Auth/PM-3515 - Lock component Tech Debt Clean up (#10332)

* PM-3515 - Lock component - remove isUnlocked check on lock comp load b/c lock guard should cover all cases with its existing logic for all clients.

* PM-3515 - VaultTimeoutSettingsSvc - Add new canLock method

* PM-3515 - Refactor logic out of lock component that belongs in lock guard. Update lock guard to reject route activation if a user can't lock whereas we used to log the user out when they landed on the lock comp.

* PM-3515 - WIP on testing all lock guard scenarios

* PM-3515 - Refactor lock guard tests + add more tests

* PM-3515 - LockGuard - if TDE user that is authN directly navigates from login-init to lock for whatever reason (only possible on web with url bar), reject that navigation directly instead of throwing them up to the redirect guard

* PM-3515 - More LockGuard tests

* PM-3515 - Update comment

libs/common/src/abstractions/vault-timeout/vault-timeout-settings.service.ts

@@ -25,6 +25,12 @@ export abstract class VaultTimeoutSettingsService {
    */
   availableVaultTimeoutActions$: (userId?: string) => Observable<VaultTimeoutAction[]>;
 
+  /**
+   * Evaluates the user's available vault timeout actions and returns a boolean representing
+   * if the user can lock or not
+   */
+  canLock: (userId: string) => Promise<boolean>;
+
   /**
    * Gets the vault timeout action for the given user id. The returned value is
    * calculated based on the current state, if a max vault timeout policy applies to the user,

libs/common/src/services/vault-timeout/vault-timeout-settings.service.spec.ts

@@ -127,6 +127,38 @@ describe("VaultTimeoutSettingsService", () => {
     });
   });
 
+  describe("canLock", () => {
+    it("returns true if the user can lock", async () => {
+      jest
+        .spyOn(vaultTimeoutSettingsService, "availableVaultTimeoutActions$")
+        .mockReturnValue(of([VaultTimeoutAction.Lock]));
+
+      const result = await vaultTimeoutSettingsService.canLock("userId" as UserId);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns false if the user only has the log out vault timeout action", async () => {
+      jest
+        .spyOn(vaultTimeoutSettingsService, "availableVaultTimeoutActions$")
+        .mockReturnValue(of([VaultTimeoutAction.LogOut]));
+
+      const result = await vaultTimeoutSettingsService.canLock("userId" as UserId);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false if the user has no vault timeout actions", async () => {
+      jest
+        .spyOn(vaultTimeoutSettingsService, "availableVaultTimeoutActions$")
+        .mockReturnValue(of([]));
+
+      const result = await vaultTimeoutSettingsService.canLock("userId" as UserId);
+
+      expect(result).toBe(false);
+    });
+  });
+
   describe("getVaultTimeoutActionByUserId$", () => {
     it("should throw an error if no user id is provided", async () => {
       expect(() => vaultTimeoutSettingsService.getVaultTimeoutActionByUserId$(null)).toThrow(

libs/common/src/services/vault-timeout/vault-timeout-settings.service.ts

@@ -90,10 +90,17 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
     await this.cryptoService.refreshAdditionalKeys();
   }
 
-  availableVaultTimeoutActions$(userId?: string) {
+  availableVaultTimeoutActions$(userId?: string): Observable<VaultTimeoutAction[]> {
     return defer(() => this.getAvailableVaultTimeoutActions(userId));
   }
 
+  async canLock(userId: UserId): Promise<boolean> {
+    const availableVaultTimeoutActions: VaultTimeoutAction[] = await firstValueFrom(
+      this.availableVaultTimeoutActions$(userId),
+    );
+    return availableVaultTimeoutActions?.includes(VaultTimeoutAction.Lock) || false;
+  }
+
   async isBiometricLockSet(userId?: string): Promise<boolean> {
     const biometricUnlockPromise =
       userId == null