[PM-31631] update password pre-login salt response

[ike-kottlowski]

🎟️ Tracking

PM-31631

📔 Objective

With the addition of the salt property used to calculate hash values for passwords we need to add salt to the response object for password/prelogin. Otherwise the client won't know which algorithm and salt to use to when validating for password authentication.

📸 Screenshots

Insomnia API Tooling showing request getting both email and null responses from prelogin/password endpoint

insomnia-12.5.0_Xs8Iy93mz0.mp4

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the latest commits (dfbc28aee, 460cdb59f) on top of the original change. The PR returns the user's stored MasterPasswordSalt from /accounts/prelogin/password and routes non-existent users through EnumerationProtectionHelpers to deterministically pick a salt (email or null). Both prior review threads are resolved: the self-hosted startup warning now uses CoreHelpers.SettingHasValue to align with the controller's enable check, and the email-normalization rationale is now documented inline. Unit and integration test coverage exercises the new branches (stored salt, null stored salt, default-KDF determinism, casing independence).

Code Review Details

• ♻️ : Stale XML comment on Salt property says "Not used yet, just the email from the request at this time" — after this PR Salt is sourced from UserKdfInformation.MasterPasswordSalt or the deterministic default-KDF path, so the comment is now misleading.
  • src/Identity/Models/Response/Accounts/PasswordPreloginResponseModel.cs:36

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.62%. Comparing base (27ae3d5) to head (460cdb5).
⚠️ Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Identity/Startup.cs	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7469      +/-   ##
==========================================
- Coverage   63.87%   59.62%   -4.25%     
==========================================
  Files        2088     2096       +8     
  Lines       92350    92574     +224     
  Branches     8205     8231      +26     
==========================================
- Hits        58987    55201    -3786     
- Misses      31337    35427    +4090     
+ Partials     2026     1946      -80     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – ddd1c08e-7f72-4bbc-bd35-7f5a036f6ee3

Great job! No new security vulnerabilities introduced in this pull request

[JaredSnider-Bitwarden]

Excellent work.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud