Merge branch 'master' into flexible-collections/deprecate-custom-collection-perm

2026-01-01 08:03:23 +00:00 · 2023-11-08 11:14:52 +00:00
parent 20d095734a f29d3e79a5
commit fc385c15b1
15 changed files with 72 additions and 26 deletions
--- a/src/Api/Auth/Controllers/WebAuthnController.cs
+++ b/src/Api/Auth/Controllers/WebAuthnController.cs
@@ -75,7 +75,7 @@ public class WebAuthnController : Controller
            throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
        }

-        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, tokenable.Options, model.DeviceResponse);
+        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, tokenable.Options, model.DeviceResponse, model.SupportsPrf, model.EncryptedUserKey, model.EncryptedPublicKey, model.EncryptedPrivateKey);
        if (!success)
        {
            throw new BadRequestException("Unable to complete WebAuthn registration.");
--- a/src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs
@@ -1,6 +1,4 @@
-#nullable enable
-
-using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -17,7 +15,7 @@ public class SetPasswordRequestModel : IValidatableObject
    public string Key { get; set; }
    [StringLength(50)]
    public string MasterPasswordHint { get; set; }
-    public KeysRequestModel? Keys { get; set; }
+    public KeysRequestModel Keys { get; set; }
    [Required]
    public KdfType Kdf { get; set; }
    [Required]
--- a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs
+++ b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs
@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
 using Fido2NetLib;

 namespace Bit.Api.Auth.Models.Request.Webauthn;
@@ -13,5 +14,20 @@ public class WebAuthnCredentialRequestModel

    [Required]
    public string Token { get; set; }
+
+    [Required]
+    public bool SupportsPrf { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPrivateKey { get; set; }
 }

--- a/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
+++ b/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Models.Api;

 namespace Bit.Api.Auth.Models.Response.WebAuthn;
@@ -11,10 +12,10 @@ public class WebAuthnCredentialResponseModel : ResponseModel
    {
        Id = credential.Id.ToString();
        Name = credential.Name;
-        PrfSupport = false;
+        PrfStatus = credential.GetPrfStatus();
    }

    public string Id { get; set; }
    public string Name { get; set; }
-    public bool PrfSupport { get; set; }
+    public WebAuthnPrfStatus PrfStatus { get; set; }
 }
--- a/src/Core/Auth/Entities/WebAuthnCredential.cs
+++ b/src/Core/Auth/Entities/WebAuthnCredential.cs
@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Utilities;

@@ -18,8 +19,11 @@ public class WebAuthnCredential : ITableObject<Guid>
    [MaxLength(20)]
    public string Type { get; set; }
    public Guid AaGuid { get; set; }
+    [MaxLength(2000)]
    public string EncryptedUserKey { get; set; }
+    [MaxLength(2000)]
    public string EncryptedPrivateKey { get; set; }
+    [MaxLength(2000)]
    public string EncryptedPublicKey { get; set; }
    public bool SupportsPrf { get; set; }
    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
@@ -29,4 +33,19 @@ public class WebAuthnCredential : ITableObject<Guid>
    {
        Id = CoreHelpers.GenerateComb();
    }
+
+    public WebAuthnPrfStatus GetPrfStatus()
+    {
+        if (!SupportsPrf)
+        {
+            return WebAuthnPrfStatus.Unsupported;
+        }
+
+        if (EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
+        {
+            return WebAuthnPrfStatus.Enabled;
+        }
+
+        return WebAuthnPrfStatus.Supported;
+    }
 }
--- a/src/Core/Auth/Enums/WebAuthnPrfStatus.cs
+++ b/src/Core/Auth/Enums/WebAuthnPrfStatus.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum WebAuthnPrfStatus
+{
+    Enabled = 0,
+    Supported = 1,
+    Unsupported = 2
+}
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -28,7 +28,7 @@ public interface IUserService
    Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
    Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
    Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
-    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
+    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf, string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null);
    Task<AssertionOptions> StartWebAuthnLoginAssertionAsync(User user);
    Task<string> CompleteWebAuthLoginAssertionAsync(AuthenticatorAssertionRawResponse assertionResponse, User user);
    Task SendEmailVerificationAsync(User user);
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -552,9 +552,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return options;
    }

-    public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name,
-        CredentialCreateOptions options,
-        AuthenticatorAttestationRawResponse attestationResponse)
+    public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options,
+        AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf,
+        string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null)
    {
        var existingCredentials = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
        if (existingCredentials.Count >= 5)
@@ -575,7 +575,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
            Type = success.Result.CredType,
            AaGuid = success.Result.Aaguid,
            Counter = (int)success.Result.Counter,
-            UserId = user.Id
+            UserId = user.Id,
+            SupportsPrf = supportsPrf,
+            EncryptedUserKey = encryptedUserKey,
+            EncryptedPublicKey = encryptedPublicKey,
+            EncryptedPrivateKey = encryptedPrivateKey
        };

        await _webAuthnCredentialRepository.CreateAsync(credential);