[PM-2740] Add null check on base64-encoded values on knowndevice query (#3586)

* Added null check on header-based knowndevice call to match query-string implementation. * Updated to use model binding instead of individual inputs. * Linting.
2024-11-25 12:45:18 +01:00 · 2023-12-22 15:12:27 -05:00 · 2023-12-22 15:12:27 -05:00 · cf4d8a4f92
commit cf4d8a4f92
parent 506d0aa318
2 changed files with 20 additions and 5 deletions
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@ -1,4 +1,5 @@
-using Bit.Api.Auth.Models.Request;
+using Api.Models.Request;
+using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
@ -206,10 +207,8 @@ public class DevicesController : Controller

    [AllowAnonymous]
    [HttpGet("knowndevice")]
-    public async Task<bool> GetByIdentifierQuery(
-        [FromHeader(Name = "X-Request-Email")] string email,
-        [FromHeader(Name = "X-Device-Identifier")] string deviceIdentifier)
-        => await GetByIdentifier(CoreHelpers.Base64UrlDecodeString(email), deviceIdentifier);
+    public async Task<bool> GetByIdentifierQuery([FromHeader] KnownDeviceRequestModel request)
+        => await GetByIdentifier(CoreHelpers.Base64UrlDecodeString(request.Email), request.DeviceIdentifier);

    [Obsolete("Path is deprecated due to encoding issues, use /knowndevice instead.")]
    [AllowAnonymous]
--- a/src/Api/Models/Request/KnownDeviceRequestModel.cs
+++ b/src/Api/Models/Request/KnownDeviceRequestModel.cs
@ -0,0 +1,16 @@
+using System.ComponentModel.DataAnnotations;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Api.Models.Request;
+
+public class KnownDeviceRequestModel
+{
+    [Required]
+    [FromHeader(Name = "X-Request-Email")]
+    public string Email { get; set; }
+
+    [Required]
+    [FromHeader(Name = "X-Device-Identifier")]
+    public string DeviceIdentifier { get; set; }
+
+}