[PM-17210] Prevent unintentionally corrupting private keys (#5285)

* Prevent unintentionally corrupting private keys * Deny key update only when replacing existing keys * Fix incorrect use of existing user public/encrypted private key * Fix test * Fix tests * Re-add test * Pass through error for set-password * Fix test * Increase test coverage and simplify checks
2025-06-30 15:42:48 -05:00 · 2025-02-06 21:38:50 +01:00
parent f7d882d760
commit 58d2a7ddaa
3 changed files with 108 additions and 55 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@ -266,8 +266,18 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

+        try
+        {
+            user = model.ToUser(user);
+        }
+        catch (Exception e)
+        {
+            ModelState.AddModelError(string.Empty, e.Message);
+            throw new BadRequestException(ModelState);
+        }
+
        var result = await _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(
-            model.ToUser(user),
+            user,
            model.MasterPasswordHash,
            model.Key,
            model.OrgIdentifier);