nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-16 10:38:17 -05:00
Code

refactorings around two-factor controller

Browse Source
This commit is contained in:
Kyle Spearrin 2017-06-20 10:08:59 -04:00
parent 475160cfe1
commit 612697e815
8 changed files with 79 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
src/Api/Controllers/TwoFactorController.cs
View File

@ -43,7 +43,7 @@ namespace Bit.Api.Controllers
[HttpPost("get-authenticator")]
public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator([FromBody]TwoFactorRequestModel model)
{
var user = await GetProviderAsync(model, TwoFactorProviderType.Authenticator);
var user = await CheckPasswordAsync(model.MasterPasswordHash);
var response = new TwoFactorAuthenticatorResponseModel(user);
return response;
}
@ -53,17 +53,8 @@ namespace Bit.Api.Controllers
public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
[FromBody]UpdateTwoFactorAuthenticatorRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if(user == null)
{
throw new UnauthorizedAccessException();
}
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
var user = await CheckPasswordAsync(model.MasterPasswordHash);
model.ToUser(user);
if(!await _userManager.VerifyTwoFactorTokenAsync(user, TwoFactorProviderType.Authenticator.ToString(), model.Token))
{
@ -79,7 +70,7 @@ namespace Bit.Api.Controllers
[HttpPost("get-email")]
public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody]TwoFactorRequestModel model)
{
var user = await GetProviderAsync(model, TwoFactorProviderType.Email);
var user = await CheckPasswordAsync(model.MasterPasswordHash);
var response = new TwoFactorEmailResponseModel(user);
return response;
}
@ -87,51 +78,25 @@ namespace Bit.Api.Controllers
[HttpPost("send-email")]
public async Task SendEmail([FromBody]TwoFactorEmailRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if(user == null)
{
throw new UnauthorizedAccessException();
}
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
await _userService.SendTwoFactorEmailAsync(user, model.Email);
var user = await CheckPasswordAsync(model.MasterPasswordHash);
model.ToUser(user);
await _userService.SendTwoFactorEmailAsync(user);
}
[HttpPut("email")]
[HttpPost("email")]
public async Task<TwoFactorEmailResponseModel> PutEmail([FromBody]UpdateTwoFactorEmailRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if(user == null)
{
throw new UnauthorizedAccessException();
}
var user = await CheckPasswordAsync(model.MasterPasswordHash);
model.ToUser(user);
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
if(!await _userService.VerifyTwoFactorEmailAsync(user, model.Token, model.Email))
if(!await _userService.VerifyTwoFactorEmailAsync(user, model.Token))
{
await Task.Delay(2000);
throw new BadRequestException("Token", "Invalid token.");
}
var providers = user.GetTwoFactorProviders();
providers[TwoFactorProviderType.Email] = new Core.Models.TwoFactorProvider
{
MetaData = new System.Collections.Generic.Dictionary<string, string> { ["Email"] = model.Email }
};
user.SetTwoFactorProviders(providers);
await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
var response = new TwoFactorEmailResponseModel(user);
return response;
}
@ -140,18 +105,7 @@ namespace Bit.Api.Controllers
[HttpPost("disable")]
public async Task<TwoFactorEmailResponseModel> PutDisable([FromBody]TwoFactorProviderRequestModel model)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if(user == null)
{
throw new UnauthorizedAccessException();
}
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
var user = await CheckPasswordAsync(model.MasterPasswordHash);
await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value);
var response = new TwoFactorEmailResponseModel(user);
@ -169,7 +123,7 @@ namespace Bit.Api.Controllers
}
}
private async Task<User> GetProviderAsync(TwoFactorRequestModel model, TwoFactorProviderType type)
private async Task<User> CheckPasswordAsync(string masterPasswordHash)
{
var user = await _userService.GetUserByPrincipalAsync(User);
if(user == null)
@ -177,13 +131,12 @@ namespace Bit.Api.Controllers
throw new UnauthorizedAccessException();
}
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
if(!await _userManager.CheckPasswordAsync(user, masterPasswordHash))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
await _userService.SetupTwoFactorAsync(user, type);
return user;
}
}

2
src/Core/Identity/AuthenticatorTokenProvider.cs
View File

@ -14,8 +14,6 @@ namespace Bit.Core.Identity
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Authenticator);
var canGenerate = user.TwoFactorProviderIsEnabled(TwoFactorProviderType.Authenticator)
&& user.TwoFactorProvider.HasValue
&& user.TwoFactorProvider.Value == TwoFactorProviderType.Authenticator
&& !string.IsNullOrWhiteSpace(provider.MetaData["Key"]);
return Task.FromResult(canGenerate);

3
src/Core/Identity/DuoTokenProvider.cs
View File

@ -13,10 +13,7 @@ namespace Bit.Core.Identity
public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
var canGenerate = user.TwoFactorProviderIsEnabled(TwoFactorProviderType.Duo)
&& user.TwoFactorProvider.HasValue
&& user.TwoFactorProvider.Value == TwoFactorProviderType.Duo
&& !string.IsNullOrWhiteSpace(provider?.MetaData["UserId"]);
return Task.FromResult(canGenerate);

3
src/Core/Identity/YubicoOtpTokenProvider.cs
View File

@ -19,10 +19,7 @@ namespace Bit.Core.Identity
public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.YubiKey);
var canGenerate = user.TwoFactorProviderIsEnabled(TwoFactorProviderType.YubiKey)
&& user.TwoFactorProvider.HasValue
&& user.TwoFactorProvider.Value == TwoFactorProviderType.YubiKey
&& (provider?.MetaData.Values.Any(v => !string.IsNullOrWhiteSpace(v)) ?? false);
return Task.FromResult(canGenerate);

48
src/Core/Models/Api/Request/TwoFactorRequestModels.cs
View File

@ -1,4 +1,5 @@
using System;
using Bit.Core.Enums;
using Bit.Core.Models.Table;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
@ -9,6 +10,30 @@ namespace Bit.Core.Models.Api
[Required]
[StringLength(50)]
public string Token { get; set; }
[Required]
[StringLength(50)]
public string Key { get; set; }
public User ToUser(User extistingUser)
{
var providers = extistingUser.GetTwoFactorProviders();
if(providers == null)
{
providers = new Dictionary<TwoFactorProviderType, TwoFactorProvider>();
}
else if(providers.ContainsKey(TwoFactorProviderType.Authenticator))
{
providers.Remove(TwoFactorProviderType.Authenticator);
}
providers.Add(TwoFactorProviderType.Authenticator, new TwoFactorProvider
{
MetaData = new Dictionary<string, string> { ["Key"] = Key },
Enabled = true
});
extistingUser.SetTwoFactorProviders(providers);
return extistingUser;
}
}
public class UpdateTwoFactorDuoRequestModel : TwoFactorRequestModel
@ -48,6 +73,27 @@ namespace Bit.Core.Models.Api
[EmailAddress]
[StringLength(50)]
public string Email { get; set; }
public User ToUser(User extistingUser)
{
var providers = extistingUser.GetTwoFactorProviders();
if(providers == null)
{
providers = new Dictionary<TwoFactorProviderType, TwoFactorProvider>();
}
else if(providers.ContainsKey(TwoFactorProviderType.Email))
{
providers.Remove(TwoFactorProviderType.Email);
}
providers.Add(TwoFactorProviderType.Email, new TwoFactorProvider
{
MetaData = new Dictionary<string, string> { ["Email"] = Email },
Enabled = true
});
extistingUser.SetTwoFactorProviders(providers);
return extistingUser;
}
}
public class UpdateTwoFactorEmailRequestModel : TwoFactorEmailRequestModel

3
src/Core/Models/Api/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs
View File

@ -1,6 +1,7 @@
using System;
using Bit.Core.Enums;
using Bit.Core.Models.Table;
using OtpNet;
namespace Bit.Core.Models.Api
{
@ -22,6 +23,8 @@ namespace Bit.Core.Models.Api
}
else
{
var key = KeyGeneration.GenerateRandomKey(20);
Key = Base32Encoding.ToString(key);
Enabled = false;
}
}

5
src/Core/Services/IUserService.cs
View File

@ -19,8 +19,8 @@ namespace Bit.Core.Services
Task SaveUserAsync(User user);
Task<IdentityResult> RegisterUserAsync(User user, string masterPassword);
Task SendMasterPasswordHintAsync(string email);
Task SendTwoFactorEmailAsync(User user, string email = null);
Task<bool> VerifyTwoFactorEmailAsync(User user, string token, string email = null);
Task SendTwoFactorEmailAsync(User user);
Task<bool> VerifyTwoFactorEmailAsync(User user, string token);
Task InitiateEmailChangeAsync(User user, string newEmail);
Task<IdentityResult> ChangeEmailAsync(User user, string masterPassword, string newEmail, string newMasterPassword,
string token, string key);
@ -28,7 +28,6 @@ namespace Bit.Core.Services
Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,
IEnumerable<Cipher> ciphers, IEnumerable<Folder> folders);
Task<IdentityResult> RefreshSecurityStampAsync(User user, string masterPasswordHash);
Task SetupTwoFactorAsync(User user, TwoFactorProviderType provider);
Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type);
Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type);
Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode);

99
src/Core/Services/Implementations/UserService.cs
View File

@ -182,43 +182,29 @@ namespace Bit.Core.Services
await _mailService.SendMasterPasswordHintEmailAsync(email, user.MasterPasswordHint);
}
public async Task SendTwoFactorEmailAsync(User user, string email = null)
public async Task SendTwoFactorEmailAsync(User user)
{
if(string.IsNullOrWhiteSpace(email))
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if(provider == null || provider.MetaData == null || !provider.MetaData.ContainsKey("Email"))
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if(provider != null && provider.MetaData != null && provider.MetaData.ContainsKey("Email"))
{
email = provider.MetaData["Email"];
}
throw new ArgumentNullException("No email.");
}
if(string.IsNullOrWhiteSpace(email))
{
throw new ArgumentNullException(nameof(email));
}
var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider, "2faEmail:" + email);
await _mailService.SendChangeEmailEmailAsync(email, token);
var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"2faEmail:" + provider.MetaData["Email"]);
await _mailService.SendChangeEmailEmailAsync(provider.MetaData["Email"], token);
}
public async Task<bool> VerifyTwoFactorEmailAsync(User user, string token, string email = null)
public async Task<bool> VerifyTwoFactorEmailAsync(User user, string token)
{
if(string.IsNullOrWhiteSpace(email))
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if(provider == null || provider.MetaData == null || !provider.MetaData.ContainsKey("Email"))
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if(provider != null && provider.MetaData != null && provider.MetaData.ContainsKey("Email"))
{
email = provider.MetaData["Email"];
}
throw new ArgumentNullException("No email.");
}
if(string.IsNullOrWhiteSpace(email))
{
throw new ArgumentNullException(nameof(email));
}
return await base.VerifyUserTokenAsync(user, TokenOptions.DefaultEmailProvider, "2faEmail:" + email, token);
return await base.VerifyUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"2faEmail:" + provider.MetaData["Email"], token);
}
public async Task InitiateEmailChangeAsync(User user, string newEmail)
@ -355,65 +341,6 @@ namespace Bit.Core.Services
return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
}
public async Task SetupTwoFactorAsync(User user, TwoFactorProviderType provider)
{
var providers = user.GetTwoFactorProviders();
if(providers != null && providers.ContainsKey(provider) && providers[provider].MetaData != null)
{
switch(provider)
{
case TwoFactorProviderType.Authenticator:
if(!string.IsNullOrWhiteSpace(providers[provider].MetaData["Key"]))
{
return;
}
break;
case TwoFactorProviderType.Email:
case TwoFactorProviderType.U2F:
case TwoFactorProviderType.YubiKey:
case TwoFactorProviderType.Duo:
break;
default:
throw new ArgumentException(nameof(provider));
}
}
if(providers == null)
{
providers = new Dictionary<TwoFactorProviderType, TwoFactorProvider>();
}
TwoFactorProvider providerInfo = null;
if(!providers.ContainsKey(provider))
{
providerInfo = new TwoFactorProvider();
providers.Add(provider, providerInfo);
}
else
{
providerInfo = providers[provider];
}
switch(provider)
{
case TwoFactorProviderType.Authenticator:
var key = KeyGeneration.GenerateRandomKey(20);
providerInfo.MetaData = new Dictionary<string, string> { ["Key"] = Base32Encoding.ToString(key) };
break;
case TwoFactorProviderType.Email:
case TwoFactorProviderType.U2F:
case TwoFactorProviderType.YubiKey:
case TwoFactorProviderType.Duo:
break;
default:
throw new ArgumentException(nameof(provider));
}
user.TwoFactorProvider = provider;
user.SetTwoFactorProviders(providers);
await SaveUserAsync(user);
}
public async Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type)
{
var providers = user.GetTwoFactorProviders();