feat(auth-validator): [Auth/PM-22975] Client Version Validator

src/Core/KeyManagement/Constants.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.KeyManagement;
+
+public static class Constants
+{
+    public static readonly Version MinimumClientVersion = new Version("2025.11.0");
+}

src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs

@@ -26,5 +26,7 @@ private static void AddKeyManagementCommands(this IServiceCollection services)
     private static void AddKeyManagementQueries(this IServiceCollection services)
     {
         services.AddScoped<IUserAccountKeysQuery, UserAccountKeysQuery>();
+        services.AddScoped<IIsV2EncryptionUserQuery, IsV2EncryptionUserQuery>();
+        services.AddScoped<IGetMinimumClientVersionForUserQuery, GetMinimumClientVersionForUserQuery>();
     }
 }

src/Core/KeyManagement/Queries/GetMinimumClientVersionForUserQuery.cs

@@ -0,0 +1,23 @@
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+
+namespace Bit.Core.KeyManagement.Queries;
+
+public class GetMinimumClientVersionForUserQuery(IIsV2EncryptionUserQuery isV2EncryptionUserQuery)
+    : IGetMinimumClientVersionForUserQuery
+{
+    public async Task<Version?> Run(User? user)
+    {
+        if (user == null)
+        {
+            return null;
+        }
+
+        if (await isV2EncryptionUserQuery.Run(user))
+        {
+            return Constants.MinimumClientVersion;
+        }
+
+        return null;
+    }
+}

src/Core/KeyManagement/Queries/Interfaces/IGetMinimumClientVersionForUserQuery.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.KeyManagement.Queries.Interfaces;
+
+public interface IGetMinimumClientVersionForUserQuery
+{
+    Task<Version?> Run(User? user);
+}

src/Core/KeyManagement/Queries/Interfaces/IIsV2EncryptionUserQuery.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.KeyManagement.Queries.Interfaces;
+
+public interface IIsV2EncryptionUserQuery
+{
+    Task<bool> Run(User user);
+}

src/Core/KeyManagement/Queries/IsV2EncryptionUserQuery.cs

@@ -0,0 +1,31 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.KeyManagement.Utilities;
+
+namespace Bit.Core.KeyManagement.Queries;
+
+public class IsV2EncryptionUserQuery(IUserSignatureKeyPairRepository userSignatureKeyPairRepository)
+    : IIsV2EncryptionUserQuery
+{
+    public async Task<bool> Run(User user)
+    {
+        ArgumentNullException.ThrowIfNull(user);
+
+        var hasSignatureKeyPair = await userSignatureKeyPairRepository.GetByUserIdAsync(user.Id) != null;
+        var isPrivateKeyEncryptionV2 =
+            !string.IsNullOrWhiteSpace(user.PrivateKey) &&
+            EncryptionParsing.GetEncryptionType(user.PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
+
+        return hasSignatureKeyPair switch
+        {
+            // Valid v2 user
+            true when isPrivateKeyEncryptionV2 => true,
+            // Valid v1 user
+            false when !isPrivateKeyEncryptionV2 => false,
+            _ => throw new InvalidOperationException(
+                "User is in an invalid state for key rotation. User has a signature key pair, but the private key is not in v2 format, or vice versa.")
+        };
+    }
+}

src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountkeysCommand.cs → src/Core/KeyManagement/UserKey/Implementations/RotateUserAccountKeysCommand.cs

@@ -6,6 +6,7 @@
 using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Repositories;
+using Bit.Core.KeyManagement.Utilities;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -137,7 +138,7 @@ public async Task UpdateAccountKeysAsync(RotateUserAccountKeysData model, User u
         }
         else
         {
-            if (GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.AesCbc256_HmacSha256_B64)
+            if (EncryptionParsing.GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.AesCbc256_HmacSha256_B64)
             {
                 throw new InvalidOperationException("The provided account private key was not wrapped with AES-256-CBC-HMAC");
             }
@@ -209,7 +210,7 @@ private bool IsV2EncryptionUserAsync(User user)
     {
         // Returns whether the user is a V2 user based on the private key's encryption type.
         ArgumentNullException.ThrowIfNull(user);
-        var isPrivateKeyEncryptionV2 = GetEncryptionType(user.PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
+        var isPrivateKeyEncryptionV2 = EncryptionParsing.GetEncryptionType(user.PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
         return isPrivateKeyEncryptionV2;
     }
 
@@ -237,7 +238,7 @@ private static void ValidateV2Encryption(RotateUserAccountKeysData model)
         {
             throw new InvalidOperationException("Signature key pair data is required for V2 encryption.");
         }
-        if (GetEncryptionType(model.AccountKeys.SignatureKeyPairData.WrappedSigningKey) != EncryptionType.XChaCha20Poly1305_B64)
+        if (EncryptionParsing.GetEncryptionType(model.AccountKeys.SignatureKeyPairData.WrappedSigningKey) != EncryptionType.XChaCha20Poly1305_B64)
         {
             throw new InvalidOperationException("The provided signing key data is not wrapped with XChaCha20-Poly1305.");
         }
@@ -246,7 +247,7 @@ private static void ValidateV2Encryption(RotateUserAccountKeysData model)
             throw new InvalidOperationException("The provided signature key pair data does not contain a valid verifying key.");
         }
 
-        if (GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.XChaCha20Poly1305_B64)
+        if (EncryptionParsing.GetEncryptionType(model.AccountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey) != EncryptionType.XChaCha20Poly1305_B64)
         {
             throw new InvalidOperationException("The provided private key encryption key is not wrapped with XChaCha20-Poly1305.");
         }
@@ -260,23 +261,5 @@ private static void ValidateV2Encryption(RotateUserAccountKeysData model)
         }
     }
 
-    /// <summary>
-    /// Helper method to convert an encryption type string to an enum value.
-    /// </summary>
-    private static EncryptionType GetEncryptionType(string encString)
-    {
-        var parts = encString.Split('.');
-        if (parts.Length == 1)
-        {
-            throw new ArgumentException("Invalid encryption type string.");
-        }
-        if (byte.TryParse(parts[0], out var encryptionTypeNumber))
-        {
-            if (Enum.IsDefined(typeof(EncryptionType), encryptionTypeNumber))
-            {
-                return (EncryptionType)encryptionTypeNumber;
-            }
-        }
-        throw new ArgumentException("Invalid encryption type string.");
-    }
+    // Parsing moved to Bit.Core.KeyManagement.Utilities.EncryptionParsing
 }

src/Core/KeyManagement/Utilities/EncryptionParsing.cs

@@ -0,0 +1,26 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.KeyManagement.Utilities;
+
+public static class EncryptionParsing
+{
+    /// <summary>
+    /// Helper method to convert an encryption type string to an enum value.
+    /// </summary>
+    public static EncryptionType GetEncryptionType(string encString)
+    {
+        var parts = encString.Split('.');
+        if (parts.Length == 1)
+        {
+            throw new ArgumentException("Invalid encryption type string.");
+        }
+        if (byte.TryParse(parts[0], out var encryptionTypeNumber))
+        {
+            if (Enum.IsDefined(typeof(EncryptionType), encryptionTypeNumber))
+            {
+                return (EncryptionType)encryptionTypeNumber;
+            }
+        }
+        throw new ArgumentException("Invalid encryption type string.");
+    }
+}

src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs

@@ -40,6 +40,7 @@ public abstract class BaseRequestValidator<T> where T : class
     private readonly IUserRepository _userRepository;
     private readonly IAuthRequestRepository _authRequestRepository;
     private readonly IMailService _mailService;
+    private readonly IClientVersionValidator _clientVersionValidator;
 
     protected ICurrentContext CurrentContext { get; }
     protected IPolicyService PolicyService { get; }
@@ -68,7 +69,8 @@ public BaseRequestValidator(
         IPolicyRequirementQuery policyRequirementQuery,
         IAuthRequestRepository authRequestRepository,
         IMailService mailService,
-        IUserAccountKeysQuery userAccountKeysQuery
+        IUserAccountKeysQuery userAccountKeysQuery,
+        IClientVersionValidator clientVersionValidator
     )
     {
         _userManager = userManager;
@@ -89,6 +91,7 @@ IUserAccountKeysQuery userAccountKeysQuery
         _authRequestRepository = authRequestRepository;
         _mailService = mailService;
         _accountKeysQuery = userAccountKeysQuery;
+        _clientVersionValidator = clientVersionValidator;
     }
 
     protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
@@ -108,7 +111,8 @@ await BuildSuccessResultAsync(validatorContext.User, context, validatorContext.D
         }
         else
         {
-            // 1. We need to check if the user's master password hash is correct.
+            // 1. We need to check if the user is legitimate via the contextually appropriate mechanism
+            // (webauthn, password, custom token, etc.).
             var valid = await ValidateContextAsync(context, validatorContext);
             var user = validatorContext.User;
             if (!valid)
@@ -119,6 +123,13 @@ await BuildSuccessResultAsync(validatorContext.User, context, validatorContext.D
                 return;
             }
 
+            // 1.5 Now check the version number of the client. Do this after ValidateContextAsync so that
+            // we prevent account enumeration. If we were to do this before ValidateContextAsync, then attackers
+            // could use a known invalid client version and make a request for a user (before we know if they have
+            // demonstrated ownership of the account via correct credentials) and identify if they exist by getting
+            // an error response back from the validator saying the user is not compatible with the client.
+            await ValidateClientVersionAsync(context, validatorContext);
+
             // 2. Decide if this user belongs to an organization that requires SSO.
             validatorContext.SsoRequired = await RequireSsoLoginAsync(user, request.GrantType);
             if (validatorContext.SsoRequired)
@@ -259,6 +270,7 @@ private Func<Task<bool>>[] DetermineValidationOrder(T context, ValidatedTokenReq
             return
             [
                 () => ValidateMasterPasswordAsync(context, validatorContext),
+                () => ValidateClientVersionAsync(context, validatorContext),
                 () => ValidateTwoFactorAsync(context, request, validatorContext),
                 () => ValidateSsoAsync(context, request, validatorContext),
                 () => ValidateNewDeviceAsync(context, request, validatorContext),
@@ -272,6 +284,7 @@ private Func<Task<bool>>[] DetermineValidationOrder(T context, ValidatedTokenReq
             return
             [
                 () => ValidateMasterPasswordAsync(context, validatorContext),
+                () => ValidateClientVersionAsync(context, validatorContext),
                 () => ValidateSsoAsync(context, request, validatorContext),
                 () => ValidateTwoFactorAsync(context, request, validatorContext),
                 () => ValidateNewDeviceAsync(context, request, validatorContext),
@@ -323,6 +336,24 @@ private static async Task<bool> ProcessValidatorsAsync(params Func<Task<bool>>[]
         return true;
     }
 
+    /// <summary>
+    /// Validates whether the client version is compatible for the user attempting to authenticate.
+    /// New authentications only; refresh/device grants are handled elsewhere.
+    /// </summary>
+    /// <returns>true if the scheme successfully passed validation, otherwise false.</returns>
+    private async Task<bool> ValidateClientVersionAsync(T context, CustomValidatorRequestContext validatorContext)
+    {
+        var ok = await _clientVersionValidator.ValidateAsync(validatorContext.User, validatorContext);
+        if (ok)
+        {
+            return true;
+        }
+
+        SetValidationErrorResult(context, validatorContext);
+        await LogFailedLoginEvent(validatorContext.User, EventType.User_FailedLogIn);
+        return false;
+    }
+
     /// <summary>
     /// Validates the user's Master Password hash.
     /// </summary>

src/Identity/IdentityServer/RequestValidators/ClientVersionValidator.cs

@@ -0,0 +1,56 @@
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+using Bit.Core.Models.Api;
+using Duende.IdentityServer.Validation;
+
+namespace Bit.Identity.IdentityServer.RequestValidators;
+
+public interface IClientVersionValidator
+{
+    Task<bool> ValidateAsync(User user, CustomValidatorRequestContext requestContext);
+}
+
+public class ClientVersionValidator(
+    ICurrentContext currentContext,
+    IGetMinimumClientVersionForUserQuery getMinimumClientVersionForUserQuery)
+    : IClientVersionValidator
+{
+    private static readonly string UpgradeMessage = "Please update your app to continue using Bitwarden";
+
+    public async Task<bool> ValidateAsync(User? user, CustomValidatorRequestContext requestContext)
+    {
+        if (user == null)
+        {
+            return true;
+        }
+
+        var clientVersion = currentContext.ClientVersion;
+        var minVersion = await getMinimumClientVersionForUserQuery.Run(user);
+
+        // Fail-open if headers are missing or no restriction
+        if (minVersion == null)
+        {
+            return true;
+        }
+
+        if (clientVersion < minVersion)
+        {
+            requestContext.ValidationErrorResult = new ValidationResult
+            {
+                Error = "invalid_client_version",
+                ErrorDescription = UpgradeMessage,
+                IsError = true
+            };
+            requestContext.CustomResponse = new Dictionary<string, object>
+            {
+                { "ErrorModel", new ErrorResponseModel(UpgradeMessage) }
+            };
+            return false;
+        }
+
+        return true;
+    }
+}
+
+

src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs

@@ -16,11 +16,8 @@
 using Duende.IdentityModel;
 using Duende.IdentityServer.Extensions;
 using Duende.IdentityServer.Validation;
-using HandlebarsDotNet;
 using Microsoft.AspNetCore.Identity;
 
-#nullable enable
-
 namespace Bit.Identity.IdentityServer.RequestValidators;
 
 public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenRequestValidationContext>,
@@ -49,7 +46,8 @@ public CustomTokenRequestValidator(
         IPolicyRequirementQuery policyRequirementQuery,
         IAuthRequestRepository authRequestRepository,
         IMailService mailService,
-        IUserAccountKeysQuery userAccountKeysQuery)
+        IUserAccountKeysQuery userAccountKeysQuery,
+        IClientVersionValidator clientVersionValidator)
         : base(
             userManager,
             userService,
@@ -68,7 +66,8 @@ public CustomTokenRequestValidator(
             policyRequirementQuery,
             authRequestRepository,
             mailService,
-            userAccountKeysQuery)
+            userAccountKeysQuery,
+            clientVersionValidator)
     {
         _userManager = userManager;
         _updateInstallationCommand = updateInstallationCommand;

src/Identity/IdentityServer/RequestValidators/ResourceOwnerPasswordValidator.cs

@@ -43,7 +43,8 @@ public ResourceOwnerPasswordValidator(
         IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
         IPolicyRequirementQuery policyRequirementQuery,
         IMailService mailService,
-        IUserAccountKeysQuery userAccountKeysQuery)
+        IUserAccountKeysQuery userAccountKeysQuery,
+        IClientVersionValidator clientVersionValidator)
         : base(
             userManager,
             userService,
@@ -62,7 +63,8 @@ public ResourceOwnerPasswordValidator(
             policyRequirementQuery,
             authRequestRepository,
             mailService,
-            userAccountKeysQuery)
+            userAccountKeysQuery,
+            clientVersionValidator)
     {
         _userManager = userManager;
         _currentContext = currentContext;