billing/pm-24665/license-file-generation-should-fail-for-unpaid-subscription

[cyprain-okeke]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-24665

📔 Objective

The PR adds validation to the license generation endpoint that blocks license file downloads when an organization's subscription is in any of these statuses:

• canceled - Subscription has been canceled
• incomplete - Payment setup incomplete
• incomplete_expired - Payment setup expired before completion
• unpaid - Payment failed and not resolved (bonus validation)

Technical Implementation

Location: src/Core/Billing/Organizations/Queries/GetCloudOrganizationLicenseQuery.cs

Changes:

1. Added ValidateSubscriptionForLicenseGeneration() method that checks subscription status before allowing license generation
2. Throws a BadRequestException with user-friendly error message: "Unable to generate license due to a payment issue. Please update your billing information or contact support for assistance."
3. Validates at the API endpoint: GET /organizations/{id}/license

Test Coverage:

• Added 8 comprehensive test cases covering all blocked statuses and ensuring valid statuses (active, trialing, past_due) still work

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 9ca5736f-d9a0-412f-95c7-4716323a0e62

---

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Path_Traversal	/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs: 56	details Method at line 56 of /src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs gets dynamic data from the model element. This ... Attack Vector
2		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
3		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
4		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

---

Fixed Issues (4)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 287

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.77%. Comparing base (d9aef5c) to head (e61fd83).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7444      +/-   ##
==========================================
+ Coverage   58.75%   58.77%   +0.02%     
==========================================
  Files        2071     2071              
  Lines       91252    91270      +18     
  Branches     8130     8134       +4     
==========================================
+ Hits        53611    53646      +35     
+ Misses      35726    35721       -5     
+ Partials     1915     1903      -12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[amorask-bitwarden]

What about premium?

[amorask-bitwarden]

❌ I don't think there's any reason for this to take a SubscriptionInfo when we can just pass in Subscription.

[amorask-bitwarden]

❌ This work should be done in the query itself and it should just use the StripeAdapter to get the subscription per the comment here: https://github.com/bitwarden/server/pull/7444/changes#r3081694476

[amorask-bitwarden]

See comment here: https://github.com/bitwarden/server/pull/7444/changes#r3081694476

[amorask-bitwarden]

Looking at this further, I'm not sure an entirely new validator is required for this work, which is evidenced by fact we're only checking the subscription status to make sure the subscription isn't terminal. Is there any reason we can't just check the subscription status in each license query? That way you don't have to double fetch the subscription in the org license query nor did you need an entirely new file.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud