feat: add ChangeEmailCommand [PM-35830]
- Add ChangeEmailCommand to encapsulate core email change logic
- Add OrganizationDomainAllowEmailChangeQuery returning OrganizationDomainAllowEmailChangeDenialReason enum so callers can branch on the specific denial reason, if any
- Surface tailored BadRequestException messages per denial reason via a switch expression that fails closed on unknown values
- Push sync-only notification (no logout)
- Add unit tests covering denial reasons, domain case invariance, and the null-customerId-with-gateway path
* PM-37166 - Add ClientVersion to Device entity and repository contract
* PM-37166 - Add ClientVersion SQL schema and refactor bump stored procedures
* PM-37166 - Implement combined bump in repositories and add EF migrations
EF snapshot regeneration also absorbs Collection / CollectionGroup /
CollectionUser namespace moves (Bit.Infrastructure.EntityFramework.Models
-> Bit.Infrastructure.EntityFramework.AdminConsole.Models) that were left
un-regenerated by PR #7523 (PM-35489). Namespace-only, no SQL impact;
flagged with the AC team for awareness.
* PM-37166 - Replace DeviceLastActivityCacheService with DeviceDataCacheService
* PM-37166 - Replace BumpDeviceLastActivityDateCommand with BumpDeviceDataCommand
* PM-37166 - Pass ClientVersion through identity request validators
* PM-37166 - Align migration script with SQL style guide
Refresh Device_ReadBy* sprocs after DeviceView change so their cached
schema picks up ClientVersion, swap retired-sproc drops to
DROP PROCEDURE IF EXISTS, and tighten the ALTER TABLE indent in step 1.
* PM-37166 - Rename BumpData to UpdateLastActivity across device write pathway
The "BumpData" naming was vague — "data" named a category, not the thing
being written. Rename to "UpdateLastActivity" everywhere: SP, repositories,
command, cache, validators, tests. "Last activity" names the event of the
device's most recent appearance; LastActivityDate (when) and ClientVersion
(what was running) are facts we observed about that event. ClientVersion is
treated as a property of the activity event rather than an independent value,
so future last-observed properties (last IP, OS, etc.) slot in without renaming.
The SQL layer uses Update* per architect guidance on bitwarden/server#7302;
the Bump* SPs in this codebase are legacy and not being extended. The
extensibility note lives on IUpdateDeviceLastActivityCommand with short
pointers from the SP, repo, and cache.
Cache key prefix changes from device:data: to device:last-activity: — safe
because the cache is only a write-suppression optimization (SP guards ensure
correctness) and entries TTL out within 24h.
Migration renamed to 2026-05-14 to reflect the rewrite.
* PM-37166 - Add UTF-8 BOM to device last activity cache files
Aligns file encoding with the repo's .editorconfig (charset = utf-8-bom for .cs) so dotnet format --verify-no-changes passes.
* PM-37166 - Compare LastActivityDate at second precision in device creation test
GetManyByUserIdWithDeviceAuth_ReturnsLastActivityDate_ForNewDeviceAsync was
flaking on SqlServer: Dapper binds DateTime params as legacy `datetime`
(~3.33ms granularity), so the entity initializer's UtcNow can be rounded a
few ms earlier than the in-memory `beforeCreation` capture, making a strict
>= comparison occasionally false. Truncate both sides to the second to
absorb that drift while still rejecting stale or defaulted values.
* PM-37166 - Rename Device.ClientVersion EF migration
Renames migration class/files from AddDeviceClientVersionRefactorDeviceDataBump
to AddDeviceClientVersion to drop stale "Bump" terminology and the misleading
"RefactorDeviceData" prefix. The EF migration only adds the ClientVersion
column; the BumpData -> UpdateLastActivity SP refactor lives in MSSQL .sql
files and has no EF representation.
* PM-37166 - Document null-is-no-op semantics for ClientVersion on IUpdateDeviceLastActivityCommand
Tighten the interface-level summary and add a <param> note clarifying that
a null clientVersion is treated as "no opinion" and will not clear an
existing stored value.
* PM-37166 - Regenerate Device.ClientVersion EF migration on post-#7634 baseline
PR #7634 merged AddLastApiKeyRotationDateToUserTable into main while this
branch was open. The prior AddDeviceClientVersion migration's frozen model
snapshot (its .Designer.cs) was generated before that PR landed, so it did
not include User.LastApiKeyRotationDate. Applying migrations incrementally
against that stale snapshot would produce an inconsistent model graph.
Regenerated AddDeviceClientVersion on top of the merged-from-main baseline
so the new .Designer.cs files include both columns. The migration body
itself still only adds Device.ClientVersion; the top-level
DatabaseContextModelSnapshot.cs files were already correct from git's
three-way merge.
New timestamps (20260514192xxx) come after the User migration
(20260514011xxx), preserving migration order.
* PM-37166 - util/Migrator/DbScripts/2026-05-14_00_AddDeviceClientVersionAndUpdateLastActivitySp.sql - fix wrong comment
* PM-37166 - Bump Device.ClientVersion column width from 20 to 43
43 is the upper bound of Version.ToString() for any input parseable by
Version.TryParse — four Int32 components (Int32.MaxValue = 10 digits)
joined by 3 dots. Sizing to the type's mathematical max prevents
SQL Server error 8152 on malformed/hostile Bitwarden-Client-Version
headers without paying the cost of normalization at the call sites.
Real Bitwarden CalVer (YYYY.M.B) remains well within bounds at ~9 chars.
- Device.cs [MaxLength] + entity doc comment
- SSDT table + 4 stored procedures
- Cloud migration ALTER TABLE + SP parameters
- EF migrations regenerated for MySQL / Postgres / SQLite
* PM-37166 - Defer dropping old single-column UpdateLastActivityDate SPs to follow-up
Server and DB deploys are decoupled, so dropping the old SPs in the same migration that
introduces the new combined ones would break server rollback. Per discussion on PR #7632:
- Remove DROP PROCEDURE statements from the migration; replace with a note explaining the deferral.
- Restore the old Device_UpdateLastActivityDate{ById,ByIdentifierUserId}.sql files in src/Sql/dbo
so the SSDT source-of-truth stays aligned with deployed schema (EDD).
A follow-up ticket will drop the old SPs and delete the .sql files together once we're
confident no deployed server version still calls them.
* PM-37166 - Pass @LastActivityDate into Device_UpdateLastActivity SPs
Bitwarden convention is to compute timestamps in the application layer
and pass them as DATETIME2(7) params, not call GETUTCDATE() inside SPs.
Dapper repo now computes DateTime.UtcNow locally (matching the EF repo
and UserRepository.cs precedent) and passes LastActivityDate through.
* PM-37165 - Add LastApiKeyRotationDate column to User
Adds a nullable DATETIME2(7) LastApiKeyRotationDate column on the User
table alongside the other Last*Date audit columns. Covers the MSSQL
table, view, User_Create / User_Update stored procedures (new optional
parameter, EDD-safe with default NULL), the SSDT source-of-truth, and
EF migrations for MySql, Postgres, and Sqlite.
Repository round-trip integration tests verify that CreateAsync
defaults the column to NULL and ReplaceAsync persists it across all
four providers.
* PM-37165 - Add RotateUserApiKeyCommand under Auth/UserFeatures
Extracts user API key rotation out of UserService into a new CQS
command at src/Core/Auth/UserFeatures/UserApiKey/, mirroring the
existing decomposition pattern for other Auth user features. The
command generates a new 30-char ApiKey, bumps RevisionDate, sets
LastApiKeyRotationDate, and persists via IUserRepository.ReplaceAsync.
Adds the PM37165_RotateUserApiKeyCommand feature flag so the new path
can be rolled out behind a flag in a follow-up commit. Registers the
command via AddUserApiKeyCommands inside AddUserServices.
Unit tests verify the command assigns a fresh key, updates both
RevisionDate and LastApiKeyRotationDate to the same recent UTC value,
and calls ReplaceAsync exactly once.
* PM-37165 - Flag-gate rotate-api-key endpoint to new command
Wires AccountsController.RotateApiKey to dispatch between
IRotateUserApiKeyCommand (flag on) and the legacy
UserService.RotateApiKeyAsync (flag off) based on
PM37165_RotateUserApiKeyCommand. Both paths preserve the existing
auth and secret-verification guards, which run before the flag
branch.
Marks IUserService.RotateApiKeyAsync and its implementation [Obsolete]
pointing callers at IRotateUserApiKeyCommand, with TODOs tying their
removal to the flag cleanup. The body of the legacy method is
deliberately unchanged so it does NOT write LastApiKeyRotationDate
while the flag is off; that genuinely gates the new behavior so the
ramp is observable and reversible. The single remaining call site
(the controller fallback) is wrapped in #pragma warning disable
CS0618 so the attribute continues to flag any new callers.
Tests:
- AccountsControllerTests: dispatch tests for both flag states; the
auth and bad-secret guard tests are parameterized over flag state.
Pre-existing typo in two tests that called _sut.ApiKey() instead of
_sut.RotateApiKey() is fixed.
- UserServiceTests: regression test locks in the legacy non-write
behavior so it cannot drift before the flag is removed.
- AccountsControllerTest (integration): three endpoint tests cover
flag-off (LastApiKeyRotationDate stays NULL), flag-on (column is
populated), and bad-secret over both flag states (no rotation
occurs).
Each flag-state-specific test carries a TODO breadcrumb describing
the exact rename or deletion when the flag is cleaned up.
* PM-37165 - Tweak comment
* PM-37165 - Move LastApiKeyRotationDate to end of User schema
Append the new column to the end of User.sql, UserView.sql, the
matching CREATE OR ALTER VIEW in the migrator script, and the User
entity so SSDT mirrors what ALTER TABLE ADD produces in production.
feat: Add WebAuthn Cache
- Add IWebAuthnChallengeCacheProvider with distributed cache implementation for storing WebAuthn Challenges
- Inject the cache provider into AssertWebAuthnLoginCredentialCommand and WebAuthnGrantValidator so challenges can be stored
- Use a static token lifetime for WebAuthnLoginAssertionOptionsTokenable and enable nullable reference types on the tokenable
- Add unit tests for the cache provider, the assertion command, and the WebAuthn controller; add Identity integration and unit tests for WebAuthnGrantValidator with a FakeWebAuthnAuthenticator helper
Deprecating V1 User Asymmetric Key information in favor of new V2 User Asymmetric Account Keys structure.
This PR adds support for the new AccountKeys structure while maintaining support for the legacy UserAsymmetricKey-based flow. Validation is updated to check either AccountKeys or UserAsymmetricKeys are updated. Tests include modeling for both scenarios.
* PM-4517 - Add LastActivityDate to Device entity, interfaces, DTOs, and response models
Adds the LastActivityDate nullable DateTime property to the Device entity,
IDeviceRepository interface (BumpLastActivityDateByIdAsync and
BumpLastActivityDateByIdentifierAsync), DeviceAuthDetails DTO,
DeviceResponseModel, DeviceAuthRequestResponseModel, and the
DevicesLastActivityDate feature flag key in Constants.
* PM-4517 - Add BumpDeviceLastActivityDateCommand with distributed cache guard
Adds IBumpDeviceLastActivityDateCommand and IDeviceLastActivityCacheService
interfaces with their implementations. The cache service uses the persistent
keyed IDistributedCache (Cosmos DB in cloud, SQL Server in self-hosted) with
a 48h TTL to guard against redundant DB writes within the same calendar day.
Moves device DI registration into a consolidated AddDeviceServices() extension.
* PM-4517 - Add LastActivityDate SQL schema, stored procedures, and MSSQL migration
Adds LastActivityDate DATETIME2 column to the Device table. Updates Device_Create
and Device_Update stored procedures. Adds Device_BumpLastActivityDateById and
Device_BumpLastActivityDateByIdentifier stored procedures with a CAST AS DATE
guard as a fallback against redundant writes when the application-layer cache
is unavailable.
* PM-4517 - Implement LastActivityDate repository methods and EF migrations
Implements BumpLastActivityDateByIdAsync and BumpLastActivityDateByIdentifierAsync
in both Dapper (via stored procedures) and EF (via ExecuteUpdateAsync with a
date-level guard). Adds EF migrations for Postgres, SQLite, and MySQL.
* PM-4517 - Bump device LastActivityDate on login and refresh token
Wires IBumpDeviceLastActivityDateCommand into BaseRequestValidator (login path,
keyed on device.Id) and CustomTokenRequestValidator (refresh token path, keyed
on device identifier from subject claims). Both call sites are feature-flagged
behind DevicesLastActivityDate.
* PM-4517 - Move AddDeviceServices() to AddBaseServices alongside IDeviceService
Device services are not user features — co-locating them with IDeviceService
in AddBaseServices is more cohesive than nesting them inside AddUserServices.
* PM-4517 - Swallow transient LastActivityDate bump failures to prevent auth disruption
* PM-4517 - Fix DeviceAuthDetails Dapper constructor parameter order to match LastActivityDate column position
* PM-4517 - Add edge case tests for BumpDeviceLastActivityForRefreshAsync guard conditions
* PM-4517 - Add tests for BumpLastActivityDate flag-disabled, null-device, and happy-path cases
* PM-4517 - Add PM-34091 cleanup TODOs to all DevicesLastActivityDate feature flag sites
* PM-4517 - Refine PM-34091 cleanup TODOs and add missing feature flag disabled test for refresh path
* PM-4517 - Remove redundant LastActivityDate shadow property from DeviceAuthDetails
* PM-4517 - Use CultureInfo.InvariantCulture in date string formatting for CA1305
* PM-4517 - Make _bumpDeviceLastActivityDateCommand protected in base to remove duplicate field in derived class
* PM-4517 - Scope device last activity cache key by userId to prevent cross-user collisions
The Device table's unique constraint is (UserId, Identifier), not Identifier alone,
so two users can share the same device identifier (e.g. account switching in a browser).
Scoping the cache key to device:last-activity:{userId}:{identifier} ensures that a cache
hit for one user never suppresses a DB write for another.
Also adds userId to BumpByIdAsync signature and reorders params to be consistent with
BumpByIdentifierAsync(string identifier, Guid userId).
* PM-4517 - Widen try-catch in TryBumpDeviceLastActivityForRefreshAsync and add happy-path test
Renames BumpDeviceLastActivityForRefreshAsync to TryBumpDeviceLastActivityForRefreshAsync
to signal the swallow-on-error intent. Moves the try-catch to wrap the entire method body,
including GetSubjectId() which can throw InvalidOperationException, so no exception can
escape and disrupt token refresh. Also moves the XML doc comment to RecordActivityForInstallation
where it belongs, and adds a happy-path test verifying BumpByIdentifierAsync is called
with the correct identifier and userId.
* PM-4517 - Capture DateTime.UtcNow once in EF bump methods to ensure consistent timestamp
Avoids a minor inconsistency where the WHERE filter and SET clause could evaluate
DateTime.UtcNow at slightly different moments, aligning behavior with the SQL stored
procedures which use a single @RevisionDate parameter.
* PM-4517 - Preserve LastActivityDate on Device_Update when null to prevent regressions
Device_Update previously overwrote LastActivityDate unconditionally, meaning any unrelated
device update (push token rotation, trust changes, deactivation) could silently regress a
recently-bumped value. COALESCE preserves the existing DB value when NULL is passed, while
still allowing callers to set it in the same write by passing a non-NULL value. The EF
ReplaceAsync override applies the same semantics via IsModified = false. Integration test
added to cover the preserve-on-null behaviour across all DB providers.
* PM-4517 - Add docs
* PM-4517 - Adjust docs
* PM-4517 - Add test coverage for BumpLastActivityDateByIdentifierAsync
* PM-4517 - Per PR feedback, add docs on IDeviceLastActivityCacheService
* PM-4517 - Per PR feedback, adjust IBumpDeviceLastActivityDateCommand.BumpById to be bump by device instead b/c it has all what we need.
* PM-4517 - Per PR feedback, add tech debt ticket.
* PM-4517 - Rename BumpByIdentifierAsync to BumpByIdentifierAndUserIdAsync across the board.
* PM-4517 - Per PR feedback, adjust stored proc names to meet SQL style requirements
* PM-4517 - Replace COALESCE with CASE in Device_Update to prevent stale non-null LastActivityDate overwrites
* PM-4517 - Add EF repository feature parity for replace logic + test to ensure we don't run into this again.
* PM-4517 - Fix DB migration order after main merge.
* PM-4517 - Regenerate EF DB migrations
* PM-4517 - actually regenerate EF DB migrations
* PM-4517 - Add LastActivityDate to Device_ReadActiveWithPendingAuthRequestsByUserId and integration tests
* Refactor organization user confirmation logic by removing direct feature flag checks. Updated related commands and tests to utilize policy requirements instead of feature service checks for automatic user confirmation. Cleaned up organization form view by simplifying checkbox rendering for automatic user confirmation.
* Refactor ProviderService to remove feature service dependency for automatic user confirmation. Updated logic to streamline policy requirement checks and cleaned up related tests by removing unnecessary feature flag assertions.
* Enhance tests for automatic user confirmation policy requirements. Updated multiple test classes to include checks for `AutomaticUserConfirmationPolicyRequirement`, ensuring no auto-confirm restrictions are applied by default. Refactored related assertions in `AcceptOrgUserCommandTests`, `ConfirmOrganizationUserCommandTests`, `RestoreOrganizationUserCommandTests`, and others to streamline compliance validation logic.
* Enhance tests for automatic user confirmation policy across multiple test classes. Added checks for `AutomaticUserConfirmationPolicyRequirement` in `ConfirmOrganizationUserCommandTests`, `RestoreOrganizationUserCommandTests`, and `SelfHostedOrganizationSignUpCommandTests`, ensuring compliance validation logic is streamlined and consistent. Updated assertions to reflect new policy requirements.
* Implement mock for AutomaticUserConfirmationPolicyRequirement in ProviderServiceTests to enhance test coverage for user confirmation policies.
* Update ProviderServiceTests to include mocks for AutomaticUserConfirmationPolicyRequirement, enhancing test coverage for user acceptance scenarios.
* Refactor test method names in EmergencyAccessServiceTests for clarity by removing feature flag references, improving readability and maintainability of the test suite.
* fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding - Initial set of renames take two.
* fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding - Updated function name.
* fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding - Fixed test.
* fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding - Unborked tests.
* fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding - Changed test names.
* implementation plan
* feedback updates
* revert updates
* implementation plan
* feedback updates
* revert updates
* implement plan
* Revert "Merge branch '2fa-account-recovery' of github.com:bitwarden/server into 2fa-account-recovery"
This reverts commit 3be2d140f1, reversing
changes made to 9fb8d3891c.
* PR feedback
* revert claude local settings
* lint fixes
* fix test models
* move new commands to v2 namespace.
* format
* fix swagger stuff
* update feature flag name
feat: add `MasterPasswordSalt` to unlock and authentication flow
- Add optional `MasterPasswordSalt`:
- `MasterPasswordUnlockAndAuthenticationData`
- `RegisterFinishRequestModel`
- `UserDecryptionOptionsBuilder`
- Add test coverage for explicit checks where appropriate in the above model updates
* Send better error message when token is expired
* Add comment indicating frontend usage
* Add testcase for Invalid Token scenario
* Update comment in test-case
* Fix merge issue
* Fix method name
* Consolidate token validation error calculation, apply to new area
* Move away from magic strings, fix tests
* Adjust class name
* Clean up old method name references
* Change errors to fields for singleton behavior
* Formatting
* feat(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Initial implementation
* fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Changes in a good place. Need to write tests.
* test(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Service tests have been added.
* fix(emergency-access): [PM-29585] Prevent New EA Invitations or Acceptance - Fixed comment.
* PM-32035 - EmergencyAccessService - fix interface docs, method docs, and tests to cover grantee / grantor deletion which is supported today.
* PM-32035 - EmergencyAccessService - mark existing delete as deprecated
* PM-32035 - EmergencyAccess readme docs - fix deletion docs
* PM-32035 - Add new EmergencyAccessDetails_ReadByUserIds stored proc
* PM-32035 - Add migration script for EmergencyAccessDetails_ReadByUserIds
* PM-32035 - Build out GetManyDetailsByUserIdsAsync in repository layer plus add tests
* PM-32035 - EmergencyAccessRepo - DeleteManyAsync - remove grantee revision bump as not necessary since no EA sync data exists + update tests
* PM-32035 - Fix incorrect nullability annotation on EmergencyAccessDetails.GrantorEmail. Both the SQL view and EF projection use a LEFT JOIN to the User table, meaning the value can be null if the grantor's account no longer exists. Changed to string? and removed the required modifier since the class is only ever materialized from database queries, never directly instantiated.
* PM-32035 - Refactor DeleteEmergencyAccess command to offer new DeleteAllByUserIdAsync and DeleteAllByUserIdsAsync methods. Need to build out DeleteByIdAndUserIdAsync with a new stored proc.
* PM-32035 - Build out IEmergencyAccessRepository.GetDetailsByIdAsync because we need such a method in order to meet the product requirements to send grantor email notifications for normal deletions in the future.
* PM-32035 - Wire up DeleteEmergencyAccessCommand.DeleteByIdAndUserIdAsync to use new repository method emergencyAccessRepository.GetDetailsByIdAsync so we can send notifications. Now, it is full replacement for the existing emergency access service deletion method + has the new notification functionaliy requested.
* PM-32035 - Add more test coverage for DeleteByIdAndUserIdAsync
* PM-32035 - Fix missing GranteeAvatarColor and GrantorAvatarColor projections in EmergencyAccessDetailsViewQuery. The EF view query omitted both avatar color fields from its Select projection, causing the integration tests to fail on all non-SqlServer databases (MySql, Postgres, Sqlite) where EF is used instead of Dapper.
* PM-32035 - Rename migration after main merge revealed collision
* PM-32035 - Rename migration script
* PM-32035 - PR feedback - add ticket + todos to deprecated delete async method.
* PM-32035 - DeleteEmergencyAccessCommand - add logs if we don't have user data required to send email notifications.
* PM-32035 - PR Feedback - rename EmergencyAccessDetails_ReadByUserIds to EmergencyAccessDetails_ReadManyByUserIds
* [PM-28300] Remove BlockClaimedDomainAccountCreation feature flag checks
* Fix user registration tests by adding proper email domains
* Remove redundant feature flag checks from user registration tests
* Remove BlockClaimedDomainAccountCreation constant from FeatureFlagKeys
* feat: Add initial DeleteEmergencyContactCommand
* chore: remove nullable enable and add comments
* test: add tests for new delete command
* test: update tests to test IMailer was called.
* feat: add delete by GranteeId and allow for multiple grantors to be contacted.
* feat: add DeleteMany stored procedure for EmergencyAccess
* test: add database tests for new SP
* feat: commands use DeleteManyById for emergencyAccessDeletes
* claude: send one email per grantor instead of a bulk email to all grantors. Modified tests to validate.
* feat: change revision dates for confirmed grantees;
* feat: add AccountRevisionDate bump for grantee users in the confirmed status
* test: update integration test to validate only confirmed users are updated as well as proper deletion of emergency access
* Initial implementation of new policy query
* Remove unused using
* Adjusts method name to better match repository method
* Correct namespace
* Initial refactor of policy loading
* Add xml doc, incorporate shim data model
* Updates usages to reflect new shim model
* Prune extranneous data from policy detail response model, format code
* Fix broken test, delete inapplicable test
* Adds test cases covering query
* Adjust codebase to use new PolicyQueryçˆ
* Format code
* Fix incorrect mock on test
* Fix formatting
* Adjust method name
* More naming adjustments
* Add PolicyData constructor, update test usages
* Rename PolicyData -> PolicyStatus
* Remove unused using
* feat(emergency-access) [PM-29584]: Add email template.
* refactor(emergency-access) [PM-29584]: Move Emergency Access to Auth/UserFeatures.
* refactor(emergency-access) [PM-29584]: Move EmergencyAccess tests to UserFeatures space.
* feat(emergency-access) [PM-29584]: Add compiled EmergencyAccess templates.
* test(emergency-access) [PM-29584]: Add mailer-specific tests.
* refactor(emergency-access) [PM-29584]: Move mail to UserFeatures area.
* feat(emergency-access) [PM-29584]: Update link for help pages, not web vault.
* test(emergency-access) [PM-29584]: Update mail tests for new URL and single responsibility.
* refactor(emergency-access) [PM-29584]: Add comments for added test.
* V2 prep, rename existing SSO JIT MP command to V1
* set initial master password for account registraton V2
* later removel docs
* TDE MP onboarding split
* revert separate TDE onboarding controller api
* Server side hash of the user master password hash
* use `ValidationResult` instead for validation errors
* unit test coverage
* integration test coverage
* update sql migration script date
* revert validate password change
* better requests validation
* explicit error message when org sso identifier invalid
* more unit test coverage
* renamed onboarding to set, hash naming clarifications
* update db sql script, formatting
* use raw json as request instead of request models for integration test
* v1 integration test coverage
* change of name
* Removed 2FA user interface from premium method signatures
* Added some more comments for clarity and small touchups.
* Add PremiumAccessCacheCheck feature flag to Constants.cs
* Add IPremiumAccessQuery interface and PremiumAccessQuery implementation for checking user premium access status
* Add unit tests for PremiumAccessQuery to validate user premium access logic
* Add XML documentation to Premium in OrganizationUserUserDetails and User classes
* Add PremiumAccessQueries to UserServiceCollectionExtensions
* Refactor TwoFactorIsEnabledQuery to incorporate PremiumAccessQuery and feature flag for premium access checks. Enhanced user premium status retrieval logic and improved handling of user details based on feature flag state.
* Mark methods in IUserRepository and IUserService as obsolete, directing users to new methods in IPremiumAccessQuery for premium access checks.
* Rename CanAccessPremiumBulkAsync to CanAccessPremiumAsync in IPremiumAccessQuery
* Update TwoFactorIsEnabledQuery to use CanAccessPremiumAsync for premium status checks
* Refactor TwoFactorIsEnabledQuery to introduce VNextAsync methods for improved premium access checks and user detail handling. Removed obsolete feature service dependency and enhanced test coverage for new functionality.
* Refactor IPremiumAccessQuery and PremiumAccessQuery to remove the overloaded CanAccessPremiumAsync method. Update related methods to streamline premium access checks using the User object directly. Enhance test coverage by removing obsolete tests and ensuring proper functionality with the new method signatures.
* Add new sync static method to determine if TwoFactor is enabled
* Enhance XML documentation for Premium property in OrganizationUserUserDetails and User classes to clarify its usage and limitations regarding personal and organizational premium access.
* Refactor IPremiumAccessQuery and PremiumAccessQuery to replace User parameter with Guid for user ID in CanAccessPremiumAsync methods. Update related methods and tests to streamline premium access checks and improve clarity in method signatures.
* Update feature flag references in IUserRepository and IUserService to use 'PremiumAccessQuery' instead of 'PremiumAccessCacheCheck'. Adjust related XML documentation for clarity on premium access methods.
* Rename IPremiumAccessQuery to IHasPremiumAccessQuery and move to Billing owned folder
* Remove unnecessary whitespace from IHasPremiumAccessQuery interface.
* Refactor HasPremiumAccessQuery to throw NotFoundException for null users
* Add NotFoundException handling in HasPremiumAccessQuery for mismatched user counts
* Refactor TwoFactorIsEnabledQuery to optimize premium access checks and improve two-factor provider handling. Introduced bulk fetching of premium status for users with only premium providers and streamlined the logic for determining if two-factor authentication is enabled.
* Refactor TwoFactorIsEnabledQueryTests to enhance clarity and optimize test scenarios. Consolidated test cases for two-factor authentication, improved naming conventions, and ensured premium access checks are only performed when necessary.
* Add UserPremiumAccess model to represent user premium access status from personal subscriptions and memberships
* Add User_ReadPremiumAccessByIds stored procedure and UserPremiumAccessView view to enhance premium access retrieval. Updated Organization table index to include UsersGetPremium for optimized queries.
* Add SQL migration script
* Add premium access retrieval methods to IUserRepository and implementations in UserRepository classes. Introduced GetPremiumAccessByIdsAsync and GetPremiumAccessAsync methods to fetch premium status for multiple users and a single user, respectively. Updated using directives to include necessary models.
* Refactor HasPremiumAccessQuery and IHasPremiumAccessQuery to streamline premium access checks. Updated method names for clarity and improved documentation. Adjusted test cases to reflect changes in user premium access retrieval logic.
* Update IUserRepository to reflect new method names for premium access retrieval. Changed obsolete method messages to point to GetPremiumAccessByIdsAsync and GetPremiumAccessAsync. Added internal use notes for IHasPremiumAccessQuery. Improved documentation for clarity.
* Refactor TwoFactorIsEnabledQuery to utilize IFeatureService for premium access checks.
* Enhance EF UserRepository to improve premium access retrieval by including related organization data.
* Add unit tests for premium access retrieval in UserRepositoryTests.
* Optimize HasPremiumAccessQuery to eliminate duplicate user IDs before checking premium access. Updated logic to ensure accurate comparison of premium users against distinct user IDs.
* Refactor TwoFactorIsEnabledQuery to improve handling of users without two-factor providers. Added early exit for users lacking providers and streamlined premium status checks for enabled two-factor authentication.
* Update HasPremiumAccessQueryTests to use simplified exception handling and improve test clarity
* Replaced fully qualified exception references with simplified ones.
* Refactored test setup to use individual user variables for better readability.
* Ensured assertions reflect the updated user variable structure.
* Enhance TwoFactorIsEnabledQuery to throw NotFoundException for non-existent users
* Updated TwoFactorIsEnabledQuery to throw NotFoundException when a user is not found instead of returning false.
* Added a new unit test to verify that the NotFoundException is thrown when a user is not found while premium access query is enabled.
* Move premium access query to Billing owned ServiceCollectionExtensions
* Refactor IUserService to enhance premium access checks
* Updated CanAccessPremium and HasPremiumFromOrganization methods to clarify usage with the new premium access query.
* Integrated IHasPremiumAccessQuery into UserService for improved premium access handling based on feature flag.
* Adjusted method documentation to reflect changes in premium access logic.
* Update IUserRepository to clarify usage of premium access methods
* Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync to indicate that callers should use the new methods when the 'PremiumAccessQuery' feature flag is enabled.
* Enhanced documentation to improve clarity regarding premium access handling.
* Update IUserRepository and IUserService to clarify deprecation of premium access methods
* Modified Obsolete attribute messages for GetManyWithCalculatedPremiumAsync and GetCalculatedPremiumAsync in IUserRepository to indicate these methods will be removed in a future version.
* Updated Obsolete attribute message for HasPremiumFromOrganization in IUserService to reflect the same deprecation notice.
* Refactor TwoFactorIsEnabledQuery to streamline user ID retrieval
* Consolidated user ID retrieval logic to avoid redundancy.
* Ensured consistent handling of user ID checks for premium access queries.
* Improved code readability by reducing duplicate code blocks.
* Rename migration script to fix the date
* Update migration script to create the index with DROP_EXISTING = ON
* Refactor UserPremiumAccessView to use LEFT JOINs and GROUP BY for improved performance and clarity
* Update HasPremiumAccessQueryTests to return null for GetPremiumAccessAsync instead of throwing NotFoundException
* Add unit tests for premium access scenarios in UserRepositoryTests
- Implement tests for GetPremiumAccessAsync to cover various user and organization premium access combinations.
- Validate behavior when users belong to multiple organizations, including cases with and without premium access.
- Update email generation for user creation to ensure uniqueness without specific prefixes.
- Enhance assertions to verify expected premium access results across different test cases.
* Bump date on migration script
* Update OrganizationEntityTypeConfiguration to include UsersGetPremium in index properties
* Add migration scripts for OrganizationUsersGetPremiumIndex across MySQL, PostgreSQL, and SQLite
- Introduced new migration files to create the OrganizationUsersGetPremiumIndex.
- Updated the DatabaseContextModelSnapshot to include UsersGetPremium in index properties for all database types.
- Ensured consistency in index creation across different database implementations.
---------
Co-authored-by: Todd Martin <tmartin@bitwarden.com>
Co-authored-by: Patrick Pimentel <ppimentel@bitwarden.com>
Fix: fix bugs reported by QA for Welcome emails
* test: add test for new plan type in welcome email
* fix: change to headStyle so styling is only included once
* fix: update MJML templates to have correct copy text
* chore: move build artifacts for updated email templates
* fix: add setting for SMTP to SSO project
* fix: update component css styling
* chore: rebuild hbs templates
* fix: using billing extension method to fetch Correct PlanType.
* Add policy for blocking account creation from claimed domains.
* dotnet format
* check as part of email verification
* add feature flag
* fix tests
* try to fix dates on database integration tests
* PR feedback from claude
* remove claude local settings
* pr feedback
* format
* fix test
* create or alter
* PR feedback
* PR feedback
* Update src/Core/Constants.cs
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
* fix merge issues
* fix tests
---------
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
feat(PM-21741): implement MJML welcome email templates with feature flag support
- Add MJML templates for individual, family, and organization welcome emails
- Track *.hbs artifacts from MJML build
- Implement feature flag for gradual rollout of new email templates
- Update RegisterUserCommand and HandlebarsMailService to support new templates
- Add text versions and sanitization for all welcome emails
- Fetch organization data from database for welcome emails
- Add comprehensive test coverage for registration flow
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* Remove gathering and reporting of ReferenceEvents
* Fix test that relied on reference events throwing
---------
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
* fix : split out the interface from the TwoFactorAuthenticationValidator into separate file.
* fix: replacing IUserService.TwoFactorEnabled with ITwoFactorEnabledQuery
* fix: combined logic for both bulk and single user look ups for TwoFactorIsEnabledQuery.
* fix: return two factor provider enabled on CanGenerate() method.
* tech debt: modfifying MFA providers to call the database less to validate if two factor is enabled.
* tech debt: removed unused service from AuthenticatorTokenProvider
* doc: added documentation to ITwoFactorProviderUsers
* doc: updated comments for TwoFactorIsEnabled impl
* test: fixing tests for ITwoFactorIsEnabledQuery
* test: updating tests to have correct DI and removing test for automatic email of TOTP.
* test: adding better test coverage
* PM-11969 - Add new logic for registering a user via an AcceptEmergencyAccessInviteToken
* PM-11969 - Unit test new RegisterUserViaAcceptEmergencyAccessInviteToken method.
* PM-11969 - Integration test new method
* PM-11945 - Rename RegisterUserWithOptionalOrgInvite to RegisterUserViaOrgInvite as the org invite isn't optional in the function - just the overall process of registration.
* PM-11945 - Yet another rename
* PM-11945 - Wire up call to RegisterUserViaOrgSponsoredFreeFamilyPlanInviteToken and test.
* PM-11945 - RegisterUserCommandTests - test new method
* PM-11949 - Rename tests
* PM-11945 - AccountsControllerTests.cs - add integration test for RegistrationWithEmailVerification_WithOrgSponsoredFreeFamilyPlanInviteToken_Succeeds
* PM-11945 - Adjust naming per PR feedback to match docs.
* PM-11945 - More renaming
* feat: Add stored procedure for reading organization user details with premium access by organization ID
The code changes include:
- Addition of a new stored procedure [dbo].[OrganizationUserUserDetailsWithPremiumAccess_ReadByOrganizationId] to read organization user details with premium access by organization ID
- Modification of the IUserService interface to include an optional parameter for checking two-factor authentication with premium access
- Modification of the UserService class to handle the new optional parameter in the TwoFactorIsEnabledAsync method
- Addition of a new method GetManyDetailsWithPremiumAccessByOrganizationAsync in the IOrganizationUserRepository interface to retrieve organization user details with premium access by organization ID
- Addition of a new view [dbo].[OrganizationUserUserDetailsWithPremiumAccessView] to retrieve organization user details with premium access
* Add IUserRepository.SearchDetailsAsync that includes the field HasPremiumAccess
* Check the feature flag on Admin.UsersController to see if the optimization runs
* Modify PolicyService to run query optimization if the feature flag is enabled
* Refactor the parameter check on UserService.TwoFactorIsEnabledAsync
* Run query optimization on public MembersController if feature flag is enabled
* Restore refactor
* Reverted change used for development
* Add unit tests for OrganizationService.RestoreUser
* Separate new CheckPoliciesBeforeRestoreAsync optimization into new method
* Add more unit tests
* Apply refactor to bulk restore
* Add GetManyDetailsAsync method to IUserRepository. Add ConfirmUsersAsync_vNext method to IOrganizationService
* Add unit tests for ConfirmUser_vNext
* Refactor the optimization to use the new TwoFactorIsEnabledAsync method instead of changing the existing one
* Removed unused sql scripts and added migration script
* Remove unnecessary view
* chore: Remove unused SearchDetailsAsync method from IUserRepository and UserRepository
* refactor: Use UserDetails constructor in UserRepository
* Add summary to IUserRepository.GetManyDetailsAsync
* Add summary descriptions to IUserService.TwoFactorIsEnabledAsync
* Remove obsolete annotation from IUserRepository.UpdateUserKeyAndEncryptedDataAsync
* refactor: Rename UserDetails to UserWithCalculatedPremium across the codebase
* Extract IUserService.TwoFactorIsEnabledAsync into a new TwoFactorIsEnabledQuery class
* Add unit tests for TwoFactorIsEnabledQuery
* Update TwoFactorIsEnabledQueryTests to include additional provider types
* Refactor TwoFactorIsEnabledQuery
* Refactor TwoFactorIsEnabledQuery and update tests
* refactor: Update TwoFactorIsEnabledQueryTests to include test for null TwoFactorProviders
* refactor: Improve TwoFactorIsEnabledQuery and update tests
* refactor: Improve TwoFactorIsEnabledQuery and update tests
* Remove empty <returns> from summary
* Update User_ReadByIdsWithCalculatedPremium stored procedure to accept JSON array of IDs
* Attempt to fix tde to mp flow
* Move tde offboarding to dedicated flag
* Add tde offboarding password request
* Validate tde offboarding input
* Correctly check whether tde is active when building trusted device options
* Refactor Tde offboarding into a separate command
* Add unit tests for tde offboarding
* Update tde offboarding request model
* Fix tests
* Fix further tests
* Fix documentation
* Add validation for updatetdepasswordasync key/newmasterpassword
* Add comment explaining test
* Remove unrelated changes
* PM-7322 - AccountsController.cs - create empty method + empty req model to be able to create draft PR.
* PM-7322 - Start on RegisterFinishRequestModel.cs
* PM-7322 - WIP on Complete Registration endpoint
* PM-7322 - UserService.cs - RegisterUserAsync - Tweak of token to be orgInviteToken as we are adding a new email verification token to the mix.
* PM-7322 - UserService - Rename MP to MPHash
* PM-7322 - More WIP progress on getting new finish registration process in place.
* PM-7322 Create IRegisterUserCommand
* PM-7322 - RegisterUserCommand.cs - first WIP draft
* PM-7322 - Implement use of new command in Identity.
* PM-7322 - Rename RegisterUserViaOrgInvite to just be RegisterUser as orgInvite is optional.
* PM07322 - Test RegisterUserCommand.RegisterUser(...) happy paths and one bad request path.
* PM-7322 - More WIP on RegisterUserCommand.cs and tests
* PM-7322 - RegisterUserCommand.cs - refactor ValidateOrgInviteToken logic to always validate the token if we have one.
* PM-7322 - RegisterUserCommand.cs - Refactor OrgInviteToken validation to be more clear + validate org invite token even in open registration scenarios + added tests.
* PM-7322 - Add more test coverage to RegisterUserWithOptionalOrgInvite
* PM-7322 - IRegisterUserCommand - DOCS
* PM-7322 - Test RegisterUser
* PM-7322 - IRegisterUserCommand - Add more docs.
* PM-7322 - Finish updating all existing user service register calls to use the new command.
* PM-7322 - RegistrationEmailVerificationTokenable.cs changes + tests
* PM-7322 - RegistrationEmailVerificationTokenable.cs changed to only verify email as it's the only thing we need to verify + updated tests.
* PM-7322 - Get RegisterUserViaEmailVerificationToken built and tested
* PM-7322 - AccountsController.cs - get bones of PostRegisterFinish in place
* PM-7322 - SendVerificationEmailForRegistrationCommand - Feature flag timing attack delays per architecture discussion with a default of keeping them around.
* PM-7322 - RegisterFinishRequestModel.cs - EmailVerificationToken must be optional for org invite scenarios.
* PM-7322 - HandlebarsMailService.cs - SendRegistrationVerificationEmailAsync - must URL encode email to avoid invalid email upon submission to server on complete registration step
* PM-7322 - RegisterUserCommandTests.cs - add API key assertions
* PM-7322 - Clean up RegisterUserCommand.cs
* PM-7322 - Refactor AccountsController.cs existing org invite method and new process to consider new feature flag for delays.
* PM-7322 - Add feature flag svc to AccountsControllerTests.cs + add TODO
* PM-7322 - AccountsController.cs - Refactor shared IdentityResult logic into private helper.
* PM-7322 - Work on getting PostRegisterFinish tests in place.
* PM-7322 - AccountsControllerTests.cs - test new method.
* PM-7322 - RegisterFinishRequestModel.cs - Update to use required keyword instead of required annotations as it is easier to catch mistakes.
* PM-7322 - Fix misspelling
* PM-7322 - Integration tests for RegistrationWithEmailVerification
* PM-7322 - Fix leaky integration tests.
* PM-7322 - Another leaky test fix.
* PM-7322 - AccountsControllerTests.cs - fix RegistrationWithEmailVerification_WithOrgInviteToken_Succeeds
* PM-7322 - AccountsControllerTests.cs - Finish out integration test suite!
* PM-5092 - Add new EnableEmailVerification global setting.
* PM-5092 - WIP - AccountsController.cs - create stub for new PostRegisterSendEmailVerification
* PM-5092 - RegisterSendEmailVerificationRequestModel
* PM-5092 - Create EmailVerificationTokenable.cs and get started on tests (still WIP).
* PM-5092 - EmailVerificationTokenable.cs finished + tests working.
* PM-5092 - Add token data factory for new EmailVerificationTokenable factory.
* PM-5092 - EmailVerificationTokenable.cs - set expiration to match existing verify email.
* PM-5092 - Get SendVerificationEmailForRegistrationCommand command mostly written + register as scoped.
* PM-5092 - Rename tokenable to be more clear and differentiate it from the existing email verification token.
* PM-5092 - Add new registration verify email method on mail service.
* PM-5092 - Refactor SendVerificationEmailForRegistrationCommand and add call to mail service to send email.
* PM-5092 - NoopMailService.cs needs to implement all interface methods.
* PM-5092 - AccountsController.cs - get PostRegisterSendEmailVerification logic in place.
* PM-5092 - AccountsControllerTests.cs - Add some unit tests - WIP
* PM-5092 - SendVerificationEmailForRegistrationCommandTests
* PM-5092 - Add integration tests for new acct controller method
* PM-5092 - Cleanup unit tests
* PM-5092 - AccountsController.cs - PostRegisterSendEmailVerification - remove modelState invalid check as .NET literally executes this validation pre-method execution.
* PM-5092 - Rename to read better - send verification email > send email verification
* PM-5092 - Revert primary constructor approach so DI works.
* PM-5092 - (1) Cleanup new but now not needed global setting (2) Add custom email for registration verify email.
* PM-5092 - Fix email text
* PM-5092 - (1) Modify ReferenceEvent.cs to allow nullable values for the 2 params which should have been nullable based on the constructor logic (2) Add new ReferenceEventType.cs for email verification register submit (3) Update AccountsController.cs to log new reference event (4) Update tests
* PM-5092 - RegistrationEmailVerificationTokenable - update prefix, purpose, and token id to include registration to differentiate it from the existing email verification token.
* PM-5092 - Per PR feedback, cleanup used dict.
* PM-5092 - formatting pass (manual + dotnet format)
* PM-5092 - Per PR feedback, log reference event after core business logic executes
* PM-5092 - Per PR feedback, add validation + added nullable flag to name as it is optional.
* PM-5092 - Per PR feedback, add constructor validation for required tokenable data
* PM-5092 - RegisterVerifyEmail url now contains email as that is required in client side registration step to create a master key.
* PM-5092 - Add fromEmail flag + some docs
* PM-5092 - ReferenceEvent.cs - Per PR feedback, make SignupInitiationPath and PlanUpgradePath nullable
* PM-5092 - ReferenceEvent.cs - remove nullability per PR feedback
* PM-5092 - Per PR feedback, use default constructor and manually create reference event.
* PM-5092 - Per PR feedback, add more docs!
