bitwarden · r-tome · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -20,6 +20,12 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser, I
     public string Email { get; set; }
     public string AvatarColor { get; set; }
     public string TwoFactorProviders { get; set; }
+    /// <summary>
+    /// Indicates whether the user has a personal premium subscription.
+    /// Does not include premium access from organizations -
+    /// do not use this to check whether the user can access premium features.
+    /// Null when the organization user is in Invited status (UserId is null).
+    /// </summary>
     public bool? Premium { get; set; }
     public OrganizationUserStatusType Status { get; set; }
     public OrganizationUserType Type { get; set; }

@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Models;
+using Bit.Core.Entities;
 
 namespace Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 
@@ -22,4 +23,25 @@ public interface ITwoFactorIsEnabledQuery
     /// </summary>
     /// <param name="user">The user to check.</param>
     Task<bool> TwoFactorIsEnabledAsync(ITwoFactorProvidersUser user);
+
+    /// <summary>
+    /// Returns a list of user IDs and whether two factor is enabled for each user.
+    /// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
+    /// </summary>
+    /// <param name="userIds">The list of user IDs to check.</param>
+    Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync(IEnumerable<Guid> userIds);
+    /// <summary>
+    /// Returns a list of users and whether two factor is enabled for each user.
+    /// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
+    /// </summary>
+    /// <param name="users">The list of users to check.</param>
+    /// <typeparam name="T">The type of user in the list. Must implement <see cref="ITwoFactorProvidersUser"/>.</typeparam>
+    Task<IEnumerable<(T user, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync<T>(IEnumerable<T> users) where T : ITwoFactorProvidersUser;
+    /// <summary>
+    /// Returns whether two factor is enabled for the user. A user is able to have a TwoFactorProvider that is enabled but requires Premium.
+    /// If the user does not have premium then the TwoFactorProvider is considered _not_ enabled.
+    /// This version uses HasPremiumAccessQuery with cached organization abilities for better performance.
+    /// </summary>
+    /// <param name="user">The user to check.</param>
+    Task<bool> TwoFactorIsEnabledVNextAsync(User user);
 }
@@ -4,13 +4,24 @@
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Premium.Queries;
+using Bit.Core.Entities;
 using Bit.Core.Repositories;
 
 namespace Bit.Core.Auth.UserFeatures.TwoFactorAuth;
 
-public class TwoFactorIsEnabledQuery(IUserRepository userRepository) : ITwoFactorIsEnabledQuery
+public class TwoFactorIsEnabledQuery : ITwoFactorIsEnabledQuery
 {
-    private readonly IUserRepository _userRepository = userRepository;
+    private readonly IUserRepository _userRepository;
+    private readonly IHasPremiumAccessQuery _hasPremiumAccessQuery;
+
+    public TwoFactorIsEnabledQuery(
+        IUserRepository userRepository,
+        IHasPremiumAccessQuery hasPremiumAccessQuery)
+    {
+        _userRepository = userRepository;
+        _hasPremiumAccessQuery = hasPremiumAccessQuery;
+    }
 
     public async Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledAsync(IEnumerable<Guid> userIds)
     {
@@ -72,12 +83,113 @@ public async Task<bool> TwoFactorIsEnabledAsync(ITwoFactorProvidersUser user)
         }
 
         return await TwoFactorEnabledAsync(
-                        user.GetTwoFactorProviders(),
-                        async () =>
-                        {
-                            var calcUser = await _userRepository.GetCalculatedPremiumAsync(userId.Value);
-                            return calcUser?.HasPremiumAccess ?? false;
-                        });
+            user.GetTwoFactorProviders(),
+            async () =>
+            {
+                var calcUser = await _userRepository.GetCalculatedPremiumAsync(userId.Value);
+                return calcUser?.HasPremiumAccess ?? false;
+            });
+    }
+
+    public async Task<IEnumerable<(Guid userId, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync(IEnumerable<Guid> userIds)
+    {
+        var result = new List<(Guid userId, bool hasTwoFactor)>();
+        if (userIds == null || !userIds.Any())
+        {
+            return result;
+        }
+
+        var users = await _userRepository.GetManyAsync([.. userIds]);
+        var premiumStatus = await _hasPremiumAccessQuery.HasPremiumAccessAsync(userIds);
+
+        foreach (var user in users)
+        {
+            var twoFactorProviders = user.GetTwoFactorProviders();
+            var hasPremiumAccess = premiumStatus.GetValueOrDefault(user.Id, false);
+            var twoFactorIsEnabled = TwoFactorIsEnabled(twoFactorProviders, hasPremiumAccess);
+
+            result.Add((user.Id, twoFactorIsEnabled));
+        }
+
+        return result;
+    }
+
+    public async Task<IEnumerable<(T user, bool twoFactorIsEnabled)>> TwoFactorIsEnabledVNextAsync<T>(IEnumerable<T> users)
+        where T : ITwoFactorProvidersUser
+    {
+        var userIds = users
+            .Select(u => u.GetUserId())
+            .Where(u => u.HasValue)
+            .Select(u => u.Value)
+            .ToList();
+
+        var twoFactorResults = await TwoFactorIsEnabledVNextAsync(userIds);
+
+        var result = new List<(T user, bool twoFactorIsEnabled)>();
+
+        foreach (var user in users)
+        {
+            var userId = user.GetUserId();
+            if (userId.HasValue)
+            {
+                var hasTwoFactor = twoFactorResults.FirstOrDefault(res => res.userId == userId.Value).twoFactorIsEnabled;
+                result.Add((user, hasTwoFactor));
+            }
+            else
+            {
+                result.Add((user, false));
+            }
+        }
+
+        return result;
+    }
+
+    public async Task<bool> TwoFactorIsEnabledVNextAsync(User user)
+    {
+        var providers = user.GetTwoFactorProviders();
+        var hasPremium = await _hasPremiumAccessQuery.HasPremiumAccessAsync(user.Id);
+
+        return TwoFactorIsEnabled(providers, hasPremium);
+    }
+
+    /// <summary>
+    /// Checks to see what kind of two-factor is enabled.
+    /// Synchronous version used when premium access status is already known.
+    /// </summary>
+    /// <param name="providers">dictionary of two factor providers</param>
+    /// <param name="hasPremiumAccess">whether the user has premium access</param>
+    /// <returns>true if the user has two factor enabled; false otherwise</returns>
+    private static bool TwoFactorIsEnabled(
+        Dictionary<TwoFactorProviderType, TwoFactorProvider> providers,
+        bool hasPremiumAccess)
+    {
+        // If there are no providers, then two factor is not enabled
+        if (providers == null || providers.Count == 0)
+        {
+            return false;
+        }
+
+        // Get all enabled providers
+        // TODO: PM-21210: In practice we don't save disabled providers to the database, worth looking into.
+        var enabledProviderKeys = from provider in providers
+                                  where provider.Value?.Enabled ?? false
+                                  select provider.Key;
+
+        // If no providers are enabled then two factor is not enabled
+        if (!enabledProviderKeys.Any())
+        {
+            return false;
+        }
+
+        // If there are only premium two factor options then check premium access
+        var onlyHasPremiumTwoFactor = enabledProviderKeys.All(TwoFactorProvider.RequiresPremium);
+        if (onlyHasPremiumTwoFactor)
+        {
+            return hasPremiumAccess;
+        }
+
+        // The user has at least one non-premium two factor option
+        return true;
     }
 
     /// <summary>

@@ -9,6 +9,7 @@
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
 using Bit.Core.Auth.UserFeatures.WebAuthnLogin.Implementations;
+using Bit.Core.Billing.Premium.Queries;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.KeyManagement.UserKey.Implementations;
 using Bit.Core.Services;
@@ -27,6 +28,7 @@ public static void AddUserServices(this IServiceCollection services, IGlobalSett
         services.AddUserRegistrationCommands();
         services.AddWebAuthnLoginCommands();
         services.AddTdeOffboardingPasswordCommands();
+        services.AddPremiumAccessQueries();
         services.AddTwoFactorQueries();
         services.AddSsoQueries();
     }
@@ -65,6 +67,11 @@ private static void AddWebAuthnLoginCommands(this IServiceCollection services)
         services.AddScoped<IAssertWebAuthnLoginCredentialCommand, AssertWebAuthnLoginCredentialCommand>();
     }
 
+    private static void AddPremiumAccessQueries(this IServiceCollection services)
+    {
+        services.AddScoped<IHasPremiumAccessQuery, HasPremiumAccessQuery>();
+    }
+
     private static void AddTwoFactorQueries(this IServiceCollection services)
     {
         services.AddScoped<ITwoFactorIsEnabledQuery, TwoFactorIsEnabledQuery>();

@@ -0,0 +1,44 @@
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Billing.Premium.Queries;
+
+/// <summary>
+/// Query for checking premium access status for users using the existing stored procedure
+/// that calculates premium access from personal subscriptions and organization memberships.
+/// </summary>
+public class HasPremiumAccessQuery : IHasPremiumAccessQuery
+{
+    private readonly IUserRepository _userRepository;
+
+    public HasPremiumAccessQuery(IUserRepository userRepository)
+    {
+        _userRepository = userRepository;
+    }
+
+    public async Task<bool> HasPremiumAccessAsync(Guid userId)
+    {
+        var user = await _userRepository.GetCalculatedPremiumAsync(userId);
+        return user?.HasPremiumAccess ?? false;
+    }
+
+    public async Task<Dictionary<Guid, bool>> HasPremiumAccessAsync(IEnumerable<Guid> userIds)
+    {
+        var usersWithPremium = await _userRepository.GetManyWithCalculatedPremiumAsync(userIds);
+        return usersWithPremium.ToDictionary(u => u.Id, u => u.HasPremiumAccess);
+    }
+
+    public async Task<bool> HasPremiumFromOrganizationAsync(Guid userId)
+    {
+        var user = await _userRepository.GetCalculatedPremiumAsync(userId);
+        if (user == null)
+        {
+            return false;
+        }
+
+        // Has org premium if has premium access but not personal premium
+        return user.HasPremiumAccess && !user.Premium;
+    }
+}
+
+
+
@@ -0,0 +1,41 @@
+namespace Bit.Core.Billing.Premium.Queries;
+
+/// <summary>
+/// Query for checking premium access status for users.
+/// This is the centralized location for determining if a user can access premium features
+/// (either through personal subscription or organization membership).
+/// 
+/// <para>
+/// <strong>Note:</strong> This is different from checking User.Premium, which only indicates
+/// personal subscription status. Use these methods to check actual premium feature access.
+/// </para>
+/// </summary>
+public interface IHasPremiumAccessQuery
+{
+    /// <summary>
+    /// Checks if a user has access to premium features (personal subscription or organization).
+    /// This is the definitive way to check premium access for a single user.
+    /// </summary>
+    /// <param name="userId">The user ID to check for premium access</param>
+    /// <returns>True if user can access premium features; false otherwise</returns>
+    Task<bool> HasPremiumAccessAsync(Guid userId);
+
+    /// <summary>
+    /// Checks if a user has access to premium features through organization membership only.
+    /// This is useful for determining the source of premium access (personal vs organization).
+    /// </summary>
+    /// <param name="userId">The user ID to check for organization premium access</param>
+    /// <returns>True if user has premium access through any organization; false otherwise</returns>
+    Task<bool> HasPremiumFromOrganizationAsync(Guid userId);
 public async Task<bool> HasPremiumFromOrganization(ITwoFactorProvidersUser user) 
 public async Task<bool> HasPremiumFromOrganization(ITwoFactorProvidersUser user) 
+
+    /// <summary>
+    /// Checks if multiple users have access to premium features (optimized bulk operation).
+    /// Uses existing stored procedure that calculates premium from personal subscriptions and organizations.
+    /// </summary>
+    /// <param name="userIds">The user IDs to check for premium access</param>
+    /// <returns>Dictionary mapping user IDs to their premium access status (personal or through organization)</returns>
+    Task<Dictionary<Guid, bool>> HasPremiumAccessAsync(IEnumerable<Guid> userIds);
+}
+
+
+
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
@@ -144,6 +144,7 @@ public static class FeatureFlagKeys
     public const string BlockClaimedDomainAccountCreation = "pm-28297-block-uninvited-claimed-domain-registration";
     public const string PolicyValidatorsRefactor = "pm-26423-refactor-policy-side-effects";
     public const string IncreaseBulkReinviteLimitForCloud = "pm-28251-increase-bulk-reinvite-limit-for-cloud";
+    public const string PremiumAccessQuery = "pm-21411-premium-access-query";
 
     /* Architecture */
     public const string DesktopMigrationMilestone1 = "desktop-ui-migration-milestone-1";

diff --git a/src/Core/Entities/User.cs b/src/Core/Entities/User.cs
@@ -69,6 +69,11 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
     /// The security state is a signed object attesting to the version of the user's account.
     /// </summary>
     public string? SecurityState { get; set; }
+    /// <summary>
+    /// Indicates whether the user has a personal premium subscription.
+    /// Does not include premium access from organizations -
+    /// do not use this to check whether the user can access premium features.
+    /// </summary>
     public bool Premium { get; set; }
     public DateTime? PremiumExpirationDate { get; set; }
     public DateTime? RenewalReminderDate { get; set; }

diff --git a/src/Core/Repositories/IUserRepository.cs b/src/Core/Repositories/IUserRepository.cs
@@ -23,6 +23,7 @@ public interface IUserRepository : IRepository<User, Guid>
     /// Retrieves the data for the requested user IDs and includes an additional property indicating
     /// whether the user has premium access directly or through an organization.
     /// </summary>
+    [Obsolete("Use IUserService.CanAccessPremiumBulk instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
     Task<IEnumerable<UserWithCalculatedPremium>> GetManyWithCalculatedPremiumAsync(IEnumerable<Guid> ids);
     /// <summary>
     /// Retrieves the data for the requested user ID and includes additional property indicating
@@ -33,6 +34,7 @@ public interface IUserRepository : IRepository<User, Guid>
     /// </summary>
     /// <param name="userId">The user ID to retrieve data for.</param>
     /// <returns>User data with calculated premium access; null if nothing is found</returns>
+    [Obsolete("Use IUserService.CanAccessPremium instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
     Task<UserWithCalculatedPremium?> GetCalculatedPremiumAsync(Guid userId);
     /// <summary>
     /// Sets a new user key and updates all encrypted data.

diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
@@ -64,6 +64,7 @@ Task<UserLicense> GenerateLicenseAsync(User user, SubscriptionInfo subscriptionI
     /// </summary>
     /// <param name="user">user being acted on</param>
     /// <returns>true if they can access premium; false otherwise.</returns>
+    [Obsolete("Use IHasPremiumAccessQuery.HasPremiumAccessAsync instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
     Task<bool> CanAccessPremium(User user);
 
     /// <summary>
@@ -74,6 +75,7 @@ Task<UserLicense> GenerateLicenseAsync(User user, SubscriptionInfo subscriptionI
     /// </summary>
     /// <param name="user"></param>
     /// <returns></returns>
+    [Obsolete("Use IHasPremiumAccessQuery.HasPremiumFromOrganizationAsync instead. This method is only used when feature flag 'PremiumAccessQuery' is disabled.")]
     Task<bool> HasPremiumFromOrganization(User user);
     Task<string> GenerateSignInTokenAsync(User user, string purpose);