[PM-9925] Tokenable for User Verification on Two Factor Authenticator settings (#4558)

* initial changes * Fixing some bits * fixing issue when feature flag is `false`; also names; * consume OTP on read if FF true * comment typo * fix formatting * check access code first to not consume token * add docs * revert checking access code first * update error messages * remove line number from comment --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-04-05 21:18:13 -05:00 · 2024-07-25 07:51:23 -07:00 · 2024-07-25 07:51:23 -07:00 · aba2f023cd
commit aba2f023cd
parent f211e969c7
6 changed files with 130 additions and 14 deletions
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@ -3,6 +3,7 @@ using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Auth.Models.Response.TwoFactor;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
 using Bit.Core;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Auth.Models.Business.Tokenables;
@ -33,7 +34,10 @@ public class TwoFactorController : Controller
    private readonly UserManager<User> _userManager;
    private readonly ICurrentContext _currentContext;
    private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand;
-    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
+    private readonly IFeatureService _featureService;
    private readonly IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> _twoFactorAuthenticatorDataProtector;
    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _ssoEmailTwoFactorSessionDataProtector;
    private readonly bool _TwoFactorAuthenticatorTokenFeatureFlagEnabled;
    public TwoFactorController(
        IUserService userService,
@ -43,7 +47,9 @@ public class TwoFactorController : Controller
        UserManager<User> userManager,
        ICurrentContext currentContext,
        IVerifyAuthRequestCommand verifyAuthRequestCommand,
-        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory)
+        IFeatureService featureService,
        IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> twoFactorAuthenticatorDataProtector,
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> ssoEmailTwoFactorSessionDataProtector)
    {
        _userService = userService;
        _organizationRepository = organizationRepository;
@ -52,7 +58,10 @@ public class TwoFactorController : Controller
        _userManager = userManager;
        _currentContext = currentContext;
        _verifyAuthRequestCommand = verifyAuthRequestCommand;
-        _tokenDataFactory = tokenDataFactory;
+        _featureService = featureService;
        _twoFactorAuthenticatorDataProtector = twoFactorAuthenticatorDataProtector;
        _ssoEmailTwoFactorSessionDataProtector = ssoEmailTwoFactorSessionDataProtector;
        _TwoFactorAuthenticatorTokenFeatureFlagEnabled = _featureService.IsEnabled(FeatureFlagKeys.AuthenticatorTwoFactorToken);
    }
    [HttpGet("")]
@ -93,8 +102,13 @@ public class TwoFactorController : Controller
    public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator(
        [FromBody] SecretVerificationRequestModel model)
    {
-        var user = await CheckAsync(model, false, true);
+        var user = _TwoFactorAuthenticatorTokenFeatureFlagEnabled ? await CheckAsync(model, false) : await CheckAsync(model, false, true);
        var response = new TwoFactorAuthenticatorResponseModel(user);
        if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled)
        {
            var tokenable = new TwoFactorAuthenticatorUserVerificationTokenable(user, response.Key);
            response.UserVerificationToken = _twoFactorAuthenticatorDataProtector.Protect(tokenable);
        }
        return response;
    }
@ -103,8 +117,21 @@ public class TwoFactorController : Controller
    public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
        [FromBody] UpdateTwoFactorAuthenticatorRequestModel model)
    {
-        var user = await CheckAsync(model, false);
+        User user;
-        model.ToUser(user);
+        if (_TwoFactorAuthenticatorTokenFeatureFlagEnabled)
        {
            user = model.ToUser(await _userService.GetUserByPrincipalAsync(User));
            _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken);
            if (!decryptedToken.TokenIsValid(user, model.Key))
            {
                throw new BadRequestException("UserVerificationToken", "User verification failed.");
            }
        }
        else
        {
            user = await CheckAsync(model, false);
            model.ToUser(user); // populates user obj with proper metadata for VerifyTwoFactorTokenAsync
        }
        if (!await _userManager.VerifyTwoFactorTokenAsync(user,
                CoreHelpers.CustomProviderName(TwoFactorProviderType.Authenticator), model.Token))
@ -118,6 +145,22 @@ public class TwoFactorController : Controller
        return response;
    }
    [RequireFeature(FeatureFlagKeys.AuthenticatorTwoFactorToken)]
    [HttpDelete("authenticator")]
    public async Task<TwoFactorProviderResponseModel> DisableAuthenticator(
    [FromBody] TwoFactorAuthenticatorDisableRequestModel model)
    {
        var user = await _userService.GetUserByPrincipalAsync(User);
        _twoFactorAuthenticatorDataProtector.TryUnprotect(model.UserVerificationToken, out var decryptedToken);
        if (!decryptedToken.TokenIsValid(user, model.Key))
        {
            throw new BadRequestException("UserVerificationToken", "User verification failed.");
        }
        await _userService.DisableTwoFactorProviderAsync(user, model.Type.Value, _organizationService);
        return new TwoFactorProviderResponseModel(model.Type.Value, user);
    }
    [HttpPost("get-yubikey")]
    public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody] SecretVerificationRequestModel model)
    {
@ -477,7 +520,7 @@ public class TwoFactorController : Controller
    private bool ValidateSsoEmail2FaToken(string ssoEmail2FaSessionToken, User user)
    {
-        return _tokenDataFactory.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) &&
+        return _ssoEmailTwoFactorSessionDataProtector.TryUnprotect(ssoEmail2FaSessionToken, out var decryptedToken) &&
               decryptedToken.Valid && decryptedToken.TokenIsValid(user);
    }
--- a/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
+++ b/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
@ -17,7 +17,7 @@ public class UpdateTwoFactorAuthenticatorRequestModel : SecretVerificationReques
    [Required]
    [StringLength(50)]
    public string Key { get; set; }
-
+    public string UserVerificationToken { get; set; }
    public User ToUser(User existingUser)
    {
        var providers = existingUser.GetTwoFactorProviders();
@ -323,3 +323,11 @@ public class TwoFactorRecoveryRequestModel : TwoFactorEmailRequestModel
    [StringLength(32)]
    public string RecoveryCode { get; set; }
 }
 public class TwoFactorAuthenticatorDisableRequestModel : TwoFactorProviderRequestModel
 {
    [Required]
    public string UserVerificationToken { get; set; }
    [Required]
    public string Key { get; set; }
 }
--- a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs
+++ b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorAuthenticatorResponseModel.cs
@ -10,10 +10,7 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel
    public TwoFactorAuthenticatorResponseModel(User user)
        : base("twoFactorAuthenticator")
    {
-        if (user == null)
+        ArgumentNullException.ThrowIfNull(user);
        {
            throw new ArgumentNullException(nameof(user));
        }
        var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Authenticator);
        if (provider?.MetaData?.ContainsKey("Key") ?? false)
@ -31,4 +28,5 @@ public class TwoFactorAuthenticatorResponseModel : ResponseModel
    public bool Enabled { get; set; }
    public string Key { get; set; }
    public string UserVerificationToken { get; set; }
 }
--- a/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/TwoFactorAuthenticatorUserVerificationTokenable.cs
@ -0,0 +1,62 @@
 using Bit.Core.Entities;
 using Bit.Core.Tokens;
 using Newtonsoft.Json;
 namespace Bit.Core.Auth.Models.Business.Tokenables;
 /// <summary>
 /// A tokenable object that gives a user the ability to update their authenticator two factor settings.
 /// </summary>
 /// <remarks>
 /// We protect two factor updates behind user verification (re-authentication) to protect against attacks of opportunity
 /// (e.g. a user leaves their web vault unlocked). Most two factor options only require user verification (UV) when
 /// enabling or disabling the option, retrieving the current status usually isn't a sensitive operation. However,
 /// the status of authenticator two factor is sensitive because it reveals the user's secret key, which means both
 /// operations must be protected by UV.
 ///
 /// TOTP as a UV option is only allowed to be used once, so we return this tokenable when retrieving the current status
 /// (and secret key) of authenticator two factor to give the user a means of passing UV when updating (enabling/disabling).
 /// </remarks>
 public class TwoFactorAuthenticatorUserVerificationTokenable : ExpiringTokenable
 {
    private static readonly TimeSpan _tokenLifetime = TimeSpan.FromMinutes(30);
    public const string ClearTextPrefix = "TwoFactorAuthenticatorUserVerification";
    public const string DataProtectorPurpose = "TwoFactorAuthenticatorUserVerificationTokenDataProtector";
    public const string TokenIdentifier = "TwoFactorAuthenticatorUserVerificationToken";
    public string Identifier { get; set; } = TokenIdentifier;
    public Guid UserId { get; set; }
    public string Key { get; set; }
    public override bool Valid => Identifier == TokenIdentifier &&
                                  UserId != default;
    [JsonConstructor]
    public TwoFactorAuthenticatorUserVerificationTokenable()
    {
        ExpirationDate = DateTime.UtcNow.Add(_tokenLifetime);
    }
    public TwoFactorAuthenticatorUserVerificationTokenable(User user, string key) : this()
    {
        UserId = user?.Id ?? default;
        Key = key;
    }
    public bool TokenIsValid(User user, string key)
    {
        if (UserId == default
            || user == null
            || string.IsNullOrWhiteSpace(key))
        {
            return false;
        }
        return UserId == user.Id && Key == key;
    }
    protected override bool TokenIsValid() =>
        Identifier == TokenIdentifier
        && UserId != default
        && !string.IsNullOrWhiteSpace(Key);
 }
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -131,6 +131,7 @@ public static class FeatureFlagKeys
    public const string AC2828_ProviderPortalMembersPage = "AC-2828_provider-portal-members-page";
    public const string ProviderClientVaultPrivacyBanner = "ac-2833-provider-client-vault-privacy-banner";
    public const string DeviceTrustLogging = "pm-8285-device-trust-logging";
    public const string AuthenticatorTwoFactorToken = "authenticator-2fa-token";
    public static List<string> GetAllKeys()
    {
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -185,14 +185,18 @@ public static class ServiceCollectionExtensions
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<ProviderDeleteTokenable>>>())
        );
        services.AddSingleton<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>(
            serviceProvider => new DataProtectorTokenFactory<RegistrationEmailVerificationTokenable>(
                RegistrationEmailVerificationTokenable.ClearTextPrefix,
                RegistrationEmailVerificationTokenable.DataProtectorPurpose,
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>>()));
-
+        services.AddSingleton<IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>>(
            serviceProvider => new DataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>(
                TwoFactorAuthenticatorUserVerificationTokenable.ClearTextPrefix,
                TwoFactorAuthenticatorUserVerificationTokenable.DataProtectorPurpose,
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable>>>()));
    }
    public static void AddDefaultServices(this IServiceCollection services, GlobalSettings globalSettings)