public async Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type) { SetTwoFactorProvider(user, type); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Updated2fa); }
private void AfterVerifyTwoFactor(User user, TwoFactorProviderType type, bool requires2FABecauseNewDevice) { if (type == TwoFactorProviderType.Email && requires2FABecauseNewDevice) { user.ClearTwoFactorProviders(); } }
public async Task <AuthResult> LogInSsoCompleteAsync(string code, string codeVerifier, string redirectUrl, TwoFactorProviderType twoFactorProvider, string twoFactorToken, bool?remember = null) { SelectedTwoFactorProviderType = null; return(await LogInHelperAsync(null, null, null, code, codeVerifier, redirectUrl, null, twoFactorProvider, twoFactorToken, remember)); }
public async Task GetTwoFactorAsync(User user, TwoFactorProviderType provider) { if (user.TwoFactorEnabled && user.TwoFactorProvider.HasValue && user.TwoFactorProvider.Value == provider) { switch (provider) { case TwoFactorProviderType.Authenticator: if (!string.IsNullOrWhiteSpace(user.AuthenticatorKey)) { return; } break; default: throw new ArgumentException(nameof(provider)); } } user.TwoFactorProvider = provider; // Reset authenticator key. user.AuthenticatorKey = null; switch (provider) { case TwoFactorProviderType.Authenticator: var key = KeyGeneration.GenerateRandomKey(20); user.AuthenticatorKey = Base32Encoding.ToString(key); break; default: throw new ArgumentException(nameof(provider)); } await SaveUserAsync(user); }
public async Task <LoginResult> LogInTwoFactorWithHashAsync(TwoFactorProviderType type, string token, string email, string masterPasswordHash) { if (type == TwoFactorProviderType.Email || type == TwoFactorProviderType.Authenticator) { token = token.Trim().Replace(" ", ""); } var request = new TokenRequest { Email = email.Trim().ToLower(), MasterPasswordHash = masterPasswordHash, Token = token, Provider = type, Remember = false }; var response = await ApiService.Instance.PostTokenAsync(request); if (!response.Succeeded) { var result = new LoginResult(); result.Success = false; result.ErrorMessage = response.Errors.FirstOrDefault()?.Message; return(result); } return(await ProcessLogInSuccessAsync(response.Result)); }
public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type, IOrganizationService organizationService) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } // Since the user can no longer directly manipulate U2F tokens, we should // disable them when the user disables WebAuthn. if (type == TwoFactorProviderType.WebAuthn) { providers.Remove(TwoFactorProviderType.U2f); } providers.Remove(type); user.SetTwoFactorProviders(providers); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Disabled2fa); if (!await TwoFactorIsEnabledAsync(user)) { await CheckPoliciesOnTwoFactorRemovalAsync(user, organizationService); } }
public async Task <Models.LoginResult> TokenPostTwoFactorAsync(TwoFactorProviderType type, string token, bool remember, string email, string masterPasswordHash, SymmetricCryptoKey key) { var result = new Models.LoginResult(); var request = new TokenRequest { Remember = remember, Email = email.Trim().ToLower(), MasterPasswordHash = masterPasswordHash, Token = token, Provider = type, Device = new DeviceRequest(_appIdService, _deviceInfoService) }; var response = await _connectApiRepository.PostTokenAsync(request); if (!response.Succeeded) { result.Success = false; result.ErrorMessage = response.Errors.FirstOrDefault()?.Message; return(result); } result.Success = true; await ProcessLoginSuccessAsync(key, response.Result); return(result); }
public async Task<AuthResult> LogInCompleteAsync(string email, string masterPassword, TwoFactorProviderType twoFactorProvider, string twoFactorToken, bool? remember = null) { SelectedTwoFactorProviderType = null; var key = await MakePreloginKeyAsync(masterPassword, email); var hashedPassword = await _cryptoService.HashPasswordAsync(masterPassword, key); return await LogInHelperAsync(email, hashedPassword, key, twoFactorProvider, twoFactorToken, remember); }
public Task <AuthResult> LogInTwoFactorAsync(TwoFactorProviderType twoFactorProvider, string twoFactorToken, string captchaToken, bool?remember = null) { if (captchaToken != null) { CaptchaToken = captchaToken; } return(LogInHelperAsync(Email, MasterPasswordHash, LocalMasterPasswordHash, Code, CodeVerifier, SsoRedirectUrl, _key, twoFactorProvider, twoFactorToken, remember, CaptchaToken)); }
public TwoFactorProvider GetTwoFactorProvider(TwoFactorProviderType provider) { var providers = GetTwoFactorProviders(); if (providers == null || !providers.ContainsKey(provider)) { return(null); } return(providers[provider]); }
public bool TwoFactorProviderIsEnabled(TwoFactorProviderType provider) { var providers = GetTwoFactorProviders(); if (providers == null || !providers.ContainsKey(provider)) { return(false); } return(providers[provider].Enabled && (Premium || !TwoFactorProvider.RequiresPremium(provider))); }
public bool TwoFactorProviderIsEnabled(TwoFactorProviderType provider) { var providers = GetTwoFactorProviders(); if (providers == null || !providers.ContainsKey(provider)) { return(false); } return(providers[provider].Enabled && Use2fa); }
public TwoFactorProviderResponseModel(TwoFactorProviderType type, TwoFactorProvider provider) : base(ResponseObj) { if (provider == null) { throw new ArgumentNullException(nameof(provider)); } Enabled = provider.Enabled; Type = type; }
public TwoFactorProviderResponseModel(TwoFactorProviderType type, User user) : base(ResponseObj) { if (user == null) { throw new ArgumentNullException(nameof(user)); } var provider = user.GetTwoFactorProvider(type); Enabled = provider?.Enabled ?? false; Type = type; }
public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers.Remove(type); user.SetTwoFactorProviders(providers); await SaveUserAsync(user); }
public static bool RequiresPremium(TwoFactorProviderType type) { switch (type) { case TwoFactorProviderType.Duo: case TwoFactorProviderType.YubiKey: case TwoFactorProviderType.U2f: return(true); default: return(false); } }
public TwoFactorProviderResponseModel(TwoFactorProviderType type, Organization organization) : base(ResponseObj) { if (organization == null) { throw new ArgumentNullException(nameof(organization)); } var provider = organization.GetTwoFactorProvider(type); Enabled = provider?.Enabled ?? false; Type = type; }
public async Task <LoginResult> LogInTwoFactorAsync(TwoFactorProviderType type, string token, string email, string masterPassword) { var normalizedEmail = email.Trim().ToLower(); var key = Crypto.MakeKeyFromPassword(masterPassword, normalizedEmail); var result = await LogInTwoFactorWithHashAsync(type, token, email, Crypto.HashPasswordBase64(key, masterPassword)); key = null; masterPassword = null; return(result); }
public static bool RequiresPremium(TwoFactorProviderType type) { switch (type) { case TwoFactorProviderType.Duo: case TwoFactorProviderType.YubiKey: case TwoFactorProviderType.U2f: // Keep to ensure old U2f keys are considered premium case TwoFactorProviderType.WebAuthn: return(true); default: return(false); } }
public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers.Remove(type); user.SetTwoFactorProviders(providers); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Disabled2fa); }
private void BeforeVerifyTwoFactor(User user, TwoFactorProviderType type, bool requires2FABecauseNewDevice) { if (type == TwoFactorProviderType.Email && requires2FABecauseNewDevice) { user.SetTwoFactorProviders(new Dictionary <TwoFactorProviderType, TwoFactorProvider> { [TwoFactorProviderType.Email] = new TwoFactorProvider { MetaData = new Dictionary <string, object> { ["Email"] = user.Email.ToLowerInvariant() }, Enabled = true } }); } }
public async Task <bool> TwoFactorProviderIsEnabledAsync(TwoFactorProviderType provider, ITwoFactorProvidersUser user) { var providers = user.GetTwoFactorProviders(); if (providers == null || !providers.ContainsKey(provider) || !providers[provider].Enabled) { return(false); } if (!TwoFactorProvider.RequiresPremium(provider)) { return(true); } return(await CanAccessPremium(user)); }
public void SetTwoFactorProvider(User user, TwoFactorProviderType type) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers[type].Enabled = true; user.SetTwoFactorProviders(providers); if (string.IsNullOrWhiteSpace(user.TwoFactorRecoveryCode)) { user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false); } }
public async Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type) { if (!type.ToString().Contains("Organization")) { throw new ArgumentException("Not an organization provider type."); } var providers = organization.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers.Remove(type); organization.SetTwoFactorProviders(providers); await UpdateAsync(organization); }
public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type, IOrganizationService organizationService) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers.Remove(type); user.SetTwoFactorProviders(providers); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Disabled2fa); if (!await TwoFactorIsEnabledAsync(user)) { var policies = await _policyRepository.GetManyByUserIdAsync(user.Id); var twoFactorPolicies = policies.Where(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled); if (twoFactorPolicies.Any()) { var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id); var ownerOrgs = userOrgs.Where(o => o.Type == OrganizationUserType.Owner) .Select(o => o.Id).ToHashSet(); foreach (var policy in twoFactorPolicies) { if (!ownerOrgs.Contains(policy.OrganizationId)) { await organizationService.DeleteUserAsync(policy.OrganizationId, user.Id); var organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId); await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync( organization.Name, user.Email); } } } } }
public async Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers[type].Enabled = true; user.SetTwoFactorProviders(providers); if (string.IsNullOrWhiteSpace(user.TwoFactorRecoveryCode)) { user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false); } await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Updated2fa); }
public async Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type, IOrganizationService organizationService) { var providers = user.GetTwoFactorProviders(); if (!providers?.ContainsKey(type) ?? true) { return; } providers.Remove(type); user.SetTwoFactorProviders(providers); await SaveUserAsync(user); await _eventService.LogUserEventAsync(user.Id, EventType.User_Disabled2fa); if (!await TwoFactorIsEnabledAsync(user)) { await CheckPoliciesOnTwoFactorRemovalAsync(user, organizationService); } }
private async Task <bool> VerifyTwoFactor(User user, TwoFactorProviderType type, string token) { if (type != TwoFactorProviderType.Remember && !user.TwoFactorProviderIsEnabled(type)) { return(false); } switch (type) { case TwoFactorProviderType.Authenticator: case TwoFactorProviderType.Duo: case TwoFactorProviderType.YubiKey: case TwoFactorProviderType.U2f: case TwoFactorProviderType.Remember: return(await _userManager.VerifyTwoFactorTokenAsync(user, type.ToString(), token)); case TwoFactorProviderType.Email: return(await _userService.VerifyTwoFactorEmailAsync(user, token)); default: return(false); } }
public static string CustomProviderName(TwoFactorProviderType type) { return(string.Concat("Custom_", type.ToString())); }
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context) { var oldAuthBearer = context.Request.Raw["OldAuthBearer"]?.ToString(); var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString(); var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString(); var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider); if (!string.IsNullOrWhiteSpace(oldAuthBearer) && _jwtBearerOptions != null) { // support transferring the old auth bearer token var ticket = ValidateOldAuthBearer(oldAuthBearer); if (ticket != null && ticket.Principal != null) { var idClaim = ticket.Principal.Claims .FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.UserIdClaimType); var securityTokenClaim = ticket.Principal.Claims .FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType); if (idClaim != null && securityTokenClaim != null) { var user = await _userManager.FindByIdAsync(idClaim.Value); if (user != null && user.SecurityStamp == securityTokenClaim.Value) { var device = await SaveDeviceAsync(user, context); BuildSuccessResult(user, context, device); return; } } } } else if (!string.IsNullOrWhiteSpace(context.UserName)) { var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant()); if (user != null) { if (await _userManager.CheckPasswordAsync(user, context.Password)) { TwoFactorProviderType twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it if (!twoFactorRequest && await TwoFactorRequiredAsync(user)) { BuildTwoFactorResult(user, context); return; } if (twoFactorRequest && !Enum.TryParse(twoFactorProvider, out twoFactorProviderType)) { BuildTwoFactorResult(user, context); return; } if (!twoFactorRequest || await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProviderType.ToString(), twoFactorToken)) { var device = await SaveDeviceAsync(user, context); BuildSuccessResult(user, context, device); return; } } } } await Task.Delay(2000); // Delay for brute force. BuildErrorResult(twoFactorRequest, context); }