diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs
index 1062ec4ace..43159c8dd1 100644
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@@ -93,7 +93,7 @@ public class TwoFactorController : Controller
 public async Task GetAuthenticator(
 [FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, false);
+ var user = await CheckAsync(model, false, false);
 var response = new TwoFactorAuthenticatorResponseModel(user);
 return response;
 }
@@ -121,7 +121,7 @@ public class TwoFactorController : Controller
 [HttpPost("get-yubikey")]
 public async Task GetYubiKey([FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, true);
+ var user = await CheckAsync(model, true, false);
 var response = new TwoFactorYubiKeyResponseModel(user);
 return response;
 }
@@ -147,7 +147,7 @@ public class TwoFactorController : Controller
 [HttpPost("get-duo")]
 public async Task GetDuo([FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, true);
+ var user = await CheckAsync(model, true, false);
 var response = new TwoFactorDuoResponseModel(user);
 return response;
 }
@@ -187,7 +187,7 @@ public class TwoFactorController : Controller
 public async Task GetOrganizationDuo(string id,
 [FromBody] SecretVerificationRequestModel model)
 {
- await CheckAsync(model, false);
+ await CheckAsync(model, false, false);
 var orgIdGuid = new Guid(id);
 
 if (!await _currentContext.ManagePolicies(orgIdGuid))
@@ -244,7 +244,7 @@ public class TwoFactorController : Controller
 [HttpPost("get-webauthn")]
 public async Task GetWebAuthn([FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, false);
+ var user = await CheckAsync(model, false, false);
 var response = new TwoFactorWebAuthnResponseModel(user);
 return response;
 }
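Review bot: The call `var user = await CheckAsync(model, false, false);` turns off secret verification for get-authenticator, so the `Secret` in the posted SecretVerificationRequestModel is accepted but never checked against the user; the same applies to the get-yubikey, get-duo, get-organization-duo, get-webauthn, get-webauthn-challenge and get-email hunks. Only the Duo response model is masked in this commit, and it is not visible here whether the other response models (TwoFactorAuthenticatorResponseModel in particular) still carry enrollment material such as the authenticator key; if they do, a session-only check is a weaker gate than before for data that can produce second-factor codes. Either confirm each of those responses contains no secret material, or keep the default `CheckAsync(model, false)` on the endpoints that still return one. A one-line comment at each `false, false` call stating why verification is skipped would make the intent reviewable.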
@@ -253,7 +253,7 @@ public class TwoFactorController : Controller
 [ApiExplorerSettings(IgnoreApi = true)] // Disable Swagger due to CredentialCreateOptions not converting properly
 public async Task GetWebAuthnChallenge([FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, false);
+ var user = await CheckAsync(model, false, false);
 var reg = await _userService.StartWebAuthnRegistrationAsync(user);
 return reg;
 }
@@ -288,7 +288,7 @@ public class TwoFactorController : Controller
 [HttpPost("get-email")]
 public async Task GetEmail([FromBody] SecretVerificationRequestModel model)
 {
- var user = await CheckAsync(model, false);
+ var user = await CheckAsync(model, false, false);
 var response = new TwoFactorEmailResponseModel(user);
 return response;
 }
@@ -433,7 +433,7 @@ public class TwoFactorController : Controller
 return Task.FromResult(new DeviceVerificationResponseModel(false, false));
 }
 
- private async Task CheckAsync(SecretVerificationRequestModel model, bool premium)
+ private async Task CheckAsync(SecretVerificationRequestModel model, bool premium, bool verify = true)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
 if (user == null)
@@ -441,10 +441,14 @@ public class TwoFactorController : Controller
 throw new UnauthorizedAccessException();
 }
 
- if (!await _userService.VerifySecretAsync(user, model.Secret))
+ if (verify)
 {
- await Task.Delay(2000);
- throw new BadRequestException(string.Empty, "User verification failed.");
+ if (!await _userService.VerifySecretAsync(user, model.Secret))
+ {
+ await Task.Delay(2000);
+ throw new BadRequestException(string.Empty, "User verification failed.");
+ }
+
 }
 
 if (premium && !await _userService.CanAccessPremium(user))
diff --git a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs
index 2aaebf9897..8206854f09 100644
--- a/src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs
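Review bot: The nested `if (verify) { if (!await ...) { ... } }` in CheckAsync can be flattened to `if (verify && !await _userService.VerifySecretAsync(user, model.Secret))`, which keeps the 2000 ms delay and the BadRequestException in one block and removes the blank line the hunk appears to add before the closing brace. The new `verify` parameter is a positional bool right after `premium`, so call sites now read `CheckAsync(model, false, false)`; named arguments (`premium: false, verify: false`) would make them self-describing. A `<summary>`/`<param>` doc on CheckAsync should state that when `verify` is false `model.Secret` is ignored and only an authenticated principal is required. CheckAsync continues past the end of the hunk.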
+++ b/src/Api/Auth/Models/Response/TwoFactor/TwoFactorDuoResponseModel.cs
@@ -59,8 +59,8 @@ public class TwoFactorDuoResponseModel : ResponseModel
 // check Skey and IKey first if they exist
 if (provider.MetaData.TryGetValue("SKey", out var sKey))
 {
- ClientSecret = (string)sKey;
- SecretKey = (string)sKey;
+ ClientSecret = MaskKey((string)sKey);
+ SecretKey = MaskKey((string)sKey);
 }
 if (provider.MetaData.TryGetValue("IKey", out var iKey))
 {
@@ -73,8 +73,8 @@ public class TwoFactorDuoResponseModel : ResponseModel
 {
 if (!string.IsNullOrWhiteSpace((string)clientSecret))
 {
- ClientSecret = (string)clientSecret;
- SecretKey = (string)clientSecret;
+ ClientSecret = MaskKey((string)clientSecret);
+ SecretKey = MaskKey((string)clientSecret);
 }
 }
 if (provider.MetaData.TryGetValue("ClientId", out var clientId))
@@ -114,4 +114,15 @@ public class TwoFactorDuoResponseModel : ResponseModel
 throw new InvalidDataException("Invalid Duo parameters.");
 }
 }
+
+ private static string MaskKey(string key)
+ {
+ if (string.IsNullOrWhiteSpace(key))
+ {
+ return key;
+ }
+
+ // Mask all but the first 6 characters.
+ return string.Concat(key.AsSpan(0, 6), new string('*', key.Length - 6));
+ }
 }
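Review bot: `MaskKey` throws ArgumentOutOfRangeException for any non-blank key shorter than six characters, because `key.AsSpan(0, 6)` and `new string('*', key.Length - 6)` both assume at least six characters after the whitespace check; a short or malformed stored value would then turn get-duo into a server error instead of a masked response. Guard the length before slicing, e.g. `if (key.Length <= 6) { return new string('*', key.Length); }` placed after the whitespace check, which also avoids echoing a short value in full. Since the masked string is assigned to both `ClientSecret` and `SecretKey` in the earlier hunks, the update path that accepts these models back (not visible here) should be checked so that a round-tripped masked value is never persisted as the real Duo secret. The comment `// Mask all but the first 6 characters.` could also say that blank input is returned unchanged on purpose.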