Auth/PM-3287 - Remove deprecated ResetMasterPassword property from IdentityTokenResponse

[JaredSnider-Bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-3287
Clients PR: bitwarden/clients#17794
Depends on #6627 merging first.

📔 Objective

To remove the 2 year old, deprecated ResetMasterPassword property which used to indicate if a user had a master password set or not. It has been replaced by the UserDecryptionOptions property. I also confirmed with mobile that this removal will not cause issues for them.

📸 Screenshots

n/a

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Checkmarx One – Scan Summary & Details – 28591304-550a-4632-ab88-28b3f213e29f

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.87%. Comparing base (3de2f98) to head (4ce0fa0).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6676      +/-   ##
==========================================
+ Coverage   53.86%   53.87%   +0.01%     
==========================================
  Files        1917     1917              
  Lines       85126    85116      -10     
  Branches     7620     7618       -2     
==========================================
+ Hits        45853    45858       +5     
+ Misses      37508    37495      -13     
+ Partials     1765     1763       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

The base branch was changed.

[claude]

Claude finished @JaredSnider-Bitwarden's task —— View job

---

Code Review Complete ✅

Tasks

• Review PR changes with bitwarden-code-reviewer agent
• Complete review

---

Review Summary

I've completed a comprehensive security and code review of this PR. The changes cleanly remove the deprecated ResetMasterPassword property that has been replaced by UserDecryptionOptions since 2020.

Key Findings:

✅ Security: No security concerns identified. The change preserves zero-knowledge principles and doesn't impact authentication flow.

✅ Completeness: All references to ResetMasterPassword have been removed. The codebase is clean.

✅ Testing: Integration test updates are appropriate. Existing comprehensive tests for UserDecryptionOptions remain intact.

✅ Breaking Change Justification: This is a well-justified breaking change:

• Property deprecated for ~5 years
• Superior replacement exists and has been available since 2020
• Mobile team confirmed compatibility
• Part of proper technical debt cleanup

Files Changed:

• BaseRequestValidator.cs: Removed property from token response (1 line)
• CustomTokenRequestValidator.cs: Removed backward compatibility code (11 lines)
• IdentityServerTests.cs: Updated test assertions (1 line)

Status: APPROVED - Ready to merge. This is a clean, focused change that successfully removes deprecated code while maintaining security and functionality.

---