[PM-6208] Move TOTP cache validation logic to providers (#3779)

* move totp cache validation logic to providers * remove unused usings * reduce TTL
2026-01-04 17:43:53 +00:00 · 2024-02-09 15:44:31 -05:00
parent a19ae0159f
commit 17118bc74f
6 changed files with 63 additions and 44 deletions
--- a/src/Identity/IdentityServer/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/BaseRequestValidator.cs
@@ -27,7 +27,6 @@ using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Duende.IdentityServer.Validation;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Caching.Distributed;

 namespace Bit.Identity.IdentityServer;

@@ -47,8 +46,6 @@ public abstract class BaseRequestValidator<T> where T : class
    private readonly GlobalSettings _globalSettings;
    private readonly IUserRepository _userRepository;
    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
-    private readonly IDistributedCache _distributedCache;
-    private readonly DistributedCacheEntryOptions _cacheEntryOptions;

    protected ICurrentContext CurrentContext { get; }
    protected IPolicyService PolicyService { get; }
@@ -77,7 +74,6 @@ public abstract class BaseRequestValidator<T> where T : class
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
        IFeatureService featureService,
        ISsoConfigRepository ssoConfigRepository,
-        IDistributedCache distributedCache,
        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder)
    {
        _userManager = userManager;
@@ -99,14 +95,6 @@ public abstract class BaseRequestValidator<T> where T : class
        _tokenDataFactory = tokenDataFactory;
        FeatureService = featureService;
        SsoConfigRepository = ssoConfigRepository;
-        _distributedCache = distributedCache;
-        _cacheEntryOptions = new DistributedCacheEntryOptions
-        {
-            // This sets the time an item is cached to 17 minutes. This value is hard coded
-            // to 17 because to it covers all time-out windows for both Authenticators and
-            // Email TOTP.
-            AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(17)
-        };
        UserDecryptionOptionsBuilder = userDecryptionOptionsBuilder;
    }

@@ -153,11 +141,7 @@ public abstract class BaseRequestValidator<T> where T : class

            var verified = await VerifyTwoFactor(user, twoFactorOrganization,
                twoFactorProviderType, twoFactorToken);
-
-            var cacheKey = "TOTP_" + user.Email + "_" + twoFactorToken;
-
-            var isOtpCached = Core.Utilities.DistributedCacheExtensions.TryGetValue(_distributedCache, cacheKey, out string _);
-            if (!verified || isBot || isOtpCached)
+            if (!verified || isBot)
            {
                if (twoFactorProviderType != TwoFactorProviderType.Remember)
                {
@@ -170,11 +154,6 @@ public abstract class BaseRequestValidator<T> where T : class
                }
                return;
            }
-            // We only want to track TOTPs in the cache to enforce one time use.
-            if (twoFactorProviderType == TwoFactorProviderType.Authenticator || twoFactorProviderType == TwoFactorProviderType.Email)
-            {
-                await Core.Utilities.DistributedCacheExtensions.SetAsync(_distributedCache, cacheKey, twoFactorToken, _cacheEntryOptions);
-            }
        }
        else
        {
--- a/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
@@ -15,7 +15,6 @@ using Duende.IdentityServer.Extensions;
 using Duende.IdentityServer.Validation;
 using IdentityModel;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Caching.Distributed;

 #nullable enable

@@ -46,14 +45,12 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
        IPolicyService policyService,
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
        IFeatureService featureService,
-        [FromKeyedServices("persistent")]
-        IDistributedCache distributedCache,
        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder)
        : base(userManager, deviceRepository, deviceService, userService, eventService,
            organizationDuoWebTokenProvider, duoWebV4SDKService, organizationRepository, organizationUserRepository,
            applicationCacheService, mailService, logger, currentContext, globalSettings,
            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository,
-            distributedCache, userDecryptionOptionsBuilder)
+            userDecryptionOptionsBuilder)
    {
        _userManager = userManager;
    }
--- a/src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs
@@ -15,7 +15,6 @@ using Bit.Core.Utilities;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Validation;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Caching.Distributed;

 namespace Bit.Identity.IdentityServer;

@@ -49,13 +48,11 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
        IFeatureService featureService,
        ISsoConfigRepository ssoConfigRepository,
-        [FromKeyedServices("persistent")]
-        IDistributedCache distributedCache,
        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder)
        : base(userManager, deviceRepository, deviceService, userService, eventService,
              organizationDuoWebTokenProvider, duoWebV4SDKService, organizationRepository, organizationUserRepository,
              applicationCacheService, mailService, logger, currentContext, globalSettings, userRepository, policyService,
-              tokenDataFactory, featureService, ssoConfigRepository, distributedCache, userDecryptionOptionsBuilder)
+              tokenDataFactory, featureService, ssoConfigRepository, userDecryptionOptionsBuilder)
    {
        _userManager = userManager;
        _userService = userService;
--- a/src/Identity/IdentityServer/WebAuthnGrantValidator.cs
+++ b/src/Identity/IdentityServer/WebAuthnGrantValidator.cs
@@ -18,7 +18,6 @@ using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Validation;
 using Fido2NetLib;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Caching.Distributed;

 namespace Bit.Identity.IdentityServer;

@@ -50,15 +49,13 @@ public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidat
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
        IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> assertionOptionsDataProtector,
        IFeatureService featureService,
-        [FromKeyedServices("persistent")]
-        IDistributedCache distributedCache,
        IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
        IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand
        )
        : base(userManager, deviceRepository, deviceService, userService, eventService,
            organizationDuoWebTokenProvider, duoWebV4SDKService, organizationRepository, organizationUserRepository,
            applicationCacheService, mailService, logger, currentContext, globalSettings,
-            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository, distributedCache, userDecryptionOptionsBuilder)
+            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository, userDecryptionOptionsBuilder)
    {
        _assertionOptionsDataProtector = assertionOptionsDataProtector;
        _assertWebAuthnLoginCredentialCommand = assertWebAuthnLoginCredentialCommand;