[PM-4142] Clean Up Pre-Tokenable Token Validation

[sven-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-4142

📔 Objective

This ticket was slated to be done a few releases after Tokenables were introduced, to clean up backwards compatible code left to support both old and new token validation. Given that is has been at least a few releases since now and then, we're free to clean up this code - all tokens are provisioned with the newer APIs.

📸 Screenshots

[claude]

Claude finished @sven-bitwarden's task in 1m 20s —— View job

---

Code Review: PM-4142 Clean Up Pre-Tokenable Token Validation

Status: Approved

Summary: This PR removes backwards-compatible token validation code that was kept for migration from the old data protector-based tokens to the new Tokenable system. The changes are well-scoped and remove the correct code paths across multiple files.

Changes Reviewed

File	Change
PoliciesController.cs	Remove old token validation fallback and unused dependencies
AcceptOrgUserCommand.cs	Remove old token validation fallback and unused dependencies
InitPendingOrganizationCommand.cs	Remove unused IDataProtector and IGlobalSettings dependencies
RegisterUserCommand.cs	Inline tokenable validation, remove IsOrgInviteTokenValid helper method
CoreHelpers.cs	Remove UserInviteTokenIsValid method (note: TokenIsValid is kept as it's used for provider invites)
AcceptOrgUserCommandTests.cs	Remove tests for old token validation and dead helper code

Review History

Commit	Finding	Status
fde10f2	Initial cleanup - remove old pre-tokenable code	Reviewed
192116f	Remove unused CreateOldToken helper, rename CreateNewToken to CreateToken	Addressed
7c62786	Remove unused imports (Microsoft.AspNetCore.DataProtection, Bit.Core.Utilities)	Addressed

Observations

• The PR correctly preserves CoreHelpers.TokenIsValid which is still used for ProviderUserInvite tokens
• All TODO comments referencing PM-4142 have been addressed
• The dependency injection cleanup is consistent across all modified files
• Test coverage remains appropriate with tests for the new tokenable validation
• All previous review feedback has been addressed

---

Robot Review | Powered by Claude

[github-actions]

Checkmarx One – Scan Summary & Details – a11f10c1-ef06-4ef6-955f-5fdfbbdc8f09

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.23%. Comparing base (6d43cc4) to head (7c62786).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #6972       +/-   ##
===========================================
+ Coverage   13.57%   56.23%   +42.65%     
===========================================
  Files        1207     1982      +775     
  Lines       52379    87621    +35242     
  Branches     4089     7814     +3725     
===========================================
+ Hits         7111    49272    +42161     
+ Misses      45135    36521     -8614     
- Partials      133     1828     +1695     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[JaredSnider-Bitwarden]

LGTM! Thank you for cleaning this up!
For the QA notes, please ensure that you request testing of the standard accept org invite flow (+ accepting an org invite into an org where MP policy requirements are in place) and registration via org invite flow.

[r-tome]

Great work!