Skip to content

[PM-21411] Refactor interface for determining premium status and features #6688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
r-tome wants to merge 52 commits into
base: main
Choose a base branch
from
+11,701 โˆ’21
Open

[PM-21411] Refactor interface for determining premium status and features #6688

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
52 commits
Select commit Hold shift + click to select a range
5629d6f
Removed 2FA user interface from premium method signatures
trmartin4 Dec 4, 2025
c09a973
Added some more comments for clarity and small touchups.
Patrick-Pimentel-Bitwarden Dec 4, 2025
f83a790
Add PremiumAccessCacheCheck feature flag to Constants.cs
r-tome Dec 4, 2025
d30f3bd
Add IPremiumAccessQuery interface and PremiumAccessQuery implementatiโ€ฆ
r-tome Dec 4, 2025
377ae31
Add unit tests for PremiumAccessQuery to validate user premium accessโ€ฆ
r-tome Dec 4, 2025
683a6cb
Add XML documentation to Premium in OrganizationUserUserDetails and Uโ€ฆ
r-tome Dec 4, 2025
08e1413
Add PremiumAccessQueries to UserServiceCollectionExtensions
r-tome Dec 4, 2025
e494a10
Refactor TwoFactorIsEnabledQuery to incorporate PremiumAccessQuery anโ€ฆ
r-tome Dec 4, 2025
0cdadd1
Mark methods in IUserRepository and IUserService as obsolete, directiโ€ฆ
r-tome Dec 4, 2025
192052b
Rename CanAccessPremiumBulkAsync to CanAccessPremiumAsync in IPremiumโ€ฆ
r-tome Dec 5, 2025
2d31237
Update TwoFactorIsEnabledQuery to use CanAccessPremiumAsync for premiโ€ฆ
r-tome Dec 5, 2025
123f579
Refactor TwoFactorIsEnabledQuery to introduce VNextAsync methods for โ€ฆ
r-tome Dec 5, 2025
57252a7
Refactor IPremiumAccessQuery and PremiumAccessQuery to remove the oveโ€ฆ
r-tome Dec 5, 2025
bf0cc7a
Add new sync static method to determine if TwoFactor is enabled
r-tome Dec 5, 2025
65941d4
Enhance XML documentation for Premium property in OrganizationUserUseโ€ฆ
r-tome Dec 5, 2025
2a966e3
Refactor IPremiumAccessQuery and PremiumAccessQuery to replace User pโ€ฆ
r-tome Dec 5, 2025
96a3615
Update feature flag references in IUserRepository and IUserService toโ€ฆ
r-tome Dec 5, 2025
516824a
Rename IPremiumAccessQuery to IHasPremiumAccessQuery and move to Billโ€ฆ
r-tome Dec 5, 2025
b8ff0ea
Remove unnecessary whitespace from IHasPremiumAccessQuery interface.
r-tome Dec 8, 2025
415a0b9
Refactor HasPremiumAccessQuery to throw NotFoundException for null users
r-tome Dec 8, 2025
303b81c
Add NotFoundException handling in HasPremiumAccessQuery for mismatcheโ€ฆ
r-tome Dec 8, 2025
30ff3da
Refactor TwoFactorIsEnabledQuery to optimize premium access checks anโ€ฆ
r-tome Dec 8, 2025
02c2aa8
Refactor TwoFactorIsEnabledQueryTests to enhance clarity and optimizeโ€ฆ
r-tome Dec 8, 2025
2184296
Add UserPremiumAccess model to represent user premium access status fโ€ฆ
r-tome Dec 8, 2025
5257dc5
Add User_ReadPremiumAccessByIds stored procedure and UserPremiumAccesโ€ฆ
r-tome Dec 8, 2025
97bcf41
Add SQL migration script
r-tome Dec 8, 2025
0a42c9e
Add premium access retrieval methods to IUserRepository and implementโ€ฆ
r-tome Dec 8, 2025
651d5e3
Refactor HasPremiumAccessQuery and IHasPremiumAccessQuery to streamliโ€ฆ
r-tome Dec 8, 2025
353a07a
Update IUserRepository to reflect new method names for premium accessโ€ฆ
r-tome Dec 8, 2025
da9f0a1
Refactor TwoFactorIsEnabledQuery to utilize IFeatureService for premiโ€ฆ
r-tome Dec 8, 2025
df7bd08
Enhance EF UserRepository to improve premium access retrieval by inclโ€ฆ
r-tome Dec 8, 2025
cd0b3da
Add unit tests for premium access retrieval in UserRepositoryTests.
r-tome Dec 8, 2025
245ce71
Optimize HasPremiumAccessQuery to eliminate duplicate user IDs beforeโ€ฆ
r-tome Dec 8, 2025
0279cb5
Refactor TwoFactorIsEnabledQuery to improve handling of users withoutโ€ฆ
r-tome Dec 8, 2025
1415517
Merge branch 'main' into ac/pm-21411/refactor-interface-for-premium-sโ€ฆ
r-tome Dec 9, 2025
2bd00c2
Update HasPremiumAccessQueryTests to use simplified exception handlinโ€ฆ
r-tome Dec 9, 2025
dbb8619
Enhance TwoFactorIsEnabledQuery to throw NotFoundException for non-exโ€ฆ
r-tome Dec 9, 2025
2f11c13
Move premium access query to Billing owned ServiceCollectionExtensions
r-tome Dec 9, 2025
9a68a97
Refactor IUserService to enhance premium access checks
r-tome Dec 9, 2025
1cd5749
Update IUserRepository to clarify usage of premium access methods
r-tome Dec 9, 2025
61775fb
Update IUserRepository and IUserService to clarify deprecation of preโ€ฆ
r-tome Dec 9, 2025
19627f4
Refactor TwoFactorIsEnabledQuery to streamline user ID retrieval
r-tome Dec 9, 2025
6a783ff
Rename migration script to fix the date
r-tome Dec 9, 2025
85e0e1a
Merge branch 'main' into ac/pm-21411/refactor-interface-for-premium-sโ€ฆ
r-tome Dec 11, 2025
f833040
Merge branch 'main' into ac/pm-21411/refactor-interface-for-premium-sโ€ฆ
r-tome Dec 12, 2025
de13a7c
Update migration script to create the index with DROP_EXISTING = ON
r-tome Dec 12, 2025
03b0431
Refactor UserPremiumAccessView to use LEFT JOINs and GROUP BY for impโ€ฆ
r-tome Dec 12, 2025
125b4de
Update HasPremiumAccessQueryTests to return null for GetPremiumAccessโ€ฆ
r-tome Dec 12, 2025
2081dd4
Add unit tests for premium access scenarios in UserRepositoryTests
r-tome Dec 12, 2025
de42f20
Bump date on migration script
r-tome Dec 12, 2025
33a464a
Update OrganizationEntityTypeConfiguration to include UsersGetPremiumโ€ฆ
r-tome Dec 12, 2025
97bf24e
Add migration scripts for OrganizationUsersGetPremiumIndex across MySโ€ฆ
r-tome Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions ...e/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser, I
public string Email { get; set; }
public string AvatarColor { get; set; }
public string TwoFactorProviders { get; set; }
/// <summary>
/// Indicates whether the user has a personal premium subscription.
/// Does not include premium access from organizations -
/// do not use this to check whether the user can access premium features.
/// Null when the organization user is in Invited status (UserId is null).
/// </summary>
public bool? Premium { get; set; }
public OrganizationUserStatusType Status { get; set; }
public OrganizationUserType Type { get; set; }
Expand Down Expand Up @@ -63,11 +69,6 @@ public Dictionary<TwoFactorProviderType, TwoFactorProvider> GetTwoFactorProvider
return UserId;
}

public bool GetPremium()
{
return Premium.GetValueOrDefault(false);
}

public Permissions GetPermissions()
{
return string.IsNullOrWhiteSpace(Permissions) ? null
Expand Down
17 changes: 10 additions & 7 deletions src/Core/Auth/Models/ITwoFactorProvidersUser.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,25 @@
๏ปฟ// FIXME: Update this file to be null safe and then delete the line below
#nullable disable

using Bit.Core.Auth.Enums;
๏ปฟusing Bit.Core.Auth.Enums;
using Bit.Core.Services;

namespace Bit.Core.Auth.Models;

/// <summary>
/// An interface representing a user entity that supports two-factor providers
/// </summary>
public interface ITwoFactorProvidersUser
{
string TwoFactorProviders { get; }
string? TwoFactorProviders { get; }
/// <summary>
/// Get the two factor providers for the user. Currently it can be assumed providers are enabled
/// if they exists in the dictionary. When two factor providers are disabled they are removed
/// from the dictionary. <see cref="IUserService.DisableTwoFactorProviderAsync"/>
/// <see cref="IOrganizationService.DisableTwoFactorProviderAsync"/>
/// </summary>
/// <returns>Dictionary of providers with the type enum as the key</returns>
Dictionary<TwoFactorProviderType, TwoFactorProvider> GetTwoFactorProviders();
Dictionary<TwoFactorProviderType, TwoFactorProvider>? GetTwoFactorProviders();
/// <summary>
/// The unique `UserId` of the user entity for which there are two-factor providers configured.
/// </summary>
/// <returns>The unique identifier for the user</returns>
Guid? GetUserId();
bool GetPremium();
}
22 changes: 22 additions & 0 deletions src/Core/Auth/UserFeatures/TwoFactorAuth/Interfaces/ITwoFactorIsEnabledQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
๏ปฟusing Bit.Core.Auth.Models;
using Bit.Core.Entities;

namespace Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;

Expand All @@ -22,4 +23,25 @@ public interface ITwoFactorIsEnabledQuery
/// </summary>
/// <param name="user">The user to check.</param>
Task<bool> TwoFactorIsEnabledAsync(ITwoFactorProvidersUser user);

/// <summary>
/// Returns a list of user IDs and whether two factor is enabled for each user.
/// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
/// </summary>
/// <param name="userIds">The list of user IDs to check.</param>
Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync(IEnumerable<Guid> userIds);
/// <summary>
/// Returns a list of users and whether two factor is enabled for each user.
/// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
/// </summary>
/// <param name="users">The list of users to check.</param>
/// <typeparam name="T">The type of user in the list. Must implement <see cref="ITwoFactorProvidersUser"/>.</typeparam>
Task<IEnumerable<(T user, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync<T>(IEnumerable<T> users) where T : ITwoFactorProvidersUser;
/// <summary>
/// Returns whether two factor is enabled for the user. A user is able to have a TwoFactorProvider that is enabled but requires Premium.
/// If the user does not have premium then the TwoFactorProvider is considered _not_ enabled.
/// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
/// </summary>
/// <param name="user">The user to check.</param>
Task<bool> TwoFactorIsEnabledVNextAsync(User user);
}
128 changes: 120 additions & 8 deletions src/Core/Auth/UserFeatures/TwoFactorAuth/TwoFactorIsEnabledQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,24 @@
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models;
using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
using Bit.Core.Billing.Premium.Queries;
using Bit.Core.Entities;
using Bit.Core.Repositories;

namespace Bit.Core.Auth.UserFeatures.TwoFactorAuth;

public class TwoFactorIsEnabledQuery(IUserRepository userRepository) : ITwoFactorIsEnabledQuery
public class TwoFactorIsEnabledQuery : ITwoFactorIsEnabledQuery
{
private readonly IUserRepository _userRepository = userRepository;
private readonly IUserRepository _userRepository;
private readonly IHasPremiumAccessQuery _hasPremiumAccessQuery;

public TwoFactorIsEnabledQuery(
IUserRepository userRepository,
IHasPremiumAccessQuery hasPremiumAccessQuery)
{
_userRepository = userRepository;
_hasPremiumAccessQuery = hasPremiumAccessQuery;
}

public async Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledAsync(IEnumerable<Guid> userIds)
{
Expand Down Expand Up @@ -72,12 +83,113 @@ public async Task<bool> TwoFactorIsEnabledAsync(ITwoFactorProvidersUser user)
}

return await TwoFactorEnabledAsync(
user.GetTwoFactorProviders(),
async () =>
{
var calcUser = await _userRepository.GetCalculatedPremiumAsync(userId.Value);
return calcUser?.HasPremiumAccess ?? false;
});
user.GetTwoFactorProviders(),
async () =>
{
var calcUser = await _userRepository.GetCalculatedPremiumAsync(userId.Value);
return calcUser?.HasPremiumAccess ?? false;
});
}

public async Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync(IEnumerable<Guid> userIds)
{
var result = new List<(Guid userId, bool hasTwoFactor)>();
if (userIds == null || !userIds.Any())
{
return result;
}

var users = await _userRepository.GetManyAsync([.. userIds]);
Copy link
Contributor

@claude claude bot Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

โš ๏ธ Missing validation: users count != userIds count

If some user IDs don't exist in the database, GetManyAsync will return fewer users than requested. This could lead to silent failures where non-existent users are treated as having 2FA disabled.

Suggested fix:

var users = await _userRepository.GetManyAsync([.. userIds]);

if (users.Count() != userIds.Distinct().Count())
{
    var foundUserIds = users.Select(u => u.Id).ToHashSet();
    var missingIds = userIds.Where(id => !foundUserIds.Contains(id));
    throw new NotFoundException($"Users not found: {string.Join(", ", missingIds)}");
}

This is especially important since the single-user overload throws NotFoundException when a user isn't found (line 105).

var premiumStatus = await _hasPremiumAccessQuery.HasPremiumAccessAsync(userIds);

foreach (var user in users)
{
var twoFactorProviders = user.GetTwoFactorProviders();
var hasPremiumAccess = premiumStatus.GetValueOrDefault(user.Id, false);
var twoFactorIsEnabled = TwoFactorIsEnabled(twoFactorProviders, hasPremiumAccess);

result.Add((user.Id, twoFactorIsEnabled));
}

return result;
}

public async Task<IEnumerable<(T user, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync<T>(IEnumerable<T> users)
where T : ITwoFactorProvidersUser
{
var userIds = users
.Select(u => u.GetUserId())
.Where(u => u.HasValue)
.Select(u => u.Value)
.ToList();

var twoFactorResults = await TwoFactorIsEnabledVNextAsync(userIds);

var result = new List<(T user, bool twoFactorIsEnabled)>();

foreach (var user in users)
{
var userId = user.GetUserId();
if (userId.HasValue)
{
var hasTwoFactor = twoFactorResults.FirstOrDefault(res => res.userId == userId.Value).twoFactorIsEnabled;
Copy link
Contributor

@claude claude bot Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

โš ๏ธ Potential issue: FirstOrDefault returns default tuple, not null

When userId is found but twoFactorResults doesn't contain it, FirstOrDefault will return (Guid.Empty, false) instead of indicating a missing user. This could mask bugs where users are expected but not found.

Consider:

var twoFactorResult = twoFactorResults.FirstOrDefault(res => res.userId == userId.Value);
if (twoFactorResult == default)
{
    throw new NotFoundException($"Two-factor status not found for user {userId.Value}");
}
result.Add((user, twoFactorResult.twoFactorIsEnabled));

This would make failures more explicit and easier to debug.

result.Add((user, hasTwoFactor));
}
else
{
result.Add((user, false));
}
}

return result;
}

public async Task<bool> TwoFactorIsEnabledVNextAsync(User user)
{
var providers = user.GetTwoFactorProviders();
var hasPremium = await _hasPremiumAccessQuery.HasPremiumAccessAsync(user.Id);

return TwoFactorIsEnabled(providers, hasPremium);
}

/// <summary>
/// Checks to see what kind of two-factor is enabled.
/// Synchronous version used when premium access status is already known.
/// </summary>
/// <param name="providers">dictionary of two factor providers</param>
/// <param name="hasPremiumAccess">whether the user has premium access</param>
/// <returns>true if the user has two factor enabled; false otherwise</returns>
private static bool TwoFactorIsEnabled(
Dictionary<TwoFactorProviderType, TwoFactorProvider> providers,
bool hasPremiumAccess)
{
// If there are no providers, then two factor is not enabled
if (providers == null || providers.Count == 0)
{
return false;
}

// Get all enabled providers
// TODO: PM-21210: In practice we don't save disabled providers to the database, worth looking into.
var enabledProviderKeys = from provider in providers
where provider.Value?.Enabled ?? false
select provider.Key;

// If no providers are enabled then two factor is not enabled
if (!enabledProviderKeys.Any())
{
return false;
}

// If there are only premium two factor options then check premium access
var onlyHasPremiumTwoFactor = enabledProviderKeys.All(TwoFactorProvider.RequiresPremium);
if (onlyHasPremiumTwoFactor)
{
return hasPremiumAccess;
}

// The user has at least one non-premium two factor option
return true;
}

/// <summary>
Expand Down
7 changes: 7 additions & 0 deletions src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
using Bit.Core.Auth.UserFeatures.WebAuthnLogin.Implementations;
using Bit.Core.Billing.Premium.Queries;
using Bit.Core.KeyManagement.UserKey;
using Bit.Core.KeyManagement.UserKey.Implementations;
using Bit.Core.Services;
Expand All @@ -27,6 +28,7 @@ public static void AddUserServices(this IServiceCollection services, IGlobalSett
services.AddUserRegistrationCommands();
services.AddWebAuthnLoginCommands();
services.AddTdeOffboardingPasswordCommands();
services.AddPremiumAccessQueries();
services.AddTwoFactorQueries();
services.AddSsoQueries();
}
Expand Down Expand Up @@ -65,6 +67,11 @@ private static void AddWebAuthnLoginCommands(this IServiceCollection services)
services.AddScoped<IAssertWebAuthnLoginCredentialCommand, AssertWebAuthnLoginCredentialCommand>();
}

private static void AddPremiumAccessQueries(this IServiceCollection services)
{
services.AddScoped<IHasPremiumAccessQuery, HasPremiumAccessQuery>();
}

private static void AddTwoFactorQueries(this IServiceCollection services)
{
services.AddScoped<ITwoFactorIsEnabledQuery, TwoFactorIsEnabledQuery>();
Expand Down
44 changes: 44 additions & 0 deletions src/Core/Billing/Premium/Queries/HasPremiumAccessQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
๏ปฟusing Bit.Core.Repositories;

namespace Bit.Core.Billing.Premium.Queries;

/// <summary>
/// Query for checking premium access status for users using the existing stored procedure
/// that calculates premium access from personal subscriptions and organization memberships.
/// </summary>
public class HasPremiumAccessQuery : IHasPremiumAccessQuery
{
private readonly IUserRepository _userRepository;

public HasPremiumAccessQuery(IUserRepository userRepository)
{
_userRepository = userRepository;
}

public async Task<bool> HasPremiumAccessAsync(Guid userId)
{
var user = await _userRepository.GetCalculatedPremiumAsync(userId);

Check warning on line 20 in src/Core/Billing/Premium/Queries/HasPremiumAccessQuery.cs

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

'IUserRepository.GetCalculatedPremiumAsync(Guid)' is obsolete: 'Use IUserService.CanAccessPremium instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.' 


See more on https://sonarcloud.io/project/issues?id=bitwarden_server&issues=AZrviTT9rh6_zY1RwvBt&open=AZrviTT9rh6_zY1RwvBt&pullRequest=6688
return user?.HasPremiumAccess ?? false;
}

public async Task<Dictionary<Guid, bool>> HasPremiumAccessAsync(IEnumerable<Guid> userIds)
{
var usersWithPremium = await _userRepository.GetManyWithCalculatedPremiumAsync(userIds);

Check warning on line 26 in src/Core/Billing/Premium/Queries/HasPremiumAccessQuery.cs

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

'IUserRepository.GetManyWithCalculatedPremiumAsync(IEnumerable<Guid>)' is obsolete: 'Use IUserService.CanAccessPremiumBulk instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.' 


See more on https://sonarcloud.io/project/issues?id=bitwarden_server&issues=AZrviTT9rh6_zY1RwvBu&open=AZrviTT9rh6_zY1RwvBu&pullRequest=6688
return usersWithPremium.ToDictionary(u => u.Id, u => u.HasPremiumAccess);
}

public async Task<bool> HasPremiumFromOrganizationAsync(Guid userId)
{
var user = await _userRepository.GetCalculatedPremiumAsync(userId);

Check warning on line 32 in src/Core/Billing/Premium/Queries/HasPremiumAccessQuery.cs

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

'IUserRepository.GetCalculatedPremiumAsync(Guid)' is obsolete: 'Use IUserService.CanAccessPremium instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.' 


See more on https://sonarcloud.io/project/issues?id=bitwarden_server&issues=AZrviTT9rh6_zY1RwvBv&open=AZrviTT9rh6_zY1RwvBv&pullRequest=6688
if (user == null)
{
return false;
}

// Has org premium if has premium access but not personal premium
return user.HasPremiumAccess && !user.Premium;
Copy link
Member

@eliykat eliykat Dec 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is subtly different to the current implementation in UserService.HasPremiumFromOrganization: that current logic will return false if the user is not a part of any orgs, but will not return false if they have both personal premium and premium from an org. That doesn't seem right either, but it's unclear what the intent is.

That said, I have no idea why we need this logic: it's only synced to clients but doesn't seem to be used there either. I would be interested to know if we could remove it.

Any ideas @amorask-bitwarden ?

Copy link
Contributor Author

@r-tome r-tome Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the new implementation to match the logic in UserService.

HasPremiumFromOrganization is used through SyncController for billing logic.

}
}



41 changes: 41 additions & 0 deletions src/Core/Billing/Premium/Queries/IHasPremiumAccessQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
๏ปฟnamespace Bit.Core.Billing.Premium.Queries;

/// <summary>
/// Query for checking premium access status for users.
/// This is the centralized location for determining if a user can access premium features
/// (either through personal subscription or organization membership).
///
/// <para>
/// <strong>Note:</strong> This is different from checking User.Premium, which only indicates
/// personal subscription status. Use these methods to check actual premium feature access.
/// </para>
/// </summary>
public interface IHasPremiumAccessQuery
{
/// <summary>
/// Checks if a user has access to premium features (personal subscription or organization).
/// This is the definitive way to check premium access for a single user.
/// </summary>
/// <param name="userId">The user ID to check for premium access</param>
/// <returns>True if user can access premium features; false otherwise</returns>
Task<bool> HasPremiumAccessAsync(Guid userId);

/// <summary>
/// Checks if a user has access to premium features through organization membership only.
/// This is useful for determining the source of premium access (personal vs organization).
/// </summary>
/// <param name="userId">The user ID to check for organization premium access</param>
/// <returns>True if user has premium access through any organization; false otherwise</returns>
Task<bool> HasPremiumFromOrganizationAsync(Guid userId);

/// <summary>
/// Checks if multiple users have access to premium features (optimized bulk operation).
/// Uses existing stored procedure that calculates premium from personal subscriptions and organizations.
/// </summary>
/// <param name="userIds">The user IDs to check for premium access</param>
/// <returns>Dictionary mapping user IDs to their premium access status (personal or through organization)</returns>
Task<Dictionary<Guid, bool>> HasPremiumAccessAsync(IEnumerable<Guid> userIds);
}



1 change: 1 addition & 0 deletions src/Core/Constants.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ public static class FeatureFlagKeys
public const string BlockClaimedDomainAccountCreation = "pm-28297-block-uninvited-claimed-domain-registration";
public const string PolicyValidatorsRefactor = "pm-26423-refactor-policy-side-effects";
public const string IncreaseBulkReinviteLimitForCloud = "pm-28251-increase-bulk-reinvite-limit-for-cloud";
public const string PremiumAccessQuery = "pm-21411-premium-access-query";

/* Architecture */
public const string DesktopMigrationMilestone1 = "desktop-ui-migration-milestone-1";
Expand Down
10 changes: 5 additions & 5 deletions src/Core/Entities/User.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,11 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
/// The security state is a signed object attesting to the version of the user's account.
/// </summary>
public string? SecurityState { get; set; }
/// <summary>
/// Indicates whether the user has a personal premium subscription.
/// Does not include premium access from organizations -
/// do not use this to check whether the user can access premium features.
/// </summary>
public bool Premium { get; set; }
public DateTime? PremiumExpirationDate { get; set; }
public DateTime? RenewalReminderDate { get; set; }
Expand Down Expand Up @@ -200,11 +205,6 @@ given user does or doesn't have this enabled. It is a non-zero chance.
return Id;
}

public bool GetPremium()
{
return Premium;
}

public int GetSecurityVersion()
{
// If no security version is set, it is version 1. The minimum initialized version is 2.
Expand Down
2 changes: 2 additions & 0 deletions src/Core/Repositories/IUserRepository.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ public interface IUserRepository : IRepository<User, Guid>
/// Retrieves the data for the requested user IDs and includes an additional property indicating
/// whether the user has premium access directly or through an organization.
/// </summary>
[Obsolete("Use IUserService.CanAccessPremiumBulk instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
Task<IEnumerable<UserWithCalculatedPremium>> GetManyWithCalculatedPremiumAsync(IEnumerable<Guid> ids);
/// <summary>
/// Retrieves the data for the requested user ID and includes additional property indicating
Expand All @@ -33,6 +34,7 @@ public interface IUserRepository : IRepository<User, Guid>
/// </summary>
/// <param name="userId">The user ID to retrieve data for.</param>
/// <returns>User data with calculated premium access; null if nothing is found</returns>
[Obsolete("Use IUserService.CanAccessPremium instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
Task<UserWithCalculatedPremium?> GetCalculatedPremiumAsync(Guid userId);
/// <summary>
/// Sets a new user key and updates all encrypted data.
Expand Down
Loading
Loading