Pm 2032 troubleshoot actions #65

lizard-boy · 2024-10-19T09:03:24Z

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Code changes

file.ext: Description of what was changed and why

Before you submit

Please check for formatting errors (dotnet format --verify-no-changes) (required)
If making database changes - make sure you also update Entity Framework queries and/or migrations
Please add unit tests where it makes sense to do so (encouraged but not required)
If this change requires a documentation update - notify the documentation team
If this change has particular deployment requirements - notify the DevOps team

Greptile Summary

This PR introduces WebAuthn functionality to the server, focusing on credential management and authentication flows.

Added WebAuthnController in src/Api/Auth/Controllers/WebAuthnController.cs for managing WebAuthn credentials
Implemented new models and enums for WebAuthn requests, responses, and statuses in src/Core/Auth/ and src/Api/Auth/Models/
Created WebAuthnCredentialRepository in both Dapper and EntityFramework implementations for data persistence
Added WebAuthnGrantValidator in src/Identity/IdentityServer/WebAuthnGrantValidator.cs for handling WebAuthn authentication
Introduced UserDecryptionOptionsBuilder in src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs for constructing user decryption options

* [PM-2014] chore: rename `IWebAuthnRespository` to `IWebAuthnCredentialRepository` * [PM-2014] fix: add missing service registration * [PM-2014] feat: add user verification when fetching options * [PM-2014] feat: create migration script for mssql * [PM-2014] chore: append to todo comment * [PM-2014] feat: add support for creation token * [PM-2014] feat: implement credential saving * [PM-2014] chore: add resident key TODO comment * [PM-2014] feat: implement passkey listing * [PM-2014] feat: implement deletion without user verification * [PM-2014] feat: add user verification to delete * [PM-2014] feat: implement passkey limit * [PM-2014] chore: clean up todo comments * [PM-2014] fix: add missing sql scripts Missed staging them when commiting * [PM-2014] feat: include options response model in swagger docs * [PM-2014] chore: move properties after ctor * [PM-2014] feat: use `Guid` directly as input paramter * [PM-2014] feat: use nullable guid in token * [PM-2014] chore: add new-line * [PM-2014] feat: add support for feature flag * [PM-2014] feat: start adding controller tests * [PM-2014] feat: add user verification test * [PM-2014] feat: add controller tests for token interaction * [PM-2014] feat: add tokenable tests * [PM-2014] chore: clean up commented premium check * [PM-2014] feat: add user service test for credential limit * [PM-2014] fix: run `dotnet format` * [PM-2014] chore: remove trailing comma * [PM-2014] chore: add `Async` suffix * [PM-2014] chore: move delay to constant * [PM-2014] chore: change `default` to `null` * [PM-2014] chore: remove autogenerated weirdness * [PM-2014] fix: lint

…methods. (bitwarden#3284) * Added check for PasswordlessLogin feature flag on new controller and methods. * fix: build error from missing constructor argument --------- Co-authored-by: Andreas Coroiu <[email protected]>

* [PM-4171] feat: update database to support PRF * [PM-4171] feat: rename `DescriptorId` to `CredentialId` * [PM-4171] feat: add PRF felds to domain object * [PM-4171] feat: add `SupportsPrf` column * [PM-4171] fix: add missing comma * [PM-4171] fix: add comma

…en#3331) * Added WebAuthnRepo to EF DI * updated config to match current grant types

…port

…equireResidentKey`

* Add `src/Identity/flags.json` to .gitignore * Change to cover all OSS projects * Include `bitwarden_license` projects (cherry picked from commit e9be7f1)

greptile-apps

_{30 file(s) reviewed, 59 comment(s)}
_{Edit PR Review Bot Settings | Greptile}

greptile-apps · 2024-10-19T09:04:40Z

src/Api/Auth/Controllers/WebAuthnController.cs

+    [HttpGet("")]
+    public async Task<ListResponseModel<WebAuthnCredentialResponseModel>> Get()
+    {
+        var user = await GetUserAsync();
+        var credentials = await _credentialRepository.GetManyByUserIdAsync(user.Id);
+
+        return new ListResponseModel<WebAuthnCredentialResponseModel>(credentials.Select(c => new WebAuthnCredentialResponseModel(c)));
+    }


logic: Add authorization check to ensure the user can only access their own credentials

greptile-apps · 2024-10-19T09:04:41Z

src/Api/Auth/Controllers/WebAuthnController.cs

+            throw new NotFoundException("Credential not found.");
+        }
+
+        await _credentialRepository.DeleteAsync(credential);


logic: Add error handling for the DeleteAsync operation

greptile-apps · 2024-10-19T09:04:41Z

src/Api/Auth/Controllers/WebAuthnController.cs

+        var user = await GetUserAsync();
+        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            await Task.Delay(Constants.FailedSecretVerificationDelay);


logic: Potential timing attack vulnerability. Consider using a constant-time comparison for secret verification

greptile-apps · 2024-10-19T09:05:13Z

src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs

+using Bit.Core.Utilities;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Request.Webauthn;


style: Namespace 'Webauthn' is inconsistent with C# naming conventions. Consider changing to 'WebAuthn'.

greptile-apps · 2024-10-19T09:05:42Z

src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialCreateOptionsResponseModel.cs

+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialCreateOptionsResponseModel : ResponseModel


style: Consider adding XML documentation comments to describe the purpose of this class and its properties

greptile-apps · 2024-10-19T09:18:09Z