fix : add try catch blocks

src/Api/Auth/Controllers/OpaqueKeyExchangeController.cs

@@ -1,68 +1,50 @@
-using Bit.Api.Auth.Models.Request.Opaque;
+using Bit.Core;
-using Bit.Api.Auth.Models.Response.Opaque;
 using Bit.Core.Auth.Models.Api.Request.Opaque;
 using Bit.Core.Auth.Models.Api.Response.Opaque;
 using Bit.Core.Auth.Services;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.Auth.Controllers;
 
+[RequireFeature(FeatureFlagKeys.OpaqueKeyExchange)]
 [Route("opaque")]
-public class OpaqueKeyExchangeController : Controller
+[Authorize("Web")]
+public class OpaqueKeyExchangeController(
+    IOpaqueKeyExchangeService opaqueKeyExchangeService,
+    IUserService userService
+    ) : Controller
 {
-    private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService;
+    private readonly IOpaqueKeyExchangeService _opaqueKeyExchangeService = opaqueKeyExchangeService;
-    private readonly IUserService _userService;
+    private readonly IUserService _userService = userService;
 
-    public OpaqueKeyExchangeController(
+    [HttpPost("start-registration")]
-        IOpaqueKeyExchangeService opaqueKeyExchangeService,
+    public async Task<OpaqueRegistrationStartResponse> StartRegistrationAsync(
-        IUserService userService
+        [FromBody] OpaqueRegistrationStartRequest request)
-    )
     {
-        _opaqueKeyExchangeService = opaqueKeyExchangeService;
+        var user = await _userService.GetUserByPrincipalAsync(User)
-        _userService = userService;
+            ?? throw new UnauthorizedAccessException();
-    }
+        var result = await _opaqueKeyExchangeService.StartRegistration(
-
+            Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration);
-    [Authorize("Web")]
-    [HttpPost("~/opaque/start-registration")]
-    public async Task<OpaqueRegistrationStartResponse> StartRegistrationAsync([FromBody] OpaqueRegistrationStartRequest request)
-    {
-        var user = await _userService.GetUserByPrincipalAsync(User);
-        var result = await _opaqueKeyExchangeService.StartRegistration(Convert.FromBase64String(request.RegistrationRequest), user, request.CipherConfiguration);
         return result;
     }
 
-
+    [HttpPost("finish-registration")]
-    [Authorize("Web")]
+    public async Task FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request)
-    [HttpPost("~/opaque/finish-registration")]
-    public async void FinishRegistrationAsync([FromBody] OpaqueRegistrationFinishRequest request)
     {
-        var user = await _userService.GetUserByPrincipalAsync(User);
+        var user = await _userService.GetUserByPrincipalAsync(User)
-        await _opaqueKeyExchangeService.FinishRegistration(request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet);
+            ?? throw new UnauthorizedAccessException();
+        await _opaqueKeyExchangeService.FinishRegistration(
+            request.SessionId, Convert.FromBase64String(request.RegistrationUpload), user, request.KeySet);
     }
 
-    [Authorize("Web")]
+    [HttpPost("set-registration-active")]
-    [HttpPost("~/opaque/set-registration-active")]
+    public async Task SetRegistrationActiveAsync([FromBody] OpaqueSetRegistrationActiveRequest request)
-    public async void SetRegistrationActive([FromBody] OpaqueSetRegistrationActiveRequest request)
     {
-        var user = await _userService.GetUserByPrincipalAsync(User);
+        var user = await _userService.GetUserByPrincipalAsync(User)
-        await _opaqueKeyExchangeService.SetRegistrationActiveForAccount(request.SessionId, user);
+            ?? throw new UnauthorizedAccessException();
-    }
+        await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase(request.SessionId, user);
-
-    // TODO: Remove and move to token endpoint
-    [HttpPost("~/opaque/start-login")]
-    public async Task<OpaqueLoginStartResponse> StartLoginAsync([FromBody] OpaqueLoginStartRequest request)
-    {
-        var result = await _opaqueKeyExchangeService.StartLogin(Convert.FromBase64String(request.CredentialRequest), request.Email);
-        return new OpaqueLoginStartResponse(result.Item1, Convert.ToBase64String(result.Item2));
-    }
-
-    // TODO: Remove and move to token endpoint
-    [HttpPost("~/opaque/finish-login")]
-    public async Task<bool> FinishLoginAsync([FromBody] OpaqueLoginFinishRequest request)
-    {
-        var result = await _opaqueKeyExchangeService.FinishLogin(request.SessionId, Convert.FromBase64String(request.CredentialFinalization));
-        return result;
     }
 }

src/Core/Auth/Models/Api/Request/Opaque/OpaqueLoginStartRequest.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Bit.Api.Auth.Models.Request.Opaque;
+namespace Bit.Core.Auth.Models.Api.Request.Opaque;
 
 public class OpaqueLoginStartRequest
 {
@@ -8,5 +8,4 @@ public class OpaqueLoginStartRequest
     public string Email { get; set; }
     [Required]
     public string CredentialRequest { get; set; }
-
 }

src/Core/Auth/Services/IOpaqueKeyExchangeService.cs

@@ -18,14 +18,15 @@ public interface IOpaqueKeyExchangeService
     /// <returns>void</returns>
     public Task<OpaqueRegistrationStartResponse> StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration);
     /// <summary>
-    /// This doesn't actually finish registration. It updates the cache with the server setup and cipher configuration so that the clearly named "SetActive" method can finish registration.
+    /// This updates the cache with the server setup and cipher configuration so that WriteCacheCredentialToDatabase method can finish registration
+    /// by writing the credential to the database.
     /// </summary>
     /// <param name="sessionId">Cache Id</param>
     /// <param name="registrationUpload">Byte Array for Rust Magic</param>
     /// <param name="user">User being acted on</param>
     /// <param name="keyset">Key Pair that can be used for vault decryption</param>
     /// <returns>void</returns>
-    public Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset);
+    public Task<bool> FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset);
     /// <summary>
     /// Returns server crypto material for the client to consume and reply with a login request to the identity/token endpoint.
     /// To protect against account enumeration we will always return a deterministic response based on the user's email.
@@ -52,21 +53,21 @@ public interface IOpaqueKeyExchangeService
     /// <summary>
     /// Clears the authentication session from the cache.
     /// </summary>
-    /// <param name="sessionId"></param>
+    /// <param name="sessionId">session being acted on.</param>
-    /// <returns></returns>
+    /// <returns>void</returns>
     public Task ClearAuthenticationSession(Guid sessionId);
     /// <summary>
-    /// This is where registration really finishes. This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added.
+    /// This method writes the Credential to the database. If a credential already exists then it will be removed before the new one is added.
     /// A user can only have one credential.
     /// </summary>
     /// <param name="sessionId">cache value</param>
     /// <param name="user">user being acted on</param>
-    /// <returns>void</returns>
+    /// <returns>bool based on action result</returns>
-    public Task SetRegistrationActiveForAccount(Guid sessionId, User user);
+    public Task<bool> WriteCacheCredentialToDatabase(Guid sessionId, User user);
     /// <summary>
-    /// Removes the credential for the user.
+    /// Removes the credential for the user. If the user does not exist then this does nothing.
     /// </summary>
-    /// <param name="user">user being acted on</param>
+    /// <param name="user">User being acted on.</param>
     /// <returns>void</returns>
-    public Task Unenroll(User user);
+    public Task RemoveUserOpaqueKeyExchangeCredential(User user);
 }

src/Core/Auth/Services/Implementations/OpaqueKeyExchangeService.cs

@@ -10,6 +10,7 @@ using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bitwarden.Opaque;
 using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.Auth.Services;
 
@@ -21,6 +22,7 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
     private readonly IOpaqueKeyExchangeCredentialRepository _opaqueKeyExchangeCredentialRepository;
     private readonly IDistributedCache _distributedCache;
     private readonly IUserRepository _userRepository;
+    private readonly ILogger<OpaqueKeyExchangeService> _logger;
 
     const string REGISTER_SESSION_KEY = "opaque_register_session_{0}";
     const string LOGIN_SESSION_KEY = "opaque_login_session_{0}";
@@ -28,104 +30,119 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
     public OpaqueKeyExchangeService(
         IOpaqueKeyExchangeCredentialRepository opaqueKeyExchangeCredentialRepository,
         IDistributedCache distributedCache,
-        IUserRepository userRepository
+        IUserRepository userRepository,
+        ILogger<OpaqueKeyExchangeService> logger
         )
     {
         _bitwardenOpaque = new BitwardenOpaqueServer();
         _opaqueKeyExchangeCredentialRepository = opaqueKeyExchangeCredentialRepository;
         _distributedCache = distributedCache;
         _userRepository = userRepository;
+        _logger = logger;
     }
 
-    public async Task<OpaqueRegistrationStartResponse> StartRegistration(byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration)
+    public async Task<OpaqueRegistrationStartResponse> StartRegistration(
+        byte[] request, User user, OpaqueKeyExchangeCipherConfiguration cipherConfiguration)
     {
-        var registrationRequest = _bitwardenOpaque.StartRegistration(cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString());
+        var registrationRequest = _bitwardenOpaque.StartRegistration(
+            cipherConfiguration.ToNativeConfiguration(), null, request, user.Id.ToString());
 
         var sessionId = Guid.NewGuid();
-        var registerSession = new OpaqueKeyExchangeRegisterSession() { SessionId = sessionId, ServerSetup = registrationRequest.serverSetup, CipherConfiguration = cipherConfiguration, UserId = user.Id };
+        var registerSession = new OpaqueKeyExchangeRegisterSession()
-        await _distributedCache.SetAsync(string.Format(REGISTER_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession)));
+        {
+            SessionId = sessionId,
+            ServerSetup = registrationRequest.serverSetup,
+            CipherConfiguration = cipherConfiguration,
+            UserId = user.Id
+        };
+        await _distributedCache.SetAsync(
+            string.Format(REGISTER_SESSION_KEY, sessionId),
+            Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession)));
 
-        return new OpaqueRegistrationStartResponse(sessionId, Convert.ToBase64String(registrationRequest.registrationResponse));
+        return new OpaqueRegistrationStartResponse(
+            sessionId, Convert.ToBase64String(registrationRequest.registrationResponse));
     }
 
-    public async Task FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset)
+    public async Task<bool> FinishRegistration(Guid sessionId, byte[] registrationUpload, User user, RotateableOpaqueKeyset keyset)
     {
-        var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId));
-        if (serializedRegisterSession == null)
-        {
-            throw new InvalidOperationException("Session not found");
-        }
-
         try
         {
+            var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId))
+                ?? throw new Exception("Session not found");
             var registerSession = JsonSerializer.Deserialize<OpaqueKeyExchangeRegisterSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
             var registrationFinish = _bitwardenOpaque.FinishRegistration(registerSession.CipherConfiguration.ToNativeConfiguration(), registrationUpload);
             registerSession.PasswordFile = registrationFinish.serverRegistration;
             registerSession.KeySet = Encoding.ASCII.GetBytes(JsonSerializer.Serialize(keyset));
             await _distributedCache.SetAsync(string.Format(REGISTER_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(registerSession)));
+            return true;
         }
         catch (Exception e)
         {
             await _distributedCache.RemoveAsync(string.Format(REGISTER_SESSION_KEY, sessionId));
-            throw new Exception(e.Message);
+            _logger.LogError(e, "Error finishing registration for user {UserId}", user.Id);
+            return false;
         }
     }
 
     public async Task<(Guid, byte[])> StartLogin(byte[] request, string email)
     {
-        var user = await _userRepository.GetByEmailAsync(email);
+        try
-        if (user == null)
         {
-            // todo don't allow user enumeration
+            // todo: don't allow user enumeration
-            throw new InvalidOperationException("User not found");
+            var user = await _userRepository.GetByEmailAsync(email)
+                ?? throw new InvalidOperationException("User not found");
+
+            // todo: generate fake credential
+            var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id)
+                ?? throw new InvalidOperationException("Credential not found");
+
+            var cipherConfiguration = JsonSerializer.Deserialize<OpaqueKeyExchangeCipherConfiguration>(credential.CipherConfiguration)!;
+            var credentialBlob = JsonSerializer.Deserialize<OpaqueKeyExchangeCredentialBlob>(credential.CredentialBlob)!;
+            var serverSetup = credentialBlob.ServerSetup;
+            var serverRegistration = credentialBlob.PasswordFile;
+
+            var loginResponse = _bitwardenOpaque.StartLogin(
+                cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString());
+
+            var sessionId = MakeCryptoGuid();
+            var loginSession = new OpaqueKeyExchangeLoginSession()
+            {
+                UserId = user.Id,
+                LoginState = loginResponse.state,
+                CipherConfiguration = cipherConfiguration,
+                IsAuthenticated = false
+            };
+            await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
+            return (sessionId, loginResponse.credentialResponse);
         }
-
+        catch (InvalidOperationException e)
-        var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id);
-        if (credential == null)
         {
-            // generate fake credential
+            _logger.LogError(e, "Error starting login for user {Email}", email);
-            throw new InvalidOperationException("Credential not found");
+            return (Guid.Empty, []);
         }
-
-        var cipherConfiguration = JsonSerializer.Deserialize<OpaqueKeyExchangeCipherConfiguration>(credential.CipherConfiguration)!;
-        var credentialBlob = JsonSerializer.Deserialize<OpaqueKeyExchangeCredentialBlob>(credential.CredentialBlob)!;
-        var serverSetup = credentialBlob.ServerSetup;
-        var serverRegistration = credentialBlob.PasswordFile;
-
-        var loginResponse = _bitwardenOpaque.StartLogin(cipherConfiguration.ToNativeConfiguration(), serverSetup, serverRegistration, request, user.Id.ToString());
-        var sessionId = MakeCryptoGuid();
-        var loginSession = new OpaqueKeyExchangeLoginSession()
-        {
-            UserId = user.Id,
-            LoginState = loginResponse.state,
-            CipherConfiguration = cipherConfiguration,
-            IsAuthenticated = false
-        };
-        await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
-        return (sessionId, loginResponse.credentialResponse);
     }
 
     public async Task<bool> FinishLogin(Guid sessionId, byte[] credentialFinalization)
     {
-        var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
-        if (serializedLoginSession == null)
-        {
-            throw new InvalidOperationException("Session not found");
-        }
-        var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
-
-        var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId);
-        if (credential == null)
-        {
-            throw new InvalidOperationException("Credential not found");
-        }
-
-        var loginState = loginSession.LoginState;
-        var cipherConfiguration = loginSession.CipherConfiguration;
-        await _distributedCache.RemoveAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
-
         try
         {
+            var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
+            if (serializedLoginSession == null)
+            {
+                throw new InvalidOperationException("Session not found");
+            }
+            var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
+
+            var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(loginSession.UserId);
+            if (credential == null)
+            {
+                throw new InvalidOperationException("Credential not found");
+            }
+
+            var loginState = loginSession.LoginState;
+            var cipherConfiguration = loginSession.CipherConfiguration;
+            await _distributedCache.RemoveAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
+
             var success = _bitwardenOpaque.FinishLogin(cipherConfiguration.ToNativeConfiguration(), loginState, credentialFinalization);
             loginSession.IsAuthenticated = true;
             await _distributedCache.SetAsync(string.Format(LOGIN_SESSION_KEY, sessionId), Encoding.ASCII.GetBytes(JsonSerializer.Serialize(loginSession)));
@@ -141,66 +158,78 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
 
     public async Task<User?> GetUserForAuthenticatedSession(Guid sessionId)
     {
-        var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId));
+        try
-        if (serializedLoginSession == null)
         {
-            throw new InvalidOperationException("Session not found");
+            var serializedLoginSession = await _distributedCache.GetAsync(string.Format(LOGIN_SESSION_KEY, sessionId))
-        }
+                ?? throw new InvalidOperationException("Session not found");
-        var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
 
-        if (!loginSession.IsAuthenticated)
+            var loginSession = JsonSerializer.Deserialize<OpaqueKeyExchangeLoginSession>(Encoding.ASCII.GetString(serializedLoginSession))!;
+
+            if (!loginSession.IsAuthenticated)
+            {
+                throw new InvalidOperationException("Session not authenticated");
+            }
+
+            return await _userRepository.GetByIdAsync(loginSession.UserId!)!;
+        }
+        catch (InvalidOperationException e)
         {
-            throw new InvalidOperationException("Session not authenticated");
+            _logger.LogError(e, "Error authenticating user session {SessionId}", sessionId);
+            return null;
         }
-
-        return await _userRepository.GetByIdAsync(loginSession.UserId!)!;
     }
 
-    public async Task SetRegistrationActiveForAccount(Guid sessionId, User user)
+    public async Task<bool> WriteCacheCredentialToDatabase(Guid sessionId, User user)
     {
-        var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId));
+        try
-        if (serializedRegisterSession == null)
         {
-            throw new InvalidOperationException("Session not found");
+            var serializedRegisterSession = await _distributedCache.GetAsync(string.Format(REGISTER_SESSION_KEY, sessionId))
-        }
+                ?? throw new InvalidOperationException("Session not found");
-        var session = JsonSerializer.Deserialize<OpaqueKeyExchangeRegisterSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
 
-        if (session.UserId != user.Id)
+            var session = JsonSerializer.Deserialize<OpaqueKeyExchangeRegisterSession>(Encoding.ASCII.GetString(serializedRegisterSession))!;
-        {
+            if (session.UserId != user.Id)
-            throw new InvalidOperationException("Session does not belong to user");
+            {
-        }
+                throw new InvalidOperationException("Session does not belong to user");
-        if (session.PasswordFile == null)
+            }
-        {
+            if (session.PasswordFile == null)
-            throw new InvalidOperationException("Session did not complete registration");
+            {
-        }
+                throw new InvalidOperationException("Session did not complete registration");
-        if (session.KeySet == null)
+            }
-        {
+            if (session.KeySet == null)
-            throw new InvalidOperationException("Session did not complete registration");
+            {
-        }
+                throw new InvalidOperationException("Session did not complete registration");
+            }
 
-        var keyset = JsonSerializer.Deserialize<RotateableOpaqueKeyset>(Encoding.ASCII.GetString(session.KeySet))!;
+            var keyset = JsonSerializer.Deserialize<RotateableOpaqueKeyset>(Encoding.ASCII.GetString(session.KeySet))!;
-        var credentialBlob = new OpaqueKeyExchangeCredentialBlob()
+            var credentialBlob = new OpaqueKeyExchangeCredentialBlob()
-        {
+            {
-            PasswordFile = session.PasswordFile,
+                PasswordFile = session.PasswordFile,
-            ServerSetup = session.ServerSetup
+                ServerSetup = session.ServerSetup
-        };
+            };
 
-        var credential = new OpaqueKeyExchangeCredential()
+            var credential = new OpaqueKeyExchangeCredential()
-        {
+            {
-            UserId = user.Id,
+                UserId = user.Id,
-            CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration),
+                CipherConfiguration = JsonSerializer.Serialize(session.CipherConfiguration),
-            CredentialBlob = JsonSerializer.Serialize(credentialBlob),
+                CredentialBlob = JsonSerializer.Serialize(credentialBlob),
-            EncryptedPrivateKey = keyset.EncryptedPrivateKey,
+                EncryptedPrivateKey = keyset.EncryptedPrivateKey,
-            EncryptedPublicKey = keyset.EncryptedPublicKey,
+                EncryptedPublicKey = keyset.EncryptedPublicKey,
-            EncryptedUserKey = keyset.EncryptedUserKey,
+                EncryptedUserKey = keyset.EncryptedUserKey,
-            CreationDate = DateTime.UtcNow
+                CreationDate = DateTime.UtcNow
-        };
+            };
 
-        await Unenroll(user);
+            await RemoveUserOpaqueKeyExchangeCredential(user);
-        await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential);
+            await _opaqueKeyExchangeCredentialRepository.CreateAsync(credential);
+            return true;
+        }
+        catch (InvalidOperationException e)
+        {
+            _logger.LogError(e, "Error writing cache opaque credential to database for user {UserId}", user.Id);
+            return false;
+        }
     }
 
-    public async Task Unenroll(User user)
+    public async Task RemoveUserOpaqueKeyExchangeCredential(User user)
     {
         var credential = await _opaqueKeyExchangeCredentialRepository.GetByUserIdAsync(user.Id);
         if (credential != null)
@@ -209,10 +238,14 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
         }
     }
 
+    /// <summary>
+    /// Makes a cryptographically secure GUID to use as a session Id.
+    /// </summary>
+    /// <returns>GUID</returns>
     private static Guid MakeCryptoGuid()
     {
         // Get 16 cryptographically random bytes
-        byte[] data = RandomNumberGenerator.GetBytes(16);
+        var data = RandomNumberGenerator.GetBytes(16);
 
         // Mark it as a version 4 GUID
         data[7] = (byte)((data[7] | (byte)0x40) & (byte)0x4f);
@@ -227,6 +260,11 @@ public class OpaqueKeyExchangeService : IOpaqueKeyExchangeService
     }
 }
 
+/// <summary>
+/// Object saved to the cache for a registration session. We store the registration object in
+/// the cache so we can maintain key material separation between the client and server.
+/// If we used a Tokenable then it could expose the Server Key material to the client.
+/// </summary>
 public class OpaqueKeyExchangeRegisterSession
 {
     public required Guid SessionId { get; set; }
@@ -237,6 +275,11 @@ public class OpaqueKeyExchangeRegisterSession
     public byte[]? KeySet { get; set; }
 }
 
+/// <summary>
+/// This object is used to accomplish a Pushed Authorization Request (PAR) "adjacent" type action. Where we
+/// track authentication state in the cache so when a user finishes authentication they only need
+/// the Cryptographically secure GUID sessionId.
+/// </summary>
 public class OpaqueKeyExchangeLoginSession
 {
     public required Guid UserId { get; set; }

src/Core/Services/Implementations/UserService.cs

@@ -670,11 +670,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
 
             if (opaqueSessionId != null)
             {
-                await _opaqueKeyExchangeService.SetRegistrationActiveForAccount((Guid)opaqueSessionId, user);
+                await _opaqueKeyExchangeService.WriteCacheCredentialToDatabase((Guid)opaqueSessionId, user);
             }
             else
             {
-                await _opaqueKeyExchangeService.Unenroll(user);
+                await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
             }
             await _userRepository.ReplaceAsync(user);
             await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
@@ -817,7 +817,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         user.Key = key;
 
         // TODO: Add Opaque-KE support
-        await _opaqueKeyExchangeService.Unenroll(user);
+        await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
         await _userRepository.ReplaceAsync(user);
         await _mailService.SendAdminResetPasswordEmailAsync(user.Email, user.Name, org.DisplayName());
         await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_AdminResetPassword);
@@ -845,7 +845,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         user.MasterPasswordHint = hint;
 
         // TODO: Add Opaque-KE support
-        await _opaqueKeyExchangeService.Unenroll(user);
+        await _opaqueKeyExchangeService.RemoveUserOpaqueKeyExchangeCredential(user);
         await _userRepository.ReplaceAsync(user);
         await _mailService.SendUpdatedTempPasswordEmailAsync(user.Email, user.Name);
         await _eventService.LogUserEventAsync(user.Id, EventType.User_UpdatedTempPassword);

src/Identity/Controllers/AccountsController.cs

@@ -1,7 +1,6 @@
 using System.Diagnostics;
 using System.Text;
 using System.Text.Json;
-using Bit.Api.Auth.Models.Request.Opaque;
 using Bit.Api.Auth.Models.Response.Opaque;
 using Bit.Core;
 using Bit.Core.Auth.Enums;