server

bitwarden/server

Fork 0

mirror of https://github.com/bitwarden/server.git synced 2026-06-13 08:56:30 -05:00

Commit Graph

Author	SHA1	Message	Date
Dave	25e78ceba3	[PM-35393] MasterPasswordService auth integration (#7575 ) * feat(mp-service) Wire commands to MasterPasswordService. * feat(self-service) Add logout-and-log to self-service command. * feat(mp-service) Add dual-path request models and wire controller routing. Add structured cryptographic data support to all Auth password endpoints, routing new payloads to MasterPasswordService-backed commands while preserving legacy paths for backward compatibility (PM-33141 removal). * refactor(mp-service) Mark legacy password entry points [Obsolete]. * test(mp-service) Add testing. * refactor(mp-service) Rename ReplaceTemporaryPasswordAsync to be more descriptive. * refactor(mp-service) Add variant validator and tests. * fix(mp-service) Adjust payload variance validation. * test(mp-service) Update integration tests to support payload variants and model validation returns. * fix(password-request): Restore KDF regression guard. * refactor(data-models): Collapse RequestHasNewDataTypes into local check. * test(emergency-access): Update Emergency Access tests. * refactor(mp-payload-variant-validator): Move to Auth utilities. * test(self-service): Combine side-effects and password change into single test. * feat(validation): Add kdf-salt agreement-only validation. * refactor(password-request-model): consolidate onto ValidateKdfAndSaltAgreement. * test(auth): Cover ValidateKdfAndSaltAgreement and enshrine legacy KDF acceptance. * feat(validate-exclusivity): Throw on both payload variants present. * test(accounts-controller): Update tests for exclusivity validation at the boundary. * fix(request-models): Request models must accept both payload variants. * PM-35393 - Add V2 dual-payload integration tests for password-modification flows End-to-end coverage for the new AuthenticationData / UnlockData payload across every endpoint that mutates a master password: - POST /accounts/password — legacy-KDF acceptance, mismatch rejection, auth, current-password check. - PUT /accounts/update-temp-password — legacy-KDF acceptance, mismatch rejection, auth, ForcePasswordReset precondition. - PUT /accounts/update-tde-offboarding-password — sub-minimum KDF rejection (this flow intentionally enforces range), mismatch rejection, auth. - POST /emergency-access/{id}/password — legacy-KDF acceptance, mismatch rejection, no-payload rejection, non-RecoveryApproved precondition. Also extracts BuildAuthData / BuildUnlockData / BuildMismatchedAuthAndUnlock helpers in AccountsControllerTest and rewrites the existing PostKdf_* tests to use them (no behavior change). 15 new test methods, 41 cases. 155/155 controller-suite tests pass. --------- Co-authored-by: Jared Snider <jsnider@bitwarden.com> Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>	2026-05-20 12:28:30 -04:00
Bernd Schoolmann	a714278b9a	[PM-35306] Fix password change not working when using the unlock and authentication data models (#7505 ) * Fix password change not working when using the unlock and authentication data models * Cleanup test * Cleanup test * Clean up test comment * Address feedback * Fix tests * Fix tests * Update src/Core/KeyManagement/Models/Api/Request/MasterPasswordAuthenticationDataRequestModel.cs Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>	2026-04-21 12:07:50 -04:00
Patrick-Pimentel-Bitwarden	e113dbd263	feat: [PM-32626] standardize unlock and authentication validation - Standardize validation on `RegisterFinishRequestModel` so Auth and Unlock data are both required and consistently validated - Add salt validation to both unlock and authentication data - Enforce that Auth and Unlock data contain matching values - Keep validation backwards compatible with older clients - Add and update unit tests covering the new validation rules and error messages Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>	2026-04-17 10:47:09 -04:00

Author

SHA1

Message

Date

Dave

25e78ceba3

[PM-35393] MasterPasswordService auth integration (#7575 )

* feat(mp-service) Wire commands to MasterPasswordService.

* feat(self-service) Add logout-and-log to self-service command.

* feat(mp-service) Add dual-path request models and wire controller
routing.

Add structured cryptographic data support to all Auth password endpoints,
routing new payloads to MasterPasswordService-backed commands while
preserving legacy paths for backward compatibility (PM-33141 removal).

* refactor(mp-service) Mark legacy password entry points [Obsolete].

* test(mp-service) Add testing.

* refactor(mp-service) Rename ReplaceTemporaryPasswordAsync to be more descriptive.

* refactor(mp-service) Add variant validator and tests.

* fix(mp-service) Adjust payload variance validation.

* test(mp-service) Update integration tests to support payload variants and model validation returns.

* fix(password-request): Restore KDF regression guard.

* refactor(data-models): Collapse RequestHasNewDataTypes into local check.

* test(emergency-access): Update Emergency Access tests.

* refactor(mp-payload-variant-validator): Move to Auth utilities.

* test(self-service): Combine side-effects and password change into single test.

* feat(validation): Add kdf-salt agreement-only validation.

* refactor(password-request-model): consolidate onto ValidateKdfAndSaltAgreement.

* test(auth): Cover ValidateKdfAndSaltAgreement and enshrine legacy KDF acceptance.

* feat(validate-exclusivity): Throw on both payload variants present.

* test(accounts-controller): Update tests for exclusivity validation at the boundary.

* fix(request-models): Request models must accept both payload variants.

* PM-35393 - Add V2 dual-payload integration tests for password-modification flows

End-to-end coverage for the new AuthenticationData / UnlockData payload
across every endpoint that mutates a master password:

- POST /accounts/password — legacy-KDF acceptance, mismatch rejection,
  auth, current-password check.
- PUT /accounts/update-temp-password — legacy-KDF acceptance, mismatch
  rejection, auth, ForcePasswordReset precondition.
- PUT /accounts/update-tde-offboarding-password — sub-minimum KDF
  rejection (this flow intentionally enforces range), mismatch rejection,
  auth.
- POST /emergency-access/{id}/password — legacy-KDF acceptance, mismatch
  rejection, no-payload rejection, non-RecoveryApproved precondition.

Also extracts BuildAuthData / BuildUnlockData / BuildMismatchedAuthAndUnlock
helpers in AccountsControllerTest and rewrites the existing PostKdf_* tests
to use them (no behavior change).

15 new test methods, 41 cases. 155/155 controller-suite tests pass.

---------

Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

2026-05-20 12:28:30 -04:00

Bernd Schoolmann

a714278b9a

[PM-35306] Fix password change not working when using the unlock and authentication data models (#7505 )

* Fix password change not working when using the unlock and authentication data models

* Cleanup test

* Cleanup test

* Clean up test comment

* Address feedback

* Fix tests

* Fix tests

* Update src/Core/KeyManagement/Models/Api/Request/MasterPasswordAuthenticationDataRequestModel.cs

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

2026-04-21 12:07:50 -04:00

Patrick-Pimentel-Bitwarden

e113dbd263

feat: [PM-32626] standardize unlock and authentication validation

- Standardize validation on `RegisterFinishRequestModel` so Auth and Unlock data are both required and consistently validated
  - Add salt validation to both unlock and authentication data
  - Enforce that Auth and Unlock data contain matching values
  - Keep validation backwards compatible with older clients
  - Add and update unit tests covering the new validation rules and error messages

Co-authored-by: Ike Kottlowski <ikottlowski@bitwarden.com>

2026-04-17 10:47:09 -04:00

3 Commits