nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-04 18:20:33 -05:00
Code

Refactor ConfirmOrganizationUserCommand to streamline two-factor authentication policy validation logic

Browse Source
This commit is contained in:
Rui Tome 2025-05-26 11:24:08 +01:00
parent eeb0b0768f
commit aa73ad31df
No known key found for this signature in database
GPG Key ID: 526239D96A8EC066
1 changed files with 20 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ConfirmOrganizationUserCommand.cs
View File

@ -153,19 +153,7 @@ public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
ICollection<OrganizationUser> userOrgs, bool userTwoFactorEnabled)
{
// Enforce Two Factor Authentication Policy for this organization
if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
{
await ValidateTwoFactorAuthenticationPolicyAsync(user, organizationId, userTwoFactorEnabled);
}
else
{
var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
.Any(p => p.OrganizationId == organizationId);
if (orgRequiresTwoFactor && !userTwoFactorEnabled)
{
throw new BadRequestException("User does not have two-step login enabled.");
}
}
await ValidateTwoFactorAuthenticationPolicyAsync(user, organizationId, userTwoFactorEnabled);
var hasOtherOrgs = userOrgs.Any(ou => ou.OrganizationId != organizationId);
var singleOrgPolicies = await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.SingleOrg);
@ -183,29 +171,30 @@ public class ConfirmOrganizationUserCommand : IConfirmOrganizationUserCommand
}
}
/// <summary>
/// Validates the two-factor authentication policy for the organization user.
/// If the policy applies to the organization, the user must have two-step login enabled.
/// </summary>
/// <param name="user">The user to validate the policy for.</param>
/// <param name="organizationId">The ID of the organization to validate the policy for.</param>
/// <param name="userTwoFactorEnabled">Whether the user has two-step login enabled.</param>
/// <exception cref="BadRequestException">Thrown if the policy applies to the organization and
/// the user does not have two-step login enabled.</exception>
private async Task ValidateTwoFactorAuthenticationPolicyAsync(User user, Guid organizationId, bool userTwoFactorEnabled)
{
if (userTwoFactorEnabled)
if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
{
// If the user has two-step login enabled, we skip checking the 2FA policy
return;
if (userTwoFactorEnabled)
{
// If the user has two-step login enabled, we skip checking the 2FA policy
return;
}
var twoFactorPolicyRequirement = await _policyRequirementQuery.GetAsync<RequireTwoFactorPolicyRequirement>(user.Id);
if (twoFactorPolicyRequirement.IsTwoFactorRequiredForOrganization(organizationId))
{
throw new BadRequestException("User does not have two-step login enabled.");
}
}
var twoFactorPolicyRequirement = await _policyRequirementQuery.GetAsync<RequireTwoFactorPolicyRequirement>(user.Id);
var twoFactorRequired = twoFactorPolicyRequirement.IsTwoFactorRequiredForOrganization(organizationId);
if (twoFactorRequired)
else
{
throw new BadRequestException("User does not have two-step login enabled.");
var orgRequiresTwoFactor = (await _policyService.GetPoliciesApplicableToUserAsync(user.Id, PolicyType.TwoFactorAuthentication))
.Any(p => p.OrganizationId == organizationId);
if (orgRequiresTwoFactor && !userTwoFactorEnabled)
{
throw new BadRequestException("User does not have two-step login enabled.");
}
}
}