feat(kdf-settings-validator): Enforce salt cannot be empty string.

[enmande]

🎟️ Tracking

PM-35393

📔 Objective

[Required] attribution on salt-related fields enforces by default that salt cannot be null, empty, or whitespace. However, this is a configurable opinion. While it should probably not be configured to allow whitespace, because this is a critical path, reinforcement should be present to guard against configuration drift, which would otherwise be invisible to this logic.
string.IsNullOrWhitespace properly captures all of these.

Tests have been added to support.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR layers defense-in-depth against null/empty/whitespace master-password salts. KdfSettingsValidator.ValidateAuthenticationAndUnlockData and ValidateKdfAndSaltAgreement now short-circuit with a ValidationResult when either salt fails string.IsNullOrWhiteSpace, and the request models MasterPasswordAuthenticationDataRequestModel.Salt and MasterPasswordUnlockDataRequestModel.Salt have been tightened to [Required(AllowEmptyStrings = false)]. The yield break short-circuit mirrors the existing KDF-mismatch handling, and the new [Theory] tests cover empty string, space, tab, and newline inputs for both salt fields across both validator entry points. The validator guard is the load-bearing layer since the validator consumes data-layer models reachable from non-request-model call paths.

Code Review Details

No findings.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.88%. Comparing base (eeb3dd5) to head (e105c20).

Additional details and impacted files

@@                                   Coverage Diff                                   @@
##           auth/pm-35393/master-password-service-auth-integration    #7628   +/-   ##
=======================================================================================
  Coverage                                                   59.87%   59.88%           
=======================================================================================
  Files                                                        2124     2124           
  Lines                                                       93469    93492   +23     
  Branches                                                     8307     8311    +4     
=======================================================================================
+ Hits                                                        55965    55988   +23     
  Misses                                                      35527    35527           
  Partials                                                     1977     1977           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ike-kottlowski]

🎨 I'm thinking we can tighten up the data annotation on the request model themselves as well. This would give us the benefit of failing closer to the controller and the KdfSettingsValidator changes act as a safety net that should be unreachable in practice.

// MasterPasswordAuthenticationDataRequestModel.cs
[Required(AllowEmptyStrings = false)]
[StringLength(256)]
public required string Salt { get; init; }

// MasterPasswordUnlockDataRequestModel.cs
[Required(AllowEmptyStrings = false)]
[StringLength(256)]
public required string Salt { get; init; }

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
23.2% Duplication on New Code

See analysis details on SonarQube Cloud