[PM-27260] SSO cookie vending

[dereknance]

🎟️ Tracking

PM-27260

📔 Objective

For self-hosted installs, the /api/sso-cookie-vendor endpoint provides clients with a means to obtain a cookie being used to authenticate requests at a reverse proxy, load balancer, etc.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @dereknance's task in 1m 50s —— View job

---

Code Review: SSO Cookie Vending

Summary

This PR adds an SSO cookie vending endpoint for self-hosted installs, allowing clients to obtain authentication cookies from a reverse proxy/load balancer via a bitwarden:// redirect scheme. The implementation includes proper input validation, URL encoding, and length limits.

Findings

Type	Location	Description
WARNING	SsoCookieVendorController.cs:32	Case sensitivity mismatch between controller and ConfigResponseModel causes inconsistent behavior

Details

Case Sensitivity Bug: The controller uses case-sensitive comparison (bootstrap != "ssoCookieVendor") while ConfigResponseModel.CommunicationSettings.Build() uses case-insensitive comparison via ToLowerInvariant(). This will cause the config endpoint to expose the feature settings while the cookie vendor endpoint returns 404 if the admin uses different casing in their configuration.

Observations

Positive aspects:

• Comprehensive test coverage for the controller (18 test cases covering edge cases, sharding, encoding)
• Proper URL encoding of cookie values with Uri.EscapeDataString()
• Reasonable safeguards against DoS (max shard count of 20, max URI length of 8192)
• Hardcoded redirect scheme prevents open redirect attacks

Note: The CommunicationSettings.Build() method in ConfigResponseModel.cs does not have dedicated unit tests. The existing integration tests for /config do not verify the new Communication field.

[claude]

WARNING: Case sensitivity mismatch with ConfigResponseModel

This comparison is case-sensitive (bootstrap != "ssoCookieVendor"), but ConfigResponseModel.CommunicationSettings.Build() uses case-insensitive comparison:

var bootstrap = globalSettings.Communication?.Bootstrap?.ToLowerInvariant();
// ...
"ssocookievendor" => new CommunicationSettings { ... }

If an admin configures Bootstrap = "SsoCookieVendor" or Bootstrap = "SSOCOOKIEVENDOR":

• The /config endpoint will return CommunicationSettings (since it lowercases)
• This endpoint will return 404 (since the comparison is case-sensitive)

This will cause confusing behavior where clients see the feature as configured but cannot use it.

Suggested change

	if (string.IsNullOrEmpty(bootstrap) || bootstrap != "ssoCookieVendor")
	if (string.IsNullOrEmpty(bootstrap) || !bootstrap.Equals("ssoCookieVendor", StringComparison.OrdinalIgnoreCase))

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Checkmarx One – Scan Summary & Details – 60eb7d2b-0c1d-4d43-ad0e-a859adf1e7ac

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293	details Method at line 293 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
2		CVE-2025-13465	Npm-lodash-4.17.21	details Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

Fixed Issues (4)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1178
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1062
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1527
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403

[codecov]

Codecov Report

❌ Patch coverage is 96.72131% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.10%. Comparing base (d0398e4) to head (0c7fbf8).

Files with missing lines	Patch %	Lines
src/Api/Controllers/SsoCookieVendorController.cs	96.72%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@                           Coverage Diff                            @@
##           pm-29144-communication-in-config-api    #6903      +/-   ##
========================================================================
+ Coverage                                 56.06%   56.10%   +0.04%     
========================================================================
  Files                                      1968     1969       +1     
  Lines                                     86950    87011      +61     
  Branches                                   7746     7758      +12     
========================================================================
+ Hits                                      48746    48816      +70     
+ Misses                                    36401    36390      -11     
- Partials                                   1803     1805       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.