billing/pm-24665/license-file-generation-should-fail-for-unpaid-subscription

[cyprain-okeke]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-24665

📔 Objective

The PR adds validation to the license generation endpoint that blocks license file downloads when an organization's subscription is in any of these statuses:

• canceled - Subscription has been canceled
• incomplete - Payment setup incomplete
• incomplete_expired - Payment setup expired before completion
• unpaid - Payment failed and not resolved (bonus validation)

Technical Implementation

Location: src/Core/Billing/Organizations/Queries/GetCloudOrganizationLicenseQuery.cs

Changes:

1. Added ValidateSubscriptionForLicenseGeneration() method that checks subscription status before allowing license generation
2. Throws a BadRequestException with user-friendly error message: "Unable to generate license due to a payment issue. Please update your billing information or contact support for assistance."
3. Validates at the API endpoint: GET /organizations/{id}/license

Test Coverage:

• Added 8 comprehensive test cases covering all blocked statuses and ensuring valid statuses (active, trialing, past_due) still work

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 205bc8c7-0f62-4fd6-bcf8-10e6c63d5ba8

---

New Issues (4)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Path_Traversal	/src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs: 56	details Method at line 56 of /src/Api/Controllers/SelfHosted/SelfHostedOrganizationLicensesController.cs gets dynamic data from the model element. This ... Attack Vector
2		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
3		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
4		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 287

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.74%. Comparing base (9e49955) to head (47a8813).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7444      +/-   ##
==========================================
+ Coverage   58.71%   58.74%   +0.02%     
==========================================
  Files        2069     2070       +1     
  Lines       91207    91227      +20     
  Branches     8123     8127       +4     
==========================================
+ Hits        53551    53587      +36     
+ Misses      35742    35737       -5     
+ Partials     1914     1903      -11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[amorask-bitwarden]

What about premium?

[amorask-bitwarden]

❌ I don't think there's any reason for this to take a SubscriptionInfo when we can just pass in Subscription.

[amorask-bitwarden]

❌ This work should be done in the query itself and it should just use the StripeAdapter to get the subscription per the comment here: https://github.com/bitwarden/server/pull/7444/changes#r3081694476

[amorask-bitwarden]

See comment here: https://github.com/bitwarden/server/pull/7444/changes#r3081694476

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud