[PM-20225] Prevent legacy users without userkey from logging in (#14267)

* Prevent legacy users without userkey from logging in * Remove further web-migration code for legacy users * Add i18n for legacy user error message * Update comment * Remove migrate legacy component * Remove i18n messages * Remove migrate legacy encryption reference
2025-12-06 00:13:28 +00:00 · 2025-06-02 23:56:29 +02:00
parent 26caeb3083
commit 23ec6bacc9
19 changed files with 27 additions and 265 deletions
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -1365,8 +1365,8 @@
  "featureUnavailable": {
    "message": "Feature unavailable"
  },
-  "encryptionKeyMigrationRequired": {
-    "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
+  "legacyEncryptionUnsupported": {
+    "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
  },
  "premiumMembership": {
    "message": "Premium membership"
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -34,6 +34,7 @@ import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/a
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
 import { MasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
@@ -77,6 +78,7 @@ export class LoginCommand {
    protected logoutCallback: () => Promise<void>,
    protected kdfConfigService: KdfConfigService,
    protected ssoUrlService: SsoUrlService,
+    protected i18nService: I18nService,
    protected masterPasswordService: MasterPasswordServiceAbstraction,
  ) {}

@@ -227,9 +229,7 @@ export class LoginCommand {
        );
      }
      if (response.requiresEncryptionKeyMigration) {
-        return Response.error(
-          "Encryption key migration required. Please login through the web vault to update your encryption key.",
-        );
+        return Response.error(this.i18nService.t("legacyEncryptionUnsupported"));
      }
      if (response.requiresTwoFactor) {
        const twoFactorProviders = await this.twoFactorService.getSupportedProviders(null);
--- a/apps/cli/src/locales/en/messages.json
+++ b/apps/cli/src/locales/en/messages.json
@@ -185,6 +185,9 @@
      }
    }
  },
+  "legacyEncryptionUnsupported": {
+    "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
+  },
  "organizationUsingKeyConnectorOptInLoggedOut": {
    "message": "An organization you are a member of is using Key Connector. In order to access the vault, you must opt-in to Key Connector now via the web vault. You have been logged out."
  },
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@@ -175,6 +175,7 @@ export class Program extends BaseProgram {
            async () => await this.serviceContainer.logout(),
            this.serviceContainer.kdfConfigService,
            this.serviceContainer.ssoUrlService,
+            this.serviceContainer.i18nService,
            this.serviceContainer.masterPasswordService,
          );
          const response = await command.run(email, password, options);
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -691,8 +691,8 @@
  "maxFileSize": {
    "message": "Maximum file size is 500 MB."
  },
-  "encryptionKeyMigrationRequired": {
-    "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
+  "legacyEncryptionUnsupported": {
+    "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
  },
  "editedFolder": {
    "message": "Folder saved"
--- a/apps/web/src/app/auth/core/services/two-factor-auth/index.ts
+++ b/apps/web/src/app/auth/core/services/two-factor-auth/index.ts
@@ -1,2 +1 @@
-export * from "./web-two-factor-auth-component.service";
 export * from "./web-two-factor-auth-duo-component.service";
--- a/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts
+++ b/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts
@@ -1,14 +0,0 @@
-import {
-  DefaultTwoFactorAuthComponentService,
-  TwoFactorAuthComponentService,
-  LegacyKeyMigrationAction,
-} from "@bitwarden/auth/angular";
-
-export class WebTwoFactorAuthComponentService
-  extends DefaultTwoFactorAuthComponentService
-  implements TwoFactorAuthComponentService
-{
-  override determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction {
-    return LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT;
-  }
-}
--- a/apps/web/src/app/core/core.module.ts
+++ b/apps/web/src/app/core/core.module.ts
@@ -32,7 +32,6 @@ import {
  SetPasswordJitService,
  SsoComponentService,
  LoginDecryptionOptionsService,
-  TwoFactorAuthComponentService,
  TwoFactorAuthDuoComponentService,
  ChangePasswordService,
 } from "@bitwarden/auth/angular";
@@ -116,7 +115,6 @@ import {
  WebRegistrationFinishService,
  WebLoginComponentService,
  WebLoginDecryptionOptionsService,
-  WebTwoFactorAuthComponentService,
  WebTwoFactorAuthDuoComponentService,
  LinkSsoService,
 } from "../auth";
@@ -269,12 +267,6 @@ const safeProviders: SafeProvider[] = [
    useClass: WebLockComponentService,
    deps: [],
  }),
-  // TODO: PM-18182 - Refactor component services into lazy loaded modules
-  safeProvider({
-    provide: TwoFactorAuthComponentService,
-    useClass: WebTwoFactorAuthComponentService,
-    deps: [],
-  }),
  safeProvider({
    provide: SetPasswordJitService,
    useClass: WebSetPasswordJitService,
--- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html
+++ b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html
@@ -1,36 +0,0 @@
-<form [formGroup]="formGroup" [bitSubmit]="submit">
-  <div class="tw-mt-12 tw-flex tw-justify-center">
-    <div class="tw-max-w-xl">
-      <h1 bitTypography="h1" class="tw-mb-4 tw-text-center">{{ "updateEncryptionKey" | i18n }}</h1>
-      <div
-        class="tw-block tw-rounded tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-8"
-      >
-        <p>
-          {{ "updateEncryptionSchemeDesc" | i18n }}
-          <a
-            href="https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
-            target="_blank"
-            rel="noreferrer"
-            >{{ "learnMore" | i18n }}</a
-          >
-        </p>
-        <bit-callout type="warning">{{ "updateEncryptionKeyWarning" | i18n }}</bit-callout>
-
-        <bit-form-field>
-          <bit-label>{{ "masterPass" | i18n }}</bit-label>
-          <input
-            id="masterPassword"
-            bitInput
-            type="password"
-            formControlName="masterPassword"
-            appAutofocus
-          />
-          <button type="button" bitIconButton bitSuffix bitPasswordInputToggle></button>
-        </bit-form-field>
-        <button type="submit" bitButton bitFormButton buttonType="primary" block>
-          {{ "updateEncryptionKey" | i18n }}
-        </button>
-      </div>
-    </div>
-  </div>
-</form>
--- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts
+++ b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts
@@ -1,100 +0,0 @@
-import { Component } from "@angular/core";
-import { FormControl, FormGroup, Validators } from "@angular/forms";
-import { firstValueFrom } from "rxjs";
-
-import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
-import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
-import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
-import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
-import { DialogService, ToastService } from "@bitwarden/components";
-import { KeyService } from "@bitwarden/key-management";
-
-import { SharedModule } from "../../shared";
-import { UserKeyRotationModule } from "../key-rotation/user-key-rotation.module";
-import { UserKeyRotationService } from "../key-rotation/user-key-rotation.service";
-
-// The master key was originally used to encrypt user data, before the user key was introduced.
-// This component is used to migrate from the old encryption scheme to the new one.
-@Component({
-  imports: [SharedModule, UserKeyRotationModule],
-  templateUrl: "migrate-legacy-encryption.component.html",
-})
-export class MigrateFromLegacyEncryptionComponent {
-  protected formGroup = new FormGroup({
-    masterPassword: new FormControl("", [Validators.required]),
-  });
-
-  constructor(
-    private accountService: AccountService,
-    private keyRotationService: UserKeyRotationService,
-    private i18nService: I18nService,
-    private keyService: KeyService,
-    private messagingService: MessagingService,
-    private logService: LogService,
-    private syncService: SyncService,
-    private toastService: ToastService,
-    private dialogService: DialogService,
-    private folderApiService: FolderApiServiceAbstraction,
-  ) {}
-
-  submit = async () => {
-    this.formGroup.markAsTouched();
-
-    if (this.formGroup.invalid) {
-      return;
-    }
-
-    const activeUser = await firstValueFrom(this.accountService.activeAccount$);
-    if (activeUser == null) {
-      throw new Error("No active user.");
-    }
-
-    const hasUserKey = await this.keyService.hasUserKey(activeUser.id);
-    if (hasUserKey) {
-      this.messagingService.send("logout");
-      throw new Error("User key already exists, cannot migrate legacy encryption.");
-    }
-
-    const masterPassword = this.formGroup.value.masterPassword!;
-
-    try {
-      await this.syncService.fullSync(false, true);
-
-      await this.keyRotationService.rotateUserKeyAndEncryptedDataLegacy(masterPassword, activeUser);
-
-      this.toastService.showToast({
-        variant: "success",
-        title: this.i18nService.t("keyUpdated"),
-        message: this.i18nService.t("logBackInOthersToo"),
-        timeout: 15000,
-      });
-      this.messagingService.send("logout");
-    } catch (e) {
-      // If the error is due to missing folders, we can delete all folders and try again
-      if (
-        e instanceof ErrorResponse &&
-        e.message === "All existing folders must be included in the rotation."
-      ) {
-        const deleteFolders = await this.dialogService.openSimpleDialog({
-          type: "warning",
-          title: { key: "encryptionKeyUpdateCannotProceed" },
-          content: { key: "keyUpdateFoldersFailed" },
-          acceptButtonText: { key: "ok" },
-          cancelButtonText: { key: "cancel" },
-        });
-
-        if (deleteFolders) {
-          await this.folderApiService.deleteAll(activeUser.id);
-          await this.syncService.fullSync(true, true);
-          await this.submit();
-          return;
-        }
-      }
-      this.logService.error(e);
-      throw e;
-    }
-  };
-}
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -151,13 +151,6 @@ const routes: Routes = [
        canActivate: [authGuard],
        data: { titleId: "updatePassword" } satisfies RouteDataProperties,
      },
-      {
-        path: "migrate-legacy-encryption",
-        loadComponent: () =>
-          import("./key-management/migrate-encryption/migrate-legacy-encryption.component").then(
-            (mod) => mod.MigrateFromLegacyEncryptionComponent,
-          ),
-      },
    ],
  },
  {
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -4473,9 +4473,6 @@
      }
    }
  },
-  "encryptionKeyUpdateCannotProceed": {
-    "message": "Encryption key update cannot proceed"
-  },
  "editFieldLabel": {
    "message": "Edit $LABEL$",
    "placeholders": {
@@ -4528,24 +4525,15 @@
      }
    }
  },
-  "keyUpdateFoldersFailed": {
-    "message": "When updating your encryption key, your folders could not be decrypted. To continue with the update, your folders must be deleted. No vault items will be deleted if you proceed."
-  },
-  "keyUpdated": {
-    "message": "Key updated"
-  },
-  "updateEncryptionKey": {
-    "message": "Update encryption key"
-  },
-  "updateEncryptionSchemeDesc": {
-    "message": "We've changed the encryption scheme to provide better security. Update your encryption key now by entering your master password below."
-  },
  "updateEncryptionKeyWarning": {
    "message": "After updating your encryption key, you are required to log out and back in to all Bitwarden applications that you are currently using (such as the mobile app or browser extensions). Failure to log out and back in (which downloads your new encryption key) may result in data corruption. We will attempt to log you out automatically, however, it may be delayed."
  },
  "updateEncryptionKeyAccountExportWarning": {
    "message": "Any account restricted exports you have saved will become invalid."
  },
+  "legacyEncryptionUnsupported": {
+    "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
+  },
  "subscription": {
    "message": "Subscription"
  },
--- a/libs/angular/src/auth/guards/lock.guard.spec.ts
+++ b/libs/angular/src/auth/guards/lock.guard.spec.ts
@@ -79,7 +79,6 @@ describe("lockGuard", () => {
          { path: "", component: EmptyComponent },
          { path: "lock", component: EmptyComponent, canActivate: [lockGuard()] },
          { path: "non-lock-route", component: EmptyComponent },
-          { path: "migrate-legacy-encryption", component: EmptyComponent },
        ]),
      ],
      providers: [
@@ -182,18 +181,6 @@ describe("lockGuard", () => {
    expect(messagingService.send).toHaveBeenCalledWith("logout");
  });

-  it("should send the user to migrate-legacy-encryption if they are a legacy user on a web client", async () => {
-    const { router } = setup({
-      authStatus: AuthenticationStatus.Locked,
-      canLock: true,
-      isLegacyUser: true,
-      clientType: ClientType.Web,
-    });
-
-    await router.navigate(["lock"]);
-    expect(router.url).toBe("/migrate-legacy-encryption");
-  });
-
  it("should allow navigation to the lock route when device trust is supported, the user has a MP, and the user is coming from the login-initiated page", async () => {
    const { router } = setup({
      authStatus: AuthenticationStatus.Locked,
--- a/libs/angular/src/auth/guards/lock.guard.ts
+++ b/libs/angular/src/auth/guards/lock.guard.ts
@@ -11,11 +11,9 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
-import { ClientType } from "@bitwarden/common/enums";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { KeyService } from "@bitwarden/key-management";

 /**
@@ -33,7 +31,6 @@ export function lockGuard(): CanActivateFn {
    const authService = inject(AuthService);
    const keyService = inject(KeyService);
    const deviceTrustService = inject(DeviceTrustServiceAbstraction);
-    const platformUtilService = inject(PlatformUtilsService);
    const messagingService = inject(MessagingService);
    const router = inject(Router);
    const userVerificationService = inject(UserVerificationService);
@@ -59,12 +56,7 @@ export function lockGuard(): CanActivateFn {
      return false;
    }

-    // If legacy user on web, redirect to migration page
    if (await keyService.isLegacyUser()) {
-      if (platformUtilService.getClientType() === ClientType.Web) {
-        return router.createUrlTree(["migrate-legacy-encryption"]);
-      }
-      // Log out legacy users on other clients
      messagingService.send("logout");
      return false;
    }
--- a/libs/auth/src/angular/login/login.component.ts
+++ b/libs/auth/src/angular/login/login.component.ts
@@ -282,16 +282,12 @@ export class LoginComponent implements OnInit, OnDestroy {
  private async handleAuthResult(authResult: AuthResult): Promise<void> {
    if (authResult.requiresEncryptionKeyMigration) {
      /* Legacy accounts used the master key to encrypt data.
-         Migration is required but only performed on Web. */
-      if (this.clientType === ClientType.Web) {
-        await this.router.navigate(["migrate-legacy-encryption"]);
-      } else {
-        this.toastService.showToast({
-          variant: "error",
-          title: this.i18nService.t("errorOccured"),
-          message: this.i18nService.t("encryptionKeyMigrationRequired"),
-        });
-      }
+         This is now unsupported and requires a downgraded client */
+      this.toastService.showToast({
+        variant: "error",
+        title: this.i18nService.t("errorOccured"),
+        message: this.i18nService.t("legacyEncryptionUnsupported"),
+      });
      return;
    }

--- a/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts
@@ -1,6 +1,5 @@
 import {
  DuoLaunchAction,
-  LegacyKeyMigrationAction,
  TwoFactorAuthComponentService,
 } from "./two-factor-auth-component.service";

@@ -9,10 +8,6 @@ export class DefaultTwoFactorAuthComponentService implements TwoFactorAuthCompon
    return false;
  }

-  determineLegacyKeyMigrationAction() {
-    return LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING;
-  }
-
  determineDuoLaunchAction(): DuoLaunchAction {
    return DuoLaunchAction.DIRECT_LAUNCH;
  }
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts
@@ -1,12 +1,5 @@
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";

-// FIXME: update to use a const object instead of a typescript enum
-// eslint-disable-next-line @bitwarden/platform/no-enums
-export enum LegacyKeyMigrationAction {
-  PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING,
-  NAVIGATE_TO_MIGRATION_COMPONENT,
-}
-
 // FIXME: update to use a const object instead of a typescript enum
 // eslint-disable-next-line @bitwarden/platform/no-enums
 export enum DuoLaunchAction {
@@ -38,18 +31,6 @@ export abstract class TwoFactorAuthComponentService {
   */
  abstract removePopupWidthExtension?(): void;

-  /**
-   * We used to use the user's master key to encrypt their data. We deprecated that approach
-   * and now use a user key. This method should be called if we detect that the user
-   * is still using the old master key encryption scheme (server sends down a flag to
-   * indicate this). This method then determines what action to take based on the client.
-   *
-   * We have two possible actions:
-   * 1. Prevent the user from logging in and show a warning that they need to migrate their key on the web client today.
-   * 2. Navigate the user to the key migration component on the web client.
-   */
-  abstract determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction;
-
  /**
   * Optionally closes any single action popouts (extension only).
   * @returns true if we are in a single action popout and it was closed, false otherwise.
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
@@ -69,7 +69,6 @@ import {
 } from "./two-factor-auth-component-cache.service";
 import {
  DuoLaunchAction,
-  LegacyKeyMigrationAction,
  TwoFactorAuthComponentService,
 } from "./two-factor-auth-component.service";
 import {
@@ -388,22 +387,12 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
    if (!result.requiresEncryptionKeyMigration) {
      return false;
    }
-    // Migration is forced so prevent login via return
-    const legacyKeyMigrationAction: LegacyKeyMigrationAction =
-      this.twoFactorAuthComponentService.determineLegacyKeyMigrationAction();

-    switch (legacyKeyMigrationAction) {
-      case LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT:
-        await this.router.navigate(["migrate-legacy-encryption"]);
-        break;
-      case LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING:
-        this.toastService.showToast({
-          variant: "error",
-          title: this.i18nService.t("errorOccured"),
-          message: this.i18nService.t("encryptionKeyMigrationRequired"),
-        });
-        break;
-    }
+    this.toastService.showToast({
+      variant: "error",
+      title: this.i18nService.t("errorOccured"),
+      message: this.i18nService.t("legacyEncryptionUnsupported"),
+    });
    return true;
  }

--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -17,7 +17,6 @@ import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/model
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
-import { ClientType } from "@bitwarden/common/enums";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import {
@@ -254,13 +253,10 @@ export abstract class LoginStrategy {
  protected async processTokenResponse(response: IdentityTokenResponse): Promise<AuthResult> {
    const result = new AuthResult();

-    // Old encryption keys must be migrated, but is currently only available on web.
-    // Other clients shouldn't continue the login process.
+    // Encryption key migration of legacy users (with no userkey) is not supported anymore
    if (this.encryptionKeyMigrationRequired(response)) {
      result.requiresEncryptionKeyMigration = true;
-      if (this.platformUtilsService.getClientType() !== ClientType.Web) {
-        return result;
-      }
+      return result;
    }

    // Must come before setting keys, user key needs email to update additional keys.