[PM-34595] Add provider authorization attributes

[eliykat]

Tracking

https://bitwarden.atlassian.net/browse/PM-34595

Objective

Introduces the declarative authorization pattern for Provider endpoints, following the same approach as the existing Organization authorization infrastructure (see OrganizationRequirementHandler).

This will let us change from the current imperative pattern, which relies on the CurrentContext god class:

    [HttpGet("")]
    public async Task<ListResponseModel<ProviderOrganizationOrganizationDetailsResponseModel>> Get(Guid providerId)
    {
        if (!_currentContext.AccessProviderOrganizations(providerId))
        {
            throw new NotFoundException();
        }

To a declarative pattern:

    [HttpGet("")]
    [Authorize<ProviderUserRequirement>]
    public async Task<ListResponseModel<ProviderOrganizationOrganizationDetailsResponseModel>> Get(Guid providerId)
    {

This PR is plumbing only — no controller behavior changes. The handler and requirements are registered but not yet wired to any endpoints. A follow-up PR will update the controllers to use these requirements.

There is also some reorganization of the file structure to better accommodate these new files.

Code changes

New types:

• IProviderRequirement — base interface for provider authorization requirements
• ProviderRequirementHandler — central handler that extracts the provider from route/claims and delegates to requirement implementations
• ProviderClaimsExtensions — helpers to parse CurrentContextProvider from a ClaimsPrincipal
• HttpContextExtensions.GetProviderId() — route param helper mirroring existing GetOrganizationId()
• requirements for Provider Users, Provider Admins, and a semantic ManageProviderUsers requirement.

[github-actions]

Checkmarx One – Scan Summary & Details – f777faed-e306-4273-a989-7ca2473a7723

---

New Issues (121)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_XSS	/src/SharedWeb/Health/HealthCheckServiceExtensions.cs: 61	details The method embeds untrusted data in generated output with WriteAsync, at line 60 of /src/SharedWeb/Health/HealthCheckServiceExtensions.cs. This ... Attack Vector
2		Stored_XSS	/util/Server/Startup.cs: 57	details The method embeds untrusted data in generated output with WriteAsync, at line 59 of /util/Server/Startup.cs. This untrusted data is embedded int... Attack Vector
3		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 55	details Method at line 55 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
4		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
5		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
6		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
7		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
8		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 534	details Method at line 534 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
9		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 229	details Method at line 229 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
10		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
11		CSRF	/src/Api/Tools/Controllers/SendsController.cs: 73	details Method at line 73 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from id. This parameter value flows thro... Attack Vector
12		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 145	details Method at line 145 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
13		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217	details Method at line 217 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
14		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
15		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
16		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
17		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
18		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
19		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
20		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
21		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
22		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
23		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
24		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
25		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 104	details Method at line 104 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
26		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 107	details Method at line 107 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organiza... Attack Vector
27		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
28		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 233	details Method at line 233 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
29		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 286	details Method at line 286 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
30		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
31		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
32		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
33		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
34		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
35		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
36		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1148	details Method at line 1148 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
37		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1032	details Method at line 1032 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
38		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1281	details Method at line 1281 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from organizationId. This parameter ... Attack Vector
39		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 394	details Method at line 394 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
40		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
41		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from id. This parame... Attack Vector
42		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 95	details Method at line 95 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
43		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 82	details Method at line 82 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
44		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 93	details Method at line 93 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
45		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 49	details Method at line 49 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
46		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 40	details Method at line 40 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
47		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1226	details Method at line 1226 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flo... Attack Vector
48		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
49		CSRF	/src/Api/Vault/Controllers/SecurityTaskController.cs: 66	details Method at line 66 of /src/Api/Vault/Controllers/SecurityTaskController.cs gets a parameter from a user request from taskId. This parameter value... Attack Vector
50		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 721	details Method at line 721 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from request. This parameter value fl... Attack Vector
51		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 192	details Method at line 192 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
52		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 641	details Method at line 641 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
53		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 126	details Method at line 126 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
54		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 664	details Method at line 664 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
55		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 412	details Method at line 412 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
56		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 385	details Method at line 385 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
57		CSRF	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 173	details Method at line 173 of /src/Api/Auth/Controllers/EmergencyAccessController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
58		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
59		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
60		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
61		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
62		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61	details Method at line 61 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
63		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67	details Method at line 67 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
64		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
65		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
66		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
67		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
68		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
69		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
70		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
71		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
72		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
73		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 138	details Method at line 138 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
74		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
75		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
76		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 414	details Method at line 414 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
77		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 414	details Method at line 414 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
78		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 558	details Method at line 558 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector

More results are available on the CxOne platform

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.46%. Comparing base (2b7ba20) to head (a890524).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7389      +/-   ##
==========================================
+ Coverage   58.44%   58.46%   +0.02%     
==========================================
  Files        2060     2064       +4     
  Lines       91178    91226      +48     
  Branches     8114     8122       +8     
==========================================
+ Hits        53287    53335      +48     
  Misses      36002    36002              
  Partials     1889     1889              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR introduces declarative authorization infrastructure for Provider endpoints, mirroring the existing Organization authorization pattern. The changes include a new IProviderRequirement interface, ProviderRequirementHandler, ProviderClaimsExtensions, three concrete requirement implementations (ProviderAdminRequirement, ProviderUserRequirement, ManageProviderUsersRequirement), and corresponding test coverage. No endpoints are wired yet -- this is plumbing only.

No issues found. The implementation is consistent with established patterns, fails closed on missing authentication, and has thorough test coverage for all new types.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud