nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

Merge branch 'innovation/opaque-wanna-try-catch-son' into innovation/opaque

Browse Source
This commit is contained in:
Ike Kottlowski 2025-03-20 14:43:55 -04:00
commit 7f997246e5
No known key found for this signature in database
GPG Key ID: C86308E3DCA6D76F
6 changed files with 176 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs
View File

@ -1,5 +1,3 @@
using Bit.Api.Auth.Models.Request.Opaque;
using Bit.Api.Auth.Models.Response.Opaque;
using Bit.Core;
using Bit.Core.Auth.Models.Api.Request.Opaque;
using Bit.Core.Auth.Models.Api.Response.Opaque;
@ -12,64 +10,42 @@ using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.Auth.Controllers;
// TODO: move to identity
[Route("opaque")]
[RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)]
public class OpaqueKeyExchangeController : Controller
[Route("opaque")]
[Authorize("Application")]
public class OpaqueKeyExchangeController(
IOpaqueKeyExchangeService opaqueKeyExchangeService,
IUserService userService
) : Controller
{
private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService;
private readonly IUserService _userService;
private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService = opaqueKeyExchangeService;
private readonly IUserService _userService = userService;
public OpaqueKeyExchangeController(
IOpaqueKeyExchangeService opaqueKeyExchangeService,
IUserService userService
)
[HttpPost("start-registration")]
public async Task<OpaqueRegistrationStartResponse> StartRegistrationAsync(
[FromBody] OpaqueRegistrationStartRequest request)
{
_opaqueKeyExchangeService = opaqueKeyExchangeService;
_userService = userService;
}
// TODO: investigate removing ~/opaque from all routes and using controller level route attribute
[Authorize("Application")]
[HttpPost("~/opaque/start-registration")]
public async Task<OpaqueRegistrationStartResponse> StartRegistrationAsync([FromBody] OpaqueRegistrationStartRequest request)
{
var user = await _userService.GetUserByPrincipalAsync(User);
var result = await _opaqueKeyExchangeService.StartRegistration(Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration);
var user = await _userService.GetUserByPrincipalAsync(User)
?? throw new UnauthorizedAccessException();
var result = await _opaqueKeyExchangeService.StartRegistration(
Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration);
return result;
}
[Authorize("Application")]
[HttpPost("~/opaque/finish-registration")]
public async void FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request)
[HttpPost("finish-registration")]
public async Task FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request)
{
var user = await _userService.GetUserByPrincipalAsync(User);
await _opaqueKeyExchangeService.FinishRegistration(request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet);
var user = await _userService.GetUserByPrincipalAsync(User)
?? throw new UnauthorizedAccessException();
await _opaqueKeyExchangeService.FinishRegistration(
request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet);
}
[Authorize("Application")]
[HttpPost("~/opaque/set-registration-active")]
public async void SetRegistrationActive([FromBody] OpaqueSetRegistrationActiveRequest request)
[HttpPost("set-registration-active")]
public async Task SetRegistrationActiveAsync([FromBody] OpaqueSetRegistrationActiveRequest request)
{
var user = await _userService.GetUserByPrincipalAsync(User);
await _opaqueKeyExchangeService.SetRegistrationActiveForAccount(request.SessionId, user);
}
// TODO: Remove and move to token endpoint
[AllowAnonymous]
[HttpPost("~/opaque/start-login")]
public async Task<OpaqueLoginStartResponse> StartLoginAsync([FromBody] OpaqueLoginStartRequest request)
{
var result = await _opaqueKeyExchangeService.StartLogin(Convert.FromBase64String(request.CredentialRequest), request.Email);
return new OpaqueLoginStartResponse(result.Item1, Convert.ToBase64String(result.Item2));
}
// TODO: Remove and move to token endpoint
[AllowAnonymous]
[HttpPost("~/opaque/finish-login")]
public async Task<bool> FinishLoginAsync([FromBody] OpaqueLoginFinishRequest request)
{
var result = await _opaqueKeyExchangeService.FinishLogin(request.SessionId, Convert.FromBase64String(request.CredentialFinalization));
return result;
var user = await _userService.GetUserByPrincipalAsync(User)
?? throw new UnauthorizedAccessException();
await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase(request.SessionId, user);
}
}

3
src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs
View File

@ -1,6 +1,6 @@
using System.ComponentModel.DataAnnotations;
namespace Bit.Api.Auth.Models.Request.Opaque;
namespace Bit.Core.Auth.Models.Api.Request.Opaque;
public class OpaqueLoginStartRequest
{
@ -8,5 +8,4 @@ public class OpaqueLoginStartRequest
public string Email { get; set; }
[Required]
public string CredentialRequest { get; set; }
}

21
src/Core/Auth/Services/IOpaqueKeyExchangeService.cs
View File

@ -18,14 +18,15 @@ public interface IOpaqueKeyExchangeService
/// <returns>void</returns>
public Task<OpaqueRegistrationStartResponse> StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration);
/// <summary>
/// This doesn't actually finish registration. It updates the cache with the server setup and cipher configuration so that the clearly named "SetActive" method can finish registration.
/// This updates the cache with the server setup and cipher configuration so that WriteCacheCredentialToDatabase method can finish registration
/// by writing the credential to the database.
/// </summary>
/// <param name="sessionId">Cache Id</param>
/// <param name="registrationUpload">Byte Array for Rust Magic</param>
/// <param name="user">User being acted on</param>
/// <param name="keyset">Key Pair that can be used for vault decryption</param>
/// <returns>void</returns>
public Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset);
public Task<bool> FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset);
/// <summary>
/// Returns server crypto material for the client to consume and reply with a login request to the identity/token endpoint.
/// To protect against account enumeration we will always return a deterministic response based on the user's email.
@ -52,21 +53,21 @@ public interface IOpaqueKeyExchangeService
/// <summary>
/// Clears the authentication session from the cache.
/// </summary>
/// <param name="sessionId"></param>
/// <returns></returns>
/// <param name="sessionId">session being acted on.</param>
/// <returns>void</returns>
public Task ClearAuthenticationSession(Guid sessionId);
/// <summary>
/// This is where registration really finishes. This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added.
/// This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added.
/// A user can only have one credential.
/// </summary>
/// <param name="sessionId">cache value</param>
/// <param name="user">user being acted on</param>
/// <returns>void</returns>
public Task SetRegistrationActiveForAccount(Guid sessionId, User user);
/// <returns>bool based on action result</returns>
public Task<bool> WriteCacheCredentialToDatabase(Guid sessionId, User user);
/// <summary>
/// Removes the credential for the user.
/// Removes the credential for the user. If the user does not exist then this does nothing.
/// </summary>
/// <param name="user">user being acted on</param>
/// <param name="user">User being acted on.</param>
/// <returns>void</returns>
public Task Unenroll(User user);
public Task RemoveUserOpaqueKeyExchangeCredential(User user);
}

238
src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs
View File

@ -10,6 +10,7 @@ using Bit.Core.Entities;
using Bit.Core.Repositories;
using Bitwarden.Opaque;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
namespace Bit.Core.Auth.Services;
@ -23,6 +24,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository;
private readonly IDistributedCache _distributedCache;
private readonly IUserRepository _userRepository;
private readonly ILogger<OpaqueKeyExchangeService> _logger;
const string REGISTRATION_SESSION_KEY = "opaque_register_session_{0}";
const string LOGIN_SESSION_KEY = "opaque_login_session_{0}";
@ -30,18 +32,22 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
public OpaqueKeyExchangeService(
IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository,
IDistributedCache distributedCache,
IUserRepository userRepository
IUserRepository userRepository,
ILogger<OpaqueKeyExchangeService> logger
)
{
_bitwardenOpaque = new BitwardenOpaqueServer();
_opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository;
_distributedCache = distributedCache;
_userRepository = userRepository;
_logger = logger;
}
public async Task<OpaqueRegistrationStartResponse> StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration)
public async Task<OpaqueRegistrationStartResponse> StartRegistration(
byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration)
{
var registrationRequest = _bitwardenOpaque.StartRegistration(cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString());
var registrationRequest = _bitwardenOpaque.StartRegistration(
cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString());
// We must persist the registration session state to the cache so we can have the server setup and cipher
// Ïconfiguration available when the client finishes registration.
@ -54,17 +60,13 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
return new OpaqueRegistrationStartResponse(registrationSessionId, Convert.ToBase64String(registrationRequest.registrationResponse));
}
public async Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset)
public async Task<bool> FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset)
{
// Look up the user's registration session
var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId));
if (serializedRegisterSession == null)
{
throw new InvalidOperationException("Session not found");
}
try
{
// Look up the user's registration session
var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId))
?? throw new Exception("Session not found");
// Deserialize the registration session and finish the registration
var registrationSession = JsonSerializer.Deserialize<OpaqueKeyExchangeRegistrationSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
var registrationFinish = _bitwardenOpaque.FinishRegistration(registrationSession.CipherConfiguration.ToNativeConfiguration(), registrationUpload);
@ -73,12 +75,14 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
registrationSession.PasswordFile = registrationFinish.serverRegistration;
registrationSession.KeySet = Encoding.ASCII.GetBytes(JsonSerializer.Serialize(keyset));
await _distributedCache.SetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registrationSession)));
return true;
}
catch (Exception e)
{
// If anything goes wrong, we need to remove the session from the cache
await ClearRegistrationSession(sessionId);
throw new Exception(e.Message);
_logger.LogError(e, "Error finishing registration for user {UserId}", user.Id);
return false;
}
}
@ -89,59 +93,63 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
public async Task<(Guid, byte[])> StartLogin(byte[] request, string email)
{
var user = await _userRepository.GetByEmailAsync(email);
if (user == null)
try
{
// TODO: don't allow user enumeration
throw new InvalidOperationException("User not found");
// todo: don't allow user enumeration
var user = await _userRepository.GetByEmailAsync(email)
?? throw new InvalidOperationException("User not found");
// todo: generate fake credential
var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id)
?? throw new InvalidOperationException("Credential not found");
var cipherConfiguration = JsonSerializer.Deserialize<OpaqueKeyExchangeCipherConfiguration>(credential.CipherConfiguration)!;
var credentialBlob = JsonSerializer.Deserialize<OpaqueKeyExchangeCredentialBlob>(credential.CredentialBlob)!;
var serverSetup = credentialBlob.ServerSetup;
var serverRegistration = credentialBlob.PasswordFile;
var loginResponse = _bitwardenOpaque.StartLogin(
cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString());
var sessionId = MakeCryptoGuid();
var loginSession = new OpaqueKeyExchangeLoginSession()
{
UserId = user.Id,
LoginState = loginResponse.state,
CipherConfiguration = cipherConfiguration,
IsAuthenticated = false
};
await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
return (sessionId, loginResponse.credentialResponse);
}
var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id);
if (credential == null)
catch (InvalidOperationException e)
{
// generate fake credential
throw new InvalidOperationException("Credential not found");
_logger.LogError(e, "Error starting login for user {Email}", email);
return (Guid.Empty, []);
}
var cipherConfiguration = JsonSerializer.Deserialize<OpaqueKeyExchangeCipherConfiguration>(credential.CipherConfiguration)!;
var credentialBlob = JsonSerializer.Deserialize<OpaqueKeyExchangeCredentialBlob>(credential.CredentialBlob)!;
var serverSetup = credentialBlob.ServerSetup;
var serverRegistration = credentialBlob.PasswordFile;
var loginResponse = _bitwardenOpaque.StartLogin(cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString());
var sessionId = MakeCryptoGuid();
var loginSession = new OpaqueKeyExchangeLoginSession()
{
UserId = user.Id,
LoginState = loginResponse.state,
CipherConfiguration = cipherConfiguration,
IsAuthenticated = false
};
await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
return (sessionId, loginResponse.credentialResponse);
}
public async Task<bool> FinishLogin(Guid sessionId, byte[] credentialFinalization)
{
var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
if (serializedLoginSession == null)
{
throw new InvalidOperationException("Session not found");
}
var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId);
if (credential == null)
{
throw new InvalidOperationException("Credential not found");
}
var loginState = loginSession.LoginState;
var cipherConfiguration = loginSession.CipherConfiguration;
await ClearAuthenticationSession(sessionId);
try
{
var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
if (serializedLoginSession == null)
{
throw new InvalidOperationException("Session not found");
}
var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId);
if (credential == null)
{
throw new InvalidOperationException("Credential not found");
}
var loginState = loginSession.LoginState;
var cipherConfiguration = loginSession.CipherConfiguration;
await ClearAuthenticationSession(sessionId);
var success = _bitwardenOpaque.FinishLogin(cipherConfiguration.ToNativeConfiguration(), loginState, credentialFinalization);
loginSession.IsAuthenticated = true;
await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
@ -157,68 +165,80 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
public async Task<User?> GetUserForAuthenticatedSession(Guid sessionId)
{
var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
if (serializedLoginSession == null)
try
{
throw new InvalidOperationException("Session not found");
}
var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId))
?? throw new InvalidOperationException("Session not found");
if (!loginSession.IsAuthenticated)
var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
if (!loginSession.IsAuthenticated)
{
throw new InvalidOperationException("Session not authenticated");
}
return await _userRepository.GetByIdAsync(loginSession.UserId!)!;
}
catch (InvalidOperationException e)
{
throw new InvalidOperationException("Session not authenticated");
_logger.LogError(e, "Error authenticating user session {SessionId}", sessionId);
return null;
}
return await _userRepository.GetByIdAsync(loginSession.UserId!)!;
}
public async Task SetRegistrationActiveForAccount(Guid sessionId, User user)
public async Task<bool> WriteCacheCredentialToDatabase(Guid sessionId, User user)
{
var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId));
if (serializedRegisterSession == null)
try
{
throw new InvalidOperationException("Session not found");
}
var session = JsonSerializer.Deserialize<OpaqueKeyExchangeRegistrationSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTRATION_SESSION_KEY, sessionId))
?? throw new InvalidOperationException("Session not found");
if (session.UserId != user.Id)
{
throw new InvalidOperationException("Session does not belong to user");
}
if (session.PasswordFile == null)
{
throw new InvalidOperationException("Session did not complete registration");
}
if (session.KeySet == null)
{
throw new InvalidOperationException("Session did not complete registration");
}
var session = JsonSerializer.Deserialize<OpaqueKeyExchangeRegistrationSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
if (session.UserId != user.Id)
{
throw new InvalidOperationException("Session does not belong to user");
}
if (session.PasswordFile == null)
{
throw new InvalidOperationException("Session did not complete registration");
}
if (session.KeySet == null)
{
throw new InvalidOperationException("Session did not complete registration");
}
var keyset = JsonSerializer.Deserialize<RotateableOpaqueKeyset>(Encoding.ASCII.GetString(session.KeySet))!;
var credentialBlob = new OpaqueKeyExchangeCredentialBlob()
{
PasswordFile = session.PasswordFile,
ServerSetup = session.ServerSetup
};
var keyset = JsonSerializer.Deserialize<RotateableOpaqueKeyset>(Encoding.ASCII.GetString(session.KeySet))!;
var credentialBlob = new OpaqueKeyExchangeCredentialBlob()
{
PasswordFile = session.PasswordFile,
ServerSetup = session.ServerSetup
};
var credential = new OpaqueKeyExchangeCredential()
{
UserId = user.Id,
CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration),
CredentialBlob = JsonSerializer.Serialize(credentialBlob),
EncryptedPrivateKey = keyset.EncryptedPrivateKey,
EncryptedPublicKey = keyset.EncryptedPublicKey,
EncryptedUserKey = keyset.EncryptedUserKey,
CreationDate = DateTime.UtcNow
};
var credential = new OpaqueKeyExchangeCredential()
{
UserId = user.Id,
CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration),
CredentialBlob = JsonSerializer.Serialize(credentialBlob),
EncryptedPrivateKey = keyset.EncryptedPrivateKey,
EncryptedPublicKey = keyset.EncryptedPublicKey,
EncryptedUserKey = keyset.EncryptedUserKey,
CreationDate = DateTime.UtcNow
};
// Delete any existing registration and then enroll user with latest
// TODO: this could be a single atomic replace / upsert
await Unenroll(user);
await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential);
// Delete any existing registration and then enroll user with latest
// TODO: this could be a single atomic replace / upsert
await RemoveUserOpaqueKeyExchangeCredential(user);
await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential);
return true;
}
catch (InvalidOperationException e)
{
_logger.LogError(e, "Error writing cache opaque credential to database for user {UserId}", user.Id);
return false;
}
}
public async Task Unenroll(User user)
public async Task RemoveUserOpaqueKeyExchangeCredential(User user)
{
var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id);
if (credential != null)
@ -234,7 +254,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
private static Guid MakeCryptoGuid()
{
// Get 16 cryptographically random bytes
byte[] data = RandomNumberGenerator.GetBytes(16);
var data = RandomNumberGenerator.GetBytes(16);
// Mark it as a version 4 GUID
data[7] = (byte)((data[7] | (byte)0x40) & (byte)0x4f);
@ -249,6 +269,11 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
}
}
/// <summary>
/// Object saved to the cache for a registration session. We store the registration object in
/// the cache so we can maintain key material separation between the client and server.
/// If we used a Tokenable then it could expose the Server Key material to the client.
/// </summary>
public class OpaqueKeyExchangeRegistrationSession
{
public required Guid RegistrationSessionId { get; set; }
@ -259,6 +284,11 @@ public class OpaqueKeyExchangeRegistrationSession
public byte[]? KeySet { get; set; }
}
/// <summary>
/// This object is used to accomplish a Pushed Authorization Request (PAR) "adjacent" type action. Where we
/// track authentication state in the cache so when a user finishes authentication they only need
/// the Cryptographically secure GUID sessionId.
/// </summary>
public class OpaqueKeyExchangeLoginSession
{
public required Guid UserId { get; set; }

8
src/Core/Services/Implementations/UserService.cs
View File

@ -671,11 +671,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
// TODO: feature flag this
if (opaqueSessionId != null)
{
await _opaqueKeyExchangeService.SetRegistrationActiveForAccount((Guid)opaqueSessionId, user);
await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase((Guid)opaqueSessionId, user);
}
else
{
await _opaqueKeyExchangeService.Unenroll(user);
await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
}
await _userRepository.ReplaceAsync(user);
await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
@ -818,7 +818,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
user.Key = key;
// TODO: Add Opaque-KE support
await _opaqueKeyExchangeService.Unenroll(user);
await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
await _userRepository.ReplaceAsync(user);
await _mailService.SendAdminResetPasswordEmailAsync(user.Email, user.Name, org.DisplayName());
await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_AdminResetPassword);
@ -846,7 +846,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
user.MasterPasswordHint = hint;
// TODO: Add Opaque-KE support
await _opaqueKeyExchangeService.Unenroll(user);
await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
await _userRepository.ReplaceAsync(user);
await _mailService.SendUpdatedTempPasswordEmailAsync(user.Email, user.Name);
await _eventService.LogUserEventAsync(user.Id, EventType.User_UpdatedTempPassword);

1
src/Identity/Controllers/AccountsController.cs
View File

@ -1,7 +1,6 @@
using System.Diagnostics;
using System.Text;
using System.Text.Json;
using Bit.Api.Auth.Models.Request.Opaque;
using Bit.Api.Auth.Models.Response.Opaque;
using Bit.Core;
using Bit.Core.Auth.Enums;