[PM-25473] Non-encryption passkeys prevent key rotation (#6359)

* use webauthn credentials that have encrypted user key for user key rotation * where condition simplification
2025-12-28 14:13:48 +00:00 · 2025-09-30 17:30:00 +02:00
parent 12303b3acf
commit 721fda0aaa
3 changed files with 74 additions and 33 deletions
--- a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
+++ b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
@@ -1,4 +1,5 @@
 using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
@@ -6,7 +7,13 @@ using Bit.Core.Exceptions;

 namespace Bit.Api.KeyManagement.Validators;

-public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+/// <summary>
+/// Validates WebAuthn credentials during key rotation. Only processes credentials that have PRF enabled
+/// and have encrypted user, public, and private keys. Ensures all such credentials are included
+/// in the rotation request with the required encrypted keys.
+/// </summary>
+public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>,
+    IEnumerable<WebAuthnLoginRotateKeyData>>
 {
    private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository;

@@ -15,24 +22,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
        _webAuthnCredentialRepository = webAuthnCredentialRepository;
    }

-    public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
+    public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
    {
        var result = new List<WebAuthnLoginRotateKeyData>();
-        var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
-        if (existing == null)
+        var validCredentials = (await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id))
+            .Where(credential => credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled).ToList();
+        if (validCredentials.Count == 0)
        {
            return result;
        }

-        var validCredentials = existing.Where(credential => credential.SupportsPrf);
-        if (!validCredentials.Any())
+        foreach (var webAuthnCredential in validCredentials)
        {
-            return result;
-        }
-
-        foreach (var ea in validCredentials)
-        {
-            var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
+            var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == webAuthnCredential.Id);
            if (keyToRotate == null)
            {
                throw new BadRequestException("All existing webauthn prf keys must be included in the rotation.");
@@ -42,6 +45,7 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
            {
                throw new BadRequestException("WebAuthn prf keys must have user-key during rotation.");
            }
+
            if (keyToRotate.EncryptedPublicKey == null)
            {
                throw new BadRequestException("WebAuthn prf keys must have public-key during rotation.");