[SSO] New user provision flow

bitwarden_license/src/Sso/Controllers/AccountController.cs

@@ -465,7 +465,7 @@ private async Task<User> AutoProvisionUserAsync(string provider, string provider
                         OrganizationId = orgId.Value,
                         UserId = user.Id,
                         Type = OrganizationUserType.User,
-                        Status = OrganizationUserStatusType.Accepted
+                        Status = OrganizationUserStatusType.Invited
                     };
                     await _organizationUserRepository.CreateAsync(orgUser);
                 }

src/Core/Models/Api/Request/Accounts/SetPasswordRequestModel.cs

@@ -19,6 +19,7 @@ public class SetPasswordRequestModel
         public KdfType Kdf { get; set; }
         [Required]
         public int KdfIterations { get; set; }
+        public string OrgIdentifier { get; set; }
 
         public User ToUser(User existingUser)
         {

src/Core/Services/IOrganizationService.cs

@@ -38,6 +38,7 @@ Task<List<OrganizationUser>> InviteUserAsync(Guid organizationId, Guid? inviting
         Task ResendInviteAsync(Guid organizationId, Guid? invitingUserId, Guid organizationUserId);
         Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, User user, string token,
             IUserService userService);
+        Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService);
         Task<OrganizationUser> ConfirmUserAsync(Guid organizationId, Guid organizationUserId, string key,
             Guid confirmingUserId, IUserService userService);
         Task SaveUserAsync(OrganizationUser user, Guid? savingUserId, IEnumerable<SelectionReadOnly> collections);

src/Core/Services/IUserService.cs

@@ -32,7 +32,7 @@ public interface IUserService
         Task<IdentityResult> ChangeEmailAsync(User user, string masterPassword, string newEmail, string newMasterPassword,
             string token, string key);
         Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string key);
-        Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key);
+        Task<IdentityResult> SetPasswordAsync(User user, string newMasterPassword, string key, string orgIdentifier = null);
         Task<IdentityResult> ChangeKdfAsync(User user, string masterPassword, string newMasterPassword, string key,
             KdfType kdf, int kdfIterations);
         Task<IdentityResult> UpdateKeyAsync(User user, string masterPassword, string key, string privateKey,

src/Core/Services/Implementations/OrganizationService.cs

@@ -1074,9 +1074,9 @@ public async Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, Use
                 throw new BadRequestException("User invalid.");
             }
 
-            if (orgUser.Status != OrganizationUserStatusType.Invited)
+            if (!CoreHelpers.UserInviteTokenIsValid(_dataProtector, token, user.Email, orgUser.Id, _globalSettings))
             {
-                throw new BadRequestException("Already accepted.");
+                throw new BadRequestException("Invalid token.");
             }
 
             if (string.IsNullOrWhiteSpace(orgUser.Email) ||
@@ -1085,6 +1085,42 @@ public async Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, Use
                 throw new BadRequestException("User email does not match invite.");
             }
 
+            var existingOrgUserCount = await _organizationUserRepository.GetCountByOrganizationAsync(
+                orgUser.OrganizationId, user.Email, true);
+            if (existingOrgUserCount > 0)
+            {
+                throw new BadRequestException("You are already part of this organization.");
+            }
+
+            return await AcceptUserAsync(orgUser, user, userService);
+        }
+
+        public async Task<OrganizationUser> AcceptUserAsync(string orgIdentifier, User user, IUserService userService)
+        {
+            var org = await _organizationRepository.GetByIdentifierAsync(orgIdentifier);
+            if (org == null)
+            {
+                throw new BadRequestException("Organization invalid.");
+            }
+
+            var usersOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+            var orgUser = usersOrgs.FirstOrDefault(u => u.OrganizationId == org.Id);
+            if (orgUser == null)
+            {
+                throw new BadRequestException("User not found within organization.");
+            }
+
+            return await AcceptUserAsync(orgUser, user, userService);
+        }
+
+        private async Task<OrganizationUser> AcceptUserAsync(OrganizationUser orgUser, User user, 
+            IUserService userService)
+        {
+            if (orgUser.Status != OrganizationUserStatusType.Invited)
+            {
+                throw new BadRequestException("Already accepted.");
+            }
+
             if (orgUser.Type == OrganizationUserType.Owner || orgUser.Type == OrganizationUserType.Admin)
             {
                 var org = await GetOrgById(orgUser.OrganizationId);
@@ -1099,18 +1135,6 @@ public async Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, Use
                 }
             }
 
-            var existingOrgUserCount = await _organizationUserRepository.GetCountByOrganizationAsync(
-                orgUser.OrganizationId, user.Email, true);
-            if (existingOrgUserCount > 0)
-            {
-                throw new BadRequestException("You are already part of this organization.");
-            }
-
-            if (!CoreHelpers.UserInviteTokenIsValid(_dataProtector, token, user.Email, orgUser.Id, _globalSettings))
-            {
-                throw new BadRequestException("Invalid token.");
-            }
-
             if (!await userService.TwoFactorIsEnabledAsync(user))
             {
                 var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgUser.OrganizationId);
@@ -1124,10 +1148,10 @@ public async Task<OrganizationUser> AcceptUserAsync(Guid organizationUserId, Use
             orgUser.Status = OrganizationUserStatusType.Accepted;
             orgUser.UserId = user.Id;
             orgUser.Email = null;
+
             await _organizationUserRepository.ReplaceAsync(orgUser);
 
             // TODO: send notification emails to org admins and accepting user?
-
             return orgUser;
         }
 

src/Core/Services/Implementations/UserService.cs

@@ -48,6 +48,7 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         private readonly IReferenceEventService _referenceEventService;
         private readonly CurrentContext _currentContext;
         private readonly GlobalSettings _globalSettings;
+        private readonly IOrganizationService _organizationService;
 
         public UserService(
             IUserRepository userRepository,
@@ -74,7 +75,8 @@ public UserService(
             IPolicyRepository policyRepository,
             IReferenceEventService referenceEventService,
             CurrentContext currentContext,
-            GlobalSettings globalSettings)
+            GlobalSettings globalSettings,
+            IOrganizationService organizationService)
             : base(
                   store,
                   optionsAccessor,
@@ -107,6 +109,7 @@ public UserService(
             _referenceEventService = referenceEventService;
             _currentContext = currentContext;
             _globalSettings = globalSettings;
+            _organizationService = organizationService;
         }
 
         public Guid? GetProperUserId(ClaimsPrincipal principal)
@@ -579,7 +582,8 @@ public async Task<IdentityResult> ChangePasswordAsync(User user, string masterPa
             return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
         }
 
-        public async Task<IdentityResult> SetPasswordAsync(User user, string masterPassword, string key)
+        public async Task<IdentityResult> SetPasswordAsync(User user, string masterPassword, string key, 
+            string orgIdentifier = null)
         {
             if (user == null)
             {
@@ -603,7 +607,12 @@ public async Task<IdentityResult> SetPasswordAsync(User user, string masterPassw
 
             await _userRepository.ReplaceAsync(user);
             await _eventService.LogUserEventAsync(user.Id, EventType.User_ChangedPassword);
-
+
+            if (!string.IsNullOrWhiteSpace(orgIdentifier))
+            {
+                await _organizationService.AcceptUserAsync(orgIdentifier, user, this);
+            }
+
             return IdentityResult.Success;
         }
 

test/Core.Test/Services/UserServiceTests.cs

@@ -41,6 +41,7 @@ public class UserServiceTests
         private readonly IReferenceEventService _referenceEventService;
         private readonly CurrentContext _currentContext;
         private readonly GlobalSettings _globalSettings;
+        private readonly IOrganizationService _organizationService;
 
         public UserServiceTests()
         {
@@ -69,6 +70,7 @@ public UserServiceTests()
             _referenceEventService = Substitute.For<IReferenceEventService>();
             _currentContext = new CurrentContext();
             _globalSettings = new GlobalSettings();
+            _organizationService = Substitute.For<IOrganizationService>();
 
             _sut = new UserService(
                 _userRepository,
@@ -95,7 +97,8 @@ public UserServiceTests()
                 _policyRepository,
                 _referenceEventService,
                 _currentContext,
-                _globalSettings
+                _globalSettings,
+                _organizationService
             );
         }