[PM-35394] MasterPasswordService Admin Console Integration

[enmande]

🎟️ Tracking

PM-35394

📔 Objective

Extend the AdminConsole account-recovery flow to accept the new master password payload shape (UnlockData + AuthenticationData) alongside the existing (NewMasterPasswordHash + Key), wiring the new path through the centralized MasterPasswordService.PrepareSetInitialOrUpdateExistingMasterPasswordAsync tier (source).

Per-request availability of an acceptable payload loadout (hash + key, or authenticationdata + unlockdata) is boundary-enforced at the request-model layer; both the v1 and v2 command paths handle either variant, and OrganizationUsersController.PutRecoverAccount dispatches accordingly so clients that have not yet upgraded continue to work while the in-flight updates roll out.

Part of the PM-33011 story-of-stories to route all password set/change/rotate flows through MasterPasswordService. Depends on PM-35393.

📓 This is currently stacked on #7575 which is in QA.

📸 Screenshots

Admin Account Recovery (password only) with reset-two-factor-account-recovery 🎏

ℹ️ This illustrates flow pathing when the pm-15489-reset-two-factor-account-recovery flag is on.
zed is a just-provisioned user in a TDE encryption org.
Admin enmande recovers zed's account.

• New Master Password is successfully set
• Default KDF settings are applied (in range)
• zed is required to update the password on next login.

PM-35394__tde-takeover-admin-reset-two-factor-on.mov

Admin Account Recovery (2FA only) with reset-two-factor-account-recovery 🎏

ℹ️ This illustrates flow pathing when the pm-15489-reset-two-factor-account-recovery flag is on.
zed is an organization user with 2FA (authenticator).
Admin enmande recovers zed's 2FA.

• 2FA is successfully reset, no change to Master Password.

PM-35394__recover-2fa-only.mov

Admin Account Recovery (Master Password + 2FA) with reset-two-factor-account-recovery 🎏

ℹ️ This illustrates flow pathing when the pm-15489-reset-two-factor-account-recovery flag is on.
zed is a user in a TDE encryption org with 2FA (authenticator).
Admin enmande recovers zed's account with Master Password + 2FA.

• 2FA is successfully reset
• New Master Password is successfully set
• zed is required to update the password on next login.

PM-35394__recover-password-and-2fa.mov

Admin Account Recovery

ℹ️ This illustrates flow pathing when the pm-15489-reset-two-factor-account-recovery flag is off.
zed is a just-provisioned user in a TDE encryption org.
Admin enmande recovers zed's account.

• New Master Password is successfully set
• Default KDF settings are applied (in range)
• zed is required to update the password on next login.

PM-35394__tde-recover-admin-reset-two-factor-off.mov

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the AdminConsole account-recovery integration with MasterPasswordService.PrepareSetInitialOrUpdateExistingMasterPasswordAsync. The PR cleanly extends the request model to accept the new AuthenticationData + UnlockData payload alongside the legacy NewMasterPasswordHash + Key, with boundary validation via MasterPasswordPayloadVariantValidator and KdfSettingsValidator.ValidateKdfAndSaltAgreement. Controller dispatch correctly routes flag-on requests to v2 and flag-off requests to the appropriate v1 overload based on payload shape. Test coverage spans the request model, both v1 overloads, the v2 command's dual paths, the v2 validator, and the controller dispatch matrix, and the legacy overloads on both the command and the request record are marked [Obsolete] with a removal tracker (PM-33141).

Code Review Details

No findings.

Notes on what was verified:

• Both new code paths (v1 new overload and v2 new branch) delegate to MasterPasswordService, which centrally handles LastPasswordChangeDate, RevisionDate/AccountRevisionDate, Key, and SecurityStamp rotation (via RefreshStamp = true default) — parity with the legacy UpdatePasswordHash mutations.
• IValidatableObject.Validate short-circuits on 2FA-only resets (!ResetMasterPassword → yield break), and MasterPasswordPayloadVariantValidator.ValidatePresence enforces at-least-one variant when a password reset is requested.
• [Obsolete] calls from the controller and tests do not break the build: CS0618/CS0612 are downgraded to suggestion in .editorconfig despite TreatWarningsAsErrors=true.
• IMasterPasswordService is registered via TryAddScoped in UserServiceCollectionExtensions.
• Prior unresolved threads from BTreston ([Obsolete] requests on AdminRecoverAccountCommand.RecoverAccountAsync and the interface) were addressed in commit 240b3ba.

[codecov]

Codecov Report

❌ Patch coverage is 88.39286% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.90%. Comparing base (eeb3dd5) to head (240b3ba).

Files with missing lines	Patch %	Lines
...ures/AccountRecovery/AdminRecoverAccountCommand.cs	70.00%	8 Missing and 4 partials ⚠️
...tions/OrganizationUserResetPasswordRequestModel.cs	96.29%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@                                    Coverage Diff                                     @@
##           auth/pm-35393/master-password-service-auth-integration    #7629      +/-   ##
==========================================================================================
+ Coverage                                                   59.87%   59.90%   +0.02%     
==========================================================================================
  Files                                                        2124     2124              
  Lines                                                       93469    93566      +97     
  Branches                                                     8307     8326      +19     
==========================================================================================
+ Hits                                                        55965    56048      +83     
- Misses                                                      35527    35535       +8     
- Partials                                                     1977     1983       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[BTreston]

LGTM, non blocking comments. I'll have another look when its ready for main

[JaredSnider-Bitwarden]

Merge plan: Auth integration PR (base) merges first then we will rebase this PR and re-request reviews then this can go to QA

[sonarqubecloud]

Quality Gate passed

Issues
32 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
2.6% Duplication on New Code

See analysis details on SonarQube Cloud