Use encoded query parameters over path (#2354)

* Use encoded query parameters over path

* Prefer POST for requests with sensitive information

* Send private information in headers over query

* B64 encode email
This commit is contained in:
Matt Gibson 2023-03-07 17:16:28 -05:00 committed by GitHub
parent c02cd1f15b
commit 4d2b53c809
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 5 deletions

View file

@ -47,7 +47,7 @@ namespace Bit.Core.Abstractions
Task RefreshIdentityTokenAsync();
Task<SsoPrevalidateResponse> PreValidateSso(string identifier);
Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true);
TRequest body, bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest, bool logoutOnUnauthorized = true);
void SetUrls(EnvironmentUrls urls);
[Obsolete("Mar 25 2021: This method has been deprecated in favor of direct uploads. This method still exists for backward compatibility with old server versions.")]
Task<CipherResponse> PostCipherAttachmentLegacyAsync(string id, MultipartFormDataContent data);

View file

@ -10,6 +10,7 @@ using Bit.Core.Exceptions;
using Bit.Core.Models.Domain;
using Bit.Core.Models.Request;
using Bit.Core.Models.Response;
using Bit.Core.Utilities;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization;
@ -183,13 +184,13 @@ namespace Bit.Core.Services
public Task PostAccountRequestOTP()
{
return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, false);
return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, null, false);
}
public Task PostAccountVerifyOTPAsync(VerifyOTPRequest request)
{
return SendAsync<VerifyOTPRequest, object>(HttpMethod.Post, "/accounts/verify-otp", request,
true, false, false);
true, false, null, false);
}
public Task PutUpdateTempPasswordAsync(UpdateTempPasswordRequest request)
@ -570,7 +571,11 @@ namespace Bit.Core.Services
public Task<bool> GetKnownDeviceAsync(string email, string deviceIdentifier)
{
return SendAsync<object, bool>(HttpMethod.Get, $"/devices/knowndevice/{email}/{deviceIdentifier}", null, false, true);
return SendAsync<object, bool>(HttpMethod.Get, "/devices/knowndevice", null, false, true, (message) =>
{
message.Headers.Add("X-Device-Identifier", deviceIdentifier);
message.Headers.Add("X-Request-Email", CoreHelpers.Base64UrlEncode(Encoding.UTF8.GetBytes(email)));
});
}
#endregion
@ -624,7 +629,7 @@ namespace Bit.Core.Services
public Task<TResponse> SendAsync<TResponse>(HttpMethod method, string path, bool authed) =>
SendAsync<object, TResponse>(method, path, null, authed, true);
public async Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, TRequest body,
bool authed, bool hasResponse, bool logoutOnUnauthorized = true)
bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest = null, bool logoutOnUnauthorized = true)
{
using (var requestMessage = new HttpRequestMessage())
{
@ -671,6 +676,7 @@ namespace Bit.Core.Services
{
requestMessage.Headers.Add("Accept", "application/json");
}
alterRequest?.Invoke(requestMessage);
HttpResponseMessage response;
try