[Reset Password] Get/Post Org Keys and API updates (#1323)

* [Reset Password] Organization Keys APIs * Updated details response to include private key and added more security checks for reset password methods * Added org type and policy security checks to the enrollment api * Updated based on PR feedback * Added org user type permission checks * Added TODO for email to user * Removed unecessary policyRepository object
2025-07-11 12:53:50 -05:00 · 2021-05-19 09:40:32 -05:00
parent 982e26cbfd
commit c7f88ae430
9 changed files with 181 additions and 21 deletions
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -626,8 +626,59 @@ namespace Bit.Core.Services
            return IdentityResult.Success;
        }
        
-        public async Task<IdentityResult> AdminResetPasswordAsync(User user, string newMasterPassword, string key)
+        public async Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType callingUserType, Guid orgId, Guid id, string newMasterPassword, string key)
        {
+            // Org must be able to use reset password
+            var org = await _organizationRepository.GetByIdAsync(orgId);
+            if (org == null || !org.UseResetPassword)
+            {
+                throw new BadRequestException("Organization does not allow password reset.");
+            }
+            
+            // Enterprise policy must be enabled 
+            var resetPasswordPolicy =
+                await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.ResetPassword);
+            if (resetPasswordPolicy == null || !resetPasswordPolicy.Enabled)
+            {
+                throw new BadRequestException("Organization does not have the password reset policy enabled.");
+            }
+            
+            // Org User must be confirmed and have a ResetPasswordKey
+            var orgUser = await _organizationUserRepository.GetByIdAsync(id);
+            if (orgUser == null || orgUser.Status != OrganizationUserStatusType.Confirmed ||
+                orgUser.OrganizationId != orgId || string.IsNullOrEmpty(orgUser.ResetPasswordKey) ||
+                !orgUser.UserId.HasValue)
+            {
+                throw new BadRequestException("Organization User not valid");
+            }
+            
+            // Calling User must be of higher/equal user type to reset user's password
+            var canAdjustPassword = false;
+            switch (callingUserType)
+            {
+                case OrganizationUserType.Owner:
+                    canAdjustPassword = true;
+                    break;
+                case OrganizationUserType.Admin:
+                    canAdjustPassword = orgUser.Type != OrganizationUserType.Owner;
+                    break;
+                case OrganizationUserType.Custom:
+                    canAdjustPassword = orgUser.Type != OrganizationUserType.Owner &&
+                        orgUser.Type != OrganizationUserType.Admin;
+                    break;
+            }
+
+            if (!canAdjustPassword)
+            {
+                throw new BadRequestException("Calling user does not have permission to reset this user's master password");
+            }
+
+            var user = await GetUserByIdAsync(orgUser.UserId.Value);
+            if (user == null)
+            {
+                throw new NotFoundException();
+            }
+            
            var result = await UpdatePasswordHash(user, newMasterPassword);
            if (!result.Succeeded)
            {
@ -638,6 +689,7 @@ namespace Bit.Core.Services
            user.Key = key;

            await _userRepository.ReplaceAsync(user);
+            // TODO Reset Password - Send email alerting user of changed password
            await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
            await _pushService.PushLogOutAsync(user.Id);