bitwarden · sven-bitwarden · Feb 10, 2026 · Feb 10, 2026 · Feb 11, 2026 · Feb 11, 2026
@@ -74,12 +74,18 @@ public async Task<OrganizationUser> AcceptOrgUserByEmailTokenAsync(Guid organiza
             throw new BadRequestException("User invalid.");
         }
 
-        var tokenValid = OrgUserInviteTokenable.ValidateOrgUserInviteStringToken(
-            _orgUserInviteTokenDataFactory, emailToken, orgUser);
-
-        if (!tokenValid)
+        var tokenValidationError = _orgUserInviteTokenDataFactory.TryUnprotect(emailToken, out var decryptedToken) switch
+        {
+            // Used by clients to show better error message on token expiration, adjust both as-needed
+            true when decryptedToken.IsExpired => "Expired token.",
+            true when !(decryptedToken.Valid && decryptedToken.TokenIsValid(orgUser)) => "Invalid token.",
+            false => "Invalid token.",
+            _ => null
+        };
+
+        if (tokenValidationError != null)
         {
-            throw new BadRequestException("Invalid token.");
+            throw new BadRequestException(tokenValidationError);
         }
 
         var existingOrgUserCount = await _organizationUserRepository.GetCountByOrganizationAsync(

@@ -63,7 +63,6 @@ public bool TokenIsValid(Guid orgUserId, string orgUserEmail)
     protected override bool TokenIsValid() =>
         Identifier == TokenIdentifier && OrgUserId != default && !string.IsNullOrWhiteSpace(OrgUserEmail);
 
-
     public static bool ValidateOrgUserInviteStringToken(
         IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
         string orgUserInviteToken, OrganizationUser orgUser)

diff --git a/src/Core/Tokens/ExpiringTokenable.cs b/src/Core/Tokens/ExpiringTokenable.cs
@@ -12,7 +12,9 @@ public abstract class ExpiringTokenable : Tokenable
     /// Checks if the token is still within its valid duration and if its data is valid.
     /// <para>For data validation, this property relies on the <see cref="TokenIsValid"/> method.</para>
     /// </summary>
-    public override bool Valid => ExpirationDate > DateTime.UtcNow && TokenIsValid();
+    public override bool Valid => !IsExpired && TokenIsValid();
+
+    public bool IsExpired => ExpirationDate < DateTime.UtcNow;
 
     /// <summary>
     /// Validates that the token data properties are correct.

@@ -451,8 +451,39 @@ public async Task AcceptOrgUserByToken_ExpiredNewToken_ThrowsBadRequest(
         var exception = await Assert.ThrowsAsync<BadRequestException>(
             () => sutProvider.Sut.AcceptOrgUserByEmailTokenAsync(orgUser.Id, user, newToken, _userService));
 
-        Assert.Equal("Invalid token.", exception.Message);
+        Assert.Equal("Expired token.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AcceptOrgUserByToken_InvalidNewToken_ThrowsBadRequest(
+        SutProvider<AcceptOrgUserCommand> sutProvider,
+        User user, OrganizationUser orgUser)
+    {
+        // Arrange
+        // Setup FakeDataProtectorTokenFactory for creating new tokens - this must come first in order
+        // to avoid resetting mocks
+        sutProvider.SetDependency(_orgUserInviteTokenDataFactory, "orgUserInviteTokenDataFactory");
+        sutProvider.Create();
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(orgUser.Id)
+            .Returns(Task.FromResult(orgUser));
+
+        // Must come after common mocks as they mutate the org user.
+        // Send a null org-user to force an invalid token result
+        _orgUserInviteTokenableFactory.CreateToken(orgUser).Returns(new OrgUserInviteTokenable(null!)
+        {
+            ExpirationDate = DateTime.UtcNow.AddDays(1),
+        });
 
+        var newToken = CreateToken(orgUser);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.AcceptOrgUserByEmailTokenAsync(orgUser.Id, user, newToken, _userService));
+
+        Assert.Equal("Invalid token.", exception.Message);
     }
 
     [Theory]