Auth/pm 17129/login with 2fa recovery code

[Patrick-Pimentel-Bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-17128

📔 Objective

We are utilizing the 2FA Token Provider flow to treat Recovery Codes as a special case of 2FA. We have added a new TwoFactorProviderType called RecoveryCode that when provided the correct value will drop the user's 2FA and allow them to login.

Other changes:

• Code cleanup
• Comment normalizing

📸 Screenshots

Screen.Recording.2025-02-06.at.9.28.48.PM.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

LaunchDarkly flag references

🔍 1 flag added or modified

Name	Key	Aliases found	Info
pm-17128-recovery-code-login	pm-17128-recovery-code-login

[codecov]

Codecov Report

Attention: Patch coverage is 62.50000% with 21 lines in your changes missing coverage. Please review.

Project coverage is 44.31%. Comparing base (678d5d5) to head (831f111).
Report is 12 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Core/Services/Implementations/UserService.cs	0.00%	9 Missing ⚠️
src/Api/Auth/Controllers/TwoFactorController.cs	0.00%	6 Missing ⚠️
...entity/TokenProviders/RecoveryCodeTokenProvider.cs	33.33%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5383      +/-   ##
==========================================
+ Coverage   44.27%   44.31%   +0.03%     
==========================================
  Files        1501     1498       -3     
  Lines       69218    69235      +17     
  Branches     6249     6240       -9     
==========================================
+ Hits        30648    30681      +33     
+ Misses      37242    37232      -10     
+ Partials     1328     1322       -6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – 99f48ce0-e1ec-4259-86e6-e8a7e0da4503

New Issues (21)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 173	details Method CreateAuthRequestAsync at line 173 of /src/Core/Auth/Services/Implementations/AuthRequestService.cs sends user information outside the appli... Attack Vector
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 221	details Method UpdateAuthRequestAsync at line 221 of /src/Core/Auth/Services/Implementations/AuthRequestService.cs sends user information outside the appli... Attack Vector
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 230	details Method UpdateAuthRequestAsync at line 230 of /src/Core/Auth/Services/Implementations/AuthRequestService.cs sends user information outside the appli... Attack Vector
	Privacy_Violation	/src/Core/NotificationHub/NotificationHubPushNotificationService.cs: 192	details Method PushAuthRequestAsync at line 192 of /src/Core/NotificationHub/NotificationHubPushNotificationService.cs sends user information outside the a... Attack Vector
	Heap_Inspection	/src/Core/Constants.cs: 170	details Method at line 170 of /src/Core/Constants.cs defines EnablePasswordManagerSyncAndroid, which is designated to contain user passwords. However, whi... Attack Vector
	Heap_Inspection	/src/Core/Constants.cs: 171	details Method at line 171 of /src/Core/Constants.cs defines EnablePasswordManagerSynciOS, which is designated to contain user passwords. However, while p... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 238	details Method UpdateTaxInformationAsync at line 238 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestB... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 238	details Method UpdateTaxInformationAsync at line 238 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestB... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 238	details Method UpdateTaxInformationAsync at line 238 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestB... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/ProviderBillingController.cs: 104	details Method UpdateTaxInformationAsync at line 104 of /src/Api/Billing/Controllers/ProviderBillingController.cs gets user input from element requestBody.... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 163	details Method UpdatePaymentMethodAsync at line 163 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestBo... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 163	details Method UpdatePaymentMethodAsync at line 163 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestBo... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 163	details Method UpdatePaymentMethodAsync at line 163 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestBo... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/ProviderBillingController.cs: 104	details Method UpdateTaxInformationAsync at line 104 of /src/Api/Billing/Controllers/ProviderBillingController.cs gets user input from element requestBody.... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/ProviderBillingController.cs: 104	details Method UpdateTaxInformationAsync at line 104 of /src/Api/Billing/Controllers/ProviderBillingController.cs gets user input from element requestBody.... Attack Vector
	Log_Forging	/src/Api/Billing/Controllers/OrganizationBillingController.cs: 163	details Method UpdatePaymentMethodAsync at line 163 of /src/Api/Billing/Controllers/OrganizationBillingController.cs gets user input from element requestBo... Attack Vector
	Log_Forging	/src/Api/Vault/Controllers/CiphersController.cs: 173	details Method PostAdmin at line 173 of /src/Api/Vault/Controllers/CiphersController.cs gets user input from element model. This element’s value flows thro... Attack Vector
	Log_Forging	/src/Api/Platform/Push/Controllers/PushController.cs: 75	details Method PostSend at line 75 of /src/Api/Platform/Push/Controllers/PushController.cs gets user input from element model. This element’s value flows t... Attack Vector
	Log_Forging	/src/Api/Vault/Controllers/CiphersController.cs: 158	details Method PostCreate at line 158 of /src/Api/Vault/Controllers/CiphersController.cs gets user input from element model. This element’s value flows thr... Attack Vector
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 170	details The application uses the hard-coded password EnablePasswordManagerSyncAndroid for authentication purposes, either using it to verify users' identit... Attack Vector
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 171	details The application uses the hard-coded password EnablePasswordManagerSynciOS for authentication purposes, either using it to verify users' identities,... Attack Vector

Fixed Issues (9)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Billing/Controllers/BitPayController.cs: 56
	CSRF	/src/Api/AdminConsole/Controllers/PoliciesController.cs: 168
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 230
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 221
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 173
	Privacy_Violation	/src/Core/NotificationHub/NotificationHubPushNotificationService.cs: 214
	Log_Forging	/src/Api/Vault/Controllers/CiphersController.cs: 173
	Log_Forging	/src/Api/Platform/Push/Controllers/PushController.cs: 75
	Log_Forging	/src/Api/Vault/Controllers/CiphersController.cs: 158

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ike-kottlowski]

I don't think we need to create a token provider for the new TwoFactorTokenProviderType we just need to use it to control flow in the TwoFactorAuthenticationValidator.

[ike-kottlowski]

💡 : I think this might be a good candidate for a command since it spans multiple domains: User modification and Organization modification.

[ike-kottlowski]

🎨 : I think I would like this to live in the TwoFactorAuthenticationValidator. Adding it to the here increases tech debt on the BaseRequestValidator.

I think it should live in the TwoFactorAuthenticationValidator.ValidateTwoFactorAsync() flow.

[ike-kottlowski]

🎨 : We could check for the recovery code type here and act on it.

[ike-kottlowski]

💭 : I don't think we need this whole Token Provider implementation since we aren't really generating a token. We just use the TwoFactorProviderType to control how we validate the user.