[PM-34774] Add GET endpoint for organization invite links

[r-tome]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34774

📔 Objective

Adds GET /organizations/{orgId}/invite-link to retrieve an organization's existing invite link. Returns 404 if none exists.

[github-actions]

Checkmarx One – Scan Summary & Details – 51f5d63d-abb8-406d-b8ca-2c950e5c7011

---

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1558
	CSRF	src/Api/Vault/Controllers/CiphersController.cs: 1385

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 14.45%. Comparing base (59c220e) to head (c34522f).

Files with missing lines	Patch %	Lines
...eatures/OrganizationServiceCollectionExtensions.cs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@                            Coverage Diff                             @@
##           ac/pm-34387/create-invite-link-command    #7534      +/-   ##
==========================================================================
- Coverage                                   14.45%   14.45%   -0.01%     
==========================================================================
  Files                                        1281     1281              
  Lines                                       55596    55607      +11     
  Branches                                     4303     4305       +2     
==========================================================================
  Hits                                         8037     8037              
- Misses                                      47419    47430      +11     
  Partials                                      140      140              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Adds GET /organizations/{orgId}/invite-link to retrieve an organization's existing invite link, returning 404 when none exists. Authorization uses ManageUsersRequirement and the controller-level RequireFeature(GenerateInviteLink) flag, and the change is covered by unit tests and an updated integration test. The changes are small, focused, and align with the parent PR (pm-34387/create-invite-link-command).

Code Review Details

• 🎨 : Controller calls the repository directly instead of a query class; branch name and renamed AddOrganizationInviteLinkCommandsQueries extension both imply a query was intended, and sibling OrganizationDomains follows the CQS pattern.
  • src/Api/AdminConsole/Controllers/OrganizationInviteLinksController.cs:26
• ❓ : Get does not check the UseInviteLinks organization ability, while CreateOrganizationInviteLinkCommand does — is this intentional?
  • src/Api/AdminConsole/Controllers/OrganizationInviteLinksController.cs:22

[claude]

🎨 SUGGESTED: Controller calls repository directly instead of a query class; breaks the CQS pattern used elsewhere in this codebase.

Details and fix

The branch name (get-invite-link-query-and-endpoint) and the renamed DI extension (AddOrganizationInviteLinkCommandsQueries, plural) both imply a query class was intended, but only a command is still registered. The controller now injects IOrganizationInviteLinkRepository directly.

The sibling feature OrganizationDomains follows the expected pattern — see GetOrganizationDomainByOrganizationIdQuery registered alongside its commands. Per ADR-0008 (CQS), new features should use query classes for reads.

Suggested fix: introduce IGetOrganizationInviteLinkByOrganizationIdQuery / GetOrganizationInviteLinkByOrganizationIdQuery in src/Core/AdminConsole/OrganizationFeatures/InviteLinks/, register it in AddOrganizationInviteLinkCommandsQueries, and inject it into the controller instead of the repository. This also gives a natural home for the UseInviteLinks ability check raised in the other comment.

[claude]

❓ QUESTION: Should Get also check the UseInviteLinks organization ability, consistent with CreateOrganizationInviteLinkCommand?

Details

CreateOrganizationInviteLinkCommand gates creation on OrganizationAbility.UseInviteLinks (commit 7acba07). If that ability is later disabled for an org that already has a link, this Get endpoint will still return the link, while Create would reject a new one. The controller-level RequireFeature(GenerateInviteLink) is a platform-wide flag, and ManageUsersRequirement is RBAC — neither is equivalent to the per-org ability check.

Is the intent for admins to continue to see/manage an existing link after the ability is turned off, or should Get also 404 when UseInviteLinks is false? A short comment or a consistency check here would clarify.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud