[PM-33897] Schedule Aware Cancellation and Reinstatement

[sbrown-livefront]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-33897

📔 Objective

Introduces enhancements to the subscription cancellation and reinstatement workflows to support deferred price migration, gated behind the PM32645_DeferPriceMigrationToRenewal feature flag. The main changes involve updating how subscription schedules are managed during cancellation and reinstatement, ensuring that price migration logic is correctly applied and reversible.

[claude]

Claude finished @sbrown-livefront's task in 4m 15s —— View job

---

Code Review: PM-33897 Schedule Aware Cancellation and Reinstatement

• Gather context and read changed files
• Review PriceIncreaseScheduler.cs changes
• Review SubscriberService.cs changes
• Review ReinstateSubscriptionCommand.cs changes
• Review test files for coverage
• Check for security, correctness, and style issues

Assessment: ✅ APPROVE

No actionable findings. The implementation is well-structured and the previous review feedback from @amorask-bitwarden has been addressed in the latest commits.

Key observations:

• Feature flag gating is properly applied via PM32645_DeferPriceMigrationToRenewal, ensuring schedule-aware logic only activates when the flag is enabled.
• Cancellation refactoring in SubscriberService.cs cleanly separates immediate vs. end-of-period cancellation, with the schedule-aware path correctly handling 0-phase, 1-phase, and 2+-phase scenarios.
• Reinstatement logic in ReinstateSubscriptionCommand.cs correctly re-adds Phase 2 via PriceIncreaseScheduler.ResolvePhase2Async when reinstating a subscription that had a pending price migration schedule.
• PriceIncreaseScheduler.ResolvePhase2Async is now public (with interface declaration) and includes a feature flag guard, making it safely reusable from the reinstatement command.
• Test coverage is comprehensive — new tests cover all schedule state permutations for both cancellation and reinstatement, including edge cases like missing schedules, single-phase schedules, and multi-phase schedules.

---

[github-actions]

Checkmarx One – Scan Summary & Details – 68c0b7c2-64a3-460b-a017-42588bc519e4

---

New Issues (121)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_XSS	/src/SharedWeb/Health/HealthCheckServiceExtensions.cs: 61	details The method embeds untrusted data in generated output with WriteAsync, at line 60 of /src/SharedWeb/Health/HealthCheckServiceExtensions.cs. This ... Attack Vector
2		Stored_XSS	/util/Server/Startup.cs: 57	details The method embeds untrusted data in generated output with WriteAsync, at line 59 of /util/Server/Startup.cs. This untrusted data is embedded int... Attack Vector
3		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 55	details Method at line 55 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
4		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
5		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
6		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
7		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
8		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 534	details Method at line 534 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
9		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 229	details Method at line 229 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
10		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
11		CSRF	/src/Api/Tools/Controllers/SendsController.cs: 73	details Method at line 73 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from id. This parameter value flows thro... Attack Vector
12		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 145	details Method at line 145 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
13		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217	details Method at line 217 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
14		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
15		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
16		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
17		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
18		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
19		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
20		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
21		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
22		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
23		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
24		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
25		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 104	details Method at line 104 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
26		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 107	details Method at line 107 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organiza... Attack Vector
27		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
28		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 233	details Method at line 233 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
29		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 286	details Method at line 286 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
30		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
31		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
32		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
33		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
34		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
35		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
36		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1148	details Method at line 1148 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
37		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1032	details Method at line 1032 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
38		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1281	details Method at line 1281 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from organizationId. This parameter ... Attack Vector
39		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 394	details Method at line 394 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
40		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
41		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from id. This parame... Attack Vector
42		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 95	details Method at line 95 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
43		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 82	details Method at line 82 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
44		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 93	details Method at line 93 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
45		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 49	details Method at line 49 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
46		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 40	details Method at line 40 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
47		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1226	details Method at line 1226 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flo... Attack Vector
48		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
49		CSRF	/src/Api/Vault/Controllers/SecurityTaskController.cs: 66	details Method at line 66 of /src/Api/Vault/Controllers/SecurityTaskController.cs gets a parameter from a user request from taskId. This parameter value... Attack Vector
50		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 721	details Method at line 721 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from request. This parameter value fl... Attack Vector
51		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 385	details Method at line 385 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
52		CSRF	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 173	details Method at line 173 of /src/Api/Auth/Controllers/EmergencyAccessController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
53		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 641	details Method at line 641 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
54		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 192	details Method at line 192 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
55		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 126	details Method at line 126 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
56		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 664	details Method at line 664 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
57		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 412	details Method at line 412 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
58		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
59		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
60		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
61		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
62		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61	details Method at line 61 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
63		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67	details Method at line 67 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
64		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
65		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
66		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
67		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
68		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
69		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
70		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
71		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
72		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
73		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 138	details Method at line 138 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
74		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
75		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
76		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 414	details Method at line 414 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector

More results are available on the CxOne platform

[codecov]

Codecov Report

❌ Patch coverage is 87.91946% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.31%. Comparing base (1fac799) to head (3b2a730).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...ling/Services/Implementations/SubscriberService.cs	88.60%	6 Missing and 3 partials ⚠️
...criptions/Commands/ReinstateSubscriptionCommand.cs	86.56%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7374      +/-   ##
==========================================
+ Coverage   58.23%   58.31%   +0.07%     
==========================================
  Files        2060     2060              
  Lines       90965    91088     +123     
  Branches     8085     8093       +8     
==========================================
+ Hits        52977    53114     +137     
+ Misses      36115    36098      -17     
- Partials     1873     1876       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[amorask-bitwarden]

Looking good - just a few ⛏️ and questions.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud