Open-Source Wikis

/

Bitwarden Server

/

Cleanup opportunities

bitwarden/server

Cleanup opportunities

A small, opinionated list of areas in bitwarden/server where targeted refactor work would pay off. None of these are urgent; they are tracked here for future work.

Oversized files

The largest production C# files in the repo are unusually long:

File Lines
src/Api/Vault/Controllers/CiphersController.cs 1,713
src/Core/Platform/Mail/HandlebarsMailService.cs 1,648
src/Core/AdminConsole/Services/Implementations/OrganizationService.cs 1,219
src/Core/Services/Implementations/UserService.cs 1,218
src/Core/Vault/Services/Implementations/CipherService.cs 1,175
src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs 1,116

The Auth team has been incrementally extracting from UserService (e.g. IMasterPasswordService in PR #7530, 2026-04-22); the same pattern would help in the cipher and organisation services. Extracting bulk operations out of CiphersController into per-route command/query handlers would shrink it considerably.

Nullable-reference-types migration

The codebase has 709 FIXME comments, the majority of which read:

// FIXME: Update this file to be null safe and then delete the line below
#nullable disable

These mark files awaiting the nullable-reference-types migration. Files that have already migrated have removed the #nullable disable. Picking off a few files per PR would cut the FIXME count meaningfully and improve compile-time guarantees.

Old TODOs

234 TODO comments live across .cs files. Many have a Bitwarden Jira-style key (PM-…, AC-…, SM-…) that links them to tickets; a good housekeeping pass is to look for orphan TODOs without keys. Tools team's PR #5891 "PM-20532 - Remove TODO" (2025-05-30) is the kind of cleanup PR worth replicating per team.

Service / Command split

OrganizationService (1,219 lines) and UserService (1,218 lines) have been gradually split into narrower commands under OrganizationFeatures/ and Auth/UserFeatures/. New code should follow the new pattern. Old paths still work, but anything you touch is a candidate for moving into a dedicated command/query class.

Dapper / EF parity

Every domain has the dual Dapper + EF repository pair. The integration test suite (test/Infrastructure.IntegrationTest/) catches behavioural drift, but new methods are sometimes only added to one side. A periodic audit against IXxxRepository interfaces makes sure both sides stay in sync.

Migration script naming

util/Migrator/DbScripts/ files are date-prefixed but not always strictly ordered (some scripts are renamed and re-dated when their merge target changes — see PR commits like "update migration filenames", 2026-04-29). The verify_migrations.ps1 script catches problems, but a documented naming convention would help avoid the renames in the first place.

Unused or stale enum values

Some enums (PolicyType, EventType, DeviceType) carry deprecated entries kept for backward compatibility. A periodic review with the matching client teams would identify which values can finally be dropped.

Test parity

908 test .cs files vs. ~3,500 production files. Critical-path coverage is high but some newer features (Secrets Manager event integrations, some Provider billing flows) lean more on integration tests than unit tests. A targeted pass to add unit tests for command classes that only have integration coverage would help iteration speed.

Mail templates

The 80+ methods on HandlebarsMailService are mostly trivial wrappers (build a model, render, enqueue). A [GenerateMailService] source generator could eliminate the boilerplate in favour of one method per template attribute.


If you take any of these on, coordinate with the relevant CODEOWNERS team — see maintainers.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Cleanup opportunities – Bitwarden Server wiki | Factory