[PM-31040] Replace ISetupIntentCache with customer-based approach

[amorask-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31040

📔 Objective

Replace the ISetupIntentCache distributed cache with a customer-based approach that directly associates Stripe SetupIntent objects with Stripe Customer objects. This eliminates infrastructure dependencies on the distributed cache and simplifies the codebase by removing dead code paths.

Problem

The SetupIntentDistributedCache maintained a bidirectional mapping between subscriber IDs and SetupIntent IDs, which was fragile and caused issues with the bank account payment method flow for organizations and providers.

Solution

Instead of caching the SetupIntent-to-subscriber relationship:

1. Set the customer field on the SetupIntent when it's retrieved (during subscription creation or payment method update)
2. Query subscribers by GatewayCustomerId when webhooks arrive, using new repository methods
3. Remove all cache-related code and dead code paths

Changes

Database Infrastructure (Phase 1-3)

• Add new stored procedures for querying Organizations, Providers, and Users by GatewayCustomerId and GatewaySubscriptionId
• Add filtered indexes on GatewayCustomerId and GatewaySubscriptionId columns for all three entity tables
• Add corresponding repository methods (both Dapper and Entity Framework implementations)
• Generate EF migrations for MySQL, PostgreSQL, and SQLite

SetupIntent Handling Updates (Phase 4-5)

• Update SetupIntentSucceededHandler to query repositories by customer ID instead of using the cache
• Simplify StripeEventService by expanding customer data directly from SetupIntent
• Update GetPaymentMethodQuery and HasPaymentMethodQuery to query Stripe by customer ID
• Update OrganizationBillingService, ProviderBillingService, and UpdatePaymentMethodCommand to set the customer on SetupIntents

Dead Code Removal (Phase 6-7)

• Remove bank account support from CreatePremiumCloudHostedSubscriptionCommand (premium users cannot use bank accounts)
• Remove UpdatePaymentMethod from OrganizationBillingService, ProviderBillingService, and PremiumUserBillingService (replaced by UpdatePaymentMethodCommand)
• Remove UpdatePaymentSource from SubscriberService
• Remove SignUpPremiumAsync and ReplacePaymentMethodAsync from UserService (orphaned at API layer)
• Remove Finalize from PremiumUserBillingService
• Remove ISetupIntentCache and SetupIntentDistributedCache

📸 Screenshots

Screen.Recording.2026-02-05.at.1.40.26.PM.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

❌ Patch coverage is 35.16484% with 118 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.42%. Comparing base (bf9cc01) to head (37bc1b3).

Files with missing lines	Patch %	Lines
...frastructure.Dapper/Repositories/UserRepository.cs	0.00%	20 Missing ⚠️
...dminConsole/Repositories/OrganizationRepository.cs	0.00%	18 Missing ⚠️
...er/AdminConsole/Repositories/ProviderRepository.cs	0.00%	18 Missing ⚠️
...dminConsole/Repositories/OrganizationRepository.cs	0.00%	18 Missing ⚠️
...rk/AdminConsole/Repositories/ProviderRepository.cs	0.00%	18 Missing ⚠️
...ure.EntityFramework/Repositories/UserRepository.cs	0.00%	16 Missing ⚠️
...ganizations/Services/OrganizationBillingService.cs	0.00%	7 Missing ⚠️
...vices/Implementations/PremiumUserBillingService.cs	0.00%	1 Missing ⚠️
.../Billing/Services/Implementations/StripeAdapter.cs	0.00%	1 Missing ⚠️
...ling/Services/Implementations/SubscriberService.cs	83.33%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6954      +/-   ##
==========================================
+ Coverage   56.31%   60.42%   +4.11%     
==========================================
  Files        1987     1987              
  Lines       87730    87329     -401     
  Branches     7821     7769      -52     
==========================================
+ Hits        49403    52772    +3369     
+ Misses      36496    32651    -3845     
- Partials     1831     1906      +75     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 4f71bf7e-3c42-4f70-96e5-b1b2ef1ab934

New Issues (5)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217	details Method at line 217 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
2		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 291	details Method at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
3		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
4		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1527	details Method at line 1527 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
5		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1403	details Method at line 1403 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145
	CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 293

[sbrown-livefront]

Super solid cleanup and behavior change. Only a few non-blocking questions

[mkincaid-bw]

Couple questions.

[sonarqubecloud]

Quality Gate passed

Issues
12 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
23.1% Duplication on New Code

See analysis details on SonarQube Cloud

[mkincaid-bw]

LGTM