Merge branch 'main' into billing/PM-36951/cohorts-crud-ui

# Conflicts:
#	src/Core/Billing/Extensions/ServiceCollectionExtensions.cs

Author: kdenney

.github/workflows/review-code.yml

@@ -2,7 +2,7 @@ name: Code Review
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [labeled, opened, ready_for_review, reopened, synchronize]
 
 permissions: {}
 

AppHost/AppHost.cs

@@ -13,9 +13,7 @@
 builder.ConfigureIdp();
 var services = builder.ConfigureServices(db, secretsSetup, mail, azurite);
 
-#if ENABLE_NODEJS_COMMUNITY_PLUGIN
 builder.ConfigureWebFrontend(services["api"]);
-#endif
 
 #if ENABLE_NGROK_COMMUNITY_PLUGIN
 builder.ConfigureNgrok((services["billing"], "http"));

AppHost/AppHost.csproj

@@ -11,8 +11,6 @@
     <!-- Disable community plugins by default -->
     <EnableNgrokCommunityPlugin>false</EnableNgrokCommunityPlugin>
     <DefineConstants Condition="'$(EnableNgrokCommunityPlugin)' == 'true'">$(DefineConstants);ENABLE_NGROK_COMMUNITY_PLUGIN</DefineConstants>
-    <EnableNodeJsCommunityPlugin>false</EnableNodeJsCommunityPlugin>
-    <DefineConstants Condition="'$(EnableNodeJsCommunityPlugin)' == 'true'">$(DefineConstants);ENABLE_NODEJS_COMMUNITY_PLUGIN</DefineConstants>
   </PropertyGroup>
 
   <ItemGroup>
@@ -26,10 +24,6 @@
     <PackageReference Include="CommunityToolkit.Aspire.Hosting.Ngrok" Version="[13.3.0]" />
   </ItemGroup>
 
-  <ItemGroup Condition="'$(EnableNodeJsCommunityPlugin)' == 'true'">
-    <PackageReference Include="CommunityToolkit.Aspire.Hosting.NodeJS.Extensions" Version="[9.9.0]"/>
-  </ItemGroup>
-
   <ItemGroup>
     <ProjectReference Include="..\src\Admin\Admin.csproj"/>
     <ProjectReference Include="..\src\Api\Api.csproj"/>

AppHost/BuilderExtensions.cs

@@ -1,4 +1,5 @@
 using Aspire.Hosting.Azure;
+using Aspire.Hosting.JavaScript;
 using Azure.Provisioning;
 using Azure.Provisioning.Storage;
 
@@ -66,11 +67,14 @@ public static IResourceBuilder<AzureStorageResource> ConfigureAzurite(this IDist
                     MaxAgeInSeconds = new BicepValue<int>("30")
                 }));
             })
-            .RunAsEmulator(c =>
+            .RunAsEmulator(emulator =>
             {
-                c.WithBlobPort(10000)
+                emulator
+                    .WithBlobPort(10000)
                     .WithQueuePort(10001)
-                    .WithTablePort(10002);
+                    .WithTablePort(10002)
+                    .WithDataVolume()
+                    .WithLifetime(ContainerLifetime.Persistent);
             });
 
         builder
@@ -256,30 +260,29 @@ private static (string Name, string Tag) GetImageParts(this IDistributedApplicat
     private static bool IsSelfHosted(this IDistributedApplicationBuilder builder) =>
         builder.Configuration["SelfHost"]?.Equals("true", StringComparison.OrdinalIgnoreCase) == true;
 
-#if ENABLE_NODEJS_COMMUNITY_PLUGIN
     public static void ConfigureWebFrontend(this IDistributedApplicationBuilder builder,
         IResourceBuilder<ProjectResource> api)
     {
         if (!int.TryParse(builder.Required("WebFrontend:Port"), out var port))
             throw new InvalidOperationException("Invalid value for WebFrontend:Port.");
 
         builder
-            .AddBitwardenNpmApp("web-frontend", "web", api)
-            .WithHttpsEndpoint(port, port, "angular-http", isProxied: false)
+            .AddBitwardenNpmApp("web-frontend", "web", api, port: port)
             .WithUrl(builder.Required("WebFrontend:Url"))
             .WithExternalHttpEndpoints();
     }
 
-    private static IResourceBuilder<NodeAppResource> AddBitwardenNpmApp(this IDistributedApplicationBuilder builder,
-        string name, string path, IResourceBuilder<ProjectResource> api, string scriptName = "build:bit:watch")
+    private static IResourceBuilder<JavaScriptAppResource> AddBitwardenNpmApp(this IDistributedApplicationBuilder builder,
+        string name, string path, IResourceBuilder<ProjectResource> api, int port, string scriptName = "build:bit:watch")
     {
         return builder
-            .AddNpmApp(name, $"{builder.Required("ClientsPath")}/{path}", scriptName)
+            .AddJavaScriptApp(name, $"{builder.Required("ClientsPath")}/{path}", scriptName)
+            .WithHttpsEndpoint(port, port, "angular-http", isProxied: false)
+            .WithNpm(install: false)
             .WithReference(api)
             .WaitFor(api)
             .WithExplicitStart();
     }
-#endif
 
 #if ENABLE_NGROK_COMMUNITY_PLUGIN
     public static void ConfigureNgrok(this IDistributedApplicationBuilder builder,

AppHost/README.md

@@ -30,7 +30,7 @@ the services wait for the database and secrets setup to finish before launching.
 | `setup-secrets`     | Executable                | Runs `dev/setup_secrets.ps1` — applies `dev/secrets.json` to all projects |
 | `mssql`             | SQL Server 2022 container | Persistent data volume, port 1433                                         |
 | `run-db-migrations` | Executable                | Runs `dev/migrate.ps1` against `vault_dev` (or `self_host_dev`)           |
-| `azurite`           | Azure Storage emulator    | Blob :10000 · Queue :10001 · Table :10002                                 |
+| `azurite`           | Azure Storage emulator    | Blob :10000 · Queue :10001 · Table :10002 · persistent data volume        |
 | `azurite-setup`     | Executable                | Runs `dev/setup_azurite.ps1` after Azurite is ready                       |
 | `mailcatcher`       | Container                 | SMTP :10250 · Web UI :1080                                                |
 | `redis`             | Container                 | Redis with AOF persistence, port 6379                                     |
@@ -71,7 +71,7 @@ dotnet user-secrets set "Database:Password" "<your-sa-password>"
 | Key                         | Default                            | Description                                                                          |
 |-----------------------------|------------------------------------|--------------------------------------------------------------------------------------|
 | `SelfHost`                  | `false`                            | Switch to self-hosted mode (see [Self-Hosted Mode](#self-hosted-mode))               |
-| `ClientsPath`               | `../../clients/apps`               | Path to the `clients` repo's `apps/` directory (used by the Node.js plugin)          |
+| `ClientsPath`               | `../../clients/apps`               | Path to the `clients` repo's `apps/` directory (see [Git Worktrees](#git-worktrees)) |
 | `WorkingDirectory`          | `../dev`                           | Directory where dev scripts are resolved                                             |
 | `Services:<name>:BasePort`  | see `appsettings.Development.json` | HTTP port for each service; pre-filled to match each service's `launchSettings.json` |
 | `Database:Image`            | `mssql/server:2022-latest`         | Docker image for SQL Server                                                          |
@@ -85,33 +85,23 @@ dotnet user-secrets set "Database:Password" "<your-sa-password>"
 | `MailCatcher:SmtpPort`      | `10250`                            | Host SMTP port                                                                       |
 | `MailCatcher:WebPort`       | `1080`                             | MailCatcher web UI port                                                              |
 | `NgrokAuthToken`            | _(empty)_                          | ngrok auth token (used only when ngrok plugin is enabled)                            |
-| `WebFrontend:Port`          | `8080`                             | Web frontend port (used only when Node.js plugin is enabled)                         |
+| `WebFrontend:Port`          | `8080`                             | Web frontend port                                                                    |
 | `WebFrontend:Url`           | `https://bitwarden.test:8080`      | Web frontend URL shown in the dashboard                                              |
 
 ## Optional Features
 
-### Web Frontend (Node.js community plugin)
+### Web Frontend
 
 Runs the web client alongside the server services. Requires the Bitwarden
 [clients](https://github.com/bitwarden/clients) repo cloned as a sibling to `server`.
 
-1. Create an `AppHost.csproj.user` file next to `AppHost.csproj` (it is covered by `.gitignore`):
-
-   ```xml
-   <Project>
-     <PropertyGroup>
-       <EnableNodeJsCommunityPlugin>true</EnableNodeJsCommunityPlugin>
-     </PropertyGroup>
-   </Project>
-   ```
-
-2. If the clients repo is not at `../../clients/apps`, override the path:
+1. If the clients repo is not at `../../clients/apps`, override the path:
 
    ```bash
    dotnet user-secrets set "ClientsPath" "<path/to/clients/apps>"
    ```
 
-3. Run `dotnet run` as normal. The `web-frontend` resource starts with **explicit start** — open
+2. Run `dotnet run` as normal. The `web-frontend` resource starts with **explicit start** — open
    the Aspire dashboard and start it manually when you're ready.
 
 ### Ngrok (Billing Webhook Tunneling)
@@ -194,6 +184,26 @@ variables for every resource.
 - If you create an `appsettings.local.json`, add it to `.gitignore` before writing any values
   to it.
 
+## Git Worktrees
+
+Path-based settings resolve relative to where you run `dotnet run`. If your worktree lives in
+a different location than the main checkout, those paths won't resolve correctly. Use absolute
+paths for any such setting:
+
+- **`ClientsPath`** defaults to `../../clients/apps` — override if your worktree is not
+  alongside the `clients` repo:
+
+  ```bash
+  dotnet user-secrets set "ClientsPath" "<absolute/path/to/clients/apps>"
+  ```
+
+- **`AdditionalProjects:<name>:Path`** — use an absolute path when adding projects via user
+  secrets in a worktree:
+
+  ```bash
+  dotnet user-secrets set "AdditionalProjects:<name>:Path" "<absolute/path/to/Project.csproj>"
+  ```
+
 ## Troubleshooting
 
 | Symptom                          | Fix                                                                                   |

src/Api/AdminConsole/Attributes/BindOrganizationAttribute.cs

@@ -0,0 +1,60 @@
+using Bit.Api.AdminConsole.Authorization;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
+
+namespace Bit.Api.AdminConsole.Attributes;
+
+/// <summary>
+/// Binds an <see cref="Organization"/> parameter by loading it from the database
+/// using the <c>orgId</c> or <c>organizationId</c> route parameter.
+/// </summary>
+/// <remarks>
+/// If the organization is not found, a <see cref="NotFoundException"/> is thrown.
+/// </remarks>
+/// <example>
+/// <code><![CDATA[
+/// [HttpPost("bulk-auto-confirm")]
+/// public async Task<IResult> BulkAutomaticallyConfirmOrganizationUsersAsync(
+///     [BindOrganization] Organization organization,
+///     [FromBody] OrganizationUserBulkConfirmRequestModel model)
+/// ]]></code>
+/// </example>
+[AttributeUsage(AttributeTargets.Parameter)]
+public sealed class BindOrganizationAttribute() : ModelBinderAttribute(typeof(OrganizationModelBinder));
+
+/// <summary>
+/// Custom model binder that loads an <see cref="Organization"/> from the database
+/// using the <c>orgId</c> or <c>organizationId</c> route parameter and binds it to the parameter.
+/// </summary>
+/// <remarks>
+/// This binder is used via the <see cref="BindOrganizationAttribute"/>.
+/// </remarks>
+public class OrganizationModelBinder : IModelBinder
+{
+    public async Task BindModelAsync(ModelBindingContext bindingContext)
+    {
+        Guid orgId;
+        try
+        {
+            orgId = bindingContext.HttpContext.GetOrganizationId();
+        }
+        catch (InvalidOperationException)
+        {
+            throw new BadRequestException("Route parameter 'orgId' or 'organizationId' is missing or invalid.");
+        }
+
+        var repo = bindingContext.HttpContext.RequestServices
+            .GetRequiredService<IOrganizationRepository>();
+
+        var organization = await repo.GetByIdAsync(orgId);
+        if (organization is null)
+        {
+            throw new NotFoundException();
+        }
+
+        bindingContext.Result = ModelBindingResult.Success(organization);
+    }
+}

src/Api/AdminConsole/Controllers/OrganizationInviteLinksController.cs

@@ -19,7 +19,8 @@ public class OrganizationInviteLinksController(
     IGetOrganizationInviteLinkStatusQuery getOrganizationInviteLinkStatusQuery,
     IUpdateOrganizationInviteLinkCommand updateOrganizationInviteLinkCommand,
     IDeleteOrganizationInviteLinkCommand deleteOrganizationInviteLinkCommand,
-    IRefreshOrganizationInviteLinkCommand refreshOrganizationInviteLinkCommand)
+    IRefreshOrganizationInviteLinkCommand refreshOrganizationInviteLinkCommand,
+    IValidateOrganizationInviteLinkEmailDomainQuery validateOrganizationInviteLinkEmailDomainQuery)
     : BaseAdminConsoleController
 {
     [AllowAnonymous]
@@ -37,6 +38,17 @@ status.Sso is null
                     : new OrganizationInviteLinkSsoResponseModel(status.Sso.OrgSsoId, status.Sso.Required))));
     }
 
+    [AllowAnonymous]
+    [HttpPost("/organizations/invite-link/validate-email-domain")]
+    public async Task<IResult> ValidateEmailDomain(
+        [FromBody] OrganizationInviteLinkValidateEmailDomainRequestModel model)
+    {
+        var result = await validateOrganizationInviteLinkEmailDomainQuery.ValidateAsync(model.Code, model.Email);
+
+        return Handle(result, isAllowed =>
+            TypedResults.Ok(new OrganizationInviteLinkValidateEmailDomainResponseModel(isAllowed)));
+    }
+
     [HttpGet("")]
     [Authorize<ManageUsersRequirement>]
     public async Task<IResult> Get(Guid orgId)

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -10,6 +10,7 @@
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
@@ -42,6 +43,7 @@
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using AccountRecoveryV2 = Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery.v2;
 using V1_RevokeOrganizationUserCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1.IRevokeOrganizationUserCommand;
@@ -229,10 +231,11 @@ private ListResponseModel<OrganizationUserUserDetailsResponseModel> GetResultLis
 
     [HttpGet("{id}/reset-password-details")]
     [Authorize<ManageAccountRecoveryRequirement>]
-    public async Task<OrganizationUserResetPasswordDetailsResponseModel> GetResetPasswordDetails(Guid orgId, Guid id)
+    public async Task<OrganizationUserResetPasswordDetailsResponseModel> GetResetPasswordDetails(Guid id,
+        [BindOrganization] Organization organization)
     {
         var organizationUser = await _organizationUserRepository.GetByIdAsync(id);
-        if (organizationUser is null || organizationUser.OrganizationId != orgId || organizationUser.UserId is null)
+        if (organizationUser is null || organizationUser.OrganizationId != organization.Id || organizationUser.UserId is null)
         {
             throw new NotFoundException();
         }
@@ -245,14 +248,7 @@ public async Task<OrganizationUserResetPasswordDetailsResponseModel> GetResetPas
             throw new NotFoundException();
         }
 
-        // Retrieve Encrypted Private Key from organization
-        var org = await _organizationRepository.GetByIdAsync(orgId);
-        if (org == null)
-        {
-            throw new NotFoundException();
-        }
-
-        return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user, org));
+        return new OrganizationUserResetPasswordDetailsResponseModel(new OrganizationUserResetPasswordDetails(organizationUser, user, organization));
     }
 
     [HttpPost("account-recovery-details")]
@@ -534,8 +530,17 @@ public async Task<IResult> PutRecoverAccount(Guid orgId, Guid id, [FromBody] Org
             return Handle(await _adminRecoverAccountCommandV2.RecoverAccountAsync(commandRequest));
         }
 
-        var result = await _adminRecoverAccountCommand.RecoverAccountAsync(
-            orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.UnlockData!.ToData(), model.AuthenticationData!.ToData());
+        }
+        else
+        {
+            result = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
+        }
         if (result.Succeeded)
         {
             return TypedResults.Ok();

src/Api/AdminConsole/Models/Request/Organizations/OrganizationInviteLinkValidateEmailDomainRequestModel.cs

@@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.AdminConsole.Models.Request.Organizations;
+
+public class OrganizationInviteLinkValidateEmailDomainRequestModel
+{
+    [Required]
+    public required Guid Code { get; set; }
+
+    [Required]
+    [EmailAddress]
+    public required string Email { get; set; }
+}