Use encoded query parameters over path (#2354)

* Use encoded query parameters over path * Prefer POST for requests with sensitive information * Send private information in headers over query * B64 encode email
2023-03-07 17:16:28 -05:00 · 2023-03-07 17:16:28 -05:00 · 4d2b53c809
parent c02cd1f15b
commit 4d2b53c809
2 changed files with 11 additions and 5 deletions
--- a/src/Core/Abstractions/IApiService.cs
+++ b/src/Core/Abstractions/IApiService.cs
@ -47,7 +47,7 @@ namespace Bit.Core.Abstractions
        Task RefreshIdentityTokenAsync();
        Task<SsoPrevalidateResponse> PreValidateSso(string identifier);
        Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
-            TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true);
+            TRequest body, bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest, bool logoutOnUnauthorized = true);
        void SetUrls(EnvironmentUrls urls);
        [Obsolete("Mar 25 2021: This method has been deprecated in favor of direct uploads. This method still exists for backward compatibility with old server versions.")]
        Task<CipherResponse> PostCipherAttachmentLegacyAsync(string id, MultipartFormDataContent data);
--- a/src/Core/Services/ApiService.cs
+++ b/src/Core/Services/ApiService.cs
@ -10,6 +10,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Domain;
 using Bit.Core.Models.Request;
 using Bit.Core.Models.Response;
 using Bit.Core.Utilities;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using Newtonsoft.Json.Serialization;
@ -183,13 +184,13 @@ namespace Bit.Core.Services
        public Task PostAccountRequestOTP()
        {
-            return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, false);
+            return SendAsync<object, object>(HttpMethod.Post, "/accounts/request-otp", null, true, false, null, false);
        }
        public Task PostAccountVerifyOTPAsync(VerifyOTPRequest request)
        {
            return SendAsync<VerifyOTPRequest, object>(HttpMethod.Post, "/accounts/verify-otp", request,
-                true, false, false);
+                true, false, null, false);
        }
        public Task PutUpdateTempPasswordAsync(UpdateTempPasswordRequest request)
@ -570,7 +571,11 @@ namespace Bit.Core.Services
        public Task<bool> GetKnownDeviceAsync(string email, string deviceIdentifier)
        {
-            return SendAsync<object, bool>(HttpMethod.Get, $"/devices/knowndevice/{email}/{deviceIdentifier}", null, false, true);
+            return SendAsync<object, bool>(HttpMethod.Get, "/devices/knowndevice", null, false, true, (message) =>
            {
                message.Headers.Add("X-Device-Identifier", deviceIdentifier);
                message.Headers.Add("X-Request-Email", CoreHelpers.Base64UrlEncode(Encoding.UTF8.GetBytes(email)));
            });
        }
        #endregion
@ -624,7 +629,7 @@ namespace Bit.Core.Services
        public Task<TResponse> SendAsync<TResponse>(HttpMethod method, string path, bool authed) =>
            SendAsync<object, TResponse>(method, path, null, authed, true);
        public async Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, TRequest body,
-            bool authed, bool hasResponse, bool logoutOnUnauthorized = true)
+            bool authed, bool hasResponse, Action<HttpRequestMessage> alterRequest = null, bool logoutOnUnauthorized = true)
        {
            using (var requestMessage = new HttpRequestMessage())
            {
@ -671,6 +676,7 @@ namespace Bit.Core.Services
                {
                    requestMessage.Headers.Add("Accept", "application/json");
                }
                alterRequest?.Invoke(requestMessage);
                HttpResponseMessage response;
                try