[PS-589] Fix emergency contact takeover device verification and endpoints for its settings (#2016)

* Added UnknownDeviceVerificationEnabled on User that is turned off when emergency contact takes over the account. Also added endpoints to get and update 2fa device verification settings. And Updated migrations & tests * Applied dotnet format * Fixed method rename call on TwoFactorController * PS-589 Format fixes * PS-589 changed UnknownDeviceVerificationEnabled to be non-nullable
2025-06-30 23:52:50 -05:00 · 2022-06-06 14:52:50 -03:00
parent 16c6b23a27
commit b070e9a387
23 changed files with 3781 additions and 13 deletions
--- a/src/Core/Entities/User.cs
+++ b/src/Core/Entities/User.cs
@ -62,6 +62,7 @@ namespace Bit.Core.Entities
        public bool UsesKeyConnector { get; set; }
        public int FailedLoginCount { get; set; }
        public DateTime? LastFailedLoginDate { get; set; }
+        public bool UnknownDeviceVerificationEnabled { get; set; }

        public void SetNewId()
        {
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -79,5 +79,6 @@ namespace Bit.Core.Services
        Task<bool> VerifyOTPAsync(User user, string token);
        Task<bool> VerifySecretAsync(User user, string secret);
        Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType);
+        bool CanEditDeviceVerificationSettings(User user);
    }
 }
--- a/src/Core/Services/Implementations/EmergencyAccessService.cs
+++ b/src/Core/Services/Implementations/EmergencyAccessService.cs
@ -327,6 +327,7 @@ namespace Bit.Core.Services
            grantor.Key = key;
            // Disable TwoFactor providers since they will otherwise block logins
            grantor.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>());
+            grantor.UnknownDeviceVerificationEnabled = false;
            await _userRepository.ReplaceAsync(grantor);

            // Remove grantor from all organizations unless Owner
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -1417,12 +1417,20 @@ namespace Bit.Core.Services

        public async Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType)
        {
-            return _globalSettings.TwoFactorAuth.EmailOnNewDeviceLogin
-                   && user.EmailVerified
+            return CanEditDeviceVerificationSettings(user)
+                   && user.UnknownDeviceVerificationEnabled
                   && grantType != "authorization_code"
                   && await IsNewDeviceAndNotTheFirstOneAsync(user, deviceIdentifier);
        }

+        public bool CanEditDeviceVerificationSettings(User user)
+        {
+            return _globalSettings.TwoFactorAuth.EmailOnNewDeviceLogin
+                   && user.EmailVerified
+                   && !user.UsesKeyConnector
+                   && !(user.GetTwoFactorProviders()?.Any() ?? false);
+        }
+
        private async Task<bool> IsNewDeviceAndNotTheFirstOneAsync(User user, string deviceIdentifier)
        {
            if (user == null)
--- a/src/Core/Utilities/ClaimsExtensions.cs
+++ b/src/Core/Utilities/ClaimsExtensions.cs
@ -0,0 +1,15 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+
+namespace Bit.Core.Utilities
+{
+    public static class ClaimsExtensions
+    {
+        public static bool HasSsoIdP(this IEnumerable<Claim> claims)
+        {
+            return claims.Any(c => c.Type == "idp" && c.Value == "sso");
+        }
+    }
+}