diff --git a/src/Api/Tools/Controllers/SendsController.cs b/src/Api/Tools/Controllers/SendsController.cs
index f9f71d076d..61002a0168 100644
--- a/src/Api/Tools/Controllers/SendsController.cs
+++ b/src/Api/Tools/Controllers/SendsController.cs
@@ -239,12 +239,6 @@ public class SendsController : Controller
{
throw new BadRequestException("Could not locate send");
}
- if (send.MaxAccessCount.GetValueOrDefault(int.MaxValue) <= send.AccessCount ||
- send.ExpirationDate.GetValueOrDefault(DateTime.MaxValue) < DateTime.UtcNow || send.Disabled ||
- send.DeletionDate < DateTime.UtcNow)
- {
- throw new NotFoundException();
- }
var sendResponse = new SendAccessResponseModel(send);
if (send.UserId.HasValue && !send.HideEmail.GetValueOrDefault())
@@ -272,12 +266,6 @@ public class SendsController : Controller
{
throw new BadRequestException("Could not locate send");
}
- if (send.MaxAccessCount.GetValueOrDefault(int.MaxValue) <= send.AccessCount ||
- send.ExpirationDate.GetValueOrDefault(DateTime.MaxValue) < DateTime.UtcNow || send.Disabled ||
- send.DeletionDate < DateTime.UtcNow)
- {
- throw new NotFoundException();
- }
var url = await _sendFileStorageService.GetSendFileDownloadUrlAsync(send, fileId);
diff --git a/src/Api/Tools/Models/Request/SendRequestModel.cs b/src/Api/Tools/Models/Request/SendRequestModel.cs
index f3308dbd5a..00dcb6273f 100644
--- a/src/Api/Tools/Models/Request/SendRequestModel.cs
+++ b/src/Api/Tools/Models/Request/SendRequestModel.cs
@@ -102,9 +102,17 @@ public class SendRequestModel
/// Comma-separated list of emails that may access the send using OTP
/// authentication. Mutually exclusive with .
///
- [StringLength(4000)]
+ [EncryptedString]
+ [EncryptedStringLength(4000)]
public string Emails { get; set; }
+ ///
+ /// Comma-separated list of email **hashes** that may access the send using OTP
+ /// authentication. Mutually exclusive with .
+ ///
+ [StringLength(4000)]
+ public string EmailHashes { get; set; }
+
///
/// When , send access is disabled.
/// Defaults to .
@@ -253,6 +261,7 @@ public class SendRequestModel
// normalize encoding
var emails = Emails.Split(',', RemoveEmptyEntries | TrimEntries);
existingSend.Emails = string.Join(",", emails);
+ existingSend.EmailHashes = EmailHashes;
existingSend.Password = null;
existingSend.AuthType = Core.Tools.Enums.AuthType.Email;
}
diff --git a/src/Core/Tools/Entities/Send.cs b/src/Core/Tools/Entities/Send.cs
index 52b439c41e..c4398e212c 100644
--- a/src/Core/Tools/Entities/Send.cs
+++ b/src/Core/Tools/Entities/Send.cs
@@ -81,6 +81,15 @@ public class Send : ITableObject
[MaxLength(4000)]
public string? Emails { get; set; }
+ ///
+ /// Comma-separated list of email **hashes** for OTP authentication.
+ ///
+ ///
+ /// This field is mutually exclusive with
+ ///
+ [MaxLength(4000)]
+ public string? EmailHashes { get; set; }
+
///
/// The send becomes unavailable to API callers when
/// >= .
diff --git a/src/Core/Tools/Models/Data/SendAuthenticationTypes.cs b/src/Core/Tools/Models/Data/SendAuthenticationTypes.cs
index 9ce477ed0c..c90dba43a8 100644
--- a/src/Core/Tools/Models/Data/SendAuthenticationTypes.cs
+++ b/src/Core/Tools/Models/Data/SendAuthenticationTypes.cs
@@ -45,6 +45,6 @@ public record ResourcePassword(string Hash) : SendAuthenticationMethod;
/// Create a send claim by requesting a one time password (OTP) confirmation code.
///
///
-/// The list of email addresses permitted access to the send.
+/// The list of email address **hashes** permitted access to the send.
///
public record EmailOtp(string[] Emails) : SendAuthenticationMethod;
diff --git a/src/Core/Tools/SendFeatures/Queries/SendAuthenticationQuery.cs b/src/Core/Tools/SendFeatures/Queries/SendAuthenticationQuery.cs
index 97c2e64dc5..a82c27d0c3 100644
--- a/src/Core/Tools/SendFeatures/Queries/SendAuthenticationQuery.cs
+++ b/src/Core/Tools/SendFeatures/Queries/SendAuthenticationQuery.cs
@@ -37,8 +37,11 @@ public class SendAuthenticationQuery : ISendAuthenticationQuery
SendAuthenticationMethod method = send switch
{
null => NEVER_AUTHENTICATE,
- var s when s.AccessCount >= s.MaxAccessCount => NEVER_AUTHENTICATE,
- var s when s.AuthType == AuthType.Email && s.Emails is not null => emailOtp(s.Emails),
+ var s when s.Disabled => NEVER_AUTHENTICATE,
+ var s when s.AccessCount >= s.MaxAccessCount.GetValueOrDefault(int.MaxValue) => NEVER_AUTHENTICATE,
+ var s when s.ExpirationDate.GetValueOrDefault(DateTime.MaxValue) < DateTime.UtcNow => NEVER_AUTHENTICATE,
+ var s when s.DeletionDate <= DateTime.UtcNow => NEVER_AUTHENTICATE,
+ var s when s.AuthType == AuthType.Email && s.EmailHashes is not null => EmailOtp(s.EmailHashes),
var s when s.AuthType == AuthType.Password && s.Password is not null => new ResourcePassword(s.Password),
_ => NOT_AUTHENTICATED
};
@@ -46,9 +49,13 @@ public class SendAuthenticationQuery : ISendAuthenticationQuery
return method;
}
- private EmailOtp emailOtp(string emails)
+ private static EmailOtp EmailOtp(string? emailHashes)
{
- var list = emails.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+ if (string.IsNullOrWhiteSpace(emailHashes))
+ {
+ return new EmailOtp([]);
+ }
+ var list = emailHashes.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
return new EmailOtp(list);
}
}
diff --git a/src/Infrastructure.Dapper/Tools/Repositories/SendRepository.cs b/src/Infrastructure.Dapper/Tools/Repositories/SendRepository.cs
index 81a94f0f7c..4c5d70340f 100644
--- a/src/Infrastructure.Dapper/Tools/Repositories/SendRepository.cs
+++ b/src/Infrastructure.Dapper/Tools/Repositories/SendRepository.cs
@@ -1,6 +1,7 @@
#nullable enable
using System.Data;
+using Bit.Core;
using Bit.Core.KeyManagement.UserKey;
using Bit.Core.Settings;
using Bit.Core.Tools.Entities;
@@ -8,6 +9,7 @@ using Bit.Core.Tools.Repositories;
using Bit.Infrastructure.Dapper.Repositories;
using Bit.Infrastructure.Dapper.Tools.Helpers;
using Dapper;
+using Microsoft.AspNetCore.DataProtection;
using Microsoft.Data.SqlClient;
namespace Bit.Infrastructure.Dapper.Tools.Repositories;
@@ -15,13 +17,24 @@ namespace Bit.Infrastructure.Dapper.Tools.Repositories;
///
public class SendRepository : Repository, ISendRepository
{
- public SendRepository(GlobalSettings globalSettings)
- : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
+ private readonly IDataProtector _dataProtector;
+
+ public SendRepository(GlobalSettings globalSettings, IDataProtectionProvider dataProtectionProvider)
+ : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString, dataProtectionProvider)
{ }
- public SendRepository(string connectionString, string readOnlyConnectionString)
+ public SendRepository(string connectionString, string readOnlyConnectionString, IDataProtectionProvider dataProtectionProvider)
: base(connectionString, readOnlyConnectionString)
- { }
+ {
+ _dataProtector = dataProtectionProvider.CreateProtector(Constants.DatabaseFieldProtectorPurpose);
+ }
+
+ public override async Task GetByIdAsync(Guid id)
+ {
+ var send = await base.GetByIdAsync(id);
+ UnprotectData(send);
+ return send;
+ }
///
public async Task> GetManyByUserIdAsync(Guid userId)
@@ -33,7 +46,9 @@ public class SendRepository : Repository, ISendRepository
new { UserId = userId },
commandType: CommandType.StoredProcedure);
- return results.ToList();
+ var sends = results.ToList();
+ UnprotectData(sends);
+ return sends;
}
}
@@ -47,15 +62,35 @@ public class SendRepository : Repository, ISendRepository
new { DeletionDate = deletionDateBefore },
commandType: CommandType.StoredProcedure);
- return results.ToList();
+ var sends = results.ToList();
+ UnprotectData(sends);
+ return sends;
}
}
+ public override async Task CreateAsync(Send send)
+ {
+ await ProtectDataAndSaveAsync(send, async () => await base.CreateAsync(send));
+ return send;
+ }
+
+ public override async Task ReplaceAsync(Send send)
+ {
+ await ProtectDataAndSaveAsync(send, async () => await base.ReplaceAsync(send));
+ }
+
///
public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId, IEnumerable sends)
{
return async (connection, transaction) =>
{
+ // Protect all sends before bulk update
+ var sendsList = sends.ToList();
+ foreach (var send in sendsList)
+ {
+ ProtectData(send);
+ }
+
// Create temp table
var sqlCreateTemp = @"
SELECT TOP 0 *
@@ -71,7 +106,7 @@ public class SendRepository : Repository, ISendRepository
using (var bulkCopy = new SqlBulkCopy(connection, SqlBulkCopyOptions.KeepIdentity, transaction))
{
bulkCopy.DestinationTableName = "#TempSend";
- var sendsTable = sends.ToDataTable();
+ var sendsTable = sendsList.ToDataTable();
foreach (DataColumn col in sendsTable.Columns)
{
bulkCopy.ColumnMappings.Add(col.ColumnName, col.ColumnName);
@@ -101,6 +136,69 @@ public class SendRepository : Repository, ISendRepository
cmd.Parameters.Add("@UserId", SqlDbType.UniqueIdentifier).Value = userId;
cmd.ExecuteNonQuery();
}
+
+ // Unprotect after save
+ foreach (var send in sendsList)
+ {
+ UnprotectData(send);
+ }
};
}
+
+ private async Task ProtectDataAndSaveAsync(Send send, Func saveTask)
+ {
+ if (send == null)
+ {
+ await saveTask();
+ return;
+ }
+
+ // Capture original value
+ var originalEmailHashes = send.EmailHashes;
+
+ // Protect value
+ ProtectData(send);
+
+ // Save
+ await saveTask();
+
+ // Restore original value
+ send.EmailHashes = originalEmailHashes;
+ }
+
+ private void ProtectData(Send send)
+ {
+ if (!send.EmailHashes?.StartsWith(Constants.DatabaseFieldProtectedPrefix) ?? false)
+ {
+ send.EmailHashes = string.Concat(Constants.DatabaseFieldProtectedPrefix,
+ _dataProtector.Protect(send.EmailHashes!));
+ }
+ }
+
+ private void UnprotectData(Send? send)
+ {
+ if (send == null)
+ {
+ return;
+ }
+
+ if (send.EmailHashes?.StartsWith(Constants.DatabaseFieldProtectedPrefix) ?? false)
+ {
+ send.EmailHashes = _dataProtector.Unprotect(
+ send.EmailHashes.Substring(Constants.DatabaseFieldProtectedPrefix.Length));
+ }
+ }
+
+ private void UnprotectData(IEnumerable sends)
+ {
+ if (sends == null)
+ {
+ return;
+ }
+
+ foreach (var send in sends)
+ {
+ UnprotectData(send);
+ }
+ }
}
diff --git a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
index a0ee0376c0..3f638f88e5 100644
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@@ -119,6 +119,7 @@ public class DatabaseContext : DbContext
var eOrganizationDomain = builder.Entity();
var aWebAuthnCredential = builder.Entity();
var eOrganizationMemberBaseDetail = builder.Entity();
+ var eSend = builder.Entity();
// Shadow property configurations go here
@@ -148,6 +149,7 @@ public class DatabaseContext : DbContext
var dataProtectionConverter = new DataProtectionConverter(dataProtector);
eUser.Property(c => c.Key).HasConversion(dataProtectionConverter);
eUser.Property(c => c.MasterPassword).HasConversion(dataProtectionConverter);
+ eSend.Property(c => c.EmailHashes).HasConversion(dataProtectionConverter);
if (Database.IsNpgsql())
{
diff --git a/src/Sql/dbo/Tools/Stored Procedures/Send_Create.sql b/src/Sql/dbo/Tools/Stored Procedures/Send_Create.sql
index 752f8fb496..e277174717 100644
--- a/src/Sql/dbo/Tools/Stored Procedures/Send_Create.sql
+++ b/src/Sql/dbo/Tools/Stored Procedures/Send_Create.sql
@@ -18,7 +18,8 @@
-- FIXME: remove null default value once this argument has been
-- in 2 server releases
@Emails NVARCHAR(4000) = NULL,
- @AuthType TINYINT = NULL
+ @AuthType TINYINT = NULL,
+ @EmailHashes NVARCHAR(4000) = NULL
AS
BEGIN
SET NOCOUNT ON
@@ -42,7 +43,8 @@ BEGIN
[HideEmail],
[CipherId],
[Emails],
- [AuthType]
+ [AuthType],
+ [EmailHashes]
)
VALUES
(
@@ -63,7 +65,8 @@ BEGIN
@HideEmail,
@CipherId,
@Emails,
- @AuthType
+ @AuthType,
+ @EmailHashes
)
IF @UserId IS NOT NULL
diff --git a/src/Sql/dbo/Tools/Stored Procedures/Send_Update.sql b/src/Sql/dbo/Tools/Stored Procedures/Send_Update.sql
index fba842d8d6..a2bcb0a24b 100644
--- a/src/Sql/dbo/Tools/Stored Procedures/Send_Update.sql
+++ b/src/Sql/dbo/Tools/Stored Procedures/Send_Update.sql
@@ -16,7 +16,8 @@
@HideEmail BIT,
@CipherId UNIQUEIDENTIFIER = NULL,
@Emails NVARCHAR(4000) = NULL,
- @AuthType TINYINT = NULL
+ @AuthType TINYINT = NULL,
+ @EmailHashes NVARCHAR(4000) = NULL
AS
BEGIN
SET NOCOUNT ON
@@ -40,7 +41,8 @@ BEGIN
[HideEmail] = @HideEmail,
[CipherId] = @CipherId,
[Emails] = @Emails,
- [AuthType] = @AuthType
+ [AuthType] = @AuthType,
+ [EmailHashes] = @EmailHashes
WHERE
[Id] = @Id
diff --git a/src/Sql/dbo/Tools/Tables/Send.sql b/src/Sql/dbo/Tools/Tables/Send.sql
index 94311d6328..59a42a2aa5 100644
--- a/src/Sql/dbo/Tools/Tables/Send.sql
+++ b/src/Sql/dbo/Tools/Tables/Send.sql
@@ -1,22 +1,24 @@
-CREATE TABLE [dbo].[Send] (
+CREATE TABLE [dbo].[Send]
+(
[Id] UNIQUEIDENTIFIER NOT NULL,
[UserId] UNIQUEIDENTIFIER NULL,
[OrganizationId] UNIQUEIDENTIFIER NULL,
[Type] TINYINT NOT NULL,
[Data] VARCHAR(MAX) NOT NULL,
- [Key] VARCHAR (MAX) NOT NULL,
- [Password] NVARCHAR (300) NULL,
- [Emails] NVARCHAR (4000) NULL,
+ [Key] VARCHAR(MAX) NOT NULL,
+ [Password] NVARCHAR(300) NULL,
+ [Emails] NVARCHAR(4000) NULL,
[MaxAccessCount] INT NULL,
[AccessCount] INT NOT NULL,
- [CreationDate] DATETIME2 (7) NOT NULL,
- [RevisionDate] DATETIME2 (7) NOT NULL,
- [ExpirationDate] DATETIME2 (7) NULL,
- [DeletionDate] DATETIME2 (7) NOT NULL,
+ [CreationDate] DATETIME2(7) NOT NULL,
+ [RevisionDate] DATETIME2(7) NOT NULL,
+ [ExpirationDate] DATETIME2(7) NULL,
+ [DeletionDate] DATETIME2(7) NOT NULL,
[Disabled] BIT NOT NULL,
[HideEmail] BIT NULL,
[CipherId] UNIQUEIDENTIFIER NULL,
[AuthType] TINYINT NULL,
+ [EmailHashes] NVARCHAR(4000) NULL,
CONSTRAINT [PK_Send] PRIMARY KEY CLUSTERED ([Id] ASC),
CONSTRAINT [FK_Send_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]),
CONSTRAINT [FK_Send_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
@@ -26,9 +28,9 @@
GO
CREATE NONCLUSTERED INDEX [IX_Send_UserId_OrganizationId]
- ON [dbo].[Send]([UserId] ASC, [OrganizationId] ASC);
+ ON [dbo].[Send] ([UserId] ASC, [OrganizationId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_Send_DeletionDate]
- ON [dbo].[Send]([DeletionDate] ASC);
+ ON [dbo].[Send] ([DeletionDate] ASC);
diff --git a/test/Api.Test/Tools/Controllers/SendsControllerTests.cs b/test/Api.Test/Tools/Controllers/SendsControllerTests.cs
index e3a9ba4435..9322948037 100644
--- a/test/Api.Test/Tools/Controllers/SendsControllerTests.cs
+++ b/test/Api.Test/Tools/Controllers/SendsControllerTests.cs
@@ -981,205 +981,6 @@ public class SendsControllerTests : IDisposable
Assert.Equal(expectedUrl, response.Url);
}
- #region AccessUsingAuth Validation Tests
-
- [Theory, AutoData]
- public async Task AccessUsingAuth_WithExpiredSend_ThrowsNotFoundException(Guid sendId)
- {
- var send = new Send
- {
- Id = sendId,
- UserId = Guid.NewGuid(),
- Type = SendType.Text,
- Data = JsonSerializer.Serialize(new SendTextData("Test", "Notes", "Text", false)),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = DateTime.UtcNow.AddDays(-1), // Expired yesterday
- Disabled = false,
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.AccessUsingAuth());
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task AccessUsingAuth_WithDeletedSend_ThrowsNotFoundException(Guid sendId)
- {
- var send = new Send
- {
- Id = sendId,
- UserId = Guid.NewGuid(),
- Type = SendType.Text,
- Data = JsonSerializer.Serialize(new SendTextData("Test", "Notes", "Text", false)),
- DeletionDate = DateTime.UtcNow.AddDays(-1), // Should have been deleted yesterday
- ExpirationDate = null,
- Disabled = false,
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.AccessUsingAuth());
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task AccessUsingAuth_WithDisabledSend_ThrowsNotFoundException(Guid sendId)
- {
- var send = new Send
- {
- Id = sendId,
- UserId = Guid.NewGuid(),
- Type = SendType.Text,
- Data = JsonSerializer.Serialize(new SendTextData("Test", "Notes", "Text", false)),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = null,
- Disabled = true, // Disabled
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.AccessUsingAuth());
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task AccessUsingAuth_WithAccessCountExceeded_ThrowsNotFoundException(Guid sendId)
- {
- var send = new Send
- {
- Id = sendId,
- UserId = Guid.NewGuid(),
- Type = SendType.Text,
- Data = JsonSerializer.Serialize(new SendTextData("Test", "Notes", "Text", false)),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = null,
- Disabled = false,
- AccessCount = 5,
- MaxAccessCount = 5 // Limit reached
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.AccessUsingAuth());
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- #endregion
-
- #region GetSendFileDownloadDataUsingAuth Validation Tests
-
- [Theory, AutoData]
- public async Task GetSendFileDownloadDataUsingAuth_WithExpiredSend_ThrowsNotFoundException(
- Guid sendId, string fileId)
- {
- var send = new Send
- {
- Id = sendId,
- Type = SendType.File,
- Data = JsonSerializer.Serialize(new SendFileData("Test", "Notes", "file.pdf")),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = DateTime.UtcNow.AddDays(-1), // Expired
- Disabled = false,
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.GetSendFileDownloadDataUsingAuth(fileId));
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task GetSendFileDownloadDataUsingAuth_WithDeletedSend_ThrowsNotFoundException(
- Guid sendId, string fileId)
- {
- var send = new Send
- {
- Id = sendId,
- Type = SendType.File,
- Data = JsonSerializer.Serialize(new SendFileData("Test", "Notes", "file.pdf")),
- DeletionDate = DateTime.UtcNow.AddDays(-1), // Deleted
- ExpirationDate = null,
- Disabled = false,
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.GetSendFileDownloadDataUsingAuth(fileId));
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task GetSendFileDownloadDataUsingAuth_WithDisabledSend_ThrowsNotFoundException(
- Guid sendId, string fileId)
- {
- var send = new Send
- {
- Id = sendId,
- Type = SendType.File,
- Data = JsonSerializer.Serialize(new SendFileData("Test", "Notes", "file.pdf")),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = null,
- Disabled = true, // Disabled
- AccessCount = 0,
- MaxAccessCount = null
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.GetSendFileDownloadDataUsingAuth(fileId));
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- [Theory, AutoData]
- public async Task GetSendFileDownloadDataUsingAuth_WithAccessCountExceeded_ThrowsNotFoundException(
- Guid sendId, string fileId)
- {
- var send = new Send
- {
- Id = sendId,
- Type = SendType.File,
- Data = JsonSerializer.Serialize(new SendFileData("Test", "Notes", "file.pdf")),
- DeletionDate = DateTime.UtcNow.AddDays(7),
- ExpirationDate = null,
- Disabled = false,
- AccessCount = 10,
- MaxAccessCount = 10 // Limit reached
- };
- var user = CreateUserWithSendIdClaim(sendId);
- _sut.ControllerContext = CreateControllerContextWithUser(user);
- _sendRepository.GetByIdAsync(sendId).Returns(send);
-
- await Assert.ThrowsAsync(() => _sut.GetSendFileDownloadDataUsingAuth(fileId));
-
- await _sendRepository.Received(1).GetByIdAsync(sendId);
- }
-
- #endregion
#endregion
diff --git a/test/Core.Test/Tools/Services/SendAuthenticationQueryTests.cs b/test/Core.Test/Tools/Services/SendAuthenticationQueryTests.cs
index 7901b3c5c0..56b0f306cb 100644
--- a/test/Core.Test/Tools/Services/SendAuthenticationQueryTests.cs
+++ b/test/Core.Test/Tools/Services/SendAuthenticationQueryTests.cs
@@ -43,12 +43,12 @@ public class SendAuthenticationQueryTests
}
[Theory]
- [MemberData(nameof(EmailParsingTestCases))]
- public async Task GetAuthenticationMethod_WithEmails_ParsesEmailsCorrectly(string emailString, string[] expectedEmails)
+ [MemberData(nameof(EmailHashesParsingTestCases))]
+ public async Task GetAuthenticationMethod_WithEmailHashes_ParsesEmailHashesCorrectly(string emailHashString, string[] expectedEmailHashes)
{
// Arrange
var sendId = Guid.NewGuid();
- var send = CreateSend(accessCount: 0, maxAccessCount: 10, emails: emailString, password: null, AuthType.Email);
+ var send = CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: emailHashString, password: null, AuthType.Email);
_sendRepository.GetByIdAsync(sendId).Returns(send);
// Act
@@ -56,15 +56,15 @@ public class SendAuthenticationQueryTests
// Assert
var emailOtp = Assert.IsType(result);
- Assert.Equal(expectedEmails, emailOtp.Emails);
+ Assert.Equal(expectedEmailHashes, emailOtp.Emails);
}
[Fact]
- public async Task GetAuthenticationMethod_WithBothEmailsAndPassword_ReturnsEmailOtp()
+ public async Task GetAuthenticationMethod_WithBothEmailHashesAndPassword_ReturnsEmailOtp()
{
// Arrange
var sendId = Guid.NewGuid();
- var send = CreateSend(accessCount: 0, maxAccessCount: 10, emails: "test@example.com", password: "hashedpassword", AuthType.Email);
+ var send = CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: "hashedemail", password: "hashedpassword", AuthType.Email);
_sendRepository.GetByIdAsync(sendId).Returns(send);
// Act
@@ -79,7 +79,7 @@ public class SendAuthenticationQueryTests
{
// Arrange
var sendId = Guid.NewGuid();
- var send = CreateSend(accessCount: 0, maxAccessCount: 10, emails: null, password: null, AuthType.None);
+ var send = CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: null, password: null, AuthType.None);
_sendRepository.GetByIdAsync(sendId).Returns(send);
// Act
@@ -106,32 +106,218 @@ public class SendAuthenticationQueryTests
public static IEnumerable AuthenticationMethodTestCases()
{
yield return new object[] { null, typeof(NeverAuthenticate) };
- yield return new object[] { CreateSend(accessCount: 5, maxAccessCount: 5, emails: null, password: null, AuthType.None), typeof(NeverAuthenticate) };
- yield return new object[] { CreateSend(accessCount: 6, maxAccessCount: 5, emails: null, password: null, AuthType.None), typeof(NeverAuthenticate) };
- yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emails: "test@example.com", password: null, AuthType.Email), typeof(EmailOtp) };
- yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emails: null, password: "hashedpassword", AuthType.Password), typeof(ResourcePassword) };
- yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emails: null, password: null, AuthType.None), typeof(NotAuthenticated) };
+ yield return new object[] { CreateSend(accessCount: 5, maxAccessCount: 5, emailHashes: null, password: null, AuthType.None), typeof(NeverAuthenticate) };
+ yield return new object[] { CreateSend(accessCount: 6, maxAccessCount: 5, emailHashes: null, password: null, AuthType.None), typeof(NeverAuthenticate) };
+ yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: "hashedemail", password: null, AuthType.Email), typeof(EmailOtp) };
+ yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: null, password: "hashedpassword", AuthType.Password), typeof(ResourcePassword) };
+ yield return new object[] { CreateSend(accessCount: 0, maxAccessCount: 10, emailHashes: null, password: null, AuthType.None), typeof(NotAuthenticated) };
}
- public static IEnumerable EmailParsingTestCases()
+ [Fact]
+ public async Task GetAuthenticationMethod_WithDisabledSend_ReturnsNeverAuthenticate()
{
- yield return new object[] { "test@example.com", new[] { "test@example.com" } };
- yield return new object[] { "test1@example.com,test2@example.com", new[] { "test1@example.com", "test2@example.com" } };
- yield return new object[] { " test@example.com , other@example.com ", new[] { "test@example.com", "other@example.com" } };
- yield return new object[] { "test@example.com,,other@example.com", new[] { "test@example.com", "other@example.com" } };
- yield return new object[] { " , test@example.com, ,other@example.com, ", new[] { "test@example.com", "other@example.com" } };
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 0,
+ MaxAccessCount = 10,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = true,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = null
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
}
- private static Send CreateSend(int accessCount, int? maxAccessCount, string? emails, string? password, AuthType? authType)
+ [Fact]
+ public async Task GetAuthenticationMethod_WithExpiredSend_ReturnsNeverAuthenticate()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 0,
+ MaxAccessCount = 10,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = DateTime.UtcNow.AddDays(-1) // Expired yesterday
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ [Fact]
+ public async Task GetAuthenticationMethod_WithDeletionDatePassed_ReturnsNeverAuthenticate()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 0,
+ MaxAccessCount = 10,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(-1), // Should have been deleted yesterday
+ ExpirationDate = null
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ [Fact]
+ public async Task GetAuthenticationMethod_WithDeletionDateEqualToNow_ReturnsNeverAuthenticate()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var now = DateTime.UtcNow;
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 0,
+ MaxAccessCount = 10,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = now, // DeletionDate <= DateTime.UtcNow
+ ExpirationDate = null
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ [Fact]
+ public async Task GetAuthenticationMethod_WithAccessCountEqualToMaxAccessCount_ReturnsNeverAuthenticate()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 5,
+ MaxAccessCount = 5,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = null
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ [Fact]
+ public async Task GetAuthenticationMethod_WithNullMaxAccessCount_DoesNotRestrictAccess()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 1000,
+ MaxAccessCount = null, // No limit
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = null
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ [Fact]
+ public async Task GetAuthenticationMethod_WithNullExpirationDate_DoesNotExpire()
+ {
+ // Arrange
+ var sendId = Guid.NewGuid();
+ var send = new Send
+ {
+ Id = sendId,
+ AccessCount = 0,
+ MaxAccessCount = 10,
+ EmailHashes = "hashedemail",
+ Password = null,
+ AuthType = AuthType.Email,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = null // No expiration
+ };
+ _sendRepository.GetByIdAsync(sendId).Returns(send);
+
+ // Act
+ var result = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+ // Assert
+ Assert.IsType(result);
+ }
+
+ public static IEnumerable EmailHashesParsingTestCases()
+ {
+ yield return new object[] { "hash1", new[] { "hash1" } };
+ yield return new object[] { "hash1,hash2", new[] { "hash1", "hash2" } };
+ yield return new object[] { " hash1 , hash2 ", new[] { "hash1", "hash2" } };
+ yield return new object[] { "hash1,,hash2", new[] { "hash1", "hash2" } };
+ yield return new object[] { " , hash1, ,hash2, ", new[] { "hash1", "hash2" } };
+ }
+
+ private static Send CreateSend(int accessCount, int? maxAccessCount, string? emailHashes, string? password, AuthType? authType)
{
return new Send
{
Id = Guid.NewGuid(),
AccessCount = accessCount,
MaxAccessCount = maxAccessCount,
- Emails = emails,
+ EmailHashes = emailHashes,
Password = password,
- AuthType = authType
+ AuthType = authType,
+ Disabled = false,
+ DeletionDate = DateTime.UtcNow.AddDays(7),
+ ExpirationDate = null
};
}
}
diff --git a/util/Migrator/DbScripts/2026-01-17_00_Send_EmailHashes.sql b/util/Migrator/DbScripts/2026-01-17_00_Send_EmailHashes.sql
new file mode 100644
index 0000000000..2b00913661
--- /dev/null
+++ b/util/Migrator/DbScripts/2026-01-17_00_Send_EmailHashes.sql
@@ -0,0 +1,148 @@
+-- Update Send table to add EmailHashes Column
+IF COL_LENGTH('[dbo].[Send]', 'EmailHashes') IS NULL
+BEGIN
+ALTER TABLE [dbo].[Send]
+ ADD [EmailHashes] NVARCHAR(4000) NULL;
+END
+GO
+
+-- Update Send_Create to include EmailHashes column
+CREATE OR ALTER PROCEDURE [dbo].[Send_Create]
+ @Id UNIQUEIDENTIFIER OUTPUT,
+ @UserId UNIQUEIDENTIFIER,
+ @OrganizationId UNIQUEIDENTIFIER,
+ @Type TINYINT,
+ @Data VARCHAR(MAX),
+ @Key VARCHAR(MAX),
+ @Password NVARCHAR(300),
+ @MaxAccessCount INT,
+ @AccessCount INT,
+ @CreationDate DATETIME2(7),
+ @RevisionDate DATETIME2(7),
+ @ExpirationDate DATETIME2(7),
+ @DeletionDate DATETIME2(7),
+ @Disabled BIT,
+ @HideEmail BIT,
+ @CipherId UNIQUEIDENTIFIER = NULL,
+ @Emails NVARCHAR(4000) = NULL,
+ @AuthType TINYINT = NULL,
+ @EmailHashes NVARCHAR(4000) = NULL
+AS
+BEGIN
+ SET NOCOUNT ON
+
+ INSERT INTO [dbo].[Send]
+ (
+ [Id],
+ [UserId],
+ [OrganizationId],
+ [Type],
+ [Data],
+ [Key],
+ [Password],
+ [MaxAccessCount],
+ [AccessCount],
+ [CreationDate],
+ [RevisionDate],
+ [ExpirationDate],
+ [DeletionDate],
+ [Disabled],
+ [HideEmail],
+ [CipherId],
+ [Emails],
+ [AuthType],
+ [EmailHashes]
+ )
+ VALUES
+ (
+ @Id,
+ @UserId,
+ @OrganizationId,
+ @Type,
+ @Data,
+ @Key,
+ @Password,
+ @MaxAccessCount,
+ @AccessCount,
+ @CreationDate,
+ @RevisionDate,
+ @ExpirationDate,
+ @DeletionDate,
+ @Disabled,
+ @HideEmail,
+ @CipherId,
+ @Emails,
+ @AuthType,
+ @EmailHashes
+ )
+
+ IF @UserId IS NOT NULL
+ BEGIN
+ IF @Type = 1 --File
+ BEGIN
+ EXEC [dbo].[User_UpdateStorage] @UserId
+ END
+ EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
+ END
+ -- TODO: OrganizationId bump?
+END
+GO
+
+-- Update Send_Update to include EmailHashes column
+CREATE OR ALTER PROCEDURE [dbo].[Send_Update]
+ @Id UNIQUEIDENTIFIER,
+ @UserId UNIQUEIDENTIFIER,
+ @OrganizationId UNIQUEIDENTIFIER,
+ @Type TINYINT,
+ @Data VARCHAR(MAX),
+ @Key VARCHAR(MAX),
+ @Password NVARCHAR(300),
+ @MaxAccessCount INT,
+ @AccessCount INT,
+ @CreationDate DATETIME2(7),
+ @RevisionDate DATETIME2(7),
+ @ExpirationDate DATETIME2(7),
+ @DeletionDate DATETIME2(7),
+ @Disabled BIT,
+ @HideEmail BIT,
+ @CipherId UNIQUEIDENTIFIER = NULL,
+ @Emails NVARCHAR(4000) = NULL,
+ @AuthType TINYINT = NULL,
+ @EmailHashes NVARCHAR(4000) = NULL
+AS
+BEGIN
+ SET NOCOUNT ON
+
+ UPDATE
+ [dbo].[Send]
+ SET
+ [UserId] = @UserId,
+ [OrganizationId] = @OrganizationId,
+ [Type] = @Type,
+ [Data] = @Data,
+ [Key] = @Key,
+ [Password] = @Password,
+ [MaxAccessCount] = @MaxAccessCount,
+ [AccessCount] = @AccessCount,
+ [CreationDate] = @CreationDate,
+ [RevisionDate] = @RevisionDate,
+ [ExpirationDate] = @ExpirationDate,
+ [DeletionDate] = @DeletionDate,
+ [Disabled] = @Disabled,
+ [HideEmail] = @HideEmail,
+ [CipherId] = @CipherId,
+ [Emails] = @Emails,
+ [AuthType] = @AuthType,
+ [EmailHashes] = @EmailHashes
+ WHERE
+ [Id] = @Id
+
+ IF @UserId IS NOT NULL
+ BEGIN
+ EXEC [dbo].[User_BumpAccountRevisionDate] @UserId
+ END
+ -- TODO: OrganizationId bump?
+END
+GO
+EXECUTE sp_refreshview N'[dbo].[SendView]'
+GO
diff --git a/util/MySqlMigrations/Migrations/20260117234040_2026-01-17_00_Send_EmailHashes.Designer.cs b/util/MySqlMigrations/Migrations/20260117234040_2026-01-17_00_Send_EmailHashes.Designer.cs
new file mode 100644
index 0000000000..3b2aff4547
--- /dev/null
+++ b/util/MySqlMigrations/Migrations/20260117234040_2026-01-17_00_Send_EmailHashes.Designer.cs
@@ -0,0 +1,3506 @@
+//
+using System;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations
+{
+ [DbContext(typeof(DatabaseContext))]
+ [Migration("20260117234040_2026-01-17_00_Send_EmailHashes")]
+ partial class _20260117_00_Send_EmailHashes
+ {
+ ///
+ protected override void BuildTargetModel(ModelBuilder modelBuilder)
+ {
+#pragma warning disable 612, 618
+ modelBuilder
+ .HasAnnotation("ProductVersion", "8.0.8")
+ .HasAnnotation("Relational:MaxIdentifierLength", 64);
+
+ MySqlModelBuilderExtensions.AutoIncrementColumns(modelBuilder);
+
+ modelBuilder.Entity("Bit.Core.Dirt.Reports.Models.Data.OrganizationMemberBaseDetail", b =>
+ {
+ b.Property("CipherId")
+ .HasColumnType("char(36)");
+
+ b.Property("CollectionId")
+ .HasColumnType("char(36)");
+
+ b.Property("CollectionName")
+ .HasColumnType("longtext");
+
+ b.Property("Email")
+ .HasColumnType("longtext");
+
+ b.Property("GroupId")
+ .HasColumnType("char(36)");
+
+ b.Property("GroupName")
+ .HasColumnType("longtext");
+
+ b.Property("HidePasswords")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("Manage")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("ReadOnly")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("ResetPasswordKey")
+ .HasColumnType("longtext");
+
+ b.Property("TwoFactorProviders")
+ .HasColumnType("longtext");
+
+ b.Property("UserGuid")
+ .HasColumnType("char(36)");
+
+ b.Property("UserName")
+ .HasColumnType("longtext");
+
+ b.Property("UsesKeyConnector")
+ .HasColumnType("tinyint(1)");
+
+ b.ToTable("OrganizationMemberBaseDetails");
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Organization", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("AllowAdminAccessToAllCollectionItems")
+ .HasColumnType("tinyint(1)")
+ .HasDefaultValue(true);
+
+ b.Property("BillingEmail")
+ .IsRequired()
+ .HasMaxLength(256)
+ .HasColumnType("varchar(256)");
+
+ b.Property("BusinessAddress1")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("BusinessAddress2")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("BusinessAddress3")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("BusinessCountry")
+ .HasMaxLength(2)
+ .HasColumnType("varchar(2)");
+
+ b.Property("BusinessName")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("BusinessTaxNumber")
+ .HasMaxLength(30)
+ .HasColumnType("varchar(30)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Enabled")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("ExpirationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Gateway")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("GatewayCustomerId")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("GatewaySubscriptionId")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("Identifier")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("LicenseKey")
+ .HasMaxLength(100)
+ .HasColumnType("varchar(100)");
+
+ b.Property("LimitCollectionCreation")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("LimitCollectionDeletion")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("LimitItemDeletion")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("MaxAutoscaleSeats")
+ .HasColumnType("int");
+
+ b.Property("MaxAutoscaleSmSeats")
+ .HasColumnType("int");
+
+ b.Property("MaxAutoscaleSmServiceAccounts")
+ .HasColumnType("int");
+
+ b.Property("MaxCollections")
+ .HasColumnType("smallint");
+
+ b.Property("MaxStorageGb")
+ .HasColumnType("smallint");
+
+ b.Property("Name")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("OwnersNotifiedOfAutoscaling")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Plan")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("PlanType")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("PrivateKey")
+ .HasColumnType("longtext");
+
+ b.Property("PublicKey")
+ .HasColumnType("longtext");
+
+ b.Property("ReferenceData")
+ .HasColumnType("longtext");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Seats")
+ .HasColumnType("int");
+
+ b.Property("SelfHost")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("SmSeats")
+ .HasColumnType("int");
+
+ b.Property("SmServiceAccounts")
+ .HasColumnType("int");
+
+ b.Property("Status")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("Storage")
+ .HasColumnType("bigint");
+
+ b.Property("SyncSeats")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("TwoFactorProviders")
+ .HasColumnType("longtext");
+
+ b.Property("Use2fa")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseAdminSponsoredFamilies")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseApi")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseAutomaticUserConfirmation")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseCustomPermissions")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseDirectory")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseDisableSmAdsForUsers")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseEvents")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseGroups")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseKeyConnector")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseOrganizationDomains")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UsePasswordManager")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UsePhishingBlocker")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UsePolicies")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseResetPassword")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseRiskInsights")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseScim")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseSecretsManager")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseSso")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UseTotp")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("UsersGetPremium")
+ .HasColumnType("tinyint(1)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("Id", "Enabled")
+ .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp", "UsersGetPremium" });
+
+ b.ToTable("Organization", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Policy", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Data")
+ .HasColumnType("longtext");
+
+ b.Property("Enabled")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Type")
+ .HasColumnType("tinyint unsigned");
+
+ b.HasKey("Id");
+
+ b.HasIndex("OrganizationId")
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.HasIndex("OrganizationId", "Type")
+ .IsUnique()
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.ToTable("Policy", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.Provider", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("BillingEmail")
+ .HasColumnType("longtext");
+
+ b.Property("BillingPhone")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessAddress1")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessAddress2")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessAddress3")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessCountry")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessName")
+ .HasColumnType("longtext");
+
+ b.Property("BusinessTaxNumber")
+ .HasColumnType("longtext");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("DiscountId")
+ .HasColumnType("longtext");
+
+ b.Property("Enabled")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("Gateway")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("GatewayCustomerId")
+ .HasColumnType("longtext");
+
+ b.Property("GatewaySubscriptionId")
+ .HasColumnType("longtext");
+
+ b.Property("Name")
+ .HasColumnType("longtext");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Status")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("Type")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("UseEvents")
+ .HasColumnType("tinyint(1)");
+
+ b.HasKey("Id");
+
+ b.ToTable("Provider", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderOrganization", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Key")
+ .HasColumnType("longtext");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("ProviderId")
+ .HasColumnType("char(36)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Settings")
+ .HasColumnType("longtext");
+
+ b.HasKey("Id");
+
+ b.HasIndex("OrganizationId");
+
+ b.HasIndex("ProviderId");
+
+ b.ToTable("ProviderOrganization", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.AdminConsole.Models.Provider.ProviderUser", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Email")
+ .HasColumnType("longtext");
+
+ b.Property("Key")
+ .HasColumnType("longtext");
+
+ b.Property("Permissions")
+ .HasColumnType("longtext");
+
+ b.Property("ProviderId")
+ .HasColumnType("char(36)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Status")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("Type")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("UserId")
+ .HasColumnType("char(36)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("ProviderId");
+
+ b.HasIndex("UserId");
+
+ b.ToTable("ProviderUser", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("AccessCode")
+ .HasMaxLength(25)
+ .HasColumnType("varchar(25)");
+
+ b.Property("Approved")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("AuthenticationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Key")
+ .HasColumnType("longtext");
+
+ b.Property("MasterPasswordHash")
+ .HasColumnType("longtext");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("PublicKey")
+ .HasColumnType("longtext");
+
+ b.Property("RequestCountryName")
+ .HasMaxLength(200)
+ .HasColumnType("varchar(200)");
+
+ b.Property("RequestDeviceIdentifier")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("RequestDeviceType")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("RequestIpAddress")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("ResponseDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("ResponseDeviceId")
+ .HasColumnType("char(36)");
+
+ b.Property("Type")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("UserId")
+ .HasColumnType("char(36)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("OrganizationId");
+
+ b.HasIndex("ResponseDeviceId");
+
+ b.HasIndex("UserId");
+
+ b.ToTable("AuthRequest", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.EmergencyAccess", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Email")
+ .HasMaxLength(256)
+ .HasColumnType("varchar(256)");
+
+ b.Property("GranteeId")
+ .HasColumnType("char(36)");
+
+ b.Property("GrantorId")
+ .HasColumnType("char(36)");
+
+ b.Property("KeyEncrypted")
+ .HasColumnType("longtext");
+
+ b.Property("LastNotificationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("RecoveryInitiatedDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Status")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("Type")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("WaitTimeDays")
+ .HasColumnType("smallint");
+
+ b.HasKey("Id");
+
+ b.HasIndex("GranteeId");
+
+ b.HasIndex("GrantorId");
+
+ b.ToTable("EmergencyAccess", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.Grant", b =>
+ {
+ b.Property("Id")
+ .ValueGeneratedOnAdd()
+ .HasColumnType("int");
+
+ MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property("Id"));
+
+ b.Property("ClientId")
+ .IsRequired()
+ .HasMaxLength(200)
+ .HasColumnType("varchar(200)");
+
+ b.Property("ConsumedDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Data")
+ .IsRequired()
+ .HasColumnType("longtext");
+
+ b.Property("Description")
+ .HasMaxLength(200)
+ .HasColumnType("varchar(200)");
+
+ b.Property("ExpirationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Key")
+ .IsRequired()
+ .HasMaxLength(200)
+ .HasColumnType("varchar(200)");
+
+ b.Property("SessionId")
+ .HasMaxLength(100)
+ .HasColumnType("varchar(100)");
+
+ b.Property("SubjectId")
+ .HasMaxLength(200)
+ .HasColumnType("varchar(200)");
+
+ b.Property("Type")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.HasKey("Id")
+ .HasName("PK_Grant")
+ .HasAnnotation("SqlServer:Clustered", true);
+
+ b.HasIndex("ExpirationDate")
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.HasIndex("Key")
+ .IsUnique();
+
+ b.ToTable("Grant", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoConfig", b =>
+ {
+ b.Property("Id")
+ .ValueGeneratedOnAdd()
+ .HasColumnType("bigint");
+
+ MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property("Id"));
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("Data")
+ .HasColumnType("longtext");
+
+ b.Property("Enabled")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("OrganizationId");
+
+ b.ToTable("SsoConfig", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.SsoUser", b =>
+ {
+ b.Property("Id")
+ .ValueGeneratedOnAdd()
+ .HasColumnType("bigint");
+
+ MySqlPropertyBuilderExtensions.UseMySqlIdentityColumn(b.Property("Id"));
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("ExternalId")
+ .HasMaxLength(300)
+ .HasColumnType("varchar(300)");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("UserId")
+ .HasColumnType("char(36)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("OrganizationId")
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.HasIndex("UserId");
+
+ b.HasIndex("OrganizationId", "ExternalId")
+ .IsUnique()
+ .HasAnnotation("Npgsql:IndexInclude", new[] { "UserId" })
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.HasIndex("OrganizationId", "UserId")
+ .IsUnique()
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.ToTable("SsoUser", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.WebAuthnCredential", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("AaGuid")
+ .HasColumnType("char(36)");
+
+ b.Property("Counter")
+ .HasColumnType("int");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("CredentialId")
+ .HasMaxLength(256)
+ .HasColumnType("varchar(256)");
+
+ b.Property("EncryptedPrivateKey")
+ .HasMaxLength(2000)
+ .HasColumnType("varchar(2000)");
+
+ b.Property("EncryptedPublicKey")
+ .HasMaxLength(2000)
+ .HasColumnType("varchar(2000)");
+
+ b.Property("EncryptedUserKey")
+ .HasMaxLength(2000)
+ .HasColumnType("varchar(2000)");
+
+ b.Property("Name")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("PublicKey")
+ .HasMaxLength(256)
+ .HasColumnType("varchar(256)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("SupportsPrf")
+ .HasColumnType("tinyint(1)");
+
+ b.Property("Type")
+ .HasMaxLength(20)
+ .HasColumnType("varchar(20)");
+
+ b.Property("UserId")
+ .HasColumnType("char(36)");
+
+ b.HasKey("Id");
+
+ b.HasIndex("UserId");
+
+ b.ToTable("WebAuthnCredential", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ClientOrganizationMigrationRecord", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("ExpirationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("GatewayCustomerId")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("GatewaySubscriptionId")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("MaxAutoscaleSeats")
+ .HasColumnType("int");
+
+ b.Property("MaxStorageGb")
+ .HasColumnType("smallint");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("PlanType")
+ .HasColumnType("tinyint unsigned");
+
+ b.Property("ProviderId")
+ .HasColumnType("char(36)");
+
+ b.Property("Seats")
+ .HasColumnType("int");
+
+ b.Property("Status")
+ .HasColumnType("tinyint unsigned");
+
+ b.HasKey("Id");
+
+ b.HasIndex("ProviderId", "OrganizationId")
+ .IsUnique();
+
+ b.ToTable("ClientOrganizationMigrationRecord", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.OrganizationInstallation", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("CreationDate")
+ .HasColumnType("datetime(6)");
+
+ b.Property("InstallationId")
+ .HasColumnType("char(36)");
+
+ b.Property("OrganizationId")
+ .HasColumnType("char(36)");
+
+ b.Property("RevisionDate")
+ .HasColumnType("datetime(6)");
+
+ b.HasKey("Id")
+ .HasAnnotation("SqlServer:Clustered", true);
+
+ b.HasIndex("InstallationId")
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.HasIndex("OrganizationId")
+ .HasAnnotation("SqlServer:Clustered", false);
+
+ b.ToTable("OrganizationInstallation", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderInvoiceItem", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("AssignedSeats")
+ .HasColumnType("int");
+
+ b.Property("ClientId")
+ .HasColumnType("char(36)");
+
+ b.Property("ClientName")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("Created")
+ .HasColumnType("datetime(6)");
+
+ b.Property("InvoiceId")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("InvoiceNumber")
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("PlanName")
+ .IsRequired()
+ .HasMaxLength(50)
+ .HasColumnType("varchar(50)");
+
+ b.Property("ProviderId")
+ .HasColumnType("char(36)");
+
+ b.Property("Total")
+ .HasColumnType("decimal(65,30)");
+
+ b.Property("UsedSeats")
+ .HasColumnType("int");
+
+ b.HasKey("Id");
+
+ b.HasIndex("ProviderId");
+
+ b.ToTable("ProviderInvoiceItem", (string)null);
+ });
+
+ modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Billing.Models.ProviderPlan", b =>
+ {
+ b.Property("Id")
+ .HasColumnType("char(36)");
+
+ b.Property("AllocatedSeats")
+ .HasColumnType("int");
+
+ b.Property