* [deps] Tools: Pin dependencies
* [PM-24840] updated dependencies that are required with Net 10 switch
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Dragovich <adragovich@bitwarden.com>
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
feat: add salt to password pre-login response
- Include salt in GetDefaultKdf so clients receive the correct algorithm and salt for password authentication
- Normalize email when looking up the salt to ensure consistent matching
- Add startup warning for self-hosted users about the new salt requirement
- Use CoreHelpers to check for the salt value in the accounts controller
- Enforce nullable reference types and add explanatory comments in the accounts controller
- Add unit and integration test coverage for the new salt property
feat: Add WebAuthn Cache
- Add IWebAuthnChallengeCacheProvider with distributed cache implementation for storing WebAuthn Challenges
- Inject the cache provider into AssertWebAuthnLoginCredentialCommand and WebAuthnGrantValidator so challenges can be stored
- Use a static token lifetime for WebAuthnLoginAssertionOptionsTokenable and enable nullable reference types on the tokenable
- Add unit tests for the cache provider, the assertion command, and the WebAuthn controller; add Identity integration and unit tests for WebAuthnGrantValidator with a FakeWebAuthnAuthenticator helper
Deprecating V1 User Asymmetric Key information in favor of new V2 User Asymmetric Account Keys structure.
This PR adds support for the new AccountKeys structure while maintaining support for the legacy UserAsymmetricKey-based flow. Validation is updated to check either AccountKeys or UserAsymmetricKeys are updated. Tests include modeling for both scenarios.
* [PM-31684] Remove email hashing for send access
* [PM-31684] switching the order of migration files
* [PM-31684] adding more migrations
* [PM-31684] Removing anon access emails field and reusing emails field
* [PM-31684] cleanup before adding migrations back
* [PM-31684] restore original snapshots
* [PM-31684] restore original postgres snapshots
* [PM-31684] adding migrations
* [PM-31684] removing encryption attributes from emails request model
* [PM-31684] adding missing stored proc alters
* [PM-31684] Improved formatting for stored proc defs
* [PM-31684] adding necessary comment back
* [PM-31684] adding case-insensitive check on the server for send auth
* feat: remove invalid email response and instead return email and OTP required to protect against enumeration attacks.
* fix: fixing tests and dotnet format
* [PM-31394] use email address hash for send access email verification
* [PM-31394] fixing identity server tests for send access
* [PM-31394] fixing more identity server tests for send access
* Add policy for blocking account creation from claimed domains.
* dotnet format
* check as part of email verification
* add feature flag
* fix tests
* try to fix dates on database integration tests
* PR feedback from claude
* remove claude local settings
* pr feedback
* format
* fix test
* create or alter
* PR feedback
* PR feedback
* Update src/Core/Constants.cs
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
* fix merge issues
* fix tests
---------
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
* feat: add static enumeration helper class
* test: add enumeration helper class unit tests
* feat: implement NeverAuthenticateValidator
* test: unit and integration tests SendNeverAuthenticateValidator
* test: use static class for common integration test setup for Send Access unit and integration tests
* test: update tests to use static helper
**feat**: create `SendGrantValidator` and initial `SendPasswordValidator` for Send access grants
**feat**: add feature flag to toggle Send grant validation logic
**feat**: add Send client to Identity and update `ApiClient` to generic `Client`
**feat**: register Send services in DI pipeline
**feat**: add claims management support to `ProfileService`
**feat**: distinguish between invalid grant and invalid request in `SendAccessGrantValidator`
**fix**: update parsing of `send_id` from request
**fix**: add early return when feature flag is disabled
**fix**: rename and organize Send access scope and grant type
**fix**: dotnet format
**test**: add unit and integration tests for `SendGrantValidator`
**test**: update OpenID configuration and API resource claims
**doc**: move documentation to interfaces and update inline comments
**chore**: add TODO for future support of `CustomGrantTypes`
* Add DynamicClientStore
* Formatting
* Fix Debug assertion
* Make Identity internals visible to its unit tests
* Add installation client provider tests
* Add internal client provider tests
* Add DynamicClientStore tests
* Fix namespaces after merge
* Format
* Add docs and remove TODO comments
* Use preferred prefix for API keys
---------
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
* feat : remove old registration endpoint
* fix: update integration test user registration to match current registration; We need to keep the IRegistrationCommand.RegisterUser method to JIT user.
* fix: updating accounts/profile tests to match current implementations
* feat(newDeviceVerification) : Initial update to email
* fix : email copying over extra whitespace when using keyboard short cuts
* test : Fixing tests for new device verificaiton email format
* PM-10600: Notification push notification
* PM-10600: Sending to specific client types for relay push notifications
* PM-10600: Sending to specific client types for other clients
* PM-10600: Send push notification on notification creation
* PM-10600: Explicit group names
* PM-10600: Id typos
* PM-10600: Revert global push notifications
* PM-10600: Added DeviceType claim
* PM-10600: Sent to organization typo
* PM-10600: UT coverage
* PM-10600: Small refactor, UTs coverage
* PM-10600: UTs coverage
* PM-10600: Startup fix
* PM-10600: Test fix
* PM-10600: Required attribute, organization group for push notification fix
* PM-10600: UT coverage
* PM-10600: Fix Mobile devices not registering to organization push notifications
We only register devices for organization push notifications when the organization is being created. This does not work, since we have a use case (Notification Center) of delivering notifications to all users of organization. This fixes it, by adding the organization id tag when device registers for push notifications.
* PM-10600: Unit Test coverage for NotificationHubPushRegistrationService
Fixed IFeatureService substitute mocking for Android tests.
Added user part of organization test with organizationId tags expectation.
* PM-10600: Unit Tests fix to NotificationHubPushRegistrationService after merge conflict
* PM-10600: Organization push notifications not sending to mobile device from self-hosted.
Self-hosted instance uses relay to register the mobile device against Bitwarden Cloud Api. Only the self-hosted server knows client's organization membership, which means it needs to pass in the organization id's information to the relay. Similarly, for Bitwarden Cloud, the organizaton id will come directly from the server.
* PM-10600: Fix self-hosted organization notification not being received by mobile device.
When mobile device registers on self-hosted through the relay, every single id, like user id, device id and now organization id needs to be prefixed with the installation id. This have been missing in the PushController that handles this for organization id.
* PM-10600: Broken NotificationsController integration test
Device type is now part of JWT access token, so the notification center results in the integration test are now scoped to client type web and all.
* PM-10600: Merge conflicts fix
* merge conflict fix
* chore: set up a `CODEOWNERS` space for platform
* chore: move sql objects for `Installation` to platform's domain
* chore: move `Installation` and `PushRelay` code to platform's domain
* feat(BaseRequestValidator):
Add global setting for new device verification.
Refactor BaseRequestValidator enabling better self-documenting code and better single responsibility principle for validators.
Updated DeviceValidator to handle new device verification, behind a feature flag.
Moved IDeviceValidator interface to separate file.
Updated CustomRequestValidator to act as the conduit by which *Validators communicate authentication context between themselves and the RequestValidators.
Adding new test for DeviceValidator class.
Updated tests for BaseRequestValidator as some functionality was moved to the DeviceValidator class.
refactor(TwoFactorAuthentication): Remove references to old Duo SDK version 2 code and replace them with the Duo SDK version 4 supported library DuoUniversal code.
Increased unit test coverage in the Two Factor Authentication code space. We opted to use DI instead of Inheritance for the Duo and OrganizaitonDuo two factor tokens to increase testability, since creating a testing mock of the Duo.Client was non-trivial.
Reviewed-by: @JaredSnider-Bitwarden
* PM-11969 - Add new logic for registering a user via an AcceptEmergencyAccessInviteToken
* PM-11969 - Unit test new RegisterUserViaAcceptEmergencyAccessInviteToken method.
* PM-11969 - Integration test new method
* PM-11945 - Rename RegisterUserWithOptionalOrgInvite to RegisterUserViaOrgInvite as the org invite isn't optional in the function - just the overall process of registration.
* PM-11945 - Yet another rename
* PM-11945 - Wire up call to RegisterUserViaOrgSponsoredFreeFamilyPlanInviteToken and test.
* PM-11945 - RegisterUserCommandTests - test new method
* PM-11949 - Rename tests
* PM-11945 - AccountsControllerTests.cs - add integration test for RegistrationWithEmailVerification_WithOrgSponsoredFreeFamilyPlanInviteToken_Succeeds
* PM-11945 - Adjust naming per PR feedback to match docs.
* PM-11945 - More renaming
