[PM- 21926] Add MasterPasswordSalt to DTOs

[ike-kottlowski]

🎟️ Tracking

PM-21926
PM-32389
PM-28827
PM-30370

📔 Objective

PM-21926

We need to begin to return the MasterPasswordSalt column in queries that will expect it in the future. This PR adds the MasterPasswordSalt to the ReadKdfByEmail method in the User Repository and adds the MasterPasswordSalt to the OrganizationUserResetPasswordDetails method.

PM-32289

We add null coalescing to the User.GetMasterPasswordSalt() method to be the only fallback when a MasterPasswordSalt is null. The locations that set the Salt to the User.Email.Lower().Trim() were replaced with the User.GetMasterPasswordSalt() method to ensure forward compatibility.

PM-28827

Accept the MasterPasswordUnlockData?.Salt from the RegisterFinishRequestModel. This does not do any coalescing to match the pattern where the Server only writes what the Client submits and does not try to guess.

PM-30370

Return User.MasterPasswordSalt() in the UserDecryptionResponseModel and the SyncResponseModel instead of the User.Email.ToLower().Trim().

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 748587df-f31d-4fa7-a7e3-59b979d7373a

---

Fixed Issues (118)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Stored_XSS	/src/SharedWeb/Health/HealthCheckServiceExtensions.cs: 61
	Stored_XSS	/util/Server/Startup.cs: 57
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1527
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 73
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307
	CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 122
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91
	CSRF	/src/Api/Controllers/CollectionsController.cs: 176
	CSRF	/src/Api/Controllers/CollectionsController.cs: 176
	CSRF	/src/Api/Controllers/CollectionsController.cs: 176
	CSRF	/src/Api/Controllers/CollectionsController.cs: 176
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 146
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452
	CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 531
	CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 81
	CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 107
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1428
	CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 233
	CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 286
	CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1428
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1428
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1457
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1178
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1062
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1311
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 399
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 390
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 390
	CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 95
	CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 82
	CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 70
	CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 49
	CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 40
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1256
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 146
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 105
	CSRF	/src/Api/Vault/Controllers/SecurityTaskController.cs: 66
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 105
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 721
	CSRF	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 173
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 192
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 641
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 412
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 385
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 664
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 126
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 847
	CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67
	CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1457
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 775
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 807
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 807
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 775
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 807
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 807
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 775
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 775
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 138
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 419
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 419
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 558
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 181
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 181
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 161
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 709
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1457
	CSRF	/src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 136
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 216
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 87
	CSRF	/src/Api/Controllers/CollectionsController.cs: 208
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 97
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1050
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1160
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 191
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403
	CSRF	/src/Api/AdminConsole/Controllers/ProviderUsersController.cs: 183
	CSRF	/src/Api/AdminConsole/Controllers/ProviderUsersController.cs: 202
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1508
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 218
	CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 582
	CSRF	/src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 164
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 709
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 245
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1088
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1017
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 732
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 732
	CSRF	/src/Api/Auth/Controllers/WebAuthnController.cs: 159
	SSL_Verification_Bypass	/src/Core/Platform/Mail/Delivery/MailKitSmtpMailDeliveryService.cs: 84
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 171
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 170
	Use_Of_Hardcoded_Password	/util/Seeder/Factories/UserSeeder.cs: 12
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 166
	Use_Of_Hardcoded_Password	/src/Identity/IdentityServer/RequestValidators/SendAccess/SendAccessConstants.cs: 111
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 201
	Use_Of_Hardcoded_Password	/src/Identity/IdentityServer/RequestValidators/SendAccess/SendAccessConstants.cs: 62
	Use_Of_Hardcoded_Password	/src/Identity/IdentityServer/RequestValidators/SendAccess/SendAccessConstants.cs: 58
	Use_Of_Hardcoded_Password	/src/Identity/IdentityServer/RequestValidators/SendAccess/SendAccessConstants.cs: 26
	Use_Of_Hardcoded_Password	/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs: 43
	Use_Of_Hardcoded_Password	/src/Core/KeyManagement/Sends/SendPasswordHasherServiceCollectionExtensions.cs: 14
	Use_Of_Hardcoded_Password	/src/Core/Constants.cs: 242

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
15.1% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

❌ Patch coverage is 71.42857% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 14.00%. Comparing base (8d9ace6) to head (d2805cb).
⚠️ Report is 14 commits behind head on main.

Files with missing lines	Patch %	Lines
...Api/Request/Accounts/RegisterFinishRequestModel.cs	0.00%	1 Missing ⚠️
src/Core/Entities/User.cs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #7178       +/-   ##
===========================================
- Coverage   56.88%   14.00%   -42.88%     
===========================================
  Files        2028     1241      -787     
  Lines       88826    52916    -35910     
  Branches     7918     4091     -3827     
===========================================
- Hits        50528     7412    -43116     
- Misses      36468    45372     +8904     
+ Partials     1830      132     -1698     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.