src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs

using System.Security.Claims;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Identity;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

namespace Bit.Core.IdentityServer;

public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
    IResourceOwnerPasswordValidator
{
    private UserManager<User> _userManager;
    private readonly IUserService _userService;
    private readonly ICurrentContext _currentContext;
    private readonly ICaptchaValidationService _captchaValidationService;
    public ResourceOwnerPasswordValidator(
        UserManager<User> userManager,
        IDeviceRepository deviceRepository,
        IDeviceService deviceService,
        IUserService userService,
        IEventService eventService,
        IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
        IApplicationCacheService applicationCacheService,
        IMailService mailService,
        ILogger<ResourceOwnerPasswordValidator> logger,
        ICurrentContext currentContext,
        GlobalSettings globalSettings,
        IPolicyRepository policyRepository,
        ICaptchaValidationService captchaValidationService,
        IUserRepository userRepository)
        : base(userManager, deviceRepository, deviceService, userService, eventService,
              organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
              applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
              userRepository, captchaValidationService)
    {
        _userManager = userManager;
        _userService = userService;
        _currentContext = currentContext;
        _captchaValidationService = captchaValidationService;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        if (!AuthEmailHeaderIsValid(context))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
                "Auth-Email header invalid.");
            return;
        }

        var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
        var validatorContext = new CustomValidatorRequestContext
        {
            User = user,
            KnownDevice = await KnownDeviceAsync(user, context.Request)
        };
        string bypassToken = null;
        if (!validatorContext.KnownDevice &&
            _captchaValidationService.RequireCaptchaValidation(_currentContext, user))
        {
            var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();

            if (string.IsNullOrWhiteSpace(captchaResponse))
            {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.",
                    new Dictionary<string, object>
                    {
                        { _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey },
                    });
                return;
            }

            validatorContext.CaptchaResponse = await _captchaValidationService.ValidateCaptchaResponseAsync(
                captchaResponse, _currentContext.IpAddress, user);
            if (!validatorContext.CaptchaResponse.Success)
            {
                await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null);
                return;
            }
            bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
        }

        await ValidateAsync(context, context.Request, validatorContext);
        if (context.Result.CustomResponse != null && bypassToken != null)
        {
            context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;
        }
    }

    protected async override Task<bool> ValidateContextAsync(ResourceOwnerPasswordValidationContext context,
        CustomValidatorRequestContext validatorContext)
    {
        if (string.IsNullOrWhiteSpace(context.UserName) || validatorContext.User == null)
        {
            return false;
        }

        if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
        {
            return false;
        }

        return true;
    }

    protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
        List<Claim> claims, Dictionary<string, object> customResponse)
    {
        context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
            identityProvider: "bitwarden",
            claims: claims.Count > 0 ? claims : null,
            customResponse: customResponse);
        return Task.CompletedTask;
    }

    protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
        Dictionary<string, object> customResponse)
    {
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
            customResponse);
    }

    protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
        Dictionary<string, object> customResponse)
    {
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
            customResponse);
    }

    protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
        Dictionary<string, object> customResponse)
    {
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
    }

    private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
    {
        if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
        {
            return false;
        }
        else
        {
            try
            {
                var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
                var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);

                if (authEmailDecoded != context.UserName)
                {
                    return false;
                }
            }
            catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
            {
                // Invalid B64 encoding
                return false;
            }
        }

        return true;
    }
}
-												Turn On `ImplicitUsings` (#2079)

* Turn on ImplicitUsings

* Fix formatting

* Run linter
											
										
										
											2022-06-29 19:46:41 -04:00
+								using System.Security.Claims;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								using Bit.Core.Context;
-												Split out repositories to Infrastructure.Dapper / EntityFramework (#1759)


											
										
										
											2022-01-11 10:40:51 +01:00
+								using Bit.Core.Entities;
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								using Bit.Core.Identity;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								using Bit.Core.Repositories;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								using Bit.Core.Services;
-												Use sas token for attachment downloads (#1153)

* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services
											
										
										
											2021-02-22 15:35:16 -06:00
+								using Bit.Core.Settings;
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
+								using Bit.Core.Utilities;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using IdentityServer4.Models;
 								using IdentityServer4.Validation;
 								using Microsoft.AspNetCore.Identity;
-												login failed log message

											
										
										
											2019-11-22 07:30:32 -05:00
+								using Microsoft.Extensions.Logging;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												move identityserver libs into core

											
										
										
											2017-05-05 16:11:50 -04:00
+								namespace Bit.Core.IdentityServer;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												move identityserver libs into core

											
										
										
											2017-05-05 16:11:50 -04:00
+								public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    IResourceOwnerPasswordValidator
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								{
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    private UserManager<User> _userManager;
-												verify all 2fa methods

											
										
										
											2017-06-20 14:50:12 -04:00
+								    private readonly IUserService _userService;
-												commented code to validate auth-email header (#1361)

* commented code to validate auth-email header

* format comment more
											
										
										
											2021-05-28 16:04:58 -04:00
+								    private readonly ICurrentContext _currentContext;
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								    private readonly ICaptchaValidationService _captchaValidationService;
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    public ResourceOwnerPasswordValidator(
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								        UserManager<User> userManager,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        IDeviceRepository deviceRepository,
-												verify all 2fa methods

											
										
										
											2017-06-20 14:50:12 -04:00
+								        IDeviceService deviceService,
-												log user events

											
										
										
											2017-12-01 10:07:14 -05:00
+								        IUserService userService,
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								        IEventService eventService,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								        IOrganizationRepository organizationRepository,
 								        IOrganizationUserRepository organizationUserRepository,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        IApplicationCacheService applicationCacheService,
-												new device logged in email notification

											
										
										
											2019-01-24 22:37:49 -05:00
+								        IMailService mailService,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        ILogger<ResourceOwnerPasswordValidator> logger,
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								        ICurrentContext currentContext,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        GlobalSettings globalSettings,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        IPolicyRepository policyRepository,
-												[Captcha] Implement failed logins ceiling (#1870)

* [Hacker1] Failed Login Attempts Captcha

* [Captcha] Implement failed logins ceiling

* Formatting

* Updated approach after implementation talks with Kyle

* Updated email templates // Updated calling arch for failed attempts

* Formatting

* Updated 2fa email links

* Renamed baserequest methods to better match their actions

* EF migrations/scripts

* Updated with requested changes

* Defaults for MaxiumumFailedLoginAttempts
											
										
										
											2022-03-02 15:45:00 -06:00
+								        ICaptchaValidationService captchaValidationService,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        IUserRepository userRepository)
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        : base(userManager, deviceRepository, deviceService, userService, eventService,
 								              organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								              applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
-												[Captcha] Implement failed logins ceiling (#1870)

* [Hacker1] Failed Login Attempts Captcha

* [Captcha] Implement failed logins ceiling

* Formatting

* Updated approach after implementation talks with Kyle

* Updated email templates // Updated calling arch for failed attempts

* Formatting

* Updated 2fa email links

* Renamed baserequest methods to better match their actions

* EF migrations/scripts

* Updated with requested changes

* Defaults for MaxiumumFailedLoginAttempts
											
										
										
											2022-03-02 15:45:00 -06:00
+								              userRepository, captchaValidationService)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												commented code to validate auth-email header (#1361)

* commented code to validate auth-email header

* format comment more
											
										
										
											2021-05-28 16:04:58 -04:00
+								        _userManager = userManager;
 								        _userService = userService;
 								        _currentContext = currentContext;
 								        _captchaValidationService = captchaValidationService;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    {
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        if (!AuthEmailHeaderIsValid(context))
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        {
-												commented code to validate auth-email header (#1361)

* commented code to validate auth-email header

* format comment more
											
										
										
											2021-05-28 16:04:58 -04:00
+								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
 								                "Auth-Email header invalid.");
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								            return;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
 								        var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
 								        var validatorContext = new CustomValidatorRequestContext
 								        {
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								            User = user,
-												uncomment to require auth-email header (#1604)


											
										
										
											2021-09-30 11:24:29 -04:00
+								            KnownDevice = await KnownDeviceAsync(user, context.Request)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        };
-												uncomment to require auth-email header (#1604)


											
										
										
											2021-09-30 11:24:29 -04:00
+								        string bypassToken = null;
 								        if (!validatorContext.KnownDevice &&
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								            _captchaValidationService.RequireCaptchaValidation(_currentContext, user))
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								            var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
-												uncomment to require auth-email header (#1604)


											
										
										
											2021-09-30 11:24:29 -04:00
+								            if (string.IsNullOrWhiteSpace(captchaResponse))
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            {
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.",
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								                    new Dictionary<string, object>
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								                    {
-												Protect user registration with captcha (#1480)

* Protect user registration with captcha

* PR feedback
											
										
										
											2021-07-22 12:29:06 -05:00
+								                        { _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey },
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								                    });
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                return;
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            }
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								            validatorContext.CaptchaResponse = await _captchaValidationService.ValidateCaptchaResponseAsync(
 								                captchaResponse, _currentContext.IpAddress, user);
 								            if (!validatorContext.CaptchaResponse.Success)
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            {
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								                await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null);
 								                return;
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								            }
 								            bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        }
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								        await ValidateAsync(context, context.Request, validatorContext);
 								        if (context.Result.CustomResponse != null && bypassToken != null)
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        {
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								            context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        }
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								    protected async override Task<bool> ValidateContextAsync(ResourceOwnerPasswordValidationContext context,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        CustomValidatorRequestContext validatorContext)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        if (string.IsNullOrWhiteSpace(context.UserName) || validatorContext.User == null)
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        {
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								            return false;
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								        {
 								            return false;
 								        }
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								        return true;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
 								        List<Claim> claims, Dictionary<string, object> customResponse)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								        context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
-												public and private keys added to db and user domain. added account APIs got getting and putting keys.

											
										
										
											2017-02-11 23:00:55 -05:00
+								            identityProvider: "bitwarden",
 								            claims: claims.Count > 0 ? claims : null,
-												return share information with cipher API response

											
										
										
											2017-02-21 22:52:02 -05:00
+								            customResponse: customResponse);
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								        return Task.CompletedTask;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
 								        Dictionary<string, object> customResponse)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
 								            customResponse);
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
 								        Dictionary<string, object> customResponse)
-												Turn on file scoped namespaces (#2225)


											
										
										
											2022-08-29 14:53:16 -04:00
+								    {
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
 								            customResponse);
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
 								        Dictionary<string, object> customResponse)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								    }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								    {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            return false;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
+								        else
 								        {
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								            try
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
+								            {
 								                var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
 								                var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
 								                if (authEmailDecoded != context.UserName)
 								                {
 								                    return false;
 								                }
 								            }
 								            catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								            {
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
+								                // Invalid B64 encoding
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								                return false;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								            }
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								        }
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												captcha scores (#1967)

* captcha scores

* some api fixes

* check bot on captcha attribute

* Update src/Core/Services/Implementations/HCaptchaValidationService.cs

Co-authored-by: e271828- <e271828-@users.noreply.github.com>

Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: e271828- <e271828-@users.noreply.github.com>
											
										
										
											2022-05-09 12:25:13 -04:00
+								        return true;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    }
 								}