PS-82 check send 2FA email for new devices on TwoFactorController send-email-login (#1977)

2025-07-01 16:12:49 -05:00 · 2022-04-28 13:14:09 -03:00
parent 68f875b3d9
commit a7a45893a3
6 changed files with 161 additions and 21 deletions
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -78,5 +78,6 @@ namespace Bit.Core.Services
        Task SendOTPAsync(User user);
        Task<bool> VerifyOTPAsync(User user, string token);
        Task<bool> VerifySecretAsync(User user, string secret);
+        Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType);
    }
 }
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -17,7 +17,9 @@ using Bit.Core.Utilities;
 using Fido2NetLib;
 using Fido2NetLib.Objects;
 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using File = System.IO.File;
@ -51,6 +53,8 @@ namespace Bit.Core.Services
        private readonly GlobalSettings _globalSettings;
        private readonly IOrganizationService _organizationService;
        private readonly IProviderUserRepository _providerUserRepository;
+        private readonly IDeviceRepository _deviceRepository;
+        private readonly IWebHostEnvironment _environment;

        public UserService(
            IUserRepository userRepository,
@ -79,7 +83,9 @@ namespace Bit.Core.Services
            ICurrentContext currentContext,
            GlobalSettings globalSettings,
            IOrganizationService organizationService,
-            IProviderUserRepository providerUserRepository)
+            IProviderUserRepository providerUserRepository,
+            IDeviceRepository deviceRepository,
+            IWebHostEnvironment environment)
            : base(
                  store,
                  optionsAccessor,
@ -114,6 +120,8 @@ namespace Bit.Core.Services
            _globalSettings = globalSettings;
            _organizationService = organizationService;
            _providerUserRepository = providerUserRepository;
+            _deviceRepository = deviceRepository;
+            _environment = environment;
        }

        public Guid? GetProperUserId(ClaimsPrincipal principal)
@ -1408,5 +1416,29 @@ namespace Bit.Core.Services
                ? await VerifyOTPAsync(user, secret)
                : await CheckPasswordAsync(user, secret);
        }
+
+        public async Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType)
+        {
+            return user.EmailVerified
+                   && grantType != "authorization_code"
+                   && !_environment.IsDevelopment()
+                   && await IsNewDeviceAndNotTheFirstOneAsync(user, deviceIdentifier);
+        }
+
+        private async Task<bool> IsNewDeviceAndNotTheFirstOneAsync(User user, string deviceIdentifier)
+        {
+            if (user == null)
+            {
+                return default;
+            }
+
+            var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
+            if (!devices.Any())
+            {
+                return false;
+            }
+
+            return !devices.Any(d => d.Identifier == deviceIdentifier);
+        }
    }
 }