Updated auth for phishing domain endpoints to either require api, or licensing claims to support both web and browser clients, and selfhost api clients

2025-04-05 05:00:19 -05:00 · 2025-03-18 08:54:09 -04:00 · 2025-03-18 08:54:09 -04:00 · 7baa788484
commit 7baa788484
parent 3ae97155ab
3 changed files with 10 additions and 2 deletions
--- a/src/Api/Controllers/PhishingDomainsController.cs
+++ b/src/Api/Controllers/PhishingDomainsController.cs
@ -5,7 +5,7 @@ using Microsoft.AspNetCore.Mvc;
 namespace Bit.Api.Controllers;

 [Route("phishing-domains")]
-[Authorize("Application")]
+[Authorize("PhishingDomains")]
 public class PhishingDomainsController(IPhishingDomainRepository phishingDomainRepository) : Controller
 {
    [HttpGet]
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -143,6 +143,14 @@ public class Startup
                    (c.Value.Contains(ApiScopes.Api) || c.Value.Contains(ApiScopes.ApiSecrets))
                ));
            });
+            config.AddPolicy("PhishingDomains", policy =>
+            {
+                policy.RequireAuthenticatedUser();
+                policy.RequireAssertion(ctx => 
+                    ctx.User.HasClaim(c => c.Type == JwtClaimTypes.Scope && 
+                        (c.Value == ApiScopes.ApiLicensing || c.Value == ApiScopes.Api))
+                );
+            });
        });

        services.AddScoped<AuthenticatorTokenProvider>();
--- a/src/Core/PhishingDomainFeatures/CloudPhishingDomainRelayQuery.cs
+++ b/src/Core/PhishingDomainFeatures/CloudPhishingDomainRelayQuery.cs
@ -21,7 +21,7 @@ public class CloudPhishingDomainRelayQuery : BaseIdentityClientService, ICloudPh
            httpFactory,
            globalSettings.Installation.ApiUri,
            globalSettings.Installation.IdentityUri,
-            "api.installation",
+            "api.licensing",
            $"installation.{globalSettings.Installation.Id}",
            globalSettings.Installation.Key,
            logger)