remove validation from 2fa GET and mask sensitive data

src/Api/Auth/Controllers/TwoFactorController.cs

@@ -93,7 +93,7 @@ public class TwoFactorController : Controller
     public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator(
         [FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false);
+        var user = await CheckAsync(model, false, false);
         var response = new TwoFactorAuthenticatorResponseModel(user);
         return response;
     }
@@ -121,7 +121,7 @@ public class TwoFactorController : Controller
     [HttpPost("get-yubikey")]
     public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, true);
+        var user = await CheckAsync(model, true, false);
         var response = new TwoFactorYubiKeyResponseModel(user);
         return response;
     }
@@ -147,7 +147,7 @@ public class TwoFactorController : Controller
     [HttpPost("get-duo")]
     public async Task<TwoFactorDuoResponseModel> GetDuo([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, true);
+        var user = await CheckAsync(model, true, false);
         var response = new TwoFactorDuoResponseModel(user);
         return response;
     }
@@ -187,7 +187,7 @@ public class TwoFactorController : Controller
     public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
         [FromBody] SecretVerificationRequestModel model)
     {
-        await CheckAsync(model, false);
+        await CheckAsync(model, false, false);
 
         var orgIdGuid = new Guid(id);
         if (!await _currentContext.ManagePolicies(orgIdGuid))
@@ -244,7 +244,7 @@ public class TwoFactorController : Controller
     [HttpPost("get-webauthn")]
     public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false);
+        var user = await CheckAsync(model, false, false);
         var response = new TwoFactorWebAuthnResponseModel(user);
         return response;
     }
@@ -253,7 +253,7 @@ public class TwoFactorController : Controller
     [ApiExplorerSettings(IgnoreApi = true)] // Disable Swagger due to CredentialCreateOptions not converting properly
     public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false);
+        var user = await CheckAsync(model, false, false);
         var reg = await _userService.StartWebAuthnRegistrationAsync(user);
         return reg;
     }
@@ -288,7 +288,7 @@ public class TwoFactorController : Controller
     [HttpPost("get-email")]
     public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false);
+        var user = await CheckAsync(model, false, false);
         var response = new TwoFactorEmailResponseModel(user);
         return response;
     }
@@ -433,7 +433,7 @@ public class TwoFactorController : Controller
         return Task.FromResult(new DeviceVerificationResponseModel(false, false));
     }
 
-    private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium)
+    private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium, bool verify = true)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
@@ -441,10 +441,14 @@ public class TwoFactorController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        if (verify)
         {
-            await Task.Delay(2000);
-            throw new BadRequestException(string.Empty, "User verification failed.");
+            if (!await _userService.VerifySecretAsync(user, model.Secret))
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException(string.Empty, "User verification failed.");
+            }
+
         }
 
         if (premium && !await _userService.CanAccessPremium(user))

src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs

@@ -59,8 +59,8 @@ public class TwoFactorDuoResponseModel : ResponseModel
             // check Skey and IKey first if they exist
             if (provider.MetaData.TryGetValue("SKey", out var sKey))
             {
-                ClientSecret = (string)sKey;
-                SecretKey = (string)sKey;
+                ClientSecret = MaskKey((string)sKey);
+                SecretKey = MaskKey((string)sKey);
             }
             if (provider.MetaData.TryGetValue("IKey", out var iKey))
             {
@@ -73,8 +73,8 @@ public class TwoFactorDuoResponseModel : ResponseModel
             {
                 if (!string.IsNullOrWhiteSpace((string)clientSecret))
                 {
-                    ClientSecret = (string)clientSecret;
-                    SecretKey = (string)clientSecret;
+                    ClientSecret = MaskKey((string)clientSecret);
+                    SecretKey = MaskKey((string)clientSecret);
                 }
             }
             if (provider.MetaData.TryGetValue("ClientId", out var clientId))
@@ -114,4 +114,15 @@ public class TwoFactorDuoResponseModel : ResponseModel
             throw new InvalidDataException("Invalid Duo parameters.");
         }
     }
+
+    private static string MaskKey(string key)
+    {
+        if (string.IsNullOrWhiteSpace(key))
+        {
+            return key;
+        }
+
+        // Mask all but the first 6 characters.
+        return string.Concat(key.AsSpan(0, 6), new string('*', key.Length - 6));
+    }
 }