[PM-35393] MasterPasswordService auth integration

[enmande]

🎟️ Tracking

PM-35393

📔 Objective

Integrate Auth-domain callers with MasterPasswordService.
Wires five password-mutation flows to the service added in #7530 :

• Self-service password change
• TDE offboarding
• Emergency Access Takeover
• Temporary password replacement
• SSO JIT provisioning.

All relevant request models now accept both payload variants ("new": AuthenticationData + UnlockData, or "legacy": NewMasterPasswordHash + Key) for backward compatibility.
KDF validation is enforced at the request model layer whenever new payloads are present.
Legacy entry points on IUserService are marked [Obsolete] with specific replacement guidance. Legacy fields are tracked for removal in PM-33141.

📸 Screenshots

Master Password Self-Service

User enmande updates their Master Password using self-service.

• Current Master Password is required and passes validation.
• New Master Password is hashed and set.
• User is logged out on success (behavioral parity with main).
• User can log in with the new Master Password.

pm-35393__mp-self-service.mov

TDE Offboarding

• User zed belongs to an SSO-required Trusted Device Encryption organization.
• Organization Owner enmande converts the organization to Master Password Encryption. This is generally described as "TDE Offboarding."
• User zed is required to set a new Master Password at next login; password is successfully set and allows zed to log in and view their vault.

NOTE: This organization retains SSO requirement throughout; zed remains authenticated to SSO for the duration of this test, so SSO challenge is not represented in this video.

pm-35393__tde-offboarding.mov

Emergency Access Takeover

• User zed, who is enrolled in Emergency Access Takeover by organizational policy, has their account taken over ("Recovered") by organization Owner enmande.
• enmande sets zed's new temporary Master Password.
• New temporary Master Password is accepted at next login for zed's account.
• Upon login, zed's account requires the setting of a new Master Password.
• User is logged out on change of the Master Password.
• New Master Password hash is set, and enabled subsequent login and access to the vault.

pm-35393__account-recovery.mov

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR integrates five Auth-domain master-password mutation flows (self-service change, TDE offboarding, Emergency Access takeover, temporary password replacement, SSO JIT provisioning) with the new MasterPasswordService. Request models accept both legacy (NewMasterPasswordHash/Key) and new (AuthenticationData/UnlockData) payload variants for backward compatibility, with KDF and salt validation enforced at the request-model boundary. Legacy IUserService entry points are marked [Obsolete] with explicit replacement guidance, and the new MasterPasswordPayloadVariantValidator plus KdfSettingsValidator.ValidateKdfAndSaltAgreement correctly preserve the PM-27892 regression guard for legacy-KDF users. Test coverage is comprehensive across new commands, request models, and the EmergencyAccess takeover flow.

Code Review Details

Scope

• 39 files changed across src/Api/Auth, src/Core/Auth/UserFeatures, src/Core/Utilities, src/Core/Services, and corresponding test/ trees.
• New commands: SelfServicePasswordChangeCommand, ReplaceAdminSetTemporaryPasswordCommand.
• New helpers: MasterPasswordPayloadVariantValidator, KdfSettingsValidator.ValidateKdfAndSaltAgreement.
• New request model: ChangeKdfRequestModel (split from PasswordRequestModel so existing-password flows do not range-check legacy KDFs).
• No dependency manifest changes.

Verification Notes

• Dual-path dispatch in AccountsController.PostPassword, PutUpdateTempPasswordAsync, PutUpdateTdePasswordAsync, and EmergencyAccessController.Password correctly branches on RequestHasNewDataTypes() and falls back to the legacy IUserService paths.
• Removal of if (user.Key != null) from TdeSetPasswordCommand.SetMasterPasswordAsync is safe: equivalent guard is now centralized in SetInitialPasswordData.ValidateDataForUser (checks HasMasterPassword(), Key != null, MasterPasswordSalt != null, UsesKeyConnector) and runs inside MasterPasswordService.PrepareSetInitialMasterPasswordAsync.
• FinishRecoveryTakeoverAsync correctly handles password-validation failures via OneOf<User, IdentityError[]>; the legacy PasswordAsync discards the UpdatePasswordHash result (pre-existing behavior, fixed by the new path).
• Server-side timestamp updates (LastPasswordChangeDate, RevisionDate, AccountRevisionDate) and IPasswordHasher<User> hashing are handled inside MasterPasswordService, so the new commands and Emergency Access takeover do not need to re-do them.
• DI registrations in UserServiceCollectionExtensions use AddScoped consistent with the file's existing convention.
• Loss of SecretVerificationRequestModel inheritance on PasswordRequestModel is benign: OTP / AuthRequestAccessCode were never consumed by /accounts/password.
• Previously raised inline concerns (test coverage for FinishRecoveryTakeoverAsync, CODEOWNERS placement of MasterPasswordPayloadVariantValidator) have been resolved in commits aa5c24d and 8ee4c6d respectively.

No new findings.

[codecov]

Codecov Report

❌ Patch coverage is 64.77273% with 124 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.62%. Comparing base (5ae8570) to head (b2c9a70).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Api/Auth/Controllers/AccountsController.cs	17.02%	38 Missing and 1 partial ⚠️
...fboardingPassword/TdeOffboardingPasswordCommand.cs	15.90%	35 Missing and 2 partials ⚠️
...Features/EmergencyAccess/EmergencyAccessService.cs	5.88%	32 Missing ⚠️
.../Api/Auth/Controllers/EmergencyAccessController.cs	0.00%	15 Missing ⚠️
...assword/ReplaceAdminSetTemporaryPasswordCommand.cs	96.29%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #7575    +/-   ##
========================================
  Coverage   59.62%   59.62%            
========================================
  Files        2097     2101     +4     
  Lines       92611    92914   +303     
  Branches     8249     8295    +46     
========================================
+ Hits        55215    55397   +182     
- Misses      35443    35562   +119     
- Partials     1953     1955     +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codecov]

Codecov Report

❌ Patch coverage is 74.79893% with 94 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.76%. Comparing base (f835212) to head (36e6e97).
⚠️ Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Api/Auth/Controllers/AccountsController.cs	17.02%	38 Missing and 1 partial ⚠️
...fboardingPassword/TdeOffboardingPasswordCommand.cs	15.90%	35 Missing and 2 partials ⚠️
.../Api/Auth/Controllers/EmergencyAccessController.cs	0.00%	15 Missing ⚠️
src/Core/Services/Implementations/UserService.cs	33.33%	2 Missing ⚠️
...assword/ReplaceAdminSetTemporaryPasswordCommand.cs	96.29%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7575      +/-   ##
==========================================
+ Coverage   59.73%   59.76%   +0.03%     
==========================================
  Files        2102     2113      +11     
  Lines       92691    93060     +369     
  Branches     8257     8290      +33     
==========================================
+ Hits        55371    55621     +250     
- Misses      35366    35472     +106     
- Partials     1954     1967      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ike-kottlowski]

Just some concerns around the removal of salt tests.

By removing them I think we are lessening our testing coverage for ensuring the salt remains unchanged. I know there maybe concerns about business logic locations and checking the salt in a JIT User Provision unit test suite may not be the correct palace for it but having it in the wrong place is better than not having it at all.

[ike-kottlowski]

Good catch on the KDF iterations.

[sonarqubecloud]

Quality Gate passed

Issues
74 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
3.7% Duplication on New Code

See analysis details on SonarQube Cloud