[PM-37168] Fix missing expiration check.

[JimmyVo16]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-38128

📔 Objective

I added fixes to the identified locations and added test coverage for them.
It's a simple change, and I think the automated tests are sufficient.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR adds a missing token expiration check to two delete-recovery flows (OrganizationsController.PostDeleteRecoverToken and ProviderService.DeleteAsync) by including !data.Valid in the guard alongside the existing IsValid(entity) check. Since ExpiringTokenable.Valid is defined as !IsExpired && TokenIsValid(), this correctly closes a VULN where expired tokens with a matching entity Id would have been accepted. Both code paths receive a focused new test that constructs a tokenable with a matching Id but a 2-hour-past expiration and asserts BadRequestException is thrown and the downstream delete is never invoked. A repo-wide search confirms these were the only two TryUnprotect(...) || !data.IsValid(...) sites missing the expiration guard.

Code Review Details

No findings.

Note on existing bot threads: the github-code-quality "useless assignment to expiredTokenData" comments on ProviderServiceTests.cs:1339 and OrganizationsControllerTests.cs:355 are false positives — the variable is reassigned via the out parameter on TryUnprotect and must be declared for the NSubstitute .Returns(true) setup pattern. The author has already clarified this in both threads.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[JimmyVo16]

expiredTokenData is being used in an out statement a few lines below. Looks like the compiler just didn't pick it up.

[JimmyVo16]

expiredTokenData is being used in an out statement a few lines below. Looks like the compiler just didn't pick it up.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.84%. Comparing base (0cab8e2) to head (10dc45a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...cial.Core/AdminConsole/Services/ProviderService.cs	0.00%	0 Missing and 1 partial ⚠️
...dminConsole/Controllers/OrganizationsController.cs	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7760   +/-   ##
=======================================
  Coverage   60.84%   60.84%           
=======================================
  Files        2167     2167           
  Lines       96089    96089           
  Branches     8652     8652           
=======================================
+ Hits        58464    58469    +5     
+ Misses      35539    35532    -7     
- Partials     2086     2088    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.