From cff2f5df6dd50bf1acbb77e1d971df97108424bb Mon Sep 17 00:00:00 2001
From: Patrick Pimentel <ppimentel@bitwarden.com>
Date: Thu, 4 Dec 2025 09:24:27 -0500
Subject: [PATCH] fix(auth-validator): [PM-22975] Client Version Validator -
 Added more tests and added comment.

---
 src/Core/Entities/User.cs                     |  5 +++
 ...etMinimumClientVersionForUserQueryTests.cs | 37 +++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/src/Core/Entities/User.cs b/src/Core/Entities/User.cs
index 8b3b242c8f..ff0ec2f31e 100644
--- a/src/Core/Entities/User.cs
+++ b/src/Core/Entities/User.cs
@@ -222,6 +222,11 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
         return EncryptionParsing.GetEncryptionType(PrivateKey) == EncryptionType.XChaCha20Poly1305_B64;
     }
 
+    /// <summary>
+    /// This technically is correct but all versions after 1 are considered v2 encryption. Leaving for now with
+    /// KM's blessing that when a new version comes along they will handle migration.
+    /// </summary>
+    /// <returns></returns>
     private bool IsSecurityVersionTwo()
     {
         return SecurityVersion == 2;
diff --git a/test/Core.Test/KeyManagement/Queries/GetMinimumClientVersionForUserQueryTests.cs b/test/Core.Test/KeyManagement/Queries/GetMinimumClientVersionForUserQueryTests.cs
index b9bbbcd60b..010eb23586 100644
--- a/test/Core.Test/KeyManagement/Queries/GetMinimumClientVersionForUserQueryTests.cs
+++ b/test/Core.Test/KeyManagement/Queries/GetMinimumClientVersionForUserQueryTests.cs
@@ -26,6 +26,43 @@ public class GetMinimumClientVersionForUserQueryTests
         var version = await sut.Run(new User
         {
             SecurityVersion = 1,
+            PrivateKey = TestEncryptionConstants.V1EncryptedBase64,
+        });
+        Assert.Null(version);
+    }
+
+    [Fact]
+    public async Task Run_ReturnsNull_ForSecurityVersion1ButPrivateKeyV2User()
+    {
+        var sut = new GetMinimumClientVersionForUserQuery();
+        var version = await sut.Run(new User
+        {
+            SecurityVersion = 1,
+            PrivateKey = TestEncryptionConstants.V2PrivateKey,
+        });
+        Assert.Null(version);
+    }
+
+    [Fact]
+    public async Task Run_ReturnsNull_ForPrivateKeyV1ButSecurityVersion2User()
+    {
+        var sut = new GetMinimumClientVersionForUserQuery();
+        var version = await sut.Run(new User
+        {
+            SecurityVersion = 2,
+            PrivateKey = TestEncryptionConstants.V1EncryptedBase64,
+        });
+        Assert.Null(version);
+    }
+
+
+    [Fact]
+    public async Task Run_ReturnsNull_ForV1UserWithNull()
+    {
+        var sut = new GetMinimumClientVersionForUserQuery();
+        var version = await sut.Run(new User
+        {
+            SecurityVersion = null,
             PrivateKey = TestEncryptionConstants.V2PrivateKey,
         });
         Assert.Null(version);