bitwarden/server
Cleanup opportunities
A small, opinionated list of areas in bitwarden/server where targeted refactor work would pay off. None of these are urgent; they are tracked here for future work.
Oversized files
The largest production C# files in the repo are unusually long:
| File | Lines |
|---|---|
src/Api/Vault/Controllers/CiphersController.cs |
1,713 |
src/Core/Platform/Mail/HandlebarsMailService.cs |
1,648 |
src/Core/AdminConsole/Services/Implementations/OrganizationService.cs |
1,219 |
src/Core/Services/Implementations/UserService.cs |
1,218 |
src/Core/Vault/Services/Implementations/CipherService.cs |
1,175 |
src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs |
1,116 |
The Auth team has been incrementally extracting from UserService (e.g. IMasterPasswordService in PR #7530, 2026-04-22); the same pattern would help in the cipher and organisation services. Extracting bulk operations out of CiphersController into per-route command/query handlers would shrink it considerably.
Nullable-reference-types migration
The codebase has 709 FIXME comments, the majority of which read:
// FIXME: Update this file to be null safe and then delete the line below
#nullable disableThese mark files awaiting the nullable-reference-types migration. Files that have already migrated have removed the #nullable disable. Picking off a few files per PR would cut the FIXME count meaningfully and improve compile-time guarantees.
Old TODOs
234 TODO comments live across .cs files. Many have a Bitwarden Jira-style key (PM-…, AC-…, SM-…) that links them to tickets; a good housekeeping pass is to look for orphan TODOs without keys. Tools team's PR #5891 "PM-20532 - Remove TODO" (2025-05-30) is the kind of cleanup PR worth replicating per team.
Service / Command split
OrganizationService (1,219 lines) and UserService (1,218 lines) have been gradually split into narrower commands under OrganizationFeatures/ and Auth/UserFeatures/. New code should follow the new pattern. Old paths still work, but anything you touch is a candidate for moving into a dedicated command/query class.
Dapper / EF parity
Every domain has the dual Dapper + EF repository pair. The integration test suite (test/Infrastructure.IntegrationTest/) catches behavioural drift, but new methods are sometimes only added to one side. A periodic audit against IXxxRepository interfaces makes sure both sides stay in sync.
Migration script naming
util/Migrator/DbScripts/ files are date-prefixed but not always strictly ordered (some scripts are renamed and re-dated when their merge target changes — see PR commits like "update migration filenames", 2026-04-29). The verify_migrations.ps1 script catches problems, but a documented naming convention would help avoid the renames in the first place.
Unused or stale enum values
Some enums (PolicyType, EventType, DeviceType) carry deprecated entries kept for backward compatibility. A periodic review with the matching client teams would identify which values can finally be dropped.
Test parity
908 test .cs files vs. ~3,500 production files. Critical-path coverage is high but some newer features (Secrets Manager event integrations, some Provider billing flows) lean more on integration tests than unit tests. A targeted pass to add unit tests for command classes that only have integration coverage would help iteration speed.
Mail templates
The 80+ methods on HandlebarsMailService are mostly trivial wrappers (build a model, render, enqueue). A [GenerateMailService] source generator could eliminate the boilerplate in favour of one method per template attribute.
If you take any of these on, coordinate with the relevant CODEOWNERS team — see maintainers.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.