fix logic (#4550)

bitwarden · Jul 22, 2024 · 66f95d1 · 66f95d1
1 parent 009e43e
commit 66f95d1
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs
@@ -93,7 +93,7 @@ public async Task<ListResponseModel<TwoFactorProviderResponseModel>> GetOrganiza
     public async Task<TwoFactorAuthenticatorResponseModel> GetAuthenticator(
         [FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false, false);
+        var user = await CheckAsync(model, false, true);
         var response = new TwoFactorAuthenticatorResponseModel(user);
         return response;
     }
@@ -121,7 +121,7 @@ public async Task<TwoFactorAuthenticatorResponseModel> PutAuthenticator(
     [HttpPost("get-yubikey")]
     public async Task<TwoFactorYubiKeyResponseModel> GetYubiKey([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, true, false);
+        var user = await CheckAsync(model, true, true);
         var response = new TwoFactorYubiKeyResponseModel(user);
         return response;
     }
@@ -147,7 +147,7 @@ public async Task<TwoFactorYubiKeyResponseModel> PutYubiKey([FromBody] UpdateTwo
     [HttpPost("get-duo")]
     public async Task<TwoFactorDuoResponseModel> GetDuo([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, true, false);
+        var user = await CheckAsync(model, true, true);
         var response = new TwoFactorDuoResponseModel(user);
         return response;
     }
@@ -187,7 +187,7 @@ public async Task<TwoFactorDuoResponseModel> PutDuo([FromBody] UpdateTwoFactorDu
     public async Task<TwoFactorDuoResponseModel> GetOrganizationDuo(string id,
         [FromBody] SecretVerificationRequestModel model)
     {
-        await CheckAsync(model, false, false);
+        await CheckAsync(model, false, true);
 
         var orgIdGuid = new Guid(id);
         if (!await _currentContext.ManagePolicies(orgIdGuid))
@@ -244,7 +244,7 @@ await _organizationService.UpdateTwoFactorProviderAsync(organization,
     [HttpPost("get-webauthn")]
     public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false, false);
+        var user = await CheckAsync(model, false, true);
         var response = new TwoFactorWebAuthnResponseModel(user);
         return response;
     }
@@ -253,7 +253,7 @@ public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody] SecretV
     [ApiExplorerSettings(IgnoreApi = true)] // Disable Swagger due to CredentialCreateOptions not converting properly
     public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false, false);
+        var user = await CheckAsync(model, false, true);
         var reg = await _userService.StartWebAuthnRegistrationAsync(user);
         return reg;
     }
@@ -288,15 +288,15 @@ public async Task<TwoFactorWebAuthnResponseModel> DeleteWebAuthn(
     [HttpPost("get-email")]
     public async Task<TwoFactorEmailResponseModel> GetEmail([FromBody] SecretVerificationRequestModel model)
     {
-        var user = await CheckAsync(model, false, false);
+        var user = await CheckAsync(model, false, true);
         var response = new TwoFactorEmailResponseModel(user);
         return response;
     }
 
     [HttpPost("send-email")]
     public async Task SendEmail([FromBody] TwoFactorEmailRequestModel model)
     {
-        var user = await CheckAsync(model, false, false);
+        var user = await CheckAsync(model, false, true);
         model.ToUser(user);
         await _userService.SendTwoFactorEmailAsync(user);
     }
@@ -433,15 +433,16 @@ public Task<DeviceVerificationResponseModel> PutDeviceVerificationSettings(
         return Task.FromResult(new DeviceVerificationResponseModel(false, false));
     }
 
-    private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium, bool isSetMethod = true)
+    private async Task<User> CheckAsync(SecretVerificationRequestModel model, bool premium,
+        bool skipVerification = false)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
         {
             throw new UnauthorizedAccessException();
         }
 
-        if (!await _userService.VerifySecretAsync(user, model.Secret, isSetMethod))
+        if (!await _userService.VerifySecretAsync(user, model.Secret, skipVerification))
         {
             await Task.Delay(2000);
             throw new BadRequestException(string.Empty, "User verification failed.");