mirror of
https://github.com/bitwarden/server.git
synced 2026-06-01 12:26:46 -05:00
25e78ceba3
* feat(mp-service) Wire commands to MasterPasswordService.
* feat(self-service) Add logout-and-log to self-service command.
* feat(mp-service) Add dual-path request models and wire controller
routing.
Add structured cryptographic data support to all Auth password endpoints,
routing new payloads to MasterPasswordService-backed commands while
preserving legacy paths for backward compatibility (PM-33141 removal).
* refactor(mp-service) Mark legacy password entry points [Obsolete].
* test(mp-service) Add testing.
* refactor(mp-service) Rename ReplaceTemporaryPasswordAsync to be more descriptive.
* refactor(mp-service) Add variant validator and tests.
* fix(mp-service) Adjust payload variance validation.
* test(mp-service) Update integration tests to support payload variants and model validation returns.
* fix(password-request): Restore KDF regression guard.
* refactor(data-models): Collapse RequestHasNewDataTypes into local check.
* test(emergency-access): Update Emergency Access tests.
* refactor(mp-payload-variant-validator): Move to Auth utilities.
* test(self-service): Combine side-effects and password change into single test.
* feat(validation): Add kdf-salt agreement-only validation.
* refactor(password-request-model): consolidate onto ValidateKdfAndSaltAgreement.
* test(auth): Cover ValidateKdfAndSaltAgreement and enshrine legacy KDF acceptance.
* feat(validate-exclusivity): Throw on both payload variants present.
* test(accounts-controller): Update tests for exclusivity validation at the boundary.
* fix(request-models): Request models must accept both payload variants.
* PM-35393 - Add V2 dual-payload integration tests for password-modification flows
End-to-end coverage for the new AuthenticationData / UnlockData payload
across every endpoint that mutates a master password:
- POST /accounts/password — legacy-KDF acceptance, mismatch rejection,
auth, current-password check.
- PUT /accounts/update-temp-password — legacy-KDF acceptance, mismatch
rejection, auth, ForcePasswordReset precondition.
- PUT /accounts/update-tde-offboarding-password — sub-minimum KDF
rejection (this flow intentionally enforces range), mismatch rejection,
auth.
- POST /emergency-access/{id}/password — legacy-KDF acceptance, mismatch
rejection, no-payload rejection, non-RecoveryApproved precondition.
Also extracts BuildAuthData / BuildUnlockData / BuildMismatchedAuthAndUnlock
helpers in AccountsControllerTest and rewrites the existing PostKdf_* tests
to use them (no behavior change).
15 new test methods, 41 cases. 155/155 controller-suite tests pass.
---------
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>