nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

PS-82 check send 2FA email for new devices on TwoFactorController send-email-login (#1977)

Browse Source
This commit is contained in:
Federico Maccaroni
2022-04-28 13:14:09 -03:00
committed by GitHub
parent 68f875b3d9
commit a7a45893a3
6 changed files with 161 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/Api/Controllers/TwoFactorController.cs
View File

@ -289,7 +289,16 @@ namespace Bit.Api.Controllers
{
if (await _userService.VerifySecretAsync(user, model.Secret))
{
await _userService.SendTwoFactorEmailAsync(user);
var isBecauseNewDeviceLogin = false;
if (user.GetTwoFactorProvider(TwoFactorProviderType.Email) is null
&&
await _userService.Needs2FABecauseNewDeviceAsync(user, model.DeviceIdentifier, null))
{
model.ToUser(user);
isBecauseNewDeviceLogin = true;
}
await _userService.SendTwoFactorEmailAsync(user, isBecauseNewDeviceLogin);
return;
}
}

2
src/Api/Models/Request/TwoFactorRequestModels.cs
View File

@ -203,6 +203,8 @@ namespace Bit.Api.Models.Request
[StringLength(256)]
public string Email { get; set; }
public string DeviceIdentifier { get; set; }
public User ToUser(User extistingUser)
{
var providers = extistingUser.GetTwoFactorProviders();

24
src/Core/IdentityServer/BaseRequestValidator.cs
View File

@ -319,9 +319,11 @@ namespace Bit.Core.IdentityServer
var requires2FA = individualRequired || firstEnabledOrg != null;
var requires2FABecauseNewDevice = !requires2FA
&& user.EmailVerified
&& request.GrantType != "authorization_code"
&& await IsNewDeviceAndNotTheFirstOneAsync(user, request);
&&
await _userService.Needs2FABecauseNewDeviceAsync(
user,
GetDeviceFromRequest(request)?.Identifier,
request.GrantType);
requires2FA = requires2FA || requires2FABecauseNewDevice;
@ -536,22 +538,6 @@ namespace Bit.Core.IdentityServer
return await _deviceRepository.GetByIdentifierAsync(GetDeviceFromRequest(request).Identifier, user.Id);
}
protected async Task<bool> IsNewDeviceAndNotTheFirstOneAsync(User user, ValidatedTokenRequest request)
{
if (user == null)
{
return default;
}
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
if (!devices.Any())
{
return false;
}
return !devices.Any(d => d.Identifier == GetDeviceFromRequest(request)?.Identifier);
}
private async Task<Device> SaveDeviceAsync(User user, ValidatedTokenRequest request)
{
var device = GetDeviceFromRequest(request);

1
src/Core/Services/IUserService.cs
View File

@ -78,5 +78,6 @@ namespace Bit.Core.Services
Task SendOTPAsync(User user);
Task<bool> VerifyOTPAsync(User user, string token);
Task<bool> VerifySecretAsync(User user, string secret);
Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType);
}
}

34
src/Core/Services/Implementations/UserService.cs
View File

@ -17,7 +17,9 @@ using Bit.Core.Utilities;
using Fido2NetLib;
using Fido2NetLib.Objects;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using File = System.IO.File;
@ -51,6 +53,8 @@ namespace Bit.Core.Services
private readonly GlobalSettings _globalSettings;
private readonly IOrganizationService _organizationService;
private readonly IProviderUserRepository _providerUserRepository;
private readonly IDeviceRepository _deviceRepository;
private readonly IWebHostEnvironment _environment;
public UserService(
IUserRepository userRepository,
@ -79,7 +83,9 @@ namespace Bit.Core.Services
ICurrentContext currentContext,
GlobalSettings globalSettings,
IOrganizationService organizationService,
IProviderUserRepository providerUserRepository)
IProviderUserRepository providerUserRepository,
IDeviceRepository deviceRepository,
IWebHostEnvironment environment)
: base(
store,
optionsAccessor,
@ -114,6 +120,8 @@ namespace Bit.Core.Services
_globalSettings = globalSettings;
_organizationService = organizationService;
_providerUserRepository = providerUserRepository;
_deviceRepository = deviceRepository;
_environment = environment;
}
public Guid? GetProperUserId(ClaimsPrincipal principal)
@ -1408,5 +1416,29 @@ namespace Bit.Core.Services
? await VerifyOTPAsync(user, secret)
: await CheckPasswordAsync(user, secret);
}
public async Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType)
{
return user.EmailVerified
&& grantType != "authorization_code"
&& !_environment.IsDevelopment()
&& await IsNewDeviceAndNotTheFirstOneAsync(user, deviceIdentifier);
}
private async Task<bool> IsNewDeviceAndNotTheFirstOneAsync(User user, string deviceIdentifier)
{
if (user == null)
{
return default;
}
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
if (!devices.Any())
{
return false;
}
return !devices.Any(d => d.Identifier == deviceIdentifier);
}
}
}