From ab73eeae16953b427dfc8722fa1bd17366cb2d55 Mon Sep 17 00:00:00 2001 From: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> Date: Tue, 10 Sep 2024 11:30:01 -0400 Subject: [PATCH] Auth/PM-11252 - Registration with Email Verification - Adjust url to point to new signup redirect connector (#4691) * PM-11252 - Registration with Email Verification - Adjust url in email to point to new signup redirect connector. * PM-11252 - RegisterVerifyEmail - use url fragment structure to obfuscate query params from logging and prevent open redirects. --- src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs | 8 ++++++-- .../Services/Implementations/HandlebarsMailService.cs | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs b/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs
index ce3ed9206..f1863da69 100644
--- a/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs
+++ b/src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs
@@ -4,11 +4,15 @@ namespace Bit.Core.Auth.Models.Mail;
 
 public class RegisterVerifyEmail : BaseMailModel
 {
-    // We must include email in the URL even though it is already in the token so that the
+    // Note 1: We must include email in the URL even though it is already in the token so that the
     // client can use it to create the master key when they set their password.
     // We also have to include the fromEmail flag so that the client knows the user
     // is coming to the finish signup page from an email link and not directly from another route in the app.
-    public string Url => string.Format("{0}/finish-signup?token={1}&email={2}&fromEmail=true",
+    // Note 2: we cannot use a web vault url which contains a # as that is a reserved wild character on Android
+    // so we must land on a redirect connector which will redirect to the finish signup page.
+    // Note 3: The use of a fragment to indicate the redirect url is to prevent the query string from being logged by
+    // proxies and servers. It also helps reduce open redirect vulnerabilities.
+    public string Url => string.Format("{0}/redirect-connector.html#finish-signup?token={1}&email={2}&fromEmail=true",
         WebVaultUrl,
         Token,
         Email);
diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 2d26b4052..455b775c2 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -63,7 +63,7 @@ public class HandlebarsMailService : IMailService
         {
             Token = WebUtility.UrlEncode(token),
             Email = WebUtility.UrlEncode(email),
-            WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
+            WebVaultUrl = _globalSettings.BaseServiceUri.Vault,
             SiteName = _globalSettings.SiteName
         };
         await AddMessageContentAsync(message, "Auth.RegistrationVerifyEmail", model);
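Review bot: Note 3's claim that the fragment "helps reduce open redirect vulnerabilities" is only true if redirect-connector.html resolves the fragment against a fixed set of in-app routes instead of navigating to whatever it contains, and that page is outside this diff, so the comment should name where that check lives, e.g. `// Note 3: ... The fragment is untrusted input to the connector, which must only accept known in-app routes.` Note 2 also reads as contradicting the line below it, since the new URL still contains a `#`; presumably the problem is the SPA hash route rather than `#` as such, which is worth spelling out. Separately, Url relies on Token and Email already being URL-encoded by the caller (HandlebarsMailService does this in the second hunk), so a one-line comment such as `// Token and Email are expected to be URL-encoded by the caller.` keeps that contract visible on the model.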
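Review bot: With the values now placed after `#`, they are decoded by client-side code rather than by a server query-string parser, and WebUtility.UrlEncode emits `+` for a space while a JavaScript decodeURIComponent would leave `+` untouched; if the connector or finish-signup page decodes that way, `Token = Uri.EscapeDataString(token),` and `Email = Uri.EscapeDataString(email),` give the percent-only form both sides agree on. Which decoder the client uses cannot be seen from this diff, so this is worth confirming rather than a definite defect. The enclosing method starts and ends outside the hunk.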