Feature/token service (#1785)

* Implement draft token service * Add tokenizer and factory * Handle expiring tokens through base class * Allow direct token validity checks * Add safe unprotect to tokenizer * Add interface to tokenizer factory * Use tokenizer * Fix rebase * Handle cleartext prefix in tokenizer base * Use epoch milliseconds for expiration in tokens * Use tokenizers * Test tokens * Linter fixes * Add TokenizerFactory to DI services * Test epoch milliseconds deserialization * Use separate injectables for each token type * Fix directory * Add functional unprotect to token * Fix namespace and correct object names * Remove Tokenable interface * Test remaining Tokens classes * Dotnet format * Fix sut provider errors with update * Remove useless property Co-authored-by: Hinton <oscar@oscarhinton.com>
2025-12-22 19:23:45 +00:00 · 2022-01-10 10:58:16 -05:00
parent 924ebca153
commit e2c6fc81f4
19 changed files with 562 additions and 33 deletions
--- a/src/Core/Services/Implementations/HCaptchaValidationService.cs
+++ b/src/Core/Services/Implementations/HCaptchaValidationService.cs
@@ -3,10 +3,10 @@ using System.Collections.Generic;
 using System.Net.Http;
 using System.Threading.Tasks;
 using Bit.Core.Context;
+using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.Models.Table;
 using Bit.Core.Settings;
-using Bit.Core.Utilities;
-using Microsoft.AspNetCore.DataProtection;
+using Bit.Core.Tokens;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;

@@ -14,31 +14,27 @@ namespace Bit.Core.Services
 {
    public class HCaptchaValidationService : ICaptchaValidationService
    {
-        private const double TokenLifetimeInHours = (double)5 / 60; // 5 minutes
-        private const string TokenName = "CaptchaBypassToken";
-        private const string TokenClearTextPrefix = "BWCaptchaBypass_";
        private readonly ILogger<HCaptchaValidationService> _logger;
        private readonly IHttpClientFactory _httpClientFactory;
        private readonly GlobalSettings _globalSettings;
-        private readonly IDataProtector _dataProtector;
+        private readonly IDataProtectorTokenFactory<HCaptchaTokenable> _tokenizer;

        public HCaptchaValidationService(
            ILogger<HCaptchaValidationService> logger,
            IHttpClientFactory httpClientFactory,
-            IDataProtectionProvider dataProtectorProvider,
+            IDataProtectorTokenFactory<HCaptchaTokenable> tokenizer,
            GlobalSettings globalSettings)
        {
            _logger = logger;
            _httpClientFactory = httpClientFactory;
            _globalSettings = globalSettings;
-            _dataProtector = dataProtectorProvider.CreateProtector("CaptchaServiceDataProtector");
+            _tokenizer = tokenizer;
        }

        public string SiteKeyResponseKeyName => "HCaptcha_SiteKey";
        public string SiteKey => _globalSettings.Captcha.HCaptchaSiteKey;

-        public string GenerateCaptchaBypassToken(User user) =>
-            $"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}";
+        public string GenerateCaptchaBypassToken(User user) => _tokenizer.Protect(new HCaptchaTokenable(user));

        public bool ValidateCaptchaBypassToken(string bypassToken, User user) =>
            TokenIsApiKey(bypassToken, user) || TokenIsCaptchaBypassToken(bypassToken, user);
@@ -89,20 +85,12 @@ namespace Bit.Core.Services
        public bool RequireCaptchaValidation(ICurrentContext currentContext) =>
            currentContext.IsBot || _globalSettings.Captcha.ForceCaptchaRequired;

-        private static string CaptchaBypassTokenContent(User user) =>
-            string.Join(' ', new object[] {
-                TokenName,
-                user?.Id,
-                user?.Email,
-                CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours))
-            });
-
        private static bool TokenIsApiKey(string bypassToken, User user) =>
            !string.IsNullOrWhiteSpace(bypassToken) && user != null && user.ApiKey == bypassToken;
-        private bool TokenIsCaptchaBypassToken(string encryptedToken, User user) =>
-            encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
-            CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
-            user.Email, user.Id, TokenLifetimeInHours);
-
+        private bool TokenIsCaptchaBypassToken(string encryptedToken, User user)
+        {
+            return _tokenizer.TryUnprotect(encryptedToken, out var data) &&
+                data.Valid && data.TokenIsValid(user);
+        }
    }
 }