[PM-20225] Block no-userkey legacy users (#5640)

* Block legacy users on all clients over 2025.5

* Update message

* Fix test

* Fix test

* Update blocked version

src/Core/Constants.cs

@@ -23,6 +23,7 @@ public static class Constants
 
     public const string Fido2KeyCipherMinimumVersion = "2023.10.0";
     public const string SSHKeyCipherMinimumVersion = "2024.12.0";
+    public const string DenyLegacyUserMinimumVersion = "2025.6.0";
 
     /// <summary>
     /// Used by IdentityServer to identify our own provider.

src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs

@@ -193,7 +193,7 @@ public abstract class BaseRequestValidator<T> where T : class
     protected async Task FailAuthForLegacyUserAsync(User user, T context)
     {
         await BuildErrorResultAsync(
-            $"Encryption key migration is required. Please log in to the web vault at {_globalSettings.BaseServiceUri.VaultWithHash}",
+            $"Legacy encryption without a userkey is no longer supported. To recover your account, please contact support",
             false, context, user);
     }
 

src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs

@@ -27,6 +27,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
 {
     private readonly UserManager<User> _userManager;
     private readonly IUpdateInstallationCommand _updateInstallationCommand;
+    private readonly Version _denyLegacyUserMinimumVersion = new(Constants.DenyLegacyUserMinimumVersion);
 
     public CustomTokenRequestValidator(
         UserManager<User> userManager,
@@ -73,7 +74,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         {
             // Force legacy users to the web for migration
             if (await _userService.IsLegacyUser(GetSubject(context)?.GetSubjectId()) &&
-                context.Result.ValidatedRequest.ClientId != "web")
+                (context.Result.ValidatedRequest.ClientId != "web" || CurrentContext.ClientVersion >= _denyLegacyUserMinimumVersion))
             {
                 await FailAuthForLegacyUserAsync(null, context);
                 return;

test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs

@@ -238,7 +238,7 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
     }
 
     [Theory, BitAutoData, RegisterFinishRequestModelCustomize]
-    public async Task TokenEndpoint_GrantTypeClientCredentials_AsLegacyUser_NotOnWebClient_Fails(
+    public async Task TokenEndpoint_GrantTypeClientCredentials_AsLegacyUser_Fails(
         RegisterFinishRequestModel model,
         string deviceId)
     {
@@ -277,7 +277,7 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
         var errorBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
         var error = AssertHelper.AssertJsonProperty(errorBody.RootElement, "ErrorModel", JsonValueKind.Object);
         var message = AssertHelper.AssertJsonProperty(error, "Message", JsonValueKind.String).GetString();
-        Assert.StartsWith("Encryption key migration is required.", message);
+        Assert.StartsWith("Legacy encryption without a userkey is no longer supported.", message);
     }
 
 

test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs

@@ -373,8 +373,7 @@ public class BaseRequestValidatorTests
         // Assert
         Assert.True(context.GrantResult.IsError);
         var errorResponse = (ErrorResponseModel)context.GrantResult.CustomResponse["ErrorModel"];
-        var expectedMessage = $"Encryption key migration is required. Please log in to the web " +
-                              $"vault at {_globalSettings.BaseServiceUri.VaultWithHash}";
+        var expectedMessage = "Legacy encryption without a userkey is no longer supported. To recover your account, please contact support";
         Assert.Equal(expectedMessage, errorResponse.Message);
     }