Auth/poc/master password service example

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -41,6 +41,7 @@
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using AccountRecoveryV2 = Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery.v2;
 using V1_RevokeOrganizationUserCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1.IRevokeOrganizationUserCommand;
@@ -533,14 +534,25 @@ public async Task<IResult> PutRecoverAccount(Guid orgId, Guid id, [FromBody] Org
             return Handle(await _adminRecoverAccountCommandV2.RecoverAccountAsync(commandRequest));
         }
 
-        var result = await _adminRecoverAccountCommand.RecoverAccountAsync(
-            orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
-        if (result.Succeeded)
+        IdentityResult identityResult;
+        if (model.RequestHasNewDataTypes())
+        {
+            identityResult = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.UnlockData!.ToData(), model.AuthenticationData!.ToData());
+        }
+        // To be removed in PM-33141
+        else
+        {
+            identityResult = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
+        }
+
+        if (identityResult.Succeeded)
         {
             return TypedResults.Ok();
         }
 
-        foreach (var error in result.Errors)
+        foreach (var error in identityResult.Errors)
         {
             ModelState.AddModelError(string.Empty, error.Description);
         }

src/Api/Auth/Controllers/AccountsController.cs

@@ -13,6 +13,7 @@
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
+using Bit.Core.Auth.UserFeatures.TempPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Enums;
@@ -25,64 +26,47 @@
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.Auth.Controllers;
 
 [Route("accounts")]
 [Authorize(Policies.Application)]
-public class AccountsController : Controller
+public class AccountsController(
+    IOrganizationService organizationService,
+    IOrganizationUserRepository organizationUserRepository,
+    IProviderUserRepository providerUserRepository,
+    IUserService userService,
+    ISelfServicePasswordChangeCommand selfServicePasswordChangeCommand,
+    IPolicyService policyService,
+    IFinishSsoJitProvisionMasterPasswordCommand finishSsoJitProvisionMasterPasswordCommand,
+    ISetInitialMasterPasswordCommandV1 setInitialMasterPasswordCommandV1,
+    ITdeSetPasswordCommand tdeSetPasswordCommand,
+    ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
+    IReplaceAdminSetTemporaryPasswordCommand replaceAdminSetTemporaryPasswordCommand,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IUserAccountKeysQuery userAccountKeysQuery,
+    ITwoFactorEmailService twoFactorEmailService,
+    IChangeKdfCommand changeKdfCommand,
+    IUserRepository userRepository) : Controller
 {
-    private readonly IOrganizationService _organizationService;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IProviderUserRepository _providerUserRepository;
-    private readonly IUserService _userService;
-    private readonly IPolicyService _policyService;
-    private readonly ISetInitialMasterPasswordCommandV1 _setInitialMasterPasswordCommandV1;
-    private readonly IFinishSsoJitProvisionMasterPasswordCommand _finishSsoJitProvisionMasterPasswordCommand;
-    private readonly ITdeSetPasswordCommand _tdeSetPasswordCommand;
-    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
-    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
-    private readonly IFeatureService _featureService;
-    private readonly IUserAccountKeysQuery _userAccountKeysQuery;
-    private readonly ITwoFactorEmailService _twoFactorEmailService;
-    private readonly IChangeKdfCommand _changeKdfCommand;
-    private readonly IUserRepository _userRepository;
-
-    public AccountsController(
-        IOrganizationService organizationService,
-        IOrganizationUserRepository organizationUserRepository,
-        IProviderUserRepository providerUserRepository,
-        IUserService userService,
-        IPolicyService policyService,
-        IFinishSsoJitProvisionMasterPasswordCommand finishSsoJitProvisionMasterPasswordCommand,
-        ISetInitialMasterPasswordCommandV1 setInitialMasterPasswordCommandV1,
-        ITdeSetPasswordCommand tdeSetPasswordCommand,
-        ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
-        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IFeatureService featureService,
-        IUserAccountKeysQuery userAccountKeysQuery,
-        ITwoFactorEmailService twoFactorEmailService,
-        IChangeKdfCommand changeKdfCommand,
-        IUserRepository userRepository
-        )
-    {
-        _organizationService = organizationService;
-        _organizationUserRepository = organizationUserRepository;
-        _providerUserRepository = providerUserRepository;
-        _userService = userService;
-        _policyService = policyService;
-        _finishSsoJitProvisionMasterPasswordCommand = finishSsoJitProvisionMasterPasswordCommand;
-        _setInitialMasterPasswordCommandV1 = setInitialMasterPasswordCommandV1;
-        _tdeSetPasswordCommand = tdeSetPasswordCommand;
-        _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
-        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
-        _featureService = featureService;
-        _userAccountKeysQuery = userAccountKeysQuery;
-        _twoFactorEmailService = twoFactorEmailService;
-        _changeKdfCommand = changeKdfCommand;
-        _userRepository = userRepository;
-    }
+    private readonly IOrganizationService _organizationService = organizationService;
+    private readonly IOrganizationUserRepository _organizationUserRepository = organizationUserRepository;
+    private readonly IProviderUserRepository _providerUserRepository = providerUserRepository;
+    private readonly IUserService _userService = userService;
+    private readonly ISelfServicePasswordChangeCommand _selfServicePasswordChangeCommand = selfServicePasswordChangeCommand;
+    private readonly IPolicyService _policyService = policyService;
+    private readonly ISetInitialMasterPasswordCommandV1 _setInitialMasterPasswordCommandV1 = setInitialMasterPasswordCommandV1;
+    private readonly IFinishSsoJitProvisionMasterPasswordCommand _finishSsoJitProvisionMasterPasswordCommand = finishSsoJitProvisionMasterPasswordCommand;
+    private readonly ITdeSetPasswordCommand _tdeSetPasswordCommand = tdeSetPasswordCommand;
+    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
+    private readonly IReplaceAdminSetTemporaryPasswordCommand _replaceAdminSetTemporaryPasswordCommand = replaceAdminSetTemporaryPasswordCommand;
+    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
+    private readonly IUserAccountKeysQuery _userAccountKeysQuery = userAccountKeysQuery;
+    private readonly ITwoFactorEmailService _twoFactorEmailService = twoFactorEmailService;
+    private readonly IChangeKdfCommand _changeKdfCommand = changeKdfCommand;
+    private readonly IUserRepository _userRepository = userRepository;
 
 
     [HttpPost("password-hint")]
@@ -188,6 +172,14 @@ public async Task PostVerifyEmailToken([FromBody] VerifyEmailRequestModel model)
         throw new BadRequestException(ModelState);
     }
 
+    /// <summary>
+    /// For a user updating an existing password.
+    ///
+    /// If calling this when a user does not have a master password, it will fail.
+    /// </summary>
+    /// <param name="model"></param>
+    /// <exception cref="UnauthorizedAccessException"></exception>
+    /// <exception cref="BadRequestException"></exception>
     [HttpPost("password")]
     public async Task PostPassword([FromBody] PasswordRequestModel model)
     {
@@ -197,8 +189,23 @@ public async Task PostPassword([FromBody] PasswordRequestModel model)
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
-            model.NewMasterPasswordHash, model.MasterPasswordHint, model.Key);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _selfServicePasswordChangeCommand.ChangePasswordAsync(
+                user,
+                model.MasterPasswordHash,
+                model.UnlockData!.ToData(),
+                model.AuthenticationData!.ToData(),
+                model.MasterPasswordHint);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
+                model.NewMasterPasswordHash, model.MasterPasswordHint, model.Key);
+        }
+
         if (result.Succeeded)
         {
             return;
@@ -222,7 +229,7 @@ public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel
             throw new UnauthorizedAccessException();
         }
 
-        if (model.IsV2Request())
+        if (model.RequestHasNewDataTypes())
         {
             if (model.IsTdeSetPasswordRequest())
             {
@@ -235,7 +242,7 @@ public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel
         }
         else
         {
-            // TODO removed with https://bitwarden.atlassian.net/browse/PM-27327
+            // To be removed in PM-33141
             try
             {
                 user = model.ToUser(user);
@@ -248,8 +255,8 @@ public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel
 
             var result = await _setInitialMasterPasswordCommandV1.SetInitialMasterPasswordAsync(
                 user,
-                model.MasterPasswordHash,
-                model.Key,
+                model.MasterPasswordHash!,
+                model.Key!,
                 model.OrgIdentifier);
 
             if (result.Succeeded)
@@ -288,7 +295,7 @@ public async Task<MasterPasswordPolicyResponseModel> PostVerifyPassword([FromBod
     }
 
     [HttpPost("kdf")]
-    public async Task PostKdf([FromBody] PasswordRequestModel model)
+    public async Task PostKdf([FromBody] ChangeKdfRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
@@ -301,7 +308,10 @@ public async Task PostKdf([FromBody] PasswordRequestModel model)
             throw new BadRequestException("AuthenticationData and UnlockData must be provided.");
         }
 
-        var result = await _changeKdfCommand.ChangeKdfAsync(user, model.MasterPasswordHash, model.AuthenticationData.ToData(), model.UnlockData.ToData());
+        var result = await _changeKdfCommand.ChangeKdfAsync(user,
+            model.MasterPasswordHash,
+            model.AuthenticationData.ToData(),
+            model.UnlockData.ToData());
         if (result.Succeeded)
         {
             return;
@@ -646,7 +656,25 @@ public async Task PutUpdateTempPasswordAsync([FromBody] UpdateTempPasswordReques
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.UpdateTempPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _replaceAdminSetTemporaryPasswordCommand.Replace(
+                user,
+                model.UnlockData!.ToData(),
+                model.AuthenticationData!.ToData(),
+                model.MasterPasswordHint);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _userService.UpdateTempPasswordAsync(
+                user,
+                model.NewMasterPasswordHash,
+                model.Key,
+                model.MasterPasswordHint);
+        }
+
         if (result.Succeeded)
         {
             return;
@@ -669,7 +697,17 @@ public async Task PutUpdateTdePasswordAsync([FromBody] UpdateTdeOffboardingPassw
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.UnlockData!.ToData(), model.AuthenticationData!.ToData(), model.MasterPasswordHint);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash!, model.Key!, model.MasterPasswordHint);
+        }
+
         if (result.Succeeded)
         {
             return;

src/Api/Auth/Controllers/EmergencyAccessController.cs

@@ -13,6 +13,7 @@
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.Auth.Controllers;
@@ -170,10 +171,34 @@ public async Task<EmergencyAccessTakeoverResponseModel> Takeover(Guid id)
     }
 
     [HttpPost("{id}/password")]
-    public async Task Password(Guid id, [FromBody] EmergencyAccessPasswordRequestModel model)
+    public async Task<IResult> Password(Guid id, [FromBody] EmergencyAccessPasswordRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
-        await _emergencyAccessService.PasswordAsync(id, user, model.NewMasterPasswordHash, model.Key);
+
+        IdentityResult identityResult;
+        if (model.RequestHasNewDataTypes())
+        {
+            identityResult = await _emergencyAccessService.FinishRecoveryTakeoverAsync(id, user, model.UnlockData!.ToData(), model.AuthenticationData!.ToData());
+
+            if (identityResult.Succeeded)
+            {
+                return TypedResults.Ok();
+            }
+
+            foreach (var error in identityResult.Errors)
+            {
+                ModelState.AddModelError(string.Empty, error.Description);
+            }
+
+            return TypedResults.BadRequest(ModelState);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            await _emergencyAccessService.FinishRecoveryTakeoverAsync(id, user, model.NewMasterPasswordHash!, model.Key!);
+
+            return TypedResults.Ok();
+        }
     }
 
     [HttpPost("{id}/view")]

src/Api/Auth/Models/Request/Accounts/ChangeKdfRequestModel.cs

@@ -0,0 +1,45 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Api.Request;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+/// <summary>
+/// We recognize this probably doesn't need the obsolete fields but we are leaving it in to be cleaned up anywho
+/// later.
+/// </summary>
+public class ChangeKdfRequestModel : IValidatableObject
+{
+    [Required]
+    public required string MasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    [StringLength(300)]
+    public string? NewMasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    public string? Key { get; set; }
+
+    // Should be made required in PM-33141
+    public MasterPasswordAuthenticationDataRequestModel? AuthenticationData { get; set; }
+    // Should be made required in PM-33141
+    public MasterPasswordUnlockDataRequestModel? UnlockData { get; set; }
+
+    // To be removed in PM-33141
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        var hasNewPayloads = AuthenticationData is not null && UnlockData is not null;
+        var hasLegacyPayloads = NewMasterPasswordHash is not null && Key is not null;
+
+        if (hasNewPayloads && hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Cannot provide both new payloads (UnlockData/AuthenticationData) and legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+
+        if (!hasNewPayloads && !hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Must provide either new payloads (UnlockData/AuthenticationData) or legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+    }
+}