PM-13632: Add support for configuring multiple allowed origins (#6317)

* Add support for configuring multiple allowed origins * Use if/else instead of union * Add conditionals * Added Chromium based extension ID's * format * Update src/Core/Constants.cs Co-authored-by: Matt Bishop <mbishop@bitwarden.com> * remove chromedevelopmentid * format --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-12-06 00:03:34 +00:00 · 2025-10-06 16:15:05 +02:00
parent a15974029e
commit f75ad36770
3 changed files with 34 additions and 1 deletions
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -70,6 +70,17 @@ public static class Constants
        /// </summary>
        public const string UnitedStates = "US";
    }
+
+
+    /// <summary>
+    /// Constants for our browser extensions IDs
+    /// </summary>
+    public static class BrowserExtensions
+    {
+        public const string ChromeId = "chrome-extension://nngceckbapebfimnlniiiahkandclblb/";
+        public const string EdgeId = "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/";
+        public const string OperaId = "chrome-extension://ccnckbpmaceehanjmeomladnmlffdjgn/";
+    }
 }

 public static class AuthConstants
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -103,6 +103,7 @@ public class GlobalSettings : IGlobalSettings
    /// </summary>
    public virtual string SendDefaultHashKey { get; set; }
    public virtual string PricingUri { get; set; }
+    public virtual Fido2Settings Fido2 { get; set; } = new Fido2Settings();

    public string BuildExternalUri(string explicitValue, string name)
    {
@@ -772,4 +773,9 @@ public class GlobalSettings : IGlobalSettings
    {
        public string VapidPublicKey { get; set; }
    }
+
+    public class Fido2Settings
+    {
+        public HashSet<string> Origins { get; set; }
+    }
 }
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -7,6 +7,7 @@ using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
 using Azure.Messaging.ServiceBus;
+using Bit.Core;
 using Bit.Core.AdminConsole.AbilitiesCache;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
@@ -695,8 +696,23 @@ public static class ServiceCollectionExtensions
        {
            options.ServerDomain = new Uri(globalSettings.BaseServiceUri.Vault).Host;
            options.ServerName = "Bitwarden";
-            options.Origins = new HashSet<string> { globalSettings.BaseServiceUri.Vault, };
            options.TimestampDriftTolerance = 300000;
+
+            if (globalSettings.Fido2?.Origins?.Any() == true)
+            {
+                options.Origins = new HashSet<string>(globalSettings.Fido2.Origins);
+            }
+            else
+            {
+                // Default to allowing the vault domain and chromium browser extension IDs
+                options.Origins = new HashSet<string> {
+                    globalSettings.BaseServiceUri.Vault,
+                    Constants.BrowserExtensions.ChromeId,
+                    Constants.BrowserExtensions.EdgeId,
+                    Constants.BrowserExtensions.OperaId
+                 };
+            }
+
        });
    }