[PM-30920] Server changes to encrypt send access email list

[harr1424]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30920

📔 Objective

In order to better align with our Security Principles we need to make use of encryption and hashing functionality to protect the email address list associated with a Send as a part of the Email Verification feature.

Necessary server changes:

• Store identical lists of email addresses in 2 columns of the Send table

Emails (contains an encrypted list of email addresses)

• The values of this column are modified when a user saves or edits a Send
• The values of this column are read when a user edits a Send
• Utilizes user’s e2e encryption
• NVARCHAR(4000) DB type to keep data in the same row

EmailHashes (new column, contains an encrypted list of email address hashes)

• The values of this column are modified when a user saves or edits a Send
• The values of this column are read when the email owner associated to a Send wants to view a Send through Send Access.
• Utilizes ASP.NET Core Data Protection functionality for encryption
• NVARCHAR(4000) DB type to keep data in the same row
• Note: the value of the EmailHashes column should not be returned to the client as it’s unnecessary to the client

SendAuthenticationQuery.cs will need changes so that it compares against the hashes from the EmailHashes column instead of the current comma-separated plain-text list

Adapt model files to account for the new EmailsHashes field / value

Add methods to the SendRepository.cs files for both Dapper and EntityFramework so that these repositories can encrypt (upon write) and decrypt (upon read) the value in the EmailHashes column

Acceptance criteria

• Existing Emails column in the Send table only stores an encrypted value, instead of a plain-text list of email addresses
• The EmailHashes column exists on the Send table and only holds encrypted values

Expect send access to fail to auth until the client code changes that provide a value for the EmailHashescolumn are completed if the pm-19051-send-email-verification feature flag is enabled

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 43 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.97%. Comparing base (2a45880) to head (f08238a).

Files with missing lines	Patch %	Lines
...ucture.Dapper/Tools/Repositories/SendRepository.cs	44.44%	35 Missing and 5 partials ⚠️
...ls/SendFeatures/Queries/SendAuthenticationQuery.cs	66.66%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6867      +/-   ##
==========================================
+ Coverage   56.08%   59.97%   +3.88%     
==========================================
  Files        1968     1968              
  Lines       86974    87042      +68     
  Branches     7748     7756       +8     
==========================================
+ Hits        48783    52200    +3417     
+ Misses      36385    32948    -3437     
- Partials     1806     1894      +88     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 55ca1f8e-759c-4828-907c-7f509d5c7754

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Tools/Controllers/SendsController.cs: 68	details Method at line 68 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from id. This parameter value flows thro... Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 291

[claude]

Claude finished @harr1424's task in 2m 51s —— View job

---

Re-Review: PM-30920 - Server changes to encrypt send access email list

Summary

All previous findings have been addressed. The author responded to the review feedback in commit cd924d2ca.

Previous Findings - Now Resolved

Severity	Finding	Status
❌ Critical	Tests not updated to use EmailHashes	✅ Resolved - Tests updated with comprehensive coverage
⚠️ Important	TOCTOU validation concern	✅ Resolved - Acknowledged my analysis was incorrect; validation is properly consolidated
🎨 Suggested	StringLength mismatch (1000 vs 4000)	✅ Resolved - Changed to [StringLength(4000)]

Changes Since Last Review

• SendRequestModel.EmailHashes now uses [StringLength(4000)] matching the entity
• SendAuthenticationQueryTests.cs updated to use EmailHashes instead of Emails
• Added 7 new test methods covering validation scenarios (Disabled, Expired, Deleted, AccessCount, etc.)
• Removed obsolete controller validation tests (validation moved to SendAuthenticationQuery)

Verdict

✅ Approved - All findings addressed, tests are comprehensive.

---

🤖 Review generated by Claude Code