using System.Diagnostics; using System.Text; using System.Text.Json; using Bit.Core; using Bit.Core.Auth.Enums; using Bit.Core.Auth.Models.Api.Request.Accounts; using Bit.Core.Auth.Models.Api.Request.Opaque; using Bit.Core.Auth.Models.Api.Response.Accounts; using Bit.Core.Auth.Models.Business.Tokenables; using Bit.Core.Auth.Repositories; using Bit.Core.Auth.Services; using Bit.Core.Auth.UserFeatures.Registration; using Bit.Core.Auth.UserFeatures.WebAuthnLogin; using Bit.Core.Auth.Utilities; using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Enums; using Bit.Core.Exceptions; using Bit.Core.Models.Data; using Bit.Core.Repositories; using Bit.Core.Services; using Bit.Core.Settings; using Bit.Core.Tokens; using Bit.Core.Tools.Enums; using Bit.Core.Tools.Models.Business; using Bit.Core.Tools.Services; using Bit.Core.Utilities; using Bit.Identity.Models.Request.Accounts; using Bit.Identity.Models.Response.Accounts; using Bit.SharedWeb.Utilities; using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Mvc; namespace Bit.Identity.Controllers; [Route("accounts")] [ExceptionHandlerFilter] public class AccountsController : Controller { private readonly ICurrentContext _currentContext; private readonly ILogger _logger; private readonly IUserRepository _userRepository; private readonly IRegisterUserCommand _registerUserCommand; private readonly ICaptchaValidationService _captchaValidationService; private readonly IDataProtectorTokenFactory _assertionOptionsDataProtector; private readonly IGetWebAuthnLoginCredentialAssertionOptionsCommand _getWebAuthnLoginCredentialAssertionOptionsCommand; private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand; private readonly IReferenceEventService _referenceEventService; private readonly IFeatureService _featureService; private readonly IDataProtectorTokenFactory _registrationEmailVerificationTokenDataFactory; private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository; private readonly byte[] _defaultKdfHmacKey = null; private static readonly List _defaultKdfResults = [ // The first result (index 0) should always return the "normal" default. new() { Kdf = KdfType.PBKDF2_SHA256, KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default, }, // We want more weight for this default, so add it again new() { Kdf = KdfType.PBKDF2_SHA256, KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default, }, // Add some other possible defaults... new() { Kdf = KdfType.PBKDF2_SHA256, KdfIterations = 100_000, }, new() { Kdf = KdfType.PBKDF2_SHA256, KdfIterations = 5_000, }, new() { Kdf = KdfType.Argon2id, KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default, KdfMemory = AuthConstants.ARGON2_MEMORY.Default, KdfParallelism = AuthConstants.ARGON2_PARALLELISM.Default, } ]; public AccountsController( ICurrentContext currentContext, ILogger logger, IUserRepository userRepository, IRegisterUserCommand registerUserCommand, ICaptchaValidationService captchaValidationService, IDataProtectorTokenFactory assertionOptionsDataProtector, IGetWebAuthnLoginCredentialAssertionOptionsCommand getWebAuthnLoginCredentialAssertionOptionsCommand, ISendVerificationEmailForRegistrationCommand sendVerificationEmailForRegistrationCommand, IReferenceEventService referenceEventService, IFeatureService featureService, IDataProtectorTokenFactory registrationEmailVerificationTokenDataFactory, IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository, GlobalSettings globalSettings ) { _currentContext = currentContext; _logger = logger; _userRepository = userRepository; _registerUserCommand = registerUserCommand; _captchaValidationService = captchaValidationService; _assertionOptionsDataProtector = assertionOptionsDataProtector; _getWebAuthnLoginCredentialAssertionOptionsCommand = getWebAuthnLoginCredentialAssertionOptionsCommand; _sendVerificationEmailForRegistrationCommand = sendVerificationEmailForRegistrationCommand; _referenceEventService = referenceEventService; _featureService = featureService; _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory; _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository; if (CoreHelpers.SettingHasValue(globalSettings.KdfDefaultHashKey)) { _defaultKdfHmacKey = Encoding.UTF8.GetBytes(globalSettings.KdfDefaultHashKey); } } [HttpPost("register")] [CaptchaProtected] public async Task PostRegister([FromBody] RegisterRequestModel model) { var user = model.ToUser(); var identityResult = await _registerUserCommand.RegisterUserViaOrganizationInviteToken(user, model.MasterPasswordHash, model.Token, model.OrganizationUserId); // delaysEnabled false is only for the new registration with email verification process return await ProcessRegistrationResult(identityResult, user, delaysEnabled: true); } [HttpPost("register/send-verification-email")] public async Task PostRegisterSendVerificationEmail([FromBody] RegisterSendVerificationEmailRequestModel model) { var token = await _sendVerificationEmailForRegistrationCommand.Run(model.Email, model.Name, model.ReceiveMarketingEmails); var refEvent = new ReferenceEvent { Type = ReferenceEventType.SignupEmailSubmit, ClientId = _currentContext.ClientId, ClientVersion = _currentContext.ClientVersion, Source = ReferenceEventSource.Registration }; await _referenceEventService.RaiseEventAsync(refEvent); if (token != null) { return Ok(token); } return NoContent(); } [HttpPost("register/verification-email-clicked")] public async Task PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model) { var tokenValid = RegistrationEmailVerificationTokenable.ValidateToken(_registrationEmailVerificationTokenDataFactory, model.EmailVerificationToken, model.Email); // Check to see if the user already exists - this is just to catch the unlikely but possible case // where a user finishes registration and then clicks the email verification link again. var user = await _userRepository.GetByEmailAsync(model.Email); var userExists = user != null; var refEvent = new ReferenceEvent { Type = ReferenceEventType.SignupEmailClicked, ClientId = _currentContext.ClientId, ClientVersion = _currentContext.ClientVersion, Source = ReferenceEventSource.Registration, EmailVerificationTokenValid = tokenValid, UserAlreadyExists = userExists }; await _referenceEventService.RaiseEventAsync(refEvent); if (!tokenValid || userExists) { throw new BadRequestException("Expired link. Please restart registration or try logging in. You may already have an account"); } return Ok(); } [HttpPost("register/finish")] public async Task PostRegisterFinish([FromBody] RegisterFinishRequestModel model) { var user = model.ToUser(); // Users will either have an emailed token or an email verification token - not both. IdentityResult identityResult = null; var delaysEnabled = !_featureService.IsEnabled(FeatureFlagKeys.EmailVerificationDisableTimingDelays); switch (model.GetTokenType()) { case RegisterFinishTokenType.EmailVerification: identityResult = await _registerUserCommand.RegisterUserViaEmailVerificationToken(user, model.MasterPasswordHash, model.EmailVerificationToken); return await ProcessRegistrationResult(identityResult, user, delaysEnabled); break; case RegisterFinishTokenType.OrganizationInvite: identityResult = await _registerUserCommand.RegisterUserViaOrganizationInviteToken(user, model.MasterPasswordHash, model.OrgInviteToken, model.OrganizationUserId); return await ProcessRegistrationResult(identityResult, user, delaysEnabled); break; case RegisterFinishTokenType.OrgSponsoredFreeFamilyPlan: identityResult = await _registerUserCommand.RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(user, model.MasterPasswordHash, model.OrgSponsoredFreeFamilyPlanToken); return await ProcessRegistrationResult(identityResult, user, delaysEnabled); break; case RegisterFinishTokenType.EmergencyAccessInvite: Debug.Assert(model.AcceptEmergencyAccessId.HasValue); identityResult = await _registerUserCommand.RegisterUserViaAcceptEmergencyAccessInviteToken(user, model.MasterPasswordHash, model.AcceptEmergencyAccessInviteToken, model.AcceptEmergencyAccessId.Value); return await ProcessRegistrationResult(identityResult, user, delaysEnabled); break; case RegisterFinishTokenType.ProviderInvite: Debug.Assert(model.ProviderUserId.HasValue); identityResult = await _registerUserCommand.RegisterUserViaProviderInviteToken(user, model.MasterPasswordHash, model.ProviderInviteToken, model.ProviderUserId.Value); return await ProcessRegistrationResult(identityResult, user, delaysEnabled); break; default: throw new BadRequestException("Invalid registration finish request"); } } private async Task ProcessRegistrationResult(IdentityResult result, User user, bool delaysEnabled) { if (result.Succeeded) { var captchaBypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user); return new RegisterResponseModel(captchaBypassToken); } foreach (var error in result.Errors.Where(e => e.Code != "DuplicateUserName")) { ModelState.AddModelError(string.Empty, error.Description); } if (delaysEnabled) { await Task.Delay(Random.Shared.Next(100, 130)); } throw new BadRequestException(ModelState); } // Moved from API, If you modify this endpoint, please update API as well. Self hosted installs still use the API endpoints. [HttpPost("prelogin")] public async Task PostPrelogin([FromBody] PreloginRequestModel model) { var kdfInformation = await _userRepository.GetKdfInformationByEmailAsync(model.Email); if (kdfInformation == null) { kdfInformation = GetDefaultKdf(model.Email); } var user = await _userRepository.GetByEmailAsync(model.Email); var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id); if (credential != null) { return new PreloginResponseModel(kdfInformation, JsonSerializer.Deserialize(credential.CipherConfiguration)!); } else { return new PreloginResponseModel(kdfInformation, null); } } [HttpGet("webauthn/assertion-options")] public WebAuthnLoginAssertionOptionsResponseModel GetWebAuthnLoginAssertionOptions() { var options = _getWebAuthnLoginCredentialAssertionOptionsCommand.GetWebAuthnLoginCredentialAssertionOptions(); var tokenable = new WebAuthnLoginAssertionOptionsTokenable(WebAuthnLoginAssertionOptionsScope.Authentication, options); var token = _assertionOptionsDataProtector.Protect(tokenable); return new WebAuthnLoginAssertionOptionsResponseModel { Options = options, Token = token }; } private UserKdfInformation GetDefaultKdf(string email) { if (_defaultKdfHmacKey == null) { return _defaultKdfResults[0]; } else { // Compute the HMAC hash of the email var hmacMessage = Encoding.UTF8.GetBytes(email.Trim().ToLowerInvariant()); using var hmac = new System.Security.Cryptography.HMACSHA256(_defaultKdfHmacKey); var hmacHash = hmac.ComputeHash(hmacMessage); // Convert the hash to a number var hashHex = BitConverter.ToString(hmacHash).Replace("-", string.Empty).ToLowerInvariant(); var hashFirst8Bytes = hashHex.Substring(0, 16); var hashNumber = long.Parse(hashFirst8Bytes, System.Globalization.NumberStyles.HexNumber); // Find the default KDF value for this hash number var hashIndex = (int)(Math.Abs(hashNumber) % _defaultKdfResults.Count); return _defaultKdfResults[hashIndex]; } } }