diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs index 1a2e29848f..0a50f9bc2f 100644 --- a/src/Api/Auth/Controllers/TwoFactorController.cs +++ b/src/Api/Auth/Controllers/TwoFactorController.cs @@ -3,6 +3,7 @@ using Bit.Api.Auth.Models.Request.Accounts; using Bit.Api.Auth.Models.Response.TwoFactor; using Bit.Api.Models.Request; using Bit.Api.Models.Response; +using Bit.Core; using Bit.Core.Auth.Enums; using Bit.Core.Auth.LoginFeatures.PasswordlessLogin.Interfaces; using Bit.Core.Auth.Models.Business.Tokenables; @@ -33,7 +34,10 @@ public class TwoFactorController : Controller private readonly UserManager _userManager; private readonly ICurrentContext _currentContext; private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand; - private readonly IDataProtectorTokenFactory _tokenDataFactory; + private readonly IFeatureService _featureService; + private readonly IDataProtectorTokenFactory _twoFactorAuthenticatorDataProtector; + private readonly IDataProtectorTokenFactory _ssoEmailTwoFactorSessionDataProtector; + private readonly bool _TwoFactorAuthenticatorTokenFeatureFlagEnabled; public TwoFactorController( IUserService userService, @@ -43,7 +47,9 @@ public class TwoFactorController : Controller UserManager userManager, ICurrentContext currentContext, IVerifyAuthRequestCommand verifyAuthRequestCommand, - IDataProtectorTokenFactory tokenDataFactory) + IFeatureService featureService, + IDataProtectorTokenFactory twoFactorAuthenticatorDataProtector, + IDataProtectorTokenFactory ssoEmailTwoFactorSessionDataProtector) { _userService = userService; _organizationRepository = organizationRepository; @@ -52,7 +58,10 @@ public class TwoFactorController : Controller _userManager = userManager; _currentContext = currentContext; _verifyAuthRequestCommand = verifyAuthRequestCommand; - _tokenDataFactory = tokenDataFactory; + _featureService = featureService; + _twoFactorAuthenticatorDataProtector = twoFactorAuthenticatorDataProtector; + _ssoEmailTwoFactorSessionDataProtector = ssoEmailTwoFactorSessionDataProtector; + _TwoFactorAuthenticatorTokenFeatureFlagEnabled = _featureService.IsEnabled(FeatureFlagKeys.AuthenticatorTwoFactorToken); } [HttpGet("")] @@ -93,8 +102,13 @@ public class TwoFactorController : Controller public async Task GetAuthenticator( [FromBody] SecretVerificationRequestModel model) { - var user = await CheckAsync(model, false, true); + var user = _TwoFactorAuthenticatorTokenFeatureFlagEnabled ? await CheckAsync(model, false) : await CheckAsync(model, false, true); var response = new TwoFactorAuthenticatorResponseModel(user); + if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled) + { + var tokenable = new TwoFactorAuthenticatorUserVerificationTokenable(user, response.Key); + response.UserVerificationToken = _twoFactorAuthenticatorDataProtector.Protect(tokenable); + } return response; } @@ -103,8 +117,21 @@ public class TwoFactorController : Controller public async Task PutAuthenticator( [FromBody] UpdateTwoFactorAuthenticatorRequestModel model) { - var user = await CheckAsync(model, false); - model.ToUser(user); + User user; + if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled) + { + user = model.ToUser(await _userService.GetUserByPrincipalAsync(User)); + _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken); + if (!decryptedToken.TokenIsValid(user, model.Key)) + { + throw new BadRequestException("UserVerificationToken", "User verification failed."); + } + } + else + { + user = await CheckAsync(model, false); + model.ToUser(user); // populates user obj with proper metadata for VerifyTwoFactorTokenAsync + } if (!await _userManager.VerifyTwoFactorTokenAsync(user, CoreHelpers.CustomProviderName(TwoFactorProviderType.Authenticator), model.Token)) @@ -118,6 +145,22 @@ public class TwoFactorController : Controller return response; } + [RequireFeature(FeatureFlagKeys.AuthenticatorTwoFactorToken)] + [HttpDelete("authenticator")] + public async Task DisableAuthenticator( + [FromBody] TwoFactorAuthenticatorDisableRequestModel model) + { + var user = await _userService.GetUserByPrincipalAsync(User); + _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken); + if (!decryptedToken.TokenIsValid(user, model.Key)) + { + throw new BadRequestException("UserVerificationToken", "User verification failed."); + } + + await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService); + return new TwoFactorProviderResponseModel(model.Type.Value, user); + } + [HttpPost("get-yubikey")] public async Task GetYubiKey([FromBody] SecretVerificationRequestModel model) { @@ -477,7 +520,7 @@ public class TwoFactorController : Controller private bool ValidateSsoEmail2FaToken(string ssoEmail2FaSessionToken, User user) { - return _tokenDataFactory.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) && + return _ssoEmailTwoFactorSessionDataProtector.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) && decryptedToken.Valid && decryptedToken.TokenIsValid(user); } diff --git a/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs b/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs index fc7129503f..f2f01a2378 100644 --- a/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs +++ b/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs @@ -17,7 +17,7 @@ public class UpdateTwoFactorAuthenticatorRequestModel : SecretVerificationReques [Required] [StringLength(50)] public string Key { get; set; } - + public string UserVerificationToken { get; set; } public User ToUser(User existingUser) { var providers = existingUser.GetTwoFactorProviders(); @@ -323,3 +323,11 @@ public class TwoFactorRecoveryRequestModel : TwoFactorEmailRequestModel [StringLength(32)] public string RecoveryCode { get; set; } } + +public class TwoFactorAuthenticatorDisableRequestModel : TwoFactorProviderRequestModel +{ + [Required] + public string UserVerificationToken { get; set; } + [Required] + public string Key { get; set; } +} diff --git a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs index a3fa1a8d20..f791c6fb1e 100644 --- a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs +++ b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs @@ -10,10 +10,7 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel public TwoFactorAuthenticatorResponseModel(User user) : base("twoFactorAuthenticator") { - if (user == null) - { - throw new ArgumentNullException(nameof(user)); - } + ArgumentNullException.ThrowIfNull(user); var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Authenticator); if (provider?.MetaData?.ContainsKey("Key") ?? false) @@ -31,4 +28,5 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel public bool Enabled { get; set; } public string Key { get; set; } + public string UserVerificationToken { get; set; } } diff --git a/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs b/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs new file mode 100644 index 0000000000..70a94f5928 --- /dev/null +++ b/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs @@ -0,0 +1,62 @@ +using Bit.Core.Entities; +using Bit.Core.Tokens; +using Newtonsoft.Json; + +namespace Bit.Core.Auth.Models.Business.Tokenables; + +/// +/// A tokenable object that gives a user the ability to update their authenticator two factor settings. +/// +/// +/// We protect two factor updates behind user verification (re-authentication) to protect against attacks of opportunity +/// (e.g. a user leaves their web vault unlocked). Most two factor options only require user verification (UV) when +/// enabling or disabling the option, retrieving the current status usually isn't a sensitive operation. However, +/// the status of authenticator two factor is sensitive because it reveals the user's secret key, which means both +/// operations must be protected by UV. +/// +/// TOTP as a UV option is only allowed to be used once, so we return this tokenable when retrieving the current status +/// (and secret key) of authenticator two factor to give the user a means of passing UV when updating (enabling/disabling). +/// +public class TwoFactorAuthenticatorUserVerificationTokenable : ExpiringTokenable +{ + private static readonly TimeSpan _tokenLifetime = TimeSpan.FromMinutes(30); + + public const string ClearTextPrefix = "TwoFactorAuthenticatorUserVerification"; + public const string DataProtectorPurpose = "TwoFactorAuthenticatorUserVerificationTokenDataProtector"; + public const string TokenIdentifier = "TwoFactorAuthenticatorUserVerificationToken"; + public string Identifier { get; set; } = TokenIdentifier; + public Guid UserId { get; set; } + public string Key { get; set; } + + public override bool Valid => Identifier == TokenIdentifier && + UserId != default; + + [JsonConstructor] + public TwoFactorAuthenticatorUserVerificationTokenable() + { + ExpirationDate = DateTime.UtcNow.Add(_tokenLifetime); + } + + public TwoFactorAuthenticatorUserVerificationTokenable(User user, string key) : this() + { + UserId = user?.Id ?? default; + Key = key; + } + + public bool TokenIsValid(User user, string key) + { + if (UserId == default + || user == null + || string.IsNullOrWhiteSpace(key)) + { + return false; + } + + return UserId == user.Id && Key == key; + } + + protected override bool TokenIsValid() => + Identifier == TokenIdentifier + && UserId != default + && !string.IsNullOrWhiteSpace(Key); +} diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs index 34f499c96e..4fcbadd99c 100644 --- a/src/Core/Constants.cs +++ b/src/Core/Constants.cs @@ -131,6 +131,7 @@ public static class FeatureFlagKeys public const string AC2828_ProviderPortalMembersPage = "AC-2828_provider-portal-members-page"; public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner"; public const string DeviceTrustLogging = "pm-8285-device-trust-logging"; + public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token"; public static List GetAllKeys() { diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs index 3de33e52ae..67652bf612 100644 --- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs +++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs @@ -185,14 +185,18 @@ public static class ServiceCollectionExtensions serviceProvider.GetDataProtectionProvider(), serviceProvider.GetRequiredService>>()) ); - services.AddSingleton>( serviceProvider => new DataProtectorTokenFactory( RegistrationEmailVerificationTokenable.ClearTextPrefix, RegistrationEmailVerificationTokenable.DataProtectorPurpose, serviceProvider.GetDataProtectionProvider(), serviceProvider.GetRequiredService>>())); - + services.AddSingleton>( + serviceProvider => new DataProtectorTokenFactory( + TwoFactorAuthenticatorUserVerificationTokenable.ClearTextPrefix, + TwoFactorAuthenticatorUserVerificationTokenable.DataProtectorPurpose, + serviceProvider.GetDataProtectionProvider(), + serviceProvider.GetRequiredService>>())); } public static void AddDefaultServices(this IServiceCollection services, GlobalSettings globalSettings)