PM-20532 - Per discussion with Tools, deprecate SameSendIdHandler.cs and SameSendIdRequirement.cs and just require claim instead. We will write a extension method on the ClaimsPrincipal to get the send id instead of the HttpContext.

2025-05-27 06:14:51 -05:00 · 2025-05-16 12:03:08 -04:00 · 2025-05-16 12:03:08 -04:00 · f8b0b99a41
commit f8b0b99a41
parent 6b91396c89
3 changed files with 2 additions and 61 deletions
--- a/src/Api/Auth/Authorization/Handlers/SameSendIdHandler.cs
+++ b/src/Api/Auth/Authorization/Handlers/SameSendIdHandler.cs
@ -1,51 +0,0 @@
 using Bit.Api.Auth.Authorization.Requirements;
 using Bit.Core.Identity;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 namespace Bit.Api.Auth.Authorization.Handlers;
 public class SameSendIdHandler : AuthorizationHandler<SameSendIdRequirement>
 {
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SameSendIdRequirement requirement)
    {
        // TODO: test if this is HTTP context or not
        // https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-9.0#access-mvc-request-context-in-handlers
        if (context.Resource is AuthorizationFilterContext mvcContext)
        {
            // TODO: discuss removal of route value completely from endpoints and just use
            // SendId claim instead
            // 1) Grab the {id} route value
            if (!mvcContext.RouteData.Values.TryGetValue("id", out var rawId))
            {
                return Task.CompletedTask;
            }
            // TODO: maybe have to handle encodedSendId
            var routeId = rawId?.ToString();
            if (string.IsNullOrEmpty(routeId))
            {
                return Task.CompletedTask;
            }
            // 2) Grab the send_id claim
            var claim = context.User.FindFirst(Claims.SendId);
            if (claim == null)
            {
                return Task.CompletedTask;
            }
            // 3) Compare them
            if (string.Equals(claim.Value, routeId, StringComparison.OrdinalIgnoreCase))
            {
                context.Succeed(requirement);
            }
        }
        return Task.CompletedTask;
    }
 }
--- a/src/Api/Auth/Authorization/Requirements/SameSendIdRequirement.cs
+++ b/src/Api/Auth/Authorization/Requirements/SameSendIdRequirement.cs
@ -1,8 +0,0 @@
 using Microsoft.AspNetCore.Authorization;
 namespace Bit.Api.Auth.Authorization.Requirements;
 // <summary>
 // Requires that the id of the send request matches the id of the subject claim in the send access token.
 // </summary>
 public class SameSendIdRequirement : IAuthorizationRequirement { }
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -34,6 +34,7 @@ using Bit.Core.Services;
 using Bit.Core.Tools.ImportFeatures;
 using Bit.Core.Tools.ReportFeatures;
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Identity;
 #if !OSS
 using Bit.Commercial.Core.SecretsManager;
@ -150,8 +151,7 @@ public class Startup
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim(JwtClaimTypes.Scope, ApiScopes.Send);
-                // TODO: talk with Tools about potentially
+                policy.RequireClaim(Claims.SendId);
                // policy.AddRequirements(new SameSendIdRequirement());
            });
        });