From 1bc214b6af3227b2ed78df7c1ab486086989c9ec Mon Sep 17 00:00:00 2001 From: rr-bw <102181210+rr-bw@users.noreply.github.com> Date: Tue, 16 Dec 2025 13:39:11 -0800 Subject: [PATCH] [PM-27086] add new methods to Web and Desktop services --- .../desktop-set-initial-password.service.ts | 14 ++++++++ .../web-set-initial-password.service.ts | 36 +++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts index cedfa3fe589..1406e822860 100644 --- a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts +++ b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts @@ -2,6 +2,7 @@ import { OrganizationUserApiService } from "@bitwarden/admin-console/common"; import { DefaultSetInitialPasswordService } from "@bitwarden/angular/auth/password-management/set-initial-password/default-set-initial-password.service.implementation"; import { SetInitialPasswordCredentials, + SetInitialPasswordCredentialsV2, SetInitialPasswordService, SetInitialPasswordUserType, } from "@bitwarden/angular/auth/password-management/set-initial-password/set-initial-password.service.abstraction"; @@ -50,6 +51,9 @@ export class DesktopSetInitialPasswordService ); } + /** + * @deprecated To be removed in PM-28143 + */ override async setInitialPassword( credentials: SetInitialPasswordCredentials, userType: SetInitialPasswordUserType, @@ -59,4 +63,14 @@ export class DesktopSetInitialPasswordService this.messagingService.send("redrawMenu"); } + + override async setInitialPasswordV2( + credentials: SetInitialPasswordCredentialsV2, + userType: SetInitialPasswordUserType, + userId: UserId, + ) { + await super.setInitialPasswordV2(credentials, userType, userId); + + this.messagingService.send("redrawMenu"); + } } 
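Review bot: The `@deprecated` tag added above `setInitialPassword` names the removal ticket but not the replacement, so a caller has to search for what to call instead. I would write `@deprecated Use setInitialPasswordV2 instead. To be removed in PM-28143`. The same tag is added in the web service at `@@ -52,6 +53,9 @@` and should get the same wording. The method body lies outside the hunk.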
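Review bot: The new `setInitialPasswordV2` override in the desktop service has no doc comment and no explicit return type, and from the lines visible here it repeats the deprecated override: delegate to `super`, then send `redrawMenu`. A one-line comment such as `/** Sets the initial password through the default service, then sends "redrawMenu" once that call has resolved. */` and a signature ending `): Promise<void> {` would make the contract explicit. The comment should also say that the message is not sent when the `super` call rejects, since that is what the `await` ordering does. The enclosing class starts outside the hunk.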
diff --git a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts index 303b9148e8e..8a2290b140c 100644 --- a/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts +++ b/apps/web/src/app/auth/core/services/password-management/set-initial-password/web-set-initial-password.service.ts @@ -2,6 +2,7 @@ import { OrganizationUserApiService } from "@bitwarden/admin-console/common"; import { DefaultSetInitialPasswordService } from "@bitwarden/angular/auth/password-management/set-initial-password/default-set-initial-password.service.implementation"; import { SetInitialPasswordCredentials, + SetInitialPasswordCredentialsV2, SetInitialPasswordService, SetInitialPasswordUserType, } from "@bitwarden/angular/auth/password-management/set-initial-password/set-initial-password.service.abstraction"; @@ -52,6 +53,9 @@ export class WebSetInitialPasswordService ); } + /** + * @deprecated To be removed in PM-28143 + */ override async setInitialPassword( credentials: SetInitialPasswordCredentials, userType: SetInitialPasswordUserType, 
@@ -83,4 +87,36 @@ export class WebSetInitialPasswordService await this.routerService.getAndClearLoginRedirectUrl(); await this.organizationInviteService.clearOrganizationInvitation(); } + + override async setInitialPasswordV2( + credentials: SetInitialPasswordCredentialsV2, + userType: SetInitialPasswordUserType, + userId: UserId, + ) { + await super.setInitialPasswordV2(credentials, userType, userId); + + /** + * TODO: Investigate refactoring the following logic in https://bitwarden.atlassian.net/browse/PM-22615 + * --- + * When a user has been invited to an org, they can be accepted into the org in two different ways: + * + * 1) By clicking the email invite link, which triggers the normal AcceptOrganizationComponent flow + * a. This flow sets an org invite in state + * b. However, if the user does not already have an account AND the org has SSO enabled AND the require + * SSO policy enabled, the AcceptOrganizationComponent will send the user to /sso to accelerate + * the user through the SSO JIT provisioning process (see #2 below) + * + * 2) By logging in via SSO, which triggers the JIT provisioning process + * a. This flow does NOT (itself) set an org invite in state + * b. The set initial password process on the server accepts the user into the org after successfully + * setting the password (see server - SetInitialMasterPasswordCommand.cs) + * + * If a user clicks the email link but gets accelerated through the SSO JIT process (see 1b), + * the SSO JIT process will accept the user into the org upon setting their initial password (see 2b), + * at which point we must remember to clear the deep linked URL used for accepting the org invite, as well + * as clear the org invite itself that was originally set in state by the AcceptOrganizationComponent. + */ + await this.routerService.getAndClearLoginRedirectUrl(); + await this.organizationInviteService.clearOrganizationInvitation(); + } }
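Review bot: The two cleanup calls at the end of `setInitialPasswordV2` run in sequence with no error handling, so a rejection from `getAndClearLoginRedirectUrl()` skips `clearOrganizationInvitation()` and leaves the org invite in state. By then `super.setInitialPasswordV2` has resolved, and the comment in this hunk says the server accepts the user into the org at that point, so a leftover invite or deep-link URL is the very state the comment says must be cleared. The same pair of calls closes the deprecated `setInitialPassword` in the context lines above. Moving the calls and the long explanatory comment into one private helper (the name below is only a suggestion) would keep the two paths from drifting until PM-28143 removes the old one. The class and the deprecated method start outside the hunk.

```typescript
    await super.setInitialPasswordV2(credentials, userType, userId);
    await this.clearOrgInviteState();
  }

  // … unchanged: explanatory comment on the two org-acceptance flows, moved onto the helper …
  private async clearOrgInviteState(): Promise<void> {
    try {
      await this.routerService.getAndClearLoginRedirectUrl();
    } finally {
      // Runs even if clearing the redirect URL rejects, so the stored invite
      // does not outlive the server-side acceptance.
      await this.organizationInviteService.clearOrganizationInvitation();
    }
  }
```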