PM-20532 - Per discussion with Tools, deprecate SameSendIdHandler.cs and SameSendIdRequirement.cs and just require claim instead. We will write a extension method on the ClaimsPrincipal to get the send id instead of the HttpContext.

2025-05-25 21:34:52 -05:00 · 2025-05-16 12:03:08 -04:00 · 2025-05-16 12:03:08 -04:00 · f8b0b99a41
commit f8b0b99a41
parent 6b91396c89
3 changed files with 2 additions and 61 deletions
--- a/src/Api/Auth/Authorization/Handlers/SameSendIdHandler.cs
+++ b/src/Api/Auth/Authorization/Handlers/SameSendIdHandler.cs
@ -1,51 +0,0 @@
-using Bit.Api.Auth.Authorization.Requirements;
-using Bit.Core.Identity;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc.Filters;
-
-namespace Bit.Api.Auth.Authorization.Handlers;
-
-public class SameSendIdHandler : AuthorizationHandler<SameSendIdRequirement>
-{
-    protected override Task HandleRequirementAsync(
-        AuthorizationHandlerContext context,
-        SameSendIdRequirement requirement)
-    {
-        // TODO: test if this is HTTP context or not
-        // https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-9.0#access-mvc-request-context-in-handlers
-        if (context.Resource is AuthorizationFilterContext mvcContext)
-        {
-            // TODO: discuss removal of route value completely from endpoints and just use
-            // SendId claim instead
-
-            // 1) Grab the {id} route value
-            if (!mvcContext.RouteData.Values.TryGetValue("id", out var rawId))
-            {
-                return Task.CompletedTask;
-            }
-
-            // TODO: maybe have to handle encodedSendId
-
-            var routeId = rawId?.ToString();
-            if (string.IsNullOrEmpty(routeId))
-            {
-                return Task.CompletedTask;
-            }
-
-            // 2) Grab the send_id claim
-            var claim = context.User.FindFirst(Claims.SendId);
-            if (claim == null)
-            {
-                return Task.CompletedTask;
-            }
-
-            // 3) Compare them
-            if (string.Equals(claim.Value, routeId, StringComparison.OrdinalIgnoreCase))
-            {
-                context.Succeed(requirement);
-            }
-        }
-
-        return Task.CompletedTask;
-    }
-}
--- a/src/Api/Auth/Authorization/Requirements/SameSendIdRequirement.cs
+++ b/src/Api/Auth/Authorization/Requirements/SameSendIdRequirement.cs
@ -1,8 +0,0 @@
-using Microsoft.AspNetCore.Authorization;
-
-namespace Bit.Api.Auth.Authorization.Requirements;
-
-// <summary>
-// Requires that the id of the send request matches the id of the subject claim in the send access token.
-// </summary>
-public class SameSendIdRequirement : IAuthorizationRequirement { }
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -34,6 +34,7 @@ using Bit.Core.Services;
 using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 using Bit.Core.Auth.Models.Api.Request;
+using Bit.Core.Identity;

 #if !OSS
 using Bit.Commercial.Core.SecretsManager;
@ -150,8 +151,7 @@ public class Startup
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim(JwtClaimTypes.Scope, ApiScopes.Send);
-                // TODO: talk with Tools about potentially
-                // policy.AddRequirements(new SameSendIdRequirement());
+                policy.RequireClaim(Claims.SendId);
            });
        });