[PM-34595] Update provider controllers to use authz attribute

[eliykat]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34595

📔 Objective

Primary objective: update provider controllers to use the Authorize attribute and the requirements added in #7389 . Add some basic tests for each controller - each endpoint is not tested comprehensively, but there are 'sentinel' tests to assure us that the attributes are working as intended end-to-end.

Secondary objective: break inheritance relationship between ProviderClientsController and the base controller classes still owned and used by Billing. This should be done to clarify our cross-team interfaces, and because the base controller implements its own authorization checks which are now duplicative. Changes:

• bring the TryGetBillableProvider logic into our controller as a private method - remove the role check which is handled by the attribute
• update our base controller class to expose response types directly, so that we can use these instead of the equivalent methods on the base billing controller

📸 Screenshots

[eliykat]

I have not used the base class helper here because I'm not sure this should be a 401 (more likely a 403) and I don't want to encourage other consumers to include error messages in their 401 responses. However, it was out of scope to address further here.

[github-actions]

Checkmarx One – Scan Summary & Details – bc40ca89-d5b4-4cc5-bde1-d7bf4865c054

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR migrates four provider controllers (ProvidersController, ProviderUsersController, ProviderOrganizationsController, ProviderClientsController) from imperative ICurrentContext authorization checks to declarative [Authorize<T>] attributes. The authorization mapping was verified correct: ProviderUser maps to ProviderUserRequirement, ProviderProviderAdmin/ManageProviderOrganizations map to ProviderAdminRequirement, and ProviderManageUsers maps to ManageProviderUsersRequirement. The ProviderClientsController cleanly breaks its inheritance from BaseProviderController, inlining TryGetBillableProviderAsync as a private method with the role check correctly removed since it is now handled by the attribute. The new NoopAuthorizeAttribute preserves class-level authentication while signaling intentional absence of additional authorization, and integration tests comprehensively verify the expected HTTP status codes for each role.

Code Review Details

No findings.

[eliykat]

@JimmyVo16 and @sven-bitwarden this will be of interest to you given our tech debt priorities - this is just some work that I already had stashed, and I expect the other controllers will follow this pattern.

[codecov]

Codecov Report

❌ Patch coverage is 86.20690% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.87%. Comparing base (f2141b9) to head (65ffd54).

Files with missing lines	Patch %	Lines
...pi/AdminConsole/Controllers/ProvidersController.cs	25.00%	6 Missing ⚠️
...nConsole/Controllers/BaseAdminConsoleController.cs	90.00%	1 Missing ⚠️
...inConsole/Controllers/ProviderClientsController.cs	97.29%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7450      +/-   ##
==========================================
+ Coverage   58.66%   58.87%   +0.20%     
==========================================
  Files        2066     2066              
  Lines       91089    91059      -30     
  Branches     8106     8092      -14     
==========================================
+ Hits        53440    53610     +170     
+ Misses      35740    35534     -206     
- Partials     1909     1915       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JimmyVo16]

Overall looks good and approved. Just one question about the [AllowAnonymous].

[sonarqubecloud]

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud