Skip to content

[PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs#7239

Open
ike-kottlowski wants to merge 15 commits intomainfrom
auth/pm-21926/add-salt-to-auth-dtos
Open

[PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs#7239
ike-kottlowski wants to merge 15 commits intomainfrom
auth/pm-21926/add-salt-to-auth-dtos

Conversation

@ike-kottlowski
Copy link
Contributor

@ike-kottlowski ike-kottlowski commented Mar 17, 2026
edited by atlassian bot
Loading

🎟️ Tracking

PM-30370
PM-28827

📔 Objective

Add MasterPasswordSalt to Auth and KM models.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailscc70e901-f1ec-4055-925a-d47f0539629d

New Issues (2) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1592
detailsMethod at line 1592 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ...
Attack Vector
2 MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1419
detailsMethod at line 1419 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ...
Attack Vector
Fixed Issues (1) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 293

@ike-kottlowski ike-kottlowski changed the title [PM- 30370] Add Salt to Auth and KM DTOs [PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs Mar 18, 2026
@codecov
Copy link

codecov bot commented Mar 18, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 66.66667% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.64%. Comparing base (d977ba4) to head (955f048).

Files with missing lines Patch % Lines
.../Data/MasterPasswordUnlockAndAuthenticationData.cs 25.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #7239   +/-   ##
=======================================
  Coverage   57.64%   57.64%           
=======================================
  Files        2033     2033           
  Lines       89622    89627    +5     
  Branches     7977     7978    +1     
=======================================
+ Hits        51660    51663    +3     
- Misses      36106    36107    +1     
- Partials     1856     1857    +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ike-kottlowski ike-kottlowski marked this pull request as ready for review March 19, 2026 15:16
@ike-kottlowski ike-kottlowski requested review from a team as code owners March 19, 2026 15:16
@ike-kottlowski ike-kottlowski added the ai-review Request a Claude code review label Mar 19, 2026
@claude
Copy link
Contributor

claude bot commented Mar 19, 2026
edited
Loading

Claude finished @ike-kottlowski's task in 2m 15s —— View job

Code Review: PR #7239 - Add Salt to Auth and KM DTOs

  • Gather context and review PR diff
  • Perform detailed code review
  • Post findings

Review Summary

Verdict: Clean PR — no actionable findings.

This PR adds the MasterPasswordSalt property to Auth and Key Management DTOs, enabling a transition from email-derived salt to explicit salt values. The changes include a new optional field on MasterPasswordUnlockAndAuthenticationDataModel with appropriate [MaxLength(256)] validation, backward-compatible fallback logic (MasterPasswordSalt ?? Email), and an update to UserDecryptionOptionsBuilder to use User.GetMasterPasswordSalt(). Test coverage is thorough, with new tests for both explicit salt and null-salt fallback scenarios across registration, TDE set-password, and initial master password flows.

What was reviewed:

File Change
MasterPasswordUnlockDataAndAuthenticationModel.cs New MasterPasswordSalt property with [MaxLength(256)] validation, mapped through ToUnlockData()
RegisterFinishRequestModel.cs Salt mapping enabled (correctly defers fallback — per author's note, no coalescing on write path)
UserDecryptionOptionsBuilder.cs Switched from hardcoded Email.ToLowerInvariant() to canonical GetMasterPasswordSalt()
4 test files Good coverage for explicit salt and null-salt-with-email-fallback scenarios

No security, correctness, or style issues identified.

ike-kottlowski
ike-kottlowski commented Mar 19, 2026
View reviewed changes
src/Core/Auth/Models/Api/Request/Accounts/RegisterFinishRequestModel.cs
KdfParallelism = MasterPasswordUnlock?.Kdf.Parallelism ?? KdfParallelism,
// PM-28827 To be added when MasterPasswordSalt is added to the user column
// MasterPasswordSalt = MasterPasswordUnlock?.Salt ?? Email.ToLower().Trim(),
MasterPasswordSalt = MasterPasswordUnlock?.Salt,
Copy link
Contributor Author

@ike-kottlowski ike-kottlowski Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are not coalescing here because this data is used to write to the database, and we agreed that when writing to the database, we only supply what the client give us allowing null to be an options. Tracking fallbacks on both the server and the client was deemed too complex to follow and unwind in the future.

@ike-kottlowski ike-kottlowski mentioned this pull request Mar 19, 2026
Merged
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 20, 2026

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Thomas-Avery Thomas-Avery Awaiting requested review from Thomas-Avery Thomas-Avery is a code owner automatically assigned from bitwarden/team-key-management-dev

@JaredSnider-Bitwarden JaredSnider-Bitwarden Awaiting requested review from JaredSnider-Bitwarden JaredSnider-Bitwarden is a code owner automatically assigned from bitwarden/team-auth-dev

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review Request a Claude code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ike-kottlowski