* update send api models to support new `email` field
* normalize authentication field evaluation order
* document send response converters
* add FIXME to remove unused constructor argument
* add FIXME to remove unused constructor argument
* introduce `tools-send-email-otp-listing` feature flag
* add `ISendOwnerQuery` to dependency graph
* fix broken tests
* added AuthType prop to send related models with test coverage and debt cleanup
* dotnet format
* add migrations
* dotnet format
* make SendsController null safe (tech debt)
* add AuthType col to Sends table, change Emails col length to 4000, and run migrations
* dotnet format
* update SPs to expect AuthType
* include SP updates in migrations
* remove migrations not intended for merge
* Revert "remove migrations not intended for merge"
This reverts commit 7df56e346a.
undo migrations removal
* extract AuthType inference to util method and remove SQLite file
* fix lints
* address review comments
* fix incorrect assignment and adopt SQL conventions
* fix column assignment order in Send_Update.sql
* remove space added to email list
* assign SQL default value of NULL to AuthType
* update SPs to match migration changes
---------
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
Co-authored-by: John Harrington <84741727+harr1424@users.noreply.github.com>
* implement the ticket request
* resolve the build lint error
* Resolve the build lint error
* Address review comments
* Fixt the lint and failing unit test
* Fix NSubstitute mock - use concrete ClaimsPrincipal instead of Arg.Any in Returns()
* resolve InjectUser issues
* Fix the failing testing
* Fix the failing unit test
* feat(global-settings) [PM-20109]: Add WebAuthN global settings.
* feat(webauthn) [PM-20109]: Update maximum allowed WebAuthN credentials to use new settings.
* test(webauthn) [PM-20109]: Update command tests to use global configs.
* feat(global-settings) [PM-20109]: Set defaults for maximum allowed credentials.
* feat(two-factor-request-model) [PM-20109]: Remove hard-coded 5 limit on ID validation.
* Revert "test(webauthn) [PM-20109]: Update command tests to use global configs."
This reverts commit ba9f0d5fb6.
* Revert "feat(webauthn) [PM-20109]: Update maximum allowed WebAuthN credentials to use new settings."
This reverts commit d2faef0c13.
* feat(global-settings) [PM-20109]: Add WebAuthNSettings to interface for User Service consumption.
* feat(user-service) [PM-20109]: Add boundary and persistence-time validation for maximum allowed WebAuthN 2FA credentials.
* test(user-service) [PM-20109]: Update tests for WebAuthN limit scenarios.
* refactor(user-service) [PM-20109]: Typo in variable name.
* refactor(user-service) [PM-20109]: Remove unnecessary pending check.
* refactor(user-service) [PM-20109]: Pending check is necessary.
* refactor(webauthn) [PM-20109]: Re-spell WebAuthN => WebAuthn.
* refactor(user-service) [PM-20109]: Re-format pending checks for consistency.
* refactor(user-service) [PM-20109]: Fix type spelling in comments.
* test(user-service) [PM-20109]: Combine premium and non-premium test cases with AutoData.
* refactor(user-service) [PM-20109]: Swap HasPremiumAccessQuery in for CanAccessPremium.
* refactor(user-service) [PM-20109]: Convert limit check to positive, edit comments.
Main fix: only assign new key value where old keys are not set
and new keys have been provided.
Refactors:
- use consistent DTO model for keypairs
- delete duplicate property assignment for new orgs
* account v2 registration for key connector
* use new user repository functions
* test coverage
* integration test coverage
* documentation
* code review
* missing test coverage
* fix failing test
* failing test
* incorrect ticket number
* moved back request model to Api, created dedicated data class in Core
* sql stored procedure type mismatch, simplification
* key connector authorization handler
* Integration test around getting and saving collection with group/user permissions
* This adds groups to the collections returned.
* Added new stored procedures so we don't accidentally wipe out access due to null parameters.
* wrapping all calls in transaction in the event that there is an error.
* move billing services+tests to billing namespaces
* reorganized methods in file and added comment headers
* renamed StripeAdapter methods for better clarity
* clean up redundant qualifiers
* Upgrade Stripe.net to v48.4.0
* Update PreviewTaxAmountCommand
* Remove unused UpcomingInvoiceOptionExtensions
* Added SubscriptionExtensions with GetCurrentPeriodEnd
* Update PremiumUserBillingService
* Update OrganizationBillingService
* Update GetOrganizationWarningsQuery
* Update BillingHistoryInfo
* Update SubscriptionInfo
* Remove unused Sql Billing folder
* Update StripeAdapter
* Update StripePaymentService
* Update InvoiceCreatedHandler
* Update PaymentFailedHandler
* Update PaymentSucceededHandler
* Update ProviderEventService
* Update StripeEventUtilityService
* Update SubscriptionDeletedHandler
* Update SubscriptionUpdatedHandler
* Update UpcomingInvoiceHandler
* Update ProviderSubscriptionResponse
* Remove unused Stripe Subscriptions Admin Tool
* Update RemoveOrganizationFromProviderCommand
* Update ProviderBillingService
* Update RemoveOrganizatinoFromProviderCommandTests
* Update PreviewTaxAmountCommandTests
* Update GetCloudOrganizationLicenseQueryTests
* Update GetOrganizationWarningsQueryTests
* Update StripePaymentServiceTests
* Update ProviderBillingControllerTests
* Update ProviderEventServiceTests
* Update SubscriptionDeletedHandlerTests
* Update SubscriptionUpdatedHandlerTests
* Resolve Billing test failures
I completely removed tests for the StripeEventService as they were using a system I setup a while back that read JSON files of the Stripe event structure. I did not anticipate how frequently these structures would change with each API version and the cost of trying to update these specific JSON files to test a very static data retrieval service far outweigh the benefit.
* Resolve Core test failures
* Run dotnet format
* Remove unused provider migration
* Fixed failing tests
* Run dotnet format
* Replace the old webhook secret key with new one (#6223)
* Fix compilation failures in additions
* Run dotnet format
* Bump Stripe API version
* Fix recent addition: CreatePremiumCloudHostedSubscriptionCommand
* Fix new code in main according to Stripe update
* Fix InvoiceExtensions
* Bump SDK version to match API Version
* cleanup
* fixing items missed after the merge
* use expression body for all simple returns
* forgot fixes, format, and pr feedback
* claude pr feedback
* pr feedback and cleanup
* more claude feedback
---------
Co-authored-by: Alex Morask <amorask@bitwarden.com>
Co-authored-by: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
* add folders and favorites when sharing a cipher
* refactor folders and favorites assignment to consider existing folders/favorite assignments on a cipher
* remove unneeded string manipulation
* remove comment
* add unit test for folder/favorite sharing
* add migration for sharing a cipher to org and collect reprompt, favorite and folders
* update date timestamp of migration
* fix(two-factor-controller) [PM-24211]: Update send email validation to use auth request's IsValidForAuthentication.
* refactor(login-features) [PM-24211]: Remove Core.LoginFeatures as no longer used; AuthRequest.IsValidForAuthentication should be used for any applicable use cases.
* feat(auth-request) [PM-24211]: Add tests for AuthRequest.IsValidForAuthentication.
* fix(two-factor-controller) [PM-24211]: Branching logic should return on successful send.
* chore(auth-request) [PM-24211]: Remove some old comments (solved-for).
* fix(two-factor-controller) [PM-24211]: Update some comments (clarification/naming).
* fix(two-factor-controller) [PM-24211]: Rephrase a comment (accuracy).
* Add CQRS and caching support for OrganizationIntegrations
* Use primary constructor for Delete command, per Claude suggestion
* Fix namespace
* Add XMLDoc for new commands / queries
* Remove unnecessary extra call to AddExtendedCache in Startup (call in EventIntegrationsServiceCollectionExtensions handles this instead)
* Alter strategy to use one cache / database call to retrieve all configurations for an event (including wildcards)
* Updated README documentation to reflect updated Caching doc and updated CQRS approach
* Implement optimized bulk invite resend command
- Added IBulkResendOrganizationInvitesCommand interface to define the bulk resend operation.
- Created BulkResendOrganizationInvitesCommand class to handle the logic for resending invites to multiple organization users.
- Integrated logging and validation to ensure only valid users receive invites.
- Included error handling for non-existent organizations and invalid user statuses.
* Add unit tests for BulkResendOrganizationInvitesCommand
- Implemented comprehensive test cases for the BulkResendOrganizationInvitesCommand class.
- Validated user statuses and ensured correct handling of valid and invalid users during bulk invite resends.
- Included tests for scenarios such as organization not found and empty user lists.
- Utilized Xunit and NSubstitute for effective testing and mocking of dependencies.
* Add IBulkResendOrganizationInvitesCommand to service collection
- Registered IBulkResendOrganizationInvitesCommand in the service collection for dependency injection.
* Update OrganizationUsersController to utilize IBulkResendOrganizationInvitesCommand
- Added IBulkResendOrganizationInvitesCommand to the OrganizationUsersController for handling bulk invite resends based on feature flag.
- Updated BulkReinvite method to conditionally use the new command or the legacy service based on the feature flag status.
- Enhanced unit tests to verify correct command usage depending on feature flag state, ensuring robust testing for both scenarios.
* Fix the license validation bug
* resolve the failing test
* fix the failing test
* Revert changes and Add the ui display fix
* remove empty spaces
* revert the changes on licensing file
* revert changes to the test signup
* Revert the org license file changes
* revert the empty spaces
* revert the empty spaces changes
* remove the empty spaces
* revert
* Remove the duplicate code
* Add the expire date fix for premium
* Fix the failing test
* Fix the lint error
* Adding SecretVersion table to server
* making the names singular not plural for new table
* removing migration
* fixing migration
* Adding indexes for serviceacct and orguserId
* indexes for sqllite
* fixing migrations
* adding indexes to secretVeriosn.sql
* tests
* removing tests
* adding GO
* api repository and controller additions for SecretVersion table, as well as tests
* test fix sqllite
* improvements
* removing comments
* making files nullable safe
* Justin Baurs suggested changes
* claude suggestions
* Claude fixes
* test fixes
* fix: Return 200 OK with empty array for HIBP breach endpoint when no breaches found
Changes the HIBP breach check endpoint to return HTTP 200 OK with an empty
JSON array `[]` instead of 404 Not Found when no breaches are found. This
follows proper REST API semantics where 404 should indicate the endpoint
doesn't exist, not that a query returned no results.
Changes:
- src/Api/Dirt/Controllers/HibpController.cs: Lines 67-71
- Changed: return new NotFoundResult(); → return Content("[]", "application/json");
Backward Compatible:
- Clients handle both 200 with [] (new) and 404 (old)
- No breaking changes
- Safe to deploy independently
API Response Changes:
- Before: GET /api/hibp/breach?username=safe@example.com → 404 Not Found
- After: GET /api/hibp/breach?username=safe@example.com → 200 OK, Body: []
Impact:
- No user-facing changes
- Correct REST semantics
- Industry-standard API response pattern
* Address PR feedback: enhance comment and add comprehensive unit tests
Addresses feedback from PR #6661:
1. Enhanced comment per @prograhamming's feedback (lines 69-71):
- Added date stamp (12/1/2025)
- Explained HIBP API behavior: returns 404 when no breaches found
- Clarified HIBP API specification about 404 meaning
- Maintained REST semantics justification
2. Created comprehensive unit tests per Claude bot's Finding 1:
- New file: test/Api.Test/Dirt/HibpControllerTests.cs
- 9 test cases covering all critical scenarios:
* Missing API key validation
* No breaches found (404 → 200 with []) - KEY TEST FOR PR CHANGE
* Breaches found (200 with data)
* Rate limiting with retry logic
* Server error handling (500, 400)
* URL encoding of special characters
* Required headers validation
* Self-hosted vs cloud User-Agent differences
Test Coverage:
- Before: 0% coverage for HibpController
- After: ~90% coverage (all public methods and major paths)
- Uses xUnit, NSubstitute, BitAutoData patterns
- Matches existing Dirt controller test conventions
Changes:
- src/Api/Dirt/Controllers/HibpController.cs: Enhanced comment (+3 lines)
- test/Api.Test/Dirt/HibpControllerTests.cs: New test file (327 lines, 9 tests)
Addresses:
- @prograhamming's comment about enhancing the code comment
- Claude bot's Finding 1: Missing unit tests for HibpController
Related: PM-6979
* fix test/formating errors
* PM-28616 Add flag UsePhishingBlocker to dbo.Organization
* PM-28616 updated as per comments from claude
* PM-28616 updated ToLicense Method to copy the license file
* PM-28616 allow phishing blocker to be imported via license files for self-hosted
* PM-28616 updated PR comments - added more views to be refreshed
* PM-28616 removed proeprty from constructor as it is not used anymore. We have moved to claims based properties
* [deps] Platform: Update azure azure-sdk-for-net monorepo
* Remove bump of Azure.Extensions.AspNetCore.DataProtection.Blobs because it require Microsoft.AspNetCore.DataProtection >= 8.0.11
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
And other refactors:
- move update organization method to a command
- separate authorization from business logic
- add tests
- move Billing Team logic into their service
* Remove feature flag and move StaticStore plans to MockPlans for tests
* Remove old plan models / move sponsored plans out of StaticStore
* Run dotnet format
* Add pricing URI to Development appsettings for local development and integration tests
* Updated Api Integration tests to get current plan type
* Run dotnet format
* Fix failing tests
* Adding auto confirm endpoint and initial command work.
* Adding validator
* Finished command implementation.
* Enabled the feature renomved used method. Enabled the policy in the tests.
* Added extension functions to allow for railroad programming.
* Removed guid from route template. Added xml docs
* Added validation for command.
* Added default collection creation to command.
* formatting.
* Added additional error types and mapped to appropriate results.
* Added tests for auto confirm validator
* Adding tests
* fixing file name
* Cleaned up OrgUserController. Added integration tests.
* Consolidated CommandResult and validation result stuff into a v2 directory.
* changing result to match handle method.
* Moves validation thenasync method.
* Added brackets.
* Updated XML comment
* Adding idempotency comment.
* Fixed up merge problems. Fixed return types for handle.
* Renamed to ValidationRequest
* I added some methods for CommandResult to cover some future use cases. Added ApplyAsync method to execute multiple functions against CommandResult without an error stopping the workflow for side-effects.
* Fixed up logic around should create default colleciton. Added more methods for chaining ValidationResult together. Added logic for user type.
* Clearing nullable enable.
* Fixed up validator tests.
* Tests for auto confirm command
* Fixed up command result and AutoConfirmCommand.
* Removed some unused methods.
* Moved autoconfirm tests to their own class.
* Moved some stuff around. Need to clean up creation of accepted org user yet.
* Moved some more code around. Folded Key into accepted constructor. removed unneeded tests since key and accepted are now a part of AcceptedOrgUser Creation.
* Clean up clean up everybody everywhere. Clean up clean up everybody do your share.
* Another quick one
* Removed aggregate Errors.cs
* Cleaned up validator and fixed up tests.
* Fixed auto confirm repo
* Cleaned up command tests.
* Unused method.
* Restoring Bulk command back to what it was. deleted handle method for bulk.
* Remove unused method.
* removed unnecssary lines and comments
* fixed layout.
* Fixed test.
* fixed spelling mistake. removed unused import.
* Update test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* Ensuring collection is created before full sync. Cleaning up tests and added a few more. Added check that the policy is enabled.
* Added org cleanup
* Lowering to 5 to see if that helps the runner.
* 🤷
* Trying this
* Maybe this time will be different.
* seeing if awaiting and checking independently will work in ci
* I figured it out. Locally, it would be fast enough to all return NoContent, however in CI, its slow enough for it to return 400 due to the user already being confirmed via validation.
* Updated tests and validator
* Fixed name
---------
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* adding event filters
* allow user to see deleted secret event logs through public api
* nullable changes to event controller
* fixing tests
* fixing permissions issues with public API
* fix for bug
* Update src/Api/AdminConsole/Public/Controllers/EventsController.cs
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
* Update src/Api/AdminConsole/Public/Controllers/EventsController.cs
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
* The discount badge implementation
* Address the claude pr comments
* Add more unit testing
* Add more test
* used existing flag
* Add the coupon Ids
* Add more code documentation
* Add some recommendation from claude
* Fix addition comments and prs
* Add more integration test
* Fix some comment and add more test
* rename the test methods
* Add more unit test and comments
* Resolve the null issues
* Add more test
* reword the comments
* Rename Variable
* Some code refactoring
* Change the coupon ID to milestone-2c
* Fix the failing Test
* Remove EventBasedOrganizationIntegrations feature flag
* Remove unnecessary nullable enable
* Refactored service collection extensions to follow a more direct path: ASB, RabbitMQ, Azure Queue, Repository, No-op
* Use TryAdd instead of Add
* Enhance PolicyRequestModel and SavePolicyRequest with validation for policy data and metadata.
* Add integration tests for policy updates to validate handling of invalid data types in PolicyRequestModel and SavePolicyRequest.
* Add missing using
* Update PolicyRequestModel for null safety by making Data and ValidateAndSerializePolicyData nullable
* Add integration tests for public PoliciesController to validate handling of invalid data types in policy updates.
* Add PolicyDataValidator class for validating and serializing policy data and metadata based on policy type.
* Refactor PolicyRequestModel, SavePolicyRequest, and PolicyUpdateRequestModel to utilize PolicyDataValidator for data validation and serialization, removing redundant methods and improving code clarity.
* Update PolicyRequestModel and SavePolicyRequest to initialize Data and Metadata properties with empty dictionaries.
* Refactor PolicyDataValidator to remove null checks for input data in validation methods
* Rename test methods in SavePolicyRequestTests to reflect handling of empty data and metadata, and remove null assignments in test cases for improved clarity.
* Remove Type property from PolicyRequestModel to use route parameter only
* Run dotnet format
* Enhance error handling in PolicyDataValidator to include field-specific details in BadRequestException messages.
* Enhance PoliciesControllerTests to verify error messages for BadRequest responses by checking for specific field names in the response content.
* refactor: Update PolicyRequestModel and SavePolicyRequest to use nullable dictionaries for Data and Metadata properties; enhance validation methods in PolicyDataValidator to handle null cases.
* test: Add integration tests for handling policies with null data in PoliciesController
* fix: Catch specific JsonException in PolicyDataValidator to improve error handling
* test: Add unit tests for PolicyDataValidator to validate and serialize policy data and metadata
* test: Remove PolicyType from PolicyRequestModel in PoliciesControllerTests
* test: Update PolicyDataValidatorTests to validate organization data ownership metadata
* Refactor PoliciesControllerTests to include policy type in PutVNext method calls
* Add PolicyValidatorsRefactor constant to FeatureFlagKeys in Constants.cs
* Add Metadata property and ToSavePolicyModel method to PolicyUpdateRequestModel
* Refactor PoliciesController to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to PoliciesController.
- Updated PutVNext method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Enhanced unit tests to verify behavior for both enabled and disabled states of the feature flag.
* Update public PoliciesController to to utilize IVNextSavePolicyCommand based on feature flag
- Introduced IFeatureService and IVNextSavePolicyCommand to manage policy saving based on the PolicyValidatorsRefactor feature flag.
- Updated the Put method to conditionally use the new VNextSavePolicyCommand or the legacy SavePolicyCommand.
- Added unit tests to validate the behavior of the Put method for both enabled and disabled states of the feature flag.
* Refactor VerifyOrganizationDomainCommand to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to VerifyOrganizationDomainCommand.
- Updated EnableSingleOrganizationPolicyAsync method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Enhanced unit tests to validate the behavior when the feature flag is enabled.
* Enhance SsoConfigService to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to SsoConfigService.
- Updated SaveAsync method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Added unit tests to validate the behavior when the feature flag is enabled.
* Refactor SavePolicyModel to simplify constructor usage by removing EmptyMetadataModel parameter. Update related usages across the codebase to reflect the new constructor overloads.
* Update PolicyUpdateRequestModel to make Metadata property nullable for improved null safety
