[PM-6794] block legacy users from authN (#4088)

* block legacy users from authN * undo change to GetDeviceFromRequest * lint * add feature flag * format * add web vault url to error message * fix test * format
2025-07-02 16:42:50 -05:00 · 2024-06-03 09:19:56 -04:00
parent 21a02054af
commit b072fc56b1
6 changed files with 107 additions and 0 deletions
--- a/src/Identity/IdentityServer/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/BaseRequestValidator.cs
@ -162,6 +162,17 @@ public abstract class BaseRequestValidator<T> where T : class
            twoFactorToken = null;
        }

+
+        // Force legacy users to the web for migration
+        if (FeatureService.IsEnabled(FeatureFlagKeys.BlockLegacyUsers))
+        {
+            if (UserService.IsLegacyUser(user) && request.ClientId != "web")
+            {
+                await FailAuthForLegacyUserAsync(user, context);
+                return;
+            }
+        }
+
        // Returns true if can finish validation process
        if (await IsValidAuthTypeAsync(user, request.GrantType))
        {
@ -184,6 +195,13 @@ public abstract class BaseRequestValidator<T> where T : class
        }
    }

+    protected async Task FailAuthForLegacyUserAsync(User user, T context)
+    {
+        await BuildErrorResultAsync(
+            $"Encryption key migration is required. Please log in to the web vault at {_globalSettings.BaseServiceUri.VaultWithHash}",
+            false, context, user);
+    }
+
    protected abstract Task<bool> ValidateContextAsync(T context, CustomValidatorRequestContext validatorContext);

    protected async Task BuildSuccessResultAsync(User user, T context, Device device, bool sendRememberToken)
--- a/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
@ -13,6 +13,7 @@ using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Duende.IdentityServer.Extensions;
 using Duende.IdentityServer.Validation;
+using HandlebarsDotNet;
 using IdentityModel;
 using Microsoft.AspNetCore.Identity;

@ -57,6 +58,17 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque

    public async Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
+        if (context.Result.ValidatedRequest.GrantType == "refresh_token")
+        {
+            // Force legacy users to the web for migration
+            if (await _userService.IsLegacyUser(GetSubject(context)?.GetSubjectId()) &&
+                context.Result.ValidatedRequest.ClientId != "web")
+            {
+                await FailAuthForLegacyUserAsync(null, context);
+                return;
+            }
+        }
+
        string[] allowedGrantTypes = { "authorization_code", "client_credentials" };
        if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
            || context.Result.ValidatedRequest.ClientId.StartsWith("organization")
@ -70,6 +82,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
                context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
            }

+
            return;
        }