set cors policies to only allow web vault origin (#787)

* set cors policy to only allow web vault

* vault cors policy service

src/Core/IdentityServer/AllowAllCorsPolicyService.cs

@@ -1,13 +0,0 @@
-using IdentityServer4.Services;
-using System.Threading.Tasks;
-
-namespace Bit.Core.IdentityServer
-{
-    public class AllowAllCorsPolicyService : ICorsPolicyService
-    {
-        public Task<bool> IsOriginAllowedAsync(string origin)
-        {
-            return Task.FromResult(true);
-        }
-    }
-}

src/Core/IdentityServer/VaultCorsPolicyService.cs

@@ -0,0 +1,20 @@
+using IdentityServer4.Services;
+using System.Threading.Tasks;
+
+namespace Bit.Core.IdentityServer
+{
+    public class VaultCorsPolicyService : ICorsPolicyService
+    {
+        private readonly GlobalSettings _globalSettings;
+
+        public VaultCorsPolicyService(GlobalSettings globalSettings)
+        {
+            _globalSettings = globalSettings;
+        }
+
+        public Task<bool> IsOriginAllowedAsync(string origin)
+        {
+            return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+        }
+    }
+}

src/Core/Utilities/ServiceCollectionExtensions.cs

@@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
             }
 
             services.AddTransient<ClientStore>();
-            services.AddTransient<ICorsPolicyService, AllowAllCorsPolicyService>();
+            services.AddTransient<ICorsPolicyService, VaultCorsPolicyService>();
             services.AddScoped<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
             services.AddScoped<IProfileService, ProfileService>();
             services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();