[PM-6303] Add duo state to 2fa (#3806)

* add duo state to 2fa * Id to UserId
2025-04-05 21:18:13 -05:00 · 2024-02-14 18:00:46 -05:00 · 2024-02-14 18:00:46 -05:00 · d99d3b8380
commit d99d3b8380
parent 744d21ec5e
3 changed files with 65 additions and 5 deletions
--- a/src/Core/Auth/Identity/TemporaryDuoWebV4SDKService.cs
+++ b/src/Core/Auth/Identity/TemporaryDuoWebV4SDKService.cs
@ -1,7 +1,9 @@
 using Bit.Core.Auth.Models;
+using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Settings;
+using Bit.Core.Tokens;
 using Duo = DuoUniversal;

 namespace Bit.Core.Auth.Identity;
@ -22,6 +24,7 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
 {
    private readonly ICurrentContext _currentContext;
    private readonly GlobalSettings _globalSettings;
+    private readonly IDataProtectorTokenFactory<DuoUserStateTokenable> _tokenDataFactory;

    /// <summary>
    /// Constructor for the DuoUniversalPromptService. Used to supplement v2 implementation of Duo with v4 SDK
@ -30,10 +33,12 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
    /// <param name="globalSettings">used to fetch vault URL for Redirect URL</param>
    public TemporaryDuoWebV4SDKService(
        ICurrentContext currentContext,
-        GlobalSettings globalSettings)
+        GlobalSettings globalSettings,
+        IDataProtectorTokenFactory<DuoUserStateTokenable> tokenDataFactory)
    {
        _currentContext = currentContext;
        _globalSettings = globalSettings;
+        _tokenDataFactory = tokenDataFactory;
    }

    /// <summary>
@ -56,7 +61,7 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
            return null;
        }

-        var state = Duo.Client.GenerateState(); //? Not sure on this yet. But required for GenerateAuthUrl
+        var state = _tokenDataFactory.Protect(new DuoUserStateTokenable(user));
        var authUrl = duoClient.GenerateAuthUri(user.Email, state);

        return authUrl;
@ -82,8 +87,20 @@ public class TemporaryDuoWebV4SDKService : ITemporaryDuoWebV4SDKService
            return false;
        }

+        var parts = token.Split("|");
+        var authCode = parts[0];
+        var state = parts[1];
+
+        _tokenDataFactory.TryUnprotect(state, out var tokenable);
+        if (!tokenable.Valid || !tokenable.TokenIsValid(user))
+        {
+            return false;
+        }
+
+        // duoClient compares the email from the received IdToken with user.Email to verify a bad actor hasn't used
+        // their authCode with a victims credentials
+        var res = await duoClient.ExchangeAuthorizationCodeFor2faResult(authCode, user.Email);
        // If the result of the exchange doesn't throw an exception and it's not null, then it's valid
-        var res = await duoClient.ExchangeAuthorizationCodeFor2faResult(token, user.Email);
        return res.AuthResult.Result == "allow";
    }

--- a/src/Core/Auth/Models/Business/Tokenables/DuoUserStateTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/DuoUserStateTokenable.cs
@ -0,0 +1,37 @@
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Newtonsoft.Json;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class DuoUserStateTokenable : Tokenable
+{
+    public const string ClearTextPrefix = "BwDuoUserId";
+    public const string DataProtectorPurpose = "DuoUserIdTokenDataProtector";
+    public const string TokenIdentifier = "DuoUserIdToken";
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid UserId { get; set; }
+
+    public override bool Valid => Identifier == TokenIdentifier &&
+                                  UserId != default;
+
+    [JsonConstructor]
+    public DuoUserStateTokenable()
+    {
+    }
+
+    public DuoUserStateTokenable(User user)
+    {
+        UserId = user?.Id ?? default;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (UserId == default || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+}
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -197,6 +197,12 @@ public static class ServiceCollectionExtensions
                OrgUserInviteTokenable.DataProtectorPurpose,
                serviceProvider.GetDataProtectionProvider(),
                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<OrgUserInviteTokenable>>>()));
+        services.AddSingleton<IDataProtectorTokenFactory<DuoUserStateTokenable>>(serviceProvider =>
+            new DataProtectorTokenFactory<DuoUserStateTokenable>(
+                DuoUserStateTokenable.ClearTextPrefix,
+                DuoUserStateTokenable.DataProtectorPurpose,
+                serviceProvider.GetDataProtectionProvider(),
+                serviceProvider.GetRequiredService<ILogger<DataProtectorTokenFactory<DuoUserStateTokenable>>>()));
    }

    public static void AddDefaultServices(this IServiceCollection services, GlobalSettings globalSettings)