feat(validation): [PM-32626] Standardize Unlock and Authentication Validation - Added in comments to prepare the server v2 for reset / set of the salt.

Patrick-Pimentel-Bitwarden · Patrick-Pimentel-Bitwarden · commit 54b3af6e2b9f · 2026-02-24T22:35:21.000-05:00
diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -544,6 +544,18 @@ public async Task<IResult> PutResetPassword(Guid orgId, Guid id, [FromBody] Orga
         return TypedResults.BadRequest(ModelState);
     }
 
+    /// <summary>
+    /// Recovers an organization user's account by resetting their master password (v2).
+    /// </summary>
+    /// <remarks>
+    /// Unlike v1, the request payload separates authentication data and unlock data into distinct objects,
+    /// each carrying explicit KDF settings and salt alongside the hash or wrapped key. This enables
+    /// server-side cross-validation of KDF parameters and salt against the target user's stored values —
+    /// something v1 cannot do because it only receives a flat master-password hash and encrypted key
+    /// with no KDF context.
+    ///
+    ///
+    /// </remarks>
     [HttpPut("{id}/reset-password")]
     [VersionedRoute(2)]
     [Authorize<ManageAccountRecoveryRequirement>]
diff --git a/src/Core/AdminConsole/OrganizationFeatures/AccountRecovery/v2/AdminRecoverAccountCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/AccountRecovery/v2/AdminRecoverAccountCommand.cs
@@ -71,6 +71,18 @@ public async Task<IdentityResult> RecoverAccountAsync(Guid orgId,
         }
 
         // Validate submitted salt matches the user's stored salt
+        // PM-28827: Uncomment below block when MasterPasswordSalt exists on User.
+        // When the user has no stored salt, persist it from the request data.
+        // When the user already has a stored salt, validate it matches the request data.
+        // if (string.IsNullOrEmpty(user.MasterPasswordSalt))
+        // {
+        //     user.MasterPasswordSalt = authenticationData.Salt;
+        // }
+        // else
+        // {
+        //     unlockData.ValidateSaltUnchangedForUser(user);
+        //     authenticationData.ValidateSaltUnchangedForUser(user);
+        // }
         unlockData.ValidateSaltUnchangedForUser(user);
         authenticationData.ValidateSaltUnchangedForUser(user);
 
