server

Commit Graph

Author	SHA1	Message	Date
Ike	ffebc0d792	[PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs (#7239 ) feat: add `MasterPasswordSalt` to unlock and authentication flow - Add optional `MasterPasswordSalt`: - `MasterPasswordUnlockAndAuthenticationData` - `RegisterFinishRequestModel` - `UserDecryptionOptionsBuilder` - Add test coverage for explicit checks where appropriate in the above model updates	6 days ago
sven-bitwarden	081bbe66d0	[PM-30993] Better Error Message for Expired Invitation Tokens (#6971 ) * Send better error message when token is expired * Add comment indicating frontend usage * Add testcase for Invalid Token scenario * Update comment in test-case * Fix merge issue * Fix method name * Consolidate token validation error calculation, apply to new area * Move away from magic strings, fix tests * Adjust class name * Clean up old method name references * Change errors to fields for singleton behavior * Formatting	2 weeks ago
Jimmy Vo	7371705530	[PM-33364] Fix the emergency access help URL. (#7262 )	2 weeks ago
Jared Snider	80e6f87afd	Auth/PM-33168 - Emergency Access - Prevent grantor from inviting themselves as an emergency access contact (#7165 )	2 weeks ago
Patrick-Pimentel-Bitwarden	e0a08710a8	feat(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance (#6940 ) * feat(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Initial implementation * fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Changes in a good place. Need to write tests. * test(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Service tests have been added. * fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Fixed comment.	3 weeks ago
Isaiah Inuwa	dfc736fd20	Return WebAuthn credential record in create response (#7145 ) * Return WebAuthn credential record in create response * Make CreateWebAuthnLoginCredentialCommand null-safe	4 weeks ago
Jared Snider	18973a4f63	Auth/PM-32035 - Emergency Access - DeleteEmergencyAccessCommand refactor (#7054 ) * PM-32035 - EmergencyAccessService - fix interface docs, method docs, and tests to cover grantee / grantor deletion which is supported today. * PM-32035 - EmergencyAccessService - mark existing delete as deprecated * PM-32035 - EmergencyAccess readme docs - fix deletion docs * PM-32035 - Add new EmergencyAccessDetails_ReadByUserIds stored proc * PM-32035 - Add migration script for EmergencyAccessDetails_ReadByUserIds * PM-32035 - Build out GetManyDetailsByUserIdsAsync in repository layer plus add tests * PM-32035 - EmergencyAccessRepo - DeleteManyAsync - remove grantee revision bump as not necessary since no EA sync data exists + update tests * PM-32035 - Fix incorrect nullability annotation on EmergencyAccessDetails.GrantorEmail. Both the SQL view and EF projection use a LEFT JOIN to the User table, meaning the value can be null if the grantor's account no longer exists. Changed to string? and removed the required modifier since the class is only ever materialized from database queries, never directly instantiated. * PM-32035 - Refactor DeleteEmergencyAccess command to offer new DeleteAllByUserIdAsync and DeleteAllByUserIdsAsync methods. Need to build out DeleteByIdAndUserIdAsync with a new stored proc. * PM-32035 - Build out IEmergencyAccessRepository.GetDetailsByIdAsync because we need such a method in order to meet the product requirements to send grantor email notifications for normal deletions in the future. * PM-32035 - Wire up DeleteEmergencyAccessCommand.DeleteByIdAndUserIdAsync to use new repository method emergencyAccessRepository.GetDetailsByIdAsync so we can send notifications. Now, it is full replacement for the existing emergency access service deletion method + has the new notification functionaliy requested. * PM-32035 - Add more test coverage for DeleteByIdAndUserIdAsync * PM-32035 - Fix missing GranteeAvatarColor and GrantorAvatarColor projections in EmergencyAccessDetailsViewQuery. The EF view query omitted both avatar color fields from its Select projection, causing the integration tests to fail on all non-SqlServer databases (MySql, Postgres, Sqlite) where EF is used instead of Dapper. * PM-32035 - Rename migration after main merge revealed collision * PM-32035 - Rename migration script * PM-32035 - PR feedback - add ticket + todos to deprecated delete async method. * PM-32035 - DeleteEmergencyAccessCommand - add logs if we don't have user data required to send email notifications. * PM-32035 - PR Feedback - rename EmergencyAccessDetails_ReadByUserIds to EmergencyAccessDetails_ReadManyByUserIds	1 month ago
sven-bitwarden	4d91350fb7	[PM-29498] Remove Premium Feature Flagged Logic (#6967 ) * Remove feature flag logic and fix unit tests * Simplify query * Fix test * Fix local review	1 month ago
Dave	ca35b9e26f	[PM-29890] Refactor Two-factor WebAuthn Methods Out of UserService (#6920 ) * refactor(2fa-webauthn) [PM-29890]: Add command for start 2fa WebAuthn. * refactor(2fa-webauthn) [PM-29890]: Put files into iface-root /implementations structure to align with other feature areas. * refactor(2fa-webauthn) [PM-29890]: Add complete WebAuthn registration command. * test(2fa-webauthn) [PM-29890]: Refactor and imrove 2fa WebAuthn testing from UserService. * refactor(2fa-webauthn) [PM-29890]: Add delete WebAuthn credential command. * test(2fa-webauthn) [PM-29890]: Add tests for delete WebAuthn credential command. * refactor(2fa-webauthn) [PM-29890]: Update docs. * refctor(2fa-webauthn) [PM-29890]: Re-spell docs. * refactor(2fa-webauthn) [PM-29890]: Add comment around last-credential deletion.	2 months ago
Rui Tomé	17166dc0f5	[PM-28300] Remove BlockClaimedDomainAccountCreation feature flag checks (#6934 ) * [PM-28300] Remove BlockClaimedDomainAccountCreation feature flag checks * Fix user registration tests by adding proper email domains * Remove redundant feature flag checks from user registration tests * Remove BlockClaimedDomainAccountCreation constant from FeatureFlagKeys	2 months ago
Ike	68e67e1853	[PM-26376] Emergency Access Delete Command (#6857 ) * feat: Add initial DeleteEmergencyContactCommand * chore: remove nullable enable and add comments * test: add tests for new delete command * test: update tests to test IMailer was called. * feat: add delete by GranteeId and allow for multiple grantors to be contacted. * feat: add DeleteMany stored procedure for EmergencyAccess * test: add database tests for new SP * feat: commands use DeleteManyById for emergencyAccessDeletes * claude: send one email per grantor instead of a bulk email to all grantors. Modified tests to validate. * feat: change revision dates for confirmed grantees; * feat: add AccountRevisionDate bump for grantee users in the confirmed status * test: update integration test to validate only confirmed users are updated as well as proper deletion of emergency access	2 months ago
sven-bitwarden	93a28eed40	[PM-29246] Simplify Usage of Organization Policies (#6837 ) * Initial implementation of new policy query * Remove unused using * Adjusts method name to better match repository method * Correct namespace * Initial refactor of policy loading * Add xml doc, incorporate shim data model * Updates usages to reflect new shim model * Prune extranneous data from policy detail response model, format code * Fix broken test, delete inapplicable test * Adds test cases covering query * Adjust codebase to use new PolicyQueryçˆ * Format code * Fix incorrect mock on test * Fix formatting * Adjust method name * More naming adjustments * Add PolicyData constructor, update test usages * Rename PolicyData -> PolicyStatus * Remove unused using	2 months ago
Dave	93e2c971df	feat(emergency-access) [PM-29584] Create Email for Emergency Access Removal (#6793 ) * feat(emergency-access) [PM-29584]: Add email template. * refactor(emergency-access) [PM-29584]: Move Emergency Access to Auth/UserFeatures. * refactor(emergency-access) [PM-29584]: Move EmergencyAccess tests to UserFeatures space. * feat(emergency-access) [PM-29584]: Add compiled EmergencyAccess templates. * test(emergency-access) [PM-29584]: Add mailer-specific tests. * refactor(emergency-access) [PM-29584]: Move mail to UserFeatures area. * feat(emergency-access) [PM-29584]: Update link for help pages, not web vault. * test(emergency-access) [PM-29584]: Update mail tests for new URL and single responsibility. * refactor(emergency-access) [PM-29584]: Add comments for added test.	2 months ago
Maciej Zieniuk	2e92a53f11	[PM-27281] Support v2 account encryption on JIT master password signups (#6777 ) * V2 prep, rename existing SSO JIT MP command to V1 * set initial master password for account registraton V2 * later removel docs * TDE MP onboarding split * revert separate TDE onboarding controller api * Server side hash of the user master password hash * use `ValidationResult` instead for validation errors * unit test coverage * integration test coverage * update sql migration script date * revert validate password change * better requests validation * explicit error message when org sso identifier invalid * more unit test coverage * renamed onboarding to set, hash naming clarifications * update db sql script, formatting * use raw json as request instead of request models for integration test * v1 integration test coverage * change of name	3 months ago
Rui Tomé	f7c615cc01	[PM-21411] Refactor interface for determining premium status and features (#6688 ) * Removed 2FA user interface from premium method signatures * Added some more comments for clarity and small touchups. * Add PremiumAccessCacheCheck feature flag to Constants.cs * Add IPremiumAccessQuery interface and PremiumAccessQuery implementation for checking user premium access status * Add unit tests for PremiumAccessQuery to validate user premium access logic * Add XML documentation to Premium in OrganizationUserUserDetails and User classes * Add PremiumAccessQueries to UserServiceCollectionExtensions * Refactor TwoFactorIsEnabledQuery to incorporate PremiumAccessQuery and feature flag for premium access checks. Enhanced user premium status retrieval logic and improved handling of user details based on feature flag state. * Mark methods in IUserRepository and IUserService as obsolete, directing users to new methods in IPremiumAccessQuery for premium access checks. * Rename CanAccessPremiumBulkAsync to CanAccessPremiumAsync in IPremiumAccessQuery * Update TwoFactorIsEnabledQuery to use CanAccessPremiumAsync for premium status checks * Refactor TwoFactorIsEnabledQuery to introduce VNextAsync methods for improved premium access checks and user detail handling. Removed obsolete feature service dependency and enhanced test coverage for new functionality. * Refactor IPremiumAccessQuery and PremiumAccessQuery to remove the overloaded CanAccessPremiumAsync method. Update related methods to streamline premium access checks using the User object directly. Enhance test coverage by removing obsolete tests and ensuring proper functionality with the new method signatures. * Add new sync static method to determine if TwoFactor is enabled * Enhance XML documentation for Premium property in OrganizationUserUserDetails and User classes to clarify its usage and limitations regarding personal and organizational premium access. * Refactor IPremiumAccessQuery and PremiumAccessQuery to replace User parameter with Guid for user ID in CanAccessPremiumAsync methods. Update related methods and tests to streamline premium access checks and improve clarity in method signatures. * Update feature flag references in IUserRepository and IUserService to use 'PremiumAccessQuery' instead of 'PremiumAccessCacheCheck'. Adjust related XML documentation for clarity on premium access methods. * Rename IPremiumAccessQuery to IHasPremiumAccessQuery and move to Billing owned folder * Remove unnecessary whitespace from IHasPremiumAccessQuery interface. * Refactor HasPremiumAccessQuery to throw NotFoundException for null users * Add NotFoundException handling in HasPremiumAccessQuery for mismatched user counts * Refactor TwoFactorIsEnabledQuery to optimize premium access checks and improve two-factor provider handling. Introduced bulk fetching of premium status for users with only premium providers and streamlined the logic for determining if two-factor authentication is enabled. * Refactor TwoFactorIsEnabledQueryTests to enhance clarity and optimize test scenarios. Consolidated test cases for two-factor authentication, improved naming conventions, and ensured premium access checks are only performed when necessary. * Add UserPremiumAccess model to represent user premium access status from personal subscriptions and memberships * Add User_ReadPremiumAccessByIds stored procedure and UserPremiumAccessView view to enhance premium access retrieval. Updated Organization table index to include UsersGetPremium for optimized queries. * Add SQL migration script * Add premium access retrieval methods to IUserRepository and implementations in UserRepository classes. Introduced GetPremiumAccessByIdsAsync and GetPremiumAccessAsync methods to fetch premium status for multiple users and a single user, respectively. Updated using directives to include necessary models. * Refactor HasPremiumAccessQuery and IHasPremiumAccessQuery to streamline premium access checks. Updated method names for clarity and improved documentation. Adjusted test cases to reflect changes in user premium access retrieval logic. * Update IUserRepository to reflect new method names for premium access retrieval. Changed obsolete method messages to point to GetPremiumAccessByIdsAsync and GetPremiumAccessAsync. Added internal use notes for IHasPremiumAccessQuery. Improved documentation for clarity. * Refactor TwoFactorIsEnabledQuery to utilize IFeatureService for premium access checks. * Enhance EF UserRepository to improve premium access retrieval by including related organization data. * Add unit tests for premium access retrieval in UserRepositoryTests. * Optimize HasPremiumAccessQuery to eliminate duplicate user IDs before checking premium access. Updated logic to ensure accurate comparison of premium users against distinct user IDs. * Refactor TwoFactorIsEnabledQuery to improve handling of users without two-factor providers. Added early exit for users lacking providers and streamlined premium status checks for enabled two-factor authentication. * Update HasPremiumAccessQueryTests to use simplified exception handling and improve test clarity * Replaced fully qualified exception references with simplified ones. * Refactored test setup to use individual user variables for better readability. * Ensured assertions reflect the updated user variable structure. * Enhance TwoFactorIsEnabledQuery to throw NotFoundException for non-existent users * Updated TwoFactorIsEnabledQuery to throw NotFoundException when a user is not found instead of returning false. * Added a new unit test to verify that the NotFoundException is thrown when a user is not found while premium access query is enabled. * Move premium access query to Billing owned ServiceCollectionExtensions * Refactor IUserService to enhance premium access checks * Updated CanAccessPremium and HasPremiumFromOrganization methods to clarify usage with the new premium access query. * Integrated IHasPremiumAccessQuery into UserService for improved premium access handling based on feature flag. * Adjusted method documentation to reflect changes in premium access logic. * Update IUserRepository to clarify usage of premium access methods * Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync to indicate that callers should use the new methods when the 'PremiumAccessQuery' feature flag is enabled. * Enhanced documentation to improve clarity regarding premium access handling. * Update IUserRepository and IUserService to clarify deprecation of premium access methods * Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync in IUserRepository to indicate these methods will be removed in a future version. * Updated Obsolete attribute message for HasPremiumFromOrganization in IUserService to reflect the same deprecation notice. * Refactor TwoFactorIsEnabledQuery to streamline user ID retrieval * Consolidated user ID retrieval logic to avoid redundancy. * Ensured consistent handling of user ID checks for premium access queries. * Improved code readability by reducing duplicate code blocks. * Rename migration script to fix the date * Update migration script to create the index with DROP_EXISTING = ON * Refactor UserPremiumAccessView to use LEFT JOINs and GROUP BY for improved performance and clarity * Update HasPremiumAccessQueryTests to return null for GetPremiumAccessAsync instead of throwing NotFoundException * Add unit tests for premium access scenarios in UserRepositoryTests - Implement tests for GetPremiumAccessAsync to cover various user and organization premium access combinations. - Validate behavior when users belong to multiple organizations, including cases with and without premium access. - Update email generation for user creation to ensure uniqueness without specific prefixes. - Enhance assertions to verify expected premium access results across different test cases. * Bump date on migration script * Update OrganizationEntityTypeConfiguration to include UsersGetPremium in index properties * Add migration scripts for OrganizationUsersGetPremiumIndex across MySQL, PostgreSQL, and SQLite - Introduced new migration files to create the OrganizationUsersGetPremiumIndex. - Updated the DatabaseContextModelSnapshot to include UsersGetPremium in index properties for all database types. - Ensured consistency in index creation across different database implementations. --------- Co-authored-by: Todd Martin <tmartin@bitwarden.com> Co-authored-by: Patrick Pimentel <ppimentel@bitwarden.com>	4 months ago
Kyle Spearrin	bead4f1d5a	validate and email on sso privisioning (#6734 )	4 months ago
Ike	d5f39eac91	[PM-28769] [PM-28768] [PM-28772] Welcome email bug fixes (#6644 ) Fix: fix bugs reported by QA for Welcome emails * test: add test for new plan type in welcome email * fix: change to headStyle so styling is only included once * fix: update MJML templates to have correct copy text * chore: move build artifacts for updated email templates * fix: add setting for SMTP to SSO project * fix: update component css styling * chore: rebuild hbs templates * fix: using billing extension method to fetch Correct PlanType.	4 months ago
Ike	8a67aafbe5	[PM-1632] Redirect on `SsoRequired` - return SsoOrganizationIdentifier (#6597 ) feat: add SSO request validation and organization identifier lookup - Implement SsoRequestValidator to validate SSO requirements - Add UserSsoOrganizationIdentifierQuery to fetch organization identifiers - Create SsoOrganizationIdentifier custom response for SSO redirects - Add feature flag (RedirectOnSsoRequired) for gradual rollout - Register validators and queries in dependency injection - Create RequestValidationConstants to reduce magic strings - Add comprehensive test coverage for validation logic - Update BaseRequestValidator to consume SsoRequestValidator	4 months ago
rr-bw	5fb69e42b0	feat(marketing-initiated-premium): (Auth) [PM-27541] Add optional marketing param to email verification link (#6604 ) Adds an optional `&fromMarketing=premium` query parameter to the verification email link. Feature flag: `"pm-26140-marketing-initiated-premium-flow"`	4 months ago
Kyle Spearrin	c0700a6946	[PM-27766] Add policy for blocking account creation from claimed domains. (#6537 ) * Add policy for blocking account creation from claimed domains. * dotnet format * check as part of email verification * add feature flag * fix tests * try to fix dates on database integration tests * PR feedback from claude * remove claude local settings * pr feedback * format * fix test * create or alter * PR feedback * PR feedback * Update src/Core/Constants.cs Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * fix merge issues * fix tests --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>	4 months ago
Ike	9b3adf0ddc	[PM-21741] Welcome email updates (#6479 ) feat(PM-21741): implement MJML welcome email templates with feature flag support - Add MJML templates for individual, family, and organization welcome emails - Track *.hbs artifacts from MJML build - Implement feature flag for gradual rollout of new email templates - Update RegisterUserCommand and HandlebarsMailService to support new templates - Add text versions and sanitization for all welcome emails - Fetch organization data from database for welcome emails - Add comprehensive test coverage for registration flow Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>	5 months ago
Ike	96fe09af89	[PM-25415] move files into better place for code ownership (#6275 ) * chore: move files into better place for code ownership * fix: import correct namespace	7 months ago
Ike	d2d3e0f11b	[PM-22678] Send email otp authentication method (#6255 ) feat(auth): email OTP validation, and generalize authentication interface - Generalized send authentication method interface - Made validate method async - Added email mail support for Handlebars - Modified email templates to match future implementation fix(auth): update constants, naming conventions, and error handling - Renamed constants for clarity - Updated claims naming convention - Fixed error message generation - Added customResponse for Rust consumption test(auth): add and fix tests for validators and email - Added tests for SendEmailOtpRequestValidator - Updated tests for SendAccessGrantValidator chore: apply dotnet formatting	7 months ago
Ike	8a36d96e56	[PM-22739] Add ClaimsPrincipal Extension feat: add ClaimsPrincipal Extension test: add tests	8 months ago
Daniel James Smith	c7b1c7f6d5	[PM-22190] Remove gathering and reporting of ReferenceEvents (#5897 ) * Remove gathering and reporting of ReferenceEvents * Fix test that relied on reference events throwing --------- Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>	10 months ago
Jared Snider	9ebe165871	fix(RegistrationViaOrgInviteWelcomeEmail): [Auth/PM-21428] Registration via Org Invite should send welcome email even if reference data isn't provided (#5796 )	11 months ago
Ike	3f95513d11	[PM-19029][PM-19203] Addressing `UserService` tech debt around `ITwoFactorIsEnabledQuery` (#5754 ) * fix : split out the interface from the TwoFactorAuthenticationValidator into separate file. * fix: replacing IUserService.TwoFactorEnabled with ITwoFactorEnabledQuery * fix: combined logic for both bulk and single user look ups for TwoFactorIsEnabledQuery. * fix: return two factor provider enabled on CanGenerate() method. * tech debt: modfifying MFA providers to call the database less to validate if two factor is enabled. * tech debt: removed unused service from AuthenticatorTokenProvider * doc: added documentation to ITwoFactorProviderUsers * doc: updated comments for TwoFactorIsEnabled impl * test: fixing tests for ITwoFactorIsEnabledQuery * test: updating tests to have correct DI and removing test for automatic email of TOTP. * test: adding better test coverage	11 months ago
Bernd Schoolmann	0a4f97b50e	[PM-19883] Add untrust devices endpoint (#5619 ) * Add untrust devices endpoint * Fix tests * Update src/Core/Auth/UserFeatures/DeviceTrust/UntrustDevicesCommand.cs Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> * Fix whitespace --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>	12 months ago
Bernd Schoolmann	fae8692d2a	[PM-12607] Move key rotation & validators to km ownership (#4941 ) * Move key rotation & validators to km ownership * Fix build errors * Fix build errors * Fix import ordering * Update validator namespace * Move key rotation data to km ownership * Fix linting * Fix namespaces * Fix namespace * Fix namespaces * Move rotateuserkeycommandtests to km ownership	1 year ago
Jared Snider	e6245bbece	Auth/PM-12613 - Registration with Email Verification - Provider Invite Flow (#4917 ) * PM-12613 - Add RegisterUserViaProviderInviteToken flow (needs manual, unit, and integration tests) * PM-12613 - RegisterUserCommandTests - test register via provider inv * PM-12613 - AccountsControllerTests.cs - Add integration test for provider * PM-12613 - Remove comment * PM-12613 - Add temp logging to help debug integration test failure in pipeline * PM-12613 - WebApplicationFactoryBase.cs - add ConfigureServices * PM-12613 - AccountsControllerTests.cs - refactor test to sidestep encryption * PM-12613 - Per PR feedback, refactor AccountsController.cs and move token type checking into request model. * PM-12613 - Remove debug writelines * PM-12613 - Add RegisterFinishRequestModelTests	1 year ago
Jared Snider	fd07de736d	Auth/PM-11969 - Registration with Email Verification - Accept Emergency Access Invite Flow (#4773 ) * PM-11969 - Add new logic for registering a user via an AcceptEmergencyAccessInviteToken * PM-11969 - Unit test new RegisterUserViaAcceptEmergencyAccessInviteToken method. * PM-11969 - Integration test new method	2 years ago
Jared Snider	7d8df767cd	Auth/PM-11945 - Registration with Email Verification - Fix Org Sponsored Free Family Plan not working (#4772 ) * PM-11945 - Rename RegisterUserWithOptionalOrgInvite to RegisterUserViaOrgInvite as the org invite isn't optional in the function - just the overall process of registration. * PM-11945 - Yet another rename * PM-11945 - Wire up call to RegisterUserViaOrgSponsoredFreeFamilyPlanInviteToken and test. * PM-11945 - RegisterUserCommandTests - test new method * PM-11949 - Rename tests * PM-11945 - AccountsControllerTests.cs - add integration test for RegistrationWithEmailVerification_WithOrgSponsoredFreeFamilyPlanInviteToken_Succeeds * PM-11945 - Adjust naming per PR feedback to match docs. * PM-11945 - More renaming	2 years ago
Rui Tomé	8d69bb0aaa	[AC-1698] Check if a user has 2FA enabled more efficiently (#4524 ) * feat: Add stored procedure for reading organization user details with premium access by organization ID The code changes include: - Addition of a new stored procedure [dbo].[OrganizationUserUserDetailsWithPremiumAccess_ReadByOrganizationId] to read organization user details with premium access by organization ID - Modification of the IUserService interface to include an optional parameter for checking two-factor authentication with premium access - Modification of the UserService class to handle the new optional parameter in the TwoFactorIsEnabledAsync method - Addition of a new method GetManyDetailsWithPremiumAccessByOrganizationAsync in the IOrganizationUserRepository interface to retrieve organization user details with premium access by organization ID - Addition of a new view [dbo].[OrganizationUserUserDetailsWithPremiumAccessView] to retrieve organization user details with premium access * Add IUserRepository.SearchDetailsAsync that includes the field HasPremiumAccess * Check the feature flag on Admin.UsersController to see if the optimization runs * Modify PolicyService to run query optimization if the feature flag is enabled * Refactor the parameter check on UserService.TwoFactorIsEnabledAsync * Run query optimization on public MembersController if feature flag is enabled * Restore refactor * Reverted change used for development * Add unit tests for OrganizationService.RestoreUser * Separate new CheckPoliciesBeforeRestoreAsync optimization into new method * Add more unit tests * Apply refactor to bulk restore * Add GetManyDetailsAsync method to IUserRepository. Add ConfirmUsersAsync_vNext method to IOrganizationService * Add unit tests for ConfirmUser_vNext * Refactor the optimization to use the new TwoFactorIsEnabledAsync method instead of changing the existing one * Removed unused sql scripts and added migration script * Remove unnecessary view * chore: Remove unused SearchDetailsAsync method from IUserRepository and UserRepository * refactor: Use UserDetails constructor in UserRepository * Add summary to IUserRepository.GetManyDetailsAsync * Add summary descriptions to IUserService.TwoFactorIsEnabledAsync * Remove obsolete annotation from IUserRepository.UpdateUserKeyAndEncryptedDataAsync * refactor: Rename UserDetails to UserWithCalculatedPremium across the codebase * Extract IUserService.TwoFactorIsEnabledAsync into a new TwoFactorIsEnabledQuery class * Add unit tests for TwoFactorIsEnabledQuery * Update TwoFactorIsEnabledQueryTests to include additional provider types * Refactor TwoFactorIsEnabledQuery * Refactor TwoFactorIsEnabledQuery and update tests * refactor: Update TwoFactorIsEnabledQueryTests to include test for null TwoFactorProviders * refactor: Improve TwoFactorIsEnabledQuery and update tests * refactor: Improve TwoFactorIsEnabledQuery and update tests * Remove empty <returns> from summary * Update User_ReadByIdsWithCalculatedPremium stored procedure to accept JSON array of IDs	2 years ago
Jared Snider	54bd5fa894	Auth/PM-10130 - Registration with Email Verification - Respect Self-hosted Disable Open Registration flag (#4561 ) * PM-10130 - Registration with email verification - respect self hosted disable open registration setting properly in non-org invite scenarios. * PM-10130 - Fix unit tests. * PM-10130 - Update integration tests.	2 years ago
Bernd Schoolmann	ce185eb3df	[PM-5963] Fix tde offboarding vault corruption (#4144 ) * Attempt to fix tde to mp flow * Move tde offboarding to dedicated flag * Add tde offboarding password request * Validate tde offboarding input * Correctly check whether tde is active when building trusted device options * Refactor Tde offboarding into a separate command * Add unit tests for tde offboarding * Update tde offboarding request model * Fix tests * Fix further tests * Fix documentation * Add validation for updatetdepasswordasync key/newmasterpassword * Add comment explaining test * Remove unrelated changes	2 years ago
Jared Snider	8471326b1e	Auth/PM-7322 - Registration with Email verification - Finish registration endpoint (#4182 ) * PM-7322 - AccountsController.cs - create empty method + empty req model to be able to create draft PR. * PM-7322 - Start on RegisterFinishRequestModel.cs * PM-7322 - WIP on Complete Registration endpoint * PM-7322 - UserService.cs - RegisterUserAsync - Tweak of token to be orgInviteToken as we are adding a new email verification token to the mix. * PM-7322 - UserService - Rename MP to MPHash * PM-7322 - More WIP progress on getting new finish registration process in place. * PM-7322 Create IRegisterUserCommand * PM-7322 - RegisterUserCommand.cs - first WIP draft * PM-7322 - Implement use of new command in Identity. * PM-7322 - Rename RegisterUserViaOrgInvite to just be RegisterUser as orgInvite is optional. * PM07322 - Test RegisterUserCommand.RegisterUser(...) happy paths and one bad request path. * PM-7322 - More WIP on RegisterUserCommand.cs and tests * PM-7322 - RegisterUserCommand.cs - refactor ValidateOrgInviteToken logic to always validate the token if we have one. * PM-7322 - RegisterUserCommand.cs - Refactor OrgInviteToken validation to be more clear + validate org invite token even in open registration scenarios + added tests. * PM-7322 - Add more test coverage to RegisterUserWithOptionalOrgInvite * PM-7322 - IRegisterUserCommand - DOCS * PM-7322 - Test RegisterUser * PM-7322 - IRegisterUserCommand - Add more docs. * PM-7322 - Finish updating all existing user service register calls to use the new command. * PM-7322 - RegistrationEmailVerificationTokenable.cs changes + tests * PM-7322 - RegistrationEmailVerificationTokenable.cs changed to only verify email as it's the only thing we need to verify + updated tests. * PM-7322 - Get RegisterUserViaEmailVerificationToken built and tested * PM-7322 - AccountsController.cs - get bones of PostRegisterFinish in place * PM-7322 - SendVerificationEmailForRegistrationCommand - Feature flag timing attack delays per architecture discussion with a default of keeping them around. * PM-7322 - RegisterFinishRequestModel.cs - EmailVerificationToken must be optional for org invite scenarios. * PM-7322 - HandlebarsMailService.cs - SendRegistrationVerificationEmailAsync - must URL encode email to avoid invalid email upon submission to server on complete registration step * PM-7322 - RegisterUserCommandTests.cs - add API key assertions * PM-7322 - Clean up RegisterUserCommand.cs * PM-7322 - Refactor AccountsController.cs existing org invite method and new process to consider new feature flag for delays. * PM-7322 - Add feature flag svc to AccountsControllerTests.cs + add TODO * PM-7322 - AccountsController.cs - Refactor shared IdentityResult logic into private helper. * PM-7322 - Work on getting PostRegisterFinish tests in place. * PM-7322 - AccountsControllerTests.cs - test new method. * PM-7322 - RegisterFinishRequestModel.cs - Update to use required keyword instead of required annotations as it is easier to catch mistakes. * PM-7322 - Fix misspelling * PM-7322 - Integration tests for RegistrationWithEmailVerification * PM-7322 - Fix leaky integration tests. * PM-7322 - Another leaky test fix. * PM-7322 - AccountsControllerTests.cs - fix RegistrationWithEmailVerification_WithOrgInviteToken_Succeeds * PM-7322 - AccountsControllerTests.cs - Finish out integration test suite!	2 years ago
Jared Snider	b2b1e3de87	Auth/PM-5092 - Registration with Email verification - Send Email Verification Endpoint (#4173 ) * PM-5092 - Add new EnableEmailVerification global setting. * PM-5092 - WIP - AccountsController.cs - create stub for new PostRegisterSendEmailVerification * PM-5092 - RegisterSendEmailVerificationRequestModel * PM-5092 - Create EmailVerificationTokenable.cs and get started on tests (still WIP). * PM-5092 - EmailVerificationTokenable.cs finished + tests working. * PM-5092 - Add token data factory for new EmailVerificationTokenable factory. * PM-5092 - EmailVerificationTokenable.cs - set expiration to match existing verify email. * PM-5092 - Get SendVerificationEmailForRegistrationCommand command mostly written + register as scoped. * PM-5092 - Rename tokenable to be more clear and differentiate it from the existing email verification token. * PM-5092 - Add new registration verify email method on mail service. * PM-5092 - Refactor SendVerificationEmailForRegistrationCommand and add call to mail service to send email. * PM-5092 - NoopMailService.cs needs to implement all interface methods. * PM-5092 - AccountsController.cs - get PostRegisterSendEmailVerification logic in place. * PM-5092 - AccountsControllerTests.cs - Add some unit tests - WIP * PM-5092 - SendVerificationEmailForRegistrationCommandTests * PM-5092 - Add integration tests for new acct controller method * PM-5092 - Cleanup unit tests * PM-5092 - AccountsController.cs - PostRegisterSendEmailVerification - remove modelState invalid check as .NET literally executes this validation pre-method execution. * PM-5092 - Rename to read better - send verification email > send email verification * PM-5092 - Revert primary constructor approach so DI works. * PM-5092 - (1) Cleanup new but now not needed global setting (2) Add custom email for registration verify email. * PM-5092 - Fix email text * PM-5092 - (1) Modify ReferenceEvent.cs to allow nullable values for the 2 params which should have been nullable based on the constructor logic (2) Add new ReferenceEventType.cs for email verification register submit (3) Update AccountsController.cs to log new reference event (4) Update tests * PM-5092 - RegistrationEmailVerificationTokenable - update prefix, purpose, and token id to include registration to differentiate it from the existing email verification token. * PM-5092 - Per PR feedback, cleanup used dict. * PM-5092 - formatting pass (manual + dotnet format) * PM-5092 - Per PR feedback, log reference event after core business logic executes * PM-5092 - Per PR feedback, add validation + added nullable flag to name as it is optional. * PM-5092 - Per PR feedback, add constructor validation for required tokenable data * PM-5092 - RegisterVerifyEmail url now contains email as that is required in client side registration step to create a master key. * PM-5092 - Add fromEmail flag + some docs * PM-5092 - ReferenceEvent.cs - Per PR feedback, make SignupInitiationPath and PlanUpgradePath nullable * PM-5092 - ReferenceEvent.cs - remove nullability per PR feedback * PM-5092 - Per PR feedback, use default constructor and manually create reference event. * PM-5092 - Per PR feedback, add more docs!	2 years ago
Bernd Schoolmann	3ad4bc1cab	[PM-4371] Implement PRF key rotation (#4157 ) * Send rotateable keyset on list webauthn keys * Implement basic prf key rotation * Add validator for webauthn rotation * Fix accounts controller tests * Add webauthn rotation validator tests * Introduce separate request model * Fix tests * Remove extra empty line * Remove filtering in validator * Don't send encrypted private key * Fix tests * Implement delegated webauthn db transactions * Add backward compatibility * Fix query not working * Update migration sql * Update dapper query * Remove unused helper * Rename webauthn to WebAuthnLogin * Fix linter errors * Fix tests * Fix tests	2 years ago
Bernd Schoolmann	0189952e1f	[PM-5938] Prevent permanent vault coruption on key-rotation with desycned vault (#4098 ) * Add check to verify the vault state for rotation is not obviously desynced (empty) * Add unit test for key rotation guardrail * Move de-synced vault detection to validators * Add tests	2 years ago
Justin Baur	e22da3a53e	Replace `async void` with `async Task` (#3835 )	2 years ago
Andreas Coroiu	d63c917c95	[PM-4619] Rewrite `UserService` methods as commands (#3432 ) * [PM-4619] feat: scaffold new create options command * [PM-4169] feat: implement credential create options command * [PM-4619] feat: create command for credential creation * [PM-4619] feat: create assertion options command * [PM-4619] chore: clean-up unused argument * [PM-4619] feat: implement assertion command * [PM-4619] feat: migrate to commands * [PM-4619] fix: lint * [PM-4169] fix: use constant * [PM-4619] fix: lint I have no idea what this commit acutally changes, but the file seems to have some character encoding issues. This fix was generated by `dotnet format`	2 years ago
Jake Fink	989603ddd3	[Pm 3797 Part 2] Add emergency access rotations (#3434 ) ## Type of change <!-- (mark with an `X`) --> ``` - [ ] Bug fix - [ ] New feature development - [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective <!--Describe what the purpose of this PR is. For example: what bug you're fixing or what new feature you're adding--> See #3425 for part 1 and background. This PR adds emergency access to the rotation. All new code is hidden behind a feature flag. The Accounts controller has also been moved to Auth ownership. ## Code changes <!--Explain the changes you've made to each file or major component. This should help the reviewer understand your changes--> <!--Also refer to any related changes or PRs in other repositories--> * file.ext: Description of what was changed and why * AccountsController.cs: Moved to Auth ownership. Emergency access validation was added (as well as initializing empty lists to avoid errors). * EmergencyAccessRotationValidator.cs: Performs validation on the provided list of new emergency access keys. * EmergencyAccessRepository.cs: Adds a method to rotate encryption keys. This is added to a list in the `RotateUserKeyCommand` that the `UserRepository` calls so it doesn't have to know about all the domains. ## Before you submit - Please check for formatting errors (`dotnet format --verify-no-changes`) (required) - If making database changes - make sure you also update Entity Framework queries and/or migrations - Please add unit tests where it makes sense to do so (encouraged but not required) - If this change requires a documentation update - notify the documentation team - If this change has particular deployment requirements - notify the DevOps team	2 years ago
Thomas Rittson	9021236d61	AC Team code ownership moves: Organization pt. 1 (#3472 ) * move Organization.cs files to AC Team code ownership	2 years ago
Jake Fink	b716a925f8	[PM-3797 Part 1] Layout new key rotation methods (#3425 ) * layout new key rotation methods - add endpoint with request model - add command with data model - add repository method * layout new key rotation methods - add endpoint with request model - add command with data model - add repository method * formatting * rename account recovery to reset password * fix tests * remove extra endpoint * rename account recovery to reset password * fix tests and formatting * register db calls in command, removing list from user repo * formatting	2 years ago
Jared Snider	ee618328c0	Auth/PM-3275 - Changes to support TDE User without MP being able to Set a Password + misc refactoring (#3242 ) * PM-3275 - Add new GetMasterPasswordPolicy endpoint which will allow authenticated clients to get an enabled MP org policy if it exists for the purposes of enforcing those policy requirements when setting a password. * PM-3275 - AccountsController.cs - PostSetPasswordAsync - (1) Convert UserService.setPasswordAsync into new SetInitialMasterPasswordCommand (2) Refactor SetInitialMasterPasswordCommand to only accept post SSO users who are in the invited state (3) Add TODOs for more cleanup work and more commands * PM-3275 - Update AccountsControllerTests.cs to add new SetInitialMasterPasswordCommand * PM-3275 - UserService.cs - Remove non implemented ChangePasswordAsync method * PM-3275 - The new SetInitialMasterPasswordCommand leveraged the OrganizationService.cs AcceptUserAsync method so while I was in here I converted the AcceptUserAsync methods into a new AcceptOrgUserCommand.cs and turned the private method which accepted an existing org user public for use in the SetInitialMasterPasswordCommand * PM-3275 - Dotnet format * PM-3275 - Test SetInitialMasterPasswordCommand * Dotnet format * PM-3275 - In process AcceptOrgUserCommandTests.cs * PM-3275 - Migrate changes from AC-244 / #3199 over into new AcceptOrgUserCommand * PM-3275 - AcceptOrgUserCommand.cs - create data protector specifically for this command * PM-3275 - Add TODO for renaming / removing overloading of methods to improve readability / clarity * PM-3275 - AcceptOrgUserCommand.cs - refactor AcceptOrgUserAsync by OrgId to retrieve orgUser with _organizationUserRepository.GetByOrganizationAsync which gets a single user instead of a collection * PM-3275 - AcceptOrgUserCommand.cs - update name in TODO for evaluation later * PM-3275 / PM-1196 - (1) Slightly refactor SsoEmail2faSessionTokenable to provide public static GetTokenLifeTime() method for testing (2) Add missed tests to SsoEmail2faSessionTokenable in preparation for building tests for new OrgUserInviteTokenable.cs * PM-3275 / PM-1196 - Removing SsoEmail2faSessionTokenable.cs changes + tests as I've handled that separately in a new PR (#3270) for newly created task PM-3925 * PM-3275 - ExpiringTokenable.cs - add clarifying comments to help distinguish between the Valid property and the TokenIsValid method. * PM-3275 - Create OrgUserInviteTokenable.cs and add tests in OrgUserInviteTokenableTests.cs * PM-3275 - OrganizationService.cs - Refactor Org User Invite methods to use new OrgUserInviteTokenable instead of manual creation of a token * PM-3275 - OrgUserInviteTokenable.cs - clarify backwards compat note * PM-3275 - AcceptOrgUserCommand.cs - Add TODOs + minor name refactor * PM-3275 - AcceptOrgUserCommand.cs - replace method overloading with more easily readable names. * PM-3275 - AcceptOrgUserCommand.cs - Update ValidateOrgUserInviteToken to add new token validation while maintaining backwards compatibility for 1 release. * dotnet format * PM-3275 - AcceptOrgUserCommand.cs - Move private method below where it is used * PM-3275 - ServiceCollectionExtensions.cs - Must register IDataProtectorTokenFactory<OrgUserInviteTokenable> for new tokenable * PM-3275 - OrgUserInviteTokenable needed access to global settings to set its token lifetime to the _globalSettings.OrganizationInviteExpirationHours value. Creating a factory seemed the most straightforward way to encapsulate the desired creation logic. Unsure if in the correct location in ServiceCollectionExtensions.cs but will figure that out later. * PM-3275 - In process work of creating AcceptOrgUserCommandTests.cs * PM-3275 - Remove no longer relevant AcceptOrgUser tests from OrganizationServiceTests.cs * PM-3275 - Register OrgUserInviteTokenableFactory alongside tokenizer * PM-3275 - AcceptOrgUserCommandTests.cs - AcceptOrgUserAsync basic test suite completed. * PM-3275 - AcceptOrgUserCommandTests.cs - tweak test names * PM-3275 - AcceptOrgUserCommandTests.cs - (1) Remove old tests from OrganizationServiceTests as no longer needed to reference (2) Add summary for SetupCommonAcceptOrgUserMocks (3) Get AcceptOrgUserByToken_OldToken_AcceptsUserAndVerifiesEmail passing * PM-3275 - Create interface for OrgUserInviteTokenableFactory b/c that's the right thing to do + enables test substitution * PM-3275 - AcceptOrgUserCommandTests.cs - (1) Start work on AcceptOrgUserByToken_NewToken_AcceptsUserAndVerifiesEmail (2) Create and use SetupCommonAcceptOrgUserByTokenMocks() (3) Create generic FakeDataProtectorTokenFactory for tokenable testing * PM-3275 - (1) Get AcceptOrgUserByToken_NewToken_AcceptsUserAndVerifiesEmail test passing (2) Move FakeDataProtectorTokenFactory to own file * PM-3275 - AcceptOrgUserCommandTests.cs - Finish up tests for AcceptOrgUserByTokenAsync * PM-3275 - Add pseudo section comments * PM-3275 - Clean up unused params on AcceptOrgUserByToken_EmailMismatch_ThrowsBadRequest test * PM-3275 - (1) Tests written for AcceptOrgUserByOrgSsoIdAsync (2) Refactor happy path assertions into helper function AssertValidAcceptedOrgUser to reduce code duplication * PM-3275 - Finish up testing AcceptOrgUserCommandTests.cs by adding tests for AcceptOrgUserByOrgIdAsync * PM-3275 - Tweaking test naming to ensure consistency. * PM-3275 - Bugfix - OrgUserInviteTokenableFactory implementation required when declaring singleton service in ServiceCollectionExtensions.cs * PM-3275 - Resolve failing OrganizationServiceTests.cs * dotnet format * PM-3275 - PoliciesController.cs - GetMasterPasswordPolicy bugfix - for orgs without a MP policy, policy comes back as null and we should return notFound in that case. * PM-3275 - Add PoliciesControllerTests.cs specifically for new GetMasterPasswordPolicy(...) endpoint. * PM-3275 - dotnet format PoliciesControllerTests.cs * PM-3275 - PoliciesController.cs - (1) Add tech debt task number (2) Properly flag endpoint as deprecated * PM-3275 - Add new hasManageResetPasswordPermission property to ProfileResponseModel.cs primarily for sync so that we can condition client side if TDE user obtains elevated permissions * PM-3275 - Fix AccountsControllerTests.cs * PM-3275 - OrgUserInviteTokenable.cs - clarify TODO * PM-3275 - AcceptOrgUserCommand.cs - Refactor token validation to use short circuiting to only run old token validation if new token validation fails. * PM-3275 - OrgUserInviteTokenable.cs - (1) Add new static methods to centralize validation logic to avoid repetition (2) Add new token validation method so we can avoid having to pass in a full org user (and hitting the db to do so) * PM-3275 - Realized that the old token validation was used in the PoliciesController.cs (existing user clicks invite link in email and goes to log in) and UserService.cs (user clicks invite link in email and registers for a new acct). Added tech debt item for cleaning up backwards compatibility in future. * dotnet format * PM-3275 - (1) AccountsController.cs - Update PostSetPasswordAsync SetPasswordRequestModel to allow null keys for the case where we have a TDE user who obtains elevated permissions - they already have a user public and user encrypted private key saved in the db. (2) AccountsControllerTests.cs - test PostSetPasswordAsync scenarios to ensure changes will work as expected. * PM-3275 - PR review feedback - (1) set CurrentContext to private (2) Refactor GetProfile to use variables to improve clarity and simplify debugging. * PM-3275 - SyncController.cs - PR Review Feedback - Set current context as private instead of protected. * PM-3275 - CurrentContextExtensions.cs - PR Feedback - move parenthesis up from own line. * PM-3275 - SetInitialMasterPasswordCommandTests.cs - Replace unnecessary variable * PM-3275 - SetInitialMasterPasswordCommandTests.cs - PR Feedback - Add expected outcome statement to test name * PM-3275 - Set Initial Password command and tests - PR Feedback changes - (1) Rename orgIdentifier --> OrgSsoIdentifier for clarity (2) Update SetInitialMasterPasswordAsync to not allow null orgSsoId with explicit message saying this vs letting null org trigger invalid organization (3) Add test to cover this new scenario. * PM-3275 - SetInitialMasterPasswordCommand.cs - Move summary from implementation to interface to better respect standards and the fact that the interface is the more seen piece of code. * PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, rename AcceptOrgUserByTokenAsync -> AcceptOrgUserByEmailTokenAsync + replace generic name token with emailToken * PM-3275 - OrganizationService.cs - Per PR feedback, remove dupe line * PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, remove new lines in error messages for consistency. * PM-3275 - SetInitialMasterPasswordCommand.cs - Per PR feedback, adjust formatting of constructor for improved readability. * PM-3275 - CurrentContextExtensions.cs - Refactor AnyOrgUserHasManageResetPasswordPermission per PR feedback to remove unnecessary var. * PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, remove completed TODO * PM-3275 - PoliciesController.cs - Per PR feedback, update GetByInvitedUser param to be guid instead of string. * PM-3275 - OrgUserInviteTokenable.cs - per PR feedback, add tech debt item info. * PM-3275 - AcceptOrgUserCommand.cs - Per PR feedback, use const purpose from tokenable instead of magic string. * PM-3275 - Restore non duplicate line to fix tests * PM-3275 - Per PR feedback, revert all sync controller changes as the ProfileResponseModel.organizations array has org objects which have permissions which have the ManageResetPassword permission. So, I have the information that I need clientside already to determine if the user has the ManageResetPassword in any org. * PM-3275 - PoliciesControllerTests.cs - Update imports as the PoliciesController was moved under the admin console team's domain. * PM-3275 - Resolve issues from merge conflict resolutions to get solution building. * PM-3275 / PM-4633 - PoliciesController.cs - use orgUserId to look up user instead of orgId. Oops. * Fix user service tests * Resolve merge conflict	2 years ago

45 Commits (renovate/microsoft.data.sqlclient-7.x)