[AC-1585] Automatically verify managed members on an organization with a verified domain (#3207)

bitwarden_license/src/Sso/Controllers/AccountController.cs

@@ -47,6 +47,7 @@ public class AccountController : Controller
     private readonly IGlobalSettings _globalSettings;
     private readonly Core.Services.IEventService _eventService;
     private readonly IDataProtectorTokenFactory<SsoTokenable> _dataProtector;
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
 
     public AccountController(
         IAuthenticationSchemeProvider schemeProvider,
@@ -65,7 +66,8 @@ public class AccountController : Controller
         UserManager<User> userManager,
         IGlobalSettings globalSettings,
         Core.Services.IEventService eventService,
-        IDataProtectorTokenFactory<SsoTokenable> dataProtector)
+        IDataProtectorTokenFactory<SsoTokenable> dataProtector,
+        IOrganizationDomainRepository organizationDomainRepository)
     {
         _schemeProvider = schemeProvider;
         _clientStore = clientStore;
@@ -84,6 +86,7 @@ public class AccountController : Controller
         _eventService = eventService;
         _globalSettings = globalSettings;
         _dataProtector = dataProtector;
+        _organizationDomainRepository = organizationDomainRepository;
     }
 
     [HttpGet]
@@ -513,11 +516,21 @@ public class AccountController : Controller
             }
         }
 
+        // If the email domain is verified, we can mark the email as verified
+        var emailVerified = false;
+        var emailDomain = CoreHelpers.GetEmailDomain(email);
+        if (!string.IsNullOrWhiteSpace(emailDomain))
+        {
+            var organizationDomain = await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(orgId, emailDomain);
+            emailVerified = organizationDomain?.VerifiedDate.HasValue ?? false;
+        }
+
         // Create user record - all existing user flows are handled above
         var user = new User
         {
             Name = name,
             Email = email,
+            EmailVerified = emailVerified,
             ApiKey = CoreHelpers.SecureRandomString(30)
         };
         await _userService.RegisterUserAsync(user);

src/Core/Utilities/CoreHelpers.cs

@@ -817,4 +817,19 @@ public static class CoreHelpers
             .ToString();
 
     }
+
+    public static string GetEmailDomain(string email)
+    {
+        if (!string.IsNullOrWhiteSpace(email))
+        {
+            var emailParts = email.Split('@', StringSplitOptions.RemoveEmptyEntries);
+
+            if (emailParts.Length == 2)
+            {
+                return emailParts[1].Trim();
+            }
+        }
+
+        return null;
+    }
 }

test/Core.Test/Utilities/CoreHelpersTests.cs

@@ -416,4 +416,25 @@ public class CoreHelpersTests
     {
         Assert.Equal(expected, CoreHelpers.ObfuscateEmail(input));
     }
+
+    [Theory]
+    [InlineData("user@example.com")]
+    [InlineData("user@example.com ")]
+    [InlineData("user.name@example.com")]
+    public void GetEmailDomain_Success(string email)
+    {
+        Assert.Equal("example.com", CoreHelpers.GetEmailDomain(email));
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData(null)]
+    [InlineData("userexample.com")]
+    [InlineData("user@")]
+    [InlineData("@example.com")]
+    [InlineData("user@ex@ample.com")]
+    public void GetEmailDomain_ReturnsNull(string wrongEmail)
+    {
+        Assert.Null(CoreHelpers.GetEmailDomain(wrongEmail));
+    }
 }