feat(register): [PM-27084] Account Register Uses New Data Types

src/Core/Auth/Models/Api/Request/Accounts/RegisterFinishRequestModel.cs

@@ -1,6 +1,6 @@
-#nullable enable
-using Bit.Core.Entities;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Auth.Models.Api.Request.Accounts;
@@ -21,19 +21,28 @@ public class RegisterFinishRequestModel : IValidatableObject
     public required string Email { get; set; }
     public string? EmailVerificationToken { get; set; }
 
+    public MasterPasswordAuthenticationData? MasterPasswordAuthenticationData { get; set; }
+    public MasterPasswordUnlockData? MasterPasswordUnlockData { get; set; }
+
+    // PM-28143 - Remove line below (made optional during migration to MasterPasswordUnlockData)
     [StringLength(1000)]
-    public required string MasterPasswordHash { get; set; }
+    public string? MasterPasswordHash { get; set; }
 
     [StringLength(50)]
     public string? MasterPasswordHint { get; set; }
 
-    public required string UserSymmetricKey { get; set; }
+    // PM-28143 - Remove line below (made optional during migration to MasterPasswordUnlockData)
+    public string? UserSymmetricKey { get; set; }
 
     public required KeysRequestModel UserAsymmetricKeys { get; set; }
 
-    public required KdfType Kdf { get; set; }
-    public required int KdfIterations { get; set; }
+    // PM-28143 - Remove line below (made optional during migration to MasterPasswordUnlockData)
+    public KdfType? Kdf { get; set; }
+    // PM-28143 - Remove line below (made optional during migration to MasterPasswordUnlockData)
+    public int? KdfIterations { get; set; }
+    // PM-28143 - Remove line below
     public int? KdfMemory { get; set; }
+    // PM-28143 - Remove line below
     public int? KdfParallelism { get; set; }
 
     public Guid? OrganizationUserId { get; set; }
@@ -54,11 +63,13 @@ public User ToUser()
         {
             Email = Email,
             MasterPasswordHint = MasterPasswordHint,
-            Kdf = Kdf,
-            KdfIterations = KdfIterations,
-            KdfMemory = KdfMemory,
-            KdfParallelism = KdfParallelism,
-            Key = UserSymmetricKey,
+            Kdf = MasterPasswordUnlockData?.Kdf.KdfType ?? Kdf ?? throw new Exception("KdfType couldn't be found on either the MasterPasswordUnlockData or the Kdf property passed in."),
+            KdfIterations = MasterPasswordUnlockData?.Kdf.Iterations ?? KdfIterations ?? throw new Exception("KdfIterations couldn't be found on either the MasterPasswordUnlockData or the KdfIterations property passed in."),
+            KdfMemory = MasterPasswordUnlockData?.Kdf.Memory ?? KdfMemory,
+            KdfParallelism = MasterPasswordUnlockData?.Kdf.Parallelism ?? KdfParallelism,
+            // PM-28827 To be added when MasterPasswordSalt is added to the user column
+            // MasterPasswordSalt = MasterPasswordUnlockData?.Salt ?? Email.ToLower().Trim(),
+            Key = MasterPasswordUnlockData?.MasterKeyWrappedUserKey ?? UserSymmetricKey,
         };
 
         UserAsymmetricKeys.ToUser(user);
@@ -95,6 +106,28 @@ public RegisterFinishTokenType GetTokenType()
 
     public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
     {
-        return KdfSettingsValidator.Validate(Kdf, KdfIterations, KdfMemory, KdfParallelism);
+        // PM-28143 - Remove line below
+        var kdf = MasterPasswordUnlockData?.Kdf.KdfType
+                  ?? Kdf
+                  ?? throw new Exception($"{nameof(Kdf)} not found on RequestModel");
+
+        // PM-28143 - Remove line below
+        var kdfIterations = MasterPasswordUnlockData?.Kdf.Iterations
+                            ?? KdfIterations
+                            ?? throw new Exception($"{nameof(KdfIterations)} not found on RequestModel");
+
+        // PM-28143 - Remove line below
+        var kdfMemory = MasterPasswordUnlockData?.Kdf.Memory
+                        ?? KdfMemory;
+
+        // PM-28143 - Remove line below
+        var kdfParallelism = MasterPasswordUnlockData?.Kdf.Parallelism
+                             ?? KdfParallelism;
+
+        // PM-28143 - Remove line below in favor of using the unlock data.
+        return KdfSettingsValidator.Validate(kdf, kdfIterations, kdfMemory, kdfParallelism);
+
+        // PM-28143 - Uncomment
+        // return KdfSettingsValidator.Validate(MasterPasswordUnlockData);
     }
 }

src/Core/Entities/User.cs

@@ -7,8 +7,6 @@
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Identity;
 
-#nullable enable
-
 namespace Bit.Core.Entities;
 
 public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFactorProvidersUser
@@ -51,7 +49,7 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
     public string? Key { get; set; }
     /// <summary>
     /// The raw public key, without a signature from the user's signature key.
-    /// </summary> 
+    /// </summary>
     public string? PublicKey { get; set; }
     /// <summary>
     /// User key wrapped private key.
@@ -102,6 +100,8 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
     public DateTime? LastKeyRotationDate { get; set; }
     public DateTime? LastEmailChangeDate { get; set; }
     public bool VerifyDevices { get; set; } = true;
+    // PM-28827 Uncomment below line.
+    // public string? MasterPasswordSalt { get; set; }
 
     public string GetMasterPasswordSalt()
     {

src/Core/Utilities/KdfSettingsValidator.cs

@@ -6,6 +6,7 @@ namespace Bit.Core.Utilities;
 
 public static class KdfSettingsValidator
 {
+    // PM-28143 - Remove below when fixing ticket
     public static IEnumerable<ValidationResult> Validate(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
     {
         switch (kdfType)
@@ -36,6 +37,34 @@ public static IEnumerable<ValidationResult> Validate(KdfType kdfType, int kdfIte
         }
     }
 
+    // PM-28143 - Will be used in the referenced ticket.
+    public static IEnumerable<ValidationResult> Validate(MasterPasswordUnlockData masterPasswordUnlockData)
+    {
+        switch (masterPasswordUnlockData.Kdf.KdfType)
+        {
+            case KdfType.PBKDF2_SHA256:
+                if (!AuthConstants.PBKDF2_ITERATIONS.InsideRange(masterPasswordUnlockData.Kdf.Iterations))
+                {
+                    yield return new ValidationResult($"KDF iterations must be between {AuthConstants.PBKDF2_ITERATIONS.Min} and {AuthConstants.PBKDF2_ITERATIONS.Max}.");
+                }
+                break;
+            case KdfType.Argon2id:
+                if (!AuthConstants.ARGON2_ITERATIONS.InsideRange(masterPasswordUnlockData.Kdf.Iterations))
+                {
+                    yield return new ValidationResult($"Argon2 iterations must be between {AuthConstants.ARGON2_ITERATIONS.Min} and {AuthConstants.ARGON2_ITERATIONS.Max}.");
+                }
+                else if (!masterPasswordUnlockData.Kdf.Memory.HasValue || !AuthConstants.ARGON2_MEMORY.InsideRange(masterPasswordUnlockData.Kdf.Memory.Value))
+                {
+                    yield return new ValidationResult($"Argon2 memory must be between {AuthConstants.ARGON2_MEMORY.Min}mb and {AuthConstants.ARGON2_MEMORY.Max}mb.");
+                }
+                else if (!masterPasswordUnlockData.Kdf.Parallelism.HasValue || !AuthConstants.ARGON2_PARALLELISM.InsideRange(masterPasswordUnlockData.Kdf.Parallelism.Value))
+                {
+                    yield return new ValidationResult($"Argon2 parallelism must be between {AuthConstants.ARGON2_PARALLELISM.Min} and {AuthConstants.ARGON2_PARALLELISM.Max}.");
+                }
+                break;
+        }
+    }
+
     public static IEnumerable<ValidationResult> Validate(KdfSettings settings)
     {
         return Validate(settings.KdfType, settings.Iterations, settings.Memory, settings.Parallelism);

src/Identity/Controllers/AccountsController.cs

@@ -1,8 +1,4 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.Diagnostics;
-using System.Text;
+using System.Text;
 using Bit.Core;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
@@ -42,7 +38,7 @@
     private readonly IFeatureService _featureService;
     private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
 
-    private readonly byte[] _defaultKdfHmacKey = null;
+    private readonly byte[]? _defaultKdfHmacKey = null;
     private static readonly List<UserKdfInformation> _defaultKdfResults =
     [
         // The first result (index 0) should always return the "normal" default.
@@ -107,7 +103,7 @@
     }
 
     [HttpPost("register/send-verification-email")]
     public async Task<IActionResult> PostRegisterSendVerificationEmail([FromBody] RegisterSendVerificationEmailRequestModel model)
     {
         // Only pass fromMarketing if the feature flag is enabled
         var isMarketingFeatureEnabled = _featureService.IsEnabled(FeatureFlagKeys.MarketingInitiatedPremiumFlow);
@@ -125,7 +121,7 @@
     }
 
     [HttpPost("register/verification-email-clicked")]
     public async Task<IActionResult> PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model)
     {
         var tokenValid = RegistrationEmailVerificationTokenable.ValidateToken(_registrationEmailVerificationTokenDataFactory, model.EmailVerificationToken, model.Email);
 
@@ -143,42 +139,87 @@
     }
 
     [HttpPost("register/finish")]
     public async Task<RegisterFinishResponseModel> PostRegisterFinish([FromBody] RegisterFinishRequestModel model)
     {
-        var user = model.ToUser();
+        User user;
+
+        try
+        {
+            user = model.ToUser();
+        }
+        catch (Exception e)
+        {
+            throw new BadRequestException(e.Message);
+        }
 
         // Users will either have an emailed token or an email verification token - not both.
-        IdentityResult identityResult = null;
+        IdentityResult? identityResult = null;
+
+        // PM-28143 - Just use the MasterPasswordAuthenticationData.MasterPasswordAuthenticationHash
+        string masterPasswordHash = model.MasterPasswordAuthenticationData?.MasterPasswordAuthenticationHash
+                                 ?? model.MasterPasswordHash ?? throw new BadRequestException("MasterPasswordHash couldn't be found on either the MasterPasswordAuthenticationData or the MasterPasswordHash property passed in.");
 
         switch (model.GetTokenType())
         {
             case RegisterFinishTokenType.EmailVerification:
-                identityResult =
-                    await _registerUserCommand.RegisterUserViaEmailVerificationToken(user, model.MasterPasswordHash,
-                        model.EmailVerificationToken);
+                if (string.IsNullOrEmpty(model.EmailVerificationToken))
+                    throw new BadRequestException("Email verification token absent when processing register/finish.");
 
+                identityResult = await _registerUserCommand.RegisterUserViaEmailVerificationToken(
+                    user,
+                    masterPasswordHash,
+                    model.EmailVerificationToken);
                 return ProcessRegistrationResult(identityResult, user);
-            case RegisterFinishTokenType.OrganizationInvite:
-                identityResult = await _registerUserCommand.RegisterUserViaOrganizationInviteToken(user, model.MasterPasswordHash,
-                    model.OrgInviteToken, model.OrganizationUserId);
 
+            case RegisterFinishTokenType.OrganizationInvite:
+                if (string.IsNullOrEmpty(model.OrgInviteToken))
+                    throw new BadRequestException("Organization invite token absent when processing register/finish.");
+
+                identityResult = await _registerUserCommand.RegisterUserViaOrganizationInviteToken(
+                    user,
+                    masterPasswordHash,
+                    model.OrgInviteToken,
+                    model.OrganizationUserId);
                 return ProcessRegistrationResult(identityResult, user);
+
             case RegisterFinishTokenType.OrgSponsoredFreeFamilyPlan:
-                identityResult = await _registerUserCommand.RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(user, model.MasterPasswordHash, model.OrgSponsoredFreeFamilyPlanToken);
+                if (string.IsNullOrEmpty(model.OrgSponsoredFreeFamilyPlanToken))
+                    throw new BadRequestException("Organization sponsored free family plan token absent when processing register/finish.");
 
+                identityResult = await _registerUserCommand.RegisterUserViaOrganizationSponsoredFreeFamilyPlanInviteToken(
+                    user,
+                    masterPasswordHash,
+                    model.OrgSponsoredFreeFamilyPlanToken);
                 return ProcessRegistrationResult(identityResult, user);
+
             case RegisterFinishTokenType.EmergencyAccessInvite:
-                Debug.Assert(model.AcceptEmergencyAccessId.HasValue);
-                identityResult = await _registerUserCommand.RegisterUserViaAcceptEmergencyAccessInviteToken(user, model.MasterPasswordHash,
-                    model.AcceptEmergencyAccessInviteToken, model.AcceptEmergencyAccessId.Value);
+                if (string.IsNullOrEmpty(model.AcceptEmergencyAccessInviteToken))
+                    throw new BadRequestException("Accept emergency access invite token absent when processing register/finish.");
+
+                if (model.AcceptEmergencyAccessId == null || model.AcceptEmergencyAccessId == Guid.Empty)
+                    throw new BadRequestException("Accept emergency access id absent when processing register/finish.");
 
+                identityResult = await _registerUserCommand.RegisterUserViaAcceptEmergencyAccessInviteToken(
+                    user,
+                    masterPasswordHash,
+                    model.AcceptEmergencyAccessInviteToken,
+                    model.AcceptEmergencyAccessId.Value);
                 return ProcessRegistrationResult(identityResult, user);
+
             case RegisterFinishTokenType.ProviderInvite:
-                Debug.Assert(model.ProviderUserId.HasValue);
-                identityResult = await _registerUserCommand.RegisterUserViaProviderInviteToken(user, model.MasterPasswordHash,
-                    model.ProviderInviteToken, model.ProviderUserId.Value);
+                if (string.IsNullOrEmpty(model.ProviderInviteToken))
+                    throw new BadRequestException("Provider invite token absent when processing register/finish.");
+
+                if (model.ProviderUserId == null || model.ProviderUserId == Guid.Empty)
+                    throw new BadRequestException("Provider user id absent when processing register/finish.");
 
+                identityResult = await _registerUserCommand.RegisterUserViaProviderInviteToken(
+                    user,
+                    masterPasswordHash,
+                    model.ProviderInviteToken,
+                    model.ProviderUserId.Value);
                 return ProcessRegistrationResult(identityResult, user);
+
             default:
                 throw new BadRequestException("Invalid registration finish request");
         }
@@ -202,7 +243,7 @@
     [HttpPost("prelogin")]
     [Obsolete("Migrating to use a more descriptive endpoint that would support different types of prelogins. " +
               "Use prelogin/password instead. This endpoint has no EOL at the time of writing.")]
     public async Task<PasswordPreloginResponseModel> PostPrelogin([FromBody] PasswordPreloginRequestModel model)
     {
         // Same as PostPasswordPrelogin to maintain compatibility. Do not make changes in this function body,
         // only make changes in MakePasswordPreloginCall
@@ -213,7 +254,7 @@
     // cannot handle two of the same post attributes on the same function call. That is why there is a
     // PostPrelogin and the more appropriate PostPasswordPrelogin.
     [HttpPost("prelogin/password")]
     public async Task<PasswordPreloginResponseModel> PostPasswordPrelogin([FromBody] PasswordPreloginRequestModel model)
     {
         // Same as PostPrelogin to maintain backwards compatibility. Do not make changes in this function body,
         // only make changes in MakePasswordPreloginCall