fix(auth-routing): [PM-19018] SSO TDE Routing Fix - Fixed routing logic. (#13778)

* fix(auth-routing): [PM-19018] SSO TDE Routing Fix - Fixed routing logic. * PM-19018 - TwoFactorAuthTests - remove tests that are no longer applicable as 2FA comp isn't responsible for setting admin account recovery flag into state. * PM-19018 - LoginStrategyTests - add test for processing forcePasswordReset response --------- Co-authored-by: Jared Snider <jsnider@bitwarden.com>
2025-12-21 18:53:29 +00:00 · 2025-03-10 21:20:11 -04:00
parent 992be1d054
commit 3b9be21fd7
5 changed files with 44 additions and 88 deletions
--- a/libs/auth/src/common/login-strategies/login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.spec.ts
@@ -306,6 +306,31 @@ describe("LoginStrategy", () => {
      expect(result).toEqual(expected);
    });

+    it("processes a forcePasswordReset response properly", async () => {
+      const tokenResponse = identityTokenResponseFactory();
+      tokenResponse.forcePasswordReset = true;
+
+      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+
+      const result = await passwordLoginStrategy.logIn(credentials);
+
+      const expected = new AuthResult();
+      expected.userId = userId;
+      expected.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
+      expected.resetMasterPassword = false;
+      expected.twoFactorProviders = {} as Partial<
+        Record<TwoFactorProviderType, Record<string, string>>
+      >;
+      expected.captchaSiteKey = "";
+      expected.twoFactorProviders = null;
+      expect(result).toEqual(expected);
+
+      expect(masterPasswordService.mock.setForceSetPasswordReason).toHaveBeenCalledWith(
+        ForceSetPasswordReason.AdminForcePasswordReset,
+        userId,
+      );
+    });
+
    it("rejects login if CAPTCHA is required", async () => {
      // Sample CAPTCHA response
      const tokenResponse = new IdentityCaptchaResponse({
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -271,17 +271,24 @@ export abstract class LoginStrategy {
      }
    }

-    result.resetMasterPassword = response.resetMasterPassword;
-
-    // Convert boolean to enum
-    if (response.forcePasswordReset) {
-      result.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
-    }
-
-    // Must come before setting keys, user key needs email to update additional keys
+    // Must come before setting keys, user key needs email to update additional keys.
    const userId = await this.saveAccountInformation(response);
    result.userId = userId;

+    result.resetMasterPassword = response.resetMasterPassword;
+
+    // Convert boolean to enum and set the state for the master password service to
+    // so we know when we reach the auth guard that we need to guide them properly to admin
+    // password reset.
+    if (response.forcePasswordReset) {
+      result.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
+
+      await this.masterPasswordService.setForceSetPasswordReason(
+        ForceSetPasswordReason.AdminForcePasswordReset,
+        userId,
+      );
+    }
+
    if (response.twoFactorToken != null) {
      // note: we can read email from access token b/c it was saved in saveAccountInformation
      const userEmail = await this.tokenService.getEmail();
@@ -300,7 +307,9 @@ export abstract class LoginStrategy {

  // The keys comes from different sources depending on the login strategy
  protected abstract setMasterKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;
+
  protected abstract setUserKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;
+
  protected abstract setPrivateKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;

  // Old accounts used master key for encryption. We are forcing migrations but only need to
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@@ -6,7 +6,6 @@ import { Jsonify } from "type-fest";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
-import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
 import { SsoTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/sso-token.request";
 import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
@@ -108,14 +107,6 @@ export class SsoLoginStrategy extends LoginStrategy {
    const email = ssoAuthResult.email;
    const ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;

-    // Auth guard currently handles redirects for this.
-    if (ssoAuthResult.forcePasswordReset == ForceSetPasswordReason.AdminForcePasswordReset) {
-      await this.masterPasswordService.setForceSetPasswordReason(
-        ssoAuthResult.forcePasswordReset,
-        ssoAuthResult.userId,
-      );
-    }
-
    this.cache.next({
      ...this.cache.value,
      email,