refactor(IdentityTokenResponse): [Auth/PM-3287] Remove deprecated resetMasterPassword property from IdentityTokenResponse (#17794)

* PM-3287 - Remove resetMasterPassword from authResult and identityTokenResponse and replace with userDecryptionOptions where relevant * PM-3287 - (1) Move SSO code to SSO section (2) Update error scenario conditional + log user out upon error. * PM-3287 - Fix comment per PR feedback * PM-3287 - CLI Login with SSO - move MP validation logic back to original location to avoid putting it before 2FA rejection handling. * PM-3287 - Update returns
2026-03-02 11:31:44 +00:00 · 2025-12-17 10:34:42 -05:00
parent 78d57577f9
commit 0f02fdc700
11 changed files with 43 additions and 29 deletions
--- a/libs/auth/src/angular/sso/sso.component.ts
+++ b/libs/auth/src/angular/sso/sso.component.ts
@@ -478,7 +478,7 @@ export class SsoComponent implements OnInit {
        !userDecryptionOpts.hasMasterPassword &&
        userDecryptionOpts.keyConnectorOption === undefined;

-      if (requireSetPassword || authResult.resetMasterPassword) {
+      if (requireSetPassword) {
        // Change implies going no password -> password in this case
        return await this.handleChangePasswordRequired(orgSsoIdentifier);
      }
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
@@ -487,7 +487,7 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
      !userDecryptionOpts.hasMasterPassword && userDecryptionOpts.keyConnectorOption === undefined;

    // New users without a master password must set a master password before advancing.
-    if (requireSetPassword || authResult.resetMasterPassword) {
+    if (requireSetPassword) {
      // Change implies going no password -> password in this case
      return await this.handleChangePasswordRequired(this.orgSsoIdentifier);
    }
--- a/libs/auth/src/common/login-strategies/login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.spec.ts
@@ -101,7 +101,6 @@ export function identityTokenResponseFactory(
    KdfIterations: kdfIterations,
    Key: encryptedUserKey,
    PrivateKey: privateKey,
-    ResetMasterPassword: false,
    access_token: accessToken,
    expires_in: 3600,
    refresh_token: refreshToken,
@@ -301,7 +300,6 @@ describe("LoginStrategy", () => {
    it("builds AuthResult", async () => {
      const tokenResponse = identityTokenResponseFactory();
      tokenResponse.forcePasswordReset = true;
-      tokenResponse.resetMasterPassword = true;

      apiService.postIdentityToken.mockResolvedValue(tokenResponse);

@@ -310,7 +308,6 @@ describe("LoginStrategy", () => {
      const expected = new AuthResult();
      expected.masterPassword = "password";
      expected.userId = userId;
-      expected.resetMasterPassword = true;
      expected.twoFactorProviders = null;
      expect(result).toEqual(expected);
    });
@@ -326,7 +323,6 @@ describe("LoginStrategy", () => {
      const expected = new AuthResult();
      expected.masterPassword = "password";
      expected.userId = userId;
-      expected.resetMasterPassword = false;
      expected.twoFactorProviders = null;
      expect(result).toEqual(expected);

--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -254,8 +254,6 @@ export abstract class LoginStrategy {
    const userId = await this.saveAccountInformation(response);
    result.userId = userId;

-    result.resetMasterPassword = response.resetMasterPassword;
-
    if (response.twoFactorToken != null) {
      // note: we can read email from access token b/c it was saved in saveAccountInformation
      const userEmail = await this.tokenService.getEmail();
--- a/libs/auth/src/common/login-strategies/password-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/password-login.strategy.spec.ts
@@ -390,7 +390,6 @@ describe("PasswordLoginStrategy", () => {
        newDeviceOtp: deviceVerificationOtp,
      }),
    );
-    expect(result.resetMasterPassword).toBe(false);
    expect(result.userId).toBe(userId);
  });
 });
--- a/libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts
@@ -212,7 +212,6 @@ describe("WebAuthnLoginStrategy", () => {

    expect(authResult).toBeInstanceOf(AuthResult);
    expect(authResult).toMatchObject({
-      resetMasterPassword: false,
      twoFactorProviders: null,
      requiresTwoFactor: false,
    });
--- a/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
+++ b/libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
@@ -491,7 +491,6 @@ describe("LoginStrategyService", () => {
        KdfParallelism: 1,
        Key: "KEY",
        PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
        access_token: "ACCESS_TOKEN",
        expires_in: 3600,
        refresh_token: "REFRESH_TOKEN",
@@ -559,7 +558,6 @@ describe("LoginStrategyService", () => {
        KdfParallelism: 1,
        Key: "KEY",
        PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
        access_token: "ACCESS_TOKEN",
        expires_in: 3600,
        refresh_token: "REFRESH_TOKEN",
@@ -625,7 +623,6 @@ describe("LoginStrategyService", () => {
        KdfIterations: PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN - 1,
        Key: "KEY",
        PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
        access_token: "ACCESS_TOKEN",
        expires_in: 3600,
        refresh_token: "REFRESH_TOKEN",
@@ -689,7 +686,6 @@ describe("LoginStrategyService", () => {
        KdfParallelism: 1,
        Key: "KEY",
        PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
        access_token: "ACCESS_TOKEN",
        expires_in: 3600,
        refresh_token: "REFRESH_TOKEN",
--- a/libs/common/src/auth/models/domain/auth-result.ts
+++ b/libs/common/src/auth/models/domain/auth-result.ts
@@ -7,14 +7,6 @@ import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";

 export class AuthResult {
  userId: UserId;
-  // TODO: PM-3287 - Remove this after 3 releases of backwards compatibility. - Target release 2023.12 for removal
-  /**
-   * @deprecated
-   * Replace with using UserDecryptionOptions to determine if the user does
-   * not have a master password and is not using Key Connector.
-   * */
-  resetMasterPassword = false;
-
  twoFactorProviders: Partial<Record<TwoFactorProviderType, Record<string, string>>> = null;
  ssoEmail2FaSessionToken?: string;
  email: string;
--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -18,7 +18,6 @@ export class IdentityTokenResponse extends BaseResponse {
  tokenType: string;

  // Decryption Information
-  resetMasterPassword: boolean;
  privateKey: string; // userKeyEncryptedPrivateKey
  key?: EncString; // masterKeyEncryptedUserKey
  twoFactorToken: string;
@@ -52,7 +51,6 @@ export class IdentityTokenResponse extends BaseResponse {
      this.refreshToken = refreshToken;
    }

-    this.resetMasterPassword = this.getResponseProperty("ResetMasterPassword");
    this.privateKey = this.getResponseProperty("PrivateKey");
    const key = this.getResponseProperty("Key");
    if (key) {