mirror of
https://github.com/bitwarden/android.git
synced 2026-05-28 15:38:07 -05:00
bfcfd367dd
* [PM-1208] Add Device approval options screen. View model waiting for additional logic to be added. * [PM-1208] Add device related api endpoint. Add AccoundDecryptOptions model and property to user Account. * [PM-1208] Add continue button and not you option * [PM-1379] add DeviceTrustCryptoService with establish trust logic (#2535) * [PM-1379] add DeviceCryptoService with establish trust logic * PM-1379 update api location and other minor refactors * pm-1379 fix encoding * update trusted device keys api call to Put * [PM-1379] rename DeviceCryptoService to DeviceTrustCryptoService - refactors to prevent side effects * [PM-1379] rearrange methods in DeviceTrustCryptoService * [PM-1379] rearrange methods in abstraction * [PM-1379] deconstruct tuples * [PM-1379] remove extra tasks * [PM-2583] Answer auth request with mp field as null if doesn't have it. (#2609) * [PM-2287][PM-2289][PM-2293] Approval Options (#2608) * [PM-2293] Add AuthRequestType to PasswordlessLoginPage. * [PM-2293] Add Actions to ApproveWithDevicePage * [PM-2293] Change screen text based on AuthRequestType * [PM-2293] Refactor AuthRequestType enum. Add label. Remove unnecessary actions. * [PM-2293] Change boolean variable expression. * [PM-2293] Trust device after admin request login. * code format * [PM-2287] Add trust device to master password unlock. Change trust device method. Remove email from SSO login page. * [PM-2293] Fix state variable get set. * [PM-2287][PM-2289][PM-2293] Rename method * [PM-1201] Change timeout actions available based on hasMasterPassword (#2610) * [PM-1201] Change timeout actions available based on hasMasterPassword * [PM-2731] add user key and master key types * [PM-2713] add new state for new keys and obsolete old ones - UserKey - MasterKey - UserKeyMasterKey (enc UserKey from User Table) * [PM-271] add UserKey and MasterKey support to crypto service * [PM-2713] rename key hash to password hash & begin add methods to crypto service * [PM-2713] continue organizing crypto service * [PM-2713] more updates to crypto service * [PM-2713] add new pin methods to state service * [PM-2713] fix signature of GetUserKeyPin * [PM-2713] add make user key method to crypto service * [PM-2713] refresh pin key when setting user key * [PM-2713] use new MakeMasterKey method * [PM-2713] add toggle method to crypto service for keys * [PM-2713] converting calls to new crypto service api * [PM-2713] add migration for pin on lock screens * [PM-2713] more conversions to new crypto service api * [PM-2713] convert cipher service and others to crypto service api * [PM-2713] More conversions to crypto api * [PM-2713] use new crypto service api in auth service * [PM-2713] remove unused cached values in crypto service * [PM-2713] set decrypt and set user key in login helper * fix bad merge * Update crypto service api call to fix build * [PM-1208] Fix app resource file * [PM-1208] Fix merge * [PM-1208] Fix merge * [PM-2713] optimize async code in crypto service * [PM-2713] rename password hash to master key hash * [PM-2713] fix casting issues and pin * [PM-2713] remove extra comment * [PM-2713] remove broken casting * [PM-2297] Login with trusted device (Flow 2) (#2623) * [PM-2297] Add DecryptUserKeyWithDeviceKey method * [PM-2297] Add methods to DeviceTrustCryptoService update decryption options model * [PM-2297] Update account decryption options model * [PM-2297] Fix TrustedDeviceOption and DeviceResponse model. Change StateService device key get set to have default user id * [PM-2297] Update navigation to decryption options * [PM-2297] Add missing action navigations to iOS extensions * [PM-2297] Fix trust device bug/typo * [PM-2297] Fix model bug * [PM-2297] Fix state var crash * [PM-2297] Add trust device login logic to auth service * [PM-2297] Refactor auth service key connector code * [PM-2297] Remove reconciledOptions for deviceKey in state service * [PM-2297] Remove unnecessary user id params * [PM-2289] [PM-2293] TDE Login with device Admin Request (#2642) * [PM-2713] deconstruct new key pair * [PM-2713] rename PrivateKey methods to UserPrivateKey on crypto service * [PM-2713] rename PinLockEnum to PinLockType * [PM-2713] don't pass user key as param when encrypting * [PM-2713] rename toggle method, don't reset enc user key * [PM-2713] pr feedback * [PM-2713] PR feedback * [PM-2713] rename get pin lock type method * [PM-2713] revert feedback for build * [PM-2713] rename state methods * [PM-2713] combine makeDataEncKey methods * [PM-2713] consolidate attachment key creation - also fix ios files missed during symbol rename * [PM-2713] replace generic with inherited class * rename account keys to be more descriptive * [PM-2713] add auto unlock key to mobile * [PM-1208] Add TDE flows for new users (#2655) * [PM-1208] Create new user on SSO. Logout if not password is setup or has pending admin auth request. * [PM-1208] Fix new user UserKey decryption. * [PM-1208] Add new user continue to vault logic. Auto enrol user on continue. * [PM-1208] Trust device only if needed * [PM-1208] Add logic for New User SSO. * [PM-1208] Add logic for New User SSO (missing file). * [PM-2713] set user key on set password page * [PM-2713] set enc user key during kc onboarding * fix formatting * [PM-2713] make method async again - returning null from a task thats not async throws * [PM-2713] clear service cache when adding new account * Fix build after merge * [PM-3313] Fix Android SSO Login (#2663) * [PM-3313] Catch exception on AuthPendingRequest * [PM-3313] Fix lock timeout action if user doesn't have a master password. * code format * [PM-3313] Null email in Approval Options screen (#2664) * [PM-3313] Fix null email in approval options screen * [PM-3320][PM-3321] Fix labels and UI tweaks (#2666) * [PM-3320] Fix UI copy and remember me default ON. * [PM-3321] Fix UI on Log in with device screen. * [PM-3337] Fix admin request deny error (#2669) * [PM-3342] Not you button logs user out. (#2672) * [PM-3319] Check for admin request in Lock page (#2668) * [PM-3319] Ignore admin auth request when choosing mp as decryption option. * [PM-2289] Change header title based on auth request type (#2670) * [PM-2289] Change header title based on auth request type * [PM-3333] Check for purged admin auth requests (#2671) * [PM-3333] Check for purged admin auth requests Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> --------- Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> * [PM-3341] Vault Timeout Action not persisted correctly (#2673) * [PM-3341] Fix timeout action change when navigating * [PM-3357] Fix copy for Login Initiated (#2674) * [PM-3362] Fix auth request approval (#2675) * [PM-3362] Fix auth request approval * [PM-3362] Add new exception type * [PM-3102] Update Master password reprompt to be based on MP instead of Key Connector (#2653) * PM-3102 Added check to see if a user has master password set replacing previous usage of key connector. * PM-3102 Fix formatting * [PM-2713] Final merge from Key Migration branch to TDE Feature branch (#2667) * [PM-2713] add async to key connector service methods * [PM-2713] rename ephemeral pin key * add state for biometric key and accept UserKey instead of string for auto key * Get UserKey from bio state on unlock * PM-2713 Fix auto-migrating EncKeyEncrypted into MasterKey encrypted UserKey when requesting DecryptUserKeyWithMasterKeyAsync is called * renaming bio key and fix build * PM-3194 Fix biometrics button to be shown on upgrade when no UserKey is present yet * revert removal of key connector service from auth service * PM-2713 set user key when using KC * clear enc user key after migration * use is true for nullable bool * PR feedback, refactor kc service --------- Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> * Fix app fresh install user login with master password. (#2676) * [PM-3303] Fix biometric login after key migration (#2679) * [PM-3303] Add condition to biometric unlock * [PM-3381] Fix TDE login 2FA flow (#2678) * [PM-3381] Check for vault lock on 2FA screen * [PM-3381] Move logic to ViewModel * [PM-3381] Fix null vm error * [PM-3379] Fix key rotation on trusted device. (#2680) * [PM-3381] Update login flows (#2683) * [PM-3381] Update login flows * [PM-3381] Remove _authingWithSso parameter * PM-3385 Fix MP reprompt item level when no MP hash is stored like logging in with TDE. Also refactor code to be more maintainable (#2687) * PM-3386 Fix MP reprompt / OTP decision to be also based on the master key hash. (#2688) * PM-3450 Fix has master password with mp key hash check (#2689) * [PM-3394] Fix login with device for passwordless approvals (#2686) * set activeUserId to null when logging in a new account - Also stop the user key from being set in inactive accounts * get token for login with device if approving device doesn't have master key * add comment * simplify logic * check for route instead of using isAuthenticated - we don't clear the user id when logging in new account - this means we can't trust the state service, so we have to base our logic off the route in login with device * use authenticated auth request for tde login with device * [PM-3394] Add authingWithSso parameter to LoginPasswordlessRequestPage. * pr feedback * [PM-3394] Refactor condition Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> --------- Co-authored-by: André Bispo <abispo@bitwarden.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> * [PM-3462] Handle force password reset on mobile with TDE (#2694) * [PM-3462] Handle force password reset on mobile with TDE * [PM-3462] update references to refactored crypto method - fix kc bug, we were sending private key instead of user key to server - rename kc service method to be correct * [PM-3462] Update TwoFactorPage login logic * [PM-3462] Added pending admin request check to TwoFactorPage * [PM-3462] Added new exception types for null keys --------- Co-authored-by: André Bispo <abispo@bitwarden.com> * [PM-1029] Fix Async suffix in ApiService. Add UserKeyNullExceptions. * [PM 3513] Fix passwordless 2fa login with device on mobile (#2700) * [PM-3513] Fix 2FA for normal login with device with users without mp * move _userKey --------- Co-authored-by: André Bispo <abispo@bitwarden.com> * clear encrypted pin on logout (#2699) --------- Co-authored-by: André Bispo <abispo@bitwarden.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com>
740 lines
34 KiB
C#
740 lines
34 KiB
C#
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Text;
|
|
using System.Threading.Tasks;
|
|
using Bit.Core.Abstractions;
|
|
using Bit.Core.Enums;
|
|
using Bit.Core.Exceptions;
|
|
using Bit.Core.Models.Domain;
|
|
using Bit.Core.Models.Request;
|
|
using Bit.Core.Models.Response;
|
|
using Bit.Core.Utilities;
|
|
|
|
namespace Bit.Core.Services
|
|
{
|
|
public class AuthService : IAuthService
|
|
{
|
|
private readonly ICryptoService _cryptoService;
|
|
private readonly ICryptoFunctionService _cryptoFunctionService;
|
|
private readonly IApiService _apiService;
|
|
private readonly IStateService _stateService;
|
|
private readonly ITokenService _tokenService;
|
|
private readonly IAppIdService _appIdService;
|
|
private readonly II18nService _i18nService;
|
|
private readonly IPlatformUtilsService _platformUtilsService;
|
|
private readonly IMessagingService _messagingService;
|
|
private readonly IKeyConnectorService _keyConnectorService;
|
|
private readonly IPasswordGenerationService _passwordGenerationService;
|
|
private readonly IPolicyService _policyService;
|
|
private readonly IDeviceTrustCryptoService _deviceTrustCryptoService;
|
|
private readonly IPasswordResetEnrollmentService _passwordResetEnrollmentService;
|
|
private readonly bool _setCryptoKeys;
|
|
|
|
private readonly LazyResolve<IWatchDeviceService> _watchDeviceService = new LazyResolve<IWatchDeviceService>();
|
|
private MasterKey _masterKey;
|
|
private UserKey _userKey;
|
|
|
|
private string _authedUserId;
|
|
private MasterPasswordPolicyOptions _masterPasswordPolicy;
|
|
private ForcePasswordResetReason? _2faForcePasswordResetReason;
|
|
|
|
public AuthService(
|
|
ICryptoService cryptoService,
|
|
ICryptoFunctionService cryptoFunctionService,
|
|
IApiService apiService,
|
|
IStateService stateService,
|
|
ITokenService tokenService,
|
|
IAppIdService appIdService,
|
|
II18nService i18nService,
|
|
IPlatformUtilsService platformUtilsService,
|
|
IMessagingService messagingService,
|
|
IKeyConnectorService keyConnectorService,
|
|
IPasswordGenerationService passwordGenerationService,
|
|
IPolicyService policyService,
|
|
IDeviceTrustCryptoService deviceTrustCryptoService,
|
|
IPasswordResetEnrollmentService passwordResetEnrollmentService,
|
|
bool setCryptoKeys = true)
|
|
{
|
|
_cryptoService = cryptoService;
|
|
_cryptoFunctionService = cryptoFunctionService;
|
|
_apiService = apiService;
|
|
_stateService = stateService;
|
|
_tokenService = tokenService;
|
|
_appIdService = appIdService;
|
|
_i18nService = i18nService;
|
|
_platformUtilsService = platformUtilsService;
|
|
_messagingService = messagingService;
|
|
_keyConnectorService = keyConnectorService;
|
|
_passwordGenerationService = passwordGenerationService;
|
|
_policyService = policyService;
|
|
_deviceTrustCryptoService = deviceTrustCryptoService;
|
|
_passwordResetEnrollmentService = passwordResetEnrollmentService;
|
|
_setCryptoKeys = setCryptoKeys;
|
|
|
|
TwoFactorProviders = new Dictionary<TwoFactorProviderType, TwoFactorProvider>();
|
|
TwoFactorProviders.Add(TwoFactorProviderType.Authenticator, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.Authenticator,
|
|
Priority = 1,
|
|
Sort = 1
|
|
});
|
|
TwoFactorProviders.Add(TwoFactorProviderType.YubiKey, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.YubiKey,
|
|
Priority = 3,
|
|
Sort = 2,
|
|
Premium = true
|
|
});
|
|
TwoFactorProviders.Add(TwoFactorProviderType.Duo, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.Duo,
|
|
Name = "Duo",
|
|
Priority = 2,
|
|
Sort = 3,
|
|
Premium = true
|
|
});
|
|
TwoFactorProviders.Add(TwoFactorProviderType.OrganizationDuo, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.OrganizationDuo,
|
|
Name = "Duo (Organization)",
|
|
Priority = 10,
|
|
Sort = 4
|
|
});
|
|
TwoFactorProviders.Add(TwoFactorProviderType.Fido2WebAuthn, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.Fido2WebAuthn,
|
|
Priority = 4,
|
|
Sort = 5,
|
|
Premium = true
|
|
});
|
|
TwoFactorProviders.Add(TwoFactorProviderType.Email, new TwoFactorProvider
|
|
{
|
|
Type = TwoFactorProviderType.Email,
|
|
Priority = 0,
|
|
Sort = 6,
|
|
});
|
|
}
|
|
|
|
public string Email { get; set; }
|
|
public string CaptchaToken { get; set; }
|
|
public string MasterPasswordHash { get; set; }
|
|
public string LocalMasterPasswordHash { get; set; }
|
|
public string AuthRequestId { get; set; }
|
|
public string Code { get; set; }
|
|
public string CodeVerifier { get; set; }
|
|
public string SsoRedirectUrl { get; set; }
|
|
public Dictionary<TwoFactorProviderType, TwoFactorProvider> TwoFactorProviders { get; set; }
|
|
public Dictionary<TwoFactorProviderType, Dictionary<string, object>> TwoFactorProvidersData { get; set; }
|
|
public TwoFactorProviderType? SelectedTwoFactorProviderType { get; set; }
|
|
|
|
public void Init()
|
|
{
|
|
TwoFactorProviders[TwoFactorProviderType.Email].Name = _i18nService.T("Email");
|
|
TwoFactorProviders[TwoFactorProviderType.Email].Description = _i18nService.T("EmailDesc");
|
|
TwoFactorProviders[TwoFactorProviderType.Authenticator].Name = _i18nService.T("AuthenticatorAppTitle");
|
|
TwoFactorProviders[TwoFactorProviderType.Authenticator].Description =
|
|
_i18nService.T("AuthenticatorAppDesc");
|
|
TwoFactorProviders[TwoFactorProviderType.Duo].Description = _i18nService.T("DuoDesc");
|
|
TwoFactorProviders[TwoFactorProviderType.OrganizationDuo].Name =
|
|
string.Format("Duo ({0})", _i18nService.T("Organization"));
|
|
TwoFactorProviders[TwoFactorProviderType.OrganizationDuo].Description =
|
|
_i18nService.T("DuoOrganizationDesc");
|
|
TwoFactorProviders[TwoFactorProviderType.Fido2WebAuthn].Name = _i18nService.T("Fido2Title");
|
|
TwoFactorProviders[TwoFactorProviderType.Fido2WebAuthn].Description = _i18nService.T("Fido2Desc");
|
|
TwoFactorProviders[TwoFactorProviderType.YubiKey].Name = _i18nService.T("YubiKeyTitle");
|
|
TwoFactorProviders[TwoFactorProviderType.YubiKey].Description = _i18nService.T("YubiKeyDesc");
|
|
}
|
|
|
|
public async Task<AuthResult> LogInAsync(string email, string masterPassword, string captchaToken)
|
|
{
|
|
SelectedTwoFactorProviderType = null;
|
|
_2faForcePasswordResetReason = null;
|
|
var key = await MakePreloginKeyAsync(masterPassword, email);
|
|
var hashedPassword = await _cryptoService.HashMasterKeyAsync(masterPassword, key);
|
|
var localHashedPassword = await _cryptoService.HashMasterKeyAsync(masterPassword, key, HashPurpose.LocalAuthorization);
|
|
var result = await LogInHelperAsync(email, hashedPassword, localHashedPassword, null, null, null, key, null, null, null, captchaToken);
|
|
|
|
if (await RequirePasswordChangeAsync(email, masterPassword))
|
|
{
|
|
if (!string.IsNullOrEmpty(_authedUserId))
|
|
{
|
|
// Authentication was successful, save the WeakMasterPasswordOnLogin flag for the user
|
|
result.ForcePasswordReset = true;
|
|
await _stateService.SetForcePasswordResetReasonAsync(
|
|
ForcePasswordResetReason.WeakMasterPasswordOnLogin, _authedUserId);
|
|
}
|
|
else
|
|
{
|
|
// Authentication not fully successful (likely 2FA), store flag for LogInTwoFactorAsync()
|
|
_2faForcePasswordResetReason = ForcePasswordResetReason.WeakMasterPasswordOnLogin;
|
|
}
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Evaluates the supplied master password against the master password policy provided by the Identity response.
|
|
/// </summary>
|
|
/// <param name="email"></param>
|
|
/// <param name="masterPassword"></param>
|
|
/// <returns>True if the master password does NOT meet any policy requirements, false otherwise (or if no policy present)</returns>
|
|
private async Task<bool> RequirePasswordChangeAsync(string email, string masterPassword)
|
|
{
|
|
// No policy with EnforceOnLogin enabled, we're done.
|
|
if (!(_masterPasswordPolicy is { EnforceOnLogin: true }))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
var strength = _passwordGenerationService.PasswordStrength(
|
|
masterPassword,
|
|
_passwordGenerationService.GetPasswordStrengthUserInput(email)
|
|
)?.Score;
|
|
|
|
if (!strength.HasValue)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
return !await _policyService.EvaluateMasterPassword(strength.Value, masterPassword, _masterPasswordPolicy);
|
|
}
|
|
|
|
public async Task<AuthResult> LogInPasswordlessAsync(bool authingWithSso, string email, string accessCode, string authRequestId, byte[] decryptionKey, string encryptedAuthRequestKey, string masterKeyHash)
|
|
{
|
|
var decryptedKey = await _cryptoService.RsaDecryptAsync(encryptedAuthRequestKey, decryptionKey);
|
|
|
|
// If the user is already authenticated, we can just set the key
|
|
// Note: We can't check for the existance of an access token here because the active user id may not be null
|
|
if (authingWithSso)
|
|
{
|
|
if (string.IsNullOrEmpty(masterKeyHash))
|
|
{
|
|
await _cryptoService.SetUserKeyAsync(new UserKey(decryptedKey));
|
|
}
|
|
else
|
|
{
|
|
var masterKey = new MasterKey(decryptedKey);
|
|
var userKey = await _cryptoService.DecryptUserKeyWithMasterKeyAsync(masterKey);
|
|
await _cryptoService.SetMasterKeyAsync(masterKey);
|
|
await _cryptoService.SetUserKeyAsync(userKey);
|
|
}
|
|
await _deviceTrustCryptoService.TrustDeviceIfNeededAsync();
|
|
return null;
|
|
}
|
|
|
|
// The approval device may not have a master key hash if it authenticated with a passwordless method
|
|
if (string.IsNullOrEmpty(masterKeyHash) && decryptionKey != null)
|
|
{
|
|
return await LogInHelperAsync(email, accessCode, null, null, null, null, null, null, null, null, null, authRequestId: authRequestId, userKey2FA: new UserKey(decryptedKey));
|
|
}
|
|
|
|
var decKeyHash = await _cryptoService.RsaDecryptAsync(masterKeyHash, decryptionKey);
|
|
return await LogInHelperAsync(email, accessCode, Encoding.UTF8.GetString(decKeyHash), null, null, null, new MasterKey(decryptedKey), null, null,
|
|
null, null, authRequestId: authRequestId);
|
|
}
|
|
|
|
public async Task<AuthResult> LogInSsoAsync(string code, string codeVerifier, string redirectUrl, string orgId)
|
|
{
|
|
SelectedTwoFactorProviderType = null;
|
|
var result = await LogInHelperAsync(null, null, null, code, codeVerifier, redirectUrl, null, orgId: orgId);
|
|
if (result.ForcePasswordReset)
|
|
{
|
|
await _stateService.SetForcePasswordResetReasonAsync(ForcePasswordResetReason.AdminForcePasswordReset);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
public async Task<AuthResult> LogInTwoFactorAsync(TwoFactorProviderType twoFactorProvider, string twoFactorToken,
|
|
string captchaToken, bool? remember = null)
|
|
{
|
|
if (captchaToken != null)
|
|
{
|
|
CaptchaToken = captchaToken;
|
|
}
|
|
var result = await LogInHelperAsync(Email, MasterPasswordHash, LocalMasterPasswordHash, Code, CodeVerifier, SsoRedirectUrl, _masterKey,
|
|
twoFactorProvider, twoFactorToken, remember, CaptchaToken, authRequestId: AuthRequestId, userKey2FA: _userKey);
|
|
|
|
// If we successfully authenticated and we have a saved _2faForcePasswordResetReason reason from LogInAsync()
|
|
if (!string.IsNullOrEmpty(_authedUserId) && _2faForcePasswordResetReason.HasValue)
|
|
{
|
|
// Save the forcePasswordReset reason with the state service to force a password reset for the user
|
|
result.ForcePasswordReset = true;
|
|
await _stateService.SetForcePasswordResetReasonAsync(
|
|
_2faForcePasswordResetReason, _authedUserId);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
public async Task<AuthResult> LogInCompleteAsync(string email, string masterPassword,
|
|
TwoFactorProviderType twoFactorProvider, string twoFactorToken, bool? remember = null)
|
|
{
|
|
SelectedTwoFactorProviderType = null;
|
|
var key = await MakePreloginKeyAsync(masterPassword, email);
|
|
var hashedPassword = await _cryptoService.HashMasterKeyAsync(masterPassword, key);
|
|
var localHashedPassword = await _cryptoService.HashMasterKeyAsync(masterPassword, key, HashPurpose.LocalAuthorization);
|
|
return await LogInHelperAsync(email, hashedPassword, localHashedPassword, null, null, null, key, twoFactorProvider,
|
|
twoFactorToken, remember);
|
|
}
|
|
|
|
public async Task<AuthResult> LogInSsoCompleteAsync(string code, string codeVerifier, string redirectUrl,
|
|
TwoFactorProviderType twoFactorProvider, string twoFactorToken, bool? remember = null)
|
|
{
|
|
SelectedTwoFactorProviderType = null;
|
|
return await LogInHelperAsync(null, null, null, code, codeVerifier, redirectUrl, null, twoFactorProvider,
|
|
twoFactorToken, remember);
|
|
}
|
|
|
|
public void LogOut(Action callback)
|
|
{
|
|
callback.Invoke();
|
|
_messagingService.Send(AccountsManagerMessageCommands.LOGGED_OUT);
|
|
_watchDeviceService.Value.SyncDataToWatchAsync().FireAndForget();
|
|
}
|
|
|
|
public List<TwoFactorProvider> GetSupportedTwoFactorProviders()
|
|
{
|
|
var providers = new List<TwoFactorProvider>();
|
|
if (TwoFactorProvidersData == null)
|
|
{
|
|
return providers;
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.OrganizationDuo) &&
|
|
_platformUtilsService.SupportsDuo())
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.OrganizationDuo]);
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.Authenticator))
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.Authenticator]);
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.YubiKey))
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.YubiKey]);
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.Duo) && _platformUtilsService.SupportsDuo())
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.Duo]);
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.Fido2WebAuthn) &&
|
|
_platformUtilsService.SupportsFido2())
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.Fido2WebAuthn]);
|
|
}
|
|
if (TwoFactorProvidersData.ContainsKey(TwoFactorProviderType.Email))
|
|
{
|
|
providers.Add(TwoFactorProviders[TwoFactorProviderType.Email]);
|
|
}
|
|
return providers;
|
|
}
|
|
|
|
public TwoFactorProviderType? GetDefaultTwoFactorProvider(bool fido2Supported)
|
|
{
|
|
if (TwoFactorProvidersData == null)
|
|
{
|
|
return null;
|
|
}
|
|
if (SelectedTwoFactorProviderType != null &&
|
|
TwoFactorProvidersData.ContainsKey(SelectedTwoFactorProviderType.Value))
|
|
{
|
|
return SelectedTwoFactorProviderType.Value;
|
|
}
|
|
TwoFactorProviderType? providerType = null;
|
|
var providerPriority = -1;
|
|
foreach (var providerKvp in TwoFactorProvidersData)
|
|
{
|
|
if (TwoFactorProviders.ContainsKey(providerKvp.Key))
|
|
{
|
|
var provider = TwoFactorProviders[providerKvp.Key];
|
|
if (provider.Priority > providerPriority)
|
|
{
|
|
if (providerKvp.Key == TwoFactorProviderType.Fido2WebAuthn && !fido2Supported)
|
|
{
|
|
continue;
|
|
}
|
|
providerType = providerKvp.Key;
|
|
providerPriority = provider.Priority;
|
|
}
|
|
}
|
|
}
|
|
return providerType;
|
|
}
|
|
|
|
public bool AuthingWithSso()
|
|
{
|
|
return Code != null && CodeVerifier != null && SsoRedirectUrl != null;
|
|
}
|
|
|
|
public bool AuthingWithPassword()
|
|
{
|
|
return Email != null && MasterPasswordHash != null;
|
|
}
|
|
|
|
// Helpers
|
|
|
|
private async Task<MasterKey> MakePreloginKeyAsync(string masterPassword, string email)
|
|
{
|
|
email = email.Trim().ToLower();
|
|
KdfConfig kdfConfig = KdfConfig.Default;
|
|
try
|
|
{
|
|
var preloginResponse = await _apiService.PostPreloginAsync(new PreloginRequest { Email = email });
|
|
if (preloginResponse != null)
|
|
{
|
|
kdfConfig = preloginResponse.KdfConfig;
|
|
}
|
|
}
|
|
catch (ApiException e)
|
|
{
|
|
if (e.Error == null || e.Error.StatusCode != System.Net.HttpStatusCode.NotFound)
|
|
{
|
|
throw;
|
|
}
|
|
}
|
|
return await _cryptoService.MakeMasterKeyAsync(masterPassword, email, kdfConfig);
|
|
}
|
|
|
|
private async Task<AuthResult> LogInHelperAsync(string email, string hashedPassword, string localHashedPassword,
|
|
string code, string codeVerifier, string redirectUrl, MasterKey masterKey,
|
|
TwoFactorProviderType? twoFactorProvider = null, string twoFactorToken = null, bool? remember = null,
|
|
string captchaToken = null, string orgId = null, string authRequestId = null, UserKey userKey2FA = null)
|
|
{
|
|
var storedTwoFactorToken = await _tokenService.GetTwoFactorTokenAsync(email);
|
|
var appId = await _appIdService.GetAppIdAsync();
|
|
var deviceRequest = new DeviceRequest(appId, _platformUtilsService);
|
|
|
|
string[] emailPassword;
|
|
string[] codeCodeVerifier;
|
|
if (email != null && hashedPassword != null)
|
|
{
|
|
emailPassword = new[] { email, hashedPassword };
|
|
}
|
|
else
|
|
{
|
|
emailPassword = null;
|
|
}
|
|
if (code != null && codeVerifier != null && redirectUrl != null)
|
|
{
|
|
codeCodeVerifier = new[] { code, codeVerifier, redirectUrl };
|
|
}
|
|
else
|
|
{
|
|
codeCodeVerifier = null;
|
|
}
|
|
|
|
TokenRequest request;
|
|
if (twoFactorToken != null && twoFactorProvider != null)
|
|
{
|
|
request = new TokenRequest(emailPassword, codeCodeVerifier, twoFactorProvider, twoFactorToken, remember,
|
|
captchaToken, deviceRequest, authRequestId);
|
|
}
|
|
else if (storedTwoFactorToken != null)
|
|
{
|
|
request = new TokenRequest(emailPassword, codeCodeVerifier, TwoFactorProviderType.Remember,
|
|
storedTwoFactorToken, false, captchaToken, deviceRequest, authRequestId);
|
|
}
|
|
else if (authRequestId != null)
|
|
{
|
|
request = new TokenRequest(emailPassword, null, null, null, false, null, deviceRequest, authRequestId);
|
|
}
|
|
else
|
|
{
|
|
request = new TokenRequest(emailPassword, codeCodeVerifier, null, null, false, captchaToken, deviceRequest);
|
|
}
|
|
|
|
var response = await _apiService.PostIdentityTokenAsync(request);
|
|
ClearState();
|
|
var result = new AuthResult { TwoFactor = response.TwoFactorNeeded, CaptchaSiteKey = response.CaptchaResponse?.SiteKey };
|
|
|
|
if (result.CaptchaNeeded)
|
|
{
|
|
return result;
|
|
}
|
|
|
|
if (result.TwoFactor)
|
|
{
|
|
// Two factor required.
|
|
Email = email;
|
|
MasterPasswordHash = hashedPassword;
|
|
LocalMasterPasswordHash = localHashedPassword;
|
|
AuthRequestId = authRequestId;
|
|
Code = code;
|
|
CodeVerifier = codeVerifier;
|
|
SsoRedirectUrl = redirectUrl;
|
|
_masterKey = _setCryptoKeys ? masterKey : null;
|
|
_userKey = userKey2FA;
|
|
TwoFactorProvidersData = response.TwoFactorResponse.TwoFactorProviders2;
|
|
result.TwoFactorProviders = response.TwoFactorResponse.TwoFactorProviders2;
|
|
CaptchaToken = response.TwoFactorResponse.CaptchaToken;
|
|
_masterPasswordPolicy = response.TwoFactorResponse.MasterPasswordPolicy;
|
|
await _tokenService.ClearTwoFactorTokenAsync(email);
|
|
return result;
|
|
}
|
|
|
|
var tokenResponse = response.TokenResponse;
|
|
result.ResetMasterPassword = tokenResponse.ResetMasterPassword;
|
|
result.ForcePasswordReset = tokenResponse.ForcePasswordReset;
|
|
_masterPasswordPolicy = tokenResponse.MasterPasswordPolicy;
|
|
if (tokenResponse.TwoFactorToken != null)
|
|
{
|
|
await _tokenService.SetTwoFactorTokenAsync(tokenResponse.TwoFactorToken, email);
|
|
}
|
|
await _tokenService.SetAccessTokenAsync(tokenResponse.AccessToken, true);
|
|
await _stateService.AddAccountAsync(
|
|
new Account(
|
|
new Account.AccountProfile()
|
|
{
|
|
UserId = _tokenService.GetUserId(),
|
|
Email = _tokenService.GetEmail(),
|
|
Name = _tokenService.GetName(),
|
|
KdfType = tokenResponse.Kdf,
|
|
KdfIterations = tokenResponse.KdfIterations,
|
|
KdfMemory = tokenResponse.KdfMemory,
|
|
KdfParallelism = tokenResponse.KdfParallelism,
|
|
HasPremiumPersonally = _tokenService.GetPremium(),
|
|
ForcePasswordResetReason = result.ForcePasswordReset
|
|
? ForcePasswordResetReason.AdminForcePasswordReset
|
|
: (ForcePasswordResetReason?)null,
|
|
UserDecryptionOptions = tokenResponse.UserDecryptionOptions,
|
|
},
|
|
new Account.AccountTokens()
|
|
{
|
|
AccessToken = tokenResponse.AccessToken,
|
|
RefreshToken = tokenResponse.RefreshToken,
|
|
}
|
|
)
|
|
);
|
|
_messagingService.Send("accountAdded");
|
|
if (_setCryptoKeys)
|
|
{
|
|
if (localHashedPassword != null)
|
|
{
|
|
await _cryptoService.SetMasterKeyHashAsync(localHashedPassword);
|
|
await _cryptoService.SetMasterKeyAsync(masterKey);
|
|
}
|
|
|
|
// Trusted Device
|
|
var decryptOptions = await _stateService.GetAccountDecryptionOptions();
|
|
var hasUserKey = await _cryptoService.HasUserKeyAsync();
|
|
if (decryptOptions?.TrustedDeviceOption != null && !hasUserKey &&
|
|
decryptOptions.TrustedDeviceOption.EncryptedPrivateKey != null &&
|
|
decryptOptions.TrustedDeviceOption.EncryptedUserKey != null)
|
|
{
|
|
var key = await _deviceTrustCryptoService.DecryptUserKeyWithDeviceKeyAsync(decryptOptions.TrustedDeviceOption.EncryptedPrivateKey,
|
|
decryptOptions.TrustedDeviceOption.EncryptedUserKey);
|
|
if (key != null)
|
|
{
|
|
await _cryptoService.SetUserKeyAsync(key);
|
|
}
|
|
}
|
|
|
|
if (code == null || tokenResponse.Key != null)
|
|
{
|
|
await _cryptoService.SetMasterKeyEncryptedUserKeyAsync(tokenResponse.Key);
|
|
|
|
// Key Connector
|
|
if (!string.IsNullOrEmpty(tokenResponse.KeyConnectorUrl) || !string.IsNullOrEmpty(decryptOptions?.KeyConnectorOption?.KeyConnectorUrl))
|
|
{
|
|
var url = tokenResponse.KeyConnectorUrl ?? decryptOptions.KeyConnectorOption.KeyConnectorUrl;
|
|
await _keyConnectorService.SetMasterKeyFromUrlAsync(url);
|
|
}
|
|
|
|
// Login with Device
|
|
if (masterKey != null && !string.IsNullOrEmpty(authRequestId))
|
|
{
|
|
await _cryptoService.SetMasterKeyAsync(masterKey);
|
|
}
|
|
else if (userKey2FA != null)
|
|
{
|
|
await _cryptoService.SetUserKeyAsync(userKey2FA);
|
|
}
|
|
|
|
// Decrypt UserKey with MasterKey
|
|
masterKey ??= await _stateService.GetMasterKeyAsync();
|
|
if (masterKey != null)
|
|
{
|
|
var userKey = await _cryptoService.DecryptUserKeyWithMasterKeyAsync(masterKey);
|
|
await _cryptoService.SetUserKeyAsync(userKey);
|
|
}
|
|
|
|
// User doesn't have a key pair yet (old account), let's generate one for them.
|
|
if (tokenResponse.PrivateKey == null)
|
|
{
|
|
try
|
|
{
|
|
var keyPair = await _cryptoService.MakeKeyPairAsync();
|
|
await _apiService.PostAccountKeysAsync(new KeysRequest
|
|
{
|
|
PublicKey = keyPair.Item1,
|
|
EncryptedPrivateKey = keyPair.Item2.EncryptedString
|
|
});
|
|
tokenResponse.PrivateKey = keyPair.Item2.EncryptedString;
|
|
}
|
|
catch { }
|
|
}
|
|
|
|
await _cryptoService.SetUserPrivateKeyAsync(tokenResponse.PrivateKey);
|
|
}
|
|
else if (tokenResponse.KeyConnectorUrl != null)
|
|
{
|
|
// New User has tokenResponse.Key == null
|
|
if (tokenResponse.Key == null)
|
|
{
|
|
await _keyConnectorService.ConvertNewUserToKeyConnectorAsync(orgId, tokenResponse);
|
|
}
|
|
else
|
|
{
|
|
await _keyConnectorService.SetMasterKeyFromUrlAsync(tokenResponse.KeyConnectorUrl);
|
|
}
|
|
}
|
|
}
|
|
|
|
_authedUserId = _tokenService.GetUserId();
|
|
await _stateService.SetBiometricLockedAsync(false);
|
|
_messagingService.Send("loggedIn");
|
|
return result;
|
|
}
|
|
|
|
private void ClearState()
|
|
{
|
|
_masterKey = null;
|
|
Email = null;
|
|
CaptchaToken = null;
|
|
MasterPasswordHash = null;
|
|
AuthRequestId = null;
|
|
Code = null;
|
|
CodeVerifier = null;
|
|
SsoRedirectUrl = null;
|
|
TwoFactorProvidersData = null;
|
|
SelectedTwoFactorProviderType = null;
|
|
_masterPasswordPolicy = null;
|
|
_authedUserId = null;
|
|
}
|
|
|
|
public async Task<List<PasswordlessLoginResponse>> GetPasswordlessLoginRequestsAsync()
|
|
{
|
|
var response = await _apiService.GetAuthRequestAsync();
|
|
return await PopulateFingerprintPhrasesAsync(response);
|
|
}
|
|
|
|
public async Task<List<PasswordlessLoginResponse>> GetActivePasswordlessLoginRequestsAsync()
|
|
{
|
|
var requests = await GetPasswordlessLoginRequestsAsync();
|
|
var activeRequests = requests.Where(r => !r.IsAnswered && !r.IsExpired).OrderByDescending(r => r.CreationDate).ToList();
|
|
return await PopulateFingerprintPhrasesAsync(activeRequests);
|
|
}
|
|
public async Task<PasswordlessLoginResponse> GetPasswordlessLoginRequestByIdAsync(string id)
|
|
{
|
|
try
|
|
{
|
|
var response = await _apiService.GetAuthRequestAsync(id);
|
|
return await PopulateFingerprintPhraseAsync(response, await _stateService.GetEmailAsync());
|
|
}
|
|
catch (ApiException ex) when (ex.Error?.StatusCode == System.Net.HttpStatusCode.NotFound)
|
|
{
|
|
// Thrown when request expires and purge job erases it from the db
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public async Task<PasswordlessLoginResponse> GetPasswordlessLoginResquestAsync(string id, string accessCode)
|
|
{
|
|
return await _apiService.GetAuthResponseAsync(id, accessCode);
|
|
}
|
|
|
|
public async Task<PasswordlessLoginResponse> PasswordlessLoginAsync(string id, string pubKey, bool requestApproved)
|
|
{
|
|
var publicKey = CoreHelpers.Base64UrlDecode(pubKey);
|
|
var masterKey = await _cryptoService.GetMasterKeyAsync();
|
|
byte[] keyToEncrypt = null;
|
|
EncString encryptedMasterPassword = null;
|
|
|
|
if (masterKey == null)
|
|
{
|
|
var userKey = await _cryptoService.GetUserKeyAsync();
|
|
if (userKey == null)
|
|
{
|
|
throw new UserAndMasterKeysNullException();
|
|
}
|
|
keyToEncrypt = userKey.Key;
|
|
}
|
|
else
|
|
{
|
|
keyToEncrypt = masterKey.Key;
|
|
var keyHash = await _stateService.GetKeyHashAsync();
|
|
if (!string.IsNullOrEmpty(keyHash))
|
|
{
|
|
encryptedMasterPassword = await _cryptoService.RsaEncryptAsync(Encoding.UTF8.GetBytes(keyHash), publicKey);
|
|
}
|
|
}
|
|
|
|
var encryptedKey = await _cryptoService.RsaEncryptAsync(keyToEncrypt, publicKey);
|
|
var deviceId = await _appIdService.GetAppIdAsync();
|
|
var response = await _apiService.PutAuthRequestAsync(id, encryptedKey.EncryptedString, encryptedMasterPassword?.EncryptedString, deviceId, requestApproved);
|
|
return await PopulateFingerprintPhraseAsync(response, await _stateService.GetEmailAsync());
|
|
}
|
|
|
|
public async Task<PasswordlessLoginResponse> PasswordlessCreateLoginRequestAsync(string email, AuthRequestType authRequestType)
|
|
{
|
|
var deviceId = await _appIdService.GetAppIdAsync();
|
|
var keyPair = await _cryptoFunctionService.RsaGenerateKeyPairAsync(2048);
|
|
var generatedFingerprintPhrase = await _cryptoService.GetFingerprintAsync(email, keyPair.Item1);
|
|
var fingerprintPhrase = string.Join("-", generatedFingerprintPhrase);
|
|
var publicB64 = Convert.ToBase64String(keyPair.Item1);
|
|
var accessCode = await _passwordGenerationService.GeneratePasswordAsync(PasswordGenerationOptions.CreateDefault.WithLength(25));
|
|
var passwordlessCreateLoginRequest = new PasswordlessCreateLoginRequest(email, publicB64, deviceId, accessCode, authRequestType, fingerprintPhrase);
|
|
var response = await _apiService.PostCreateRequestAsync(passwordlessCreateLoginRequest, authRequestType);
|
|
|
|
if (response != null)
|
|
{
|
|
response.RequestKeyPair = keyPair;
|
|
response.RequestAccessCode = accessCode;
|
|
response.FingerprintPhrase = fingerprintPhrase;
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
private async Task<List<PasswordlessLoginResponse>> PopulateFingerprintPhrasesAsync(List<PasswordlessLoginResponse> passwordlessLoginList)
|
|
{
|
|
if (passwordlessLoginList == null)
|
|
{
|
|
return null;
|
|
}
|
|
var userEmail = await _stateService.GetEmailAsync();
|
|
foreach (var passwordlessLogin in passwordlessLoginList)
|
|
{
|
|
await PopulateFingerprintPhraseAsync(passwordlessLogin, userEmail);
|
|
}
|
|
return passwordlessLoginList;
|
|
}
|
|
|
|
private async Task<PasswordlessLoginResponse> PopulateFingerprintPhraseAsync(PasswordlessLoginResponse passwordlessLogin, string userEmail)
|
|
{
|
|
passwordlessLogin.FingerprintPhrase = string.Join("-", await _cryptoService.GetFingerprintAsync(userEmail, CoreHelpers.Base64UrlDecode(passwordlessLogin.PublicKey)));
|
|
return passwordlessLogin;
|
|
}
|
|
|
|
public async Task CreateNewSsoUserAsync(string organizationSsoId)
|
|
{
|
|
var orgAutoEnrollStatusResponse = await _apiService.GetOrganizationAutoEnrollStatusAsync(organizationSsoId);
|
|
var randomBytes = _cryptoFunctionService.RandomBytes(64);
|
|
var userKey = new UserKey(randomBytes);
|
|
var (userPubKey, userPrivKey) = await _cryptoService.MakeKeyPairAsync(userKey);
|
|
await _apiService.PostAccountKeysAsync(new KeysRequest
|
|
{
|
|
PublicKey = userPubKey,
|
|
EncryptedPrivateKey = userPrivKey.EncryptedString
|
|
});
|
|
|
|
await _stateService.SetUserKeyAsync(userKey);
|
|
await _stateService.SetPrivateKeyEncryptedAsync(userPrivKey.EncryptedString);
|
|
await _passwordResetEnrollmentService.EnrollAsync(orgAutoEnrollStatusResponse.Id);
|
|
}
|
|
}
|
|
}
|