E528 [PM-30563] Change error response on Send Access token request by ike-kottlowski · Pull Request #6911 · bitwarden/server · GitHub
[go: up one dir, main page]
Skip to content

[PM-30563] Change error response on Send Access token request #6911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ike-kottlowski wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[PM-30563] Change error response on Send Access token request #6911

ike-kottlowski wants to merge 3 commits into from

Conversation

@ike-kottlowski
Copy link
Contributor
@ike-kottlowski ike-kottlowski commented Jan 28, 2026
edited
Loading

🎟️ Tracking

PM-30563

SDK PR: #717
Client PR: #18620

📔 Objective

To ensure that we return the same response for a valid and invalid email, while still sending the OTP to when the email is correct.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@ike-kottlowski
feat: remove invalid email response and instead return email and OTP …
41348b3 
…required to protect against enumeration attacks.
@ike-kottlowski ike-kottlowski mentioned this pull request Jan 28, 2026
Merged
@ike-kottlowski
chore: dotnet format
6fa4429 
test: updating tests to match new approach.
@github-actions
Copy link
Contributor
github-actions bot commented Jan 28, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Details4f20647c-1cd8-4a13-a161-8cbf2be6ca75

New Issues (1)

Checkmarx found the following issues in this Pull Request

# Severity Issue Source File / Package Checkmarx Insight
1 MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 291
detailsMethod at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow...
Attack Vector
Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Tools/Controllers/SendsController.cs: 68

@ike-kottlowski ike-kottlowski changed the title [PM-30563] Change error response to protect against enumeration [PM-30563] Change error response on Send Access token request Jan 28, 2026
@ike-kottlowski ike-kottlowski mentioned this pull request Jan 28, 2026
Draft
@ike-kottlowski ike-kottlowski added the ai-review Request a Claude code review label Jan 28, 2026
@claude
Copy link
Contributor
claude bot commented Jan 28, 2026
edited
Loading

Claude finished @ike-kottlowski's task in 2m 10s —— View job

Code Review: PM-30563 - Change error response on Send Access token request

Status: Approved

Summary

This PR improves enumeration protection for the Send access email OTP flow by ensuring identical error responses regardless of whether an email address is valid. This is a well-implemented security improvement.

Changes Reviewed

File Assessment
SendAccessConstants.cs Removed EmailInvalid, renamed EmailOtpSent to EmailAndOtpRequired
SendEmailOtpRequestValidator.cs Invalid emails now return same response as valid emails needing OTP
SendNeverAuthenticateRequestValidator.cs Updated to use new constant names
Test files (5 files) Properly updated to reflect new behavior

Security Verification

The enumeration protection is correctly implemented:

  • Invalid email: Returns email_and_otp_required, no OTP generated or sent (returns early at line 50)
  • Valid email, no OTP: Returns email_and_otp_required, OTP generated and sent
  • Result: Identical HTTP responses prevent email enumeration attacks

Code Quality

  • Clear comment at lines 41-47 in SendEmailOtpRequestValidator.cs documenting the design decision
  • Snapshot tests ensure SDK compatibility
  • All removed constants (EmailInvalid, EmailOtpSent) have no remaining references

Verdict

No issues found. This is a clean, focused security improvement that follows best practices for enumeration protection.

Reviewed by Claude Code

@codecov
Copy link
codecov bot commented Jan 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.06%. Comparing base (2a45880) to head (bce0c19).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6911      +/-   ##
==========================================
- Coverage   56.08%   56.06%   -0.03%     
==========================================
  Files        1968     1969       +1     
  Lines       86974    87077     +103     
  Branches     7748     7757       +9     
==========================================
+ Hits        48783    48820      +37     
- Misses      36385    36448      +63     
- Partials     1806     1809       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ike-kottlowski ike-kottlowski marked this pull request as ready for review January 28, 2026 16:26
@ike-kottlowski ike-kottlowski requested a review from a team as a code owner January 28, 2026 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Patrick-Pimentel-Bitwarden Patrick-Pimentel-Bitwarden Awaiting requested review from Patrick-Pimentel-Bitwarden Patrick-Pimentel-Bitwarden is a code owner automatically assigned from bitwarden/team-auth-dev

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review Request a Claude code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ike-kottlowski
0