Auth/PM-3813 - 2FA Management Endpoints - User Verification Refactor

apps/cli/src/auth/commands/login.command.ts

@@ -25,8 +25,8 @@ import {
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
-import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
 import { TwoFactorService, TwoFactorApiService } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorEmailLoginRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-email-login.request";
 import { ClientType } from "@bitwarden/common/enums";
 import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
 import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
@@ -300,7 +300,7 @@ export class LoginCommand {
         }
 
         if (twoFactorToken == null && selectedProvider.type === TwoFactorProviderType.Email) {
-          const emailReq = new TwoFactorEmailRequest();
+          const emailReq = new TwoFactorEmailLoginRequest();
           emailReq.email = await this.loginStrategyService.getEmail();
           // if the user was logging in with SSO, we need to include the SSO session token
           if (response.ssoEmail2FaSessionToken != null) {

apps/web/src/app/admin-console/organizations/settings/two-factor-setup.component.ts

@@ -13,10 +13,9 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-import { TwoFactorDuoResponse } from "@bitwarden/common/auth/models/response/two-factor-duo.response";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
-import { TwoFactorService } from "@bitwarden/common/auth/two-factor";
-import { AuthResponse } from "@bitwarden/common/auth/types/auth-response";
+import { TwoFactorService, TwoFactorSetupDialogData } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorOrganizationDuoResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-organization-duo.response";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -93,9 +92,8 @@ export class TwoFactorSetupComponent extends BaseTwoFactorSetupComponent impleme
         const twoFactorVerifyDialogRef = TwoFactorVerifyComponent.open(this.dialogService, {
           data: { type: type, organizationId: this.organizationId },
         });
-        const result: AuthResponse<TwoFactorDuoResponse> = await lastValueFrom(
-          twoFactorVerifyDialogRef.closed,
-        );
+        const result: TwoFactorSetupDialogData<TwoFactorOrganizationDuoResponse> =
+          await lastValueFrom(twoFactorVerifyDialogRef.closed);
         if (!result) {
           return;
         }

apps/web/src/app/auth/core/services/webauthn-login/response/webauthn-login-credential-create-options.response.ts

@@ -1,12 +1,12 @@
-import { ChallengeResponse } from "@bitwarden/common/auth/models/response/two-factor-web-authn.response";
+import { WebAuthnChallengeResponse } from "@bitwarden/common/auth/models/response/web-authn-challenge.response";
 import { BaseResponse } from "@bitwarden/common/models/response/base.response";
 
 /**
  * Options provided by the server to be used during attestation (i.e. creation of a new webauthn credential)
  */
 export class WebauthnLoginCredentialCreateOptionsResponse extends BaseResponse {
   /** Options to be provided to the webauthn authenticator */
-  options: ChallengeResponse;
+  options: WebAuthnChallengeResponse;
 
   /**
    * Contains an encrypted version of the {@link options}.
@@ -16,7 +16,7 @@ export class WebauthnLoginCredentialCreateOptionsResponse extends BaseResponse {
 
   constructor(response: unknown) {
     super(response);
-    this.options = new ChallengeResponse(this.getResponseProperty("options"));
+    this.options = new WebAuthnChallengeResponse(this.getResponseProperty("options"));
     this.token = this.getResponseProperty("token");
   }
 }

apps/web/src/app/auth/core/views/credential-create-options.view.ts

@@ -1,8 +1,8 @@
-import { ChallengeResponse } from "@bitwarden/common/auth/models/response/two-factor-web-authn.response";
+import { WebAuthnChallengeResponse } from "@bitwarden/common/auth/models/response/web-authn-challenge.response";
 
 export class CredentialCreateOptionsView {
   constructor(
-    readonly options: ChallengeResponse,
+    readonly options: WebAuthnChallengeResponse,
     readonly token: string,
   ) {}
 }

apps/web/src/app/auth/settings/account/change-email.component.spec.ts

@@ -5,9 +5,9 @@ import { firstValueFrom } from "rxjs";
 
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-import { TwoFactorProviderResponse } from "@bitwarden/common/auth/models/response/two-factor-provider.response";
 import { ChangeEmailService } from "@bitwarden/common/auth/services/change-email/change-email.service";
 import { TwoFactorService } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorProviderResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-provider.response";
 import { ListResponse } from "@bitwarden/common/models/response/list.response";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";

apps/web/src/app/auth/settings/two-factor/two-factor-recovery.component.ts

@@ -2,7 +2,7 @@ import { CommonModule } from "@angular/common";
 import { Component, Inject } from "@angular/core";
 
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-import { TwoFactorRecoverResponse } from "@bitwarden/common/auth/models/response/two-factor-recover.response";
+import { TwoFactorRecoverResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-recover.response";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import {
   ButtonModule,

apps/web/src/app/auth/settings/two-factor/two-factor-setup-authenticator.component.ts

@@ -9,11 +9,10 @@ import { JslibModule } from "@bitwarden/angular/jslib.module";
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-import { DisableTwoFactorAuthenticatorRequest } from "@bitwarden/common/auth/models/request/disable-two-factor-authenticator.request";
-import { UpdateTwoFactorAuthenticatorRequest } from "@bitwarden/common/auth/models/request/update-two-factor-authenticator.request";
-import { TwoFactorAuthenticatorResponse } from "@bitwarden/common/auth/models/response/two-factor-authenticator.response";
-import { TwoFactorService } from "@bitwarden/common/auth/two-factor";
-import { AuthResponse } from "@bitwarden/common/auth/types/auth-response";
+import { TwoFactorService, TwoFactorSetupDialogData } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorAuthenticatorDeleteRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-authenticator-delete.request";
+import { TwoFactorAuthenticatorUpdateRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-authenticator-update.request";
+import { TwoFactorAuthenticatorResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-authenticator.response";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -85,7 +84,14 @@ export class TwoFactorSetupAuthenticatorComponent
   @Output() onChangeStatus = new EventEmitter<boolean>();
   type = TwoFactorProviderType.Authenticator;
   key: string;
-  private userVerificationToken: string;
+  private userVerificationToken: string | undefined;
+
+  private requireUserVerificationToken(): string {
+    if (this.userVerificationToken === undefined) {
+      throw new Error("User verification token is missing");
+    }
+    return this.userVerificationToken;
+  }
 
   override componentName = "app-two-factor-authenticator";
   qrScriptError = false;
@@ -96,7 +102,7 @@ export class TwoFactorSetupAuthenticatorComponent
   });
 
   constructor(
-    @Inject(DIALOG_DATA) protected data: AuthResponse<TwoFactorAuthenticatorResponse>,
+    @Inject(DIALOG_DATA) protected data: TwoFactorSetupDialogData<TwoFactorAuthenticatorResponse>,
     private dialogRef: DialogRef,
     twoFactorService: TwoFactorService,
     i18nService: I18nService,
@@ -136,9 +142,9 @@ export class TwoFactorSetupAuthenticatorComponent
     this.formGroup.controls.token.markAsTouched();
   }
 
-  async auth(authResponse: AuthResponse<TwoFactorAuthenticatorResponse>) {
+  async auth(authResponse: TwoFactorSetupDialogData<TwoFactorAuthenticatorResponse>) {
     super.auth(authResponse);
-    return this.processResponse(authResponse.response);
+    return this.processGetResponse(authResponse.response);
   }
 
   submit = async () => {
@@ -155,13 +161,17 @@ export class TwoFactorSetupAuthenticatorComponent
   };
 
   protected async enable() {
-    const request = await this.buildRequestModel(UpdateTwoFactorAuthenticatorRequest);
-    request.token = this.formGroup.value.token;
-    request.key = this.key;
-    request.userVerificationToken = this.userVerificationToken;
+    const request = new TwoFactorAuthenticatorUpdateRequest(
+      this.formGroup.value.token,
+      this.key,
+      this.requireUserVerificationToken(),
+    );
 
     const response = await this.twoFactorService.putTwoFactorAuthenticator(request);
-    await this.processResponse(response);
+    await this.applyAuthenticatorDetails(
+      response.authenticator.enabled,
+      response.authenticator.key,
+    );
     this.onUpdated.emit(true);
   }
 
@@ -176,10 +186,10 @@ export class TwoFactorSetupAuthenticatorComponent
       return;
     }
 
-    const request = await this.buildRequestModel(DisableTwoFactorAuthenticatorRequest);
-    request.type = this.type;
-    request.key = this.key;
-    request.userVerificationToken = this.userVerificationToken;
+    const request = new TwoFactorAuthenticatorDeleteRequest(
+      this.key,
+      this.requireUserVerificationToken(),
+    );
     await this.twoFactorService.deleteTwoFactorAuthenticator(request);
     this.enabled = false;
     this.toastService.showToast({
@@ -190,11 +200,18 @@ export class TwoFactorSetupAuthenticatorComponent
     this.onUpdated.emit(false);
   }
 
-  private async processResponse(response: TwoFactorAuthenticatorResponse) {
-    this.formGroup.get("token").setValue(null);
-    this.enabled = response.enabled;
-    this.key = response.key;
+  private async processGetResponse(response: TwoFactorAuthenticatorResponse) {
     this.userVerificationToken = response.userVerificationToken;
+    await this.applyAuthenticatorDetails(
+      response.authenticator.enabled,
+      response.authenticator.key,
+    );
+  }
+
+  private async applyAuthenticatorDetails(enabled: boolean, key: string) {
+    this.formGroup.get("token").setValue(null);
+    this.enabled = enabled;
+    this.key = key;
 
     await this.waitForQRiousToLoadOrError().catch((error) => {
       this.logService.error(error);
@@ -238,7 +255,7 @@ export class TwoFactorSetupAuthenticatorComponent
 
   static open(
     dialogService: DialogService,
-    config: DialogConfig<AuthResponse<TwoFactorAuthenticatorResponse>>,
+    config: DialogConfig<TwoFactorSetupDialogData<TwoFactorAuthenticatorResponse>>,
   ) {
     return dialogService.open<boolean>(TwoFactorSetupAuthenticatorComponent, config);
   }

apps/web/src/app/auth/settings/two-factor/two-factor-setup-duo.component.ts

@@ -4,10 +4,15 @@ import { FormBuilder, ReactiveFormsModule, Validators } from "@angular/forms";
 
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-import { UpdateTwoFactorDuoRequest } from "@bitwarden/common/auth/models/request/update-two-factor-duo.request";
-import { TwoFactorDuoResponse } from "@bitwarden/common/auth/models/response/two-factor-duo.response";
-import { TwoFactorService } from "@bitwarden/common/auth/two-factor";
-import { AuthResponse } from "@bitwarden/common/auth/types/auth-response";
+import { TwoFactorService, TwoFactorSetupDialogData } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorDuoDeleteRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-duo-delete.request";
+import { TwoFactorDuoUpdateRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-duo-update.request";
+import { TwoFactorOrganizationDuoDeleteRequest } from "@bitwarden/common/auth/two-factor/request/two-factor-organization-duo-delete.request";
+import { TwoFactorDuoDetailsResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-duo-details.response";
+import { TwoFactorDuoUpdateResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-duo-update.response";
+import { TwoFactorDuoResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-duo.response";
+import { TwoFactorOrganizationDuoUpdateResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-organization-duo-update.response";
+import { TwoFactorOrganizationDuoResponse } from "@bitwarden/common/auth/two-factor/response/two-factor-organization-duo.response";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -30,6 +35,11 @@ import { I18nPipe } from "@bitwarden/ui-common";
 
 import { TwoFactorSetupMethodBaseComponent } from "./two-factor-setup-method-base.component";
 
+type TwoFactorDuoResponseUnion = TwoFactorDuoResponse | TwoFactorOrganizationDuoResponse;
+type TwoFactorDuoUpdateResponseUnion =
+  | TwoFactorDuoUpdateResponse
+  | TwoFactorOrganizationDuoUpdateResponse;
+
 // FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
 // eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
 @Component({
@@ -64,6 +74,14 @@ export class TwoFactorSetupDuoComponent
     host: ["", [Validators.required]],
   });
   override componentName = "app-two-factor-duo";
+  private userVerificationToken: string | undefined;
+
+  private requireUserVerificationToken(): string {
+    if (this.userVerificationToken === undefined) {
+      throw new Error("User verification token is missing");
+    }
+    return this.userVerificationToken;
+  }
 
   constructor(
     @Inject(DIALOG_DATA) protected data: TwoFactorDuoComponentConfig,
@@ -113,7 +131,7 @@ export class TwoFactorSetupDuoComponent
     }
 
     super.auth(this.data.authResponse);
-    this.processResponse(this.data.authResponse.response);
+    this.processGetResponse(this.data.authResponse.response);
 
     if (this.data.organizationId) {
       this.type = TwoFactorProviderType.OrganizationDuo;
@@ -135,12 +153,14 @@ export class TwoFactorSetupDuoComponent
   };
 
   protected async enable() {
-    const request = await this.buildRequestModel(UpdateTwoFactorDuoRequest);
-    request.clientId = this.clientId;
-    request.clientSecret = this.clientSecret;
-    request.host = this.host;
+    const request = new TwoFactorDuoUpdateRequest(
+      this.clientId,
+      this.clientSecret,
+      this.host,
+      this.requireUserVerificationToken(),
+    );
 
-    let response: TwoFactorDuoResponse;
+    let response: TwoFactorDuoUpdateResponseUnion;
 
     if (this.organizationId != null) {
       response = await this.twoFactorService.putTwoFactorOrganizationDuo(
@@ -151,19 +171,54 @@ export class TwoFactorSetupDuoComponent
       response = await this.twoFactorService.putTwoFactorDuo(request);
     }
 
-    this.processResponse(response);
+    this.applyDuoDetails(response.duo);
     this.onUpdated.emit(true);
   }
 
+  protected override async disableMethod() {
+    const confirmed = await this.dialogService.openSimpleDialog({
+      title: { key: "disable" },
+      content: { key: "twoStepDisableDesc" },
+      type: "warning",
+    });
+
+    if (!confirmed) {
+      return;
+    }
+
+    if (this.organizationId != null) {
+      const request = new TwoFactorOrganizationDuoDeleteRequest(
+        this.requireUserVerificationToken(),
+      );
+      await this.twoFactorService.deleteTwoFactorOrganizationDuo(this.organizationId, request);
+    } else {
+      const request = new TwoFactorDuoDeleteRequest(this.requireUserVerificationToken());
+      await this.twoFactorService.deleteTwoFactorDuo(request);
+    }
+
+    this.enabled = false;
+    this.toastService.showToast({
+      variant: "success",
+      title: "",
+      message: this.i18nService.t("twoStepDisabled"),
+    });
+    this.onUpdated.emit(false);
+  }
+
   onClose = () => {
     void this.dialogRef.close(this.enabled);
   };
 
-  private processResponse(response: TwoFactorDuoResponse) {
-    this.clientId = response.clientId;
-    this.clientSecret = response.clientSecret;
-    this.host = response.host;
-    this.enabled = response.enabled;
+  private processGetResponse(response: TwoFactorDuoResponseUnion) {
+    this.userVerificationToken = response.userVerificationToken;
+    this.applyDuoDetails(response.duo);
+  }
+
+  private applyDuoDetails(duoDetails: TwoFactorDuoDetailsResponse) {
+    this.clientId = duoDetails.clientId;
+    this.clientSecret = duoDetails.clientSecret;
+    this.host = duoDetails.host;
+    this.enabled = duoDetails.enabled;
   }
 
   /**
@@ -183,6 +238,6 @@ export class TwoFactorSetupDuoComponent
 }
 
 type TwoFactorDuoComponentConfig = {
-  authResponse: AuthResponse<TwoFactorDuoResponse>;
+  authResponse: TwoFactorSetupDialogData<TwoFactorDuoResponseUnion>;
   organizationId?: string;
 };