allow org user reg. when reg. is disabled

src/Core/Services/Implementations/OrganizationService.cs

@@ -1012,26 +1012,7 @@ namespace Bit.Core.Services
                 throw new BadRequestException("You are already part of this organization.");
             }
 
-            var tokenValidationFailed = true;
-            try
-            {
-                var unprotectedData = _dataProtector.Unprotect(token);
-                var dataParts = unprotectedData.Split(' ');
-                if(dataParts.Length == 4 &&
-                    dataParts[0] == "OrganizationUserInvite" &&
-                    new Guid(dataParts[1]) == orgUser.Id &&
-                    dataParts[2].Equals(user.Email, StringComparison.InvariantCultureIgnoreCase))
-                {
-                    var creationTime = CoreHelpers.FromEpocMilliseconds(Convert.ToInt64(dataParts[3]));
-                    tokenValidationFailed = creationTime.AddDays(5) < DateTime.UtcNow;
-                }
-            }
-            catch
-            {
-                tokenValidationFailed = true;
-            }
-
-            if(tokenValidationFailed)
+            if(!CoreHelpers.UserInviteTokenIsValid(_dataProtector, token, user.Email, orgUser.Id))
             {
                 throw new BadRequestException("Invalid token.");
             }

src/Core/Services/Implementations/UserService.cs

@@ -18,6 +18,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Utilities;
 using System.IO;
 using Newtonsoft.Json;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace Bit.Core.Services
 {
@@ -38,6 +39,7 @@ namespace Bit.Core.Services
         private readonly IEnumerable<IPasswordValidator<User>> _passwordValidators;
         private readonly ILicensingService _licenseService;
         private readonly IEventService _eventService;
+        private readonly IDataProtector _organizationServiceDataProtector;
         private readonly CurrentContext _currentContext;
         private readonly GlobalSettings _globalSettings;
 
@@ -59,6 +61,7 @@ namespace Bit.Core.Services
             ILogger<UserManager<User>> logger,
             ILicensingService licenseService,
             IEventService eventService,
+            IDataProtectionProvider dataProtectionProvider,
             CurrentContext currentContext,
             GlobalSettings globalSettings)
             : base(
@@ -84,6 +87,8 @@ namespace Bit.Core.Services
             _passwordValidators = passwordValidators;
             _licenseService = licenseService;
             _eventService = eventService;
+            _organizationServiceDataProtector = dataProtectionProvider.CreateProtector(
+                "OrganizationServiceDataProtector");
             _currentContext = currentContext;
             _globalSettings = globalSettings;
         }
@@ -204,11 +209,19 @@ namespace Bit.Core.Services
             await _mailService.SendVerifyDeleteEmailAsync(user.Email, user.Id, token);
         }
 
-        public async Task<IdentityResult> RegisterUserAsync(User user, string masterPassword)
+        public async Task<IdentityResult> RegisterUserAsync(User user, string masterPassword,
+            string token, Guid? orgUserId)
         {
-            if(_globalSettings.DisableUserRegistration)
+            var tokenValid = false;
+            if(!string.IsNullOrWhiteSpace(token) && orgUserId.HasValue)
             {
-                throw new BadRequestException("Registration has been disabled by the system administrator.");
+                tokenValid = CoreHelpers.UserInviteTokenIsValid(_organizationServiceDataProtector, token, 
+                    user.Email, orgUserId.Value);
+            }
+
+            if(_globalSettings.DisableUserRegistration && !tokenValid)
+            {
+                throw new BadRequestException("Open registration has been disabled by the system administrator.");
             }
 
             var result = await base.CreateAsync(user, masterPassword);