From cf70a5e480ff272318d29b27b2d0556edc65628e Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 23 Jun 2020 18:47:53 -0400
Subject: [PATCH] set cors policies to only allow web vault origin (#787)
* set cors policy to only allow web vault
* vault cors policy service
---
 src/Api/Startup.cs | 2 +-
 .../AllowAllCorsPolicyService.cs | 13 ------------
 .../IdentityServer/VaultCorsPolicyService.cs | 20 +++++++++++++++++++
 .../Utilities/ServiceCollectionExtensions.cs | 2 +-
 src/Events/Startup.cs | 2 +-
 src/Notifications/Startup.cs | 2 +-
 6 files changed, 24 insertions(+), 17 deletions(-)
 delete mode 100644 src/Core/IdentityServer/AllowAllCorsPolicyService.cs
 create mode 100644 src/Core/IdentityServer/VaultCorsPolicyService.cs
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 868d0e500a..1c6aef12f4 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -169,7 +169,7 @@ namespace Bit.Api
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Core/IdentityServer/AllowAllCorsPolicyService.cs b/src/Core/IdentityServer/AllowAllCorsPolicyService.cs
deleted file mode 100644
index 74934a9f98..0000000000
--- a/src/Core/IdentityServer/AllowAllCorsPolicyService.cs
+++ /dev/null
@@ -1,13 +0,0 @@
-using IdentityServer4.Services;
-using System.Threading.Tasks;
-
-namespace Bit.Core.IdentityServer
-{
- public class AllowAllCorsPolicyService : ICorsPolicyService
- {
- public Task IsOriginAllowedAsync(string origin)
- {
- return Task.FromResult(true);
- }
- }
-}
diff --git a/src/Core/IdentityServer/VaultCorsPolicyService.cs b/src/Core/IdentityServer/VaultCorsPolicyService.cs
new file mode 100644
index 0000000000..51476a962a
--- /dev/null
+++ b/src/Core/IdentityServer/VaultCorsPolicyService.cs
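Review bot: The new predicate `o == globalSettings.BaseServiceUri.Vault` is an ordinal, case-sensitive string equality against a configuration value, while a browser serializes `Origin` as `scheme://host[:port]` with no path and no trailing slash, so a `Vault` setting stored as `https://vault.example.com/` (or with an upper-case host) would never match and the web vault would be silently blocked; how `BaseServiceUri.Vault` is normalized is not visible in this hunk, so this is worth confirming. The same lambda is copied into three Startup files next to the `VaultCorsPolicyService` this commit adds, so one shared predicate in Core (parsing both sides as `Uri` and comparing scheme, host and port) would keep the four checks from drifting. Because `AllowCredentials()` stays on the context line, pinning one configured origin rather than reflecting the request origin is the right direction; a comment saying so would help, e.g. `// Only the configured web vault origin may make credentialed cross-origin calls; keep in sync with VaultCorsPolicyService.` The enclosing method (presumably `Configure`) starts and ends outside the hunk.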
@@ -0,0 +1,20 @@
+using IdentityServer4.Services;
+using System.Threading.Tasks;
+
+namespace Bit.Core.IdentityServer
+{
+ public class VaultCorsPolicyService : ICorsPolicyService
+ {
+ private readonly GlobalSettings _globalSettings;
+
+ public VaultCorsPolicyService(GlobalSettings globalSettings)
+ {
+ _globalSettings = globalSettings;
+ }
+
+ public Task IsOriginAllowedAsync(string origin)
+ {
+ return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+ }
+ }
+}
diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs
index 2080f2f921..89bd9a96c5 100644
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
 }
 services.AddTransient();
- services.AddTransient();
+ services.AddTransient();
 services.AddScoped();
 services.AddScoped();
 services.AddSingleton();
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 44127a6224..4149dffb70 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -101,7 +101,7 @@ namespace Bit.Events
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Notifications/Startup.cs b/src/Notifications/Startup.cs
index 076e805012..564db90e27 100644
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@@ -102,7 +102,7 @@ namespace Bit.Notifications
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication to the request pipeline.
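Review bot: `IsOriginAllowedAsync` compares the raw `Origin` header with `_globalSettings.BaseServiceUri.Vault` using ordinal, case-sensitive `==`, so the outcome depends on the configured string being byte-identical to the browser's serialized origin (`scheme://host[:port]`, lower-case, no path, no trailing slash); a `Vault` value such as `https://vault.example.com/` would never match and IdentityServer would refuse the web vault's cross-origin token requests. I cannot see from this hunk how `BaseServiceUri.Vault` is normalized, so if that is guaranteed elsewhere this reduces to a documentation point. Comparing the scheme/host/port triple of both values (`Uri` lives in `System`, which this file does not yet import) makes the check independent of trailing slashes, casing and explicit default ports while still failing closed on a missing or unparsable setting or a `null` origin, as sketched below. The class also has no XML doc; a `<summary>` stating that only the configured web vault origin may call IdentityServer cross-origin, and that it must stay aligned with the CORS policy of the API, Events and Notifications hosts, would help the next reader.
```csharp
public Task IsOriginAllowedAsync(string origin)
{
    // Browsers serialize Origin as scheme://host[:port] (no path, no trailing slash),
    // so compare the origin triple rather than the raw configured string.
    var allowed = Uri.TryCreate(origin, UriKind.Absolute, out var requested)
        && Uri.TryCreate(_globalSettings.BaseServiceUri.Vault, UriKind.Absolute, out var vault)
        && requested.Scheme == vault.Scheme
        && string.Equals(requested.Host, vault.Host, StringComparison.OrdinalIgnoreCase)
        && requested.Port == vault.Port;
    return Task.FromResult(allowed);
}
```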
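Review bot: If this host serves SignalR or raw WebSocket connections (the project name suggests it, but the hunk does not show it), the tightened `SetIsOriginAllowed` on the new side only governs CORS-checked XHR/fetch traffic such as the negotiate call: browsers do not apply CORS to the WebSocket handshake, so a cross-origin page can still open a socket unless the server validates the `Origin` header itself (for example via `WebSocketOptions.AllowedOrigins` or an origin check in the hub), which is worth confirming exists. Separately, `o == globalSettings.BaseServiceUri.Vault` is an ordinal, case-sensitive comparison against a config string, and a browser's `Origin` never carries a trailing slash or path, so a `Vault` setting with either would silently block the web vault; how the setting is normalized is not visible here. The enclosing method (presumably `Configure`) starts and ends outside the hunk.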