feat(validation): [PM-32626] Standardize Unlock and Authentication Validation - Initial pass at standardizing the validation for the RegisterFinishRequestModel.

Author: Patrick-Pimentel-Bitwarden

src/Core/Auth/Models/Api/Request/Accounts/RegisterFinishRequestModel.cs

@@ -133,18 +133,11 @@ public IEnumerable<ValidationResult> Validate(ValidationContext validationContex
                 [nameof(MasterPasswordAuthentication.MasterPasswordAuthenticationHash), nameof(MasterPasswordHash)]);
         }
 
-        // 2. Validate kdf settings.
-        if (MasterPasswordUnlock != null)
+        // 2. Validate kdf settings, kdf equality, and salt equality between authentication and unlock.
+        if (MasterPasswordUnlock != null && MasterPasswordAuthentication != null)
         {
-            foreach (var validationResult in KdfSettingsValidator.Validate(MasterPasswordUnlock.ToData().Kdf))
-            {
-                yield return validationResult;
-            }
-        }
-
-        if (MasterPasswordAuthentication != null)
-        {
-            foreach (var validationResult in KdfSettingsValidator.Validate(MasterPasswordAuthentication.ToData().Kdf))
+            foreach (var validationResult in KdfSettingsValidator.ValidateAuthenticationAndUnlockData(
+                MasterPasswordAuthentication.ToData(), MasterPasswordUnlock.ToData()))
             {
                 yield return validationResult;
             }
@@ -188,7 +181,7 @@ public IEnumerable<ValidationResult> Validate(ValidationContext validationContex
             yield return new ValidationResult($"{nameof(MasterPasswordAuthentication)} not found on RequestModel", [nameof(MasterPasswordAuthentication)]);
         }
 
-        // 3. Lastly, validate access token type and presence. Must be done last because of yield break.
+        // 4. Lastly, validate access token type and presence. Must be done last because of yield break.
         RegisterFinishTokenType tokenType;
         var tokenTypeResolved = true;
         try

src/Core/Utilities/KdfSettingsValidator.cs

@@ -6,6 +6,37 @@ namespace Bit.Core.Utilities;
 
 public static class KdfSettingsValidator
 {
+    /// <summary>
+    /// Validates that authentication and unlock data have matching KDF settings and salts,
+    /// then validates the KDF settings themselves.
+    /// </summary>
+    public static IEnumerable<ValidationResult> ValidateAuthenticationAndUnlockData(
+        MasterPasswordAuthenticationData authentication,
+        MasterPasswordUnlockData unlock)
+    {
+        // Currently KDF settings are not saved separately for authentication and unlock and must therefore be equal
+        if (!authentication.Kdf.Equals(unlock.Kdf))
+        {
+            yield return new ValidationResult(
+                "KDF settings must be equal for authentication and unlock.",
+                [nameof(authentication.Kdf)]);
+            // KDF settings diverge; remaining validation is not meaningful
+            yield break;
+        }
+
+        if (authentication.Salt != unlock.Salt)
+        {
+            yield return new ValidationResult(
+                "Salt must be equal for authentication and unlock.",
+                [nameof(authentication.Salt)]);
+        }
+
+        foreach (var validationResult in Validate(authentication.Kdf))
+        {
+            yield return validationResult;
+        }
+    }
+
     // PM-28143 - Remove below when fixing ticket
     public static IEnumerable<ValidationResult> Validate(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
     {

test/Api.Test/Utilities/KdfSettingsValidatorTests.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Utilities;
 using Xunit;
 
@@ -33,4 +34,93 @@ public void Validate_Fails(KdfType kdfType, int kdfIterations, int? kdfMemory, i
         Assert.NotEmpty(results);
         Assert.Equal(expectedFailures, results.Count());
     }
+
+    [Fact]
+    public void ValidateAuthenticationAndUnlockData_WhenMatchingKdfAndSalt_ReturnsNoErrors()
+    {
+        var kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 600_000 };
+        var authentication = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "hash",
+            Salt = "salt"
+        };
+        var unlock = new MasterPasswordUnlockData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 600_000 },
+            MasterKeyWrappedUserKey = "wrapped",
+            Salt = "salt"
+        };
+
+        var results = KdfSettingsValidator.ValidateAuthenticationAndUnlockData(authentication, unlock).ToList();
+
+        Assert.Empty(results);
+    }
+
+    [Fact]
+    public void ValidateAuthenticationAndUnlockData_WhenKdfMismatch_ReturnsKdfEqualityError()
+    {
+        var authentication = new MasterPasswordAuthenticationData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 600_000 },
+            MasterPasswordAuthenticationHash = "hash",
+            Salt = "salt"
+        };
+        var unlock = new MasterPasswordUnlockData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.Argon2id, Iterations = 3, Memory = 64, Parallelism = 4 },
+            MasterKeyWrappedUserKey = "wrapped",
+            Salt = "salt"
+        };
+
+        var results = KdfSettingsValidator.ValidateAuthenticationAndUnlockData(authentication, unlock).ToList();
+
+        Assert.Single(results);
+        Assert.Equal("KDF settings must be equal for authentication and unlock.", results[0].ErrorMessage);
+    }
+
+    [Fact]
+    public void ValidateAuthenticationAndUnlockData_WhenSaltMismatch_ReturnsSaltEqualityError()
+    {
+        var authentication = new MasterPasswordAuthenticationData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 600_000 },
+            MasterPasswordAuthenticationHash = "hash",
+            Salt = "salt-auth"
+        };
+        var unlock = new MasterPasswordUnlockData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 600_000 },
+            MasterKeyWrappedUserKey = "wrapped",
+            Salt = "salt-unlock"
+        };
+
+        var results = KdfSettingsValidator.ValidateAuthenticationAndUnlockData(authentication, unlock).ToList();
+
+        Assert.Single(results);
+        Assert.Equal("Salt must be equal for authentication and unlock.", results[0].ErrorMessage);
+    }
+
+    [Fact]
+    public void ValidateAuthenticationAndUnlockData_WhenKdfInvalid_ReturnsKdfValidationError()
+    {
+        // Matching but out-of-range KDF (iterations below minimum for PBKDF2)
+        var authentication = new MasterPasswordAuthenticationData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 100 },
+            MasterPasswordAuthenticationHash = "hash",
+            Salt = "salt"
+        };
+        var unlock = new MasterPasswordUnlockData
+        {
+            Kdf = new KdfSettings { KdfType = KdfType.PBKDF2_SHA256, Iterations = 100 },
+            MasterKeyWrappedUserKey = "wrapped",
+            Salt = "salt"
+        };
+
+        var results = KdfSettingsValidator.ValidateAuthenticationAndUnlockData(authentication, unlock).ToList();
+
+        Assert.Single(results);
+        Assert.Contains("KDF iterations must be between", results[0].ErrorMessage);
+    }
 }

test/Core.Test/Auth/Models/Api/Request/Accounts/RegisterFinishRequestModelTests.cs

@@ -326,6 +326,60 @@ public void Validate_WhenAllFieldsValidWithSubModels_IsValid()
         Assert.Empty(results);
     }
 
+    [Fact]
+    public void Validate_WhenKdfMismatchBetweenAuthAndUnlock_ReturnsKdfEqualityError()
+    {
+        var model = new RegisterFinishRequestModel
+        {
+            Email = "user@example.com",
+            UserAsymmetricKeys = new KeysRequestModel { PublicKey = "pk", EncryptedPrivateKey = "sk" },
+            MasterPasswordUnlock = new MasterPasswordUnlockDataRequestModel
+            {
+                Kdf = new KdfRequestModel { KdfType = KdfType.PBKDF2_SHA256, Iterations = AuthConstants.PBKDF2_ITERATIONS.Default },
+                MasterKeyWrappedUserKey = "wrapped",
+                Salt = "salt"
+            },
+            MasterPasswordAuthentication = new MasterPasswordAuthenticationDataRequestModel
+            {
+                Kdf = new KdfRequestModel { KdfType = KdfType.Argon2id, Iterations = 3, Memory = 64, Parallelism = 4 },
+                MasterPasswordAuthenticationHash = "auth-hash",
+                Salt = "salt"
+            },
+            EmailVerificationToken = "token"
+        };
+
+        var results = Validate(model);
+
+        Assert.Contains(results, r => r.ErrorMessage == "KDF settings must be equal for authentication and unlock.");
+    }
+
+    [Fact]
+    public void Validate_WhenSaltMismatchBetweenAuthAndUnlock_ReturnsSaltEqualityError()
+    {
+        var model = new RegisterFinishRequestModel
+        {
+            Email = "user@example.com",
+            UserAsymmetricKeys = new KeysRequestModel { PublicKey = "pk", EncryptedPrivateKey = "sk" },
+            MasterPasswordUnlock = new MasterPasswordUnlockDataRequestModel
+            {
+                Kdf = new KdfRequestModel { KdfType = KdfType.PBKDF2_SHA256, Iterations = AuthConstants.PBKDF2_ITERATIONS.Default },
+                MasterKeyWrappedUserKey = "wrapped",
+                Salt = "salt-unlock"
+            },
+            MasterPasswordAuthentication = new MasterPasswordAuthenticationDataRequestModel
+            {
+                Kdf = new KdfRequestModel { KdfType = KdfType.PBKDF2_SHA256, Iterations = AuthConstants.PBKDF2_ITERATIONS.Default },
+                MasterPasswordAuthenticationHash = "auth-hash",
+                Salt = "salt-auth"
+            },
+            EmailVerificationToken = "token"
+        };
+
+        var results = Validate(model);
+
+        Assert.Contains(results, r => r.ErrorMessage == "Salt must be equal for authentication and unlock.");
+    }
+
     [Fact]
     public void Validate_WhenNoValidRegistrationTokenProvided_ReturnsTokenErrorOnly()
     {