2023-04-14 13:25:56 -04:00
|
|
|
|
using Bit.Api.Auth.Models.Request;
|
|
|
|
|
|
using Bit.Api.Auth.Models.Response;
|
2022-09-26 13:21:13 -04:00
|
|
|
|
using Bit.Api.Models.Response;
|
2023-04-14 13:25:56 -04:00
|
|
|
|
using Bit.Core.Auth.Entities;
|
|
|
|
|
|
using Bit.Core.Auth.Exceptions;
|
2022-09-26 13:21:13 -04:00
|
|
|
|
using Bit.Core.Context;
|
|
|
|
|
|
using Bit.Core.Exceptions;
|
|
|
|
|
|
using Bit.Core.Repositories;
|
|
|
|
|
|
using Bit.Core.Services;
|
|
|
|
|
|
using Bit.Core.Settings;
|
2022-11-22 15:32:21 -05:00
|
|
|
|
using Bit.Core.Utilities;
|
2022-09-26 13:21:13 -04:00
|
|
|
|
using Microsoft.AspNetCore.Authorization;
|
|
|
|
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
|
|
|
2023-04-14 13:25:56 -04:00
|
|
|
|
namespace Bit.Api.Auth.Controllers;
|
2022-09-26 13:21:13 -04:00
|
|
|
|
|
|
|
|
|
|
[Route("auth-requests")]
|
|
|
|
|
|
[Authorize("Application")]
|
|
|
|
|
|
public class AuthRequestsController : Controller
|
|
|
|
|
|
{
|
|
|
|
|
|
private readonly IUserRepository _userRepository;
|
|
|
|
|
|
private readonly IDeviceRepository _deviceRepository;
|
|
|
|
|
|
private readonly IUserService _userService;
|
|
|
|
|
|
private readonly IAuthRequestRepository _authRequestRepository;
|
|
|
|
|
|
private readonly ICurrentContext _currentContext;
|
|
|
|
|
|
private readonly IPushNotificationService _pushNotificationService;
|
|
|
|
|
|
private readonly IGlobalSettings _globalSettings;
|
|
|
|
|
|
|
|
|
|
|
|
public AuthRequestsController(
|
|
|
|
|
|
IUserRepository userRepository,
|
|
|
|
|
|
IDeviceRepository deviceRepository,
|
|
|
|
|
|
IUserService userService,
|
|
|
|
|
|
IAuthRequestRepository authRequestRepository,
|
|
|
|
|
|
ICurrentContext currentContext,
|
|
|
|
|
|
IPushNotificationService pushNotificationService,
|
|
|
|
|
|
IGlobalSettings globalSettings)
|
|
|
|
|
|
{
|
|
|
|
|
|
_userRepository = userRepository;
|
|
|
|
|
|
_deviceRepository = deviceRepository;
|
|
|
|
|
|
_userService = userService;
|
|
|
|
|
|
_authRequestRepository = authRequestRepository;
|
|
|
|
|
|
_currentContext = currentContext;
|
|
|
|
|
|
_pushNotificationService = pushNotificationService;
|
|
|
|
|
|
_globalSettings = globalSettings;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[HttpGet("")]
|
|
|
|
|
|
public async Task<ListResponseModel<AuthRequestResponseModel>> Get()
|
|
|
|
|
|
{
|
|
|
|
|
|
var userId = _userService.GetProperUserId(User).Value;
|
|
|
|
|
|
var authRequests = await _authRequestRepository.GetManyByUserIdAsync(userId);
|
2022-10-04 11:06:01 -04:00
|
|
|
|
var responses = authRequests.Select(a => new AuthRequestResponseModel(a, _globalSettings.BaseServiceUri.Vault)).ToList();
|
2022-09-26 13:21:13 -04:00
|
|
|
|
return new ListResponseModel<AuthRequestResponseModel>(responses);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[HttpGet("{id}")]
|
|
|
|
|
|
public async Task<AuthRequestResponseModel> Get(string id)
|
|
|
|
|
|
{
|
|
|
|
|
|
var userId = _userService.GetProperUserId(User).Value;
|
|
|
|
|
|
var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
|
|
|
|
|
|
if (authRequest == null || authRequest.UserId != userId)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new NotFoundException();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-10-04 11:06:01 -04:00
|
|
|
|
return new AuthRequestResponseModel(authRequest, _globalSettings.BaseServiceUri.Vault);
|
2022-09-26 13:21:13 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[HttpGet("{id}/response")]
|
|
|
|
|
|
[AllowAnonymous]
|
|
|
|
|
|
public async Task<AuthRequestResponseModel> GetResponse(string id, [FromQuery] string code)
|
|
|
|
|
|
{
|
|
|
|
|
|
var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
|
2022-11-22 15:32:21 -05:00
|
|
|
|
if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code) || authRequest.GetExpirationDate() < DateTime.UtcNow)
|
2022-09-26 13:21:13 -04:00
|
|
|
|
{
|
|
|
|
|
|
throw new NotFoundException();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-10-04 11:06:01 -04:00
|
|
|
|
return new AuthRequestResponseModel(authRequest, _globalSettings.BaseServiceUri.Vault);
|
2022-09-26 13:21:13 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[HttpPost("")]
|
|
|
|
|
|
[AllowAnonymous]
|
|
|
|
|
|
public async Task<AuthRequestResponseModel> Post([FromBody] AuthRequestCreateRequestModel model)
|
|
|
|
|
|
{
|
|
|
|
|
|
var user = await _userRepository.GetByEmailAsync(model.Email);
|
|
|
|
|
|
if (user == null)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new NotFoundException();
|
|
|
|
|
|
}
|
|
|
|
|
|
if (!_currentContext.DeviceType.HasValue)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new BadRequestException("Device type not provided.");
|
|
|
|
|
|
}
|
2022-09-29 14:10:21 -04:00
|
|
|
|
if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
|
2022-09-26 13:21:13 -04:00
|
|
|
|
{
|
2022-09-30 09:45:07 -04:00
|
|
|
|
var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
|
|
|
|
|
|
if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
|
2022-09-26 13:21:13 -04:00
|
|
|
|
{
|
2022-10-03 11:37:37 -04:00
|
|
|
|
throw new BadRequestException("Login with device is only available on devices that have been previously logged in.");
|
2022-09-26 13:21:13 -04:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var authRequest = new AuthRequest
|
|
|
|
|
|
{
|
|
|
|
|
|
RequestDeviceIdentifier = model.DeviceIdentifier,
|
|
|
|
|
|
RequestDeviceType = _currentContext.DeviceType.Value,
|
|
|
|
|
|
RequestIpAddress = _currentContext.IpAddress,
|
|
|
|
|
|
AccessCode = model.AccessCode,
|
|
|
|
|
|
PublicKey = model.PublicKey,
|
|
|
|
|
|
UserId = user.Id,
|
2023-03-23 13:08:49 +00:00
|
|
|
|
Type = model.Type.Value
|
2022-09-26 13:21:13 -04:00
|
|
|
|
};
|
|
|
|
|
|
authRequest = await _authRequestRepository.CreateAsync(authRequest);
|
|
|
|
|
|
await _pushNotificationService.PushAuthRequestAsync(authRequest);
|
2022-10-04 11:06:01 -04:00
|
|
|
|
var r = new AuthRequestResponseModel(authRequest, _globalSettings.BaseServiceUri.Vault);
|
2022-10-03 11:37:37 -04:00
|
|
|
|
return r;
|
2022-09-26 13:21:13 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[HttpPut("{id}")]
|
|
|
|
|
|
public async Task<AuthRequestResponseModel> Put(string id, [FromBody] AuthRequestUpdateRequestModel model)
|
|
|
|
|
|
{
|
|
|
|
|
|
var userId = _userService.GetProperUserId(User).Value;
|
|
|
|
|
|
var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
|
|
|
|
|
|
if (authRequest == null || authRequest.UserId != userId || authRequest.GetExpirationDate() < DateTime.UtcNow)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new NotFoundException();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-10-28 11:58:05 -04:00
|
|
|
|
if (authRequest.Approved is not null)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new DuplicateAuthRequestException();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-11-16 10:29:09 -05:00
|
|
|
|
var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
|
2022-09-26 13:21:13 -04:00
|
|
|
|
if (device == null)
|
|
|
|
|
|
{
|
|
|
|
|
|
throw new BadRequestException("Invalid device.");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-10-25 17:14:48 -04:00
|
|
|
|
authRequest.ResponseDeviceId = device.Id;
|
|
|
|
|
|
authRequest.ResponseDate = DateTime.UtcNow;
|
|
|
|
|
|
authRequest.Approved = model.RequestApproved;
|
2022-12-13 21:50:53 +00:00
|
|
|
|
|
|
|
|
|
|
if (model.RequestApproved)
|
|
|
|
|
|
{
|
|
|
|
|
|
authRequest.Key = model.Key;
|
|
|
|
|
|
authRequest.MasterPasswordHash = model.MasterPasswordHash;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-10-25 17:14:48 -04:00
|
|
|
|
await _authRequestRepository.ReplaceAsync(authRequest);
|
2022-10-31 21:31:07 -04:00
|
|
|
|
|
|
|
|
|
|
// We only want to send an approval notification if the request is approved (or null),
|
|
|
|
|
|
// to not leak that it was denied to the originating client if it was originated by a malicious actor.
|
|
|
|
|
|
if (authRequest.Approved ?? true)
|
|
|
|
|
|
{
|
|
|
|
|
|
await _pushNotificationService.PushAuthRequestResponseAsync(authRequest);
|
|
|
|
|
|
}
|
2022-09-26 13:21:13 -04:00
|
|
|
|
|
2022-10-04 11:06:01 -04:00
|
|
|
|
return new AuthRequestResponseModel(authRequest, _globalSettings.BaseServiceUri.Vault);
|
2022-09-26 13:21:13 -04:00
|
|
|
|
}
|
|
|
|
|
|
}
|
