mirror of
https://github.com/bitwarden/server.git
synced 2025-04-06 21:48:12 -05:00
user null checks for unauthorized
This commit is contained in:
Kyle Spearrin
parent
57b4a32194
commit
ef3d5ee10c
@ -64,6 +64,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PostEmailToken([FromBody]EmailTokenRequestModel model)
|
public async Task PostEmailToken([FromBody]EmailTokenRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||||
{
|
{
|
||||||
await Task.Delay(2000);
|
await Task.Delay(2000);
|
||||||
@ -78,6 +83,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PutEmail([FromBody]EmailRequestModel model)
|
public async Task PutEmail([FromBody]EmailRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
|
var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
|
||||||
model.NewMasterPasswordHash, model.Token, model.Key);
|
model.NewMasterPasswordHash, model.Token, model.Key);
|
||||||
if(result.Succeeded)
|
if(result.Succeeded)
|
||||||
@ -99,6 +109,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PutPassword([FromBody]PasswordRequestModel model)
|
public async Task PutPassword([FromBody]PasswordRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
|
var result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
|
||||||
model.NewMasterPasswordHash, model.Key);
|
model.NewMasterPasswordHash, model.Key);
|
||||||
if(result.Succeeded)
|
if(result.Succeeded)
|
||||||
@ -120,6 +135,10 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PutKey([FromBody]UpdateKeyRequestModel model)
|
public async Task PutKey([FromBody]UpdateKeyRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
// NOTE: It is assumed that the eventual repository call will make sure the updated
|
// NOTE: It is assumed that the eventual repository call will make sure the updated
|
||||||
// ciphers belong to user making this call. Therefore, no check is done here.
|
// ciphers belong to user making this call. Therefore, no check is done here.
|
||||||
@ -154,6 +173,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PutSecurityStamp([FromBody]SecurityStampRequestModel model)
|
public async Task PutSecurityStamp([FromBody]SecurityStampRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var result = await _userService.RefreshSecurityStampAsync(user, model.MasterPasswordHash);
|
var result = await _userService.RefreshSecurityStampAsync(user, model.MasterPasswordHash);
|
||||||
if(result.Succeeded)
|
if(result.Succeeded)
|
||||||
{
|
{
|
||||||
@ -173,6 +197,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<ProfileResponseModel> GetProfile()
|
public async Task<ProfileResponseModel> GetProfile()
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var organizationUserDetails = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id,
|
var organizationUserDetails = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id,
|
||||||
OrganizationUserStatusType.Confirmed);
|
OrganizationUserStatusType.Confirmed);
|
||||||
var response = new ProfileResponseModel(user, organizationUserDetails);
|
var response = new ProfileResponseModel(user, organizationUserDetails);
|
||||||
@ -194,6 +223,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<ProfileResponseModel> PutProfile([FromBody]UpdateProfileRequestModel model)
|
public async Task<ProfileResponseModel> PutProfile([FromBody]UpdateProfileRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
await _userService.SaveUserAsync(model.ToUser(user));
|
await _userService.SaveUserAsync(model.ToUser(user));
|
||||||
var response = new ProfileResponseModel(user, null);
|
var response = new ProfileResponseModel(user, null);
|
||||||
return response;
|
return response;
|
||||||
@ -217,6 +251,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<TwoFactorResponseModel> GetTwoFactor(string masterPasswordHash, TwoFactorProviderType provider)
|
public async Task<TwoFactorResponseModel> GetTwoFactor(string masterPasswordHash, TwoFactorProviderType provider)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, masterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, masterPasswordHash))
|
||||||
{
|
{
|
||||||
await Task.Delay(2000);
|
await Task.Delay(2000);
|
||||||
@ -234,6 +273,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<TwoFactorResponseModel> PutTwoFactor([FromBody]UpdateTwoFactorRequestModel model)
|
public async Task<TwoFactorResponseModel> PutTwoFactor([FromBody]UpdateTwoFactorRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||||
{
|
{
|
||||||
await Task.Delay(2000);
|
await Task.Delay(2000);
|
||||||
@ -271,6 +315,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<TwoFactorResponseModel> PutTwoFactorRegenerate([FromBody]RegenerateTwoFactorRequestModel model)
|
public async Task<TwoFactorResponseModel> PutTwoFactorRegenerate([FromBody]RegenerateTwoFactorRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||||
{
|
{
|
||||||
await Task.Delay(2000);
|
await Task.Delay(2000);
|
||||||
@ -298,6 +347,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<KeysResponseModel> PutKeys([FromBody]KeysRequestModel model)
|
public async Task<KeysResponseModel> PutKeys([FromBody]KeysRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
await _userService.SaveUserAsync(model.ToUser(user));
|
await _userService.SaveUserAsync(model.ToUser(user));
|
||||||
return new KeysResponseModel(user);
|
return new KeysResponseModel(user);
|
||||||
}
|
}
|
||||||
@ -306,6 +360,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<KeysResponseModel> GetKeys()
|
public async Task<KeysResponseModel> GetKeys()
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
return new KeysResponseModel(user);
|
return new KeysResponseModel(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -313,6 +372,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task PostDelete([FromBody]DeleteAccountRequestModel model)
|
public async Task PostDelete([FromBody]DeleteAccountRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||||
{
|
{
|
||||||
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
||||||
|
|||||||
@ -48,6 +48,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<AuthTokenResponseModel> PostTokenTwoFactor([FromBody]AuthTokenTwoFactorRequestModel model)
|
public async Task<AuthTokenResponseModel> PostTokenTwoFactor([FromBody]AuthTokenTwoFactorRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var result = await _signInManager.TwoFactorSignInAsync(user, model.Provider, model.Code, model.Device?.ToDevice());
|
var result = await _signInManager.TwoFactorSignInAsync(user, model.Provider, model.Code, model.Device?.ToDevice());
|
||||||
if(result == JwtBearerSignInResult.Success)
|
if(result == JwtBearerSignInResult.Success)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -115,6 +115,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task Accept(string orgId, string id, [FromBody]OrganizationUserAcceptRequestModel model)
|
public async Task Accept(string orgId, string id, [FromBody]OrganizationUserAcceptRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var result = await _organizationService.AcceptUserAsync(new Guid(id), user, model.Token);
|
var result = await _organizationService.AcceptUserAsync(new Guid(id), user, model.Token);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -95,6 +95,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<OrganizationResponseModel> Post([FromBody]OrganizationCreateRequestModel model)
|
public async Task<OrganizationResponseModel> Post([FromBody]OrganizationCreateRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var organizationSignup = model.ToOrganizationSignup(user);
|
var organizationSignup = model.ToOrganizationSignup(user);
|
||||||
var result = await _organizationService.SignUpAsync(organizationSignup);
|
var result = await _organizationService.SignUpAsync(organizationSignup);
|
||||||
return new OrganizationResponseModel(result.Item1);
|
return new OrganizationResponseModel(result.Item1);
|
||||||
@ -218,6 +223,11 @@ namespace Bit.Api.Controllers
|
|||||||
}
|
}
|
||||||
|
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
|
||||||
{
|
{
|
||||||
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
|
||||||
|
|||||||
@ -23,6 +23,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<DomainsResponseModel> GetDomains(bool excluded = true)
|
public async Task<DomainsResponseModel> GetDomains(bool excluded = true)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
var response = new DomainsResponseModel(user, excluded);
|
var response = new DomainsResponseModel(user, excluded);
|
||||||
return response;
|
return response;
|
||||||
}
|
}
|
||||||
@ -32,6 +37,11 @@ namespace Bit.Api.Controllers
|
|||||||
public async Task<DomainsResponseModel> PutDomains([FromBody]UpdateDomainsRequestModel model)
|
public async Task<DomainsResponseModel> PutDomains([FromBody]UpdateDomainsRequestModel model)
|
||||||
{
|
{
|
||||||
var user = await _userService.GetUserByPrincipalAsync(User);
|
var user = await _userService.GetUserByPrincipalAsync(User);
|
||||||
|
if(user == null)
|
||||||
|
{
|
||||||
|
throw new UnauthorizedAccessException();
|
||||||
|
}
|
||||||
|
|
||||||
await _userService.SaveUserAsync(model.ToUser(user));
|
await _userService.SaveUserAsync(model.ToUser(user));
|
||||||
|
|
||||||
var response = new DomainsResponseModel(user);
|
var response = new DomainsResponseModel(user);
|
||||||
|
|||||||
@ -58,6 +58,11 @@ namespace Bit.Api.Utilities
|
|||||||
errorModel.Message = "Invalid token.";
|
errorModel.Message = "Invalid token.";
|
||||||
context.HttpContext.Response.StatusCode = 403;
|
context.HttpContext.Response.StatusCode = 403;
|
||||||
}
|
}
|
||||||
|
else if(exception is UnauthorizedAccessException)
|
||||||
|
{
|
||||||
|
errorModel.Message = "Unauthorized.";
|
||||||
|
context.HttpContext.Response.StatusCode = 401;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<ExceptionHandlerFilterAttribute>>();
|
var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<ExceptionHandlerFilterAttribute>>();
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user