[PM-1222] Passkeys in the Bitwarden vault (#2679)

* [EC-598] feat: add support for saving fido2 keys * [EC-598] feat: add additional data * [EC-598] feat: add counter, nonDiscoverableId; remove origin * [EC-598] fix: previous incomplete commit * [EC-598] fix: previous incomplete commit.. again * [EC-598] fix: failed merge * [EC-598] fix: move files around to match new structure * [EC-598] feat: add implementation for non-discoverable credentials * [EC-598] chore: remove some changes introduced by vs * [EC-598] fix: linting issues * [PM-1500] Add feature flag to enable pass keys (#2916) * Added feature flag to enable pass keys * Renamed enable pass keys to fido2 vault credentials * only sync fido2key ciphers on clients >=2023.9.0 (#3244) * Renamed fido2key property username to userDisplayName (#3172) * [PM-1859] Renamed NonDiscoverableId to credentialId (#3198) * PM-1859 Refactor to credentialId * PM-1859 Removed unnecessary import --------- Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com> * [PM-3807] Store all passkeys as login cipher type (#3261) * [PM-3807] feat: add discoverable property to fido2key * [PM-3807] feat: remove standalone Fido2Key * [PM-3807] chore: clean up unusued constant * [PM-3807] fix: remove standadlone Fido2Key property that I missed * [PM-3807] Store passkeys in array (#3268) * [PM-3807] feat: store passkeys in array * [PM-3807] amazing adventures with the c# linter * [PM-3980] Added creationDate property to the Fido2Key object (#3279) * Added creationDate property to the Fido2Key object * Fixed lint issues * fixed comments * made createionDate required * [PM-3808] [Storage v2] Add old client/new server backward compatibility (#3262) * [PM-3807] feat: add discoverable property to fido2key * [PM-3807] feat: remove standalone Fido2Key * [PM-3807] chore: clean up unusued constant * [PM-3808] feat: add fido2 compatibility check before saving ciphers * Resolved merge conflicts. * Setting minimum version for QA. --------- Co-authored-by: Todd Martin <tmartin@bitwarden.com> * [PM-4054] Rename Fido2Key to Fido2Credential (#3306) * Add server version compatibility check for Fido2Credentials on sharing with org (#3328) * Added compatibility checks. * Refactored into separate methods for easier removal. * Added check on ShareMany * Updated method order to be consistent. * Linting * Updated minimum server version for release, as well as defaulting the feature on for self-hosted. * Added trailing space. * Removed extra assignment --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: SmithThe4th <gsmith@bitwarden.com> Co-authored-by: Todd Martin <tmartin@bitwarden.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Carlos Gonçalves <carlosmaccam@gmail.com> Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com> Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>
2025-07-04 01:22:50 -05:00 · 2023-10-17 18:17:13 +02:00
parent 8177821e8b
commit 8c77c65ce8
8 changed files with 151 additions and 7 deletions
--- a/src/Api/Vault/Controllers/CiphersController.cs
+++ b/src/Api/Vault/Controllers/CiphersController.cs
@ -27,6 +27,8 @@ namespace Bit.Api.Vault.Controllers;
 [Authorize("Application")]
 public class CiphersController : Controller
 {
+    private static readonly Version _fido2KeyCipherMinimumVersion = new Version(Constants.Fido2KeyCipherMinimumVersion);
+
    private readonly ICipherRepository _cipherRepository;
    private readonly ICollectionCipherRepository _collectionCipherRepository;
    private readonly ICipherService _cipherService;
@ -178,7 +180,8 @@ public class CiphersController : Controller
            throw new NotFoundException();
        }

-        ValidateItemLevelEncryptionIsAvailable(cipher);
+        ValidateClientVersionForItemLevelEncryptionSupport(cipher);
+        ValidateClientVersionForFido2CredentialSupport(cipher);

        var collectionIds = (await _collectionCipherRepository.GetManyByUserIdCipherIdAsync(userId, id)).Select(c => c.CollectionId).ToList();
        var modelOrgId = string.IsNullOrWhiteSpace(model.OrganizationId) ?
@ -202,7 +205,8 @@ public class CiphersController : Controller
        var userId = _userService.GetProperUserId(User).Value;
        var cipher = await _cipherRepository.GetOrganizationDetailsByIdAsync(id);

-        ValidateItemLevelEncryptionIsAvailable(cipher);
+        ValidateClientVersionForItemLevelEncryptionSupport(cipher);
+        ValidateClientVersionForFido2CredentialSupport(cipher);

        if (cipher == null || !cipher.OrganizationId.HasValue ||
            !await _currentContext.EditAnyCollection(cipher.OrganizationId.Value))
@ -267,6 +271,9 @@ public class CiphersController : Controller
            throw new NotFoundException();
        }

+        ValidateClientVersionForItemLevelEncryptionSupport(cipher);
+        ValidateClientVersionForFido2CredentialSupport(cipher);
+
        var original = cipher.Clone();
        await _cipherService.ShareAsync(original, model.Cipher.ToCipher(cipher), new Guid(model.Cipher.OrganizationId),
            model.CollectionIds.Select(c => new Guid(c)), userId, model.Cipher.LastKnownRevisionDate);
@ -529,7 +536,12 @@ public class CiphersController : Controller
                throw new BadRequestException("Trying to move ciphers that you do not own.");
            }

-            shareCiphers.Add((cipher.ToCipher(ciphersDict[cipher.Id.Value]), cipher.LastKnownRevisionDate));
+            var existingCipher = ciphersDict[cipher.Id.Value];
+
+            ValidateClientVersionForItemLevelEncryptionSupport(existingCipher);
+            ValidateClientVersionForFido2CredentialSupport(existingCipher);
+
+            shareCiphers.Add((cipher.ToCipher(existingCipher), cipher.LastKnownRevisionDate));
        }

        await _cipherService.ShareManyAsync(shareCiphers, organizationId,
@ -582,7 +594,7 @@ public class CiphersController : Controller
            throw new NotFoundException();
        }

-        ValidateItemLevelEncryptionIsAvailable(cipher);
+        ValidateClientVersionForItemLevelEncryptionSupport(cipher);

        if (request.FileSize > CipherService.MAX_FILE_SIZE)
        {
@ -804,11 +816,23 @@ public class CiphersController : Controller
        }
    }

-    private void ValidateItemLevelEncryptionIsAvailable(Cipher cipher)
+    private void ValidateClientVersionForItemLevelEncryptionSupport(Cipher cipher)
    {
        if (cipher.Key != null && _currentContext.ClientVersion < _cipherKeyEncryptionMinimumVersion)
        {
            throw new BadRequestException("Cannot edit item. Update to the latest version of Bitwarden and try again.");
        }
    }
+
+    private void ValidateClientVersionForFido2CredentialSupport(Cipher cipher)
+    {
+        if (cipher.Type == Core.Vault.Enums.CipherType.Login)
+        {
+            var loginData = JsonSerializer.Deserialize<CipherLoginData>(cipher.Data);
+            if (loginData?.Fido2Credentials != null && _currentContext.ClientVersion < _fido2KeyCipherMinimumVersion)
+            {
+                throw new BadRequestException("Cannot edit item. Update to the latest version of Bitwarden and try again.");
+            }
+        }
+    }
 }