[deps]: Update nuget minor

Api.dockerfile

@@ -1,6 +1,6 @@
 # ** Build
 
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:9.0-bookworm-slim AS build
 
 # Expose the target architecture set by the `docker build --platform` option, so that
 # we can build the assembly for the correct platform.
@@ -27,7 +27,7 @@ RUN dotnet publish src/Api/ \
 # ** Run
 
 # Use `runtime-deps` instead of `runtime` because we have a self-contained assembly
-FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/runtime-deps:8.0 AS run
+FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/runtime-deps:9.0 AS run
 
 LABEL org.opencontainers.image.title="Passwordless API Test Server"
 LABEL org.opencontainers.image.description="Docker image of the Passwordless API, intended solely for development and integration testing purposes."

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "9.0.0",
+    "version": "9.0.101",
     "rollForward": "latestFeature"
   }
 }

self-host/Dockerfile

@@ -2,7 +2,7 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:9.0-bookworm-slim AS build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@@ -59,7 +59,7 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-se
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim
+FROM mcr.microsoft.com/dotnet/aspnet:9.0-bookworm-slim
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 LABEL com.bitwarden.project="passwordless"

src/AdminConsole/AdminConsole.csproj

@@ -5,7 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.4" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.3.0" />
     <PackageReference Include="Azure.Identity" Version="1.13.1" />
     <PackageReference Include="Datadog.Trace" Version="3.2.0" />
     <PackageReference Include="Humanizer.Core" Version="2.14.1" />
@@ -69,6 +69,7 @@
   </Target>
 
   <Target Name="Run NPM Build" AfterTargets="PostBuildEvent">
+    <Exec Command="npm ci" />
     <Exec Command="npm run build" />
 
     <!-- Passwordless.dev Javascript Client -->

src/AdminConsole/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "scripts": {
     "tw:watch": "tailwindcss -i ./Styles/tailwind.css -o ./wwwroot/css/tailwind.css --watch",
-    "build": "tailwindcss -i ./Styles/tailwind.css -o ./wwwroot/css/tailwind.css"
+    "build": "npx tailwindcss -i ./Styles/tailwind.css -o ./wwwroot/css/tailwind.css"
   },
   "keywords": [],
   "author": "",

src/Api/Program.cs

@@ -30,7 +30,7 @@
 WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
 
 builder.Services.AddEndpointsApiExplorer();
-builder.Services.AddOpenApi();
+builder.Services.AddPasswordlessOpenApi();
 
 if (builder.Configuration.IsSelfHosted())
 {

src/Common/Common.csproj

@@ -5,20 +5,20 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Fido2" Version="4.0.0-beta.14" />
-    <PackageReference Include="Fido2.Models" Version="4.0.0-beta.14" />
+    <PackageReference Include="Fido2" Version="4.0.0-beta.16" />
+    <PackageReference Include="Fido2.Models" Version="4.0.0-beta.16" />
     <PackageReference Include="HtmlSanitizer" Version="8.2.871-beta" />
-    <PackageReference Include="MailKit" Version="4.8.0" />
+    <PackageReference Include="MailKit" Version="4.9.0" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.0" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageReference Include="Serilog.Enrichers.Environment" Version="3.0.1" />
     <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
-    <PackageReference Include="Serilog.Sinks.Datadog.Logs" Version="0.5.3" />
+    <PackageReference Include="Serilog.Sinks.Datadog.Logs" Version="0.5.4" />
     <PackageReference Include="Serilog.Sinks.Seq" Version="8.0.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
     <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
-    <PackageReference Include="AWSSDK.SimpleEmailV2" Version="3.7.404.3" />
+    <PackageReference Include="AWSSDK.SimpleEmailV2" Version="3.7.406.5" />
     <PackageReference Include="SendGrid" Version="9.29.3" />
   </ItemGroup>
 

src/Service/Fido2Service.cs

@@ -1,4 +1,5 @@
-using System.Collections.Immutable;
+using System.Buffers.Text;
+using System.Collections.Immutable;
 using System.Diagnostics;
 using System.Security.Cryptography;
 using System.Text;
@@ -142,15 +143,19 @@ public async Task<SessionResponse<CredentialCreateOptions>> RegisterBeginAsync(F
 
             var attestation = token.Attestation.ToEnum<AttestationConveyancePreference>();
 
-            var options = fido2.RequestNewCredential(
-                user,
-                keyIds,
-                authenticatorSelection,
-                attestation,
-                new AuthenticationExtensionsClientInputs
+            var requestNewCredentialParameters = new RequestNewCredentialParams
+            {
+                User = user,
+                AttestationPreference = attestation,
+                AuthenticatorSelection = authenticatorSelection,
+                ExcludeCredentials = keyIds,
+                Extensions = new AuthenticationExtensionsClientInputs
                 {
                     CredProps = true
-                });
+                }
+            };
+
+            var options = fido2.RequestNewCredential(requestNewCredentialParameters);
 
             options.Hints = token.Hints;
 
@@ -381,20 +386,18 @@ public async Task<TokenResponse> SignInCompleteAsync(SignInCompleteDTO request,
         var credential = await _storage.GetCredential(request.Response.Id);
         if (credential == null)
         {
-            throw new UnknownCredentialException(Base64Url.Encode(request.Response.Id));
+            throw new UnknownCredentialException(Base64Url.EncodeToString(request.Response.Id));
         }
 
         // Create callback to check if userhandle owns the credentialId
         IsUserHandleOwnerOfCredentialIdAsync callback = (args, _) => Task.FromResult(credential.UserHandle.SequenceEqual(args.UserHandle));
 
         // Make the assertion
-        var storedCredentials = (await _storage.GetCredentialsByUserIdAsync(request.Session)).Select(c => c.PublicKey).ToList();
         var makeAssertionParams = new MakeAssertionParams
         {
             AssertionResponse = request.Response,
             OriginalOptions = authenticationSessionConfiguration.Options,
             StoredPublicKey = credential.PublicKey,
-            StoredDevicePublicKeys = storedCredentials,
             StoredSignatureCounter = credential.SignatureCounter,
             IsUserHandleOwnerOfCredentialIdCallback = callback
         };

src/Service/Service.csproj

@@ -1,12 +1,12 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <ItemGroup>
-    <PackageReference Include="Fido2" Version="4.0.0-beta.14" />
-    <PackageReference Include="Fido2.AspNet" Version="4.0.0-beta.14" />
-    <PackageReference Include="Fido2.Models" Version="4.0.0-beta.14" />
+    <PackageReference Include="Fido2" Version="4.0.0-beta.16" />
+    <PackageReference Include="Fido2.AspNet" Version="4.0.0-beta.16" />
+    <PackageReference Include="Fido2.Models" Version="4.0.0-beta.16" />
     <PackageReference Include="Humanizer.Core" Version="2.14.1" />
-    <PackageReference Include="MessagePack" Version="2.5.187" />
-    <PackageReference Include="MessagePackAnalyzer" Version="2.5.187">
+    <PackageReference Include="MessagePack" Version="2.5.192" />
+    <PackageReference Include="MessagePackAnalyzer" Version="2.5.192">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

src/Service/Storage/Ef/EfTenantStorage.cs

@@ -177,7 +177,9 @@ await db.AppFeatures.ExecuteUpdateAsync(x => x
                 existing => features.EnableMagicLinks ?? existing.IsMagicLinksEnabled
             )
             .SetProperty(f => f.EventLoggingRetentionPeriod,
-                existing => features.EventLoggingRetentionPeriod ?? existing.EventLoggingRetentionPeriod
+                existing => features.EventLoggingRetentionPeriod.HasValue
+                    ? features.EventLoggingRetentionPeriod.Value
+                    : existing.EventLoggingRetentionPeriod
             )
         );
 

src/Service/TokenService.cs

@@ -1,6 +1,6 @@
-using System.Security.Cryptography;
+using System.Buffers.Text;
+using System.Security.Cryptography;
 using System.Text;
-using Fido2NetLib;
 using MessagePack;
 using MessagePack.Resolvers;
 using Microsoft.Extensions.Configuration;
@@ -80,7 +80,7 @@ public async Task<T> DecodeTokenAsync<T>(string token, string prefix, bool contr
         MacEnvelope envelope;
         try
         {
-            var envelopeBytes = Base64Url.Decode(token);
+            var envelopeBytes = Base64Url.DecodeFromChars(token);
             envelope = MessagePackSerializer.Deserialize<MacEnvelope>(envelopeBytes);
         }
         // Can happen if the token starts with the right prefix, but is otherwise syntactically incorrect
@@ -160,7 +160,7 @@ public async Task<string> EncodeTokenAsync<T>(T token, string prefix, bool contr
 
         var envelope = new MacEnvelope { Mac = mac, Token = msgpack, KeyId = keyId };
         var envelopeBinary = MessagePackSerializer.Serialize(envelope);
-        var envelopeBinaryB64 = Base64Url.Encode(envelopeBinary);
+        var envelopeBinaryB64 = Base64Url.EncodeToString(envelopeBinary);
 
         if (!string.IsNullOrEmpty(prefix))
         {

tests/AdminConsole.Tests/AdminConsole.Tests.csproj

@@ -2,9 +2,9 @@
 
   <ItemGroup>
     <PackageReference Include="AutoFixture" Version="4.18.1" />
-    <PackageReference Include="bunit" Version="1.34.0" />
+    <PackageReference Include="bunit" Version="1.37.7" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="9.0.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="xunit" Version="2.9.2"/>
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">

tests/Api.IntegrationTests/Api.IntegrationTests.csproj

@@ -3,12 +3,12 @@
   <ItemGroup>
     <PackageReference Include="Bogus" Version="35.6.1"/>
     <PackageReference Include="FluentAssertions" Version="7.0.0"/>
-    <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.4.0" />
+    <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.5.0" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="9.0.0"/>
     <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="9.0.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1"/>
-    <PackageReference Include="Selenium.WebDriver" Version="4.26.1"/>
-    <PackageReference Include="Testcontainers.MsSql" Version="4.0.0"/>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+    <PackageReference Include="Selenium.WebDriver" Version="4.27.0"/>
+    <PackageReference Include="Testcontainers.MsSql" Version="4.1.0"/>
     <PackageReference Include="xunit" Version="2.9.2"/>
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

tests/Api.IntegrationTests/AuthorizationTests.cs

@@ -1,4 +1,6 @@
 using System.Net;
+using System.Net.Http.Json;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.AspNetCore.Routing.Patterns;
 using Microsoft.Extensions.DependencyInjection;
@@ -79,17 +81,11 @@ public async Task ValidateThatMissingApiSecretThrowsAsync()
         using var response = await client.GetAsync("/credentials/list?userId=1");
 
         // Assert
-        var body = await response.Content.ReadAsStringAsync();
+        var actual = await response.Content.ReadFromJsonAsync<ProblemDetails>();
+        Assert.Equal("https://docs.passwordless.dev/guide/errors.html#ApiSecret", actual?.Type);
+        Assert.Equal("A valid 'ApiSecret' header is required.", actual?.Title);
         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
-
-        AssertHelper.AssertEqualJson("""
-        {
-            "type": "https://docs.passwordless.dev/guide/errors.html#ApiSecret",
-            "title": "A valid 'ApiSecret' header is required.",
-            "status": 401,
-            "detail": "A valid 'ApiSecret' header is required."
-        }
-        """, body);
+        Assert.Equal("A valid 'ApiSecret' header is required.", actual?.Detail);
     }
 
     [Fact]
@@ -110,17 +106,11 @@ public async Task ValidateThatInvalidApiSecretThrowsAsync()
         using var response = await client.GetAsync("/credentials/list?userId=1");
 
         // Assert
-        var body = await response.Content.ReadAsStringAsync();
+        var actual = await response.Content.ReadFromJsonAsync<ProblemDetails>();
+        Assert.Equal("https://docs.passwordless.dev/guide/errors.html#ApiSecret", actual?.Type);
+        Assert.Equal("A valid 'ApiSecret' header is required.", actual?.Title);
         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
-
-        AssertHelper.AssertEqualJson("""
-        {
-            "type": "https://docs.passwordless.dev/guide/errors.html#ApiSecret",
-            "title": "A valid 'ApiSecret' header is required.",
-            "status": 401,
-            "detail": "The value of your 'ApiSecret' is not valid."
-        }
-        """, body);
+        Assert.Equal("The value of your 'ApiSecret' is not valid.", actual?.Detail);
     }
 
     [Theory]
@@ -155,17 +145,11 @@ public async Task ApiSecretGivesHelpfulAdviceAsync(string input, string details)
         using var response = await client.SendAsync(request);
 
         // Assert
-        var body = await response.Content.ReadAsStringAsync();
+        var actual = await response.Content.ReadFromJsonAsync<ProblemDetails>();
+        Assert.Equal("https://docs.passwordless.dev/guide/errors.html#ApiSecret", actual?.Type);
+        Assert.Equal("A valid 'ApiSecret' header is required.", actual?.Title);
         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
-
-        AssertHelper.AssertEqualJson($$"""
-        {
-            "type": "https://docs.passwordless.dev/guide/errors.html#ApiSecret",
-            "title": "A valid 'ApiSecret' header is required.",
-            "status": 401,
-            "detail": "{{details}}"
-        }
-        """, body);
+        Assert.Equal(details, actual?.Detail);
     }
 
     [Theory]
@@ -201,17 +185,11 @@ public async Task ApiPublicGivesHelpfulAdviceAsync(string input, string details)
         using var response = await client.SendAsync(request);
 
         // Assert
-        var body = await response.Content.ReadAsStringAsync();
+        var actual = await response.Content.ReadFromJsonAsync<ProblemDetails>();
+        Assert.Equal("https://docs.passwordless.dev/guide/errors.html#ApiKey", actual?.Type);
+        Assert.Equal("A valid 'ApiKey' header is required.", actual?.Title);
         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
-
-        AssertHelper.AssertEqualJson($$"""
-        {
-            "type": "https://docs.passwordless.dev/guide/errors.html#ApiKey",
-            "title": "A valid 'ApiKey' header is required.",
-            "status": 401,
-            "detail": "{{details}}"
-        }
-        """, body);
+        Assert.Equal(details, actual?.Detail);
     }
 
     private static string? CreateRoute(RoutePattern pattern)