nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-05 18:12:48 -05:00
Code Activity

[PM-5518] Refactor Email Token Providers (#3784)

Browse Source 
* new email token providers

* move email redaction to core helpers

* make token options configurable

* protected setters on options

* fix email token provider tests

* fix core tests

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
This commit is contained in:
Kyle Spearrin
2024-07-11 14:39:27 -04:00
committed by GitHub
parent 1292736f54
commit d2567dd42d
9 changed files with 131 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
src/Core/Auth/Identity/EmailTokenProvider.cs
View File

@ -1,7 +1,6 @@
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using System.Text;
using Bit.Core.Entities;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
@ -10,100 +9,55 @@ namespace Bit.Core.Auth.Identity;
public class EmailTokenProvider : IUserTwoFactorTokenProvider<User>
{
private const string CacheKeyFormat = "Email_TOTP_{0}_{1}";
private const string CacheKeyFormat = "EmailToken_{0}_{1}_{2}";
private readonly IServiceProvider _serviceProvider;
private readonly IDistributedCache _distributedCache;
private readonly DistributedCacheEntryOptions _distributedCacheEntryOptions;
public EmailTokenProvider(
IServiceProvider serviceProvider,
[FromKeyedServices("persistent")]
IDistributedCache distributedCache)
{
_serviceProvider = serviceProvider;
_distributedCache = distributedCache;
_distributedCacheEntryOptions = new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(20)
AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5)
};
}
public async Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if (!HasProperMetaData(provider))
{
return false;
}
public int TokenLength { get; protected set; } = 8;
public bool TokenAlpha { get; protected set; } = false;
public bool TokenNumeric { get; protected set; } = true;
return await _serviceProvider.GetRequiredService<IUserService>().
TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.Email, user);
public virtual Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
{
return Task.FromResult(!string.IsNullOrEmpty(user.Email));
}
public Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
public virtual async Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if (!HasProperMetaData(provider))
{
return null;
}
return Task.FromResult(RedactEmail((string)provider.MetaData["Email"]));
var code = CoreHelpers.SecureRandomString(TokenLength, TokenAlpha, true, false, TokenNumeric, false);
var cacheKey = string.Format(CacheKeyFormat, user.Id, user.SecurityStamp, purpose);
await _distributedCache.SetAsync(cacheKey, Encoding.UTF8.GetBytes(code), _distributedCacheEntryOptions);
return code;
}
public async Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
{
var cacheKey = string.Format(CacheKeyFormat, user.Id, token);
var cacheKey = string.Format(CacheKeyFormat, user.Id, user.SecurityStamp, purpose);
var cachedValue = await _distributedCache.GetAsync(cacheKey);
if (cachedValue != null)
if (cachedValue == null)
{
return false;
}
var valid = await _serviceProvider.GetRequiredService<IUserService>().VerifyTwoFactorEmailAsync(user, token);
var code = Encoding.UTF8.GetString(cachedValue);
var valid = string.Equals(token, code);
if (valid)
{
await _distributedCache.SetAsync(cacheKey, [1], _distributedCacheEntryOptions);
await _distributedCache.RemoveAsync(cacheKey);
}
return valid;
}
private bool HasProperMetaData(TwoFactorProvider provider)
{
return provider?.MetaData != null && provider.MetaData.ContainsKey("Email") &&
!string.IsNullOrWhiteSpace((string)provider.MetaData["Email"]);
}
private static string RedactEmail(string email)
{
var emailParts = email.Split('@');
string shownPart = null;
if (emailParts[0].Length > 2 && emailParts[0].Length <= 4)
{
shownPart = emailParts[0].Substring(0, 1);
}
else if (emailParts[0].Length > 4)
{
shownPart = emailParts[0].Substring(0, 2);
}
else
{
shownPart = string.Empty;
}
string redactedPart = null;
if (emailParts[0].Length > 4)
{
redactedPart = new string('*', emailParts[0].Length - 2);
}
else
{
redactedPart = new string('*', emailParts[0].Length - shownPart.Length);
}
return $"{shownPart}{redactedPart}@{emailParts[1]}";
}
}

56
src/Core/Auth/Identity/EmailTwoFactorTokenProvider.cs Normal file
View File

@ -0,0 +1,56 @@
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using Bit.Core.Entities;
using Bit.Core.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
namespace Bit.Core.Auth.Identity;
public class EmailTwoFactorTokenProvider : EmailTokenProvider
{
private readonly IServiceProvider _serviceProvider;
public EmailTwoFactorTokenProvider(
IServiceProvider serviceProvider,
[FromKeyedServices("persistent")]
IDistributedCache distributedCache) :
base(distributedCache)
{
_serviceProvider = serviceProvider;
TokenAlpha = false;
TokenNumeric = true;
TokenLength = 6;
}
public override async Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if (!HasProperMetaData(provider))
{
return false;
}
return await _serviceProvider.GetRequiredService<IUserService>().
TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.Email, user);
}
public override Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
{
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Email);
if (!HasProperMetaData(provider))
{
return null;
}
return base.GenerateAsync(purpose, manager, user);
}
private static bool HasProperMetaData(TwoFactorProvider provider)
{
return provider?.MetaData != null && provider.MetaData.ContainsKey("Email") &&
!string.IsNullOrWhiteSpace((string)provider.MetaData["Email"]);
}
}

9
src/Core/Services/Implementations/UserService.cs
View File

@ -325,9 +325,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
}
var email = ((string)provider.MetaData["Email"]).ToLowerInvariant();
var token = await base.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"2faEmail:" + email);
var token = await base.GenerateTwoFactorTokenAsync(user,
CoreHelpers.CustomProviderName(TwoFactorProviderType.Email));
await _mailService.SendTwoFactorEmailAsync(email, token);
}
@ -340,8 +339,8 @@ public class UserService : UserManager<User>, IUserService, IDisposable
}
var email = ((string)provider.MetaData["Email"]).ToLowerInvariant();
return await base.VerifyUserTokenAsync(user, TokenOptions.DefaultEmailProvider,
"2faEmail:" + email, token);
return await base.VerifyTwoFactorTokenAsync(user,
CoreHelpers.CustomProviderName(TwoFactorProviderType.Email), token);
}
public async Task<CredentialCreateOptions> StartWebAuthnRegistrationAsync(User user)

36
src/Core/Utilities/CoreHelpers.cs
View File

@ -876,4 +876,40 @@ public static class CoreHelpers
{
return _whiteSpaceRegex.Replace(input, newValue);
}
public static string RedactEmailAddress(string email)
{
if (string.IsNullOrWhiteSpace(email))
{
return null;
}
var emailParts = email.Split('@');
string shownPart;
if (emailParts[0].Length > 2 && emailParts[0].Length <= 4)
{
shownPart = emailParts[0].Substring(0, 1);
}
else if (emailParts[0].Length > 4)
{
shownPart = emailParts[0].Substring(0, 2);
}
else
{
shownPart = string.Empty;
}
string redactedPart;
if (emailParts[0].Length > 4)
{
redactedPart = new string('*', emailParts[0].Length - 2);
}
else
{
redactedPart = new string('*', emailParts[0].Length - shownPart.Length);
}
return $"{shownPart}{redactedPart}@{emailParts[1]}";
}
}