Fix vault pin not settable without biometrics

2024-01-19 09:26:19 +01:00 · 2024-01-19 09:26:19 +01:00 · d2cd2da7e2
parent f3954e196c
commit d2cd2da7e2
1 changed files with 52 additions and 2 deletions
--- a/agent/actions/vault.go
+++ b/agent/actions/vault.go
@ -7,7 +7,7 @@ import (
 	"github.com/quexten/goldwarden/agent/bitwarden/crypto"
 	"github.com/quexten/goldwarden/agent/config"
 	"github.com/quexten/goldwarden/agent/sockets"
-	"github.com/quexten/goldwarden/agent/systemauth"
+	"github.com/quexten/goldwarden/agent/systemauth/biometrics"
 	"github.com/quexten/goldwarden/agent/systemauth/pinentry"
 	"github.com/quexten/goldwarden/agent/vault"

@ -160,6 +160,56 @@ func handleWipeVault(request messages.IPCMessage, cfg *config.Config, vault *vau
 }

 func handleUpdateVaultPin(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, callingContext *sockets.CallingContext) (response messages.IPCMessage, err error) {
+	//todo refactor
+	if cfg.HasPin() {
+		authenticated := false
+		if cfg.IsLocked() {
+			actionsLog.Info("Browser Biometrics: Vault is locked, asking for pin...")
+			err := cfg.TryUnlock(vault)
+			if err != nil {
+				actionsLog.Info("Browser Biometrics: Vault not unlocked")
+				return messages.IPCMessage{}, err
+			}
+			ctx1 := context.Background()
+			success := sync(ctx1, vault, cfg)
+			if !success {
+				actionsLog.Info("Browser Biometrics: Vault not synced")
+				return messages.IPCMessage{}, err
+			}
+			actionsLog.Info("Browser Biometrics: Vault unlocked")
+			authenticated = true
+		} else {
+			authenticated = biometrics.CheckBiometrics(biometrics.BrowserBiometrics)
+			if !authenticated {
+				// todo, skip when explicitly denied instead of error
+				actionsLog.Info("Browser Biometrics: Biometrics not approved, asking for pin...")
+				pin, err := pinentry.GetPassword("Goldwarden", "Enter your pin to unlock your vault")
+				if err == nil {
+					authenticated = cfg.VerifyPin(pin)
+					if !authenticated {
+						actionsLog.Info("Browser Biometrics: Pin not approved")
+					} else {
+						actionsLog.Info("Browser Biometrics: Pin approved")
+					}
+				}
+			} else {
+				actionsLog.Info("Browser Biometrics: Biometrics approved")
+			}
+		}
+
+		if !authenticated {
+			response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
+				Success: false,
+				Message: "Not authenticated",
+			})
+			if err != nil {
+				return messages.IPCMessage{}, err
+			} else {
+				return response, nil
+			}
+		}
+	}
+
 	pin, err := pinentry.GetPassword("Pin Change", "Enter your desired pin")
 	if err != nil {
 		response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
@ -214,7 +264,7 @@ func init() {
 	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UnlockVaultRequest{}), handleUnlockVault)
 	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.LockVaultRequest{}), handleLockVault)
 	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.WipeVaultRequest{}), handleWipeVault)
-	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UpdateVaultPINRequest{}), ensureBiometricsAuthorized(systemauth.AccessVault, handleUpdateVaultPin))
+	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UpdateVaultPINRequest{}), handleUpdateVaultPin)
 	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetVaultPINRequest{}), handlePinStatus)
 	AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.VaultStatusRequest{}), handleVaultStatus)
 }