From 3e07d0bd323c02fe39b15425e55096b802870bc0 Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw <black.dex@gmail.com>
Date: Tue, 3 Jan 2023 19:57:53 +0100
Subject: [PATCH] Fix Inactive two-step login check (#2523)

It looks like 2fa.directory has changed it's API endpoint.
According to https://2fa.directory/api/ it now uses `api.2fa.directory` instead of `2fa.directory/api`.

This PR fixes the URL's where needed.
A fix for the client side is also created.
---
 docker-unified/hbs/nginx-config.hbs | 2 +-
 util/Setup/Configuration.cs         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-unified/hbs/nginx-config.hbs b/docker-unified/hbs/nginx-config.hbs
index 5a69352c42..382913796d 100644
--- a/docker-unified/hbs/nginx-config.hbs
+++ b/docker-unified/hbs/nginx-config.hbs
@@ -57,7 +57,7 @@ server {
     include /etc/nginx/security-headers-ssl.conf;
 {{/if}}
     include /etc/nginx/security-headers.conf;
-    add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;"}}}";
+    add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory; object-src 'self' blob:;"}}}";
     add_header X-Frame-Options SAMEORIGIN;
     add_header X-Robots-Tag "noindex, nofollow";
   }
diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index 0dcfe6ab73..36f82ea4f5 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -81,7 +81,7 @@ public class Configuration
         "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
         "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
         "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
-        "https://2fa.directory; object-src 'self' blob:;";
+        "https://api.2fa.directory; object-src 'self' blob:;";
 
     [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
         "app live sync.")]