admin/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2026-02-14 12:53:49 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
b87846f97faf781ee94f29c02cd7013e35bc5b5a
server/src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

194 lines
7.7 KiB
C#
Raw Normal View History

Turn On `ImplicitUsings` (#2079) * Turn on ImplicitUsings * Fix formatting * Run linter
2022-06-29 19:46:41 -04:00
using System.Security.Claims;
[PM-1188] Server owner auth migration (#2825) * [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2023-04-14 13:25:56 -04:00
using Bit.Core.Auth.Identity;
using Bit.Core.Auth.Services;
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
using Bit.Core.Context;
Split out repositories to Infrastructure.Dapper / EntityFramework (#1759)
2022-01-11 10:40:51 +01:00
using Bit.Core.Entities;
Two factor and device handling on identity token validation
2017-01-18 00:14:28 -05:00
using Bit.Core.Repositories;
notification hub push registration service
2017-05-26 00:50:27 -04:00
using Bit.Core.Services;
Use sas token for attachment downloads (#1153) * Get limited life attachment download URL This change limits url download to a 1min lifetime. This requires moving to a new container to allow for non-public blob access. Clients will have to call GetAttachmentData api function to receive the download URL. For backwards compatibility, attachment URLs are still present, but will not work for attachments stored in non-public access blobs. * Make GlobalSettings interface for testing * Test LocalAttachmentStorageService equivalence * Remove comment * Add missing globalSettings using * Simplify default attachment container * Default to attachments containe for existing methods A new upload method will be made for uploading to attachments-v2. For compatibility for clients which don't use these new methods, we need to still use the old container. The new container will be used only for new uploads * Remove Default MetaData fixture. * Keep attachments container blob-level security for all instances * Close unclosed FileStream * Favor default value for noop services
2021-02-22 15:35:16 -06:00
using Bit.Core.Settings;
Use UrlB64 encoding for auth-email header (#1503)
2021-08-11 06:21:46 +10:00
using Bit.Core.Utilities;
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
[SM-220] Move identity specific files to identity (#2279)
2022-09-27 18:30:37 +02:00
namespace Bit.Identity.IdentityServer;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
move identityserver libs into core
2017-05-05 16:11:50 -04:00
public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
IResourceOwnerPasswordValidator
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
private UserManager<User> _userManager;
verify all 2fa methods
2017-06-20 14:50:12 -04:00
private readonly IUserService _userService;
commented code to validate auth-email header (#1361) * commented code to validate auth-email header * format comment more
2021-05-28 16:04:58 -04:00
private readonly ICurrentContext _currentContext;
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
private readonly ICaptchaValidationService _captchaValidationService;
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
private readonly IAuthRequestRepository _authRequestRepository;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
public ResourceOwnerPasswordValidator(
Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext
2017-01-25 22:31:14 -05:00
UserManager<User> userManager,
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
IDeviceRepository deviceRepository,
verify all 2fa methods
2017-06-20 14:50:12 -04:00
IDeviceService deviceService,
log user events
2017-12-01 10:07:14 -05:00
IUserService userService,
added org duo to 2fa flow
2018-04-03 14:31:33 -04:00
IEventService eventService,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
added org duo to 2fa flow
2018-04-03 14:31:33 -04:00
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
IApplicationCacheService applicationCacheService,
new device logged in email notification
2019-01-24 22:37:49 -05:00
IMailService mailService,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
ILogger<ResourceOwnerPasswordValidator> logger,
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
ICurrentContext currentContext,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
GlobalSettings globalSettings,
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
IPolicyRepository policyRepository,
[Captcha] Implement failed logins ceiling (#1870) * [Hacker1] Failed Login Attempts Captcha * [Captcha] Implement failed logins ceiling * Formatting * Updated approach after implementation talks with Kyle * Updated email templates // Updated calling arch for failed attempts * Formatting * Updated 2fa email links * Renamed baserequest methods to better match their actions * EF migrations/scripts * Updated with requested changes * Defaults for MaxiumumFailedLoginAttempts
2022-03-02 15:45:00 -06:00
ICaptchaValidationService captchaValidationService,
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
IAuthRequestRepository authRequestRepository,
[AC-1070] Enforce master password policy on login (#2714) * [EC-1070] Add API endpoint to retrieve all policies for the current user The additional API endpoint is required to avoid forcing a full sync call before every login for master password policy enforcement on login. * [EC-1070] Add MasterPasswordPolicyData model * [EC-1070] Move PolicyResponseModel to Core project The response model is used by both the Identity and Api projects. * [EC-1070] Supply master password polices as a custom identity token response * [EC-1070] Include master password policies in 2FA token response * [EC-1070] Add response model to verify-password endpoint that includes master password policies * [AC-1070] Introduce MasterPasswordPolicyResponseModel * [AC-1070] Add policy service method to retrieve a user's master password policy * [AC-1070] User new policy service method - Update BaseRequestValidator - Update AccountsController for /verify-password endpoint - Update VerifyMasterPasswordResponseModel to accept MasterPasswordPolicyData * [AC-1070] Cleanup new policy service method - Use User object instead of Guid - Remove TODO message - Use `PolicyRepository.GetManyByTypeApplicableToUserIdAsync` instead of filtering locally * [AC-1070] Cleanup MasterPasswordPolicy models - Remove default values from both models - Add missing `RequireLower` - Fix mismatched properties in `CombineWith` method - Make properties nullable in response model * [AC-1070] Remove now un-used GET /policies endpoint * [AC-1070] Update policy service method to use GetManyByUserIdAsync * [AC-1070] Ensure existing value is not null before comparison * [AC-1070] Remove redundant VerifyMasterPasswordResponse model * [AC-1070] Fix service typo in constructor
2023-04-17 07:35:47 -07:00
IUserRepository userRepository,
IPolicyService policyService)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
[AC-1070] Enforce master password policy on login (#2714) * [EC-1070] Add API endpoint to retrieve all policies for the current user The additional API endpoint is required to avoid forcing a full sync call before every login for master password policy enforcement on login. * [EC-1070] Add MasterPasswordPolicyData model * [EC-1070] Move PolicyResponseModel to Core project The response model is used by both the Identity and Api projects. * [EC-1070] Supply master password polices as a custom identity token response * [EC-1070] Include master password policies in 2FA token response * [EC-1070] Add response model to verify-password endpoint that includes master password policies * [AC-1070] Introduce MasterPasswordPolicyResponseModel * [AC-1070] Add policy service method to retrieve a user's master password policy * [AC-1070] User new policy service method - Update BaseRequestValidator - Update AccountsController for /verify-password endpoint - Update VerifyMasterPasswordResponseModel to accept MasterPasswordPolicyData * [AC-1070] Cleanup new policy service method - Use User object instead of Guid - Remove TODO message - Use `PolicyRepository.GetManyByTypeApplicableToUserIdAsync` instead of filtering locally * [AC-1070] Cleanup MasterPasswordPolicy models - Remove default values from both models - Add missing `RequireLower` - Fix mismatched properties in `CombineWith` method - Make properties nullable in response model * [AC-1070] Remove now un-used GET /policies endpoint * [AC-1070] Update policy service method to use GetManyByUserIdAsync * [AC-1070] Ensure existing value is not null before comparison * [AC-1070] Remove redundant VerifyMasterPasswordResponse model * [AC-1070] Fix service typo in constructor
2023-04-17 07:35:47 -07:00
userRepository, policyService)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
commented code to validate auth-email header (#1361) * commented code to validate auth-email header * format comment more
2021-05-28 16:04:58 -04:00
_userManager = userManager;
_userService = userService;
_currentContext = currentContext;
_captchaValidationService = captchaValidationService;
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
_authRequestRepository = authRequestRepository;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
{
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
if (!AuthEmailHeaderIsValid(context))
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
{
commented code to validate auth-email header (#1361) * commented code to validate auth-email header * format comment more
2021-05-28 16:04:58 -04:00
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
"Auth-Email header invalid.");
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
return;
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
}
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
var validatorContext = new CustomValidatorRequestContext
{
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
User = user,
uncomment to require auth-email header (#1604)
2021-09-30 11:24:29 -04:00
KnownDevice = await KnownDeviceAsync(user, context.Request)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
};
uncomment to require auth-email header (#1604)
2021-09-30 11:24:29 -04:00
string bypassToken = null;
if (!validatorContext.KnownDevice &&
Feature/sync Enable hcaptcha on login (#1469) * Share globalSettings hcaptcha public key with clients * Require captcha valid only prior to two factor users with two factor will have already solved captcha is necessary. Users without two factor will have`TwoFactorVerified` set to false * Do not require CaptchaResponse on two-factor requests * Add option to always require captcha for testing purposes * Allow for self-hosted instances if they want to use it * Move refresh suggestion to correct error * Expect lifetime in helper method * Add captcha bypass token to successful captcha validations * Remove twofactorValidated * PR Feedback
2021-07-21 13:42:06 -05:00
_captchaValidationService.RequireCaptchaValidation(_currentContext, user))
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
Feature/sync Enable hcaptcha on login (#1469) * Share globalSettings hcaptcha public key with clients * Require captcha valid only prior to two factor users with two factor will have already solved captcha is necessary. Users without two factor will have`TwoFactorVerified` set to false * Do not require CaptchaResponse on two-factor requests * Add option to always require captcha for testing purposes * Allow for self-hosted instances if they want to use it * Move refresh suggestion to correct error * Expect lifetime in helper method * Add captcha bypass token to successful captcha validations * Remove twofactorValidated * PR Feedback
2021-07-21 13:42:06 -05:00
var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();
hcaptcha validation on password login (#1398)
2021-06-16 12:47:41 -04:00
uncomment to require auth-email header (#1604)
2021-09-30 11:24:29 -04:00
if (string.IsNullOrWhiteSpace(captchaResponse))
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
{
[Require SSO] Enterprise policy enforcement (#970) * Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2020-10-26 11:56:16 -05:00
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.",
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
new Dictionary<string, object>
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
{
Protect user registration with captcha (#1480) * Protect user registration with captcha * PR feedback
2021-07-22 12:29:06 -05:00
{ _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey },
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
});
Feature/sync Enable hcaptcha on login (#1469) * Share globalSettings hcaptcha public key with clients * Require captcha valid only prior to two factor users with two factor will have already solved captcha is necessary. Users without two factor will have`TwoFactorVerified` set to false * Do not require CaptchaResponse on two-factor requests * Add option to always require captcha for testing purposes * Allow for self-hosted instances if they want to use it * Move refresh suggestion to correct error * Expect lifetime in helper method * Add captcha bypass token to successful captcha validations * Remove twofactorValidated * PR Feedback
2021-07-21 13:42:06 -05:00
return;
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
}
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
validatorContext.CaptchaResponse = await _captchaValidationService.ValidateCaptchaResponseAsync(
captchaResponse, _currentContext.IpAddress, user);
if (!validatorContext.CaptchaResponse.Success)
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
{
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null);
return;
Feature/sync Enable hcaptcha on login (#1469) * Share globalSettings hcaptcha public key with clients * Require captcha valid only prior to two factor users with two factor will have already solved captcha is necessary. Users without two factor will have`TwoFactorVerified` set to false * Do not require CaptchaResponse on two-factor requests * Add option to always require captcha for testing purposes * Allow for self-hosted instances if they want to use it * Move refresh suggestion to correct error * Expect lifetime in helper method * Add captcha bypass token to successful captcha validations * Remove twofactorValidated * PR Feedback
2021-07-21 13:42:06 -05:00
}
bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
Two factor and device handling on identity token validation
2017-01-18 00:14:28 -05:00
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
await ValidateAsync(context, context.Request, validatorContext);
if (context.Result.CustomResponse != null && bypassToken != null)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;
Two factor and device handling on identity token validation
2017-01-18 00:14:28 -05:00
}
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
Two factor and device handling on identity token validation
2017-01-18 00:14:28 -05:00
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
protected async override Task<bool> ValidateContextAsync(ResourceOwnerPasswordValidationContext context,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
CustomValidatorRequestContext validatorContext)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
if (string.IsNullOrWhiteSpace(context.UserName) || validatorContext.User == null)
validate old auth bearer tokens so that we can generate new identity ones
2017-01-21 23:12:28 -05:00
{
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
return false;
validate old auth bearer tokens so that we can generate new identity ones
2017-01-21 23:12:28 -05:00
}
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
var authRequestId = context.Request.Raw["AuthRequest"]?.ToString()?.ToLowerInvariant();
if (!string.IsNullOrWhiteSpace(authRequestId) && Guid.TryParse(authRequestId, out var authRequestGuid))
cleanup ResourceOwnerPasswordValidator
2017-01-25 00:28:18 -05:00
{
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
var authRequest = await _authRequestRepository.GetByIdAsync(authRequestGuid);
if (authRequest != null)
{
var requestAge = DateTime.UtcNow - authRequest.CreationDate;
[SG-698] Refactored 2fa send email and identity to cater for passwordless (#2346) * Allow for auth request validation for sending two factor emails * Refactored 2fa send email and identity to cater for passwordless * Refactored 2fa send email and identity to cater for passwordless Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Inform that we track issues outside of Github (#2331) * Inform that we track issues outside of Github * Use checkboxes for info acknowledgement Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Refactored 2fa send email and identity to cater for passwordless * ran dotnet format Signed-off-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: addison <addisonbeck1@gmail.com>
2022-10-18 14:50:48 -04:00
if (requestAge < TimeSpan.FromHours(1) &&
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
CoreHelpers.FixedTimeEquals(authRequest.AccessCode, context.Password))
{
authRequest.AuthenticationDate = DateTime.UtcNow;
await _authRequestRepository.ReplaceAsync(authRequest);
return true;
}
}
cleanup ResourceOwnerPasswordValidator
2017-01-25 00:28:18 -05:00
return false;
}
[SG-698] Refactored 2fa send email and identity to cater for passwordless (#2346) * Allow for auth request validation for sending two factor emails * Refactored 2fa send email and identity to cater for passwordless * Refactored 2fa send email and identity to cater for passwordless Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Inform that we track issues outside of Github (#2331) * Inform that we track issues outside of Github * Use checkboxes for info acknowledgement Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Refactored 2fa send email and identity to cater for passwordless * ran dotnet format Signed-off-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: addison <addisonbeck1@gmail.com>
2022-10-18 14:50:48 -04:00
if (!await _userService.CheckPasswordAsync(validatorContext.User, context.Password))
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
{
[SG-698] Refactored 2fa send email and identity to cater for passwordless (#2346) * Allow for auth request validation for sending two factor emails * Refactored 2fa send email and identity to cater for passwordless * Refactored 2fa send email and identity to cater for passwordless Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Inform that we track issues outside of Github (#2331) * Inform that we track issues outside of Github * Use checkboxes for info acknowledgement Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Refactored 2fa send email and identity to cater for passwordless * ran dotnet format Signed-off-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: addison <addisonbeck1@gmail.com>
2022-10-18 14:50:48 -04:00
return false;
[SG-167] Implement Passwordless Authentication via Notifications (#2276) * [SG-549] Commit Initial AuthRequest Repository (#2174) * Model Passwordless * Scaffold database for Passwordless * Implement SQL Repository * [SG-167] Base Passwordless API (#2185) * Implement Passwordless notifications * Implement Controller * Add documentation to BaseRequestValidator * Register AuthRequestRepo * Remove ExpirationDate from the AuthRequest table * [SG-407] Create job to delete expired requests (#2187) * chore: init * remove exp date * fix: log name * [SG-167] Added fingerprint phrase to response model. (#2233) * Remove FailedLoginAttempt logic * Block unknown devices * Add EF Support for passwordless * Got SignalR working for responses * Added delete job method to EF repo * Implement a GetMany API endpoint for AuthRequests * Ran dotnet format * Fix a merge issues * Redated migration scripts * tried sorting sqlproj * Remove FailedLoginAttempts from SQL * Groom Postgres script * Remove extra commas from migration script * Correct isSpent() * [SG-167] Adde identity validation for passwordless requests. Registered IAuthRepository. * [SG-167] Added origin of the request to response model * Use display name for device identifier in response * Add datetime conversions back to postgres migration script * [SG-655] Add anonymous endpoint for checking if a device & user combo match * [review] Consolidate error conditions Co-authored-by: Brandon Maharaj <107377945+BrandonM-Bitwarden@users.noreply.github.com> Co-authored-by: André Filipe da Silva Bispo <andrefsbispo@hotmail.com> Co-authored-by: André Bispo <abispo@bitwarden.com>
2022-09-26 13:21:13 -04:00
}
[SG-698] Refactored 2fa send email and identity to cater for passwordless (#2346) * Allow for auth request validation for sending two factor emails * Refactored 2fa send email and identity to cater for passwordless * Refactored 2fa send email and identity to cater for passwordless Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Inform that we track issues outside of Github (#2331) * Inform that we track issues outside of Github * Use checkboxes for info acknowledgement Signed-off-by: gbubemismith <gsmithwalter@gmail.com> * Refactored 2fa send email and identity to cater for passwordless * ran dotnet format Signed-off-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: addison <addisonbeck1@gmail.com>
2022-10-18 14:50:48 -04:00
return true;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
List<Claim> claims, Dictionary<string, object> customResponse)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
public and private keys added to db and user domain. added account APIs got getting and putting keys.
2017-02-11 23:00:55 -05:00
identityProvider: "bitwarden",
claims: claims.Count > 0 ? claims : null,
return share information with cipher API response
2017-02-21 22:52:02 -05:00
customResponse: customResponse);
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
return Task.CompletedTask;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
Dictionary<string, object> customResponse)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
cleanup ResourceOwnerPasswordValidator
2017-01-25 00:28:18 -05:00
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
customResponse);
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
Dictionary<string, object> customResponse)
Turn on file scoped namespaces (#2225)
2022-08-29 14:53:16 -04:00
{
[Require SSO] Enterprise policy enforcement (#970) * Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2020-10-26 11:56:16 -05:00
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
customResponse);
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
Dictionary<string, object> customResponse)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
[Require SSO] Enterprise policy enforcement (#970) * Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2020-10-26 11:56:16 -05:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
Two factor and device handling on identity token validation
2017-01-18 00:14:28 -05:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
return false;
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
}
Use UrlB64 encoding for auth-email header (#1503)
2021-08-11 06:21:46 +10:00
else
{
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
try
Use UrlB64 encoding for auth-email header (#1503)
2021-08-11 06:21:46 +10:00
{
var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
if (authEmailDecoded != context.UserName)
{
return false;
}
}
catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
Use UrlB64 encoding for auth-email header (#1503)
2021-08-11 06:21:46 +10:00
// Invalid B64 encoding
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
return false;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
}
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
return true;
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
2017-01-11 00:34:16 -05:00
}
}
Reference in New Issue Copy Permalink