diff --git a/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs b/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs index 9136afe67d..d6cdb40d03 100644 --- a/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs +++ b/src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs @@ -1,68 +1,50 @@ -using Bit.Api.Auth.Models.Request.Opaque; -using Bit.Api.Auth.Models.Response.Opaque; +using Bit.Core; using Bit.Core.Auth.Models.Api.Request.Opaque; using Bit.Core.Auth.Models.Api.Response.Opaque; using Bit.Core.Auth.Services; using Bit.Core.Services; +using Bit.Core.Utilities; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; namespace Bit.Api.Auth.Controllers; +[RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)] [Route("opaque")] -public class OpaqueKeyExchangeController : Controller +[Authorize("Web")] +public class OpaqueKeyExchangeController( + IOpaqueKeyExchangeService opaqueKeyExchangeService, + IUserService userService + ) : Controller { - private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService; - private readonly IUserService _userService; + private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService = opaqueKeyExchangeService; + private readonly IUserService _userService = userService; - public OpaqueKeyExchangeController( - IOpaqueKeyExchangeService opaqueKeyExchangeService, - IUserService userService - ) + [HttpPost("start-registration")] + public async Task StartRegistrationAsync( + [FromBody] OpaqueRegistrationStartRequest request) { - _opaqueKeyExchangeService = opaqueKeyExchangeService; - _userService = userService; - } - - [Authorize("Web")] - [HttpPost("~/opaque/start-registration")] - public async Task StartRegistrationAsync([FromBody] OpaqueRegistrationStartRequest request) - { - var user = await _userService.GetUserByPrincipalAsync(User); - var result = await _opaqueKeyExchangeService.StartRegistration(Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration); + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + var result = await _opaqueKeyExchangeService.StartRegistration( + Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration); return result; } - - [Authorize("Web")] - [HttpPost("~/opaque/finish-registration")] - public async void FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request) + [HttpPost("finish-registration")] + public async Task FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request) { - var user = await _userService.GetUserByPrincipalAsync(User); - await _opaqueKeyExchangeService.FinishRegistration(request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet); + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + await _opaqueKeyExchangeService.FinishRegistration( + request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet); } - [Authorize("Web")] - [HttpPost("~/opaque/set-registration-active")] - public async void SetRegistrationActive([FromBody] OpaqueSetRegistrationActiveRequest request) + [HttpPost("set-registration-active")] + public async Task SetRegistrationActiveAsync([FromBody] OpaqueSetRegistrationActiveRequest request) { - var user = await _userService.GetUserByPrincipalAsync(User); - await _opaqueKeyExchangeService.SetRegistrationActiveForAccount(request.SessionId, user); - } - - // TODO: Remove and move to token endpoint - [HttpPost("~/opaque/start-login")] - public async Task StartLoginAsync([FromBody] OpaqueLoginStartRequest request) - { - var result = await _opaqueKeyExchangeService.StartLogin(Convert.FromBase64String(request.CredentialRequest), request.Email); - return new OpaqueLoginStartResponse(result.Item1, Convert.ToBase64String(result.Item2)); - } - - // TODO: Remove and move to token endpoint - [HttpPost("~/opaque/finish-login")] - public async Task FinishLoginAsync([FromBody] OpaqueLoginFinishRequest request) - { - var result = await _opaqueKeyExchangeService.FinishLogin(request.SessionId, Convert.FromBase64String(request.CredentialFinalization)); - return result; + var user = await _userService.GetUserByPrincipalAsync(User) + ?? throw new UnauthorizedAccessException(); + await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase(request.SessionId, user); } } diff --git a/src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs b/src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs index 72c835dda6..5981514dfe 100644 --- a/src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs +++ b/src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs @@ -1,6 +1,6 @@ using System.ComponentModel.DataAnnotations; -namespace Bit.Api.Auth.Models.Request.Opaque; +namespace Bit.Core.Auth.Models.Api.Request.Opaque; public class OpaqueLoginStartRequest { @@ -8,5 +8,4 @@ public class OpaqueLoginStartRequest public string Email { get; set; } [Required] public string CredentialRequest { get; set; } - } diff --git a/src/Core/Auth/Services/IOpaqueKeyExchangeService.cs b/src/Core/Auth/Services/IOpaqueKeyExchangeService.cs index 1d1d4365e9..b6652847bb 100644 --- a/src/Core/Auth/Services/IOpaqueKeyExchangeService.cs +++ b/src/Core/Auth/Services/IOpaqueKeyExchangeService.cs @@ -18,14 +18,15 @@ public interface IOpaqueKeyExchangeService /// void public Task StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration); /// - /// This doesn't actually finish registration. It updates the cache with the server setup and cipher configuration so that the clearly named "SetActive" method can finish registration. + /// This updates the cache with the server setup and cipher configuration so that WriteCacheCredentialToDatabase method can finish registration + /// by writing the credential to the database. /// /// Cache Id /// Byte Array for Rust Magic /// User being acted on /// Key Pair that can be used for vault decryption /// void - public Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset); + public Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset); /// /// Returns server crypto material for the client to consume and reply with a login request to the identity/token endpoint. /// To protect against account enumeration we will always return a deterministic response based on the user's email. @@ -52,21 +53,21 @@ public interface IOpaqueKeyExchangeService /// /// Clears the authentication session from the cache. /// - /// - /// + /// session being acted on. + /// void public Task ClearAuthenticationSession(Guid sessionId); /// - /// This is where registration really finishes. This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added. + /// This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added. /// A user can only have one credential. /// /// cache value /// user being acted on - /// void - public Task SetRegistrationActiveForAccount(Guid sessionId, User user); + /// bool based on action result + public Task WriteCacheCredentialToDatabase(Guid sessionId, User user); /// - /// Removes the credential for the user. + /// Removes the credential for the user. If the user does not exist then this does nothing. /// - /// user being acted on + /// User being acted on. /// void - public Task Unenroll(User user); + public Task RemoveUserOpaqueKeyExchangeCredential(User user); } diff --git a/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs b/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs index 1684e478c0..197b66b574 100644 --- a/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs +++ b/src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs @@ -10,6 +10,7 @@ using Bit.Core.Entities; using Bit.Core.Repositories; using Bitwarden.Opaque; using Microsoft.Extensions.Caching.Distributed; +using Microsoft.Extensions.Logging; namespace Bit.Core.Auth.Services; @@ -21,6 +22,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository; private readonly IDistributedCache _distributedCache; private readonly IUserRepository _userRepository; + private readonly ILogger _logger; const string REGISTER_SESSION_KEY = "opaque_register_session_{0}"; const string LOGIN_SESSION_KEY = "opaque_login_session_{0}"; @@ -28,104 +30,119 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService public OpaqueKeyExchangeService( IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository, IDistributedCache distributedCache, - IUserRepository userRepository + IUserRepository userRepository, + ILogger logger ) { _bitwardenOpaque = new BitwardenOpaqueServer(); _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository; _distributedCache = distributedCache; _userRepository = userRepository; + _logger = logger; } - public async Task StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration) + public async Task StartRegistration( + byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration) { - var registrationRequest = _bitwardenOpaque.StartRegistration(cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString()); + var registrationRequest = _bitwardenOpaque.StartRegistration( + cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString()); var sessionId = Guid.NewGuid(); - var registerSession = new OpaqueKeyExchangeRegisterSession() { SessionId = sessionId, ServerSetup = registrationRequest.serverSetup, CipherConfiguration = cipherConfiguration, UserId = user.Id }; - await _distributedCache.SetAsync(string.Format(REGISTER_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession))); + var registerSession = new OpaqueKeyExchangeRegisterSession() + { + SessionId = sessionId, + ServerSetup = registrationRequest.serverSetup, + CipherConfiguration = cipherConfiguration, + UserId = user.Id + }; + await _distributedCache.SetAsync( + string.Format(REGISTER_SESSION_KEY, sessionId), + Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession))); - return new OpaqueRegistrationStartResponse(sessionId, Convert.ToBase64String(registrationRequest.registrationResponse)); + return new OpaqueRegistrationStartResponse( + sessionId, Convert.ToBase64String(registrationRequest.registrationResponse)); } - public async Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset) + public async Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset) { - var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId)); - if (serializedRegisterSession == null) - { - throw new InvalidOperationException("Session not found"); - } - try { + var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId)) + ?? throw new Exception("Session not found"); var registerSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedRegisterSession))!; var registrationFinish = _bitwardenOpaque.FinishRegistration(registerSession.CipherConfiguration.ToNativeConfiguration(), registrationUpload); registerSession.PasswordFile = registrationFinish.serverRegistration; registerSession.KeySet = Encoding.ASCII.GetBytes(JsonSerializer.Serialize(keyset)); await _distributedCache.SetAsync(string.Format(REGISTER_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession))); + return true; } catch (Exception e) { await _distributedCache.RemoveAsync(string.Format(REGISTER_SESSION_KEY, sessionId)); - throw new Exception(e.Message); + _logger.LogError(e, "Error finishing registration for user {UserId}", user.Id); + return false; } } public async Task<(Guid, byte[])> StartLogin(byte[] request, string email) { - var user = await _userRepository.GetByEmailAsync(email); - if (user == null) + try { - // todo don't allow user enumeration - throw new InvalidOperationException("User not found"); + // todo: don't allow user enumeration + var user = await _userRepository.GetByEmailAsync(email) + ?? throw new InvalidOperationException("User not found"); + + // todo: generate fake credential + var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id) + ?? throw new InvalidOperationException("Credential not found"); + + var cipherConfiguration = JsonSerializer.Deserialize(credential.CipherConfiguration)!; + var credentialBlob = JsonSerializer.Deserialize(credential.CredentialBlob)!; + var serverSetup = credentialBlob.ServerSetup; + var serverRegistration = credentialBlob.PasswordFile; + + var loginResponse = _bitwardenOpaque.StartLogin( + cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString()); + + var sessionId = MakeCryptoGuid(); + var loginSession = new OpaqueKeyExchangeLoginSession() + { + UserId = user.Id, + LoginState = loginResponse.state, + CipherConfiguration = cipherConfiguration, + IsAuthenticated = false + }; + await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession))); + return (sessionId, loginResponse.credentialResponse); } - - var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id); - if (credential == null) + catch (InvalidOperationException e) { - // generate fake credential - throw new InvalidOperationException("Credential not found"); + _logger.LogError(e, "Error starting login for user {Email}", email); + return (Guid.Empty, []); } - - var cipherConfiguration = JsonSerializer.Deserialize(credential.CipherConfiguration)!; - var credentialBlob = JsonSerializer.Deserialize(credential.CredentialBlob)!; - var serverSetup = credentialBlob.ServerSetup; - var serverRegistration = credentialBlob.PasswordFile; - - var loginResponse = _bitwardenOpaque.StartLogin(cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString()); - var sessionId = MakeCryptoGuid(); - var loginSession = new OpaqueKeyExchangeLoginSession() - { - UserId = user.Id, - LoginState = loginResponse.state, - CipherConfiguration = cipherConfiguration, - IsAuthenticated = false - }; - await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession))); - return (sessionId, loginResponse.credentialResponse); } public async Task FinishLogin(Guid sessionId, byte[] credentialFinalization) { - var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); - if (serializedLoginSession == null) - { - throw new InvalidOperationException("Session not found"); - } - var loginSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedLoginSession))!; - - var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId); - if (credential == null) - { - throw new InvalidOperationException("Credential not found"); - } - - var loginState = loginSession.LoginState; - var cipherConfiguration = loginSession.CipherConfiguration; - await _distributedCache.RemoveAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); - try { + var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); + if (serializedLoginSession == null) + { + throw new InvalidOperationException("Session not found"); + } + var loginSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedLoginSession))!; + + var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId); + if (credential == null) + { + throw new InvalidOperationException("Credential not found"); + } + + var loginState = loginSession.LoginState; + var cipherConfiguration = loginSession.CipherConfiguration; + await _distributedCache.RemoveAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); + var success = _bitwardenOpaque.FinishLogin(cipherConfiguration.ToNativeConfiguration(), loginState, credentialFinalization); loginSession.IsAuthenticated = true; await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession))); @@ -141,66 +158,78 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService public async Task GetUserForAuthenticatedSession(Guid sessionId) { - var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)); - if (serializedLoginSession == null) + try { - throw new InvalidOperationException("Session not found"); - } - var loginSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedLoginSession))!; + var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId)) + ?? throw new InvalidOperationException("Session not found"); - if (!loginSession.IsAuthenticated) + var loginSession = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedLoginSession))!; + + if (!loginSession.IsAuthenticated) + { + throw new InvalidOperationException("Session not authenticated"); + } + + return await _userRepository.GetByIdAsync(loginSession.UserId!)!; + } + catch (InvalidOperationException e) { - throw new InvalidOperationException("Session not authenticated"); + _logger.LogError(e, "Error authenticating user session {SessionId}", sessionId); + return null; } - - return await _userRepository.GetByIdAsync(loginSession.UserId!)!; } - public async Task SetRegistrationActiveForAccount(Guid sessionId, User user) + public async Task WriteCacheCredentialToDatabase(Guid sessionId, User user) { - var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId)); - if (serializedRegisterSession == null) + try { - throw new InvalidOperationException("Session not found"); - } - var session = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedRegisterSession))!; + var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId)) + ?? throw new InvalidOperationException("Session not found"); - if (session.UserId != user.Id) - { - throw new InvalidOperationException("Session does not belong to user"); - } - if (session.PasswordFile == null) - { - throw new InvalidOperationException("Session did not complete registration"); - } - if (session.KeySet == null) - { - throw new InvalidOperationException("Session did not complete registration"); - } + var session = JsonSerializer.Deserialize(Encoding.ASCII.GetString(serializedRegisterSession))!; + if (session.UserId != user.Id) + { + throw new InvalidOperationException("Session does not belong to user"); + } + if (session.PasswordFile == null) + { + throw new InvalidOperationException("Session did not complete registration"); + } + if (session.KeySet == null) + { + throw new InvalidOperationException("Session did not complete registration"); + } - var keyset = JsonSerializer.Deserialize(Encoding.ASCII.GetString(session.KeySet))!; - var credentialBlob = new OpaqueKeyExchangeCredentialBlob() - { - PasswordFile = session.PasswordFile, - ServerSetup = session.ServerSetup - }; + var keyset = JsonSerializer.Deserialize(Encoding.ASCII.GetString(session.KeySet))!; + var credentialBlob = new OpaqueKeyExchangeCredentialBlob() + { + PasswordFile = session.PasswordFile, + ServerSetup = session.ServerSetup + }; - var credential = new OpaqueKeyExchangeCredential() - { - UserId = user.Id, - CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration), - CredentialBlob = JsonSerializer.Serialize(credentialBlob), - EncryptedPrivateKey = keyset.EncryptedPrivateKey, - EncryptedPublicKey = keyset.EncryptedPublicKey, - EncryptedUserKey = keyset.EncryptedUserKey, - CreationDate = DateTime.UtcNow - }; + var credential = new OpaqueKeyExchangeCredential() + { + UserId = user.Id, + CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration), + CredentialBlob = JsonSerializer.Serialize(credentialBlob), + EncryptedPrivateKey = keyset.EncryptedPrivateKey, + EncryptedPublicKey = keyset.EncryptedPublicKey, + EncryptedUserKey = keyset.EncryptedUserKey, + CreationDate = DateTime.UtcNow + }; - await Unenroll(user); - await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential); + await RemoveUserOpaqueKeyExchangeCredential(user); + await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential); + return true; + } + catch (InvalidOperationException e) + { + _logger.LogError(e, "Error writing cache opaque credential to database for user {UserId}", user.Id); + return false; + } } - public async Task Unenroll(User user) + public async Task RemoveUserOpaqueKeyExchangeCredential(User user) { var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id); if (credential != null) @@ -209,10 +238,14 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService } } + /// + /// Makes a cryptographically secure GUID to use as a session Id. + /// + /// GUID private static Guid MakeCryptoGuid() { // Get 16 cryptographically random bytes - byte[] data = RandomNumberGenerator.GetBytes(16); + var data = RandomNumberGenerator.GetBytes(16); // Mark it as a version 4 GUID data[7] = (byte)((data[7] | (byte)0x40) & (byte)0x4f); @@ -227,6 +260,11 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService } } +/// +/// Object saved to the cache for a registration session. We store the registration object in +/// the cache so we can maintain key material separation between the client and server. +/// If we used a Tokenable then it could expose the Server Key material to the client. +/// public class OpaqueKeyExchangeRegisterSession { public required Guid SessionId { get; set; } @@ -237,6 +275,11 @@ public class OpaqueKeyExchangeRegisterSession public byte[]? KeySet { get; set; } } +/// +/// This object is used to accomplish a Pushed Authorization Request (PAR) "adjacent" type action. Where we +/// track authentication state in the cache so when a user finishes authentication they only need +/// the Cryptographically secure GUID sessionId. +/// public class OpaqueKeyExchangeLoginSession { public required Guid UserId { get; set; } diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs index 10a5d21429..c2de3815ab 100644 --- a/src/Core/Services/Implementations/UserService.cs +++ b/src/Core/Services/Implementations/UserService.cs @@ -670,11 +670,11 @@ public class UserService : UserManager, IUserService, IDisposable if (opaqueSessionId != null) { - await _opaqueKeyExchangeService.SetRegistrationActiveForAccount((Guid)opaqueSessionId, user); + await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase((Guid)opaqueSessionId, user); } else { - await _opaqueKeyExchangeService.Unenroll(user); + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); } await _userRepository.ReplaceAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword); @@ -817,7 +817,7 @@ public class UserService : UserManager, IUserService, IDisposable user.Key = key; // TODO: Add Opaque-KE support - await _opaqueKeyExchangeService.Unenroll(user); + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); await _userRepository.ReplaceAsync(user); await _mailService.SendAdminResetPasswordEmailAsync(user.Email, user.Name, org.DisplayName()); await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_AdminResetPassword); @@ -845,7 +845,7 @@ public class UserService : UserManager, IUserService, IDisposable user.MasterPasswordHint = hint; // TODO: Add Opaque-KE support - await _opaqueKeyExchangeService.Unenroll(user); + await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user); await _userRepository.ReplaceAsync(user); await _mailService.SendUpdatedTempPasswordEmailAsync(user.Email, user.Name); await _eventService.LogUserEventAsync(user.Id, EventType.User_UpdatedTempPassword); diff --git a/src/Identity/Controllers/AccountsController.cs b/src/Identity/Controllers/AccountsController.cs index 0bf8e35d49..acb1552599 100644 --- a/src/Identity/Controllers/AccountsController.cs +++ b/src/Identity/Controllers/AccountsController.cs @@ -1,7 +1,6 @@ using System.Diagnostics; using System.Text; using System.Text.Json; -using Bit.Api.Auth.Models.Request.Opaque; using Bit.Api.Auth.Models.Response.Opaque; using Bit.Core; using Bit.Core.Auth.Enums;