Merge branch 'main' into billing/aspire

Author: sbrown-livefront

.github/workflows/build.yml

@@ -263,7 +263,7 @@ jobs:
 
       - name: Scan Docker image
         id: container-scan
-        uses: anchore/scan-action@0d444ed77d83ee2ba7f5ced0d90d640a1281d762 # v7.3.0
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
           image: ${{ steps.image-tags.outputs.primary_tag }}
           fail-build: false

.github/workflows/test.yml

@@ -35,7 +35,7 @@ jobs:
         uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
 
       - name: Install rust
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
         with:
           toolchain: stable
 

src/Api/Auth/Controllers/TwoFactorController.cs

@@ -11,6 +11,7 @@
 using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Services;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
@@ -39,6 +40,9 @@ public class TwoFactorController : Controller
     private readonly IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> _twoFactorAuthenticatorDataProtector;
     private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _ssoEmailTwoFactorSessionDataProtector;
     private readonly ITwoFactorEmailService _twoFactorEmailService;
+    private readonly IStartTwoFactorWebAuthnRegistrationCommand _startTwoFactorWebAuthnRegistrationCommand;
+    private readonly ICompleteTwoFactorWebAuthnRegistrationCommand _completeTwoFactorWebAuthnRegistrationCommand;
+    private readonly IDeleteTwoFactorWebAuthnCredentialCommand _deleteTwoFactorWebAuthnCredentialCommand;
 
     public TwoFactorController(
         IUserService userService,
@@ -50,7 +54,10 @@ public TwoFactorController(
         IDuoUniversalTokenService duoUniversalConfigService,
         IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> twoFactorAuthenticatorDataProtector,
         IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> ssoEmailTwoFactorSessionDataProtector,
-        ITwoFactorEmailService twoFactorEmailService)
+        ITwoFactorEmailService twoFactorEmailService,
+        IStartTwoFactorWebAuthnRegistrationCommand startTwoFactorWebAuthnRegistrationCommand,
+        ICompleteTwoFactorWebAuthnRegistrationCommand completeTwoFactorWebAuthnRegistrationCommand,
+        IDeleteTwoFactorWebAuthnCredentialCommand deleteTwoFactorWebAuthnCredentialCommand)
     {
         _userService = userService;
         _organizationRepository = organizationRepository;
@@ -62,6 +69,9 @@ public TwoFactorController(
         _twoFactorAuthenticatorDataProtector = twoFactorAuthenticatorDataProtector;
         _ssoEmailTwoFactorSessionDataProtector = ssoEmailTwoFactorSessionDataProtector;
         _twoFactorEmailService = twoFactorEmailService;
+        _startTwoFactorWebAuthnRegistrationCommand = startTwoFactorWebAuthnRegistrationCommand;
+        _completeTwoFactorWebAuthnRegistrationCommand = completeTwoFactorWebAuthnRegistrationCommand;
+        _deleteTwoFactorWebAuthnCredentialCommand = deleteTwoFactorWebAuthnCredentialCommand;
     }
 
     [HttpGet("")]
@@ -282,7 +292,7 @@ public async Task<TwoFactorWebAuthnResponseModel> GetWebAuthn([FromBody] SecretV
     public async Task<CredentialCreateOptions> GetWebAuthnChallenge([FromBody] SecretVerificationRequestModel model)
     {
         var user = await CheckAsync(model, false, true);
-        var reg = await _userService.StartWebAuthnRegistrationAsync(user);
+        var reg = await _startTwoFactorWebAuthnRegistrationCommand.StartTwoFactorWebAuthnRegistrationAsync(user);
         return reg;
     }
 
@@ -291,7 +301,7 @@ public async Task<TwoFactorWebAuthnResponseModel> PutWebAuthn([FromBody] TwoFact
     {
         var user = await CheckAsync(model, false);
 
-        var success = await _userService.CompleteWebAuthRegistrationAsync(
+        var success = await _completeTwoFactorWebAuthnRegistrationCommand.CompleteTwoFactorWebAuthnRegistrationAsync(
             user, model.Id.Value, model.Name, model.DeviceResponse);
         if (!success)
         {
@@ -314,7 +324,18 @@ public async Task<TwoFactorWebAuthnResponseModel> DeleteWebAuthn(
         [FromBody] TwoFactorWebAuthnDeleteRequestModel model)
     {
         var user = await CheckAsync(model, false);
-        await _userService.DeleteWebAuthnKeyAsync(user, model.Id.Value);
+
+        if (!model.Id.HasValue)
+        {
+            throw new BadRequestException("Unable to delete WebAuthn credential.");
+        }
+
+        var success = await _deleteTwoFactorWebAuthnCredentialCommand.DeleteTwoFactorWebAuthnCredentialAsync(user, model.Id.Value);
+        if (!success)
+        {
+            throw new BadRequestException("Unable to delete WebAuthn credential.");
+        }
+
         var response = new TwoFactorWebAuthnResponseModel(user);
         return response;
     }

src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs

@@ -102,7 +102,7 @@ public async Task<IResult> GetSubscriptionAsync(
         [BindNever] User user)
     {
         var subscription = await getBitwardenSubscriptionQuery.Run(user);
-        return TypedResults.Ok(subscription);
+        return subscription == null ? TypedResults.NotFound() : TypedResults.Ok(subscription);
     }
 
     [HttpPost("subscription/reinstate")]

src/Billing/Services/Implementations/PaymentMethodAttachedHandler.cs

@@ -104,35 +104,56 @@ await _stripeFacade.UpdateSubscription(invoicedProviderSubscription.Id,
         var unpaidSubscriptions = subscriptions?.Data.Where(subscription =>
             subscription.Status == StripeConstants.SubscriptionStatus.Unpaid).ToList();
 
-        if (unpaidSubscriptions == null || unpaidSubscriptions.Count == 0)
+        var incompleteSubscriptions = subscriptions?.Data.Where(subscription =>
+            subscription.Status == StripeConstants.SubscriptionStatus.Incomplete).ToList();
+
+        // Process unpaid subscriptions
+        if (unpaidSubscriptions != null && unpaidSubscriptions.Count > 0)
+        {
+            foreach (var subscription in unpaidSubscriptions)
+            {
+                await AttemptToPayOpenSubscriptionAsync(subscription);
+            }
+        }
+
+        // Process incomplete subscriptions - only if there's exactly one to avoid overcharging
+        if (incompleteSubscriptions == null || incompleteSubscriptions.Count == 0)
         {
             return;
         }
 
-        foreach (var unpaidSubscription in unpaidSubscriptions)
+        if (incompleteSubscriptions.Count > 1)
         {
-            await AttemptToPayOpenSubscriptionAsync(unpaidSubscription);
+            _logger.LogWarning(
+                "Customer {CustomerId} has {Count} incomplete subscriptions. Skipping automatic payment retry to avoid overcharging. Subscription IDs: {SubscriptionIds}",
+                customer.Id,
+                incompleteSubscriptions.Count,
+                string.Join(", ", incompleteSubscriptions.Select(s => s.Id)));
+            return;
         }
+
+        // Exactly one incomplete subscription - safe to retry
+        await AttemptToPayOpenSubscriptionAsync(incompleteSubscriptions.First());
     }
 
-    private async Task AttemptToPayOpenSubscriptionAsync(Subscription unpaidSubscription)
+    private async Task AttemptToPayOpenSubscriptionAsync(Subscription subscription)
     {
-        var latestInvoice = unpaidSubscription.LatestInvoice;
+        var latestInvoice = subscription.LatestInvoice;
 
-        if (unpaidSubscription.LatestInvoice is null)
+        if (subscription.LatestInvoice is null)
         {
             _logger.LogWarning(
-                "Attempted to pay unpaid subscription {SubscriptionId} but latest invoice didn't exist",
-                unpaidSubscription.Id);
+                "Attempted to pay subscription {SubscriptionId} with status {Status} but latest invoice didn't exist",
+                subscription.Id, subscription.Status);
 
             return;
         }
 
         if (latestInvoice.Status != StripeInvoiceStatus.Open)
         {
             _logger.LogWarning(
-                "Attempted to pay unpaid subscription {SubscriptionId} but latest invoice wasn't \"open\"",
-                unpaidSubscription.Id);
+                "Attempted to pay subscription {SubscriptionId} with status {Status} but latest invoice wasn't \"open\"",
+                subscription.Id, subscription.Status);
 
             return;
         }
@@ -144,8 +165,8 @@ private async Task AttemptToPayOpenSubscriptionAsync(Subscription unpaidSubscrip
         catch (Exception e)
         {
             _logger.LogError(e,
-                "Attempted to pay open invoice {InvoiceId} on unpaid subscription {SubscriptionId} but encountered an error",
-                latestInvoice.Id, unpaidSubscription.Id);
+                "Attempted to pay open invoice {InvoiceId} on subscription {SubscriptionId} with status {Status} but encountered an error",
+                latestInvoice.Id, subscription.Id, subscription.Status);
             throw;
         }
     }

src/Billing/Services/Implementations/SubscriptionUpdatedHandler.cs

@@ -69,7 +69,8 @@ public async Task HandleAsync(Event parsedEvent)
 
         var currentPeriodEnd = subscription.GetCurrentPeriodEnd();
 
-        if (SubscriptionWentUnpaid(parsedEvent, subscription))
+        if (SubscriptionWentUnpaid(parsedEvent, subscription) ||
+            SubscriptionWentIncompleteExpired(parsedEvent, subscription))
         {
             await DisableSubscriberAsync(subscriberId, currentPeriodEnd);
             await SetSubscriptionToCancelAsync(subscription);
@@ -111,6 +112,18 @@ SubscriptionStatus.Active or
             LatestInvoice.BillingReason: BillingReasons.SubscriptionCreate or BillingReasons.SubscriptionCycle
         };
 
+    private static bool SubscriptionWentIncompleteExpired(
+        Event parsedEvent,
+        Subscription currentSubscription) =>
+        parsedEvent.Data.PreviousAttributes.ToObject<Subscription>() is Subscription
+        {
+            Status: SubscriptionStatus.Incomplete
+        } && currentSubscription is
+        {
+            Status: SubscriptionStatus.IncompleteExpired,
+            LatestInvoice.BillingReason: BillingReasons.SubscriptionCreate or BillingReasons.SubscriptionCycle
+        };
+
     private static bool SubscriptionBecameActive(
         Event parsedEvent,
         Subscription currentSubscription) =>