[PM-6794] block legacy users from authN (#4088)

* block legacy users from authN * undo change to GetDeviceFromRequest * lint * add feature flag * format * add web vault url to error message * fix test * format
2025-06-30 15:42:48 -05:00 · 2024-06-03 09:19:56 -04:00
parent 21a02054af
commit b072fc56b1
6 changed files with 107 additions and 0 deletions
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
@ -331,6 +331,53 @@ public class IdentityServerTests : IClassFixture<IdentityApplicationFactory>
        await AssertDefaultTokenBodyAsync(context, "api");
    }

+    [Theory, BitAutoData]
+    public async Task TokenEndpoint_GrantTypeClientCredentials_AsLegacyUser_NotOnWebClient_Fails(string deviceId)
+    {
+        var server = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.UseSetting("globalSettings:launchDarkly:flagValues:block-legacy-users", "true");
+        }).Server;
+
+        var username = "test+tokenclientcredentials@email.com";
+
+
+        await server.PostAsync("/accounts/register", JsonContent.Create(new RegisterRequestModel
+        {
+            Email = username,
+            MasterPasswordHash = "master_password_hash"
+        }));
+
+
+        var database = _factory.GetDatabaseContext();
+        var user = await database.Users
+            .FirstAsync(u => u.Email == username);
+
+        user.PrivateKey = "EncryptedPrivateKey";
+        await database.SaveChangesAsync();
+
+        var context = await server.PostAsync("/connect/token", new FormUrlEncodedContent(
+            new Dictionary<string, string>
+            {
+                { "scope", "api offline_access" },
+                { "client_id", "browser" },
+                { "deviceType", DeviceTypeAsString(DeviceType.ChromeBrowser) },
+                { "deviceIdentifier", deviceId },
+                { "deviceName", "chrome" },
+                { "grant_type", "password" },
+                { "username", username },
+                { "password", "master_password_hash" },
+            }), context => context.SetAuthEmail(username));
+
+        Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
+
+        var errorBody = await AssertHelper.AssertResponseTypeIs<JsonDocument>(context);
+        var error = AssertHelper.AssertJsonProperty(errorBody.RootElement, "ErrorModel", JsonValueKind.Object);
+        var message = AssertHelper.AssertJsonProperty(error, "Message", JsonValueKind.String).GetString();
+        Assert.StartsWith("Encryption key migration is required.", message);
+    }
+
+
    [Theory, BitAutoData]
    public async Task TokenEndpoint_GrantTypeClientCredentials_AsOrganization_Success(Organization organization, Bit.Core.Entities.OrganizationApiKey organizationApiKey)
    {