
[PM-20225] Block no-userkey legacy users (#5640)

* Block legacy users on all clients over 2025.5

* Update message

* Fix test

* Fix test

* Update blocked version
Bernd Schoolmann
2025-06-02 22:04:01 +02:00
committed by GitHub
parent 8bac7f0145
commit 14e68428f6
5 changed files with 7 additions and 6 deletions


@@ -27,6 +27,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
{
private readonly UserManager<User> _userManager;
private readonly IUpdateInstallationCommand _updateInstallationCommand;
private readonly Version _denyLegacyUserMinimumVersion = new(Constants.DenyLegacyUserMinimumVersion);
public CustomTokenRequestValidator(
UserManager<User> userManager,
@@ -73,7 +74,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
{
// Force legacy users to the web for migration
if (await _userService.IsLegacyUser(GetSubject(context)?.GetSubjectId()) &&
context.Result.ValidatedRequest.ClientId != "web")
(context.Result.ValidatedRequest.ClientId != "web" || CurrentContext.ClientVersion >= _denyLegacyUserMinimumVersion))
{
await FailAuthForLegacyUserAsync(null, context);
return;
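Review bot: The new web-client branch in the second hunk depends on `CurrentContext.ClientVersion`, and nothing in the hunk says what happens when that value is null: on current .NET a null `Version` on the left of `>=` evaluates to false, so a web request that reports no version would skip the block. If the version comes from a client-supplied header (its source is not visible here), the check steers clients rather than enforcing anything, and the comment should say so. The existing comment `// Force legacy users to the web for migration` is also out of date now that web clients at or above the minimum version are rejected; something like `// Legacy users may only sign in from web clients older than DenyLegacyUserMinimumVersion; a missing client version counts as older` would match the code. If fail-closed behaviour is intended instead, make it explicit with `CurrentContext.ClientVersion is null || CurrentContext.ClientVersion >= _denyLegacyUserMinimumVersion`. The enclosing method starts and ends outside the hunk.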