bitwarden · Patrick-Pimentel-Bitwarden · Mar 26, 2026 · Mar 26, 2026 · Mar 30, 2026 · Mar 30, 2026
@@ -41,6 +41,7 @@
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using AccountRecoveryV2 = Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery.v2;
 using V1_RevokeOrganizationUserCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1.IRevokeOrganizationUserCommand;
@@ -533,14 +534,25 @@ public async Task<IResult> PutRecoverAccount(Guid orgId, Guid id, [FromBody] Org
             return Handle(await _adminRecoverAccountCommandV2.RecoverAccountAsync(commandRequest));
         }
 
-        var result = await _adminRecoverAccountCommand.RecoverAccountAsync(
-            orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
-        if (result.Succeeded)
+        IdentityResult identityResult;
+        if (model.RequestHasNewDataTypes())
+        {
+            identityResult = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.UnlockData!.ToData(), model.AuthenticationData!.ToData());
+        }
+        // To be removed in PM-33141
+        else
+        {
+            identityResult = await _adminRecoverAccountCommand.RecoverAccountAsync(
+                orgId, targetOrganizationUser, model.NewMasterPasswordHash!, model.Key!);
+        }
+
+        if (identityResult.Succeeded)
         {
             return TypedResults.Ok();
         }
 
-        foreach (var error in result.Errors)
+        foreach (var error in identityResult.Errors)
         {
             ModelState.AddModelError(string.Empty, error.Description);
         }

@@ -13,7 +13,9 @@
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
+using Bit.Core.Auth.UserFeatures.TempPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Auth.UserFeatures.UserMasterPassword.Data;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -25,64 +27,47 @@
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.Auth.Controllers;
 
 [Route("accounts")]
 [Authorize(Policies.Application)]
-public class AccountsController : Controller
+public class AccountsController(
+    IOrganizationService organizationService,
+    IOrganizationUserRepository organizationUserRepository,
+    IProviderUserRepository providerUserRepository,
+    IUserService userService,
+    IMasterPasswordService masterPasswordService,
+    IPolicyService policyService,
+    IFinishSsoJitProvisionMasterPasswordCommand finishSsoJitProvisionMasterPasswordCommand,
+    ISetInitialMasterPasswordCommandV1 setInitialMasterPasswordCommandV1,
+    ITdeSetPasswordCommand tdeSetPasswordCommand,
+    ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
+    IUpdateTempPasswordCommand updateTempPasswordCommand,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IUserAccountKeysQuery userAccountKeysQuery,
+    ITwoFactorEmailService twoFactorEmailService,
+    IChangeKdfCommand changeKdfCommand,
+    IUserRepository userRepository) : Controller
 {
-    private readonly IOrganizationService _organizationService;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
-    private readonly IProviderUserRepository _providerUserRepository;
-    private readonly IUserService _userService;
-    private readonly IPolicyService _policyService;
-    private readonly ISetInitialMasterPasswordCommandV1 _setInitialMasterPasswordCommandV1;
-    private readonly IFinishSsoJitProvisionMasterPasswordCommand _finishSsoJitProvisionMasterPasswordCommand;
-    private readonly ITdeSetPasswordCommand _tdeSetPasswordCommand;
-    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
-    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
-    private readonly IFeatureService _featureService;
-    private readonly IUserAccountKeysQuery _userAccountKeysQuery;
-    private readonly ITwoFactorEmailService _twoFactorEmailService;
-    private readonly IChangeKdfCommand _changeKdfCommand;
-    private readonly IUserRepository _userRepository;
-
-    public AccountsController(
-        IOrganizationService organizationService,
-        IOrganizationUserRepository organizationUserRepository,
-        IProviderUserRepository providerUserRepository,
-        IUserService userService,
-        IPolicyService policyService,
-        IFinishSsoJitProvisionMasterPasswordCommand finishSsoJitProvisionMasterPasswordCommand,
-        ISetInitialMasterPasswordCommandV1 setInitialMasterPasswordCommandV1,
-        ITdeSetPasswordCommand tdeSetPasswordCommand,
-        ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
-        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-        IFeatureService featureService,
-        IUserAccountKeysQuery userAccountKeysQuery,
-        ITwoFactorEmailService twoFactorEmailService,
-        IChangeKdfCommand changeKdfCommand,
-        IUserRepository userRepository
-        )
-    {
-        _organizationService = organizationService;
-        _organizationUserRepository = organizationUserRepository;
-        _providerUserRepository = providerUserRepository;
-        _userService = userService;
-        _policyService = policyService;
-        _finishSsoJitProvisionMasterPasswordCommand = finishSsoJitProvisionMasterPasswordCommand;
-        _setInitialMasterPasswordCommandV1 = setInitialMasterPasswordCommandV1;
-        _tdeSetPasswordCommand = tdeSetPasswordCommand;
-        _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
-        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
-        _featureService = featureService;
-        _userAccountKeysQuery = userAccountKeysQuery;
-        _twoFactorEmailService = twoFactorEmailService;
-        _changeKdfCommand = changeKdfCommand;
-        _userRepository = userRepository;
-    }
+    private readonly IOrganizationService _organizationService = organizationService;
+    private readonly IOrganizationUserRepository _organizationUserRepository = organizationUserRepository;
+    private readonly IProviderUserRepository _providerUserRepository = providerUserRepository;
+    private readonly IUserService _userService = userService;
+    private readonly IMasterPasswordService _masterPasswordService = masterPasswordService;
+    private readonly IPolicyService _policyService = policyService;
+    private readonly ISetInitialMasterPasswordCommandV1 _setInitialMasterPasswordCommandV1 = setInitialMasterPasswordCommandV1;
+    private readonly IFinishSsoJitProvisionMasterPasswordCommand _finishSsoJitProvisionMasterPasswordCommand = finishSsoJitProvisionMasterPasswordCommand;
+    private readonly ITdeSetPasswordCommand _tdeSetPasswordCommand = tdeSetPasswordCommand;
+    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
+    private readonly IUpdateTempPasswordCommand _updateTempPasswordCommand = updateTempPasswordCommand;
+    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
+    private readonly IUserAccountKeysQuery _userAccountKeysQuery = userAccountKeysQuery;
+    private readonly ITwoFactorEmailService _twoFactorEmailService = twoFactorEmailService;
+    private readonly IChangeKdfCommand _changeKdfCommand = changeKdfCommand;
+    private readonly IUserRepository _userRepository = userRepository;
 
 
     [HttpPost("password-hint")]
@@ -188,6 +173,16 @@ public async Task PostVerifyEmailToken([FromBody] VerifyEmailRequestModel model)
         throw new BadRequestException(ModelState);
     }
 
+    /// <summary>
+    /// For a user updating an existing password.
+    ///
+    /// If calling this when a user does not have a master password, it will fail.
+    /// I don't think is a new boundary that has been introduced.
+    /// Need to double check this / get feedback from Jared.
+    /// </summary>
+    /// <param name="model"></param>
+    /// <exception cref="UnauthorizedAccessException"></exception>
+    /// <exception cref="BadRequestException"></exception>
     [HttpPost("password")]
     public async Task PostPassword([FromBody] PasswordRequestModel model)
     {
@@ -197,8 +192,31 @@ public async Task PostPassword([FromBody] PasswordRequestModel model)
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
-            model.NewMasterPasswordHash, model.MasterPasswordHint, model.Key);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            // Jared, I'm unsure if check password should be turned into a query as a part of this work.
+            if (await _userService.CheckPasswordAsync(user, model.AuthenticationData!.MasterPasswordAuthenticationHash))
+            {
+                result = await _masterPasswordService.UpdateExistingMasterPasswordAndSaveAsync(user, new UpdateExistingPasswordData
+                {
+                    MasterPasswordUnlock = model.UnlockData!.ToData(),
+                    MasterPasswordAuthentication = model.AuthenticationData!.ToData(),
+                    MasterPasswordHint = model.MasterPasswordHint
+                });
+            }
+            else
+            {
+                throw new BadRequestException("Passwords do not match.");
+            }
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash,
+                model.NewMasterPasswordHash, model.MasterPasswordHint, model.Key);
+        }
+
         if (result.Succeeded)
         {
             return;
@@ -222,7 +240,7 @@ public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel
             throw new UnauthorizedAccessException();
         }
 
-        if (model.IsV2Request())
+        if (model.RequestHasNewDataTypes())
         {
             if (model.IsTdeSetPasswordRequest())
             {
@@ -248,8 +266,8 @@ public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel
 
             var result = await _setInitialMasterPasswordCommandV1.SetInitialMasterPasswordAsync(
                 user,
-                model.MasterPasswordHash,
-                model.Key,
+                model.MasterPasswordHash!,
+                model.Key!,
                 model.OrgIdentifier);
 
             if (result.Succeeded)
@@ -288,7 +306,7 @@ public async Task<MasterPasswordPolicyResponseModel> PostVerifyPassword([FromBod
     }
 
     [HttpPost("kdf")]
-    public async Task PostKdf([FromBody] PasswordRequestModel model)
+    public async Task PostKdf([FromBody] ChangeKdfRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
@@ -646,7 +664,25 @@ public async Task PutUpdateTempPasswordAsync([FromBody] UpdateTempPasswordReques
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.UpdateTempPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _updateTempPasswordCommand.UpdateTempPasswordAsync(
+                user,
+                model.UnlockData!.ToData(),
+                model.AuthenticationData!.ToData(),
+                model.MasterPasswordHint);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _userService.UpdateTempPasswordAsync(
+                user,
+                model.NewMasterPasswordHash,
+                model.Key,
+                model.MasterPasswordHint);
+        }
+
         if (result.Succeeded)
         {
             return;
@@ -669,7 +705,17 @@ public async Task PutUpdateTdePasswordAsync([FromBody] UpdateTdeOffboardingPassw
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash, model.Key, model.MasterPasswordHint);
+        IdentityResult result;
+        if (model.RequestHasNewDataTypes())
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.UnlockData!.ToData(), model.AuthenticationData!.ToData(), model.MasterPasswordHint);
+        }
+        // To be removed in PM-33141
+        else
+        {
+            result = await _tdeOffboardingPasswordCommand.UpdateTdeOffboardingPasswordAsync(user, model.NewMasterPasswordHash!, model.Key!, model.MasterPasswordHint);
+        }
+
         if (result.Succeeded)
         {
             return;

@@ -173,7 +173,16 @@ public async Task<EmergencyAccessTakeoverResponseModel> Takeover(Guid id)
     public async Task Password(Guid id, [FromBody] EmergencyAccessPasswordRequestModel model)
     {
         var user = await _userService.GetUserByPrincipalAsync(User);
-        await _emergencyAccessService.PasswordAsync(id, user, model.NewMasterPasswordHash, model.Key);
+
+        if (model.RequestHasNewDataTypes())
+        {
+            await _emergencyAccessService.FinishRecoveryTakeoverAsync(id, user, model.UnlockData!.ToData(), model.AuthenticationData!.ToData());
+        }
+        // To be removed in PM-33141
+        else
+        {
+            await _emergencyAccessService.FinishRecoveryTakeoverAsync(id, user, model.NewMasterPasswordHash!, model.Key!);
+        }
     }
 
     [HttpPost("{id}/view")]

@@ -0,0 +1,39 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Api.Request;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class ChangeKdfRequestModel : IValidatableObject
+{
+    [Required]
+    public required string MasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    [StringLength(300)]
+    public string? NewMasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    public string? Key { get; set; }
+
+    public MasterPasswordAuthenticationDataRequestModel? AuthenticationData { get; set; }
+    public MasterPasswordUnlockDataRequestModel? UnlockData { get; set; }
+
+    // To be removed in PM-33141
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        var hasNewPayloads = AuthenticationData is not null && UnlockData is not null;
+        var hasLegacyPayloads = NewMasterPasswordHash is not null && Key is not null;
+
+        if (hasNewPayloads && hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Cannot provide both new payloads (UnlockData/AuthenticationData) and legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+
+        if (!hasNewPayloads && !hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Must provide either new payloads (UnlockData/AuthenticationData) or legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+    }
+}
@@ -3,17 +3,45 @@
 
 namespace Bit.Api.Auth.Models.Request.Accounts;
 
-public class PasswordRequestModel : SecretVerificationRequestModel
+public class PasswordRequestModel : IValidatableObject
 {
     [Required]
+    public required string MasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
     [StringLength(300)]
-    public required string NewMasterPasswordHash { get; set; }
+    public string? NewMasterPasswordHash { get; set; }
+    [Obsolete("To be removed in PM-33141")]
+    public string? Key { get; set; }
     [StringLength(50)]
     public string? MasterPasswordHint { get; set; }
-    [Required]
-    public required string Key { get; set; }
 
-    // Note: These will eventually become required, but not all consumers are moved over yet.
     public MasterPasswordAuthenticationDataRequestModel? AuthenticationData { get; set; }
     public MasterPasswordUnlockDataRequestModel? UnlockData { get; set; }
+
+    // To be removed in PM-33141
+    public bool RequestHasNewDataTypes()
+    {
+        return UnlockData is not null && AuthenticationData is not null;
+    }
+
+    // To be removed in PM-33141
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        var hasNewPayloads = AuthenticationData is not null && UnlockData is not null;
+        var hasLegacyPayloads = NewMasterPasswordHash is not null && Key is not null;
+
+        if (hasNewPayloads && hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Cannot provide both new payloads (UnlockData/AuthenticationData) and legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+
+        if (!hasNewPayloads && !hasLegacyPayloads)
+        {
+            yield return new ValidationResult(
+                "Must provide either new payloads (UnlockData/AuthenticationData) or legacy payloads (NewMasterPasswordHash/Key).",
+                [nameof(AuthenticationData), nameof(UnlockData), nameof(NewMasterPasswordHash), nameof(Key)]);
+        }
+    }
 }
@@ -58,7 +58,7 @@ public User ToUser(User existingUser)
 
     public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
     {
-        if (IsV2Request())
+        if (RequestHasNewDataTypes())
         {
             // V2 registration
 
@@ -134,7 +134,7 @@ public IEnumerable<ValidationResult> Validate(ValidationContext validationContex
         }
     }
 
-    public bool IsV2Request()
+    public bool RequestHasNewDataTypes()
     {
         // AccountKeys can be null for TDE users, so we don't check that here
         return MasterPasswordAuthentication != null && MasterPasswordUnlock != null;