[PM-29144] Add server communication config to /api/config

[dereknance]

🎟️ Tracking

PM-29144

📔 Objective

This PR adds the new config from #6880 to the /api/config endpoint so clients may learn if the server requires extra work to establish a connection.

endpoint payload comparison

Without ssoCookieVendor

The communication property is present, but null.

{
  "version": "2026.1.0",
  "gitHash": "f9c0cec8",
  "server": null,
  "environment": {
    "cloudRegion": null,
    "vault": "https://localhost:8080",
    "api": "http://localhost:4000",
    "identity": "http://localhost:33656",
    "notifications": "http://localhost:61840",
    "sso": "http://localhost:51822"
  },
  "featureStates": {
    "web-push": false
  },
  "push": {
    "pushTechnology": 0,
    "vapidPublicKey": null
  },
  "communication": null,
  "settings": {
    "disableUserRegistration": false
  },
  "object": "config"
}

With ssoCookieVendor

The communication property is present and includes the additional required properties for that type.

{
  "version": "2026.1.0",
  "gitHash": "f9c0cec8",
  "server": null,
  "environment": {
    "cloudRegion": null,
    "vault": "https://localhost:8080",
    "api": "http://localhost:4000",
    "identity": "http://localhost:33656",
    "notifications": "http://localhost:61840",
    "sso": "http://localhost:51822"
  },
  "featureStates": {
    "web-push": false
  },
  "push": {
    "pushTechnology": 0,
    "vapidPublicKey": null
  },
  "communication": {
    "type": "ssoCookieVendor",
    "idpLoginUrl": "",
    "cookieName": "",
    "cookieDomain": ""
  },
  "settings": {
    "disableUserRegistration": false
  },
  "object": "config"
}

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @dereknance's task in 1m 21s —— View job

---

Code Review: PM-29144 Add server communication config to /api/config

Status: Reviewed

Summary

This PR exposes server communication configuration through the /api/config endpoint, allowing clients to discover if additional bootstrapping (such as SSO cookie vending) is required. The implementation correctly builds upon the settings infrastructure introduced in PR #6880.

Findings

Severity	Finding	Location
⚠️ IMPORTANT	Missing unit tests for CommunicationSettings.Build() logic	ConfigResponseModel.cs

Analysis

What this PR does well:

• Clean integration with existing ConfigResponseModel structure
• Proper null safety with null-conditional operators
• Case-insensitive bootstrap type matching
• Graceful handling of unknown/unconfigured bootstrap types (returns null)
• Configuration exposed is non-sensitive (URLs, cookie names/domains for client bootstrapping)

Security Assessment:
The configuration values exposed (IdpLoginUrl, CookieName, CookieDomain) are appropriate for an unauthenticated endpoint as they contain no secrets and are required for clients to properly bootstrap their connection.

---

Reviewed by Claude via Bitwarden Code Review

[github-actions]

Checkmarx One – Scan Summary & Details – 46dd0b3e-b83a-4166-93a4-701864791a1b

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1178	details Method at line 1178 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
2		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1062	details Method at line 1062 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
3		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1527	details Method at line 1527 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
4		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403	details Method at line 1403 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293

[codecov]

Codecov Report

❌ Patch coverage is 26.08696% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.06%. Comparing base (866ba66) to head (d0398e4).

Files with missing lines	Patch %	Lines
src/Api/Models/Response/ConfigResponseModel.cs	26.08%	15 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6892      +/-   ##
==========================================
- Coverage   56.07%   56.06%   -0.02%     
==========================================
  Files        1968     1968              
  Lines       86927    86950      +23     
  Branches     7742     7746       +4     
==========================================
+ Hits        48744    48746       +2     
- Misses      36383    36401      +18     
- Partials     1800     1803       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dereknance]

This setup will yield camel case, which is consistent with the current /api/config payload, but different than the lower snake case example in the description of PM-29144.

If that's a deal-breaker, I'm happy to make this work with lower snake case.

[addisonbeck]

I also used camel for this 👍

[addisonbeck]

I also used camel for this 👍