feat(master-password): Master Password Service - Made changed to the request models and the master password service.

2026-04-28 01:02:29 -05:00 · 2026-04-09 11:35:00 -04:00
parent 8385caee60
commit cb98256f16
6 changed files with 24 additions and 16 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -669,6 +669,17 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

+
+        var result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.UnlockData!.ToData(), model.AuthenticationData!.ToData(), model.MasterPasswordHint);
+        }
+        else
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
+        }
+
        var result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
        if (result.Succeeded)
        {
--- a/src/Api/Auth/Models/Request/Accounts/PasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/PasswordRequestModel.cs
@@ -5,11 +5,13 @@ namespace Bit.Api.Auth.Models.Request.Accounts;

 public class PasswordRequestModel : SecretVerificationRequestModel
 {
+    [Obsolete("To be removed in PM-33141")]
    [StringLength(300)]
    public string? NewMasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    public string? Key { get; set; }
    [StringLength(50)]
    public string? MasterPasswordHint { get; set; }
-    public string? Key { get; set; }

    public MasterPasswordAuthenticationDataRequestModel? AuthenticationData { get; set; }
    public MasterPasswordUnlockDataRequestModel? UnlockData { get; set; }
--- a/src/Api/Auth/Models/Request/Accounts/UpdateTempPasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/UpdateTempPasswordRequestModel.cs
@@ -1,7 +1,4 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations;
 using Bit.Api.Models.Request.Organizations;

 namespace Bit.Api.Auth.Models.Request.Accounts;
@@ -9,5 +6,5 @@ namespace Bit.Api.Auth.Models.Request.Accounts;
 public class UpdateTempPasswordRequestModel : OrganizationUserResetPasswordRequestModel
 {
    [StringLength(50)]
-    public string MasterPasswordHint { get; set; }
+    public string? MasterPasswordHint { get; set; }
 }
--- a/src/Core/Auth/UserFeatures/TdeOffboardingPassword/Interfaces/ITdeOffboardingPasswordCommand.cs
+++ b/src/Core/Auth/UserFeatures/TdeOffboardingPassword/Interfaces/ITdeOffboardingPasswordCommand.cs
@@ -11,8 +11,8 @@ namespace Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
 public interface ITdeOffboardingPasswordCommand
 {
    public Task<IdentityResult> UpdateTdeOffboardingPasswordAsync(User user, string masterPassword, string key,
-        string orgSsoIdentifier);
+        string masterPasswordHint);

    public Task<IdentityResult> UpdateTdeOffboardingPasswordAsync(User user, MasterPasswordUnlockData unlockData,
-        MasterPasswordAuthenticationData authenticationData, string orgSsoIdentifier);
+        MasterPasswordAuthenticationData authenticationData, string masterPasswordHint);
 }
--- a/src/Core/Auth/UserFeatures/UserMasterPassword/Interfaces/IMasterPasswordService.cs
+++ b/src/Core/Auth/UserFeatures/UserMasterPassword/Interfaces/IMasterPasswordService.cs
@@ -107,8 +107,8 @@ public interface IMasterPasswordService
    /// Use when the caller controls persistence.
    /// </summary>
    /// <param name="user">
-    /// The user object to mutate. Must already have a master password; must not be a Key Connector
-    /// user. KDF parameters and salt must be unchanged relative to the values in
+    /// The user object to mutate. Will not update a master password salt. Must already have a master password;
+    /// must not be a Key Connector user. KDF parameters and salt must be unchanged relative to the values in
    /// <paramref name="updateExistingData"/>. Validated via
    /// <see cref="UpdateExistingPasswordData.ValidateDataForUser"/>.
    /// </param>
--- a/src/Core/Auth/UserFeatures/UserMasterPassword/MasterPasswordService.cs
+++ b/src/Core/Auth/UserFeatures/UserMasterPassword/MasterPasswordService.cs
@@ -70,11 +70,8 @@ public class MasterPasswordService(
        // Set salt on the user
        user.MasterPasswordSalt = setInitialData.MasterPasswordUnlock.Salt;

-        // If we've passed in a hint then set it
-        if (setInitialData.MasterPasswordHint != null)
-        {
-            user.MasterPasswordHint = setInitialData.MasterPasswordHint;
-        }
+        // Always override the master password hint, even if it's null.
+        user.MasterPasswordHint = setInitialData.MasterPasswordHint;

        // Update time markers on the user
        var now = _timeProvider.GetUtcNow().UtcDateTime;
@@ -139,7 +136,8 @@ public class MasterPasswordService(

        user.Key = updateExistingData.MasterPasswordUnlock.MasterKeyWrappedUserKey;

-        user.MasterPasswordSalt = updateExistingData.MasterPasswordUnlock.Salt;
+        // Always override the master password hint, even if it's null.
+        user.MasterPasswordHint = updateExistingData.MasterPasswordHint;

        user.LastPasswordChangeDate = now;
        user.RevisionDate = user.AccountRevisionDate = now;