* Initial implementation of new policy query
* Remove unused using
* Adjusts method name to better match repository method
* Correct namespace
* Initial refactor of policy loading
* Add xml doc, incorporate shim data model
* Updates usages to reflect new shim model
* Prune extranneous data from policy detail response model, format code
* Fix broken test, delete inapplicable test
* Adds test cases covering query
* Adjust codebase to use new PolicyQueryçˆ
* Format code
* Fix incorrect mock on test
* Fix formatting
* Adjust method name
* More naming adjustments
* Add PolicyData constructor, update test usages
* Rename PolicyData -> PolicyStatus
* Remove unused using
* models, entity, and stored procs updated to work with EmailHashes with migrations
* configure data protection for EmailHashes
* update SendAuthenticationQuery to use EmailHashes and perform validation
* respond to Claude's comments and update tests
* fix send.sql alignment
Co-authored-by: mkincaid-bw <mkincaid@bitwarden.com>
---------
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
Co-authored-by: mkincaid-bw <mkincaid@bitwarden.com>
* update send api models to support new `email` field
* normalize authentication field evaluation order
* document send response converters
* add FIXME to remove unused constructor argument
* add FIXME to remove unused constructor argument
* introduce `tools-send-email-otp-listing` feature flag
* add `ISendOwnerQuery` to dependency graph
* fix broken tests
* added AuthType prop to send related models with test coverage and debt cleanup
* dotnet format
* add migrations
* dotnet format
* make SendsController null safe (tech debt)
* add AuthType col to Sends table, change Emails col length to 4000, and run migrations
* dotnet format
* update SPs to expect AuthType
* include SP updates in migrations
* remove migrations not intended for merge
* Revert "remove migrations not intended for merge"
This reverts commit 7df56e346a.
undo migrations removal
* extract AuthType inference to util method and remove SQLite file
* fix lints
* address review comments
* fix incorrect assignment and adopt SQL conventions
* fix column assignment order in Send_Update.sql
* remove space added to email list
* assign SQL default value of NULL to AuthType
* update SPs to match migration changes
* remove FF, update SendAuthQuery, and update tests
* new endpoints added but lack test coverage
* dotnet format
* add PutRemoveAuth endpoint with test coverage and tests for new non-anon endpoints
* update RequireFeatureFlag comment for clarity
* respond to Claude's findings
* add additional validation logic to new auth endpoints
* enforce auth policies on individual action methods
* remove JsonConverter directive for AuthType
* remove tools-send-email-otp-listing feature flag
---------
Co-authored-by: ✨ Audrey ✨ <audrey@audreyality.com>
Co-authored-by: ✨ Audrey ✨ <ajensen@bitwarden.com>
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
* Add the ticket implementation
* Add the unit test
* Fix the lint and test issues
* resolve pr comments
* Fix the error on the test file
* Review suggestion and fixes
* resolve the api access comments
* Gte the key from the client
* Add the gateway type as stripe
* Address the legacy plans issues
* Resolve the misunderstanding
* Add additional storage that we will need if they revert
* Add the previous premium UserId
* V2 prep, rename existing SSO JIT MP command to V1
* set initial master password for account registraton V2
* later removel docs
* TDE MP onboarding split
* revert separate TDE onboarding controller api
* Server side hash of the user master password hash
* use `ValidationResult` instead for validation errors
* unit test coverage
* integration test coverage
* update sql migration script date
* revert validate password change
* better requests validation
* explicit error message when org sso identifier invalid
* more unit test coverage
* renamed onboarding to set, hash naming clarifications
* update db sql script, formatting
* use raw json as request instead of request models for integration test
* v1 integration test coverage
* change of name
* Add OrganizationUser_SelfRevoked event type to EventType enum
* Add SelfRevokeOrganizationUserCommand implementation and interface for user self-revocation from organizations
* Add unit tests for SelfRevokeOrganizationUserCommand to validate user self-revocation logic, including success scenarios and various failure conditions.
* Add ISelfRevokeOrganizationUserCommand registration to OrganizationServiceCollectionExtensions for user self-revocation functionality
* Add self-revoke user functionality to OrganizationUsersController with new endpoint for user-initiated revocation
* Add integration tests for self-revoke functionality in OrganizationUsersController, covering scenarios for eligible users, non-members, and users with owner/admin roles.
* Add unit test for SelfRevokeOrganizationUserCommand to validate behavior when a user attempts to self-revoke without confirmation. This test checks for a BadRequestException with an appropriate message.
* Add MemberRequirement class for organization membership authorization
- Implemented MemberRequirement to check if a user is a member of the organization.
- Added unit tests for MemberRequirement to validate authorization logic for different user types.
* Update authorization requirement for self-revoke endpoint and add integration test for provider users
- Changed authorization attribute from MemberOrProviderRequirement to MemberRequirement in the RevokeSelfAsync method.
- Added a new integration test to verify that provider users who are not members receive a forbidden response when attempting to revoke themselves.
* Add EligibleForSelfRevoke method to OrganizationDataOwnershipPolicyRequirement
- Implemented the EligibleForSelfRevoke method to determine if a user can self-revoke their data ownership based on their membership status and policy state.
- Added unit tests to validate the eligibility logic for confirmed, invited, and non-policy users, as well as for different organization IDs.
* Refactor self-revoke user command to enhance eligibility checks
- Updated the SelfRevokeOrganizationUserCommand to utilize policy requirements for determining user eligibility for self-revocation.
- Implemented checks to prevent the last owner from revoking themselves, ensuring organizational integrity.
- Modified unit tests to reflect changes in eligibility logic and added scenarios for confirmed owners and admins.
- Removed deprecated policy checks and streamlined the command's dependencies.
* Use CommandResult pattern in self-revoke command
* Clearer documentation
* update account storage endpoint
* Fix the failing test
* Added flag and refactor base on pr comments
* fix the lint error
* Resolve the pr comments
* Fix the failing test
* Fix the failing test
* Return none
* Resolve the lint error
* Fix the failing test
* Add the missing test
* Formatting issues fixed
* update send api models to support new `email` field
* normalize authentication field evaluation order
* document send response converters
* add FIXME to remove unused constructor argument
* add FIXME to remove unused constructor argument
* introduce `tools-send-email-otp-listing` feature flag
* add `ISendOwnerQuery` to dependency graph
* fix broken tests
* added AuthType prop to send related models with test coverage and debt cleanup
* dotnet format
* add migrations
* dotnet format
* make SendsController null safe (tech debt)
* add AuthType col to Sends table, change Emails col length to 4000, and run migrations
* dotnet format
* update SPs to expect AuthType
* include SP updates in migrations
* remove migrations not intended for merge
* Revert "remove migrations not intended for merge"
This reverts commit 7df56e346a.
undo migrations removal
* extract AuthType inference to util method and remove SQLite file
* fix lints
* address review comments
* fix incorrect assignment and adopt SQL conventions
* fix column assignment order in Send_Update.sql
* remove space added to email list
* assign SQL default value of NULL to AuthType
* update SPs to match migration changes
---------
Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com>
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
Co-authored-by: John Harrington <84741727+harr1424@users.noreply.github.com>
* implement the ticket request
* resolve the build lint error
* Resolve the build lint error
* Address review comments
* Fixt the lint and failing unit test
* Fix NSubstitute mock - use concrete ClaimsPrincipal instead of Arg.Any in Returns()
* resolve InjectUser issues
* Fix the failing testing
* Fix the failing unit test
Main fix: only assign new key value where old keys are not set
and new keys have been provided.
Refactors:
- use consistent DTO model for keypairs
- delete duplicate property assignment for new orgs
* account v2 registration for key connector
* use new user repository functions
* test coverage
* integration test coverage
* documentation
* code review
* missing test coverage
* fix failing test
* failing test
* incorrect ticket number
* moved back request model to Api, created dedicated data class in Core
* sql stored procedure type mismatch, simplification
* key connector authorization handler
* move billing services+tests to billing namespaces
* reorganized methods in file and added comment headers
* renamed StripeAdapter methods for better clarity
* clean up redundant qualifiers
* Upgrade Stripe.net to v48.4.0
* Update PreviewTaxAmountCommand
* Remove unused UpcomingInvoiceOptionExtensions
* Added SubscriptionExtensions with GetCurrentPeriodEnd
* Update PremiumUserBillingService
* Update OrganizationBillingService
* Update GetOrganizationWarningsQuery
* Update BillingHistoryInfo
* Update SubscriptionInfo
* Remove unused Sql Billing folder
* Update StripeAdapter
* Update StripePaymentService
* Update InvoiceCreatedHandler
* Update PaymentFailedHandler
* Update PaymentSucceededHandler
* Update ProviderEventService
* Update StripeEventUtilityService
* Update SubscriptionDeletedHandler
* Update SubscriptionUpdatedHandler
* Update UpcomingInvoiceHandler
* Update ProviderSubscriptionResponse
* Remove unused Stripe Subscriptions Admin Tool
* Update RemoveOrganizationFromProviderCommand
* Update ProviderBillingService
* Update RemoveOrganizatinoFromProviderCommandTests
* Update PreviewTaxAmountCommandTests
* Update GetCloudOrganizationLicenseQueryTests
* Update GetOrganizationWarningsQueryTests
* Update StripePaymentServiceTests
* Update ProviderBillingControllerTests
* Update ProviderEventServiceTests
* Update SubscriptionDeletedHandlerTests
* Update SubscriptionUpdatedHandlerTests
* Resolve Billing test failures
I completely removed tests for the StripeEventService as they were using a system I setup a while back that read JSON files of the Stripe event structure. I did not anticipate how frequently these structures would change with each API version and the cost of trying to update these specific JSON files to test a very static data retrieval service far outweigh the benefit.
* Resolve Core test failures
* Run dotnet format
* Remove unused provider migration
* Fixed failing tests
* Run dotnet format
* Replace the old webhook secret key with new one (#6223)
* Fix compilation failures in additions
* Run dotnet format
* Bump Stripe API version
* Fix recent addition: CreatePremiumCloudHostedSubscriptionCommand
* Fix new code in main according to Stripe update
* Fix InvoiceExtensions
* Bump SDK version to match API Version
* cleanup
* fixing items missed after the merge
* use expression body for all simple returns
* forgot fixes, format, and pr feedback
* claude pr feedback
* pr feedback and cleanup
* more claude feedback
---------
Co-authored-by: Alex Morask <amorask@bitwarden.com>
Co-authored-by: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com>
* add folders and favorites when sharing a cipher
* refactor folders and favorites assignment to consider existing folders/favorite assignments on a cipher
* remove unneeded string manipulation
* remove comment
* add unit test for folder/favorite sharing
* add migration for sharing a cipher to org and collect reprompt, favorite and folders
* update date timestamp of migration
* Add CQRS and caching support for OrganizationIntegrations
* Use primary constructor for Delete command, per Claude suggestion
* Fix namespace
* Add XMLDoc for new commands / queries
* Remove unnecessary extra call to AddExtendedCache in Startup (call in EventIntegrationsServiceCollectionExtensions handles this instead)
* Alter strategy to use one cache / database call to retrieve all configurations for an event (including wildcards)
* Updated README documentation to reflect updated Caching doc and updated CQRS approach
* Implement optimized bulk invite resend command
- Added IBulkResendOrganizationInvitesCommand interface to define the bulk resend operation.
- Created BulkResendOrganizationInvitesCommand class to handle the logic for resending invites to multiple organization users.
- Integrated logging and validation to ensure only valid users receive invites.
- Included error handling for non-existent organizations and invalid user statuses.
* Add unit tests for BulkResendOrganizationInvitesCommand
- Implemented comprehensive test cases for the BulkResendOrganizationInvitesCommand class.
- Validated user statuses and ensured correct handling of valid and invalid users during bulk invite resends.
- Included tests for scenarios such as organization not found and empty user lists.
- Utilized Xunit and NSubstitute for effective testing and mocking of dependencies.
* Add IBulkResendOrganizationInvitesCommand to service collection
- Registered IBulkResendOrganizationInvitesCommand in the service collection for dependency injection.
* Update OrganizationUsersController to utilize IBulkResendOrganizationInvitesCommand
- Added IBulkResendOrganizationInvitesCommand to the OrganizationUsersController for handling bulk invite resends based on feature flag.
- Updated BulkReinvite method to conditionally use the new command or the legacy service based on the feature flag status.
- Enhanced unit tests to verify correct command usage depending on feature flag state, ensuring robust testing for both scenarios.
* Fix the license validation bug
* resolve the failing test
* fix the failing test
* Revert changes and Add the ui display fix
* remove empty spaces
* revert the changes on licensing file
* revert changes to the test signup
* Revert the org license file changes
* revert the empty spaces
* revert the empty spaces changes
* remove the empty spaces
* revert
* Remove the duplicate code
* Add the expire date fix for premium
* Fix the failing test
* Fix the lint error
* Adding SecretVersion table to server
* making the names singular not plural for new table
* removing migration
* fixing migration
* Adding indexes for serviceacct and orguserId
* indexes for sqllite
* fixing migrations
* adding indexes to secretVeriosn.sql
* tests
* removing tests
* adding GO
* api repository and controller additions for SecretVersion table, as well as tests
* test fix sqllite
* improvements
* removing comments
* making files nullable safe
* Justin Baurs suggested changes
* claude suggestions
* Claude fixes
* test fixes
* fix: Return 200 OK with empty array for HIBP breach endpoint when no breaches found
Changes the HIBP breach check endpoint to return HTTP 200 OK with an empty
JSON array `[]` instead of 404 Not Found when no breaches are found. This
follows proper REST API semantics where 404 should indicate the endpoint
doesn't exist, not that a query returned no results.
Changes:
- src/Api/Dirt/Controllers/HibpController.cs: Lines 67-71
- Changed: return new NotFoundResult(); → return Content("[]", "application/json");
Backward Compatible:
- Clients handle both 200 with [] (new) and 404 (old)
- No breaking changes
- Safe to deploy independently
API Response Changes:
- Before: GET /api/hibp/breach?username=safe@example.com → 404 Not Found
- After: GET /api/hibp/breach?username=safe@example.com → 200 OK, Body: []
Impact:
- No user-facing changes
- Correct REST semantics
- Industry-standard API response pattern
* Address PR feedback: enhance comment and add comprehensive unit tests
Addresses feedback from PR #6661:
1. Enhanced comment per @prograhamming's feedback (lines 69-71):
- Added date stamp (12/1/2025)
- Explained HIBP API behavior: returns 404 when no breaches found
- Clarified HIBP API specification about 404 meaning
- Maintained REST semantics justification
2. Created comprehensive unit tests per Claude bot's Finding 1:
- New file: test/Api.Test/Dirt/HibpControllerTests.cs
- 9 test cases covering all critical scenarios:
* Missing API key validation
* No breaches found (404 → 200 with []) - KEY TEST FOR PR CHANGE
* Breaches found (200 with data)
* Rate limiting with retry logic
* Server error handling (500, 400)
* URL encoding of special characters
* Required headers validation
* Self-hosted vs cloud User-Agent differences
Test Coverage:
- Before: 0% coverage for HibpController
- After: ~90% coverage (all public methods and major paths)
- Uses xUnit, NSubstitute, BitAutoData patterns
- Matches existing Dirt controller test conventions
Changes:
- src/Api/Dirt/Controllers/HibpController.cs: Enhanced comment (+3 lines)
- test/Api.Test/Dirt/HibpControllerTests.cs: New test file (327 lines, 9 tests)
Addresses:
- @prograhamming's comment about enhancing the code comment
- Claude bot's Finding 1: Missing unit tests for HibpController
Related: PM-6979
* fix test/formating errors
* PM-28616 Add flag UsePhishingBlocker to dbo.Organization
* PM-28616 updated as per comments from claude
* PM-28616 updated ToLicense Method to copy the license file
* PM-28616 allow phishing blocker to be imported via license files for self-hosted
* PM-28616 updated PR comments - added more views to be refreshed
* PM-28616 removed proeprty from constructor as it is not used anymore. We have moved to claims based properties
And other refactors:
- move update organization method to a command
- separate authorization from business logic
- add tests
- move Billing Team logic into their service
* Remove feature flag and move StaticStore plans to MockPlans for tests
* Remove old plan models / move sponsored plans out of StaticStore
* Run dotnet format
* Add pricing URI to Development appsettings for local development and integration tests
* Updated Api Integration tests to get current plan type
* Run dotnet format
* Fix failing tests
* Adding auto confirm endpoint and initial command work.
* Adding validator
* Finished command implementation.
* Enabled the feature renomved used method. Enabled the policy in the tests.
* Added extension functions to allow for railroad programming.
* Removed guid from route template. Added xml docs
* Added validation for command.
* Added default collection creation to command.
* formatting.
* Added additional error types and mapped to appropriate results.
* Added tests for auto confirm validator
* Adding tests
* fixing file name
* Cleaned up OrgUserController. Added integration tests.
* Consolidated CommandResult and validation result stuff into a v2 directory.
* changing result to match handle method.
* Moves validation thenasync method.
* Added brackets.
* Updated XML comment
* Adding idempotency comment.
* Fixed up merge problems. Fixed return types for handle.
* Renamed to ValidationRequest
* I added some methods for CommandResult to cover some future use cases. Added ApplyAsync method to execute multiple functions against CommandResult without an error stopping the workflow for side-effects.
* Fixed up logic around should create default colleciton. Added more methods for chaining ValidationResult together. Added logic for user type.
* Clearing nullable enable.
* Fixed up validator tests.
* Tests for auto confirm command
* Fixed up command result and AutoConfirmCommand.
* Removed some unused methods.
* Moved autoconfirm tests to their own class.
* Moved some stuff around. Need to clean up creation of accepted org user yet.
* Moved some more code around. Folded Key into accepted constructor. removed unneeded tests since key and accepted are now a part of AcceptedOrgUser Creation.
* Clean up clean up everybody everywhere. Clean up clean up everybody do your share.
* Another quick one
* Removed aggregate Errors.cs
* Cleaned up validator and fixed up tests.
* Fixed auto confirm repo
* Cleaned up command tests.
* Unused method.
* Restoring Bulk command back to what it was. deleted handle method for bulk.
* Remove unused method.
* removed unnecssary lines and comments
* fixed layout.
* Fixed test.
* fixed spelling mistake. removed unused import.
* Update test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* Ensuring collection is created before full sync. Cleaning up tests and added a few more. Added check that the policy is enabled.
* Added org cleanup
* Lowering to 5 to see if that helps the runner.
* 🤷
* Trying this
* Maybe this time will be different.
* seeing if awaiting and checking independently will work in ci
* I figured it out. Locally, it would be fast enough to all return NoContent, however in CI, its slow enough for it to return 400 due to the user already being confirmed via validation.
* Updated tests and validator
* Fixed name
---------
Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
* The discount badge implementation
* Address the claude pr comments
* Add more unit testing
* Add more test
* used existing flag
* Add the coupon Ids
* Add more code documentation
* Add some recommendation from claude
* Fix addition comments and prs
* Add more integration test
* Fix some comment and add more test
* rename the test methods
* Add more unit test and comments
* Resolve the null issues
* Add more test
* reword the comments
* Rename Variable
* Some code refactoring
* Change the coupon ID to milestone-2c
* Fix the failing Test
* Enhance PolicyRequestModel and SavePolicyRequest with validation for policy data and metadata.
* Add integration tests for policy updates to validate handling of invalid data types in PolicyRequestModel and SavePolicyRequest.
* Add missing using
* Update PolicyRequestModel for null safety by making Data and ValidateAndSerializePolicyData nullable
* Add integration tests for public PoliciesController to validate handling of invalid data types in policy updates.
* Add PolicyDataValidator class for validating and serializing policy data and metadata based on policy type.
* Refactor PolicyRequestModel, SavePolicyRequest, and PolicyUpdateRequestModel to utilize PolicyDataValidator for data validation and serialization, removing redundant methods and improving code clarity.
* Update PolicyRequestModel and SavePolicyRequest to initialize Data and Metadata properties with empty dictionaries.
* Refactor PolicyDataValidator to remove null checks for input data in validation methods
* Rename test methods in SavePolicyRequestTests to reflect handling of empty data and metadata, and remove null assignments in test cases for improved clarity.
* Remove Type property from PolicyRequestModel to use route parameter only
* Run dotnet format
* Enhance error handling in PolicyDataValidator to include field-specific details in BadRequestException messages.
* Enhance PoliciesControllerTests to verify error messages for BadRequest responses by checking for specific field names in the response content.
* refactor: Update PolicyRequestModel and SavePolicyRequest to use nullable dictionaries for Data and Metadata properties; enhance validation methods in PolicyDataValidator to handle null cases.
* test: Add integration tests for handling policies with null data in PoliciesController
* fix: Catch specific JsonException in PolicyDataValidator to improve error handling
* test: Add unit tests for PolicyDataValidator to validate and serialize policy data and metadata
* test: Remove PolicyType from PolicyRequestModel in PoliciesControllerTests
* test: Update PolicyDataValidatorTests to validate organization data ownership metadata
* Refactor PoliciesControllerTests to include policy type in PutVNext method calls
* Add PolicyValidatorsRefactor constant to FeatureFlagKeys in Constants.cs
* Add Metadata property and ToSavePolicyModel method to PolicyUpdateRequestModel
* Refactor PoliciesController to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to PoliciesController.
- Updated PutVNext method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Enhanced unit tests to verify behavior for both enabled and disabled states of the feature flag.
* Update public PoliciesController to to utilize IVNextSavePolicyCommand based on feature flag
- Introduced IFeatureService and IVNextSavePolicyCommand to manage policy saving based on the PolicyValidatorsRefactor feature flag.
- Updated the Put method to conditionally use the new VNextSavePolicyCommand or the legacy SavePolicyCommand.
- Added unit tests to validate the behavior of the Put method for both enabled and disabled states of the feature flag.
* Refactor VerifyOrganizationDomainCommand to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to VerifyOrganizationDomainCommand.
- Updated EnableSingleOrganizationPolicyAsync method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Enhanced unit tests to validate the behavior when the feature flag is enabled.
* Enhance SsoConfigService to utilize IVNextSavePolicyCommand based on feature flag
- Added IFeatureService and IVNextSavePolicyCommand dependencies to SsoConfigService.
- Updated SaveAsync method to conditionally use VNextSavePolicyCommand or SavePolicyCommand based on the PolicyValidatorsRefactor feature flag.
- Added unit tests to validate the behavior when the feature flag is enabled.
* Refactor SavePolicyModel to simplify constructor usage by removing EmptyMetadataModel parameter. Update related usages across the codebase to reflect the new constructor overloads.
* Update PolicyUpdateRequestModel to make Metadata property nullable for improved null safety
* Enhance PolicyRequestModel and SavePolicyRequest with validation for policy data and metadata.
* Add integration tests for policy updates to validate handling of invalid data types in PolicyRequestModel and SavePolicyRequest.
* Add missing using
* Update PolicyRequestModel for null safety by making Data and ValidateAndSerializePolicyData nullable
* Add integration tests for public PoliciesController to validate handling of invalid data types in policy updates.
* Add PolicyDataValidator class for validating and serializing policy data and metadata based on policy type.
* Refactor PolicyRequestModel, SavePolicyRequest, and PolicyUpdateRequestModel to utilize PolicyDataValidator for data validation and serialization, removing redundant methods and improving code clarity.
* Update PolicyRequestModel and SavePolicyRequest to initialize Data and Metadata properties with empty dictionaries.
* Refactor PolicyDataValidator to remove null checks for input data in validation methods
* Rename test methods in SavePolicyRequestTests to reflect handling of empty data and metadata, and remove null assignments in test cases for improved clarity.
* Enhance error handling in PolicyDataValidator to include field-specific details in BadRequestException messages.
* Enhance PoliciesControllerTests to verify error messages for BadRequest responses by checking for specific field names in the response content.
* refactor: Update PolicyRequestModel and SavePolicyRequest to use nullable dictionaries for Data and Metadata properties; enhance validation methods in PolicyDataValidator to handle null cases.
* test: Add integration tests for handling policies with null data in PoliciesController
* fix: Catch specific JsonException in PolicyDataValidator to improve error handling
* test: Add unit tests for PolicyDataValidator to validate and serialize policy data and metadata
* test: Update PolicyDataValidatorTests to validate organization data ownership metadata
* Move account recovery logic to command
(temporarily duplicated behind feature flag)
* Move permission checks to authorization handler
* Prevent user from recovering provider member account
unless they are also provider member
