From 6696104e9dd8b4f7ffa3d49ee2b486028631b6eb Mon Sep 17 00:00:00 2001
From: Patrick Pimentel
Date: Tue, 2 Dec 2025 16:13:26 -0500
Subject: [PATCH] fix(auth-validator): [PM-22975] Client Version Validator - Fixed more tests. Checking in with CI to see how it's looking.
---
 .../Endpoints/IdentityServerSsoTests.cs | 9 ++-------
 .../Endpoints/IdentityServerTests.cs | 11 +++++++++++
 .../Factories/IdentityApplicationFactory.cs | 9 +++++++++
 .../Factories/WebApplicationFactoryBase.cs | 4 ++++
 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
index 22447593b4..0ef761a112 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
@@ -630,11 +630,6 @@ public class IdentityServerSsoTests
 .Returns(Task.FromResult(true));
 });
- // Compute PKCE S256 code challenge explicitly (base64url of SHA256)
- var challengeBytes = System.Text.Encoding.ASCII.GetBytes(challenge);
- var hash = System.Security.Cryptography.SHA256.HashData(challengeBytes);
- var codeChallenge = Duende.IdentityModel.Base64Url.Encode(hash);
-
 var authorizationCode = new AuthorizationCode
 {
 ClientId = "web",
@@ -642,8 +637,8 @@ public class IdentityServerSsoTests
 Lifetime = (int)TimeSpan.FromMinutes(5).TotalSeconds,
 RedirectUri = "https://localhost:8080/sso-connector.html",
 RequestedScopes = ["api", "offline_access"],
- CodeChallenge = codeChallenge,
- CodeChallengeMethod = "S256",
+ CodeChallenge = challenge.Sha256(),
+ CodeChallengeMethod = "plain",
 Subject = null!, // Temporarily set it to null
 };
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
index 6f10f22002..fb298b9677 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
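Review bot: In IdentityServerSsoTests.cs, the second hunk seeds the stored authorization code with `CodeChallengeMethod = "plain"` next to `CodeChallenge = challenge.Sha256()`, which reads as a mismatch and removes the only S256 exercise of the PKCE check visible in this patch. If, as I understand Duende's grant storage, the persisted challenge is always a hash of the request's `code_challenge`, the pair is consistent for `plain`, but that should be stated in a comment such as `// Stored CodeChallenge is the hash of the request's code_challenge; with "plain" the verifier equals the challenge`. S256 is the method RFC 7636 tells capable clients to use, so consider keeping an S256 case alongside this one so that a regression in that path is still caught. The object initializer and the test method start and end outside the hunk.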
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTests.cs
@@ -9,11 +9,14 @@ using Bit.Core.Enums;
 using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
 using Bit.Core.Test.Auth.AutoFixture;
+using Bit.Identity.IdentityServer;
+using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.EntityFrameworkCore;
+using NSubstitute;
 using Xunit;
 namespace Bit.Identity.IntegrationTest.Endpoints;
@@ -29,6 +32,14 @@ public class IdentityServerTests : IClassFixture
 public IdentityServerTests(IdentityApplicationFactory factory)
 {
 _factory = factory;
+
+ // Bypass client version gating to isolate SSO test behavior
+ _factory.SubstituteService(svc =>
+ {
+ svc.ValidateAsync(Arg.Any(), Arg.Any())
+ .Returns(Task.FromResult(true));
+ });
+
 ReinitializeDbForTests(_factory);
 }
diff --git a/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs b/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs
index 529f8459fd..b8642cc49e 100644
--- a/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs
+++ b/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs
@@ -9,6 +9,8 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Services;
 using Bit.Identity;
+using Bit.Identity.IdentityServer;
+using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.Test.Common.Helpers;
 using LinqToDB;
 using Microsoft.AspNetCore.Hosting;
@@ -46,6 +48,13 @@ public class IdentityApplicationFactory : WebApplicationFactoryBase
 });
 });
+ // Bypass client version gating to isolate tests from client version behavior
+ SubstituteService(svc =>
+ {
+ svc.ValidateAsync(Arg.Any(), Arg.Any())
+ .Returns(Task.FromResult(true));
+ });
+
 base.ConfigureWebHost(builder);
 }
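Review bot: The substitute added to the IdentityServerTests constructor duplicates the one this same commit registers in IdentityApplicationFactory.ConfigureWebHost, and its comment still says `isolate SSO test behavior` although this class is not the SSO suite. The factory comes in through a class fixture, so the constructor registers the stub again on a shared instance for every test; whether SubstituteService tolerates repeated calls, or calls made after the host has been built, is not visible in this patch. I would drop the constructor block and rely on the factory default, or keep it and change the comment to `// Bypass client version gating; these tests do not exercise client version behavior`.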
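Review bot: Stubbing the client version validator to always return true inside IdentityApplicationFactory.ConfigureWebHost switches the check off for every integration test built on this factory, so nothing visible in this patch sends a token request through the real validator. For a gate that sits in the authentication path, that leaves the reject branch and its wiring into the request validators unverified end to end. I would make the bypass opt-in for the suites that need it, or add at least one test that runs against the real implementation and asserts that an unsupported client version is refused. The added comment could also record the consequence: `// Default for all Identity tests: client version gating is stubbed out; tests that cover it must register the real validator`. ConfigureWebHost starts outside the hunk.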
diff --git a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
index a41cd43923..983e5f6102 100644
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@@ -131,6 +131,10 @@ public abstract class WebApplicationFactoryBase : WebApplicationFactory
 { "globalSettings:databaseProvider", "postgres" },
 { "globalSettings:postgreSql:connectionString", "Host=localhost;Username=test;Password=test;Database=test" },
+ // Ensure base service URIs are defined for tests (used for client redirect URIs)
+ { "globalSettings:baseServiceUri:vault", "https://localhost:8080" },
+ { "globalSettings:baseServiceUri:internalVault", "https://localhost:8080" },
+
 // Clear the redis connection string for distributed caching, forcing an in-memory implementation
 { "globalSettings:redis:connectionString", "" },
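Review bot: The two added `baseServiceUri` entries repeat the literal `https://localhost:8080` that the SSO test in this patch also hard-codes in `RedirectUri = "https://localhost:8080/sso-connector.html"`, so redirect-URI matching in the tests presumably depends on separate string literals staying identical. If one of them changes, the failure will surface as a rejected redirect rather than as a configuration error. I would put the origin in one shared test constant and build both the settings and the test's redirect URI from it, and extend the comment to `// Must match the origin of the RedirectUri values used in the Identity integration tests`. The settings dictionary starts and ends outside the hunk.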