[PM-40152] feat: Require verified email to accept organization invite link#7949
Conversation
🤖 Bitwarden Claude Code ReviewOverall Assessment: APPROVE This PR adds a Code Review DetailsNo findings. The guard is correctly ordered ahead of state mutation, |
… link The invite-link accept flow bound a user to an organization solely via the email-domain allowlist, without asserting the email was verified. Unlike the email-invite flow, the link carries no per-email token proving ownership of the address, so the allowlist was the only binding. Assert EmailVerified in the read-only validation phase, before any seat is consumed, so an account that never proved ownership of an email at an allowed domain cannot join.
51f50d3 to
2e4fd20
Compare
|
@JaredSnider-Bitwarden tagging you here because this PR requires |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7949 +/- ##
==========================================
+ Coverage 61.43% 61.45% +0.01%
==========================================
Files 2245 2245
Lines 98830 98859 +29
Branches 8941 8946 +5
==========================================
+ Hits 60715 60749 +34
+ Misses 35965 35960 -5
Partials 2150 2150 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Investigated by Auth. SSO JIT-provisioned users are not affected. The JIT flow creates the org user in an invited state and accepts them via |
🎟️ Tracking
Resolves PM-40152
📔 Objective
The invite-link accept flow (
AcceptOrganizationInviteLinkCommand) gated organization membership on the accepting user's email domain being in the link'sAllowedDomains, but never asserted the email was verified. Unlike the email-invite flow — where the token delivered to the mailbox proves ownership — the invite link carries no per-email token, so the domain allowlist was the only binding between the user and an allowed domain. An account holding an unverified email at an allowed domain could therefore join the organization.This PR adds a
!user.EmailVerifiedguard in the read-only validation phase of the accept command, before anyOrganizationUseris created or seat is consumed. Unverified users receive a newEmailNotVerifiederror (HTTP 400). New unit tests cover the rejection and confirm no membership/seat side effects occur.SSO JIT-provisioned users are not affected: the JIT flow creates an org user in an invited state and accepts them via
IAcceptOrgUserCommand(through the MP, TDE, or Key Connector paths), never throughAcceptOrganizationInviteLinkCommand.Surfaced by the AppSec review of the invite-link tech breakdown.