Auth/pm 35392/master password service foundation

[enmande]

🎟️ Tracking

PM-35392

📔 Objective

Introduces the MasterPasswordService, an orchestrating/coordinating surface for Master Password initial set and update operations.

No call sites are connected as part of this PR. For ease of review, those are specced in detail in connected tickets:

• PM-35393 (Auth APIs)
• PM-35394 (Admin Console APIs)
• PM-35395 (Key Management APIs)

A suite of unit tests has been added for the service.

📸 Screenshots

N/A

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the new MasterPasswordService foundation (interface, implementation, four data carriers, DI registration, repository TODO comments, and unit tests). The change introduces a single coordinating surface for master-password set/update flows with a Prepare/Save/Build verb model, validates inputs via ValidateDataForUser per data carrier, and is correctly registered as internal with TryAddScoped. No call sites are wired in this PR, which is consistent with the stated objective and the linked follow-up tickets (PM-35393/4/5).

The crypto contract is preserved: the server stores a hash-of-hash of the client-supplied authentication hash, plaintext master passwords are never received, KDF/salt invariants are enforced on the update paths, and SecurityStamp rotation is correctly composed into all three verb tiers. Known gaps in IUserRepository.SetMasterPassword (no persistence of SecurityStamp and LastPasswordChangeDate) are explicitly disclosed via TODO comments tracked under PM-35501 and PM-34905.

Test coverage is thorough — happy paths, validation failures, KDF rotation directions, salt/KDF independence per field, hydration guards, security-stamp flag behavior across all three tiers, and the deferred-validation contract for Build*. Prior review threads (27 resolved) addressed documentation structure, naming consistency, and OneOf usage; the deferred KDF-consistency check on UpdateExistingPasswordAndKdfData is intentionally scoped to PM-35395.

Code Review Details

No new findings. All previously identified items are either resolved in earlier commits on this PR or tracked in linked Jira tasks (PM-34905, PM-35395, PM-35501).

[codecov]

Codecov Report

❌ Patch coverage is 99.25373% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.81%. Comparing base (995ccbb) to head (c221552).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...atures/UserMasterPassword/MasterPasswordService.cs	98.91%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7530      +/-   ##
==========================================
+ Coverage   59.25%   63.81%   +4.56%     
==========================================
  Files        2082     2087       +5     
  Lines       91994    92262     +268     
  Branches     8177     8200      +23     
==========================================
+ Hits        54507    58880    +4373     
+ Misses      35549    31356    -4193     
- Partials     1938     2026      +88     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Patrick-Pimentel-Bitwarden]

I can't begin to say how giddy I am with the changes you've made. I'm so stoked to see that the job you've done is top notch. Thank you 🙏

1. Do a verbiage check to make sure we are always using set initial or update existing. No concept of "change" anymore as it's ambiguous and we need to be crystal clear about the operations we are performing. This will be feedback to bring into all the rest of the prs as well.
2. ⛏️ Throughout the MasterPasswordService I left comments on some of the operations happening throughout the set initial and update existing functions and didn't make the comments uniform. Would you mind addressing that? For example the PrepareSetInitialMasterPasswordAsync says // Update time markers on the user but I omitted that on PrepareUpdateExistingMasterPasswordAsync.

[github-actions]

Checkmarx One – Scan Summary & Details – 5cf0c728-c249-423a-8690-2e60712d4a46

---

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
2		CSRF	src/Api/Auth/Controllers/AccountsController.cs: 291	details Method at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
3		CSRF	src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
4		CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173

[JaredSnider-Bitwarden]

Really excellent work here. Most of the items I found were small improvements or nit picks. Thank you for your efforts to build this foundation!

[JaredSnider-Bitwarden]

Stellar work. 🏅 !

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud