From 48aa54949b9dc48765eca2e5fd62bde056a059a2 Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Fri, 13 Aug 2021 09:52:52 -0400
Subject: [PATCH] Allow api key as captcha token (#1513)

This allows legitimate users to permanently bypass captcha once they've successfully logged in. Will allow unmonitored scripts more resilience to captcha requirements
---
 .../Implementations/HCaptchaValidationService.cs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/Core/Services/Implementations/HCaptchaValidationService.cs b/src/Core/Services/Implementations/HCaptchaValidationService.cs
index e1f507f7b0..4acd6cbfec 100644
--- a/src/Core/Services/Implementations/HCaptchaValidationService.cs
+++ b/src/Core/Services/Implementations/HCaptchaValidationService.cs
@@ -39,10 +39,9 @@ namespace Bit.Core.Services
 public string GenerateCaptchaBypassToken(User user) =>
 $"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}";
- public bool ValidateCaptchaBypassToken(string encryptedToken, User user) =>
- encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
- CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
- user.Email, user.Id, TokenLifetimeInHours);
+
+ public bool ValidateCaptchaBypassToken(string bypassToken, User user) =>
+ TokenIsApiKey(bypassToken, user) || TokenIsCaptchaBypassToken(bypassToken, user);
 public async Task ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress)
 {
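Review bot: The new ValidateCaptchaBypassToken accepts two very different secrets under one parameter, but neither the signature nor a comment says so, so a caller can easily assume bypassToken is always the short-lived protected token. Suggest adding above the new expression-bodied member `/// <summary>Returns true when <paramref name="bypassToken"/> is either the user's API key or an unexpired bypass token issued by GenerateCaptchaBypassToken.</summary>`. That comment should also state that, unlike the protected token, the API-key path is not bounded by TokenLifetimeInHours and remains valid for as long as the key does, which is the behaviour the commit message describes. The method is complete within the hunk.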
@@ -97,5 +96,13 @@ namespace Bit.Core.Services
 user?.Email,
 CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours))
 });
+
+ private static bool TokenIsApiKey(string bypassToken, User user) =>
+ !string.IsNullOrWhiteSpace(bypassToken) && user != null && user.ApiKey == bypassToken;
+ private bool TokenIsCaptchaBypassToken(string encryptedToken, User user) =>
+ encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
+ CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
+ user.Email, user.Id, TokenLifetimeInHours);
+
 }
 }
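Review bot: TokenIsApiKey compares the secret API key with the ordinary `==` operator, whose running time depends on how much of the two strings matches, whereas a credential check like this should use a fixed-time comparison. Replace the last conjunct with `user.ApiKey != null &&` followed by `CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(user.ApiKey), Encoding.UTF8.GetBytes(bypassToken))`, which needs `using System.Security.Cryptography;` and `using System.Text;` in the file's using block outside this hunk. The explicit null check is required because `user.ApiKey == bypassToken` quietly returned false for a user with no API key, while GetBytes on a null would throw. The moved TokenIsCaptchaBypassToken still calls `StartsWith(TokenClearTextPrefix)` without a StringComparison; for a fixed prefix `StringComparison.Ordinal` is the correct, culture-independent choice (CA1310).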