verify master password on reset password enrollment

src/Api/Controllers/OrganizationUsersController.cs

@@ -267,10 +267,23 @@ namespace Bit.Api.Controllers
         }
         
         [HttpPut("{userId}/reset-password-enrollment")]
-        public async Task PutResetPasswordEnrollment(string orgId, string userId, [FromBody]OrganizationUserResetPasswordEnrollmentRequestModel model)
+        public async Task PutResetPasswordEnrollment(string orgId, string userId,
+            [FromBody]OrganizationUserResetPasswordEnrollmentRequestModel model)
         {
-            var callingUserId = _userService.GetProperUserId(User);
+            var user = await _userService.GetUserByPrincipalAsync(User);
-            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId), new Guid(userId), model.ResetPasswordKey, callingUserId);
+            if(user == null)
+            {
+                throw new UnauthorizedAccessException();
+            }
+
+            if(!await _userService.CheckPasswordAsync(user, model.MasterPasswordHash))
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException("MasterPasswordHash", "Invalid password.");
+            }
+
+            await _organizationService.UpdateUserResetPasswordEnrollmentAsync(new Guid(orgId),
+                new Guid(userId), model.ResetPasswordKey, user.Id);
         }
         
         [HttpPut("{id}/reset-password")]

src/Core/Models/Api/Request/Organizations/OrganizationUserRequestModels.cs

@@ -80,6 +80,10 @@ namespace Bit.Core.Models.Api
     
     public class OrganizationUserResetPasswordEnrollmentRequestModel
     {
+
+        [Required]
+        [StringLength(300)]
+        public string MasterPasswordHash { get; set; }
         public string ResetPasswordKey { get; set; }
     }