Auth/PM-38742 - SSO Invited Existing User Flow Improvement - Redirect on error #7785
Conversation
…back Replace the thrown exception at the invited-user gate with a typed SsoAuthnRequiresInviteAcceptanceException caught in ExternalCallback, which signs out the temp external cookie and redirects to the web vault's /login with the email, org name, and an error code. The web client renders a toast prompting the user to sign in with master password and accept the invite. Preserves the Prevented Bypass 1 security gate — no SsoUser row is written and no auth session is established for invited users.
🤖 Bitwarden Claude Code Review. Overall Assessment: APPROVE. Reviewed the SSO invited-existing-user flow change in the SSO Code Review Details. No findings. The change is well-scoped and thoroughly tested across unit, integration, and exception-level tests. The cookie-cleanup mirrors the success path, the email carried in the redirect comes from the canonical non-nullable
The existing integration test for an existing user with an invited org user was asserting the prior 500-error behavior. With the redirect change in 6a9e708, the endpoint now returns 302 to the web vault /login carrying the email, org name, and error code. Rename the test and update assertions to verify the redirect status, the Location path, the error query param, and that the seeded user's email + organization display name flow through into the URL (which the unit test cannot exercise because it has no real DB roundtrip).
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main    #7785      +/-   ##
==========================================
- Coverage   61.27%   61.23%   -0.04%
==========================================
  Files        2194     2211      +17
  Lines       97468    97747     +279
  Branches     8792     8815      +23
==========================================
+ Hits        59722    59855     +133
- Misses      35625    35768     +143
- Partials     2121     2124       +3
Extend SsoRedirectUrlBuilder with an optional autoSubmit boolean that appends &autoSubmit=true when set; pass autoSubmit: true from the catch site so the client can skip the email-entry step and land directly on master-password entry. Also remove the now-orphaned AcceptInviteBeforeUsingSSO resx string — no C# code references it after the previous commit moved the message to the client side.
Patrick-Pimentel-Bitwarden
left a comment
The forethought is clear for how this can be expanded in the future with the sso redirect url builder. What I thought would be errors in docs turned out to be incorrect. Tests look great too, no notes!
Extend SsoAuthnRequiresInviteAcceptanceException with the org id and emit
it as &organizationId={guid} in the BuildLoginRedirectUrl output so the
web client can match the redirect against its stashed invite by a stable
key (display names can drift between invite send-time and SSO attempt).
Drop the autoSubmit parameter — the client now derives auto-progression
from its own stash state, so the server-side hint is redundant.
Recent changes are to fix bug: https://bitwarden.atlassian.net/browse/PM-39149
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-38742
Clients PR: bitwarden/clients#21134
📔 Objective
Redirect invited existing users back to /login on SSO callback
Replace the thrown exception at the invited-user gate with a typed SsoAuthnRequiresInviteAcceptanceException caught in ExternalCallback, which signs out the temp external cookie and redirects to the web vault's /login with the email, org name, and an error code. The web client renders a toast prompting the user to sign in with master password and accept the invite. Preserves the security gate: no SsoUser row is written and no auth session is established for invited users.
📸 Screenshots
See clients PR: bitwarden/clients#21134
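The redirect contract the PR and the later commit describe (server sends the user to the web vault's /login carrying email, organization name, organization id and an error code; client matches that redirect to its stashed invite by the stable organization id rather than the display name, and derives auto-progression from its own stash state) as an added worked example. This is illustrative code written for this page, not code from bitwarden/server or bitwarden/clients: the query-parameter names, the error-code literal, the GUID check and the stash shape are assumptions, and the server half is sketched in TypeScript rather than C# so both halves can run together.

```typescript
// Added example, not project code. Models the /login redirect contract from PR #7785.
// Parameter names, the error-code value and the stash shape are assumptions.

export type InviteRedirectParams = {
  email: string;
  organizationName: string;
  organizationId: string; // GUID, the stable key the client matches on
  errorCode: string;
};

export type StashedInvite = {
  organizationId: string;
  organizationName: string; // may drift from the name in the redirect
  email: string;
};

// Assumed literal; the PR does not state the actual error-code value.
export const INVITE_ACCEPTANCE_ERROR = "sso_invite_acceptance_required";

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Server side (the catch site for the typed exception). The destination is always the
// configured web-vault URL; a caller-supplied return URL is never accepted, so the
// redirect cannot be turned into an open redirect. URLSearchParams does the encoding,
// so "+" in an email and "&" in an org name survive the round trip.
export function buildLoginRedirectUrl(webVaultUrl: string, p: InviteRedirectParams): string {
  const base = new URL(webVaultUrl);
  if (base.protocol !== "https:" && base.protocol !== "http:") {
    throw new Error("web vault URL must be http(s)");
  }
  if (!GUID_RE.test(p.organizationId)) {
    throw new Error("organizationId must be a GUID");
  }
  const url = new URL("/login", base);
  url.searchParams.set("email", p.email);
  url.searchParams.set("organizationName", p.organizationName);
  url.searchParams.set("organizationId", p.organizationId.toLowerCase());
  url.searchParams.set("error", p.errorCode);
  return url.toString();
}

// Client side. Returns null unless the URL is a /login redirect on the expected origin
// that carries the invite-acceptance error code and a well-formed organization id.
export function parseLoginRedirect(href: string, expectedOrigin: string): InviteRedirectParams | null {
  const url = new URL(href);
  if (url.origin !== new URL(expectedOrigin).origin || url.pathname !== "/login") {
    return null;
  }
  const q = url.searchParams;
  const errorCode = q.get("error");
  const organizationId = q.get("organizationId") ?? "";
  if (errorCode !== INVITE_ACCEPTANCE_ERROR || !GUID_RE.test(organizationId)) {
    return null;
  }
  return {
    email: q.get("email") ?? "",
    organizationName: q.get("organizationName") ?? "",
    organizationId: organizationId.toLowerCase(),
    errorCode,
  };
}

// Client side. Match on organizationId only: display names can change between invite
// send-time and the SSO attempt. Auto-progression (skip email entry, go straight to the
// master-password step) is derived from stash state, not from a server-side hint.
export function resolveInviteRedirect(
  params: InviteRedirectParams,
  stash: StashedInvite[],
): { invite: StashedInvite | null; autoProgress: boolean; toast: string } {
  const invite = stash.find((s) => s.organizationId.toLowerCase() === params.organizationId) ?? null;
  const orgName = invite?.organizationName ?? params.organizationName;
  const autoProgress = invite !== null && invite.email.toLowerCase() === params.email.toLowerCase();
  return {
    invite,
    autoProgress,
    // Illustrative toast text, not the client's actual string.
    toast: `Sign in with your master password and accept the invite from ${orgName} before using SSO.`,
  };
}
```

The two checks worth keeping in any real implementation are the ones at the edges: the server only ever redirects to its own configured web-vault origin, and the client only honours a redirect whose origin and path it expects and whose organization id parses as a GUID, so a crafted link cannot make the client surface a toast for an arbitrary organization name.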