nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-03 17:12:49 -05:00
Code Activity

CSA-1 - adding master password authentication when enrolling in passw… (#1940)

Browse Source 
* CSA-2 - adding master password authentication when enrolling in password reset

* Getting user by principal rather than ID

* Removing unnecessary userId call

* Use secret verification for re-auth api requests

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
This commit is contained in:
Carlos J. Muentes
2022-05-19 15:55:42 -04:00
committed by GitHub
parent 60e36a8f0f
commit 452472deab
2 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/Api/Controllers/OrganizationUsersController.cs
View File

@ -271,8 +271,23 @@ namespace Bit.Api.Controllers
[HttpPut("{userId}/reset-password-enrollment")]
public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody] OrganizationUserResetPasswordEnrollmentRequestModel model)
{
var callingUserId = _userService.GetProperUserId(User);
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
var user = await _userService.GetUserByPrincipalAsync(User);
if (user == null)
{
throw new UnauthorizedAccessException();
}
if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
else
{
var callingUserId = user.Id;
await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
}
}
[HttpPut("{id}/reset-password")]