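/// <summary>
/// Completes TOTP enrolment: checks the submitted code against Vault and, on success,
/// swaps the caller's "2fa-unconfirmed" capability claim for "2fa" by re-issuing the
/// authentication cookie.
/// </summary>
/// <param name="model">Posted form; only <see cref="TotpConfirmationViewModel.TotpCode"/> is read.</param>
/// <returns>
/// 400 when the caller is not mid-enrolment; the confirmation view with a validation error
/// on an invalid (or empty) code; otherwise a redirect to the "account-details" route.
/// </returns>
/// <remarks>
/// NOTE(review): action attributes are not visible in this excerpt — confirm the action is
/// [HttpPost] and [ValidateAntiForgeryToken], since it rewrites the auth cookie.
/// </remarks>
public async Task<IActionResult> ConfirmTwoFactorAuth(TotpConfirmationViewModel model)
{
    // Only a caller that has started enrolment (and not yet finished it) may confirm.
    if (!User.HasClaim(c => c.Type == VaultClaims.Capability && c.Value == "2fa-unconfirmed"))
    {
        return BadRequest();
    }

    var vaultClient = CreateVaultUserClient();

    // An empty code can never be valid: skip the round trip rather than handing
    // null/whitespace to Vault. Otherwise use the same helper as DisableTwoFactorAuth.
    bool isValidTotpCode = !string.IsNullOrWhiteSpace(model.TotpCode)
        && await ValidateTotpCodeAsync(vaultClient, User.Identity.Name, model.TotpCode);

    if (!isValidTotpCode)
    {
        // Drop the posted value first so the rejected code is not re-rendered in the form
        // (mirrors DisableTwoFactorAuth), then attach the error to the field.
        ModelState.Remove(nameof(TotpConfirmationViewModel.TotpCode));
        ModelState.AddModelError(nameof(TotpConfirmationViewModel.TotpCode), "Code is invalid. Please try again.");

        // Peek (not read) so the barcode survives in TempData for a further retry.
        var barcode = TempData.Peek("TotpBarCode") as string;
        return View(new TotpConfirmationViewModel { TotpBase64EncodeBarcode = barcode });
    }

    // Enrolment is complete; the provisioning barcode must not linger in TempData.
    TempData.Remove("TotpBarCode");

    // Build a new identity from the current one and replace the "2fa-unconfirmed"
    // capability with "2fa". FindFirst is expected to be non-null because the HasClaim
    // guard passed; it is only null if the claim sits on a non-primary identity, in which
    // case RemoveClaim throws (unchanged behaviour).
    var identity = new ClaimsIdentity(User.Identity);
    var unconfirmed2faClaim = identity.FindFirst(x => x.Type == VaultClaims.Capability && x.Value == "2fa-unconfirmed");
    identity.RemoveClaim(unconfirmed2faClaim);
    identity.AddClaim(new Claim(VaultClaims.Capability, "2fa"));

    // Re-issue the authentication cookie so the new claim set takes effect immediately.
    var authProperties = new AuthenticationProperties();
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity),
        authProperties);

    return RedirectToRoute("account-details");
}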
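/// <summary>
/// Turns two-factor auth off: verifies the submitted code, deletes the caller's TOTP key
/// in Vault and re-issues the authentication cookie without the "2fa" capability claim.
/// </summary>
/// <param name="model">Posted form; only <see cref="TotpConfirmationViewModel.TotpCode"/> is read.</param>
/// <returns>
/// 400 when the caller does not have 2FA enabled; the confirmation view with a validation
/// error on an invalid (or empty) code; otherwise a redirect to the "account-details" route.
/// </returns>
/// <remarks>
/// NOTE(review): action attributes are not visible in this excerpt — confirm the action is
/// [HttpPost] and [ValidateAntiForgeryToken]; it removes a second factor and rewrites the auth cookie.
/// </remarks>
public async Task<IActionResult> DisableTwoFactorAuth(TotpConfirmationViewModel model)
{
    // Only a caller that actually has 2FA enabled may disable it.
    if (!User.HasClaim(c => c.Type == VaultClaims.Capability && c.Value == "2fa"))
    {
        return BadRequest();
    }

    var vaultClient = CreateVaultUserClient();

    // An empty code can never be valid: skip the round trip rather than handing
    // null/whitespace to Vault.
    bool isValidTotpCode = !string.IsNullOrWhiteSpace(model.TotpCode)
        && await ValidateTotpCodeAsync(vaultClient, User.Identity.Name, model.TotpCode);

    if (!isValidTotpCode)
    {
        // Drop the posted value so the rejected code is not re-rendered, then attach the error.
        ModelState.Remove(nameof(TotpConfirmationViewModel.TotpCode));
        ModelState.AddModelError(nameof(TotpConfirmationViewModel.TotpCode), "Invalid code. Try again.");
        return View(new TotpConfirmationViewModel());
    }

    // The code checked out: remove the key server-side before touching the cookie, so a
    // failure here leaves the caller still marked as 2FA-enabled rather than the reverse.
    await vaultClient.V1.Secrets.TOTP.DeleteKeyAsync(User.Identity.Name);

    // Build a new identity from the current one without the "2fa" capability.
    // FindFirst is expected to be non-null because the HasClaim guard passed; it is only
    // null if the claim sits on a non-primary identity, in which case RemoveClaim throws
    // (unchanged behaviour).
    var identity = new ClaimsIdentity(User.Identity);
    var twoFactorClaim = identity.FindFirst(x => x.Type == VaultClaims.Capability && x.Value == "2fa");
    identity.RemoveClaim(twoFactorClaim);

    // Re-issue the authentication cookie so the reduced claim set takes effect immediately.
    var authProperties = new AuthenticationProperties();
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity),
        authProperties);

    return RedirectToRoute("account-details");
}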