PM-13632: Add support for configuring multiple allowed origins (#6317)

* Add support for configuring multiple allowed origins * Use if/else instead of union * Add conditionals * Added Chromium based extension ID's * format * Update src/Core/Constants.cs Co-authored-by: Matt Bishop <mbishop@bitwarden.com> * remove chromedevelopmentid * format --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-12-15 07:43:54 +00:00 · 2025-10-06 16:15:05 +02:00
parent a15974029e
commit f75ad36770
3 changed files with 34 additions and 1 deletions
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -70,6 +70,17 @@ public static class Constants
        /// </summary>
        public const string UnitedStates = "US";
    }
    /// <summary>
    /// Constants for our browser extensions IDs
    /// </summary>
    public static class BrowserExtensions
    {
        public const string ChromeId = "chrome-extension://nngceckbapebfimnlniiiahkandclblb/";
        public const string EdgeId = "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/";
        public const string OperaId = "chrome-extension://ccnckbpmaceehanjmeomladnmlffdjgn/";
    }
 }
 public static class AuthConstants
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -103,6 +103,7 @@ public class GlobalSettings : IGlobalSettings
    /// </summary>
    public virtual string SendDefaultHashKey { get; set; }
    public virtual string PricingUri { get; set; }
    public virtual Fido2Settings Fido2 { get; set; } = new Fido2Settings();
    public string BuildExternalUri(string explicitValue, string name)
    {
@@ -772,4 +773,9 @@ public class GlobalSettings : IGlobalSettings
    {
        public string VapidPublicKey { get; set; }
    }
    public class Fido2Settings
    {
        public HashSet<string> Origins { get; set; }
    }
 }
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -7,6 +7,7 @@ using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
 using Azure.Messaging.ServiceBus;
 using Bit.Core;
 using Bit.Core.AdminConsole.AbilitiesCache;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
@@ -695,8 +696,23 @@ public static class ServiceCollectionExtensions
        {
            options.ServerDomain = new Uri(globalSettings.BaseServiceUri.Vault).Host;
            options.ServerName = "Bitwarden";
            options.Origins = new HashSet<string> { globalSettings.BaseServiceUri.Vault, };
            options.TimestampDriftTolerance = 300000;
            if (globalSettings.Fido2?.Origins?.Any() == true)
            {
                options.Origins = new HashSet<string>(globalSettings.Fido2.Origins);
            }
            else
            {
                // Default to allowing the vault domain and chromium browser extension IDs
                options.Origins = new HashSet<string> {
                    globalSettings.BaseServiceUri.Vault,
                    Constants.BrowserExtensions.ChromeId,
                    Constants.BrowserExtensions.EdgeId,
                    Constants.BrowserExtensions.OperaId
                 };
            }
        });
    }