Ac/pm 17449/add managed user validation to email token (#5437)

2025-06-30 15:42:48 -05:00 · 2025-02-24 10:42:04 -05:00
parent 6bc579f51e
commit 6ca98df721
5 changed files with 52 additions and 11 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@ -149,6 +149,12 @@ public class AccountsController : Controller
            throw new BadRequestException("MasterPasswordHash", "Invalid password.");
        }

+        var managedUserValidationResult = await _userService.ValidateManagedUserDomainAsync(user, model.NewEmail);
+
+        if (!managedUserValidationResult.Succeeded)
+        {
+            throw new BadRequestException(managedUserValidationResult.Errors);
+        }

        await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
    }
@ -167,7 +173,6 @@ public class AccountsController : Controller
            throw new BadRequestException("You cannot change your email when using Key Connector.");
        }

-
        var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail,
            model.NewMasterPasswordHash, model.Token, model.Key);
        if (result.Succeeded)
--- a/src/Core/Exceptions/BadRequestException.cs
+++ b/src/Core/Exceptions/BadRequestException.cs
@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc.ModelBinding;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc.ModelBinding;

 namespace Bit.Core.Exceptions;

@ -29,5 +30,16 @@ public class BadRequestException : Exception
        ModelState = modelState;
    }

+    public BadRequestException(IEnumerable<IdentityError> identityErrors)
+    : base("The model state is invalid.")
+    {
+        ModelState = new ModelStateDictionary();
+
+        foreach (var error in identityErrors)
+        {
+            ModelState.AddModelError(error.Code, error.Description);
+        }
+    }
+
    public ModelStateDictionary ModelState { get; set; }
 }
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -136,6 +136,16 @@ public interface IUserService
    /// </returns>
    Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);

+    /// <summary>
+    /// Verify whether the new email domain meets the requirements for managed users.
+    /// </summary>
+    /// <remarks>
+    /// </remarks>
+    /// <returns>
+    /// IdentityResult 
+    /// </returns>
+    Task<IdentityResult> ValidateManagedUserDomainAsync(User user, string newEmail);
+
    /// <summary>
    /// Gets the organizations that manage the user.
    /// </summary>
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -545,7 +545,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
            return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
        }

-        var managedUserValidationResult = await ValidateManagedUserAsync(user, newEmail);
+        var managedUserValidationResult = await ValidateManagedUserDomainAsync(user, newEmail);

        if (!managedUserValidationResult.Succeeded)
        {
@ -617,7 +617,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return IdentityResult.Success;
    }

-    private async Task<IdentityResult> ValidateManagedUserAsync(User user, string newEmail)
+    public async Task<IdentityResult> ValidateManagedUserDomainAsync(User user, string newEmail)
    {
        var managingOrganizations = await GetOrganizationsManagingUserAsync(user.Id);