Use UrlB64 encoding for auth-email header (#1503)

2025-02-27 03:41:30 +01:00 · 2021-08-11 06:21:46 +10:00 · 2021-08-11 06:21:46 +10:00 · f92628fb80
commit f92628fb80
parent 179543d790
1 changed files with 30 additions and 3 deletions
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -10,6 +10,7 @@ using Bit.Core.Services;
 using Bit.Core.Identity;
 using Bit.Core.Context;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.Extensions.Logging;

 namespace Bit.Core.IdentityServer
@ -50,9 +51,7 @@ namespace Bit.Core.IdentityServer
        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
            // Uncomment whenever we want to require the `auth-email` header
-            //
-            //if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
-            //    _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
+            //if (!AuthEmailHeaderIsValid(context))
            //{
            //    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
            //        "Auth-Email header invalid.");
@ -135,5 +134,33 @@ namespace Bit.Core.IdentityServer
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
        }
+
+        private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
+        {
+            if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
+            {
+                return false;
+            }
+            else
+            {
+                try
+                {
+                    var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
+                    var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
+
+                    if (authEmailDecoded != context.UserName)
+                    {
+                        return false;
+                    }
+                }
+                catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
+                {
+                    // Invalid B64 encoding
+                    return false;
+                }
+            }
+
+            return true;
+        }
    }
 }