Auth/PM-3515 - Lock component Tech Debt Clean up (#10332)

* PM-3515 - Lock component - remove isUnlocked check on lock comp load b/c lock guard should cover all cases with its existing logic for all clients.

* PM-3515 - VaultTimeoutSettingsSvc - Add new canLock method

* PM-3515 - Refactor logic out of lock component that belongs in lock guard. Update lock guard to reject route activation if a user can't lock whereas we used to log the user out when they landed on the lock comp.

* PM-3515 - WIP on testing all lock guard scenarios

* PM-3515 - Refactor lock guard tests + add more tests

* PM-3515 - LockGuard - if TDE user that is authN directly navigates from login-init to lock for whatever reason (only possible on web with url bar), reject that navigation directly instead of throwing them up to the redirect guard

* PM-3515 - More LockGuard tests

* PM-3515 - Update comment

libs/angular/src/auth/guards/lock.guard.ts

@@ -7,6 +7,8 @@ import {
 } from "@angular/router";
 import { firstValueFrom } from "rxjs";
 
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
@@ -19,7 +21,7 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 /**
  * Only allow access to this route if the vault is locked.
  * If TDE is enabled then the user must also have had a user key at some point.
- * Otherwise redirect to root.
+ * Otherwise reject navigation.
  *
  * TODO: This should return Observable<boolean | UrlTree> once we can remove all the promises
  */
@@ -35,12 +37,22 @@ export function lockGuard(): CanActivateFn {
     const messagingService = inject(MessagingService);
     const router = inject(Router);
     const userVerificationService = inject(UserVerificationService);
+    const vaultTimeoutSettingsService = inject(VaultTimeoutSettingsService);
+    const accountService = inject(AccountService);
 
-    const authStatus = await authService.getAuthStatus();
+    const activeUser = await firstValueFrom(accountService.activeAccount$);
+
+    const authStatus = await firstValueFrom(authService.authStatusFor$(activeUser.id));
     if (authStatus !== AuthenticationStatus.Locked) {
       return router.createUrlTree(["/"]);
     }
 
+    // if user can't lock, they can't access the lock screen
+    const canLock = await vaultTimeoutSettingsService.canLock(activeUser.id);
+    if (!canLock) {
+      return false;
+    }
+
     // If legacy user on web, redirect to migration page
     if (await cryptoService.isLegacyUser()) {
       if (platformUtilService.getClientType() === ClientType.Web) {
@@ -65,11 +77,10 @@ export function lockGuard(): CanActivateFn {
       return true;
     }
 
-    // If authN user with TDE directly navigates to lock, kick them upwards so redirect guard can
-    // properly route them to the login decryption options component.
+    // If authN user with TDE directly navigates to lock, reject that navigation
     const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
     if (tdeEnabled && !everHadUserKey) {
-      return router.createUrlTree(["/"]);
+      return false;
     }
 
     return true;