validate and email on sso privisioning (#6734)

kspearrin · web-flow · commit bead4f1d5a3a · 2025-12-15T15:19:17.000-05:00
diff --git a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
@@ -99,6 +99,9 @@ public async Task<IdentityResult> RegisterUser(User user)
 
     public async Task<IdentityResult> RegisterSSOAutoProvisionedUserAsync(User user, Organization organization)
     {
+        // Validate that the email domain is not blocked by another organization's policy
+        await ValidateEmailDomainNotBlockedAsync(user.Email, organization.Id);
+
         var result = await _userService.CreateUserAsync(user);
         if (result == IdentityResult.Success)
         {
diff --git a/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs b/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
@@ -1382,4 +1382,90 @@ await sutProvider.GetDependency<IMailService>()
             .Received(1)
             .SendOrganizationUserWelcomeEmailAsync(user, organization.DisplayName());
     }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithBlockedDomain_ThrowsException(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@blocked-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("blocked-domain.com", organization.Id)
+            .Returns(true);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization));
+        Assert.Equal("This email address is claimed by an organization using Bitwarden.", exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithOwnClaimedDomain_Succeeds(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@company-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        // Domain is claimed by THIS organization, so it should be allowed
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("company-domain.com", organization.Id)
+            .Returns(false); // Not blocked because organization.Id is excluded
+
+        sutProvider.GetDependency<IUserService>()
+            .CreateUserAsync(user)
+            .Returns(IdentityResult.Success);
+
+        // Act
+        var result = await sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization);
+
+        // Assert
+        Assert.True(result.Succeeded);
+        await sutProvider.GetDependency<IUserService>()
+            .Received(1)
+            .CreateUserAsync(user);
+    }
+
+    [Theory, BitAutoData]
+    public async Task RegisterSSOAutoProvisionedUserAsync_WithNonClaimedDomain_Succeeds(
+        User user,
+        Organization organization,
+        SutProvider<RegisterUserCommand> sutProvider)
+    {
+        // Arrange
+        user.Email = "user@unclaimed-domain.com";
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.BlockClaimedDomainAccountCreation)
+            .Returns(true);
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .HasVerifiedDomainWithBlockClaimedDomainPolicyAsync("unclaimed-domain.com", organization.Id)
+            .Returns(false); // Domain is not claimed by any org
+
+        sutProvider.GetDependency<IUserService>()
+            .CreateUserAsync(user)
+            .Returns(IdentityResult.Success);
+
+        // Act
+        var result = await sutProvider.Sut.RegisterSSOAutoProvisionedUserAsync(user, organization);
+
+        // Assert
+        Assert.True(result.Succeeded);
+        await sutProvider.GetDependency<IUserService>()
+            .Received(1)
+            .CreateUserAsync(user);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,9 @@ public async Task<IdentityResult> RegisterUser(User user)`
`99`	`99`
`100`	`100`	`public async Task<IdentityResult> RegisterSSOAutoProvisionedUserAsync(User user, Organization organization)`
`101`	`101`	`{`
	`102`	`+ // Validate that the email domain is not blocked by another organization's policy`
	`103`	`+ await ValidateEmailDomainNotBlockedAsync(user.Email, organization.Id);`
	`104`	`+`
`102`	`105`	`var result = await _userService.CreateUserAsync(user);`
`103`	`106`	`if (result == IdentityResult.Success)`
`104`	`107`	`{`