[PS-589] Fix emergency contact takeover device verification and endpoints for its settings (#2016)

* Added UnknownDeviceVerificationEnabled on User that is turned off when emergency contact takes over the account. Also added endpoints to get and update 2fa device verification settings. And Updated migrations & tests * Applied dotnet format * Fixed method rename call on TwoFactorController * PS-589 Format fixes * PS-589 changed UnknownDeviceVerificationEnabled to be non-nullable
2025-07-01 16:12:49 -05:00 · 2022-06-06 14:52:50 -03:00
parent 16c6b23a27
commit b070e9a387
23 changed files with 3781 additions and 13 deletions
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -79,5 +79,6 @@ namespace Bit.Core.Services
        Task<bool> VerifyOTPAsync(User user, string token);
        Task<bool> VerifySecretAsync(User user, string secret);
        Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType);
+        bool CanEditDeviceVerificationSettings(User user);
    }
 }
--- a/src/Core/Services/Implementations/EmergencyAccessService.cs
+++ b/src/Core/Services/Implementations/EmergencyAccessService.cs
@ -327,6 +327,7 @@ namespace Bit.Core.Services
            grantor.Key = key;
            // Disable TwoFactor providers since they will otherwise block logins
            grantor.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>());
+            grantor.UnknownDeviceVerificationEnabled = false;
            await _userRepository.ReplaceAsync(grantor);

            // Remove grantor from all organizations unless Owner
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -1417,12 +1417,20 @@ namespace Bit.Core.Services

        public async Task<bool> Needs2FABecauseNewDeviceAsync(User user, string deviceIdentifier, string grantType)
        {
-            return _globalSettings.TwoFactorAuth.EmailOnNewDeviceLogin
-                   && user.EmailVerified
+            return CanEditDeviceVerificationSettings(user)
+                   && user.UnknownDeviceVerificationEnabled
                   && grantType != "authorization_code"
                   && await IsNewDeviceAndNotTheFirstOneAsync(user, deviceIdentifier);
        }

+        public bool CanEditDeviceVerificationSettings(User user)
+        {
+            return _globalSettings.TwoFactorAuth.EmailOnNewDeviceLogin
+                   && user.EmailVerified
+                   && !user.UsesKeyConnector
+                   && !(user.GetTwoFactorProviders()?.Any() ?? false);
+        }
+
        private async Task<bool> IsNewDeviceAndNotTheFirstOneAsync(User user, string deviceIdentifier)
        {
            if (user == null)