From a725802476589a0ed8ce32671fb9d67b3411ffb1 Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Tue, 8 Mar 2022 09:21:54 -0500
Subject: [PATCH] Handle null user in captch tokenable (#1897)
* Handle null user in captch tokenable
* Update test/Core.Test/Models/Business/Tokenables/HCaptchaTokenableTests.cs
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
---
 .../Business/Tokenables/HCaptchaTokenable.cs | 9 ++++--
 .../Tokenables/HCaptchaTokenableTests.cs | 32 +++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/Core/Models/Business/Tokenables/HCaptchaTokenable.cs b/src/Core/Models/Business/Tokenables/HCaptchaTokenable.cs
index 4a7322ed08..0d5a1a0183 100644
--- a/src/Core/Models/Business/Tokenables/HCaptchaTokenable.cs
+++ b/src/Core/Models/Business/Tokenables/HCaptchaTokenable.cs
@@ -24,12 +24,17 @@ namespace Bit.Core.Models.Business.Tokenables
 public HCaptchaTokenable(User user) : this()
 {
- Id = user.Id;
- Email = user.Email;
+ Id = user?.Id ?? default;
+ Email = user?.Email;
 }
 public bool TokenIsValid(User user)
 {
+ if (Id == default || Email == default || user == null)
+ {
+ return false;
+ }
+
 return Id == user.Id && Email.Equals(user.Email, StringComparison.InvariantCultureIgnoreCase);
 }
diff --git a/test/Core.Test/Models/Business/Tokenables/HCaptchaTokenableTests.cs b/test/Core.Test/Models/Business/Tokenables/HCaptchaTokenableTests.cs
index 3aaccfbea3..8b9c8f27f6 100644
--- a/test/Core.Test/Models/Business/Tokenables/HCaptchaTokenableTests.cs
+++ b/test/Core.Test/Models/Business/Tokenables/HCaptchaTokenableTests.cs
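Review bot: In `HCaptchaTokenable.cs`, the email comparison that `TokenIsValid` falls through to after the new guard still uses `StringComparison.InvariantCultureIgnoreCase`, a linguistic comparison that treats ignorable characters (soft hyphen, zero-width characters) as absent, so two different address strings can compare equal. The `Id` match limits the impact, but an identity check on a token should be exact: `Email.Equals(user.Email, StringComparison.OrdinalIgnoreCase);`. Since the constructor now silently accepts null, the guard would also benefit from a comment stating its intent, for example `// Fail closed: a token created for a null user has no Id/Email and must never validate.`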
@@ -3,12 +3,44 @@ using AutoFixture.Xunit2;
 using Bit.Core.Entities;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.Tokens;
+using Bit.Test.Common.AutoFixture.Attributes;
 using Xunit;
 namespace Bit.Core.Test.Models.Business.Tokenables
 {
 public class HCaptchaTokenableTests
 {
+ [Fact]
+ public void CanHandleNullUser()
+ {
+ var token = new HCaptchaTokenable(null);
+
+ Assert.Equal(default, token.Id);
+ Assert.Equal(default, token.Email);
+ }
+
+ [Fact]
+ public void TokenWithNullUserIsInvalid()
+ {
+ var token = new HCaptchaTokenable(null)
+ {
+ ExpirationDate = DateTime.UtcNow + TimeSpan.FromDays(1)
+ };
+
+ Assert.False(token.Valid);
+ }
+
+ [Theory, BitAutoData]
+ public void TokenValidityCheckNullUserIdIsInvalid(User user)
+ {
+ var token = new HCaptchaTokenable(user)
+ {
+ ExpirationDate = DateTime.UtcNow + TimeSpan.FromDays(1)
+ };
+
+ Assert.False(token.TokenIsValid(null));
+ }
+
 [Theory, AutoData]
 public void CanUpdateExpirationToNonStandard(User user)
 {
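Review bot: `TokenValidityCheckNullUserIdIsInvalid` is named for a null user Id, but it builds the token from a populated `user` and passes `null` to `TokenIsValid`, so it covers only the `user == null` arm of the guard; a name such as `TokenValidityCheckNullUserIsInvalid` would match what it asserts. The `Id == default` and `Email == default` arms are not exercised against a real user here, because `TokenWithNullUserIsInvalid` goes through `token.Valid`, whose implementation is not visible in this patch. A direct assertion such as `Assert.False(new HCaptchaTokenable(null).TokenIsValid(user));` in a `[Theory, BitAutoData]` test would pin that a token created for an unknown user never validates for an existing one. `CanUpdateExpirationToNonStandard` continues outside the hunk.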