[PM-31394] use email address hash for send access email verification (#6921)
* [PM-31394] use email address hash for send access email verification * [PM-31394] fixing identity server tests for send access * [PM-31394] fixing more identity server tests for send access
@@ -44,7 +44,7 @@ public record ResourcePassword(string Hash) : SendAuthenticationMethod;
|
||||
/// <summary>
|
||||
/// Create a send claim by requesting a one time password (OTP) confirmation code.
|
||||
/// </summary>
|
||||
/// <param name="Emails">
|
||||
/// <param name="EmailHashes">
|
||||
/// The list of email address **hashes** permitted access to the send.
|
||||
/// </param>
|
||||
public record EmailOtp(string[] Emails) : SendAuthenticationMethod;
|
||||
public record EmailOtp(string[] EmailHashes) : SendAuthenticationMethod;
|
||||
|
||||
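Review bot: The `EmailHashes` doc comment says only that the entries are hashes, not which digest or text encoding produces them, and they can only be matched by exact string equality. The validator change on this page compares against the uppercase hex of SHA-256 over the UTF-8 bytes of the address, so that format is part of this record's contract and belongs in the `<param>` text, e.g. `/// Each entry is the uppercase hexadecimal SHA-256 digest of the UTF-8 encoded email address.` Whether the address is trimmed or case-folded before hashing is not visible here and should be stated in the same place.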
@@ -1,4 +1,6 @@
|
||||
using System.Security.Claims;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using Bit.Core;
|
||||
using Bit.Core.Auth.Identity;
|
||||
using Bit.Core.Auth.Identity.TokenProviders;
|
||||
@@ -40,8 +42,10 @@ public class SendEmailOtpRequestValidator(
|
||||
return BuildErrorResult(SendAccessConstants.EmailOtpValidatorResults.EmailRequired);
|
||||
}
|
||||
|
||||
// email must be in the list of emails in the EmailOtp array
|
||||
if (!authMethod.Emails.Contains(email))
|
||||
// email hash must be in the list of email hashes in the EmailOtp array
|
||||
byte[] hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(email));
|
||||
string hashEmailHex = Convert.ToHexString(hashBytes).ToUpperInvariant();
|
||||
if (!authMethod.EmailHashes.Contains(hashEmailHex))
|
||||
{
|
||||
return BuildErrorResult(SendAccessConstants.EmailOtpValidatorResults.EmailInvalid);
|
||||
}
|
||||
|
||||
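Review bot: The digest on the `SHA256.HashData(Encoding.UTF8.GetBytes(email))` line is computed over `email` exactly as it arrives, so any difference in letter case or surrounding whitespace from the form used when `EmailHashes` was produced yields a different hash and an `EmailInvalid` result. Whether `email` is normalized earlier is not visible because the method starts outside the hunk; if it is not, canonicalize with the same rule the producer of the hashes uses, for example `SHA256.HashData(Encoding.UTF8.GetBytes(email.Trim().ToLowerInvariant()))`, and record that rule in the comment above the hash. `Convert.ToHexString` already returns uppercase hex, so the trailing `.ToUpperInvariant()` can be dropped. An unsalted SHA-256 of an email address can be matched by hashing candidate addresses, so the stored hashes should still be handled as personal data rather than as anonymized values.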