From 4d2b53c80945277605c298119ee7ad2c13b73d4c Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Tue, 7 Mar 2023 17:16:28 -0500
Subject: [PATCH] Use encoded query parameters over path (#2354)
* Use encoded query parameters over path
* Prefer POST for requests with sensitive information
* Send private information in headers over query
* B64 encode email
---
 src/Core/Abstractions/IApiService.cs | 2 +-
 src/Core/Services/ApiService.cs | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/Core/Abstractions/IApiService.cs b/src/Core/Abstractions/IApiService.cs
index 1d4ee9037..75cc565d6 100644
--- a/src/Core/Abstractions/IApiService.cs
+++ b/src/Core/Abstractions/IApiService.cs
@@ -47,7 +47,7 @@ namespace Bit.Core.Abstractions
 Task RefreshIdentityTokenAsync();
 Task PreValidateSso(string identifier);
 Task SendAsync(HttpMethod method, string path,
- TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true);
+ TRequest body, bool authed, bool hasResponse, Action alterRequest, bool logoutOnUnauthorized = true);
 void SetUrls(EnvironmentUrls urls);
 [Obsolete("Mar 25 2021: This method has been deprecated in favor of direct uploads. This method still exists for backward compatibility with old server versions.")]
 Task PostCipherAttachmentLegacyAsync(string id, MultipartFormDataContent data);
diff --git a/src/Core/Services/ApiService.cs b/src/Core/Services/ApiService.cs
index 7849951a2..66587b4a0 100644
--- a/src/Core/Services/ApiService.cs
+++ b/src/Core/Services/ApiService.cs
@@ -10,6 +10,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Domain;
 using Bit.Core.Models.Request;
 using Bit.Core.Models.Response;
+using Bit.Core.Utilities;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using Newtonsoft.Json.Serialization;
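Review bot: The new `alterRequest` parameter is declared without a default on the interface (`Action alterRequest, bool logoutOnUnauthorized = true` in IApiService.cs) but with `= null` on the ApiService implementation in the hunk at line 629 of ApiService.cs, so a call through `IApiService` must pass it explicitly while a call on the concrete type may omit it, and which default applies depends on the static type at the call site. Either give the interface member the same `Action alterRequest = null` default or drop it from the implementation so both signatures agree. The parameter also deserves a `<param>` line stating that the callback receives the built request after the method has set its own headers, so callers can add headers without reaching into SendAsync. The rendered page appears to have dropped the generic type arguments from these signatures, so the exact delegate type should be checked against the repository.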
@@ -183,13 +184,13 @@ namespace Bit.Core.Services
 public Task PostAccountRequestOTP()
 {
- return SendAsync(HttpMethod.Post, "/accounts/request-otp", null, true, false, false);
+ return SendAsync(HttpMethod.Post, "/accounts/request-otp", null, true, false, null, false);
 }
 public Task PostAccountVerifyOTPAsync(VerifyOTPRequest request)
 {
 return SendAsync(HttpMethod.Post, "/accounts/verify-otp", request,
- true, false, false);
+ true, false, null, false);
 }
 public Task PutUpdateTempPasswordAsync(UpdateTempPasswordRequest request)
@@ -570,7 +571,11 @@ namespace Bit.Core.Services
 public Task GetKnownDeviceAsync(string email, string deviceIdentifier)
 {
- return SendAsync(HttpMethod.Get, $"/devices/knowndevice/{email}/{deviceIdentifier}", null, false, true);
+ return SendAsync(HttpMethod.Get, "/devices/knowndevice", null, false, true, (message) =>
+ {
+ message.Headers.Add("X-Device-Identifier", deviceIdentifier);
+ message.Headers.Add("X-Request-Email", CoreHelpers.Base64UrlEncode(Encoding.UTF8.GetBytes(email)));
+ });
 }
 #endregion
@@ -624,7 +629,7 @@ namespace Bit.Core.Services
 public Task SendAsync(HttpMethod method, string path, bool authed) => SendAsync(method, path, null, authed, true);
 public async Task SendAsync(HttpMethod method, string path, TRequest body,
- bool authed, bool hasResponse, bool logoutOnUnauthorized = true)
+ bool authed, bool hasResponse, Action alterRequest = null, bool logoutOnUnauthorized = true)
 {
 using (var requestMessage = new HttpRequestMessage())
 {
@@ -671,6 +676,7 @@ namespace Bit.Core.Services
 {
 requestMessage.Headers.Add("Accept", "application/json");
 }
+ alterRequest?.Invoke(requestMessage);
 HttpResponseMessage response;
 try
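Review bot: In GetKnownDeviceAsync the callback passes `email` to `Encoding.UTF8.GetBytes` and `deviceIdentifier` straight to `message.Headers.Add`, so a null email throws `ArgumentNullException` and a device identifier containing characters the header parser rejects (a line break at least) makes `Headers.Add` throw `FormatException`, both surfacing as an unexplained failure from an unauthenticated pre-login call; if the identifier is always a GUID the second case is moot, but nothing here enforces that. Consider guarding both arguments up front, e.g. `if (string.IsNullOrEmpty(email)) throw new ArgumentException("Email is required.", nameof(email));`, and encoding or validating `deviceIdentifier` the same way the email is. The Base64Url encoding of `X-Request-Email` makes the address header-safe but is not confidentiality: the address is still cleartext to anything that terminates TLS or logs request headers, which is worth recording so nobody later treats the encoding as protection, e.g. `// Base64Url only makes the address header-safe; it is not encrypted and must be kept out of request logging.`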
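Review bot: `alterRequest?.Invoke(requestMessage)` runs after the method has finished its own header setup (the Accept header is visible just above; anything else SendAsync sets is outside this hunk), so a callback can append to or contradict headers the method already placed, and nothing inspects the result before the request is sent. That ordering is a reasonable contract, but it is invisible at the call site; a comment such as `// Caller-supplied mutation runs last so it can add headers after the defaults are in place.` would record it. SendAsync's body starts and ends outside the hunk.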