commented code to validate auth-email header (#1361)

* commented code to validate auth-email header * format comment more
2025-01-22 21:51:22 +01:00 · 2021-05-28 16:04:58 -04:00 · 2021-05-28 16:04:58 -04:00 · 52dea4c2a4
commit 52dea4c2a4
parent 0e76371d0d
1 changed files with 10 additions and 0 deletions
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -19,6 +19,7 @@ namespace Bit.Core.IdentityServer
    {
        private UserManager<User> _userManager;
        private readonly IUserService _userService;
+        private readonly ICurrentContext _currentContext;

        public ResourceOwnerPasswordValidator(
            UserManager<User> userManager,
@ -41,6 +42,7 @@ namespace Bit.Core.IdentityServer
        {
            _userManager = userManager;
            _userService = userService;
+            _currentContext = currentContext;
        }

        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
@ -55,6 +57,14 @@ namespace Bit.Core.IdentityServer
                return (null, false);
            }

+            // Uncomment whenever we want to require the `auth-email` header
+            //
+            //if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
+            //    _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
+            //{
+            //    return (null, false);
+            //}
+
            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
            if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
            {