
Commit 54b3af6

feat(validation): [PM-32626] Standardize Unlock and Authentication Validation - Added comments to prepare the v2 server for resetting / setting the salt.
1 parent dbd29bc commit 54b3af6


2 files changed

+24
-0
lines changed


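--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -544,6 +544,18 @@ public async Task<IResult> PutResetPassword(Guid orgId, Guid id, [FromBody] Orga
 return TypedResults.BadRequest(ModelState);
 }
 
+/// <summary>
+/// Recovers an organization user's account by resetting their master password (v2).
+/// </summary>
+/// <remarks>
+/// Unlike v1, the request payload separates authentication data and unlock data into distinct objects,
+/// each carrying explicit KDF settings and salt alongside the hash or wrapped key. This enables
+/// server-side cross-validation of KDF parameters and salt against the target user's stored values —
+/// something v1 cannot do because it only receives a flat master-password hash and encrypted key
+/// with no KDF context.
+///
+///
+/// </remarks>
 [HttpPut("{id}/reset-password")]
 [VersionedRoute(2)]
 [Authorize<ManageAccountRecoveryRequirement>]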
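Review bot: The new `<remarks>` block ends with two empty `///` lines just before `/// </remarks>`, which render as an empty trailing paragraph in generated docs and read as an unfinished edit. If they were reserved for the salt-persistence note that the companion AdminRecoverAccountCommand.cs change tracks under PM-28827, it is clearer to state that now, e.g. `/// Persisting a salt for users that have none stored is deferred until MasterPasswordSalt exists on User (PM-28827).`; otherwise drop both lines. The attribute list and the body of PutResetPassword continue outside the hunk.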

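--- a/src/Core/AdminConsole/OrganizationFeatures/AccountRecovery/v2/AdminRecoverAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/AccountRecovery/v2/AdminRecoverAccountCommand.cs
@@ -71,6 +71,18 @@ public async Task<IdentityResult> RecoverAccountAsync(Guid orgId,
 }
 
 // Validate submitted salt matches the user's stored salt
+// PM-28827: Uncomment below block when MasterPasswordSalt exists on User.
+// When the user has no stored salt, persist it from the request data.
+// When the user already has a stored salt, validate it matches the request data.
+// if (string.IsNullOrEmpty(user.MasterPasswordSalt))
+// {
+// user.MasterPasswordSalt = authenticationData.Salt;
+// }
+// else
+// {
+// unlockData.ValidateSaltUnchangedForUser(user);
+// authenticationData.ValidateSaltUnchangedForUser(user);
+// }
 unlockData.ValidateSaltUnchangedForUser(user);
 authenticationData.ValidateSaltUnchangedForUser(user);
 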
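Review bot: In the prepared (commented-out) block, the empty-salt branch persists `authenticationData.Salt` but never checks that the unlock payload's salt agrees with it, so if the two request objects can carry different salts, the first recovery would store one salt while the unlock data goes unvalidated; only the `else` branch validates both. A simpler shape that closes this gap is to keep the `if` that persists the salt, drop the `else`, and leave the two existing calls `unlockData.ValidateSaltUnchangedForUser(user);` / `authenticationData.ValidateSaltUnchangedForUser(user);` unconditional after it, so both submitted salts are always validated against whatever is now stored and the calls are not duplicated. The comment should also say explicitly what happens to the two live calls below when the block is enabled, since "Uncomment below block" as written leaves that ambiguous. RecoverAccountAsync starts outside the hunk.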