private async Task <bool> VerifyTwoFactor(User user, Organization organization, TwoFactorProviderType type,
string token)
{
switch (type)
{
case TwoFactorProviderType.Authenticator:
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.YubiKey:
case TwoFactorProviderType.U2f:
case TwoFactorProviderType.Remember:
if (type != TwoFactorProviderType.Remember && !user.TwoFactorProviderIsEnabled(type))
{
return(false);
}
return(await _userManager.VerifyTwoFactorTokenAsync(user, type.ToString(), token));
case TwoFactorProviderType.Email:
if (!user.TwoFactorProviderIsEnabled(type))
{
return(false);
}
return(await _userService.VerifyTwoFactorEmailAsync(user, token));
case TwoFactorProviderType.OrganizationDuo:
if (!organization?.TwoFactorProviderIsEnabled(type) ?? true)
{
return(false);
}
return(await _organizationDuoWebTokenProvider.ValidateAsync(token, organization, user));
default:
return(false);
}
}
private async Task <Dictionary <string, object> > BuildTwoFactorParams(User user, TwoFactorProviderType type,
TwoFactorProvider provider)
{
if (!user.TwoFactorProviderIsEnabled(type))
{
return(null);
}
switch (type)
{
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.U2f:
case TwoFactorProviderType.Email:
case TwoFactorProviderType.YubiKey:
var token = await _userManager.GenerateTwoFactorTokenAsync(user, type.ToString());
if (type == TwoFactorProviderType.Duo)
{
return(new Dictionary <string, object>
{
["Host"] = provider.MetaData["Host"],
["Signature"] = token
});
}
else if (type == TwoFactorProviderType.U2f)
{
return(new Dictionary <string, object>
{
["Challenges"] = token
});
}
else if (type == TwoFactorProviderType.Email)
{
return(new Dictionary <string, object>
{
["Email"] = RedactEmail((string)provider.MetaData["Email"])
});
}
else if (type == TwoFactorProviderType.YubiKey)
{
return(new Dictionary <string, object>
{
["Nfc"] = (bool)provider.MetaData["Nfc"]
});
}
return(null);
default:
return(null);
}
}
public async Task DisableTwoFactorProviderAsync(Organization organization, TwoFactorProviderType type)
{
if (!type.ToString().Contains("Organization"))
{
throw new ArgumentException("Not an organization provider type.");
}
var providers = organization.GetTwoFactorProviders();
if (!providers?.ContainsKey(type) ?? true)
{
return;
}
providers.Remove(type);
organization.SetTwoFactorProviders(providers);
await UpdateAsync(organization);
}
private async Task <bool> VerifyTwoFactor(User user, TwoFactorProviderType type, string token)
{
if (type != TwoFactorProviderType.Remember && !user.TwoFactorProviderIsEnabled(type))
{
return(false);
}
switch (type)
{
case TwoFactorProviderType.Authenticator:
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.YubiKey:
case TwoFactorProviderType.U2f:
case TwoFactorProviderType.Remember:
return(await _userManager.VerifyTwoFactorTokenAsync(user, type.ToString(), token));
case TwoFactorProviderType.Email:
return(await _userService.VerifyTwoFactorEmailAsync(user, token));
default:
return(false);
}
}
public static string CustomProviderName(TwoFactorProviderType type)
{
return(string.Concat("Custom_", type.ToString()));
}
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
var oldAuthBearer = context.Request.Raw["OldAuthBearer"]?.ToString();
var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider);
if (!string.IsNullOrWhiteSpace(oldAuthBearer) && _jwtBearerOptions != null)
{
// support transferring the old auth bearer token
var ticket = ValidateOldAuthBearer(oldAuthBearer);
if (ticket != null && ticket.Principal != null)
{
var idClaim = ticket.Principal.Claims
.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.UserIdClaimType);
var securityTokenClaim = ticket.Principal.Claims
.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType);
if (idClaim != null && securityTokenClaim != null)
{
var user = await _userManager.FindByIdAsync(idClaim.Value);
if (user != null && user.SecurityStamp == securityTokenClaim.Value)
{
var device = await SaveDeviceAsync(user, context);
BuildSuccessResult(user, context, device);
return;
}
}
}
}
else if (!string.IsNullOrWhiteSpace(context.UserName))
{
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
if (user != null)
{
if (await _userManager.CheckPasswordAsync(user, context.Password))
{
TwoFactorProviderType twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
if (!twoFactorRequest && await TwoFactorRequiredAsync(user))
{
BuildTwoFactorResult(user, context);
return;
}
if (twoFactorRequest && !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
{
BuildTwoFactorResult(user, context);
return;
}
if (!twoFactorRequest ||
await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProviderType.ToString(), twoFactorToken))
{
var device = await SaveDeviceAsync(user, context);
BuildSuccessResult(user, context, device);
return;
}
}
}
}
await Task.Delay(2000); // Delay for brute force.
BuildErrorResult(twoFactorRequest, context);
}
private async Task <Dictionary <string, object> > BuildTwoFactorParams(Organization organization, User user,
TwoFactorProviderType type, TwoFactorProvider provider)
{
switch (type)
{
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.U2f:
case TwoFactorProviderType.Email:
case TwoFactorProviderType.YubiKey:
if (!(await user.TwoFactorProviderIsEnabledAsync(type, _userService)))
{
return(null);
}
var token = await _userManager.GenerateTwoFactorTokenAsync(user, type.ToString());
if (type == TwoFactorProviderType.Duo)
{
return(new Dictionary <string, object>
{
["Host"] = provider.MetaData["Host"],
["Signature"] = token
});
}
else if (type == TwoFactorProviderType.U2f)
{
// TODO: Remove "Challenges" in a future update. Deprecated.
var tokens = token?.Split('|');
return(new Dictionary <string, object>
{
["Challenge"] = tokens != null && tokens.Length > 0 ? tokens[0] : null,
["Challenges"] = tokens != null && tokens.Length > 1 ? tokens[1] : null
});
}
else if (type == TwoFactorProviderType.Email)
{
return(new Dictionary <string, object>
{
["Email"] = RedactEmail((string)provider.MetaData["Email"])
});
}
else if (type == TwoFactorProviderType.YubiKey)
{
return(new Dictionary <string, object>
{
["Nfc"] = (bool)provider.MetaData["Nfc"]
});
}
return(null);
case TwoFactorProviderType.OrganizationDuo:
if (await _organizationDuoWebTokenProvider.CanGenerateTwoFactorTokenAsync(organization))
{
return(new Dictionary <string, object>
{
["Host"] = provider.MetaData["Host"],
["Signature"] = await _organizationDuoWebTokenProvider.GenerateAsync(organization, user)
});
}
return(null);
default:
return(null);
}
}
