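/// <summary>
/// Completes TOTP enrolment: validates the first code the user entered against the
/// key stored in Vault and, on success, swaps the "2fa-unconfirmed" capability claim
/// for "2fa" by re-issuing the authentication cookie.
/// </summary>
/// <param name="model">Posted form containing the TOTP code to verify.</param>
/// <returns>
/// 400 when the caller is not mid-enrolment; the confirmation view again (with the
/// enrolment barcode) when the code is missing or rejected; otherwise a redirect to
/// the "account-details" route.
/// </returns>
public async Task <IActionResult> ConfirmTwoFactorAuth(TotpConfirmationViewModel model)
        {
            // Authorization gate: only a user who is mid-enrolment may confirm. Anyone else
            // (no 2FA, or already confirmed) gets a 400 rather than a retry form.
            if (!User.HasClaim(c => c.Type == VaultClaims.Capability && c.Value == "2fa-unconfirmed"))
            {
                return BadRequest();
            }

            // TempData key under which the enrolment step stored the base64 barcode.
            const string barcodeTempDataKey = "TotpBarCode";

            var  vaultClient  = CreateVaultUserClient();
            bool codeAccepted = false;

            // A binding/validation failure never reaches Vault; it already carries its own
            // ModelState error, so only a rejected code needs an explicit message.
            if (ModelState.IsValid)
            {
                // Same helper DisableTwoFactorAuth uses, so both actions validate identically.
                codeAccepted = await ValidateTotpCodeAsync(vaultClient, User.Identity.Name, model.TotpCode);

                if (!codeAccepted)
                {
                    ModelState.AddModelError(nameof(TotpConfirmationViewModel.TotpCode), "Code is invalid. Please try again.");
                }
            }

            if (!codeAccepted)
            {
                // NOTE(review): no attempt counter or lockout is visible here — confirm that
                // brute-force protection for TOTP codes is enforced elsewhere (e.g. by the
                // Vault TOTP backend or a request-rate limiter).
                //
                // Peek rather than read: the barcode must survive another round-trip so the
                // user can retry without restarting enrolment.
                var barcode = TempData.Peek(barcodeTempDataKey) as string;
                return View(new TotpConfirmationViewModel
                {
                    TotpBase64EncodeBarcode = barcode
                });
            }

            // Enrolment is complete; the barcode (and the secret it encodes) is no longer needed.
            TempData.Remove(barcodeTempDataKey);

            // Copy the current identity and replace the "2fa-unconfirmed" capability with "2fa".
            // FindFirst cannot return null here: the HasClaim gate above proved the claim exists.
            var identity            = new ClaimsIdentity(User.Identity);
            var unconfirmed2faClaim = identity.FindFirst(x => x.Type == VaultClaims.Capability && x.Value == "2fa-unconfirmed");
            identity.RemoveClaim(unconfirmed2faClaim);
            identity.AddClaim(new Claim(VaultClaims.Capability, "2fa"));

            // Re-issue the cookie so the new claim set takes effect immediately.
            // NOTE(review): fresh AuthenticationProperties carry none of the original sign-in's
            // settings (IsPersistent, ExpiresUtc, ...) — confirm that dropping them is intended.
            var authProperties = new AuthenticationProperties();
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                new ClaimsPrincipal(identity),
                authProperties);

            return RedirectToRoute("account-details");
        }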
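        /// <summary>
        /// Turns off TOTP for the current user: requires a currently valid code, then deletes
        /// the Vault TOTP key and removes the "2fa" capability claim by re-issuing the cookie.
        /// </summary>
        /// <param name="model">Posted form containing the TOTP code that authorizes the change.</param>
        /// <returns>
        /// 400 when the caller does not hold the "2fa" capability; the confirmation view again
        /// when the code is missing or rejected; otherwise a redirect to the "account-details" route.
        /// </returns>
        public async Task <IActionResult> DisableTwoFactorAuth(TotpConfirmationViewModel model)
        {
            // Authorization gate: only a user with 2FA enabled can disable it.
            if (!User.HasClaim(c => c.Type == VaultClaims.Capability && c.Value == "2fa"))
            {
                return BadRequest();
            }

            var  vaultClient  = CreateVaultUserClient();
            bool codeAccepted = false;

            // Disabling 2FA is a sensitive change, so it is re-authenticated with a live code.
            // A binding/validation failure never reaches Vault and already carries its own
            // ModelState error; only a rejected code needs an explicit message.
            if (ModelState.IsValid)
            {
                codeAccepted = await ValidateTotpCodeAsync(vaultClient, User.Identity.Name, model.TotpCode);

                if (!codeAccepted)
                {
                    // Drop the posted value so the form re-renders with an empty code field.
                    ModelState.Remove(nameof(TotpConfirmationViewModel.TotpCode));
                    ModelState.AddModelError(nameof(TotpConfirmationViewModel.TotpCode), "Invalid code. Try again.");
                }
            }

            if (!codeAccepted)
            {
                // NOTE(review): no attempt counter or lockout is visible here — confirm that
                // brute-force protection for TOTP codes is enforced elsewhere.
                return View(new TotpConfirmationViewModel());
            }

            // NOTE(review): the key is deleted before the cookie is rewritten; if SignInAsync
            // below fails, the user keeps a "2fa" claim with no key behind it — confirm the
            // claim set is re-derived from Vault on the next login.
            await vaultClient.V1.Secrets.TOTP.DeleteKeyAsync(User.Identity.Name);

            // Copy the current identity and strip the "2fa" capability.
            // FindFirst cannot return null here: the HasClaim gate above proved the claim exists.
            var identity = new ClaimsIdentity(User.Identity);
            var claim    = identity.FindFirst(x => x.Type == VaultClaims.Capability && x.Value == "2fa");
            identity.RemoveClaim(claim);

            // Re-issue the cookie so the reduced claim set takes effect immediately.
            // NOTE(review): fresh AuthenticationProperties carry none of the original sign-in's
            // settings (IsPersistent, ExpiresUtc, ...) — confirm that dropping them is intended.
            var authProperties = new AuthenticationProperties();
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                new ClaimsPrincipal(identity),
                authProperties);

            return RedirectToRoute("account-details");
        }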