From f92628fb80f59940aca611068afcb1327adb4422 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Wed, 11 Aug 2021 06:21:46 +1000
Subject: [PATCH] Use UrlB64 encoding for auth-email header (#1503)

---
 .../ResourceOwnerPasswordValidator.cs | 33 +++++++++++++++++--
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
index a42acd6769..777f2e259b 100644
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@@ -10,6 +10,7 @@ using Bit.Core.Services;
 using Bit.Core.Identity;
 using Bit.Core.Context;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.IdentityServer
@@ -50,9 +51,7 @@ namespace Bit.Core.IdentityServer
         public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
         {
             // Uncomment whenever we want to require the `auth-email` header
-            //
-            //if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
-            //    _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
+            //if (!AuthEmailHeaderIsValid(context))
             //{
             //    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
             //        "Auth-Email header invalid.");
@@ -135,5 +134,33 @@ namespace Bit.Core.IdentityServer
         {
             context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
         }
+
+        private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
+        {
+            if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
+            {
+                return false;
+            }
+            else
+            {
+                try
+                {
+                    var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
+                    var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
+
+                    if (authEmailDecoded != context.UserName)
+                    {
+                        return false;
+                    }
+                }
+                catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
+                {
+                    // Invalid B64 encoding
+                    return false;
+                }
+            }
+
+            return true;
+        }
     }
 }
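Review bot: The decoded header is compared to `context.UserName` with `!=`, which for strings is an ordinal, case-sensitive comparison, so once the commented-out call in `ValidateAsync` is enabled a client that sends a differently cased address in `Auth-Email` than in the username field will be rejected; whether that is intended depends on how `UserName` is normalized elsewhere in this validator, which is not visible here, and if it is case-insensitive the check should match, e.g. `if (!string.Equals(authEmailDecoded, context.UserName, StringComparison.OrdinalIgnoreCase))`. The `else` after `return false` is redundant and the method reads more easily as guard clauses, and the fully qualified `System.Exception`/`System.InvalidOperationException`/`System.FormatException` can be shortened if the file already has `using System;`. The new method has no summary comment; something like `// Returns true only when the Auth-Email header is present, Base64Url-decodes cleanly, and decodes to the requesting username.` would document its contract, and the catch comment could name which call is expected to throw (presumably `CoreHelpers.Base64UrlDecodeString`; confirm which of the two filtered exception types it actually raises).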