[PM-1188] Server owner auth migration (#2825)

* [PM-1188] add sso project to auth

* [PM-1188] move sso api models to auth

* [PM-1188] fix sso api model namespace & imports

* [PM-1188] move core files to auth

* [PM-1188] fix core sso namespace & models

* [PM-1188] move sso repository files to auth

* [PM-1188] fix sso repo files namespace & imports

* [PM-1188] move sso sql files to auth folder

* [PM-1188] move sso test files to auth folders

* [PM-1188] fix sso tests namespace & imports

* [PM-1188] move auth api files to auth folder

* [PM-1188] fix auth api files namespace & imports

* [PM-1188] move auth core files to auth folder

* [PM-1188] fix auth core files namespace & imports

* [PM-1188] move auth email templates to auth folder

* [PM-1188] move auth email folder back into shared directory

* [PM-1188] fix auth email names

* [PM-1188] move auth core models to auth folder

* [PM-1188] fix auth model namespace & imports

* [PM-1188] add entire Identity project to auth codeowners

* [PM-1188] fix auth orm files namespace & imports

* [PM-1188] move auth orm files to auth folder

* [PM-1188] move auth sql files to auth folder

* [PM-1188] move auth tests to auth folder

* [PM-1188] fix auth test files namespace & imports

* [PM-1188] move emergency access api files to auth folder

* [PM-1188] fix emergencyaccess api files namespace & imports

* [PM-1188] move emergency access core files to auth folder

* [PM-1188] fix emergency access core files namespace & imports

* [PM-1188] move emergency access orm files to auth folder

* [PM-1188] fix emergency access orm files namespace & imports

* [PM-1188] move emergency access sql files to auth folder

* [PM-1188] move emergencyaccess test files to auth folder

* [PM-1188] fix emergency access test files namespace & imports

* [PM-1188] move captcha files to auth folder

* [PM-1188] fix captcha files namespace & imports

* [PM-1188] move auth admin files into auth folder

* [PM-1188] fix admin auth files namespace & imports
- configure mvc to look in auth folders for views

* [PM-1188] remove extra imports and formatting

* [PM-1188] fix ef auth model imports

* [PM-1188] fix DatabaseContextModelSnapshot paths

* [PM-1188] fix grant import in ef

* [PM-1188] update sqlproj

* [PM-1188] move missed sqlproj files

* [PM-1188] move auth ef models out of auth folder

* [PM-1188] fix auth ef models namespace

* [PM-1188] remove auth ef models unused imports

* [PM-1188] fix imports for auth ef models

* [PM-1188] fix more ef model imports

* [PM-1188] fix file encodings

src/Admin/Auth/Controllers/LoginController.cs

@@ -0,0 +1,92 @@
+using Bit.Admin.Auth.IdentityServer;
+using Bit.Admin.Auth.Models;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Admin.Auth.Controllers;
+
+public class LoginController : Controller
+{
+    private readonly PasswordlessSignInManager<IdentityUser> _signInManager;
+
+    public LoginController(
+        PasswordlessSignInManager<IdentityUser> signInManager)
+    {
+        _signInManager = signInManager;
+    }
+
+    public IActionResult Index(string returnUrl = null, int? error = null, int? success = null,
+        bool accessDenied = false)
+    {
+        if (!error.HasValue && accessDenied)
+        {
+            error = 4;
+        }
+
+        return View(new LoginModel
+        {
+            ReturnUrl = returnUrl,
+            Error = GetMessage(error),
+            Success = GetMessage(success)
+        });
+    }
+
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Index(LoginModel model)
+    {
+        if (ModelState.IsValid)
+        {
+            await _signInManager.PasswordlessSignInAsync(model.Email, model.ReturnUrl);
+            return RedirectToAction("Index", new
+            {
+                success = 3
+            });
+        }
+
+        return View(model);
+    }
+
+    public async Task<IActionResult> Confirm(string email, string token, string returnUrl)
+    {
+        var result = await _signInManager.PasswordlessSignInAsync(email, token, true);
+        if (!result.Succeeded)
+        {
+            return RedirectToAction("Index", new
+            {
+                error = 2
+            });
+        }
+
+        if (!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl))
+        {
+            return Redirect(returnUrl);
+        }
+
+        return RedirectToAction("Index", "Home");
+    }
+
+    [HttpPost]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> Logout()
+    {
+        await _signInManager.SignOutAsync();
+        return RedirectToAction("Index", new
+        {
+            success = 1
+        });
+    }
+
+    private string GetMessage(int? messageCode)
+    {
+        return messageCode switch
+        {
+            1 => "You have been logged out.",
+            2 => "This login confirmation link is invalid. Try logging in again.",
+            3 => "If a valid admin user with this email address exists, " +
+                "we've sent you an email with a secure link to log in.",
+            4 => "Access denied. Please log in.",
+            _ => null,
+        };
+    }
+}

src/Admin/Auth/IdentityServer/PasswordlessSignInManager.cs

@@ -0,0 +1,87 @@
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+
+namespace Bit.Admin.Auth.IdentityServer;
+
+public class PasswordlessSignInManager<TUser> : SignInManager<TUser> where TUser : class
+{
+    public const string PasswordlessSignInPurpose = "PasswordlessSignIn";
+
+    private readonly IMailService _mailService;
+
+    public PasswordlessSignInManager(UserManager<TUser> userManager,
+        IHttpContextAccessor contextAccessor,
+        IUserClaimsPrincipalFactory<TUser> claimsFactory,
+        IOptions<IdentityOptions> optionsAccessor,
+        ILogger<SignInManager<TUser>> logger,
+        IAuthenticationSchemeProvider schemes,
+        IUserConfirmation<TUser> confirmation,
+        IMailService mailService)
+        : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
+    {
+        _mailService = mailService;
+    }
+
+    public async Task<SignInResult> PasswordlessSignInAsync(string email, string returnUrl)
+    {
+        var user = await UserManager.FindByEmailAsync(email);
+        if (user == null)
+        {
+            return SignInResult.Failed;
+        }
+
+        var token = await UserManager.GenerateUserTokenAsync(user, Options.Tokens.PasswordResetTokenProvider,
+            PasswordlessSignInPurpose);
+        await _mailService.SendPasswordlessSignInAsync(returnUrl, token, email);
+        return SignInResult.Success;
+    }
+
+    public async Task<SignInResult> PasswordlessSignInAsync(TUser user, string token, bool isPersistent)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        var attempt = await CheckPasswordlessSignInAsync(user, token);
+        return attempt.Succeeded ?
+            await SignInOrTwoFactorAsync(user, isPersistent, bypassTwoFactor: true) : attempt;
+    }
+
+    public async Task<SignInResult> PasswordlessSignInAsync(string email, string token, bool isPersistent)
+    {
+        var user = await UserManager.FindByEmailAsync(email);
+        if (user == null)
+        {
+            return SignInResult.Failed;
+        }
+
+        return await PasswordlessSignInAsync(user, token, isPersistent);
+    }
+
+    public virtual async Task<SignInResult> CheckPasswordlessSignInAsync(TUser user, string token)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        var error = await PreSignInCheck(user);
+        if (error != null)
+        {
+            return error;
+        }
+
+        if (await UserManager.VerifyUserTokenAsync(user, Options.Tokens.PasswordResetTokenProvider,
+            PasswordlessSignInPurpose, token))
+        {
+            return SignInResult.Success;
+        }
+
+        Logger.LogWarning(2, "User {userId} failed to provide the correct token.",
+            await UserManager.GetUserIdAsync(user));
+        return SignInResult.Failed;
+    }
+}

src/Admin/Auth/Jobs/DatabaseExpiredGrantsJob.cs

@@ -0,0 +1,26 @@
+using Bit.Core;
+using Bit.Core.Jobs;
+using Bit.Core.Repositories;
+using Quartz;
+
+namespace Bit.Admin.Auth.Jobs;
+
+public class DatabaseExpiredGrantsJob : BaseJob
+{
+    private readonly IMaintenanceRepository _maintenanceRepository;
+
+    public DatabaseExpiredGrantsJob(
+        IMaintenanceRepository maintenanceRepository,
+        ILogger<DatabaseExpiredGrantsJob> logger)
+        : base(logger)
+    {
+        _maintenanceRepository = maintenanceRepository;
+    }
+
+    protected async override Task ExecuteJobAsync(IJobExecutionContext context)
+    {
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: DeleteExpiredGrantsAsync");
+        await _maintenanceRepository.DeleteExpiredGrantsAsync();
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Finished job task: DeleteExpiredGrantsAsync");
+    }
+}

src/Admin/Auth/Jobs/DeleteAuthRequestsJob.cs

@@ -0,0 +1,27 @@
+using Bit.Core;
+using Bit.Core.Jobs;
+using Bit.Core.Repositories;
+using Quartz;
+
+namespace Bit.Admin.Auth.Jobs;
+
+public class DeleteAuthRequestsJob : BaseJob
+{
+    private readonly IAuthRequestRepository _authRepo;
+
+    public DeleteAuthRequestsJob(
+        IAuthRequestRepository authrepo,
+        ILogger<DeleteAuthRequestsJob> logger)
+        : base(logger)
+    {
+        _authRepo = authrepo;
+    }
+
+    protected async override Task ExecuteJobAsync(IJobExecutionContext context)
+    {
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: DeleteAuthRequestsJob: Start");
+        var count = await _authRepo.DeleteExpiredAsync();
+        _logger.LogInformation(Constants.BypassFiltersEventId, $"{count} records deleted from AuthRequests.");
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: DeleteAuthRequestsJob: End");
+    }
+}

src/Admin/Auth/Models/LoginModel.cs

@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Admin.Auth.Models;
+
+public class LoginModel
+{
+    [Required]
+    [EmailAddress]
+    public string Email { get; set; }
+    public string ReturnUrl { get; set; }
+    public string Error { get; set; }
+    public string Success { get; set; }
+}

src/Admin/Auth/Views/Login/Index.cshtml

@@ -0,0 +1,34 @@
+@model LoginModel
+@{
+    ViewData["Title"] = "Login";
+}
+
+<div class="row justify-content-md-center">
+    <div class="col col-lg-6 col-md-8">
+        @if(!string.IsNullOrWhiteSpace(Model.Success))
+        {
+            <div class="alert alert-success" role="alert">@Model.Success</div>
+        }
+        else if(!string.IsNullOrWhiteSpace(Model.Error))
+        {
+            <div class="alert alert-danger" role="alert">@Model.Error</div>
+        }
+        <div class="card">
+            <div class="card-body">
+                <p>Please enter your email address below to log in.</p>
+                <form asp-action="" method="post">
+                    <input type="hidden" asp-for="ReturnUrl" />
+                    <div asp-validation-summary="ModelOnly" class="text-danger"></div>
+                    <div class="form-group">
+                        <label asp-for="Email" class="sr-only">Email Address</label>
+                        <input asp-for="Email" type="email" class="form-control" placeholder="ex. john@example.com"
+                               required autofocus>
+                        <span asp-validation-for="Email" class="invalid-feedback"></span>
+                        <small class="form-text text-muted">We'll email you a secure login link.</small>
+                    </div>
+                    <button class="btn btn-primary" type="submit">Continue</button>
+                </form>
+            </div>
+        </div>
+    </div>
+</div>

src/Admin/Auth/Views/_ViewImports.cshtml

@@ -0,0 +1,5 @@
+@using Microsoft.AspNetCore.Identity
+@using Bit.Admin.Auth
+@using Bit.Admin.Auth.Models
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@addTagHelper "*, Admin"

src/Admin/Auth/Views/_ViewStart.cshtml

@@ -0,0 +1,3 @@
+@{
+    Layout = "_Layout";
+}