[PM-27260] SSO cookie vending

[dereknance]

🎟️ Tracking

PM-27260

📔 Objective

For self-hosted installs, the /api/sso-cookie-vendor endpoint provides clients with a means to obtain a cookie being used to authenticate requests at a reverse proxy, load balancer, etc.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @dereknance's task in 2m 52s —— View job

---

Code Review: SSO Cookie Vending (Re-review)

Summary

This PR adds an SSO cookie vending endpoint for self-hosted installs, allowing clients to obtain authentication cookies from a reverse proxy/load balancer via a bitwarden:// redirect scheme.

Changes Since Last Review

The latest commit (84ec232) is a merge from main with no changes to the PR code itself. The previous review findings have all been addressed:

Status	Description
RESOLVED	Case sensitivity mismatch fixed with StringComparison.OrdinalIgnoreCase
RESOLVED	Self-hosted restriction added via [SelfHosted(SelfHostedOnly = true)] attribute

Assessment

No issues identified. The implementation is well-structured with:

• Self-hosted restriction via [SelfHosted(SelfHostedOnly = true)] attribute
• Case-insensitive configuration check matching ConfigResponseModel behavior
• Comprehensive test coverage (18 test cases)
• URL encoding of cookie values with Uri.EscapeDataString()
• DoS safeguards (max 20 shards, max 8192 URI length)
• Hardcoded bitwarden:// scheme preventing open redirect attacks
• Sentinel value (d=1) for truncation detection

---

Generated with Claude Code

[github-actions]

Checkmarx One – Scan Summary & Details – ab2dd0ce-ff14-4884-af23-8cd21b58a4e1

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 291	details Method at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
2		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
3		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1527	details Method at line 1527 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
4		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403	details Method at line 1403 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

Fixed Issues (4)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 68
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293

[codecov]

Codecov Report

❌ Patch coverage is 96.72131% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.19%. Comparing base (52955d1) to head (84ec232).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Api/Controllers/SsoCookieVendorController.cs	96.72%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6903      +/-   ##
==========================================
+ Coverage   56.16%   56.19%   +0.03%     
==========================================
  Files        1975     1976       +1     
  Lines       87312    87373      +61     
  Branches     7772     7784      +12     
==========================================
+ Hits        49035    49101      +66     
+ Misses      36462    36454       -8     
- Partials     1815     1818       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coroiu]

Quality stuff!

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

The base branch was changed.