diff --git a/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs b/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs index ce3ed9206..f1863da69 100644 --- a/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs +++ b/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs @@ -4,11 +4,15 @@ namespace Bit.Core.Auth.Models.Mail; public class RegisterVerifyEmail : BaseMailModel { - // We must include email in the URL even though it is already in the token so that the + // Note 1: We must include email in the URL even though it is already in the token so that the // client can use it to create the master key when they set their password. // We also have to include the fromEmail flag so that the client knows the user // is coming to the finish signup page from an email link and not directly from another route in the app. - public string Url => string.Format("{0}/finish-signup?token={1}&email={2}&fromEmail=true", + // Note 2: we cannot use a web vault url which contains a # as that is a reserved wild character on Android + // so we must land on a redirect connector which will redirect to the finish signup page. + // Note 3: The use of a fragment to indicate the redirect url is to prevent the query string from being logged by + // proxies and servers. It also helps reduce open redirect vulnerabilities. + public string Url => string.Format("{0}/redirect-connector.html#finish-signup?token={1}&email={2}&fromEmail=true", WebVaultUrl, Token, Email); diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs index 2d26b4052..455b775c2 100644 --- a/src/Core/Services/Implementations/HandlebarsMailService.cs +++ b/src/Core/Services/Implementations/HandlebarsMailService.cs @@ -63,7 +63,7 @@ public class HandlebarsMailService : IMailService { Token = WebUtility.UrlEncode(token), Email = WebUtility.UrlEncode(email), - WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, + WebVaultUrl = _globalSettings.BaseServiceUri.Vault, SiteName = _globalSettings.SiteName }; await AddMessageContentAsync(message, "Auth.RegistrationVerifyEmail", model);