[PM-33895] Filter [BindNever] parameters from OpenAPI schema #7257

Open
dani-garcia wants to merge 4 commits into main from ps/PM-33895-filter-bindnever-parameters

@dani-garcia dani-garcia commented Mar 19, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-33895
bitwarden/sdk-internal#728 (comment)
https://bitwarden.slack.com/archives/C05LRC3DBDK/p1771858123530539

📔 Objective

Create a new Swagger filter to filter out complex type parameters using [BindNever]. This is required to correctly generate the schema for some billing functions that look like this:

[HttpGet("credit")]
[InjectUser]
public async Task<IResult> GetCreditAsync([BindNever] User user) { ... }

The issue here is caused by Swashbuckle first expanding User into one query parameter per field (id, name, etc) before trying to filter out the query parameter user, which doesn't exist anymore and so it doesn't get correctly filtered out. This causes the OpenAPI schema and the SDK-generated code to have a lot of invalid query parameters:
https://github.com/bitwarden/sdk-internal/blob/7637fdfd66c4403b9f718d85c4cbd5bde15288d9/crates/bitwarden-api-api/src/apis/account_billing_v_next_api.rs#L31
This filter fixes this by manually filtering all the properties of any parameter annotated with [BindNever]. I've tested it locally and this fixes the invalid code generation for the billing endpoints.

The cause of this issue seems to me like a Swashbuckle bug so I'm thinking about reporting it upstream, but this filter should at least solve it for the time being.

@dani-garcia dani-garcia added the ai-review Request a Claude code review label Mar 19, 2026
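
An added example, not the filter from this pull request: one way to write an operation filter that removes every expanded parameter whose originating action parameter carries [BindNever], as the description above explains. It assumes Swashbuckle.AspNetCore built on Microsoft.OpenApi 1.x (the `Microsoft.OpenApi.Models` namespace); the class name `BindNeverParameterFilterExample` is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc.ApiExplorer;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.ModelBinding;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

// Hypothetical class name; this is not the code added by the pull request.
public sealed class BindNeverParameterFilterExample : IOperationFilter
{
    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        if (operation.Parameters is null || operation.Parameters.Count == 0)
        {
            return;
        }

        var descriptions = context.ApiDescription.ParameterDescriptions;

        // After expansion each description is named after a property of the
        // complex type, but ParameterDescriptor still identifies the action
        // parameter it came from, so the attribute can be checked there.
        var hidden = new HashSet<string>(
            descriptions.Where(IsBindNever).Select(d => d.Name),
            StringComparer.OrdinalIgnoreCase);

        // Never drop a name that a bindable parameter also uses
        // (for example a route parameter that is also called "id").
        hidden.ExceptWith(descriptions.Where(d => !IsBindNever(d)).Select(d => d.Name));

        // Iterate over a copy because the list is modified while looping.
        foreach (var parameter in operation.Parameters.ToList())
        {
            if (parameter.Name is not null && hidden.Contains(parameter.Name))
            {
                operation.Parameters.Remove(parameter);
            }
        }
    }

    // True when the action parameter behind this description has [BindNever].
    private static bool IsBindNever(ApiParameterDescription description) =>
        description.ParameterDescriptor is ControllerParameterDescriptor descriptor
        && descriptor.ParameterInfo.IsDefined(typeof(BindNeverAttribute), inherit: true);
}
```

Register it with `options.OperationFilter<BindNeverParameterFilterExample>()` inside `AddSwaggerGen`, then confirm in the generated document that the affected operations no longer list the model's properties as query parameters.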
claude bot commented Mar 19, 2026

Claude encountered an error


I'll analyze this and get back to you.

@dani-garcia dani-garcia removed the ai-review Request a Claude code review label Mar 19, 2026
@dani-garcia dani-garcia marked this pull request as ready for review March 19, 2026 17:40
@dani-garcia dani-garcia requested review from a team and djsmith85 March 19, 2026 17:42
github-actions bot commented Mar 19, 2026

Checkmarx One – Scan Summary & Details: c5018371-e0cf-4029-9aaa-b24ea6ea1952

New Issues (2): Checkmarx found the following issues in this Pull Request

| # | Severity | Issue | Source File / Package | Checkmarx Insight |
|---|----------|-------|-----------------------|-------------------|
| 1 | MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 1592 | Method at line 1592 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... |
| 2 | MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 1419 | Method at line 1419 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... |

Fixed Issues (1): Great job! The following issues were fixed in this Pull Request

| Severity | Issue | Source File / Package |
|----------|-------|-----------------------|
| MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 293 |

codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.73%. Comparing base (005c744) to head (34472c8).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7257      +/-   ##
==========================================
+ Coverage   57.72%   57.73%   +0.01%     
==========================================
  Files        2042     2043       +1     
  Lines       89817    89848      +31     
  Branches     7985     7991       +6     
==========================================
+ Hits        51845    51875      +30     
- Misses      36114    36115       +1     
  Partials     1858     1858              
