From f75ad367701b977fd51f3dc31f4e0af29f3885e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Mon, 6 Oct 2025 16:15:05 +0200
Subject: [PATCH] PM-13632: Add support for configuring multiple allowed origins (#6317)
* Add support for configuring multiple allowed origins
* Use if/else instead of union
* Add conditionals
* Added Chromium based extension ID's
* format
* Update src/Core/Constants.cs
Co-authored-by: Matt Bishop
* remove chromedevelopmentid
* format
---------
Co-authored-by: Matt Bishop
---
 src/Core/Constants.cs | 11 +++++++++++
 src/Core/Settings/GlobalSettings.cs | 6 ++++++
 .../Utilities/ServiceCollectionExtensions.cs | 18 +++++++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 38612c737f..97ae9d2485 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -70,6 +70,17 @@ public static class Constants
 ///
 public const string UnitedStates = "US";
 }
+
+ ///
+ /// Constants for our browser extensions IDs
+ ///
+ public static class BrowserExtensions
+ {
+ public const string ChromeId = "chrome-extension://nngceckbapebfimnlniiiahkandclblb/";
+ public const string EdgeId = "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/";
+ public const string OperaId = "chrome-extension://ccnckbpmaceehanjmeomladnmlffdjgn/";
+ }
 }
 public static class AuthConstants
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index f045570df5..250daf0007 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -103,6 +103,7 @@ public class GlobalSettings : IGlobalSettings
 ///
 public virtual string SendDefaultHashKey { get; set; }
 public virtual string PricingUri { get; set; }
+ public virtual Fido2Settings Fido2 { get; set; } = new Fido2Settings();
 public string BuildExternalUri(string explicitValue, string name)
 {
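Review bot: The new constants are named `ChromeId`/`EdgeId`/`OperaId` and summarised as "browser extensions IDs", but their values are full WebAuthn origin strings (the `chrome-extension://` scheme plus a trailing slash), and this exact form is presumably what the FIDO2 origin check matches against, so a maintainer who later adds a bare extension ID or drops the scheme would produce an entry that never matches. Suggest making that explicit in the XML docs, e.g. a class summary of `/// Origins of the Bitwarden extension on Chromium-based browsers, in the form WebAuthn reports them; used as default allowed FIDO2 origins, not bare extension IDs.` and a one-line `<summary>` per constant naming the browser. The outer `Constants` class starts before the hunk.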
@@ -772,4 +773,9 @@ public class GlobalSettings : IGlobalSettings
 {
 public string VapidPublicKey { get; set; }
 }
+
+ public class Fido2Settings
+ {
+ public HashSet Origins { get; set; }
+ }
 }
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index d69fec919f..58ce0466c3 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -7,6 +7,7 @@ using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
 using Azure.Messaging.ServiceBus;
+using Bit.Core;
 using Bit.Core.AdminConsole.AbilitiesCache;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
@@ -695,8 +696,23 @@ public static class ServiceCollectionExtensions
 {
 options.ServerDomain = new Uri(globalSettings.BaseServiceUri.Vault).Host;
 options.ServerName = "Bitwarden";
- options.Origins = new HashSet { globalSettings.BaseServiceUri.Vault, };
 options.TimestampDriftTolerance = 300000;
+
+ if (globalSettings.Fido2?.Origins?.Any() == true)
+ {
+ options.Origins = new HashSet(globalSettings.Fido2.Origins);
+ }
+ else
+ {
+ // Default to allowing the vault domain and chromium browser extension IDs
+ options.Origins = new HashSet {
+ globalSettings.BaseServiceUri.Vault,
+ Constants.BrowserExtensions.ChromeId,
+ Constants.BrowserExtensions.EdgeId,
+ Constants.BrowserExtensions.OperaId
+ };
+ }
+
 });
 }
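Review bot: `Fido2Settings.Origins` is an undocumented, settable allowlist whose semantics are not obvious from the type alone: the consumer in ServiceCollectionExtensions (same patch) uses a non-empty configured set in place of the defaults, so an operator who lists only extension origins silently loses the vault's own origin for WebAuthn. Suggest an XML summary on the property: `/// Allowed WebAuthn (FIDO2) origins. When set and non-empty this replaces the built-in defaults (vault URI plus browser-extension origins), so include the vault origin explicitly.` It may also be worth initialising the property to an empty set so consumers need not null-check it, although the current consumer already guards with `?.`. The enclosing `GlobalSettings` class starts outside the hunk.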
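Review bot: The `if` branch replaces the default origin set wholesale — the vault origin is not included once `Fido2.Origins` is non-empty — and while the commit message says this is deliberate ("Use if/else instead of union"), nothing in the code says so and a later reader is likely to treat it as an oversight. Suggest a comment on that branch, e.g. `// Configured origins replace the defaults entirely (no union); the vault origin must be listed explicitly if it is still wanted.` Since this set is the boundary that decides which origins' WebAuthn assertions the server accepts, consider also normalising the configured entries before copying them — dropping blank entries and trimming whitespace, e.g. `new HashSet(globalSettings.Fido2.Origins.Where(o => !string.IsNullOrWhiteSpace(o)).Select(o => o.Trim()))` — because an entry that differs from the browser-reported origin only by stray whitespace would presumably fail verification with no obvious error. The options lambda and its enclosing method both start outside the hunk.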