[AC-1070] Enforce master password policy on login (#4795)

* [EC-1070] Introduce flag for enforcing master password policy on login * [EC-1070] Update master password policy form Add the ability to toggle enforceOnLogin flag in web * [EC-1070] Add API method to retrieve all policies for the current user * [EC-1070] Refactor forcePasswordReset in state service to support more options - Use an options class to provide a reason and optional organization id - Use the OnDiskMemory storage location so the option persists between the same auth session * [AC-1070] Retrieve single master password policy from identity token response Additionally, store the policy in the login strategy for future use * [EC-1070] Introduce master password evaluation in the password login strategy - If a master password policy is returned from the identity result, evaluate the password. - If the password does not meet the requirements, save the forcePasswordReset options - Add support for 2FA by storing the results of the password evaluation on the login strategy instance - Add unit tests to password login strategy * [AC-1070] Modify admin password reset component to support update master password on login - Modify the warning message to depend on the reason - Use the forcePasswordResetOptions in the update temp password component * [EC-1070] Require current master password when updating weak mp on login - Inject user verification service to verify the user - Conditionally show the current master password field only when updating a weak mp. Admin reset does not require the current master password. * [EC-1070] Implement password policy check during vault unlock Checking the master password during unlock is the only applicable place to enforce the master password policy check for SSO users. * [EC-1070] CLI - Add ability to load MP policies on login Inject policyApi and organization services into the login command * [EC-1070] CLI - Refactor update temp password logic to support updating weak passwords - Introduce new shared method for collecting a valid and confirmed master password from the CLI and generating a new encryption key - Add separate methods for updating temp passwords and weak passwords. - Utilize those methods during login flow if not using an API key * [EC-1070] Add route guard to force password reset when required * [AC-1070] Use master password policy from verify password response in lock component * [EC-1070] Update labels in update password component * [AC-1070] Fix policy service tests * [AC-1070] CLI - Force sync before any password reset flow Move up the call to sync the vault before attempting to collect a new master password. Ensures the master password policies are available. * [AC-1070] Remove unused getAllPolicies method from policy api service * [AC-1070] Fix missing enforceOnLogin copy in policy service * [AC-1070] Include current master password on desktop/browser update password page templates * [AC-1070] Check for forced password reset on account switch in Desktop * [AC-1070] Rename WeakMasterPasswordOnLogin to WeakMasterPassword * [AC-1070] Update AuthServiceInitOptions * [AC-1070] Add None force reset password reason * [AC-1070] Remove redundant ForcePasswordResetOptions class and replace with ForcePasswordResetReason enum * [AC-1070] Rename ForceResetPasswordReason file * [AC-1070] Simplify conditional * [AC-1070] Refactor logic that saves password reset flag * [AC-1070] Remove redundant constructors * [AC-1070] Remove unnecessary state service call * [AC-1070] Update master password policy component - Use typed reactive form - Use CL form components - Remove bootstrap - Update error component to support min/max - Use Utils.minimumPasswordLength value for min value form validation * [AC-1070] Cleanup leftover html comment * [AC-1070] Remove overridden default values from MasterPasswordPolicyResponse * [AC-1070] Hide current master password input in browser for admin password reset * [AC-1070] Remove clientside user verification * [AC-1070] Update temp password web component to use CL - Use CL for form inputs in the Web component template - Remove most of the bootstrap classes in the Web component template - Use userVerificationService to build the password request - Remove redundant current master password null check * [AC-1070] Replace repeated user inputs email parsing helpers - Update passwordStrength() method to accept an optional email argument that will be parsed into separate user inputs for use with zxcvbn - Remove all other repeated getUserInput helper methods that parsed user emails and use the new passwordStrength signature * [AC-1070] Fix broken login command after forcePasswordReset enum refactor * [AC-1070] Reduce side effects in base login strategy - Remove masterPasswordPolicy property from base login.strategy.ts - Include an IdentityResponse in base startLogin() in addition to AuthResult - Use the new IdentityResponse to parse the master password policy info only in the PasswordLoginStrategy * [AC-1070] Cleanup password login strategy tests * [AC-1070] Remove unused field * [AC-1070] Strongly type postAccountVerifyPassword API service method - Remove redundant verify master password response - Use MasterPasswordPolicyResponse instead * [AC-1070] Use ForceResetPassword.None during account switch check * [AC-1070] Fix check for forcePasswordReset reason after addition of None * [AC-1070] Redirect a user home if on the update temp password page without a reason * [AC-1070] Use bit-select and bit-option * [AC-1070] Reduce explicit form control definitions for readability * [AC-1070] Import SelectModule in Shared web module * [AC-1070] Add check for missing 'at' symbol * [AC-1070] Remove redundant unpacking and null coalescing * [AC-1070] Update passwordStrength signature and add jsdocs * [AC-1070] Remove variable abbreviation * [AC-1070] Restore Id attributes on form inputs * [AC-1070] Clarify input value min/max error messages * [AC-1070] Add input min/max value example to storybook * [AC-1070] Add missing spinner to update temp password form * [AC-1070] Add missing ids to form elements * [AC-1070] Remove duplicate force sync and update comment * [AC-1070] Switch backticks to quotation marks --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2025-12-14 07:13:32 +00:00 · 2023-04-17 07:35:37 -07:00
parent ad0c460687
commit 07c2c2af20
60 changed files with 1057 additions and 503 deletions
--- a/libs/common/src/auth/models/domain/auth-result.ts
+++ b/libs/common/src/auth/models/domain/auth-result.ts
@@ -1,10 +1,12 @@
 import { Utils } from "../../../misc/utils";
 import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";

+import { ForceResetPasswordReason } from "./force-reset-password-reason";
+
 export class AuthResult {
  captchaSiteKey = "";
  resetMasterPassword = false;
-  forcePasswordReset = false;
+  forcePasswordReset: ForceResetPasswordReason = ForceResetPasswordReason.None;
  twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> = null;

  get requiresCaptcha() {
--- a/libs/common/src/auth/models/domain/force-reset-password-reason.ts
+++ b/libs/common/src/auth/models/domain/force-reset-password-reason.ts
@@ -0,0 +1,17 @@
+export enum ForceResetPasswordReason {
+  /**
+   * A password reset should not be forced.
+   */
+  None,
+
+  /**
+   * Occurs when an organization admin forces a user to reset their password.
+   */
+  AdminForcePasswordReset,
+
+  /**
+   * Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
+   * master password policy that is enforced on login/unlock.
+   */
+  WeakMasterPassword,
+}
--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -1,6 +1,8 @@
 import { KdfType } from "../../../enums";
 import { BaseResponse } from "../../../models/response/base.response";

+import { MasterPasswordPolicyResponse } from "./master-password-policy.response";
+
 export class IdentityTokenResponse extends BaseResponse {
  accessToken: string;
  expiresIn: number;
@@ -16,6 +18,7 @@ export class IdentityTokenResponse extends BaseResponse {
  kdfMemory?: number;
  kdfParallelism?: number;
  forcePasswordReset: boolean;
+  masterPasswordPolicy: MasterPasswordPolicyResponse;
  apiUseKeyConnector: boolean;
  keyConnectorUrl: string;

@@ -37,5 +40,8 @@ export class IdentityTokenResponse extends BaseResponse {
    this.forcePasswordReset = this.getResponseProperty("ForcePasswordReset");
    this.apiUseKeyConnector = this.getResponseProperty("ApiUseKeyConnector");
    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
+    this.masterPasswordPolicy = new MasterPasswordPolicyResponse(
+      this.getResponseProperty("MasterPasswordPolicy")
+    );
  }
 }
--- a/libs/common/src/auth/models/response/identity-two-factor.response.ts
+++ b/libs/common/src/auth/models/response/identity-two-factor.response.ts
@@ -1,10 +1,13 @@
 import { BaseResponse } from "../../../models/response/base.response";
 import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";

+import { MasterPasswordPolicyResponse } from "./master-password-policy.response";
+
 export class IdentityTwoFactorResponse extends BaseResponse {
  twoFactorProviders: TwoFactorProviderType[];
  twoFactorProviders2 = new Map<TwoFactorProviderType, { [key: string]: string }>();
  captchaToken: string;
+  masterPasswordPolicy: MasterPasswordPolicyResponse;

  constructor(response: any) {
    super(response);
@@ -19,5 +22,8 @@ export class IdentityTwoFactorResponse extends BaseResponse {
        }
      }
    }
+    this.masterPasswordPolicy = new MasterPasswordPolicyResponse(
+      this.getResponseProperty("MasterPasswordPolicy")
+    );
  }
 }
--- a/libs/common/src/auth/models/response/master-password-policy.response.ts
+++ b/libs/common/src/auth/models/response/master-password-policy.response.ts
@@ -0,0 +1,29 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class MasterPasswordPolicyResponse extends BaseResponse {
+  minComplexity: number;
+  minLength: number;
+  requireUpper: boolean;
+  requireLower: boolean;
+  requireNumbers: boolean;
+  requireSpecial: boolean;
+
+  /**
+   * Flag to indicate if the policy should be enforced on login.
+   * If true, and the user's password does not meet the policy requirements,
+   * the user will be forced to update their password.
+   */
+  enforceOnLogin: boolean;
+
+  constructor(response: any) {
+    super(response);
+
+    this.minComplexity = this.getResponseProperty("MinComplexity");
+    this.minLength = this.getResponseProperty("MinLength");
+    this.requireUpper = this.getResponseProperty("RequireUpper");
+    this.requireLower = this.getResponseProperty("RequireLower");
+    this.requireNumbers = this.getResponseProperty("RequireNumbers");
+    this.requireSpecial = this.getResponseProperty("RequireSpecial");
+    this.enforceOnLogin = this.getResponseProperty("EnforceOnLogin");
+  }
+}