
Allow api key as captcha token (#1513)

This allows legitimate users to permanently bypass captcha once
they've successfully logged in. This will give unmonitored scripts more
resilience against captcha requirements.
This commit is contained in:
Matt Gibson 2021-08-13 09:52:52 -04:00 committed by GitHub
parent 6d18f44029
commit 48aa54949b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -39,10 +39,9 @@ namespace Bit.Core.Services
public string GenerateCaptchaBypassToken(User user) => public string GenerateCaptchaBypassToken(User user) =>
$"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}"; $"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}";
public bool ValidateCaptchaBypassToken(string encryptedToken, User user) =>
encryptedToken.StartsWith(TokenClearTextPrefix) && user != null && public bool ValidateCaptchaBypassToken(string bypassToken, User user) =>
CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..], TokenIsApiKey(bypassToken, user) || TokenIsCaptchaBypassToken(bypassToken, user);
user.Email, user.Id, TokenLifetimeInHours);
public async Task<bool> ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress) public async Task<bool> ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress)
{ {
@ -97,5 +96,13 @@ namespace Bit.Core.Services
user?.Email, user?.Email,
CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours)) CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours))
}); });
private static bool TokenIsApiKey(string bypassToken, User user) =>
!string.IsNullOrWhiteSpace(bypassToken) && user != null && user.ApiKey == bypassToken;
private bool TokenIsCaptchaBypassToken(string encryptedToken, User user) =>
encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
user.Email, user.Id, TokenLifetimeInHours);
} }
} }
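Review bot: `TokenIsApiKey` checks the user's API key with `user.ApiKey == bypassToken`, an ordinal string equality that stops at the first differing character, so this new captcha-bypass path can leak timing information about a long-lived credential. Compare it as a secret instead: `!string.IsNullOrWhiteSpace(bypassToken) && !string.IsNullOrWhiteSpace(user?.ApiKey) && CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(user.ApiKey), Encoding.UTF8.GetBytes(bypassToken))` (this needs `System.Security.Cryptography` and `System.Text` if the file does not already import them). The `user?.ApiKey` guard also makes the null-ApiKey case explicit, which the current line only handles because `==` tolerates null. A short comment above the method stating why an API key is accepted as a permanent captcha bypass would help, since the commit message is currently the only place that records this decision. The enclosing class and its `using` directives are outside the hunk.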