bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2026-06-01 12:26:46 -05:00
Code Issues Packages Projects Releases 211 Wiki Activity
7,320 Commits 530 Branches 234 Tags
ci/github-code-coverage-upload
Commit Graph

11 Commits

Author SHA1 Message Date
Dave
25e78ceba3 [PM-35393] MasterPasswordService auth integration (#7575) 
* feat(mp-service) Wire commands to MasterPasswordService.

* feat(self-service) Add logout-and-log to self-service command.

* feat(mp-service) Add dual-path request models and wire controller
routing.

Add structured cryptographic data support to all Auth password endpoints,
routing new payloads to MasterPasswordService-backed commands while
preserving legacy paths for backward compatibility (PM-33141 removal).

* refactor(mp-service) Mark legacy password entry points [Obsolete].

* test(mp-service) Add testing.

* refactor(mp-service) Rename ReplaceTemporaryPasswordAsync to be more descriptive.

* refactor(mp-service) Add variant validator and tests.

* fix(mp-service) Adjust payload variance validation.

* test(mp-service) Update integration tests to support payload variants and model validation returns.

* fix(password-request): Restore KDF regression guard.

* refactor(data-models): Collapse RequestHasNewDataTypes into local check.

* test(emergency-access): Update Emergency Access tests.

* refactor(mp-payload-variant-validator): Move to Auth utilities.

* test(self-service): Combine side-effects and password change into single test.

* feat(validation): Add kdf-salt agreement-only validation.

* refactor(password-request-model): consolidate onto ValidateKdfAndSaltAgreement.

* test(auth): Cover ValidateKdfAndSaltAgreement and enshrine legacy KDF acceptance.

* feat(validate-exclusivity): Throw on both payload variants present.

* test(accounts-controller): Update tests for exclusivity validation at the boundary.

* fix(request-models): Request models must accept both payload variants.

* PM-35393 - Add V2 dual-payload integration tests for password-modification flows

End-to-end coverage for the new AuthenticationData / UnlockData payload
across every endpoint that mutates a master password:

- POST /accounts/password — legacy-KDF acceptance, mismatch rejection,
  auth, current-password check.
- PUT /accounts/update-temp-password — legacy-KDF acceptance, mismatch
  rejection, auth, ForcePasswordReset precondition.
- PUT /accounts/update-tde-offboarding-password — sub-minimum KDF
  rejection (this flow intentionally enforces range), mismatch rejection,
  auth.
- POST /emergency-access/{id}/password — legacy-KDF acceptance, mismatch
  rejection, no-payload rejection, non-RecoveryApproved precondition.

Also extracts BuildAuthData / BuildUnlockData / BuildMismatchedAuthAndUnlock
helpers in AccountsControllerTest and rewrites the existing PostKdf_* tests
to use them (no behavior change).

15 new test methods, 41 cases. 155/155 controller-suite tests pass.

---------

Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
 2026-05-20 12:28:30 -04:00
Bernd Schoolmann
a714278b9a [PM-35306] Fix password change not working when using the unlock and authentication data models (#7505) 
* Fix password change not working when using the unlock and authentication data models

* Cleanup test

* Cleanup test

* Clean up test comment

* Address feedback

* Fix tests

* Fix tests

* Update src/Core/KeyManagement/Models/Api/Request/MasterPasswordAuthenticationDataRequestModel.cs

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
 2026-04-21 12:07:50 -04:00
Patrick-Pimentel-Bitwarden
e113dbd263 feat: [PM-32626] standardize unlock and authentication validation 
- Standardize validation on `RegisterFinishRequestModel` so Auth and Unlock data are both required and consistently validated
  - Add salt validation to both unlock and authentication data
  - Enforce that Auth and Unlock data contain matching values
  - Keep validation backwards compatible with older clients
  - Add and update unit tests covering the new validation rules and error messages

Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>
 2026-04-17 10:47:09 -04:00
Jared Snider
72226eb33a Auth/PM-32487 - Emergency Access - invite or update - require min value of 1 for wait time in days. (#7168) 2026-03-09 12:27:33 -04:00
Patrick-Pimentel-Bitwarden
c52f2e0d09 feat(register): [PM-27084] Account Register Uses New Data Types - Repush (#6855) 
* feat(register): [PM-27084] Account Register Uses New Data Types - Changes.

* test(register): [PM-27084] Account Register Uses New Data Types - Added tests.

* fix(register): [PM-27084] Account Register Uses New Data Types - Added constant for feature flag.
 2026-02-04 10:03:55 -05:00
Patrick-Pimentel-Bitwarden
029a5f6a2d Revert "feat(register): [PM-27084] Account Register Uses New Data Types (#6715)" (#6854) 
This reverts commit 8cb8030534.
 2026-01-15 21:19:16 +00:00
Patrick-Pimentel-Bitwarden
8cb8030534 feat(register): [PM-27084] Account Register Uses New Data Types (#6715) 
* feat(register): [PM-27084] Account Register Uses New Data Types - Implementation

* test(register): [PM-27084] Account Register Uses New Data Types - Added tests
 2026-01-15 15:55:27 -05:00
Maciej Zieniuk
2e92a53f11 [PM-27281] Support v2 account encryption on JIT master password signups (#6777) 
* V2 prep, rename existing SSO JIT MP command to V1

* set initial master password for account registraton V2

* later removel docs

* TDE MP onboarding split

* revert separate TDE onboarding controller api

* Server side hash of the user master password hash

* use `ValidationResult` instead for validation errors

* unit test coverage

* integration test coverage

* update sql migration script date

* revert validate password change

* better requests validation

* explicit error message when org sso identifier invalid

* more unit test coverage

* renamed onboarding to set, hash naming clarifications

* update db sql script, formatting

* use raw json as request instead of request models for integration test

* v1 integration test coverage

* change of name
 2026-01-09 09:17:45 +01:00
rr-bw
e2f96be4dc refactor(sso-config-tweaks): [Auth/PM-933] Make Single Sign-On URL required regardless of EntityId (#6314) 
Makes the Single Sign-On URL required regardless of the EntityId
 2025-10-01 08:55:03 -07:00
Ike
ab5d4738d6 [PM-8107] Remove Duo v2 from server (#4934) 
refactor(TwoFactorAuthentication): Remove references to old Duo SDK version 2 code and replace them with the Duo SDK version 4 supported library DuoUniversal code.

Increased unit test coverage in the Two Factor Authentication code space. We opted to use DI instead of Inheritance for the Duo and OrganizaitonDuo two factor tokens to increase testability, since creating a testing mock of the Duo.Client was non-trivial.

Reviewed-by: @JaredSnider-Bitwarden
 2024-11-18 15:58:05 -08:00
Ike
97b3f3e7ee [PM-5216] User and Organization Duo Request and Response Model refactor (#4126) 
* inital changes

* add provider GatewayType migrations

* db provider migrations

* removed duo migrations added v2 metadata to duo response

* removed helper scripts

* remove signature from org duo

* added backward compatibility for Duo v2

* added tests for duo request + response models

* refactors to TwoFactorController

* updated test methods to be compartmentalized by usage

* fix organization add duo

* Assert.Empty() fix for validator
 2024-06-05 11:42:02 -07:00