Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow bypass of captcha token if the device is known #1626

Merged
merged 1 commit into from
Oct 8, 2021
Merged

Allow bypass of captcha token if the device is known #1626

merged 1 commit into from
Oct 8, 2021

Conversation

MGibson1
Copy link
Member

@MGibson1 MGibson1 commented Oct 8, 2021

Overview

Captcha activation on our cloud instance has caused all CLI authentications using username + password to provide a captcha key.

The thought was that this would be a rare authentication flow rather than a change to the intended path. This is recorded in this CLI issue: bitwarden/cli#383

As a partial remediation, this work bypasses any captcha if the device ID of the client is already associated to the user. This way, any device can only require captcha on the first login. There is an increase in risk for compromised known hardware, but largely that would be an already lost situation.

Files Changed

  • BaseRequestValidator: Provide knownDevice helper
  • ResourceOwnerPasswordValidator: Require captcha only for unknown device && captcha required from captcha service.

@MGibson1 MGibson1 merged commit 8a5a371 into master Oct 8, 2021
@MGibson1 MGibson1 deleted the bypass-captcha-for-know-user-device branch October 8, 2021 23:59
@ivankovnatsky ivankovnatsky mentioned this pull request Oct 9, 2021
Closed
@MGibson1 MGibson1 mentioned this pull request Oct 11, 2021
Closed
kspearrin
kspearrin reviewed Oct 11, 2021
View reviewed changes
src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
Comment on lines +62 to +63
var unknownDevice = !await KnownDeviceAsync(user, context.Request);
if (!unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this logic is correct. Also, you are negating twice. Why not just drop the two !?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MGibson1 please review ^

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦🏻 , I missed the double negative here, this may need some revision re-reading it. Thanks Kyle

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#1629

@MGibson1 MGibson1 mentioned this pull request Oct 11, 2021
Merged
MGibson1 added a commit that referenced this pull request Oct 19, 2021
@MGibson1
Allow bypass of captcha token if the device is known (#1626)
0859a2a 
(cherry picked from commit 8a5a371)
dlundgren pushed a commit to dlundgren/server that referenced this pull request Dec 14, 2021
@MGibson1 @dlundgren
Allow bypass of captcha token if the device is known (bitwarden#1626)
0c518a0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kspearrin kspearrin kspearrin left review comments

@cscharf cscharf cscharf approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MGibson1 @kspearrin @cscharf