Allow api key as captcha token (#1513)
This allows legitimate users to permanently bypass captcha once they have successfully logged in, and will give unmonitored scripts more resilience against captcha requirements.
parent
6d18f44029
commit
48aa54949b
@ -39,10 +39,9 @@ namespace Bit.Core.Services
|
|||||||
|
|
||||||
public string GenerateCaptchaBypassToken(User user) =>
|
public string GenerateCaptchaBypassToken(User user) =>
|
||||||
$"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}";
|
$"{TokenClearTextPrefix}{_dataProtector.Protect(CaptchaBypassTokenContent(user))}";
|
||||||
public bool ValidateCaptchaBypassToken(string encryptedToken, User user) =>
|
|
||||||
encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
|
public bool ValidateCaptchaBypassToken(string bypassToken, User user) =>
|
||||||
CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
|
TokenIsApiKey(bypassToken, user) || TokenIsCaptchaBypassToken(bypassToken, user);
|
||||||
user.Email, user.Id, TokenLifetimeInHours);
|
|
||||||
|
|
||||||
public async Task<bool> ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress)
|
public async Task<bool> ValidateCaptchaResponseAsync(string captchaResponse, string clientIpAddress)
|
||||||
{
|
{
|
||||||
@ -97,5 +96,13 @@ namespace Bit.Core.Services
|
|||||||
user?.Email,
|
user?.Email,
|
||||||
CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours))
|
CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow.AddHours(TokenLifetimeInHours))
|
||||||
});
|
});
|
||||||
|
|
||||||
|
private static bool TokenIsApiKey(string bypassToken, User user) =>
|
||||||
|
!string.IsNullOrWhiteSpace(bypassToken) && user != null && user.ApiKey == bypassToken;
|
||||||
|
private bool TokenIsCaptchaBypassToken(string encryptedToken, User user) =>
|
||||||
|
encryptedToken.StartsWith(TokenClearTextPrefix) && user != null &&
|
||||||
|
CoreHelpers.TokenIsValid(TokenName, _dataProtector, encryptedToken[TokenClearTextPrefix.Length..],
|
||||||
|
user.Email, user.Id, TokenLifetimeInHours);
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
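Review bot: `TokenIsApiKey` in the second hunk compares the stored API key with the caller-supplied value using `==`, an early-exit, length-dependent string comparison on a secret; a fixed-time comparison is the usual choice here, e.g. `user?.ApiKey is not null && CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(user.ApiKey), Encoding.UTF8.GetBytes(bypassToken))` (this needs `System.Security.Cryptography` and `System.Text` in scope, which the hunk does not show). Because the rewritten `ValidateCaptchaBypassToken` in the first hunk now falls through to `TokenIsCaptchaBypassToken`, a null `bypassToken` is rejected by the first helper's `IsNullOrWhiteSpace` guard only to reach `encryptedToken.StartsWith` in the second; a single `if (string.IsNullOrWhiteSpace(bypassToken) || user is null) return false;` at the top of the public method would cover both helpers. A one-line doc comment on `ValidateCaptchaBypassToken` stating that a user's API key is accepted in place of a captcha bypass token would also help, since this is a new use of that credential that callers and reviewers of API-key handling should be aware of.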