GitHub-Bitwarden
/
server
mirror of https://github.com/bitwarden/server.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Auth/PM-11252 - Registration with Email Verification - Adjust url to point to new signup redirect connector (#4691) 

* PM-11252 - Registration with Email Verification - Adjust url in email to point to new signup redirect connector.

* PM-11252 - RegisterVerifyEmail - use url fragment structure to obfuscate query params from logging and prevent open redirects.
pull/4756/head
Jared Snider 1 year ago committed by GitHub
parent
add8783e31
commit
ab73eeae16
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs
  2. 2
      src/Core/Services/Implementations/HandlebarsMailService.cs

8
src/Core/Auth/Models/Mail/RegisterVerifyEmail.cs
Unescape View File

@ -4,11 +4,15 @@ namespace Bit.Core.Auth.Models.Mail; @@ -4,11 +4,15 @@ namespace Bit.Core.Auth.Models.Mail;
public class RegisterVerifyEmail : BaseMailModel
{
// We must include email in the URL even though it is already in the token so that the
// Note 1: We must include email in the URL even though it is already in the token so that the
// client can use it to create the master key when they set their password.
// We also have to include the fromEmail flag so that the client knows the user
// is coming to the finish signup page from an email link and not directly from another route in the app.
public string Url => string.Format("{0}/finish-signup?token={1}&email={2}&fromEmail=true",
// Note 2: we cannot use a web vault url which contains a # as that is a reserved wild character on Android
// so we must land on a redirect connector which will redirect to the finish signup page.
// Note 3: The use of a fragment to indicate the redirect url is to prevent the query string from being logged by
// proxies and servers. It also helps reduce open redirect vulnerabilities.
public string Url => string.Format("{0}/redirect-connector.html#finish-signup?token={1}&email={2}&fromEmail=true",
WebVaultUrl,
Token,
Email);

2
src/Core/Services/Implementations/HandlebarsMailService.cs
Unescape View File

@ -63,7 +63,7 @@ public class HandlebarsMailService : IMailService @@ -63,7 +63,7 @@ public class HandlebarsMailService : IMailService
{
Token = WebUtility.UrlEncode(token),
Email = WebUtility.UrlEncode(email),
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
WebVaultUrl = _globalSettings.BaseServiceUri.Vault,
SiteName = _globalSettings.SiteName
};
await AddMessageContentAsync(message, "Auth.RegistrationVerifyEmail", model);

Write Preview
Loading…
Cancel
Save