorProviders(new Dictionary { @@ -424,9 +430,7 @@ namespace Bit.Core.IdentityServer private void AfterVerifyTwoFactor(User user, TwoFactorProviderType type, bool requires2FABecauseNewDevice) { - if (type == TwoFactorProviderType.Email - && - requires2FABecauseNewDevice) + if (type == TwoFactorProviderType.Email && requires2FABecauseNewDevice) { user.ClearTwoFactorProviders(); } @@ -595,7 +599,7 @@ namespace Bit.Core.IdentityServer user.LastFailedLoginDate = user.RevisionDate = utcNow; await _userRepository.ReplaceAsync(user); - if (_captchaValidationService.ValidateFailedAuthEmailConditions(unknownDevice, user.FailedLoginCount)) + if (ValidateFailedAuthEmailConditions(unknownDevice, user)) { if (twoFactorInvalid) { @@ -607,5 +611,12 @@ namespace Bit.Core.IdentityServer } } } + + private bool ValidateFailedAuthEmailConditions(bool unknownDevice, User user) + { + var failedLoginCeiling = _globalSettings.Captcha.MaximumFailedLoginAttempts; + var failedLoginCount = user?.FailedLoginCount ?? 0; + return unknownDevice && failedLoginCeiling > 0 && failedLoginCount == failedLoginCeiling; + } } } diff --git a/src/Core/IdentityServer/CustomTokenRequestValidator.cs b/src/Core/IdentityServer/CustomTokenRequestValidator.cs index e673c3ff55..cea01ba01a 100644 --- a/src/Core/IdentityServer/CustomTokenRequestValidator.cs +++ b/src/Core/IdentityServer/CustomTokenRequestValidator.cs @@ -63,15 +63,20 @@ namespace Bit.Core.IdentityServer { return; } - await ValidateAsync(context, context.Result.ValidatedRequest); + await ValidateAsync(context, context.Result.ValidatedRequest, + new CustomValidatorRequestContext { KnownDevice = true }); } - protected async override Task<(User, bool)> ValidateContextAsync(CustomTokenRequestValidationContext context) + protected async override Task ValidateContextAsync(CustomTokenRequestValidationContext context, + CustomValidatorRequestContext validatorContext) { var email = context.Result.ValidatedRequest.Subject?.GetDisplayName() ?? context.Result.ValidatedRequest.ClientClaims?.FirstOrDefault(claim => claim.Type == JwtClaimTypes.Email)?.Value; - var user = string.IsNullOrWhiteSpace(email) ? null : await _userManager.FindByEmailAsync(email); - return (user, user != null); + if (!string.IsNullOrWhiteSpace(email)) + { + validatorContext.User = await _userManager.FindByEmailAsync(email); + } + return validatorContext.User != null; } protected override async Task SetSuccessResult(CustomTokenRequestValidationContext context, User user, diff --git a/src/Core/IdentityServer/CustomValidatorRequestContext.cs b/src/Core/IdentityServer/CustomValidatorRequestContext.cs new file mode 100644 index 0000000000..f5e95aaa8c --- /dev/null +++ b/src/Core/IdentityServer/CustomValidatorRequestContext.cs @@ -0,0 +1,12 @@ +using Bit.Core.Entities; +using Bit.Core.Models.Business; + +namespace Bit.Core.IdentityServer +{ + public class CustomValidatorRequestContext + { + public User User { get; set; } + public bool KnownDevice { get; set; } + public CaptchaResponse CaptchaResponse { get; set; } + } +} diff --git a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs index dca11723b4..508bd8ad91 100644 --- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs +++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs @@ -59,25 +59,31 @@ namespace Bit.Core.IdentityServer return; } - string bypassToken = null; var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant()); - var unknownDevice = !await KnownDeviceAsync(user, context.Request); - if (unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext, user?.FailedLoginCount ?? 0)) + var validatorContext = new CustomValidatorRequestContext + { + User = user, + KnownDevice = await KnownDeviceAsync(user, context.Request) + }; + string bypassToken = null; + if (!validatorContext.KnownDevice && + _captchaValidationService.RequireCaptchaValidation(_currentContext, user)) { var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString(); if (string.IsNullOrWhiteSpace(captchaResponse)) { context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.", - new Dictionary { + new Dictionary + { { _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey }, }); return; } - var captchaValid = _captchaValidationService.ValidateCaptchaBypassToken(captchaResponse, user) || - await _captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse, _currentContext.IpAddress); - if (!captchaValid) + validatorContext.CaptchaResponse = await _captchaValidationService.ValidateCaptchaResponseAsync( + captchaResponse, _currentContext.IpAddress, null); + if (!validatorContext.CaptchaResponse.Success) { await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null); return; @@ -85,27 +91,27 @@ namespace Bit.Core.IdentityServer bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user); } - await ValidateAsync(context, context.Request, unknownDevice); + await ValidateAsync(context, context.Request, validatorContext); if (context.Result.CustomResponse != null && bypassToken != null) { context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken; } } - protected async override Task<(User, bool)> ValidateContextAsync(ResourceOwnerPasswordValidationContext context) + protected async override Task ValidateContextAsync(ResourceOwnerPasswordValidationContext context, + CustomValidatorRequestContext validatorContext) { - if (string.IsNullOrWhiteSpace(context.UserName)) + if (string.IsNullOrWhiteSpace(context.UserName) || validatorContext.User == null) { - return (null, false); + return false; } - var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant()); - if (user == null || !await _userService.CheckPasswordAsync(user, context.Password)) + if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password)) { - return (user, false); + return false; } - return (user, true); + return true; } protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user, diff --git a/src/Core/Models/Business/CaptchaResponse.cs b/src/Core/Models/Business/CaptchaResponse.cs new file mode 100644 index 0000000000..e1d791647f --- /dev/null +++ b/src/Core/Models/Business/CaptchaResponse.cs @@ -0,0 +1,9 @@ +namespace Bit.Core.Models.Business +{ + public class CaptchaResponse + { + public bool Success { get; set; } + public bool MaybeBot { get; set; } + public bool IsBot { get; set; } + } +} diff --git a/src/Core/Services/ICaptchaValidationService.cs b/src/Core/Services/ICaptchaValidationService.cs index 8b983ebedf..3816fbf0b4 100644 --- a/src/Core/Services/ICaptchaValidationService.cs +++ b/src/Core/Services/ICaptchaValidationService.cs @@ -1,6 +1,7 @@ using System.Threading.Tasks; using Bit.Core.Context; using Bit.Core.Entities; +using Bit.Core.Models.Business; namespace Bit.Core.Services { @@ -8,10 +9,9 @@ namespace Bit.Core.Services { string SiteKey { get; } string SiteKeyResponseKeyName { get; } - bool RequireCaptchaValidation(ICurrentContext currentContext, int failedLoginCount = 0); - Task ValidateCaptchaResponseAsync(string captchResponse, string clientIpAddress); + bool RequireCaptchaValidation(ICurrentContext currentContext, User user = null); + Task ValidateCaptchaResponseAsync(string captchResponse, string clientIpAddress, + User user = null); string GenerateCaptchaBypassToken(User user); - bool ValidateCaptchaBypassToken(string encryptedToken, User user); - bool ValidateFailedAuthEmailConditions(bool unknownDevice, int failedLoginCount); } } diff --git a/src/Core/Services/Implementations/HCaptchaValidationService.cs b/src/Core/Services/Implementations/HCaptchaValidationService.cs index e066d62c83..5902aeec33 100644 --- a/src/Core/Services/Implementations/HCaptchaValidationService.cs +++ b/src/Core/Services/Implementations/HCaptchaValidationService.cs @@ -2,10 +2,11 @@ using System.Collections.Generic; using System.Net.Http; using System.Net.Http.Json; -using System.Text.Json; +using System.Text.Json.Serialization; using System.Threading.Tasks; using Bit.Core.Context; using Bit.Core.Entities; +using Bit.Core.Models.Business; using Bit.Core.Models.Business.Tokenables; using Bit.Core.Settings; using Bit.Core.Tokens; @@ -37,14 +38,19 @@ namespace Bit.Core.Services public string GenerateCaptchaBypassToken(User user) => _tokenizer.Protect(new HCaptchaTokenable(user)); - public bool ValidateCaptchaBypassToken(string bypassToken, User user) => - TokenIsApiKey(bypassToken, user) || TokenIsCaptchaBypassToken(bypassToken, user); - - public async Task ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress) + public async Task ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress, + User user = null) { + var response = new CaptchaResponse { Success = false }; if (string.IsNullOrWhiteSpace(captchaResponse)) { - return false; + return response; + } + + if (user != null && ValidateCaptchaBypassToken(captchaResponse, user)) + { + response.Success = true; + return response; } var httpClient = _httpClientFactory.CreateClient("HCaptchaValidationService"); @@ -70,39 +76,60 @@ namespace Bit.Core.Services catch (Exception e) { _logger.LogError(11389, e, "Unable to verify with HCaptcha."); - return false; + return response; } if (!responseMessage.IsSuccessStatusCode) { - return false; + return response; } - using var jsonDocument = await responseMessage.Content.ReadFromJsonAsync(); - var root = jsonDocument.RootElement; - return root.GetProperty("success").GetBoolean(); + using var hcaptchaResponse = await responseMessage.Content.ReadFromJsonAsync(); + response.Success = hcaptchaResponse.Success; + var score = hcaptchaResponse.Score.GetValueOrDefault(); + response.MaybeBot = score >= _globalSettings.Captcha.MaybeBotScoreThreshold; + response.IsBot = score >= _globalSettings.Captcha.IsBotScoreThreshold; + return response; } - public bool RequireCaptchaValidation(ICurrentContext currentContext, int failedLoginCount = 0) + public bool RequireCaptchaValidation(ICurrentContext currentContext, User user = null) { + if (user == null) + { + return currentContext.IsBot || _globalSettings.Captcha.ForceCaptchaRequired; + } + var failedLoginCeiling = _globalSettings.Captcha.MaximumFailedLoginAttempts; + var failedLoginCount = user?.FailedLoginCount ?? 0; + var cloudEmailUnverified = !_globalSettings.SelfHosted && !user.EmailVerified; return currentContext.IsBot || _globalSettings.Captcha.ForceCaptchaRequired || + cloudEmailUnverified || failedLoginCeiling > 0 && failedLoginCount >= failedLoginCeiling; } - public bool ValidateFailedAuthEmailConditions(bool unknownDevice, int failedLoginCount) - { - var failedLoginCeiling = _globalSettings.Captcha.MaximumFailedLoginAttempts; - return unknownDevice && failedLoginCeiling > 0 && failedLoginCount == failedLoginCeiling; - } - - private static bool TokenIsApiKey(string bypassToken, User user) => + private static bool TokenIsValidApiKey(string bypassToken, User user) => !string.IsNullOrWhiteSpace(bypassToken) && user != null && user.ApiKey == bypassToken; - private bool TokenIsCaptchaBypassToken(string encryptedToken, User user) + + private bool TokenIsValidCaptchaBypassToken(string encryptedToken, User user) { return _tokenizer.TryUnprotect(encryptedToken, out var data) && data.Valid && data.TokenIsValid(user); } + + private bool ValidateCaptchaBypassToken(string bypassToken, User user) => + TokenIsValidApiKey(bypassToken, user) || TokenIsValidCaptchaBypassToken(bypassToken, user); + + public class HCaptchaResponse : IDisposable + { + [JsonPropertyName("success")] + public bool Success { get; set; } + [JsonPropertyName("score")] + public double? Score { get; set; } + [JsonPropertyName("score_reason")] + public List ScoreReason { get; set; } + + public void Dispose() { } + } } } diff --git a/src/Core/Services/NoopImplementations/NoopCaptchaValidationService.cs b/src/Core/Services/NoopImplementations/NoopCaptchaValidationService.cs index bf62368ec3..de68cc490a 100644 --- a/src/Core/Services/NoopImplementations/NoopCaptchaValidationService.cs +++ b/src/Core/Services/NoopImplementations/NoopCaptchaValidationService.cs @@ -1,6 +1,7 @@ using System.Threading.Tasks; using Bit.Core.Context; using Bit.Core.Entities; +using Bit.Core.Models.Business; namespace Bit.Core.Services { @@ -8,13 +9,12 @@ namespace Bit.Core.Services { public string SiteKeyResponseKeyName => null; public string SiteKey => null; - public bool RequireCaptchaValidation(ICurrentContext currentContext, int failedLoginCount = 0) => false; - public bool ValidateFailedAuthEmailConditions(bool unknownDevice, int failedLoginCount) => false; + public bool RequireCaptchaValidation(ICurrentContext currentContext, User user = null) => false; public string GenerateCaptchaBypassToken(User user) => ""; - public bool ValidateCaptchaBypassToken(string encryptedToken, User user) => false; - public Task ValidateCaptchaResponseAsync(string captchResponse, string clientIpAddress) + public Task ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress, + User user = null) { - return Task.FromResult(true); + return Task.FromResult(new CaptchaResponse { Success = true }); } } } diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs index 1f6c242038..342a3e57b3 100644 --- a/src/Core/Settings/GlobalSettings.cs +++ b/src/Core/Settings/GlobalSettings.cs @@ -469,6 +469,8 @@ namespace Bit.Core.Settings public string HCaptchaSecretKey { get; set; } public string HCaptchaSiteKey { get; set; } public int MaximumFailedLoginAttempts { get; set; } + public double MaybeBotScoreThreshold { get; set; } = double.MaxValue; + public double IsBotScoreThreshold { get; set; } = double.MaxValue; } public class StripeSettings diff --git a/src/Core/Utilities/CaptchaProtectedAttribute.cs b/src/Core/Utilities/CaptchaProtectedAttribute.cs index 27dabb3bb4..102f1f175a 100644 --- a/src/Core/Utilities/CaptchaProtectedAttribute.cs +++ b/src/Core/Utilities/CaptchaProtectedAttribute.cs @@ -16,7 +16,7 @@ namespace Bit.Core.Utilities var currentContext = context.HttpContext.RequestServices.GetRequiredService(); var captchaValidationService = context.HttpContext.RequestServices.GetRequiredService(); - if (captchaValidationService.RequireCaptchaValidation(currentContext)) + if (captchaValidationService.RequireCaptchaValidation(currentContext, null)) { var captchaResponse = (context.ActionArguments[ModelParameterName] as ICaptchaProtectedModel)?.CaptchaResponse; @@ -25,9 +25,9 @@ namespace Bit.Core.Utilities throw new BadRequestException(captchaValidationService.SiteKeyResponseKeyName, captchaValidationService.SiteKey); } - var captchaValid = captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse, - currentContext.IpAddress).GetAwaiter().GetResult(); - if (!captchaValid) + var captchaValidationResponse = captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse, + currentContext.IpAddress, null).GetAwaiter().GetResult(); + if (!captchaValidationResponse.Success || captchaValidationResponse.IsBot) { throw new BadRequestException("Captcha is invalid. Please refresh and try again"); }