grepdemos · lizard-boy · Apr 26, 2023 · Apr 28, 2023 · May 1, 2023 · May 1, 2023
diff --git a/src/Api/Auth/Controllers/WebAuthnController.cs b/src/Api/Auth/Controllers/WebAuthnController.cs
@@ -0,0 +1,110 @@
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.Webauthn;
+using Bit.Api.Auth.Models.Response.WebAuthn;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Auth.Controllers;
+
+[Route("webauthn")]
+[Authorize("Web")]
+public class WebAuthnController : Controller
+{
+    private readonly IUserService _userService;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;
+    private readonly IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> _createOptionsDataProtector;
+
+    public WebAuthnController(
+        IUserService userService,
+        IWebAuthnCredentialRepository credentialRepository,
+        IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> createOptionsDataProtector)
+    {
+        _userService = userService;
+        _credentialRepository = credentialRepository;
+        _createOptionsDataProtector = createOptionsDataProtector;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<WebAuthnCredentialResponseModel>> Get()
+    {
+        var user = await GetUserAsync();
+        var credentials = await _credentialRepository.GetManyByUserIdAsync(user.Id);
+
+        return new ListResponseModel<WebAuthnCredentialResponseModel>(credentials.Select(c => new WebAuthnCredentialResponseModel(c)));
+    }
+
+    [HttpPost("options")]
+    public async Task<WebAuthnCredentialCreateOptionsResponseModel> PostOptions([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var options = await _userService.StartWebAuthnLoginRegistrationAsync(user);
+
+        var tokenable = new WebAuthnCredentialCreateOptionsTokenable(user, options);
+        var token = _createOptionsDataProtector.Protect(tokenable);
+
+        return new WebAuthnCredentialCreateOptionsResponseModel
+        {
+            Options = options,
+            Token = token
+        };
+    }
+
+    [HttpPost("")]
+    public async Task Post([FromBody] WebAuthnCredentialRequestModel model)
+    {
+        var user = await GetUserAsync();
+        var tokenable = _createOptionsDataProtector.Unprotect(model.Token);
+        if (!tokenable.TokenIsValid(user))
+        {
+            throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
+        }
+
+        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, model.UserKey, model.PrfPublicKey, model.PrfPrivateKey, model.SupportsPrf, tokenable.Options, model.DeviceResponse);
+        if (!success)
+        {
+            throw new BadRequestException("Unable to complete WebAuthn registration.");
+        }
+    }
+
+    [HttpPost("{id}/delete")]
+    public async Task Delete(Guid id, [FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var credential = await _credentialRepository.GetByIdAsync(id, user.Id);
+        if (credential == null)
+        {
+            throw new NotFoundException("Credential not found.");
+        }
+
+        await _credentialRepository.DeleteAsync(credential);
+    }
+
+    private async Task<Core.Entities.User> GetUserAsync()
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+        return user;
+    }
+
+    private async Task<Core.Entities.User> VerifyUserAsync(SecretVerificationRequestModel model)
+    {
+        var user = await GetUserAsync();
+        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            await Task.Delay(Constants.FailedSecretVerificationDelay);
+            throw new BadRequestException(string.Empty, "User verification failed.");
+        }
+
+        return user;
+    }
+}
diff --git a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs
@@ -0,0 +1,24 @@
+using System.ComponentModel.DataAnnotations;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Request.Webauthn;
+
+public class WebAuthnCredentialRequestModel
+{
+    [Required]
+    public AuthenticatorAttestationRawResponse DeviceResponse { get; set; }
+
+    [Required]
+    public string Name { get; set; }
+
+    [Required]
+    public string Token { get; set; }
+
+    [Required]
+    public bool SupportsPrf { get; set; }
+
+    public string UserKey { get; set; }
+    public string PrfPublicKey { get; set; }
+    public string PrfPrivateKey { get; set; }
+}
+
diff --git a/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialCreateOptionsResponseModel.cs b/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialCreateOptionsResponseModel.cs
@@ -0,0 +1,16 @@
+using Bit.Core.Models.Api;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialCreateOptionsResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredentialCreateOptions";
+
+    public WebAuthnCredentialCreateOptionsResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public CredentialCreateOptions Options { get; set; }
+    public string Token { get; set; }
+}
diff --git a/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs b/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
@@ -0,0 +1,21 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredential";
+
+    public WebAuthnCredentialResponseModel(WebAuthnCredential credential) : base(ResponseObj)
+    {
+        Id = credential.Id.ToString();
+        Name = credential.Name;
+        PrfStatus = credential.GetPrfStatus();
+    }
+
+    public string Id { get; set; }
+    public string Name { get; set; }
+    public WebAuthnPrfStatus PrfStatus { get; set; }
+}
diff --git a/src/Core/Auth/Entities/WebAuthnCredential.cs b/src/Core/Auth/Entities/WebAuthnCredential.cs
@@ -0,0 +1,48 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Entities;
+
+public class WebAuthnCredential : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    [MaxLength(50)]
+    public string Name { get; set; }
+    [MaxLength(256)]
+    public string PublicKey { get; set; }
+    [MaxLength(256)]
+    public string DescriptorId { get; set; }
+    public int Counter { get; set; }
+    [MaxLength(20)]
+    public string Type { get; set; }
+    public Guid AaGuid { get; set; }
+    public string UserKey { get; set; }
+    public string PrfPublicKey { get; set; }
+    public string PrfPrivateKey { get; set; }
+    public bool SupportsPrf { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
+
+    public void SetNewId()
+    {
+        Id = CoreHelpers.GenerateComb();
+    }
+
+    public WebAuthnPrfStatus GetPrfStatus()
+    {
+        if (SupportsPrf && PrfPublicKey != null && PrfPrivateKey != null)
+        {
+            return WebAuthnPrfStatus.Enabled;
+        }
+        else if (SupportsPrf)
+        {
+            return WebAuthnPrfStatus.Supported;
+        }
+
+        return WebAuthnPrfStatus.Unsupported;
+    }
+
+}
diff --git a/src/Core/Auth/Enums/WebAuthnPrfStatus.cs b/src/Core/Auth/Enums/WebAuthnPrfStatus.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum WebAuthnPrfStatus
+{
+    Enabled = 0,
+    Supported = 1,
+    Unsupported = 2
+}
+
diff --git a/src/Core/Auth/Models/Api/Request/Accounts/WebauthnCredentialAssertionOptionsRequestModel.cs b/src/Core/Auth/Models/Api/Request/Accounts/WebauthnCredentialAssertionOptionsRequestModel.cs
@@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Auth.Models.Api.Request.Accounts;
+
+public class WebauthnCredentialAssertionOptionsRequestModel
+{
+    [EmailAddress]
+    [StringLength(256)]
+    public string Email { get; set; }
+}
+
diff --git a/src/Core/Auth/Models/Api/Request/Accounts/WebauthnCredentialAssertionRequestModel .cs b/src/Core/Auth/Models/Api/Request/Accounts/WebauthnCredentialAssertionRequestModel .cs
@@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Api.Request.Accounts;
+
+public class WebauthnCredentialAssertionRequestModel
+{
+    [Required]
+    public AuthenticatorAssertionRawResponse DeviceResponse { get; set; }
+
+    [Required]
+    public string Token { get; set; }
+}
+
diff --git a/...Core/Auth/Models/Api/Response/Accounts/WebauthnCredentialAssertionOptionsResponseModel.cs b/...Core/Auth/Models/Api/Response/Accounts/WebauthnCredentialAssertionOptionsResponseModel.cs
@@ -0,0 +1,17 @@
+using Bit.Core.Models.Api;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Api.Response.Accounts;
+
+public class WebAuthnCredentialAssertionOptionsResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredentialAssertionOptions";
+
+    public WebAuthnCredentialAssertionOptionsResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public AssertionOptions Options { get; set; }
+    public string Token { get; set; }
+}
+
diff --git a/src/Core/Auth/Models/Api/Response/Accounts/WebauthnCredentialAssertionResponseModel.cs b/src/Core/Auth/Models/Api/Response/Accounts/WebauthnCredentialAssertionResponseModel.cs
@@ -0,0 +1,15 @@
+using Bit.Core.Models.Api;
+
+namespace Bit.Core.Auth.Models.Api.Response.Accounts;
+
+public class WebAuthnCredentialAssertionResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredentialAssertion";
+
+    public WebAuthnCredentialAssertionResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public string Token { get; set; }
+}
+
diff --git a/src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialAssertionOptionsTokenable.cs b/src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialAssertionOptionsTokenable.cs
@@ -0,0 +1,44 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnCredentialAssertionOptionsTokenable : ExpiringTokenable
+{
+    // 7 minutes = max webauthn timeout (6 minutes) + slack for miscellaneous delays
+    private const double _tokenLifetimeInHours = (double)7 / 60;
+    public const string ClearTextPrefix = "BWWebAuthnCredentialAssertionOptions_";
+    public const string DataProtectorPurpose = "WebAuthnCredentialAssertionDataProtector";
+    public const string TokenIdentifier = "WebAuthnCredentialAssertionOptionsToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid? UserId { get; set; }
+    public AssertionOptions Options { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnCredentialAssertionOptionsTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnCredentialAssertionOptionsTokenable(User user, AssertionOptions options) : this()
+    {
+        UserId = user?.Id;
+        Options = options;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (!Valid || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && UserId != null && Options != null;
+}
+
diff --git a/src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialCreateOptionsTokenable.cs b/src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialCreateOptionsTokenable.cs
@@ -0,0 +1,44 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnCredentialCreateOptionsTokenable : ExpiringTokenable
+{
+    // 7 minutes = max webauthn timeout (6 minutes) + slack for miscellaneous delays
+    private const double _tokenLifetimeInHours = (double)7 / 60;
+    public const string ClearTextPrefix = "BWWebAuthnCredentialCreateOptions_";
+    public const string DataProtectorPurpose = "WebAuthnCredentialCreateDataProtector";
+    public const string TokenIdentifier = "WebAuthnCredentialCreateOptionsToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid? UserId { get; set; }
+    public CredentialCreateOptions Options { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnCredentialCreateOptionsTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnCredentialCreateOptionsTokenable(User user, CredentialCreateOptions options) : this()
+    {
+        UserId = user?.Id;
+        Options = options;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (!Valid || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && UserId != null && Options != null;
+}
+