Return 404 when user public_key is empty #1271

Closed
opened 2026-04-06 01:42:57 +02:00 by MrUnknownDE · 0 comments

Originally created by @Timshel on 1/23/2024

Hey,

So, when working on the SSO PR, I introduced a bug with the `SSO_ACCEPTALL_INVITES` which made it possible for a user to be `UserOrgStatus::Accepted` while not yet having a public key.

What made the issue worse is that the admin can then confirm the user while using a public key with a `null` value.
When the user finally logs in, the vault will be broken and does not load.

So of course I fixed the issue, but this change would make it so that the admin can't confirm the user, and prevent entering a broken state. Sadly the error is not displayed (be it a `400` or `404`).

Lastly, this would be more in line with the official server implementation, which I believe throws a `NotFoundException` in this [case](https://github.com/bitwarden/server/blob/aeca1722fc61680715e5b439aea8bf6cc4e7b300/src/Api/Controllers/UsersController.cs#L28).


Reference: github/vaultwarden#1271
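
A sketch of the guard described in the pull request above, added here as an illustration and not taken from the vaultwarden code base. The `User` struct, `ApiError`, `get_public_key` and `confirm_member` are hypothetical names; only `UserOrgStatus::Accepted` and the 404 behaviour come from the description. The second check inside `confirm_member` goes beyond what the description states and is an assumption of this sketch.

```rust
// Added illustration: types and function names are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
enum UserOrgStatus { Invited, Accepted, Confirmed }

#[derive(Debug, PartialEq)]
enum ApiError { NotFound, BadRequest }

struct User {
    status: UserOrgStatus,
    // None until the user has logged in once and generated a key pair.
    public_key: Option<String>,
    // Organization key wrapped for this member by the admin's client.
    wrapped_org_key: Option<String>,
}

/// Public-key lookup done before confirming a member. A missing or empty
/// key is reported as NotFound instead of being handed back as null.
fn get_public_key(user: &User) -> Result<&str, ApiError> {
    match user.public_key.as_deref() {
        Some(k) if !k.trim().is_empty() => Ok(k),
        _ => Err(ApiError::NotFound),
    }
}

/// Confirmation repeats the key check (assumption of this sketch), so a
/// client that ignored the lookup error cannot reach a broken Confirmed state.
fn confirm_member(user: &mut User, wrapped_org_key: &str) -> Result<(), ApiError> {
    if user.status != UserOrgStatus::Accepted || wrapped_org_key.is_empty() {
        return Err(ApiError::BadRequest);
    }
    get_public_key(user)?;
    user.wrapped_org_key = Some(wrapped_org_key.to_string());
    user.status = UserOrgStatus::Confirmed;
    Ok(())
}

fn main() {
    // Constructed sample: invite auto-accepted before the first login.
    let mut u = User { status: UserOrgStatus::Accepted, public_key: None, wrapped_org_key: None };
    println!("lookup:  {:?}", get_public_key(&u));
    println!("confirm: {:?} (status {:?})", confirm_member(&mut u, "2.constructed"), u.status);
    u.public_key = Some("constructed-public-key".into());
    println!("confirm: {:?} (status {:?})", confirm_member(&mut u, "2.constructed"), u.status);
}
```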