Use encoded query parameters over path (#2354)

* Use encoded query parameters over path

* Prefer POST for requests with sensitive information

* Send private information in headers over query

* B64 encode email
This commit is contained in:
Matt Gibson 2023-03-07 17:16:28 -05:00 committed by GitHub
parent c02cd1f15b
commit 4d2b53c809
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 5 deletions


@ -47,7 +47,7 @@ namespace Bit.Core.Abstractions
Task RefreshIdentityTokenAsync(); Task RefreshIdentityTokenAsync();
Task<SsoPrevalidateResponse> PreValidateSso(string identifier); Task<SsoPrevalidateResponse> PreValidateSso(string identifier);
Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true); TRequest body, bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest, bool logoutOnUnauthorized = true);
void SetUrls(EnvironmentUrls urls); void SetUrls(EnvironmentUrls urls);
[Obsolete("Mar 25 2021: This method has been deprecated in favor of direct uploads. This method still exists for backward compatibility with old server versions.")] [Obsolete("Mar 25 2021: This method has been deprecated in favor of direct uploads. This method still exists for backward compatibility with old server versions.")]
Task<CipherResponse> PostCipherAttachmentLegacyAsync(string id, MultipartFormDataContent data); Task<CipherResponse> PostCipherAttachmentLegacyAsync(string id, MultipartFormDataContent data);
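Review bot: The new `alterRequest` parameter is declared without a default on the interface (`Action<HttpRequestMessage> alterRequest, bool logoutOnUnauthorized = true`), while the implementing `SendAsync` in ApiService.cs in this same commit gives it `= null`; C# resolves optional arguments against the static type, so every caller going through `IApiService` must now pass `null` explicitly, which is why the OTP call sites gained a bare `null`. Declaring `Action<HttpRequestMessage> alterRequest = null,` here as well keeps the two signatures in agreement and spares future callers the positional `null`. The member also has no XML doc; a `/// <param name="alterRequest">Optional hook invoked on the built HttpRequestMessage after the default headers are set and before it is sent, e.g. to attach per-request headers.</param>` would record the contract. The interface body continues outside the hunk.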


@ -10,6 +10,7 @@ using Bit.Core.Exceptions;
using Bit.Core.Models.Domain; using Bit.Core.Models.Domain;
using Bit.Core.Models.Request; using Bit.Core.Models.Request;
using Bit.Core.Models.Response; using Bit.Core.Models.Response;
using Bit.Core.Utilities;
using Newtonsoft.Json; using Newtonsoft.Json;
using Newtonsoft.Json.Linq; using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization; using Newtonsoft.Json.Serialization;
@ -183,13 +184,13 @@ namespace Bit.Core.Services
public Task PostAccountRequestOTP() public Task PostAccountRequestOTP()
{ {
return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, false); return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, null, false);
} }
public Task PostAccountVerifyOTPAsync(VerifyOTPRequest request) public Task PostAccountVerifyOTPAsync(VerifyOTPRequest request)
{ {
return SendAsync<VerifyOTPRequest, object>(HttpMethod.Post, "/accounts/verify-otp", request, return SendAsync<VerifyOTPRequest, object>(HttpMethod.Post, "/accounts/verify-otp", request,
true, false, false); true, false, null, false);
} }
public Task PutUpdateTempPasswordAsync(UpdateTempPasswordRequest request) public Task PutUpdateTempPasswordAsync(UpdateTempPasswordRequest request)
@ -570,7 +571,11 @@ namespace Bit.Core.Services
public Task<bool> GetKnownDeviceAsync(string email, string deviceIdentifier) public Task<bool> GetKnownDeviceAsync(string email, string deviceIdentifier)
{ {
return SendAsync<object, bool>(HttpMethod.Get, $"/devices/knowndevice/{email}/{deviceIdentifier}", null, false, true); return SendAsync<object, bool>(HttpMethod.Get, "/devices/knowndevice", null, false, true, (message) =>
{
message.Headers.Add("X-Device-Identifier", deviceIdentifier);
message.Headers.Add("X-Request-Email", CoreHelpers.Base64UrlEncode(Encoding.UTF8.GetBytes(email)));
});
} }
#endregion #endregion
@ -624,7 +629,7 @@ namespace Bit.Core.Services
public Task<TResponse> SendAsync<TResponse>(HttpMethod method, string path, bool authed) => public Task<TResponse> SendAsync<TResponse>(HttpMethod method, string path, bool authed) =>
SendAsync<object, TResponse>(method, path, null, authed, true); SendAsync<object, TResponse>(method, path, null, authed, true);
public async Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, TRequest body, public async Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, TRequest body,
bool authed, bool hasResponse, bool logoutOnUnauthorized = true) bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest = null, bool logoutOnUnauthorized = true)
{ {
using (var requestMessage = new HttpRequestMessage()) using (var requestMessage = new HttpRequestMessage())
{ {
@ -671,6 +676,7 @@ namespace Bit.Core.Services
{ {
requestMessage.Headers.Add("Accept", "application/json"); requestMessage.Headers.Add("Accept", "application/json");
} }
alterRequest?.Invoke(requestMessage);
HttpResponseMessage response; HttpResponseMessage response;
try try
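Review bot: `deviceIdentifier` goes into `X-Device-Identifier` verbatim while the email is base64url-wrapped, and `HttpRequestHeaders.Add` validates values and throws `FormatException` on ones it rejects (CR/LF, non-ASCII); because `alterRequest?.Invoke(requestMessage)` runs before the `try` that closes the hunk, such a failure escapes `SendAsync` without passing through that block's error handling. If the identifier is always an app-generated GUID this is harmless, but it deserves a comment on the callback, e.g. `// runs after default headers, before the try: hooks must add header-safe values (Add() validates and throws FormatException)`, or the invoke belongs inside the try if its handler is meant to cover it (the try body is outside the hunk). Separately, the request remains a GET whose discriminating inputs are now headers rather than the URL, so an intermediary cache that keys on URL alone could hand one caller's known-device answer to another unless the server replies with `Cache-Control: no-store` or a matching `Vary` — worth confirming server-side. `Encoding.UTF8` also requires `using System.Text;`, which is not among the visible usings; presumably it is already imported above the hunk.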