Skip to content

Fix SSO_ONLY users unable to accept org invites (#7072)#7079

Open
pmhnam wants to merge 1 commit intodani-garcia:mainfrom
pmhnam:fix/sso-only-org-invite-7072
Open

Fix SSO_ONLY users unable to accept org invites (#7072)#7079
pmhnam wants to merge 1 commit intodani-garcia:mainfrom
pmhnam:fix/sso-only-org-invite-7072

Conversation

@pmhnam
Copy link
Copy Markdown

@pmhnam pmhnam commented Apr 10, 2026
edited
Loading

Summary

Fixes #7072

SSO_ONLY users (users who authenticate via SSO and have no master password) cannot accept organization invites because the invite acceptance flow requires a master password login.

Changes

  • In send_invite: Auto-set membership status to Accepted for existing SSO_ONLY users when they are invited to an organization
  • In _reinvite_member: Prioritize SSO_ONLY auto-accept before attempting to send an email invite that the user cannot act on

How it works

When SSO_ENABLED=true and SSO_ONLY=true, users who have an empty password_hash (indicating they authenticated only via SSO) are automatically moved to Accepted status when invited. The admin can then confirm them normally through the admin console.

Testing

  • Tested with SSO_ONLY=true, inviting an SSO-created user to an org
  • User membership status correctly set to Accepted (status=1)
  • Admin can confirm the user, user can access collections

Copilot AI review requested due to automatic review settings April 10, 2026 17:02
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a gap in the organization invitation flow where SSO_ONLY users (no master password) can’t complete the email-based invite acceptance step, by auto-accepting invites for already-existing SSO_ONLY users so an admin can proceed to the confirmation step.

Changes:

  • Auto-accept organization invitations for existing SSO_ONLY users during invite creation.
  • Auto-accept invitations for SSO_ONLY users during the reinvite flow (and clear any stored invitation).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/api/core/organizations.rs
Comment thread src/api/core/organizations.rs Outdated
@pmhnam
Fix SSO_ONLY users unable to accept org invites (dani-garcia#7072)
994ee0d 
SSO_ONLY users have no master password and cannot use the email-based
invite acceptance flow. This change auto-accepts organization invitations
for SSO_ONLY users who already exist, allowing them to proceed directly
to the confirmation step by an admin.

Fixes dani-garcia#7072
@pmhnam pmhnam force-pushed the fix/sso-only-org-invite-7072 branch from 69899a6 to 994ee0d Compare April 10, 2026 17:29
@pmhnam pmhnam requested a review from Copilot April 10, 2026 17:32
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/api/core/organizations.rs
Comment on lines +1121 to +1124
// Only send the invite email if the member is still in the Invited state.
// SSO_ONLY users are auto-accepted above and should not receive an invite
// email with a link they cannot use.
if CONFIG.mail_enabled() && member_status == MembershipStatus::Invited as i32 {
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When member_status is force-set to Accepted (e.g., for SSO_ONLY users), the org policy checks that normally run during acceptance (OrgPolicy::check_user_allowed, see src/api/core/mod.rs:275+) are bypassed here. This can leave members in Accepted state even if 2FA/SingleOrg policies would forbid joining. Consider running OrgPolicy::check_user_allowed before persisting an Accepted status (or otherwise ensuring policies are enforced at this transition).

Copilot uses AI. Check for mistakes.
Comment thread src/api/core/organizations.rs
Comment on lines +1264 to +1266
let mut member = member;
member.status = MembershipStatus::Accepted as i32;
member.save(conn).await?;
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This auto-accept path sets member.status = Accepted without enforcing OrgPolicy::check_user_allowed (2FA / SingleOrg). The regular acceptance flow enforces these policies; consider applying the same check here before saving the updated membership status.

Copilot uses AI. Check for mistakes.
BlackDex
BlackDex requested changes Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@BlackDex BlackDex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this will work at all, not tested it, not looked at it that good.
But the main flow i see that there is an assumption that there is no master-password for SSO users, which is not correct.

Maybe this changes your way of thinking regarding this PR.
Again, i have not validated if this works or not, but since there are master-passwords needed for SSO users, this whole PR is probably wrong.

Comment thread src/api/core/organizations.rs
Comment on lines +1105 to +1106
// SSO_ONLY users have no master password and cannot use the email invite
// acceptance flow, so automatically accept them
Copy link
Copy Markdown
Collaborator

@BlackDex BlackDex Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SSO_ONLY User do have a master-password, not sure why you think this isn't the case.
I'm not sure regarding the flow though how that works. But every user still needs a master-password.

SSO In Bitwarden isn't just login.

Comment thread src/api/core/organizations.rs

if CONFIG.mail_enabled() {
if CONFIG.sso_enabled() && CONFIG.sso_only() && user.password_hash.is_empty() {
// SSO_ONLY users have no master password and cannot use the email invite
Copy link
Copy Markdown
Collaborator

@BlackDex BlackDex Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this statement is not true

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BlackDex BlackDex BlackDex requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSO_ONLY users don't receive organisation invites

3 participants

@pmhnam @BlackDex