
Use UrlB64 encoding for auth-email header (#1503)

This commit is contained in:
Thomas Rittson 2021-08-11 06:21:46 +10:00 committed by GitHub
parent 179543d790
commit f92628fb80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -10,6 +10,7 @@ using Bit.Core.Services;
using Bit.Core.Identity; using Bit.Core.Identity;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Settings; using Bit.Core.Settings;
using Bit.Core.Utilities;
using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging;
namespace Bit.Core.IdentityServer namespace Bit.Core.IdentityServer
@ -50,9 +51,7 @@ namespace Bit.Core.IdentityServer
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context) public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{ {
// Uncomment whenever we want to require the `auth-email` header // Uncomment whenever we want to require the `auth-email` header
// //if (!AuthEmailHeaderIsValid(context))
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
// _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
//{ //{
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, // context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
// "Auth-Email header invalid."); // "Auth-Email header invalid.");
@ -135,5 +134,33 @@ namespace Bit.Core.IdentityServer
{ {
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse); context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
} }
private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
{
if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
{
return false;
}
else
{
try
{
var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
if (authEmailDecoded != context.UserName)
{
return false;
}
}
catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
{
// Invalid B64 encoding
return false;
}
}
return true;
}
} }
} }
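Review bot: The new AuthEmailHeaderIsValid in the last hunk looks the header up twice, once with ContainsKey and again through the indexer, and then wraps the rest of the body in an `else` that follows an unconditional `return false`; a single TryGetValue guard with the comparison returned directly from inside the `try` keeps the same outcome and reads as a plain guard clause. The `!=` on the decoded value is an ordinal, case-sensitive string comparison, so the client has to send the email in exactly the form carried in context.UserName — if user names are normalised elsewhere (not visible on this page), either apply the same normalisation to the header or compare with an explicit StringComparison. The catch filter admits only InvalidOperationException and FormatException; CoreHelpers.Base64UrlDecodeString is not shown here, so it is worth confirming those are the only exceptions it raises for malformed input, otherwise a bad header turns into a 500 rather than an invalid-grant result. The method is still referenced only from the commented-out block in the second hunk, so a one-line summary such as `/// Returns true when the Auth-Email header is present and its URL-safe base64 decoding equals the grant's user name; false for a missing or undecodable header.` would help whoever enables that check later.

```csharp
private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
{
    if (!_currentContext.HttpContext.Request.Headers.TryGetValue("Auth-Email", out var authEmailHeader))
    {
        return false;
    }

    try
    {
        // Same ordinal comparison as before; header must match context.UserName exactly.
        return CoreHelpers.Base64UrlDecodeString(authEmailHeader) == context.UserName;
    }
    catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
    {
        // Invalid B64 encoding
        return false;
    }
}
```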