From f578dab94f2e92d460a39b2b8d8f9db596fadae5 Mon Sep 17 00:00:00 2001
From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
Date: Tue, 27 Jan 2026 21:38:09 +0100
Subject: [PATCH] user reset password key can be empty string (#6871)

---
 .../OrganizationUserRotationValidator.cs      |  3 +-
 .../OrganizationUserRotationValidatorTests.cs | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/Api/KeyManagement/Validators/OrganizationUserRotationValidator.cs b/src/Api/KeyManagement/Validators/OrganizationUserRotationValidator.cs
index 5023521fe3..835965e2d6 100644
--- a/src/Api/KeyManagement/Validators/OrganizationUserRotationValidator.cs
+++ b/src/Api/KeyManagement/Validators/OrganizationUserRotationValidator.cs
@@ -34,8 +34,7 @@ public class OrganizationUserRotationValidator : IRotationValidator<IEnumerable<
         }
 
         // Exclude any account recovery that do not have a key.
-        existing = existing.Where(o => o.ResetPasswordKey != null).ToList();
-
+        existing = existing.Where(o => !string.IsNullOrEmpty(o.ResetPasswordKey)).ToList();
 
         foreach (var ou in existing)
         {
diff --git a/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs b/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs
index 964c801903..a939636fc2 100644
--- a/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs
@@ -69,6 +69,44 @@ public class OrganizationUserRotationValidatorTests
         Assert.Empty(result);
     }
 
+    [Theory]
+    [BitAutoData([null])]
+    [BitAutoData("")]
+    public async Task ValidateAsync_OrgUsersWithNullOrEmptyResetPasswordKey_FiltersOutInvalidKeys(
+        string? invalidResetPasswordKey,
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        ResetPasswordWithOrgIdRequestModel validResetPasswordKey)
+    {
+        // Arrange
+        var existingUserResetPassword = new List<OrganizationUser>
+        {
+            // Valid org user with reset password key
+            new OrganizationUser
+            {
+                Id = Guid.NewGuid(),
+                OrganizationId = validResetPasswordKey.OrganizationId,
+                ResetPasswordKey = validResetPasswordKey.ResetPasswordKey
+            },
+            // Invalid org user with null or empty reset password key - should be filtered out
+            new OrganizationUser
+            {
+                Id = Guid.NewGuid(),
+                OrganizationId = Guid.NewGuid(),
+                ResetPasswordKey = invalidResetPasswordKey
+            }
+        };
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(user, new[] { validResetPasswordKey });
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Single(result);
+        Assert.Equal(validResetPasswordKey.OrganizationId, result[0].OrganizationId);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task ValidateAsync_MissingResetPassword_Throws(