Add a master password hash check to account recovery enrollment (#4154)

src/Api/AdminConsole/Controllers/OrganizationUsersController.cs

@@ -456,6 +456,11 @@ public class OrganizationUsersController : Controller
             throw new UnauthorizedAccessException();
         }
 
+        if (!string.IsNullOrWhiteSpace(model.ResetPasswordKey) && !await _userService.VerifySecretAsync(user, model.Secret))
+        {
+            throw new BadRequestException("Incorrect password");
+        }
+
         var callingUserId = user.Id;
         await _organizationService.UpdateUserResetPasswordEnrollmentAsync(
             orgId, userId, model.ResetPasswordKey, callingUserId);

src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs

@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Api.Auth.Models.Request.Accounts;
 using Bit.Api.Models.Request;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -98,7 +99,7 @@ public class OrganizationUserUpdateRequestModel
     }
 }
 
-public class OrganizationUserResetPasswordEnrollmentRequestModel
+public class OrganizationUserResetPasswordEnrollmentRequestModel : SecretVerificationRequestModel
 {
     public string ResetPasswordKey { get; set; }
 }