Pm 2032 troubleshoot actions

.gitignore

@@ -225,4 +225,4 @@ src/Identity/Identity.zip
 src/Notifications/Notifications.zip
 bitwarden_license/src/Portal/Portal.zip
 bitwarden_license/src/Sso/Sso.zip
-src/Api/flags.json
+**/src/*/flags.json

src/Api/Auth/Controllers/WebAuthnController.cs

@@ -0,0 +1,112 @@
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.Webauthn;
+using Bit.Api.Auth.Models.Response.WebAuthn;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Auth.Models.Business.Tokenables;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Bit.Core.Tokens;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Auth.Controllers;
+
+[Route("webauthn")]
+[Authorize("Web")]
+[RequireFeature(FeatureFlagKeys.PasswordlessLogin)]
+public class WebAuthnController : Controller
+{
+    private readonly IUserService _userService;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;
+    private readonly IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> _createOptionsDataProtector;
+
+    public WebAuthnController(
+        IUserService userService,
+        IWebAuthnCredentialRepository credentialRepository,
+        IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable> createOptionsDataProtector)
+    {
+        _userService = userService;
+        _credentialRepository = credentialRepository;
+        _createOptionsDataProtector = createOptionsDataProtector;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<WebAuthnCredentialResponseModel>> Get()
+    {
+        var user = await GetUserAsync();
+        var credentials = await _credentialRepository.GetManyByUserIdAsync(user.Id);
+
+        return new ListResponseModel<WebAuthnCredentialResponseModel>(credentials.Select(c => new WebAuthnCredentialResponseModel(c)));
+    }
+
+    [HttpPost("options")]
+    public async Task<WebAuthnCredentialCreateOptionsResponseModel> PostOptions([FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var options = await _userService.StartWebAuthnLoginRegistrationAsync(user);
+
+        var tokenable = new WebAuthnCredentialCreateOptionsTokenable(user, options);
+        var token = _createOptionsDataProtector.Protect(tokenable);
+
+        return new WebAuthnCredentialCreateOptionsResponseModel
+        {
+            Options = options,
+            Token = token
+        };
+    }
+
+    [HttpPost("")]
+    public async Task Post([FromBody] WebAuthnCredentialRequestModel model)
+    {
+        var user = await GetUserAsync();
+        var tokenable = _createOptionsDataProtector.Unprotect(model.Token);
+        if (!tokenable.TokenIsValid(user))
+        {
+            throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
+        }
+
+        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, model.SupportsPrf, model.EncryptedUserKey, model.EncryptedPublicKey, model.EncryptedPrivateKey, tokenable.Options, model.DeviceResponse);
+        if (!success)
+        {
+            throw new BadRequestException("Unable to complete WebAuthn registration.");
+        }
+    }
+
+    [HttpPost("{id}/delete")]
+    public async Task Delete(Guid id, [FromBody] SecretVerificationRequestModel model)
+    {
+        var user = await VerifyUserAsync(model);
+        var credential = await _credentialRepository.GetByIdAsync(id, user.Id);
+        if (credential == null)
+        {
+            throw new NotFoundException("Credential not found.");
+        }
+
+        await _credentialRepository.DeleteAsync(credential);
+    }
+
+    private async Task<Core.Entities.User> GetUserAsync()
+    {
+        var user = await _userService.GetUserByPrincipalAsync(User);
+        if (user == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+        return user;
+    }
+
+    private async Task<Core.Entities.User> VerifyUserAsync(SecretVerificationRequestModel model)
+    {
+        var user = await GetUserAsync();
+        if (!await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            await Task.Delay(Constants.FailedSecretVerificationDelay);
+            throw new BadRequestException(string.Empty, "User verification failed.");
+        }
+
+        return user;
+    }
+}

src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs

@@ -0,0 +1,33 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Request.Webauthn;
+
+public class WebAuthnCredentialRequestModel
+{
+    [Required]
+    public AuthenticatorAttestationRawResponse DeviceResponse { get; set; }
+
+    [Required]
+    public string Name { get; set; }
+
+    [Required]
+    public string Token { get; set; }
+
+    [Required]
+    public bool SupportsPrf { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPrivateKey { get; set; }
+}
+

src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialCreateOptionsResponseModel.cs

@@ -0,0 +1,16 @@
+using Bit.Core.Models.Api;
+using Fido2NetLib;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialCreateOptionsResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredentialCreateOptions";
+
+    public WebAuthnCredentialCreateOptionsResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public CredentialCreateOptions Options { get; set; }
+    public string Token { get; set; }
+}

src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs

@@ -0,0 +1,21 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Auth.Models.Response.WebAuthn;
+
+public class WebAuthnCredentialResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webauthnCredential";
+
+    public WebAuthnCredentialResponseModel(WebAuthnCredential credential) : base(ResponseObj)
+    {
+        Id = credential.Id.ToString();
+        Name = credential.Name;
+        PrfStatus = credential.GetPrfStatus();
+    }
+
+    public string Id { get; set; }
+    public string Name { get; set; }
+    public WebAuthnPrfStatus PrfStatus { get; set; }
+}

src/Core/Auth/Entities/WebAuthnCredential.cs

@@ -0,0 +1,50 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Entities;
+
+public class WebAuthnCredential : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    [MaxLength(50)]
+    public string Name { get; set; }
+    [MaxLength(256)]
+    public string PublicKey { get; set; }
+    [MaxLength(256)]
+    public string CredentialId { get; set; }
+    public int Counter { get; set; }
+    [MaxLength(20)]
+    public string Type { get; set; }
+    public Guid AaGuid { get; set; }
+    [MaxLength(2000)]
+    public string EncryptedUserKey { get; set; }
+    [MaxLength(2000)]
+    public string EncryptedPrivateKey { get; set; }
+    [MaxLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+    public bool SupportsPrf { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
+
+    public void SetNewId()
+    {
+        Id = CoreHelpers.GenerateComb();
+    }
+
+    public WebAuthnPrfStatus GetPrfStatus()
+    {
+        if (SupportsPrf && EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
+        {
+            return WebAuthnPrfStatus.Enabled;
+        }
+        else if (SupportsPrf)
+        {
+            return WebAuthnPrfStatus.Supported;
+        }
+
+        return WebAuthnPrfStatus.Unsupported;
+    }
+}

src/Core/Auth/Enums/WebAuthnLoginAssertionOptionsScope.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum WebAuthnLoginAssertionOptionsScope
+{
+    Authentication = 0,
+    PrfRegistration = 1
+}

src/Core/Auth/Enums/WebAuthnPrfStatus.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum WebAuthnPrfStatus
+{
+    Enabled = 0,
+    Supported = 1,
+    Unsupported = 2
+}

src/Core/Auth/Models/Api/Response/Accounts/WebAuthnLoginAssertionOptionsResponseModel.cs

@@ -0,0 +1,18 @@
+
+using Bit.Core.Models.Api;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Api.Response.Accounts;
+
+public class WebAuthnLoginAssertionOptionsResponseModel : ResponseModel
+{
+    private const string ResponseObj = "webAuthnLoginAssertionOptions";
+
+    public WebAuthnLoginAssertionOptionsResponseModel() : base(ResponseObj)
+    {
+    }
+
+    public AssertionOptions Options { get; set; }
+    public string Token { get; set; }
+}
+

src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs

@@ -16,6 +16,12 @@ public UserDecryptionOptions() : base("userDecryptionOptions")
     /// </summary>
     public bool HasMasterPassword { get; set; }
 
+    /// <summary>
+    /// Gets or sets the WebAuthn PRF decryption keys.
+    /// </summary>
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public WebAuthnPrfDecryptionOption? WebAuthnPrfOptions { get; set; }
+
     /// <summary>
     /// Gets or sets information regarding this users trusted device decryption setup.
     /// </summary>
@@ -29,6 +35,20 @@ public UserDecryptionOptions() : base("userDecryptionOptions")
     public KeyConnectorUserDecryptionOption? KeyConnectorOption { get; set; }
 }
 
+public class WebAuthnPrfDecryptionOption
+{
+    public string EncryptedPrivateKey { get; }
+    public string EncryptedUserKey { get; }
+
+    public WebAuthnPrfDecryptionOption(
+        string encryptedPrivateKey,
+        string encryptedUserKey)
+    {
+        EncryptedPrivateKey = encryptedPrivateKey;
+        EncryptedUserKey = encryptedUserKey;
+    }
+}
+
 public class TrustedDeviceUserDecryptionOption
 {
     public bool HasAdminApproval { get; }

src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialCreateOptionsTokenable.cs

@@ -0,0 +1,44 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnCredentialCreateOptionsTokenable : ExpiringTokenable
+{
+    // 7 minutes = max webauthn timeout (6 minutes) + slack for miscellaneous delays
+    private const double _tokenLifetimeInHours = (double)7 / 60;
+    public const string ClearTextPrefix = "BWWebAuthnCredentialCreateOptions_";
+    public const string DataProtectorPurpose = "WebAuthnCredentialCreateDataProtector";
+    public const string TokenIdentifier = "WebAuthnCredentialCreateOptionsToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid? UserId { get; set; }
+    public CredentialCreateOptions Options { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnCredentialCreateOptionsTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnCredentialCreateOptionsTokenable(User user, CredentialCreateOptions options) : this()
+    {
+        UserId = user?.Id;
+        Options = options;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (!Valid || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && UserId != null && Options != null;
+}
+