[PM-9925] Tokenable for User Verification on Two Factor Authenticator settings (#4558)

* initial changes * Fixing some bits * fixing issue when feature flag is `false`; also names; * consume OTP on read if FF true * comment typo * fix formatting * check access code first to not consume token * add docs * revert checking access code first * update error messages * remove line number from comment --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-04-05 05:00:19 -05:00 · 2024-07-25 07:51:23 -07:00 · 2024-07-25 07:51:23 -07:00 · aba2f023cd
commit aba2f023cd
parent f211e969c7
6 changed files with 130 additions and 14 deletions
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@ -3,6 +3,7 @@ using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Auth.Models.Response.TwoFactor;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
+using Bit.Core;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Auth.Models.Business.Tokenables;
@ -33,7 +34,10 @@ public class TwoFactorController : Controller
    private readonly UserManager<User> _userManager;
    private readonly ICurrentContext _currentContext;
    private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand;
-    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
+    private readonly IFeatureService _featureService;
+    private readonly IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> _twoFactorAuthenticatorDataProtector;
+    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _ssoEmailTwoFactorSessionDataProtector;
+    private readonly bool _TwoFactorAuthenticatorTokenFeatureFlagEnabled;

    public TwoFactorController(
        IUserService userService,
@ -43,7 +47,9 @@ public class TwoFactorController : Controller
        UserManager<User> userManager,
        ICurrentContext currentContext,
        IVerifyAuthRequestCommand verifyAuthRequestCommand,
-        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory)
+        IFeatureService featureService,
+        IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> twoFactorAuthenticatorDataProtector,
+        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> ssoEmailTwoFactorSessionDataProtector)
    {
        _userService = userService;
        _organizationRepository = organizationRepository;
@ -52,7 +58,10 @@ public class TwoFactorController : Controller
        _userManager = userManager;
        _currentContext = currentContext;
        _verifyAuthRequestCommand = verifyAuthRequestCommand;
-        _tokenDataFactory = tokenDataFactory;
+        _featureService = featureService;
+        _twoFactorAuthenticatorDataProtector = twoFactorAuthenticatorDataProtector;
+        _ssoEmailTwoFactorSessionDataProtector = ssoEmailTwoFactorSessionDataProtector;
+        _TwoFactorAuthenticatorTokenFeatureFlagEnabled = _featureService.IsEnabled(FeatureFlagKeys.AuthenticatorTwoFactorToken);
    }

    [HttpGet("")]
@ -93,8 +102,13 @@ public class TwoFactorController : Controller
    public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator(
        [FromBody] SecretVerificationRequestModel model)
    {
-        var user = await CheckAsync(model, false, true);
+        var user = _TwoFactorAuthenticatorTokenFeatureFlagEnabled ? await CheckAsync(model, false) : await CheckAsync(model, false, true);
        var response = new TwoFactorAuthenticatorResponseModel(user);
+        if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled)
+        {
+            var tokenable = new TwoFactorAuthenticatorUserVerificationTokenable(user, response.Key);
+            response.UserVerificationToken = _twoFactorAuthenticatorDataProtector.Protect(tokenable);
+        }
        return response;
    }

@ -103,8 +117,21 @@ public class TwoFactorController : Controller
    public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
        [FromBody] UpdateTwoFactorAuthenticatorRequestModel model)
    {
-        var user = await CheckAsync(model, false);
-        model.ToUser(user);
+        User user;
+        if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled)
+        {
+            user = model.ToUser(await _userService.GetUserByPrincipalAsync(User));
+            _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken);
+            if (!decryptedToken.TokenIsValid(user, model.Key))
+            {
+                throw new BadRequestException("UserVerificationToken", "User verification failed.");
+            }
+        }
+        else
+        {
+            user = await CheckAsync(model, false);
+            model.ToUser(user); // populates user obj with proper metadata for VerifyTwoFactorTokenAsync
+        }

        if (!await _userManager.VerifyTwoFactorTokenAsync(user,
                CoreHelpers.CustomProviderName(TwoFactorProviderType.Authenticator), model.Token))
@ -118,6 +145,22 @@ public class TwoFactorController : Controller
        return response;
    }

+    [RequireFeature(FeatureFlagKeys.AuthenticatorTwoFactorToken)]
+    [HttpDelete("authenticator")]
+    public async Task<TwoFactorProviderResponseModel> DisableAuthenticator(
+    [FromBody] TwoFactorAuthenticatorDisableRequestModel model)
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken);
+        if (!decryptedToken.TokenIsValid(user, model.Key))
+        {
+            throw new BadRequestException("UserVerificationToken", "User verification failed.");
+        }
+
+        await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService);
+        return new TwoFactorProviderResponseModel(model.Type.Value, user);
+    }
+
    [HttpPost("get-yubikey")]
    public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody] SecretVerificationRequestModel model)
    {
@ -477,7 +520,7 @@ public class TwoFactorController : Controller

    private bool ValidateSsoEmail2FaToken(string ssoEmail2FaSessionToken, User user)
    {
-        return _tokenDataFactory.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) &&
+        return _ssoEmailTwoFactorSessionDataProtector.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) &&
               decryptedToken.Valid && decryptedToken.TokenIsValid(user);
    }

--- a/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
+++ b/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
@ -17,7 +17,7 @@ public class UpdateTwoFactorAuthenticatorRequestModel : SecretVerificationReques
    [Required]
    [StringLength(50)]
    public string Key { get; set; }
-
+    public string UserVerificationToken { get; set; }
    public User ToUser(User existingUser)
    {
        var providers = existingUser.GetTwoFactorProviders();
@ -323,3 +323,11 @@ public class TwoFactorRecoveryRequestModel : TwoFactorEmailRequestModel
    [StringLength(32)]
    public string RecoveryCode { get; set; }
 }
+
+public class TwoFactorAuthenticatorDisableRequestModel : TwoFactorProviderRequestModel
+{
+    [Required]
+    public string UserVerificationToken { get; set; }
+    [Required]
+    public string Key { get; set; }
+}
--- a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs
+++ b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs
@ -10,10 +10,7 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel
    public TwoFactorAuthenticatorResponseModel(User user)
        : base("twoFactorAuthenticator")
    {
-        if (user == null)
-        {
-            throw new ArgumentNullException(nameof(user));
-        }
+        ArgumentNullException.ThrowIfNull(user);

        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Authenticator);
        if (provider?.MetaData?.ContainsKey("Key") ?? false)
@ -31,4 +28,5 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel

    public bool Enabled { get; set; }
    public string Key { get; set; }
+    public string UserVerificationToken { get; set; }
 }
--- a/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs
@ -0,0 +1,62 @@
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Newtonsoft.Json;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+/// <summary>
+/// A tokenable object that gives a user the ability to update their authenticator two factor settings.
+/// </summary>
+/// <remarks>
+/// We protect two factor updates behind user verification (re-authentication) to protect against attacks of opportunity
+/// (e.g. a user leaves their web vault unlocked). Most two factor options only require user verification (UV) when
+/// enabling or disabling the option, retrieving the current status usually isn't a sensitive operation. However,
+/// the status of authenticator two factor is sensitive because it reveals the user's secret key, which means both
+/// operations must be protected by UV.
+///
+/// TOTP as a UV option is only allowed to be used once, so we return this tokenable when retrieving the current status
+/// (and secret key) of authenticator two factor to give the user a means of passing UV when updating (enabling/disabling).
+/// </remarks>
+public class TwoFactorAuthenticatorUserVerificationTokenable : ExpiringTokenable
+{
+    private static readonly TimeSpan _tokenLifetime = TimeSpan.FromMinutes(30);
+
+    public const string ClearTextPrefix = "TwoFactorAuthenticatorUserVerification";
+    public const string DataProtectorPurpose = "TwoFactorAuthenticatorUserVerificationTokenDataProtector";
+    public const string TokenIdentifier = "TwoFactorAuthenticatorUserVerificationToken";
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid UserId { get; set; }
+    public string Key { get; set; }
+
+    public override bool Valid => Identifier == TokenIdentifier &&
+                                  UserId != default;
+
+    [JsonConstructor]
+    public TwoFactorAuthenticatorUserVerificationTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.Add(_tokenLifetime);
+    }
+
+    public TwoFactorAuthenticatorUserVerificationTokenable(User user, string key) : this()
+    {
+        UserId = user?.Id ?? default;
+        Key = key;
+    }
+
+    public bool TokenIsValid(User user, string key)
+    {
+        if (UserId == default
+            || user == null
+            || string.IsNullOrWhiteSpace(key))
+        {
+            return false;
+        }
+
+        return UserId == user.Id && Key == key;
+    }
+
+    protected override bool TokenIsValid() =>
+        Identifier == TokenIdentifier
+        && UserId != default
+        && !string.IsNullOrWhiteSpace(Key);
+}
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -131,6 +131,7 @@ public static class FeatureFlagKeys
    public const string AC2828_ProviderPortalMembersPage = "AC-2828_provider-portal-members-page";
    public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
    public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
+    public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token";

    public static List<string> GetAllKeys()
    {
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -185,14 +185,18 @@ public static class ServiceCollectionExtensions
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<ProviderDeleteTokenable>>>())
        );
-
        services.AddSingleton<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>(
            serviceProvider => new DataProtectorTokenFactory<RegistrationEmailVerificationTokenable>(
                RegistrationEmailVerificationTokenable.ClearTextPrefix,
                RegistrationEmailVerificationTokenable.DataProtectorPurpose,
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>>()));
-
+        services.AddSingleton<IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>>(
+            serviceProvider => new DataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>(
+                TwoFactorAuthenticatorUserVerificationTokenable.ClearTextPrefix,
+                TwoFactorAuthenticatorUserVerificationTokenable.DataProtectorPurpose,
+                serviceProvider.GetDataProtectionProvider(),
+                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>>>()));
    }

    public static void AddDefaultServices(this IServiceCollection services, GlobalSettings globalSettings)