From 31cdf401f1e2f42bb6d0c5e27ac698b678c161a9 Mon Sep 17 00:00:00 2001
From: Federico Maccaroni <fedemkr@gmail.com>
Date: Thu, 3 Feb 2022 17:46:45 -0300
Subject: [PATCH] Fix delete account SSO with CME that the OTP parameter was
 being sent incorrectly to the server (#1751)

---
 src/Android/MainApplication.cs                    |  4 ++--
 src/App/Pages/Accounts/DeleteAccountViewModel.cs  |  7 ++-----
 .../Pages/Accounts/VerificationCodeViewModel.cs   |  4 +++-
 .../Utilities/VerificationActionsFlowHelper.cs    | 15 ++++++++++++---
 src/Core/Models/Request/DeleteAccountRequest.cs   |  2 ++
 src/Core/Services/UserVerificationService.cs      |  6 ++----
 src/iOS.Core/Utilities/iOSCoreHelpers.cs          |  6 +++---
 7 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/src/Android/MainApplication.cs b/src/Android/MainApplication.cs
index 3e58b4cab..1957f70a2 100644
--- a/src/Android/MainApplication.cs
+++ b/src/Android/MainApplication.cs
@@ -52,14 +52,14 @@ namespace Bit.Droid
                 var deleteAccountActionFlowExecutioner = new DeleteAccountActionFlowExecutioner(
                     ServiceContainer.Resolve<IApiService>("apiService"),
                     ServiceContainer.Resolve<IMessagingService>("messagingService"),
-                    ServiceContainer.Resolve<ICryptoService>("cryptoService"),
                     ServiceContainer.Resolve<IPlatformUtilsService>("platformUtilsService"),
                     ServiceContainer.Resolve<IDeviceActionService>("deviceActionService"));
                 ServiceContainer.Register<IDeleteAccountActionFlowExecutioner>("deleteAccountActionFlowExecutioner", deleteAccountActionFlowExecutioner);
 
                 var verificationActionsFlowHelper = new VerificationActionsFlowHelper(
                     ServiceContainer.Resolve<IKeyConnectorService>("keyConnectorService"),
-                    ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService"));
+                    ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService"),
+                    ServiceContainer.Resolve<ICryptoService>("cryptoService"));
                 ServiceContainer.Register<IVerificationActionsFlowHelper>("verificationActionsFlowHelper", verificationActionsFlowHelper);
             }
 #if !FDROID
diff --git a/src/App/Pages/Accounts/DeleteAccountViewModel.cs b/src/App/Pages/Accounts/DeleteAccountViewModel.cs
index 53c195e58..cab70bd38 100644
--- a/src/App/Pages/Accounts/DeleteAccountViewModel.cs
+++ b/src/App/Pages/Accounts/DeleteAccountViewModel.cs
@@ -58,19 +58,16 @@ namespace Bit.App.Pages
     {
         readonly IApiService _apiService;
         readonly IMessagingService _messagingService;
-        readonly ICryptoService _cryptoService;
         readonly IPlatformUtilsService _platformUtilsService;
         readonly IDeviceActionService _deviceActionService;
 
         public DeleteAccountActionFlowExecutioner(IApiService apiService,
             IMessagingService messagingService,
-            ICryptoService cryptoService,
             IPlatformUtilsService platformUtilsService,
             IDeviceActionService deviceActionService)
         {
             _apiService = apiService;
             _messagingService = messagingService;
-            _cryptoService = cryptoService;
             _platformUtilsService = platformUtilsService;
             _deviceActionService = deviceActionService;
         }
@@ -81,10 +78,10 @@ namespace Bit.App.Pages
             {
                 await _deviceActionService.ShowLoadingAsync(AppResources.DeletingYourAccount);
 
-                var masterPasswordHashKey = await _cryptoService.HashPasswordAsync(parameters.Secret, null);
                 await _apiService.DeleteAccountAsync(new Core.Models.Request.DeleteAccountRequest
                 {
-                    MasterPasswordHash = masterPasswordHashKey
+                    MasterPasswordHash = parameters.VerificationType == Core.Enums.VerificationType.MasterPassword ? parameters.Secret : (string)null,
+                    OTP = parameters.VerificationType == Core.Enums.VerificationType.OTP ? parameters.Secret : (string)null
                 });
 
                 await _deviceActionService.HideLoadingAsync();
diff --git a/src/App/Pages/Accounts/VerificationCodeViewModel.cs b/src/App/Pages/Accounts/VerificationCodeViewModel.cs
index 5bc57a2f4..e160a535d 100644
--- a/src/App/Pages/Accounts/VerificationCodeViewModel.cs
+++ b/src/App/Pages/Accounts/VerificationCodeViewModel.cs
@@ -10,6 +10,7 @@ using Xamarin.CommunityToolkit.ObjectModel;
 using System.Windows.Input;
 using Bit.App.Utilities;
 using Bit.Core;
+using Bit.Core.Enums;
 #if !FDROID
 using Microsoft.AppCenter.Crashes;
 #endif
@@ -144,7 +145,7 @@ namespace Bit.App.Pages
 
                 await _deviceActionService.ShowLoadingAsync(AppResources.Verifying);
 
-                if (!await _userVerificationService.VerifyUser(Secret, Core.Enums.VerificationType.OTP))
+                if (!await _userVerificationService.VerifyUser(Secret, VerificationType.OTP))
                 {
                     await _deviceActionService.HideLoadingAsync();
                     return;
@@ -154,6 +155,7 @@ namespace Bit.App.Pages
 
                 var parameters = _verificationActionsFlowHelper.GetParameters();
                 parameters.Secret = Secret;
+                parameters.VerificationType = VerificationType.OTP;
                 await _verificationActionsFlowHelper.ExecuteAsync(parameters);
 
                 Secret = string.Empty;
diff --git a/src/App/Utilities/VerificationActionsFlowHelper.cs b/src/App/Utilities/VerificationActionsFlowHelper.cs
index 79feab0bc..eaf3376e9 100644
--- a/src/App/Utilities/VerificationActionsFlowHelper.cs
+++ b/src/App/Utilities/VerificationActionsFlowHelper.cs
@@ -24,11 +24,15 @@ namespace Bit.App.Utilities
 
     public interface IActionFlowParmeters
     {
+        VerificationType VerificationType { get; set; }
+
         string Secret { get; set; }
     }
 
     public class DefaultActionFlowParameters : IActionFlowParmeters
     {
+        public VerificationType VerificationType { get; set; }
+
         public string Secret { get; set; }
     }
 
@@ -58,6 +62,7 @@ namespace Bit.App.Utilities
     {
         private readonly IKeyConnectorService _keyConnectorService;
         private readonly IPasswordRepromptService _passwordRepromptService;
+        private readonly ICryptoService _cryptoService;
 
         private VerificationFlowAction? _action;
         private IActionFlowParmeters _parameters;
@@ -67,10 +72,12 @@ namespace Bit.App.Utilities
         private readonly Dictionary<VerificationFlowAction, IActionFlowExecutioner> _actionExecutionerDictionary = new Dictionary<VerificationFlowAction, IActionFlowExecutioner>();
 
         public VerificationActionsFlowHelper(IKeyConnectorService keyConnectorService,
-            IPasswordRepromptService passwordRepromptService)
+            IPasswordRepromptService passwordRepromptService,
+            ICryptoService cryptoService)
         {
             _keyConnectorService = keyConnectorService;
             _passwordRepromptService = passwordRepromptService;
+            _cryptoService = cryptoService;
 
             _actionExecutionerDictionary.Add(VerificationFlowAction.DeleteAccount, ServiceContainer.Resolve<IDeleteAccountActionFlowExecutioner>("deleteAccountActionFlowExecutioner"));
         }
@@ -113,8 +120,10 @@ namespace Bit.App.Utilities
                         return;
                     }
 
-                    GetParameters().Secret = password;
-                    await ExecuteAsync(_parameters);
+                    var parameters = GetParameters();
+                    parameters.Secret = await _cryptoService.HashPasswordAsync(password, null);
+                    parameters.VerificationType = VerificationType.MasterPassword;
+                    await ExecuteAsync(parameters);
                     break;
                 case VerificationType.OTP:
                     await Application.Current.MainPage.Navigation.PushModalAsync(new NavigationPage(
diff --git a/src/Core/Models/Request/DeleteAccountRequest.cs b/src/Core/Models/Request/DeleteAccountRequest.cs
index 7776d890e..8eb38d347 100644
--- a/src/Core/Models/Request/DeleteAccountRequest.cs
+++ b/src/Core/Models/Request/DeleteAccountRequest.cs
@@ -3,5 +3,7 @@
     public class DeleteAccountRequest
     {
         public string MasterPasswordHash { get; set; }
+
+        public string OTP { get; set; }
     }
 }
diff --git a/src/Core/Services/UserVerificationService.cs b/src/Core/Services/UserVerificationService.cs
index ae65d7f7b..74031b55c 100644
--- a/src/Core/Services/UserVerificationService.cs
+++ b/src/Core/Services/UserVerificationService.cs
@@ -1,9 +1,7 @@
-using System;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Request;
-using Bit.Core.Services;
-using Bit.Core.Abstractions;
-using System.Threading.Tasks;
 
 namespace Bit.Core.Services
 {
diff --git a/src/iOS.Core/Utilities/iOSCoreHelpers.cs b/src/iOS.Core/Utilities/iOSCoreHelpers.cs
index 633803c81..1bac23f65 100644
--- a/src/iOS.Core/Utilities/iOSCoreHelpers.cs
+++ b/src/iOS.Core/Utilities/iOSCoreHelpers.cs
@@ -154,14 +154,14 @@ namespace Bit.iOS.Core.Utilities
             var deleteAccountActionFlowExecutioner = new DeleteAccountActionFlowExecutioner(
                 ServiceContainer.Resolve<IApiService>("apiService"),
                 ServiceContainer.Resolve<IMessagingService>("messagingService"),
-                ServiceContainer.Resolve<ICryptoService>("cryptoService"),
                 ServiceContainer.Resolve<IPlatformUtilsService>("platformUtilsService"),
                 ServiceContainer.Resolve<IDeviceActionService>("deviceActionService"));
             ServiceContainer.Register<IDeleteAccountActionFlowExecutioner>("deleteAccountActionFlowExecutioner", deleteAccountActionFlowExecutioner);
 
             var verificationActionsFlowHelper = new VerificationActionsFlowHelper(
-            ServiceContainer.Resolve<IKeyConnectorService>("keyConnectorService"),
-            ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService"));
+                ServiceContainer.Resolve<IKeyConnectorService>("keyConnectorService"),
+                ServiceContainer.Resolve<IPasswordRepromptService>("passwordRepromptService"),
+                ServiceContainer.Resolve<ICryptoService>("cryptoService"));
             ServiceContainer.Register<IVerificationActionsFlowHelper>("verificationActionsFlowHelper", verificationActionsFlowHelper);
 
             if (postBootstrapFunc != null)