diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index bd31fc8066..ecd3677d3e 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -267,10 +267,23 @@ namespace Bit.Api.Controllers
         }
 
         [HttpPut("{userId}/reset-password-enrollment")]
-        public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody]OrganizationUserResetPasswordEnrollmentRequestModel model)
+        public async Task PutResetPasswordEnrollment(string orgId, string userId,
+            [FromBody]OrganizationUserResetPasswordEnrollmentRequestModel model)
         {
-            var callingUserId = _userService.GetProperUserId(User);
-            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            var user = await _userService.GetUserByPrincipalAsync(User);
+            if(user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException("MasterPasswordHash", "Invalid password.");
+            }
+
+            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId),
+                new Guid(userId), model.ResetPasswordKey, user.Id);
         }
 
         [HttpPut("{id}/reset-password")]
diff --git a/src/Core/Models/Api/Request/Organizations/OrganizationUserRequestModels.cs b/src/Core/Models/Api/Request/Organizations/OrganizationUserRequestModels.cs
index 1bb368d9b6..7d60671c83 100644
--- a/src/Core/Models/Api/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Core/Models/Api/Request/Organizations/OrganizationUserRequestModels.cs
@@ -80,6 +80,10 @@ namespace Bit.Core.Models.Api
 
     public class OrganizationUserResetPasswordEnrollmentRequestModel
     {
+
+        [Required]
+        [StringLength(300)]
+        public string MasterPasswordHash { get; set; }
         public string ResetPasswordKey { get; set; }
     }
 
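Review bot: The `await Task.Delay(2000)` in the failed-password branch of PutResetPasswordEnrollment only slows a single request; it does not bound how many password checks a caller can have in flight at once, so it is not a substitute for the lockout or rate-limiting the account's other master-password-verifying endpoints presumably apply — consider routing this failure through the same mechanism rather than an inline delay. The new code also still builds `new Guid(orgId)` and `new Guid(userId)` directly from route strings, which throws FormatException (a 500) on malformed ids instead of a 400; `Guid.TryParse` with a BadRequestException would make that explicit. Whether the caller may enroll on behalf of an arbitrary `userId` is not checked in this method, so it is worth a one-line comment stating that UpdateUserResetPasswordEnrollmentAsync is responsible for that authorization, e.g. `// Org/user authorization and key validation happen in the service; only re-authentication is done here.` Minor style: `if(user == null)` would read better as `if (user is null)` with the file's usual spacing.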
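Review bot: The new MasterPasswordHash property on OrganizationUserResetPasswordEnrollmentRequestModel carries no documentation, and since it is a re-authentication credential rather than data to persist, that is worth stating: `/// <summary>Client-side hash of the caller's master password, verified server-side before the enrollment change is applied; never stored.</summary>`. The hunk also introduces a stray blank line immediately after the opening brace of the class, before `[Required]`, which should be dropped. ResetPasswordKey keeps no validation attribute while the new property gets `[Required]` and `[StringLength(300)]`; if a null key is meaningful (for example to withdraw enrollment) a short comment on that property saying so would prevent someone "fixing" the asymmetry later.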