From 465681c712886799d7dd9df06c61860ba68495ba Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Tue, 7 Mar 2023 13:49:29 -0500
Subject: [PATCH] Use encoded query parameters over path (#2682)
* Use encoded query parameters over path
* Prefer POST for requests with sensitive information
* Send private information in headers over query
* B64 encode email
---
 src/Api/Controllers/DevicesController.cs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/Api/Controllers/DevicesController.cs b/src/Api/Controllers/DevicesController.cs
index cc4ae0f12..a73fe546c 100644
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@@ -4,6 +4,7 @@ using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -130,6 +131,14 @@ public class DevicesController : Controller
 await _deviceService.DeleteAsync(device);
 }
+ [AllowAnonymous]
+ [HttpGet("knowndevice")]
+ public async Task GetByIdentifierQuery(
+ [FromHeader(Name = "X-Request-Email")] string email,
+ [FromHeader(Name = "X-Device-Identifier")] string deviceIdentifier)
+ => await GetByIdentifier(CoreHelpers.Base64UrlDecodeString(email), deviceIdentifier);
+
+ [Obsolete("Path is deprecated due to encoding issues, use /knowndevice instead.")]
 [AllowAnonymous]
 [HttpGet("knowndevice/{email}/{identifier}")]
 public async Task GetByIdentifier(string email, string identifier)
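Review bot: The new `GetByIdentifierQuery` passes both header values straight through without checking them: if either header is absent `[FromHeader]` binds `null`, and `CoreHelpers.Base64UrlDecodeString` — whose failure mode is not visible here — presumably throws `FormatException` on a malformed `X-Request-Email`, so a client can turn a bad header on this `[AllowAnonymous]` route into an unhandled 500 instead of a 400. Since the headers are client-controlled, reject empty values and translate a decode failure into a `BadRequestException` (in scope via the existing `using Bit.Core.Exceptions;`) before delegating, as in the fence below. Note also that `[Obsolete]` only warns C# callers; the `knowndevice/{email}/{identifier}` route stays live, so the email continues to appear in URLs and access logs until that action is actually removed. As rendered both methods return a non-generic `Task`, so the fence awaits without `return`; if the real signature is `Task<bool>` (the rendering may have dropped a generic argument), keep `return await`. `GetByIdentifier`'s body lies outside the hunk.
```csharp
    public async Task GetByIdentifierQuery(
        [FromHeader(Name = "X-Request-Email")] string email,
        [FromHeader(Name = "X-Device-Identifier")] string deviceIdentifier)
    {
        // Both headers are client-supplied on an anonymous route; reject absent values up front.
        if (string.IsNullOrWhiteSpace(email) || string.IsNullOrWhiteSpace(deviceIdentifier))
        {
            throw new BadRequestException("X-Request-Email and X-Device-Identifier headers are required.");
        }

        string decodedEmail;
        try
        {
            decodedEmail = CoreHelpers.Base64UrlDecodeString(email);
        }
        catch (FormatException)
        {
            // Malformed base64url is a client error, not a server fault.
            throw new BadRequestException("X-Request-Email is not valid base64url.");
        }

        await GetByIdentifier(decodedEmail, deviceIdentifier);
    }
```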