[PM-30993] Better Error Message for Expired Invitation Tokens

[sven-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30993

📔 Objective

The server currently sends a nondescript Invalid token. error message when accepting an invalid token. While technically true, we want to be kinder to users accepting expired tokens, giving them a better error message.

Other Considerations

I thought about enhancing the Tokenable API to be return a TokenableValidationResult, which could mirror the existing inheritance hierarchy to return objects that indicate what went wrong. For example, Tokenable returns TokenableValidationResult, ExpiringTokenable returns ExpiringTokenableValidationResult.. each tacking on new metadata.

I opted not to do this, as this is so far the only Tokenable area that is interested in knowing what validation failed, and I didn't want to force the creation of N result classes (one for each Tokenable derivative).

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 30e95b61-3abb-4918-bebd-31cbc9e2bfb2

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Path_Traversal	/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs: 56	details Method at line 56 of /src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs gets dynamic data from the model element. This ... Attack Vector
2		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 291	details Method at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 146

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.08%. Comparing base (4732d7f) to head (896474a).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6971   +/-   ##
=======================================
  Coverage   57.08%   57.08%           
=======================================
  Files        2028     2028           
  Lines       88794    88801    +7     
  Branches     7914     7917    +3     
=======================================
+ Hits        50684    50691    +7     
  Misses      36279    36279           
  Partials     1831     1831           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude finished @sven-bitwarden's task in 2m 25s —— View job

---

Code Review: PM-30993 Better Error Message for Expired Invitation Tokens

Reviewed commit: 896474a (Merge branch 'main' into ac/pm-30993/update-expired-token-exception-message)

Files reviewed (4):

• src/Core/Tokens/ExpiringTokenable.cs
• src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs
• src/Core/Auth/Models/Business/Tokenables/OrgUserInviteTokenable.cs
• test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommandTests.cs

Summary

This PR adds a public IsExpired property to ExpiringTokenable and uses it in AcceptOrgUserCommand to distinguish expired tokens from invalid tokens, returning a more helpful "Expired token." error message to clients. The switch expression in AcceptOrgUserCommand correctly prioritizes the expired check before the general invalidity check, and the fallback for failed decryption returns the generic "Invalid token." message.

Findings

No issues found. The implementation is clean and correct:

• Logic correctness: The switch expression in AcceptOrgUserCommand (lines 77-84) properly differentiates all cases: expired token, invalid-but-decryptable token, undecryptable token, and valid token. The ordering of arms ensures expired tokens are caught before the general validity check, which is correct since Valid would already be false for expired tokens.
• Security: Distinguishing "Expired token." from "Invalid token." in an invitation flow is an acceptable UX trade-off. These are not authentication tokens, and the information revealed (that a token was once valid) has negligible attacker value given the token was already sent via email.
• Backward compatibility: The existing ValidateOrgUserInviteStringToken static method remains intact and is still used by other callers (PoliciesController, InitPendingOrganizationValidator, InitPendingOrganizationCommand, RegisterUserCommand).
• Test coverage: The PR updates the existing expired-token test to expect the new message and adds a dedicated test for the invalid-token path using a null org-user to force token data mismatch. Codecov confirms all modified lines are covered.

✅ This PR looks good to merge.

[JaredSnider-Bitwarden]

Nice work!

[sven-bitwarden]

@JaredScar @JaredSnider-Bitwarden sorry y'all, my prior PR #6972 had a conflict here 🙏

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud