From 5b766e936c68e3e1444cadacf0bce03892a6c5d2 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 4 Dec 2025 13:27:23 +0100
Subject: [PATCH] Update

---
 .../Auth/Controllers/AccountsController.cs    |  7 ++---
 src/Api/Models/Response/KeysResponseModel.cs  | 27 +++++++++++--------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 7156af1c2b..2be7b10d95 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -446,14 +446,14 @@ public class AccountsController : Controller
 
         if (model.AccountKeys != null)
         {
-            await _setAccountKeysForUserCommand.SetAccountKeysForUserAsync(user.Id, model.AccountKeys);
+            await _setAccountKeysForUserCommand.SetAccountKeysForUserAsync(user, model.AccountKeys);
         }
         else
         {
             await _userService.SaveUserAsync(model.ToUser(user));
         }
 
-        return new KeysResponseModel(user);
+        return new KeysResponseModel(model.AccountKeys.ToAccountKeysData(), user.Key);
     }
 
     [HttpGet("keys")]
@@ -465,7 +465,8 @@ public class AccountsController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        return new KeysResponseModel(user);
+        var accountKeys = await _userAccountKeysQuery.Run(user);
+        return new KeysResponseModel(accountKeys, user.Key);
     }
 
     [HttpDelete]
diff --git a/src/Api/Models/Response/KeysResponseModel.cs b/src/Api/Models/Response/KeysResponseModel.cs
index cfc1a6a0a1..4c877e0bfc 100644
--- a/src/Api/Models/Response/KeysResponseModel.cs
+++ b/src/Api/Models/Response/KeysResponseModel.cs
@@ -1,27 +1,32 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Api.Response;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.Models.Api;
 
 namespace Bit.Api.Models.Response;
 
 public class KeysResponseModel : ResponseModel
 {
-    public KeysResponseModel(User user)
+    public KeysResponseModel(UserAccountKeysData accountKeys, string? masterKeyWrappedUserKey)
         : base("keys")
     {
-        if (user == null)
+        if (masterKeyWrappedUserKey != null)
         {
-            throw new ArgumentNullException(nameof(user));
+            Key = masterKeyWrappedUserKey;
         }
 
-        Key = user.Key;
-        PublicKey = user.PublicKey;
-        PrivateKey = user.PrivateKey;
+        PublicKey = accountKeys.PublicKeyEncryptionKeyPairData.PublicKey;
+        PrivateKey = accountKeys.PublicKeyEncryptionKeyPairData.WrappedPrivateKey;
+        AccountKeys = new PrivateKeysResponseModel(accountKeys);
     }
 
-    public string Key { get; set; }
+    /// <summary>
+    /// The master key wrapped user key. The master key can either be a master-password master key or a
+    /// key-connector master key.
+    /// </summary>
+    public string? Key { get; set; }
+    [Obsolete("Use AccountKeys.PublicKeyEncryptionKeyPair.PublicKey instead")]
     public string PublicKey { get; set; }
+    [Obsolete("Use AccountKeys.PublicKeyEncryptionKeyPair.WrappedPrivateKey instead")]
     public string PrivateKey { get; set; }
+    public PrivateKeysResponseModel AccountKeys { get; set; }
 }