diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json index 29223942fd..68f303dd53 100644 --- a/apps/browser/src/_locales/en/messages.json +++ b/apps/browser/src/_locales/en/messages.json @@ -1365,8 +1365,8 @@ "featureUnavailable": { "message": "Feature unavailable" }, - "encryptionKeyMigrationRequired": { - "message": "Encryption key migration required. Please login through the web vault to update your encryption key." + "legacyEncryptionUnsupported": { + "message": "Legacy encryption is no longer supported. Please contact support to recover your account." }, "premiumMembership": { "message": "Premium membership" diff --git a/apps/cli/src/auth/commands/login.command.ts b/apps/cli/src/auth/commands/login.command.ts index cd5c8ef9bc..a8e525e220 100644 --- a/apps/cli/src/auth/commands/login.command.ts +++ b/apps/cli/src/auth/commands/login.command.ts @@ -34,6 +34,7 @@ import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/a import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service"; import { MasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction"; import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service"; +import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { Utils } from "@bitwarden/common/platform/misc/utils"; import { EncString } from "@bitwarden/common/platform/models/domain/enc-string"; @@ -77,6 +78,7 @@ export class LoginCommand { protected logoutCallback: () => Promise, protected kdfConfigService: KdfConfigService, protected ssoUrlService: SsoUrlService, + protected i18nService: I18nService, protected masterPasswordService: MasterPasswordServiceAbstraction, ) {} @@ -227,9 +229,7 @@ export class LoginCommand { ); } if (response.requiresEncryptionKeyMigration) { - return Response.error( - "Encryption key migration required. Please login through the web vault to update your encryption key.", - ); + return Response.error(this.i18nService.t("legacyEncryptionUnsupported")); } if (response.requiresTwoFactor) { const twoFactorProviders = await this.twoFactorService.getSupportedProviders(null); diff --git a/apps/cli/src/locales/en/messages.json b/apps/cli/src/locales/en/messages.json index 9149e25c5b..815939c0c9 100644 --- a/apps/cli/src/locales/en/messages.json +++ b/apps/cli/src/locales/en/messages.json @@ -185,6 +185,9 @@ } } }, + "legacyEncryptionUnsupported": { + "message": "Legacy encryption is no longer supported. Please contact support to recover your account." + }, "organizationUsingKeyConnectorOptInLoggedOut": { "message": "An organization you are a member of is using Key Connector. In order to access the vault, you must opt-in to Key Connector now via the web vault. You have been logged out." }, diff --git a/apps/cli/src/program.ts b/apps/cli/src/program.ts index e7e25d6634..468901282b 100644 --- a/apps/cli/src/program.ts +++ b/apps/cli/src/program.ts @@ -175,6 +175,7 @@ export class Program extends BaseProgram { async () => await this.serviceContainer.logout(), this.serviceContainer.kdfConfigService, this.serviceContainer.ssoUrlService, + this.serviceContainer.i18nService, this.serviceContainer.masterPasswordService, ); const response = await command.run(email, password, options); diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json index 9d668d464a..0cc466196f 100644 --- a/apps/desktop/src/locales/en/messages.json +++ b/apps/desktop/src/locales/en/messages.json @@ -691,8 +691,8 @@ "maxFileSize": { "message": "Maximum file size is 500 MB." }, - "encryptionKeyMigrationRequired": { - "message": "Encryption key migration required. Please login through the web vault to update your encryption key." + "legacyEncryptionUnsupported": { + "message": "Legacy encryption is no longer supported. Please contact support to recover your account." }, "editedFolder": { "message": "Folder saved" diff --git a/apps/web/src/app/auth/core/services/two-factor-auth/index.ts b/apps/web/src/app/auth/core/services/two-factor-auth/index.ts index ba2697fdee..4ca57b3473 100644 --- a/apps/web/src/app/auth/core/services/two-factor-auth/index.ts +++ b/apps/web/src/app/auth/core/services/two-factor-auth/index.ts @@ -1,2 +1 @@ -export * from "./web-two-factor-auth-component.service"; export * from "./web-two-factor-auth-duo-component.service"; diff --git a/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts b/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts deleted file mode 100644 index 451cec57dd..0000000000 --- a/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts +++ /dev/null @@ -1,14 +0,0 @@ -import { - DefaultTwoFactorAuthComponentService, - TwoFactorAuthComponentService, - LegacyKeyMigrationAction, -} from "@bitwarden/auth/angular"; - -export class WebTwoFactorAuthComponentService - extends DefaultTwoFactorAuthComponentService - implements TwoFactorAuthComponentService -{ - override determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction { - return LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT; - } -} diff --git a/apps/web/src/app/core/core.module.ts b/apps/web/src/app/core/core.module.ts index e812edd8f3..46435981a5 100644 --- a/apps/web/src/app/core/core.module.ts +++ b/apps/web/src/app/core/core.module.ts @@ -32,7 +32,6 @@ import { SetPasswordJitService, SsoComponentService, LoginDecryptionOptionsService, - TwoFactorAuthComponentService, TwoFactorAuthDuoComponentService, ChangePasswordService, } from "@bitwarden/auth/angular"; @@ -116,7 +115,6 @@ import { WebRegistrationFinishService, WebLoginComponentService, WebLoginDecryptionOptionsService, - WebTwoFactorAuthComponentService, WebTwoFactorAuthDuoComponentService, LinkSsoService, } from "../auth"; @@ -269,12 +267,6 @@ const safeProviders: SafeProvider[] = [ useClass: WebLockComponentService, deps: [], }), - // TODO: PM-18182 - Refactor component services into lazy loaded modules - safeProvider({ - provide: TwoFactorAuthComponentService, - useClass: WebTwoFactorAuthComponentService, - deps: [], - }), safeProvider({ provide: SetPasswordJitService, useClass: WebSetPasswordJitService, diff --git a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html deleted file mode 100644 index 7ed1efeb46..0000000000 --- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html +++ /dev/null @@ -1,36 +0,0 @@ -
-
-
-

{{ "updateEncryptionKey" | i18n }}

-
-

- {{ "updateEncryptionSchemeDesc" | i18n }} - {{ "learnMore" | i18n }} -

- {{ "updateEncryptionKeyWarning" | i18n }} - - - {{ "masterPass" | i18n }} - - - - -
-
-
-
diff --git a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts deleted file mode 100644 index f6685a749a..0000000000 --- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts +++ /dev/null @@ -1,100 +0,0 @@ -import { Component } from "@angular/core"; -import { FormControl, FormGroup, Validators } from "@angular/forms"; -import { firstValueFrom } from "rxjs"; - -import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; -import { ErrorResponse } from "@bitwarden/common/models/response/error.response"; -import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; -import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; -import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service"; -import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction"; -import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction"; -import { DialogService, ToastService } from "@bitwarden/components"; -import { KeyService } from "@bitwarden/key-management"; - -import { SharedModule } from "../../shared"; -import { UserKeyRotationModule } from "../key-rotation/user-key-rotation.module"; -import { UserKeyRotationService } from "../key-rotation/user-key-rotation.service"; - -// The master key was originally used to encrypt user data, before the user key was introduced. -// This component is used to migrate from the old encryption scheme to the new one. -@Component({ - imports: [SharedModule, UserKeyRotationModule], - templateUrl: "migrate-legacy-encryption.component.html", -}) -export class MigrateFromLegacyEncryptionComponent { - protected formGroup = new FormGroup({ - masterPassword: new FormControl("", [Validators.required]), - }); - - constructor( - private accountService: AccountService, - private keyRotationService: UserKeyRotationService, - private i18nService: I18nService, - private keyService: KeyService, - private messagingService: MessagingService, - private logService: LogService, - private syncService: SyncService, - private toastService: ToastService, - private dialogService: DialogService, - private folderApiService: FolderApiServiceAbstraction, - ) {} - - submit = async () => { - this.formGroup.markAsTouched(); - - if (this.formGroup.invalid) { - return; - } - - const activeUser = await firstValueFrom(this.accountService.activeAccount$); - if (activeUser == null) { - throw new Error("No active user."); - } - - const hasUserKey = await this.keyService.hasUserKey(activeUser.id); - if (hasUserKey) { - this.messagingService.send("logout"); - throw new Error("User key already exists, cannot migrate legacy encryption."); - } - - const masterPassword = this.formGroup.value.masterPassword!; - - try { - await this.syncService.fullSync(false, true); - - await this.keyRotationService.rotateUserKeyAndEncryptedDataLegacy(masterPassword, activeUser); - - this.toastService.showToast({ - variant: "success", - title: this.i18nService.t("keyUpdated"), - message: this.i18nService.t("logBackInOthersToo"), - timeout: 15000, - }); - this.messagingService.send("logout"); - } catch (e) { - // If the error is due to missing folders, we can delete all folders and try again - if ( - e instanceof ErrorResponse && - e.message === "All existing folders must be included in the rotation." - ) { - const deleteFolders = await this.dialogService.openSimpleDialog({ - type: "warning", - title: { key: "encryptionKeyUpdateCannotProceed" }, - content: { key: "keyUpdateFoldersFailed" }, - acceptButtonText: { key: "ok" }, - cancelButtonText: { key: "cancel" }, - }); - - if (deleteFolders) { - await this.folderApiService.deleteAll(activeUser.id); - await this.syncService.fullSync(true, true); - await this.submit(); - return; - } - } - this.logService.error(e); - throw e; - } - }; -} diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts index 0d6ffb88ad..6a7cc51d3b 100644 --- a/apps/web/src/app/oss-routing.module.ts +++ b/apps/web/src/app/oss-routing.module.ts @@ -151,13 +151,6 @@ const routes: Routes = [ canActivate: [authGuard], data: { titleId: "updatePassword" } satisfies RouteDataProperties, }, - { - path: "migrate-legacy-encryption", - loadComponent: () => - import("./key-management/migrate-encryption/migrate-legacy-encryption.component").then( - (mod) => mod.MigrateFromLegacyEncryptionComponent, - ), - }, ], }, { diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json index e1a2d3cbef..a217b38e65 100644 --- a/apps/web/src/locales/en/messages.json +++ b/apps/web/src/locales/en/messages.json @@ -4473,9 +4473,6 @@ } } }, - "encryptionKeyUpdateCannotProceed": { - "message": "Encryption key update cannot proceed" - }, "editFieldLabel": { "message": "Edit $LABEL$", "placeholders": { @@ -4528,24 +4525,15 @@ } } }, - "keyUpdateFoldersFailed": { - "message": "When updating your encryption key, your folders could not be decrypted. To continue with the update, your folders must be deleted. No vault items will be deleted if you proceed." - }, - "keyUpdated": { - "message": "Key updated" - }, - "updateEncryptionKey": { - "message": "Update encryption key" - }, - "updateEncryptionSchemeDesc": { - "message": "We've changed the encryption scheme to provide better security. Update your encryption key now by entering your master password below." - }, "updateEncryptionKeyWarning": { "message": "After updating your encryption key, you are required to log out and back in to all Bitwarden applications that you are currently using (such as the mobile app or browser extensions). Failure to log out and back in (which downloads your new encryption key) may result in data corruption. We will attempt to log you out automatically, however, it may be delayed." }, "updateEncryptionKeyAccountExportWarning": { "message": "Any account restricted exports you have saved will become invalid." }, + "legacyEncryptionUnsupported": { + "message": "Legacy encryption is no longer supported. Please contact support to recover your account." + }, "subscription": { "message": "Subscription" }, diff --git a/libs/angular/src/auth/guards/lock.guard.spec.ts b/libs/angular/src/auth/guards/lock.guard.spec.ts index ed77f9bdeb..2085e0f348 100644 --- a/libs/angular/src/auth/guards/lock.guard.spec.ts +++ b/libs/angular/src/auth/guards/lock.guard.spec.ts @@ -79,7 +79,6 @@ describe("lockGuard", () => { { path: "", component: EmptyComponent }, { path: "lock", component: EmptyComponent, canActivate: [lockGuard()] }, { path: "non-lock-route", component: EmptyComponent }, - { path: "migrate-legacy-encryption", component: EmptyComponent }, ]), ], providers: [ @@ -182,18 +181,6 @@ describe("lockGuard", () => { expect(messagingService.send).toHaveBeenCalledWith("logout"); }); - it("should send the user to migrate-legacy-encryption if they are a legacy user on a web client", async () => { - const { router } = setup({ - authStatus: AuthenticationStatus.Locked, - canLock: true, - isLegacyUser: true, - clientType: ClientType.Web, - }); - - await router.navigate(["lock"]); - expect(router.url).toBe("/migrate-legacy-encryption"); - }); - it("should allow navigation to the lock route when device trust is supported, the user has a MP, and the user is coming from the login-initiated page", async () => { const { router } = setup({ authStatus: AuthenticationStatus.Locked, diff --git a/libs/angular/src/auth/guards/lock.guard.ts b/libs/angular/src/auth/guards/lock.guard.ts index 01d03dc718..4b09ddeee1 100644 --- a/libs/angular/src/auth/guards/lock.guard.ts +++ b/libs/angular/src/auth/guards/lock.guard.ts @@ -11,11 +11,9 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service"; import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction"; import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status"; -import { ClientType } from "@bitwarden/common/enums"; import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction"; import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout"; import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service"; -import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { KeyService } from "@bitwarden/key-management"; /** @@ -33,7 +31,6 @@ export function lockGuard(): CanActivateFn { const authService = inject(AuthService); const keyService = inject(KeyService); const deviceTrustService = inject(DeviceTrustServiceAbstraction); - const platformUtilService = inject(PlatformUtilsService); const messagingService = inject(MessagingService); const router = inject(Router); const userVerificationService = inject(UserVerificationService); @@ -59,12 +56,7 @@ export function lockGuard(): CanActivateFn { return false; } - // If legacy user on web, redirect to migration page if (await keyService.isLegacyUser()) { - if (platformUtilService.getClientType() === ClientType.Web) { - return router.createUrlTree(["migrate-legacy-encryption"]); - } - // Log out legacy users on other clients messagingService.send("logout"); return false; } diff --git a/libs/auth/src/angular/login/login.component.ts b/libs/auth/src/angular/login/login.component.ts index 8674453cf1..425260ec2e 100644 --- a/libs/auth/src/angular/login/login.component.ts +++ b/libs/auth/src/angular/login/login.component.ts @@ -282,16 +282,12 @@ export class LoginComponent implements OnInit, OnDestroy { private async handleAuthResult(authResult: AuthResult): Promise { if (authResult.requiresEncryptionKeyMigration) { /* Legacy accounts used the master key to encrypt data. - Migration is required but only performed on Web. */ - if (this.clientType === ClientType.Web) { - await this.router.navigate(["migrate-legacy-encryption"]); - } else { - this.toastService.showToast({ - variant: "error", - title: this.i18nService.t("errorOccured"), - message: this.i18nService.t("encryptionKeyMigrationRequired"), - }); - } + This is now unsupported and requires a downgraded client */ + this.toastService.showToast({ + variant: "error", + title: this.i18nService.t("errorOccured"), + message: this.i18nService.t("legacyEncryptionUnsupported"), + }); return; } diff --git a/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts b/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts index f68c1d3451..1ce0cba5af 100644 --- a/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts +++ b/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts @@ -1,6 +1,5 @@ import { DuoLaunchAction, - LegacyKeyMigrationAction, TwoFactorAuthComponentService, } from "./two-factor-auth-component.service"; @@ -9,10 +8,6 @@ export class DefaultTwoFactorAuthComponentService implements TwoFactorAuthCompon return false; } - determineLegacyKeyMigrationAction() { - return LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING; - } - determineDuoLaunchAction(): DuoLaunchAction { return DuoLaunchAction.DIRECT_LAUNCH; } diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts index c99722fb8e..2d2cdba3a1 100644 --- a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts +++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts @@ -1,12 +1,5 @@ import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type"; -// FIXME: update to use a const object instead of a typescript enum -// eslint-disable-next-line @bitwarden/platform/no-enums -export enum LegacyKeyMigrationAction { - PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING, - NAVIGATE_TO_MIGRATION_COMPONENT, -} - // FIXME: update to use a const object instead of a typescript enum // eslint-disable-next-line @bitwarden/platform/no-enums export enum DuoLaunchAction { @@ -38,18 +31,6 @@ export abstract class TwoFactorAuthComponentService { */ abstract removePopupWidthExtension?(): void; - /** - * We used to use the user's master key to encrypt their data. We deprecated that approach - * and now use a user key. This method should be called if we detect that the user - * is still using the old master key encryption scheme (server sends down a flag to - * indicate this). This method then determines what action to take based on the client. - * - * We have two possible actions: - * 1. Prevent the user from logging in and show a warning that they need to migrate their key on the web client today. - * 2. Navigate the user to the key migration component on the web client. - */ - abstract determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction; - /** * Optionally closes any single action popouts (extension only). * @returns true if we are in a single action popout and it was closed, false otherwise. diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts index 57637fe911..85184283ef 100644 --- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts +++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts @@ -69,7 +69,6 @@ import { } from "./two-factor-auth-component-cache.service"; import { DuoLaunchAction, - LegacyKeyMigrationAction, TwoFactorAuthComponentService, } from "./two-factor-auth-component.service"; import { @@ -388,22 +387,12 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy { if (!result.requiresEncryptionKeyMigration) { return false; } - // Migration is forced so prevent login via return - const legacyKeyMigrationAction: LegacyKeyMigrationAction = - this.twoFactorAuthComponentService.determineLegacyKeyMigrationAction(); - switch (legacyKeyMigrationAction) { - case LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT: - await this.router.navigate(["migrate-legacy-encryption"]); - break; - case LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING: - this.toastService.showToast({ - variant: "error", - title: this.i18nService.t("errorOccured"), - message: this.i18nService.t("encryptionKeyMigrationRequired"), - }); - break; - } + this.toastService.showToast({ + variant: "error", + title: this.i18nService.t("errorOccured"), + message: this.i18nService.t("legacyEncryptionUnsupported"), + }); return true; } diff --git a/libs/auth/src/common/login-strategies/login.strategy.ts b/libs/auth/src/common/login-strategies/login.strategy.ts index 6e66d65b65..f1b7d236fb 100644 --- a/libs/auth/src/common/login-strategies/login.strategy.ts +++ b/libs/auth/src/common/login-strategies/login.strategy.ts @@ -17,7 +17,6 @@ import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/model import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response"; import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response"; import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service"; -import { ClientType } from "@bitwarden/common/enums"; import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service"; import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction"; import { @@ -254,13 +253,10 @@ export abstract class LoginStrategy { protected async processTokenResponse(response: IdentityTokenResponse): Promise { const result = new AuthResult(); - // Old encryption keys must be migrated, but is currently only available on web. - // Other clients shouldn't continue the login process. + // Encryption key migration of legacy users (with no userkey) is not supported anymore if (this.encryptionKeyMigrationRequired(response)) { result.requiresEncryptionKeyMigration = true; - if (this.platformUtilsService.getClientType() !== ClientType.Web) { - return result; - } + return result; } // Must come before setting keys, user key needs email to update additional keys.