Merge branch 'master' into feature/flexible-collections

Directory.Build.props

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
-    <Version>2023.8.2</Version>
+    <Version>2023.8.3</Version>
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
     <ImplicitUsings>enable</ImplicitUsings>

bitwarden_license/src/Commercial.Core/SecretsManager/Queries/Projects/MaxProjectsQuery.cs

@@ -20,7 +20,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
         _projectRepository = projectRepository;
     }
 
-    public async Task<(short? max, bool? atMax)> GetByOrgIdAsync(Guid organizationId)
+    public async Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd)
     {
         var org = await _organizationRepository.GetByIdAsync(organizationId);
         if (org == null)
@@ -37,7 +37,7 @@ public class MaxProjectsQuery : IMaxProjectsQuery
         if (plan.Type == PlanType.Free)
         {
             var projects = await _projectRepository.GetProjectCountByOrganizationIdAsync(organizationId);
-            return projects >= plan.MaxProjects ? (plan.MaxProjects, true) : (plan.MaxProjects, false);
+            return projects + projectsToAdd > plan.MaxProjects ? (plan.MaxProjects, true) : (plan.MaxProjects, false);
         }
 
         return (null, null);

bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs

@@ -22,7 +22,7 @@ public class MaxProjectsQueryTests
     {
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(default).ReturnsNull();
 
-        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetByOrgIdAsync(organizationId));
+        await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetByOrgIdAsync(organizationId, 1));
 
         await sutProvider.GetDependency<IProjectRepository>().DidNotReceiveWithAnyArgs()
             .GetProjectCountByOrganizationIdAsync(organizationId);
@@ -43,7 +43,7 @@ public class MaxProjectsQueryTests
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
         await Assert.ThrowsAsync<BadRequestException>(
-            async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id));
+            async () => await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1));
 
         await sutProvider.GetDependency<IProjectRepository>().DidNotReceiveWithAnyArgs()
             .GetProjectCountByOrganizationIdAsync(organization.Id);
@@ -60,7 +60,7 @@ public class MaxProjectsQueryTests
         organization.PlanType = planType;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
 
-        var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id);
+        var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);
 
         Assert.Null(limit);
         Assert.Null(overLimit);
@@ -70,13 +70,31 @@ public class MaxProjectsQueryTests
     }
 
     [Theory]
-    [BitAutoData(PlanType.Free, 0, false)]
+    [BitAutoData(PlanType.Free, 0, 1, false)]
-    [BitAutoData(PlanType.Free, 1, false)]
+    [BitAutoData(PlanType.Free, 1, 1, false)]
-    [BitAutoData(PlanType.Free, 2, false)]
+    [BitAutoData(PlanType.Free, 2, 1, false)]
-    [BitAutoData(PlanType.Free, 3, true)]
+    [BitAutoData(PlanType.Free, 3, 1, true)]
-    [BitAutoData(PlanType.Free, 4, true)]
+    [BitAutoData(PlanType.Free, 4, 1, true)]
-    [BitAutoData(PlanType.Free, 40, true)]
+    [BitAutoData(PlanType.Free, 40, 1, true)]
-    public async Task GetByOrgIdAsync_SmFreePlan_Success(PlanType planType, int projects, bool shouldBeAtMax,
+    [BitAutoData(PlanType.Free, 0, 2, false)]
+    [BitAutoData(PlanType.Free, 1, 2, false)]
+    [BitAutoData(PlanType.Free, 2, 2, true)]
+    [BitAutoData(PlanType.Free, 3, 2, true)]
+    [BitAutoData(PlanType.Free, 4, 2, true)]
+    [BitAutoData(PlanType.Free, 40, 2, true)]
+    [BitAutoData(PlanType.Free, 0, 3, false)]
+    [BitAutoData(PlanType.Free, 1, 3, true)]
+    [BitAutoData(PlanType.Free, 2, 3, true)]
+    [BitAutoData(PlanType.Free, 3, 3, true)]
+    [BitAutoData(PlanType.Free, 4, 3, true)]
+    [BitAutoData(PlanType.Free, 40, 3, true)]
+    [BitAutoData(PlanType.Free, 0, 4, true)]
+    [BitAutoData(PlanType.Free, 1, 4, true)]
+    [BitAutoData(PlanType.Free, 2, 4, true)]
+    [BitAutoData(PlanType.Free, 3, 4, true)]
+    [BitAutoData(PlanType.Free, 4, 4, true)]
+    [BitAutoData(PlanType.Free, 40, 4, true)]
+    public async Task GetByOrgIdAsync_SmFreePlan__Success(PlanType planType, int projects, int projectsToAdd, bool expectedOverMax,
         SutProvider<MaxProjectsQuery> sutProvider, Organization organization)
     {
         organization.PlanType = planType;
@@ -84,12 +102,12 @@ public class MaxProjectsQueryTests
         sutProvider.GetDependency<IProjectRepository>().GetProjectCountByOrganizationIdAsync(organization.Id)
             .Returns(projects);
 
-        var (max, atMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id);
+        var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);
 
         Assert.NotNull(max);
-        Assert.NotNull(atMax);
+        Assert.NotNull(overMax);
         Assert.Equal(3, max.Value);
-        Assert.Equal(shouldBeAtMax, atMax);
+        Assert.Equal(expectedOverMax, overMax);
 
         await sutProvider.GetDependency<IProjectRepository>().Received(1)
             .GetProjectCountByOrganizationIdAsync(organization.Id);

dev/docker-compose.yml

@@ -68,7 +68,7 @@ services:
       - mysql
 
   idp:
-    image: kenchan0130/simplesamlphp:1.19.3
+    image: kenchan0130/simplesamlphp:1.19.8
     container_name: idp
     ports:
       - "8090:8080"

src/Api/SecretsManager/Controllers/ProjectsController.cs

@@ -79,8 +79,8 @@ public class ProjectsController : Controller
             throw new NotFoundException();
         }
 
-        var (max, atMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId);
+        var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, 1);
-        if (atMax != null && atMax.Value)
+        if (overMax != null && overMax.Value)
         {
             throw new BadRequestException($"You have reached the maximum number of projects ({max}) for this plan.");
         }

src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs

@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.Commands.Porting.Interfaces;
+using Bit.Core.SecretsManager.Queries.Projects.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@@ -19,14 +20,18 @@ public class SecretsManagerPortingController : Controller
     private readonly ISecretRepository _secretRepository;
     private readonly IProjectRepository _projectRepository;
     private readonly IUserService _userService;
+    private readonly IMaxProjectsQuery _maxProjectsQuery;
     private readonly IImportCommand _importCommand;
     private readonly ICurrentContext _currentContext;
 
-    public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository, IUserService userService, IImportCommand importCommand, ICurrentContext currentContext)
+    public SecretsManagerPortingController(ISecretRepository secretRepository, IProjectRepository projectRepository,
+        IUserService userService, IMaxProjectsQuery maxProjectsQuery, IImportCommand importCommand,
+        ICurrentContext currentContext)
     {
         _secretRepository = secretRepository;
         _projectRepository = projectRepository;
         _userService = userService;
+        _maxProjectsQuery = maxProjectsQuery;
         _importCommand = importCommand;
         _currentContext = currentContext;
     }
@@ -69,6 +74,16 @@ public class SecretsManagerPortingController : Controller
             throw new BadRequestException("A secret can only be in one project at a time.");
         }
 
+        var projectsToAdd = importRequest.Projects?.Count();
+        if (projectsToAdd is > 0)
+        {
+            var (max, overMax) = await _maxProjectsQuery.GetByOrgIdAsync(organizationId, projectsToAdd.Value);
+            if (overMax != null && overMax.Value)
+            {
+                throw new BadRequestException($"The maximum number of projects for this plan is ({max}).");
+            }
+        }
+
         await _importCommand.ImportAsync(organizationId, importRequest.ToSMImport());
     }
 }

src/Core/Auth/Services/Implementations/AuthRequestService.cs

@@ -82,27 +82,32 @@ public class AuthRequestService : IAuthRequestService
     /// </remarks>
     public async Task<AuthRequest> CreateAuthRequestAsync(AuthRequestCreateRequestModel model)
     {
-        var user = await _userRepository.GetByEmailAsync(model.Email);
-        if (user == null)
-        {
-            throw new NotFoundException();
-        }
-
         if (!_currentContext.DeviceType.HasValue)
         {
             throw new BadRequestException("Device type not provided.");
         }
 
-        if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
+        var userNotFound = false;
+        var user = await _userRepository.GetByEmailAsync(model.Email);
+        if (user == null)
+        {
+            userNotFound = true;
+        }
+        else if (_globalSettings.PasswordlessAuth.KnownDevicesOnly)
         {
             var devices = await _deviceRepository.GetManyByUserIdAsync(user.Id);
             if (devices == null || !devices.Any(d => d.Identifier == model.DeviceIdentifier))
             {
-                throw new BadRequestException(
+                userNotFound = true;
-                    "Login with device is only available on devices that have been previously logged in.");
             }
         }
 
+        // Anonymous endpoints must not leak that a user exists or not
+        if (userNotFound)
+        {
+            throw new BadRequestException("User or known device not found.");
+        }
+
         // AdminApproval requests require correlating the user and their organization
         if (model.Type == AuthRequestType.AdminApproval)
         {

src/Core/Context/CurrentContext.cs

@@ -358,7 +358,9 @@ public class CurrentContext : ICurrentContext
 
     public async Task<bool> ViewAssignedCollections(Guid orgId)
     {
-        return await EditAssignedCollections(orgId) || await DeleteAssignedCollections(orgId);
+        return await CreateNewCollections(orgId) // Required to display the existing collections under which the new collection can be nested
+               || await EditAssignedCollections(orgId)
+               || await DeleteAssignedCollections(orgId);
     }
 
     public async Task<bool> ManageGroups(Guid orgId)

src/Core/Models/Business/TaxInfo.cs

@@ -35,14 +35,23 @@ public class TaxInfo
                 return _taxIdType;
             }
 
-            switch (BillingAddressCountry)
+            switch (BillingAddressCountry.ToUpper())
             {
+                case "AD":
+                    _taxIdType = "ad_nrt";
+                    break;
                 case "AE":
                     _taxIdType = "ae_trn";
                     break;
+                case "AR":
+                    _taxIdType = "ar_cuit";
+                    break;
                 case "AU":
                     _taxIdType = "au_abn";
                     break;
+                case "BO":
+                    _taxIdType = "bo_tin";
+                    break;
                 case "BR":
                     _taxIdType = "br_cnpj";
                     break;
@@ -55,9 +64,45 @@ public class TaxInfo
                     }
                     _taxIdType = "ca_bn";
                     break;
+                case "CH":
+                    _taxIdType = "ch_vat";
+                    break;
                 case "CL":
                     _taxIdType = "cl_tin";
                     break;
+                case "CN":
+                    _taxIdType = "cn_tin";
+                    break;
+                case "CO":
+                    _taxIdType = "co_nit";
+                    break;
+                case "CR":
+                    _taxIdType = "cr_tin";
+                    break;
+                case "DO":
+                    _taxIdType = "do_rcn";
+                    break;
+                case "EC":
+                    _taxIdType = "ec_ruc";
+                    break;
+                case "EG":
+                    _taxIdType = "eg_tin";
+                    break;
+                case "GE":
+                    _taxIdType = "ge_vat";
+                    break;
+                case "ID":
+                    _taxIdType = "id_npwp";
+                    break;
+                case "IL":
+                    _taxIdType = "il_vat";
+                    break;
+                case "IS":
+                    _taxIdType = "is_vat";
+                    break;
+                case "KE":
+                    _taxIdType = "ke_pin";
+                    break;
                 case "AT":
                 case "BE":
                 case "BG":
@@ -115,6 +160,15 @@ public class TaxInfo
                 case "NZ":
                     _taxIdType = "nz_gst";
                     break;
+                case "PE":
+                    _taxIdType = "pe_ruc";
+                    break;
+                case "PH":
+                    _taxIdType = "ph_tin";
+                    break;
+                case "RS":
+                    _taxIdType = "rs_pib";
+                    break;
                 case "RU":
                     _taxIdType = "ru_inn";
                     break;
@@ -124,15 +178,33 @@ public class TaxInfo
                 case "SG":
                     _taxIdType = "sg_gst";
                     break;
+                case "SV":
+                    _taxIdType = "sv_nit";
+                    break;
                 case "TH":
                     _taxIdType = "th_vat";
                     break;
+                case "TR":
+                    _taxIdType = "tr_tin";
+                    break;
                 case "TW":
                     _taxIdType = "tw_vat";
                     break;
+                case "UA":
+                    _taxIdType = "ua_vat";
+                    break;
                 case "US":
                     _taxIdType = "us_ein";
                     break;
+                case "UY":
+                    _taxIdType = "uy_ruc";
+                    break;
+                case "VE":
+                    _taxIdType = "ve_rif";
+                    break;
+                case "VN":
+                    _taxIdType = "vn_tin";
+                    break;
                 case "ZA":
                     _taxIdType = "za_vat";
                     break;

src/Core/SecretsManager/Queries/Projects/Interfaces/IMaxProjectsQuery.cs

@@ -2,5 +2,5 @@
 
 public interface IMaxProjectsQuery
 {
-    Task<(short? max, bool? atMax)> GetByOrgIdAsync(Guid organizationId);
+    Task<(short? max, bool? overMax)> GetByOrgIdAsync(Guid organizationId, int projectsToAdd);
 }

src/Core/Services/IOrganizationService.cs

@@ -39,6 +39,12 @@ public interface IOrganizationService
         OrganizationUserType type, bool accessAll, string externalId, IEnumerable<CollectionAccessSelection> collections, IEnumerable<Guid> groups);
     Task<IEnumerable<Tuple<OrganizationUser, string>>> ResendInvitesAsync(Guid organizationId, Guid? invitingUserId, IEnumerable<Guid> organizationUsersId);
     Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId, bool initOrganization = false);
+    /// <summary>
+    /// Moves an OrganizationUser into the Accepted status and marks their email as verified.
+    /// This method is used where the user has clicked the invitation link sent by email.
+    /// </summary>
+    /// <param name="token">The token embedded in the email invitation link</param>
+    /// <returns>The accepted OrganizationUser.</returns>
     Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token, IUserService userService);
     Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService);
     Task<OrganizationUser> AcceptUserAsync(Guid organizationId, User user, IUserService userService);

src/Core/Services/Implementations/OrganizationService.cs

@@ -1093,7 +1093,15 @@ public class OrganizationService : IOrganizationService
             throw new BadRequestException("User email does not match invite.");
         }
 
-        return await AcceptUserAsync(orgUser, user, userService);
+        var organizationUser = await AcceptUserAsync(orgUser, user, userService);
+
+        if (user.EmailVerified == false)
+        {
+            user.EmailVerified = true;
+            await _userRepository.ReplaceAsync(user);
+        }
+
+        return organizationUser;
     }
 
     public async Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService)

src/Identity/IdentityServer/BaseRequestValidator.cs

@@ -26,6 +26,7 @@ using Bit.Core.Utilities;
 using Bit.Identity.Utilities;
 using IdentityServer4.Validation;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
 
 namespace Bit.Identity.IdentityServer;
 
@@ -45,6 +46,8 @@ public abstract class BaseRequestValidator<T> where T : class
     private readonly GlobalSettings _globalSettings;
     private readonly IUserRepository _userRepository;
     private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _tokenDataFactory;
+    private readonly IDistributedCache _distributedCache;
+    private readonly DistributedCacheEntryOptions _cacheEntryOptions;
 
     protected ICurrentContext CurrentContext { get; }
     protected IPolicyService PolicyService { get; }
@@ -69,7 +72,8 @@ public abstract class BaseRequestValidator<T> where T : class
         IPolicyService policyService,
         IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
         IFeatureService featureService,
-        ISsoConfigRepository ssoConfigRepository)
+        ISsoConfigRepository ssoConfigRepository,
+        IDistributedCache distributedCache)
     {
         _userManager = userManager;
         _deviceRepository = deviceRepository;
@@ -89,6 +93,14 @@ public abstract class BaseRequestValidator<T> where T : class
         _tokenDataFactory = tokenDataFactory;
         FeatureService = featureService;
         SsoConfigRepository = ssoConfigRepository;
+        _distributedCache = distributedCache;
+        _cacheEntryOptions = new DistributedCacheEntryOptions
+        {
+            // This sets the time an item is cached to 15 minutes. This value is hard coded 
+            // to 15 because to it covers all time-out windows for both Authenticators and
+            // Email TOTP.
+            AbsoluteExpirationRelativeToNow = new TimeSpan(0, 15, 0)
+        };
     }
 
     protected async Task ValidateAsync(T context, ValidatedTokenRequest request,
@@ -135,6 +147,15 @@ public abstract class BaseRequestValidator<T> where T : class
             var verified = await VerifyTwoFactor(user, twoFactorOrganization,
                 twoFactorProviderType, twoFactorToken);
 
+            var cacheKey = "TOTP_" + user.Email;
+
+            var isOtpCached = Core.Utilities.DistributedCacheExtensions.TryGetValue(_distributedCache, cacheKey, out string _);
+            if (isOtpCached)
+            {
+                await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
+                return;
+            }
+
             if ((!verified || isBot) && twoFactorProviderType != TwoFactorProviderType.Remember)
             {
                 await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
@@ -148,6 +169,7 @@ public abstract class BaseRequestValidator<T> where T : class
                 await BuildTwoFactorResultAsync(user, twoFactorOrganization, context);
                 return;
             }
+            await Core.Utilities.DistributedCacheExtensions.SetAsync(_distributedCache, cacheKey, twoFactorToken, _cacheEntryOptions);
         }
         else
         {

src/Identity/IdentityServer/CustomTokenRequestValidator.cs

@@ -14,6 +14,7 @@ using IdentityModel;
 using IdentityServer4.Extensions;
 using IdentityServer4.Validation;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
 
 #nullable enable
 
@@ -42,11 +43,13 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
         IUserRepository userRepository,
         IPolicyService policyService,
         IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IDistributedCache distributedCache)
         : base(userManager, deviceRepository, deviceService, userService, eventService,
             organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
             applicationCacheService, mailService, logger, currentContext, globalSettings,
-            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository)
+            userRepository, policyService, tokenDataFactory, featureService, ssoConfigRepository,
+            distributedCache)
     {
         _userManager = userManager;
     }

src/Identity/IdentityServer/ResourceOwnerPasswordValidator.cs

@@ -13,6 +13,7 @@ using Bit.Core.Utilities;
 using IdentityServer4.Models;
 using IdentityServer4.Validation;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Distributed;
 
 namespace Bit.Identity.IdentityServer;
 
@@ -44,11 +45,12 @@ public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwner
         IPolicyService policyService,
         IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
         IFeatureService featureService,
-        ISsoConfigRepository ssoConfigRepository)
+        ISsoConfigRepository ssoConfigRepository,
+        IDistributedCache distributedCache)
         : base(userManager, deviceRepository, deviceService, userService, eventService,
               organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
               applicationCacheService, mailService, logger, currentContext, globalSettings, userRepository, policyService,
-              tokenDataFactory, featureService, ssoConfigRepository)
+              tokenDataFactory, featureService, ssoConfigRepository, distributedCache)
     {
         _userManager = userManager;
         _userService = userService;

test/Api.Test/SecretsManager/Controllers/ProjectsControllerTests.cs

@@ -132,7 +132,7 @@ public class ProjectsControllerTests
             .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToProject(orgId),
                 Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
         sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
-        sutProvider.GetDependency<IMaxProjectsQuery>().GetByOrgIdAsync(orgId).Returns(((short)3, true));
+        sutProvider.GetDependency<IMaxProjectsQuery>().GetByOrgIdAsync(orgId, 1).Returns(((short)3, true));
 
 
         await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(orgId, data));

test/Core.Test/Auth/Services/AuthRequestServiceTests.cs

@@ -142,15 +142,19 @@ public class AuthRequestServiceTests
     }
 
     [Theory, BitAutoData]
-    public async Task CreateAuthRequestAsync_NoUser_ThrowsNotFound(
+    public async Task CreateAuthRequestAsync_NoUser_ThrowsBadRequest(
         SutProvider<AuthRequestService> sutProvider,
         AuthRequestCreateRequestModel createModel)
     {
+        sutProvider.GetDependency<ICurrentContext>()
+            .DeviceType
+            .Returns(DeviceType.Android);
+
         sutProvider.GetDependency<IUserRepository>()
             .GetByEmailAsync(createModel.Email)
             .Returns((User?)null);
 
-        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAuthRequestAsync(createModel));
     }
 
     [Theory, BitAutoData]

test/Core.Test/AutoFixture/OrganizationFixtures.cs

@@ -10,6 +10,7 @@ using Bit.Core.Models.Data;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace Bit.Core.Test.AutoFixture.OrganizationFixtures;
 
@@ -187,3 +188,31 @@ internal class SecretsManagerOrganizationCustomizeAttribute : BitCustomizeAttrib
     public override ICustomization GetCustomization() =>
         new SecretsManagerOrganizationCustomization();
 }
+
+internal class EphemeralDataProtectionCustomization : ICustomization
+{
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customizations.Add(new EphemeralDataProtectionProviderBuilder());
+    }
+
+    private class EphemeralDataProtectionProviderBuilder : ISpecimenBuilder
+    {
+        public object Create(object request, ISpecimenContext context)
+        {
+            var type = request as Type;
+            if (type == null || type != typeof(IDataProtectionProvider))
+            {
+                return new NoSpecimen();
+            }
+
+            return new EphemeralDataProtectionProvider();
+        }
+    }
+}
+
+internal class EphemeralDataProtectionAutoDataAttribute : CustomAutoDataAttribute
+{
+    public EphemeralDataProtectionAutoDataAttribute() : base(new SutProviderCustomization(), new EphemeralDataProtectionCustomization())
+    { }
+}

test/Core.Test/Services/OrganizationServiceTests.cs

@@ -28,6 +28,7 @@ using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.DataProtection;
 using NSubstitute;
 using NSubstitute.ExceptionExtensions;
 using Xunit;
@@ -1835,6 +1836,42 @@ public class OrganizationServiceTests
         sutProvider.Sut.ValidateSecretsManagerPlan(plan, signup);
     }
 
+    [Theory]
+    [EphemeralDataProtectionAutoData]
+    public async Task AcceptUserAsync_Success([OrganizationUser(OrganizationUserStatusType.Invited)] OrganizationUser organizationUser,
+        User user, SutProvider<OrganizationService> sutProvider)
+    {
+        var token = SetupAcceptUserAsyncTest(sutProvider, user, organizationUser);
+        var userService = Substitute.For<IUserService>();
+
+        await sutProvider.Sut.AcceptUserAsync(organizationUser.Id, user, token, userService);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1).ReplaceAsync(
+            Arg.Is<OrganizationUser>(ou => ou.Id == organizationUser.Id && ou.Status == OrganizationUserStatusType.Accepted));
+        await sutProvider.GetDependency<IUserRepository>().Received(1).ReplaceAsync(
+            Arg.Is<User>(u => u.Id == user.Id && u.Email == user.Email && user.EmailVerified == true));
+    }
+
+    private string SetupAcceptUserAsyncTest(SutProvider<OrganizationService> sutProvider, User user,
+        OrganizationUser organizationUser)
+    {
+        user.Email = organizationUser.Email;
+        user.EmailVerified = false;
+
+        var dataProtector = sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("OrganizationServiceDataProtector");
+        // Token matching the format used in OrganizationService.InviteUserAsync
+        var token = dataProtector.Protect(
+            $"OrganizationUserInvite {organizationUser.Id} {organizationUser.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IGlobalSettings>().OrganizationInviteExpirationHours.Returns(24);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        return token;
+    }
+
     [Theory]
     [OrganizationInviteCustomize(
          InviteeUserType = OrganizationUserType.Owner,

util/Migrator/DbScripts/2023-08-10_00_ClientSecretHashDataMigration.sql

@@ -6,14 +6,6 @@ The final migration is in util/Migrator/DbScripts/2023-08-10_01_RemoveClientSecr
 IF COL_LENGTH('[dbo].[ApiKey]', 'ClientSecretHash') IS NOT NULL AND COL_LENGTH('[dbo].[ApiKey]', 'ClientSecret')  IS NOT NULL
 BEGIN
 
-  -- Add index
-  IF NOT EXISTS(SELECT name FROM sys.indexes WHERE name = 'IX_ApiKey_ClientSecretHash')
-  BEGIN
-   CREATE NONCLUSTERED INDEX [IX_ApiKey_ClientSecretHash]
-   ON [dbo].[ApiKey]([ClientSecretHash] ASC)
-   WITH (ONLINE = ON)
-  END
-
   -- Data Migration
   DECLARE @BatchSize INT = 10000
   WHILE @BatchSize > 0
@@ -34,9 +26,5 @@ BEGIN
     COMMIT TRANSACTION Migrate_ClientSecretHash
   END
 
-  -- Drop index
-  DROP INDEX IF EXISTS [IX_ApiKey_ClientSecretHash]
-      ON [dbo].[ApiKey];
-
 END
 GO