set cors policies to only allow web vault origin (#787)

* set cors policy to only allow web vault * vault cors policy service
2024-11-22 12:15:36 +01:00 · 2020-06-23 18:47:53 -04:00 · 2020-06-23 18:47:53 -04:00 · cf70a5e480
commit cf70a5e480
parent 2daca941f3
6 changed files with 24 additions and 17 deletions
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -169,7 +169,7 @@ namespace Bit.Api
            app.UseRouting();

            // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
                .AllowAnyMethod().AllowAnyHeader().AllowCredentials());

            // Add authentication and authorization to the request pipeline.
--- a/src/Core/IdentityServer/AllowAllCorsPolicyService.cs
+++ b/src/Core/IdentityServer/AllowAllCorsPolicyService.cs
@ -1,13 +0,0 @@
-using IdentityServer4.Services;
-using System.Threading.Tasks;
-
-namespace Bit.Core.IdentityServer
-{
-    public class AllowAllCorsPolicyService : ICorsPolicyService
-    {
-        public Task<bool> IsOriginAllowedAsync(string origin)
-        {
-            return Task.FromResult(true);
-        }
-    }
-}
--- a/src/Core/IdentityServer/VaultCorsPolicyService.cs
+++ b/src/Core/IdentityServer/VaultCorsPolicyService.cs
@ -0,0 +1,20 @@
+using IdentityServer4.Services;
+using System.Threading.Tasks;
+
+namespace Bit.Core.IdentityServer
+{
+    public class VaultCorsPolicyService : ICorsPolicyService
+    {
+        private readonly GlobalSettings _globalSettings;
+
+        public VaultCorsPolicyService(GlobalSettings globalSettings)
+        {
+            _globalSettings = globalSettings;
+        }
+
+        public Task<bool> IsOriginAllowedAsync(string origin)
+        {
+            return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+        }
+    }
+}
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
            }

            services.AddTransient<ClientStore>();
-            services.AddTransient<ICorsPolicyService, AllowAllCorsPolicyService>();
+            services.AddTransient<ICorsPolicyService, VaultCorsPolicyService>();
            services.AddScoped<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
            services.AddScoped<IProfileService, ProfileService>();
            services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@ -101,7 +101,7 @@ namespace Bit.Events
            app.UseRouting();

            // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
                .AllowAnyMethod().AllowAnyHeader().AllowCredentials());

            // Add authentication and authorization to the request pipeline.
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@ -102,7 +102,7 @@ namespace Bit.Notifications
            app.UseRouting();

            // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(h => true)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
                .AllowAnyMethod().AllowAnyHeader().AllowCredentials());

            // Add authentication to the request pipeline.