bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-15 15:53:27 +00:00
Code Issues Releases Wiki Activity

[PM-8027] Merging main into branch

Browse Source
This commit is contained in:
Cesar Gonzalez
2024-06-17 04:58:45 -05:00
parent 70d00a59ce 18b56c0b5a
commit 42825a405a
324 changed files with 4948 additions and 4076 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libs/common/src/abstractions/api.service.ts
View File

@@ -61,7 +61,6 @@ import { IdentityCaptchaResponse } from "../auth/models/response/identity-captch
import { IdentityTokenResponse } from "../auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "../auth/models/response/identity-two-factor.response";
import { KeyConnectorUserKeyResponse } from "../auth/models/response/key-connector-user-key.response";
import { MasterPasswordPolicyResponse } from "../auth/models/response/master-password-policy.response";
import { PreloginResponse } from "../auth/models/response/prelogin.response";
import { RegisterResponse } from "../auth/models/response/register.response";
import { SsoPreValidateResponse } from "../auth/models/response/sso-pre-validate.response";
@@ -175,9 +174,6 @@ export abstract class ApiService {
postAccountKeys: (request: KeysRequest) => Promise<any>;
postAccountVerifyEmail: () => Promise<any>;
postAccountVerifyEmailToken: (request: VerifyEmailRequest) => Promise<any>;
postAccountVerifyPassword: (
request: SecretVerificationRequest,
) => Promise<MasterPasswordPolicyResponse>;
postAccountRecoverDelete: (request: DeleteRecoverRequest) => Promise<any>;
postAccountRecoverDeleteToken: (request: VerifyDeleteRecoverRequest) => Promise<any>;
postAccountKdf: (request: KdfRequest) => Promise<any>;

3
libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts
View File

@@ -117,6 +117,9 @@ export abstract class OrganizationService {
hasOrganizations: () => Promise<boolean>;
get$: (id: string) => Observable<Organization | undefined>;
get: (id: string) => Promise<Organization>;
/**
* @deprecated This method is only used in key connector and will be removed soon as part of https://bitwarden.atlassian.net/browse/AC-2252.
*/
getAll: (userId?: string) => Promise<Organization[]>;
/**

4
libs/common/src/admin-console/models/data/organization.data.spec.ts
View File

@@ -1,4 +1,4 @@
import { ProductType } from "../../../enums/product-type.enum";
import { ProductTierType } from "../../../billing/enums/product-tier-type.enum";
import { OrganizationUserStatusType, OrganizationUserType } from "../../enums";
import { ORGANIZATIONS } from "../../services/organization/organization.service";
@@ -47,7 +47,7 @@ describe("ORGANIZATIONS state", () => {
isMember: false,
familySponsorshipFriendlyName: "fsfn",
familySponsorshipAvailable: false,
planProductType: ProductType.Free,
productTierType: ProductTierType.Free,
keyConnectorEnabled: false,
keyConnectorUrl: "kcu",
accessSecretsManager: false,

6
libs/common/src/admin-console/models/data/organization.data.ts
View File

@@ -1,6 +1,6 @@
import { Jsonify } from "type-fest";
import { ProductType } from "../../../enums";
import { ProductTierType } from "../../../billing/enums";
import { OrganizationUserStatusType, OrganizationUserType, ProviderType } from "../../enums";
import { PermissionsApi } from "../api/permissions.api";
import { ProfileOrganizationResponse } from "../response/profile-organization.response";
@@ -45,7 +45,7 @@ export class OrganizationData {
isMember: boolean;
familySponsorshipFriendlyName: string;
familySponsorshipAvailable: boolean;
planProductType: ProductType;
productTierType: ProductTierType;
keyConnectorEnabled: boolean;
keyConnectorUrl: string;
familySponsorshipLastSyncDate?: Date;
@@ -104,7 +104,7 @@ export class OrganizationData {
this.providerType = response.providerType;
this.familySponsorshipFriendlyName = response.familySponsorshipFriendlyName;
this.familySponsorshipAvailable = response.familySponsorshipAvailable;
this.planProductType = response.planProductType;
this.productTierType = response.planProductType;
this.keyConnectorEnabled = response.keyConnectorEnabled;
this.keyConnectorUrl = response.keyConnectorUrl;
this.familySponsorshipLastSyncDate = response.familySponsorshipLastSyncDate;

6
libs/common/src/admin-console/models/domain/organization.ts
View File

@@ -1,6 +1,6 @@
import { Jsonify } from "type-fest";
import { ProductType } from "../../../enums";
import { ProductTierType } from "../../../billing/enums";
import { OrganizationUserStatusType, OrganizationUserType, ProviderType } from "../../enums";
import { PermissionsApi } from "../api/permissions.api";
import { OrganizationData } from "../data/organization.data";
@@ -58,7 +58,7 @@ export class Organization {
isMember: boolean;
familySponsorshipFriendlyName: string;
familySponsorshipAvailable: boolean;
planProductType: ProductType;
productTierType: ProductTierType;
keyConnectorEnabled: boolean;
keyConnectorUrl: string;
familySponsorshipLastSyncDate?: Date;
@@ -123,7 +123,7 @@ export class Organization {
this.isMember = obj.isMember;
this.familySponsorshipFriendlyName = obj.familySponsorshipFriendlyName;
this.familySponsorshipAvailable = obj.familySponsorshipAvailable;
this.planProductType = obj.planProductType;
this.productTierType = obj.productTierType;
this.keyConnectorEnabled = obj.keyConnectorEnabled;
this.keyConnectorUrl = obj.keyConnectorUrl;
this.familySponsorshipLastSyncDate = obj.familySponsorshipLastSyncDate;

4
libs/common/src/admin-console/models/response/profile-organization.response.ts
View File

@@ -1,4 +1,4 @@
import { ProductType } from "../../../enums";
import { ProductTierType } from "../../../billing/enums";
import { BaseResponse } from "../../../models/response/base.response";
import { OrganizationUserStatusType, OrganizationUserType, ProviderType } from "../../enums";
import { PermissionsApi } from "../api/permissions.api";
@@ -42,7 +42,7 @@ export class ProfileOrganizationResponse extends BaseResponse {
providerType?: ProviderType;
familySponsorshipFriendlyName: string;
familySponsorshipAvailable: boolean;
planProductType: ProductType;
planProductType: ProductTierType;
keyConnectorEnabled: boolean;
keyConnectorUrl: string;
familySponsorshipLastSyncDate?: Date;

22
libs/common/src/auth/abstractions/account-api.service.ts
View File

@@ -1,5 +1,27 @@
import { RegisterSendVerificationEmailRequest } from "../models/request/registration/register-send-verification-email.request";
import { Verification } from "../types/verification";
export abstract class AccountApiService {
/**
* Deletes an account that has confirmed the operation is authorized
*
* @param verification - authorizes the account deletion operation.
* @returns A promise that resolves when the account is
* successfully deleted.
*/
abstract deleteAccount(verification: Verification): Promise<void>;
/**
* Sends a verification email as part of the registration process.
*
* @param request - The request object containing
* information needed to send the verification email, such as the user's email address.
* @returns A promise that resolves to a string tokencontaining the user's encrypted
* information which must be submitted to complete registration or `null` if
* email verification is enabled (users must get the token by clicking a
* link in the email that will be sent to them).
*/
abstract registerSendVerificationEmail(
request: RegisterSendVerificationEmailRequest,
): Promise<null | string>;
}

5
libs/common/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts
View File

@@ -1,6 +1,11 @@
import { SecretVerificationRequest } from "../../models/request/secret-verification.request";
import { VerifyOTPRequest } from "../../models/request/verify-otp.request";
import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response";
export abstract class UserVerificationApiServiceAbstraction {
postAccountVerifyOTP: (request: VerifyOTPRequest) => Promise<void>;
postAccountRequestOTP: () => Promise<void>;
postAccountVerifyPassword: (
request: SecretVerificationRequest,
) => Promise<MasterPasswordPolicyResponse>;
}

57
libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts
View File

@@ -1,19 +1,53 @@
import { UserId } from "../../../types/guid";
import { SecretVerificationRequest } from "../../models/request/secret-verification.request";
import { UserVerificationOptions } from "../../types/user-verification-options";
import { Verification } from "../../types/verification";
import {
MasterPasswordVerification,
MasterPasswordVerificationResponse,
Verification,
} from "../../types/verification";
export abstract class UserVerificationService {
/**
* Returns the available verification options for the user, can be
* restricted to a specific type of verification.
* @param verificationType Type of verification to restrict the options to
* @returns Available verification options for the user
*/
getAvailableVerificationOptions: (
verificationType: keyof UserVerificationOptions,
) => Promise<UserVerificationOptions>;
/**
* Create a new request model to be used for server-side verification
* @param verification User-supplied verification data (Master Password or OTP)
* @param requestClass The request model to create
* @param alreadyHashed Whether the master password is already hashed
* @throws Error if the verification data is invalid
*/
buildRequest: <T extends SecretVerificationRequest>(
verification: Verification,
requestClass?: new () => T,
alreadyHashed?: boolean,
) => Promise<T>;
/**
* Verifies the user using the provided verification data.
* PIN or biometrics are verified client-side.
* OTP is sent to the server for verification (with no other data)
* Master Password verifies client-side first if there is a MP hash, or server-side if not.
* @param verification User-supplied verification data (OTP, MP, PIN, or biometrics)
* @throws Error if the verification data is invalid or the verification fails
*/
verifyUser: (verification: Verification) => Promise<boolean>;
/**
* Request a one-time password (OTP) to be sent to the user's email
*/
requestOTP: () => Promise<void>;
/**
* Check if user has master password or only uses passwordless technologies to log in
* Check if user has master password or can only use passwordless technologies to log in
* Note: This only checks the server, not the local state
* @param userId The user id to check. If not provided, the current user is used
* @returns True if the user has a master password
* @deprecated Use UserDecryptionOptionsService.hasMasterPassword$ instead
*/
hasMasterPassword: (userId?: string) => Promise<boolean>;
/**
@@ -22,8 +56,19 @@ export abstract class UserVerificationService {
* @returns True if the user has a master password and has used it in the current session
*/
hasMasterPasswordAndMasterKeyHash: (userId?: string) => Promise<boolean>;
getAvailableVerificationOptions: (
verificationType: keyof UserVerificationOptions,
) => Promise<UserVerificationOptions>;
/**
* Verifies the user using the provided master password.
* Attempts to verify client-side first, then server-side if necessary.
* IMPORTANT: Will throw an error if the master password is invalid.
* @param verification Master Password verification data
* @param userId The user to verify
* @param email The user's email
* @throws Error if the master password is invalid
* @returns An object containing the master key, and master password policy options if verified on server.
*/
verifyUserByMasterPassword: (
verification: MasterPasswordVerification,
userId: UserId,
email: string,
) => Promise<MasterPasswordVerificationResponse>;
}

7
libs/common/src/auth/models/request/registration/register-send-verification-email.request.ts Normal file
View File

@@ -0,0 +1,7 @@
export class RegisterSendVerificationEmailRequest {
constructor(
public email: string,
public name: string,
public receiveMarketingEmails: boolean,
) {}
}

35
libs/common/src/auth/services/account-api.service.ts
View File

@@ -1,8 +1,13 @@
import { firstValueFrom } from "rxjs";
import { ApiService } from "../../abstractions/api.service";
import { ErrorResponse } from "../../models/response/error.response";
import { EnvironmentService } from "../../platform/abstractions/environment.service";
import { LogService } from "../../platform/abstractions/log.service";
import { AccountApiService } from "../abstractions/account-api.service";
import { InternalAccountService } from "../abstractions/account.service";
import { UserVerificationService } from "../abstractions/user-verification/user-verification.service.abstraction";
import { RegisterSendVerificationEmailRequest } from "../models/request/registration/register-send-verification-email.request";
import { Verification } from "../types/verification";
export class AccountApiServiceImplementation implements AccountApiService {
@@ -11,6 +16,7 @@ export class AccountApiServiceImplementation implements AccountApiService {
private userVerificationService: UserVerificationService,
private logService: LogService,
private accountService: InternalAccountService,
private environmentService: EnvironmentService,
) {}
async deleteAccount(verification: Verification): Promise<void> {
@@ -23,4 +29,33 @@ export class AccountApiServiceImplementation implements AccountApiService {
throw e;
}
}
async registerSendVerificationEmail(
request: RegisterSendVerificationEmailRequest,
): Promise<null | string> {
const env = await firstValueFrom(this.environmentService.environment$);
try {
const response = await this.apiService.send(
"POST",
"/accounts/register/send-verification-email",
request,
false,
true,
env.getIdentityUrl(),
);
return response;
} catch (e: unknown) {
if (e instanceof ErrorResponse) {
if (e.statusCode === 204) {
// No content is a success response.
return null;
}
}
this.logService.error(e);
throw e;
}
}
}

7
libs/common/src/auth/services/user-verification/user-verification-api.service.ts
View File

@@ -1,6 +1,8 @@
import { ApiService } from "../../../abstractions/api.service";
import { UserVerificationApiServiceAbstraction } from "../../abstractions/user-verification/user-verification-api.service.abstraction";
import { SecretVerificationRequest } from "../../models/request/secret-verification.request";
import { VerifyOTPRequest } from "../../models/request/verify-otp.request";
import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response";
export class UserVerificationApiService implements UserVerificationApiServiceAbstraction {
constructor(private apiService: ApiService) {}
@@ -11,4 +13,9 @@ export class UserVerificationApiService implements UserVerificationApiServiceAbs
async postAccountRequestOTP(): Promise<void> {
return this.apiService.send("POST", "/accounts/request-otp", null, true, false);
}
postAccountVerifyPassword(
request: SecretVerificationRequest,
): Promise<MasterPasswordPolicyResponse> {
return this.apiService.send("POST", "/accounts/verify-password", request, true, true);
}
}

418
libs/common/src/auth/services/user-verification/user-verification.service.spec.ts Normal file
View File

@@ -0,0 +1,418 @@
import { mock } from "jest-mock-extended";
import { of } from "rxjs";
import {
PinLockType,
PinServiceAbstraction,
UserDecryptionOptions,
UserDecryptionOptionsServiceAbstraction,
} from "@bitwarden/auth/common";
import { FakeAccountService, mockAccountServiceWith } from "../../../../spec";
import { VaultTimeoutSettingsService } from "../../../abstractions/vault-timeout/vault-timeout-settings.service";
import { CryptoService } from "../../../platform/abstractions/crypto.service";
import { I18nService } from "../../../platform/abstractions/i18n.service";
import { LogService } from "../../../platform/abstractions/log.service";
import { PlatformUtilsService } from "../../../platform/abstractions/platform-utils.service";
import { HashPurpose } from "../../../platform/enums";
import { Utils } from "../../../platform/misc/utils";
import { UserId } from "../../../types/guid";
import { MasterKey } from "../../../types/key";
import { KdfConfigService } from "../../abstractions/kdf-config.service";
import { InternalMasterPasswordServiceAbstraction } from "../../abstractions/master-password.service.abstraction";
import { UserVerificationApiServiceAbstraction } from "../../abstractions/user-verification/user-verification-api.service.abstraction";
import { VerificationType } from "../../enums/verification-type";
import { KdfConfig } from "../../models/domain/kdf-config";
import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response";
import { MasterPasswordVerification } from "../../types/verification";
import { UserVerificationService } from "./user-verification.service";
describe("UserVerificationService", () => {
let sut: UserVerificationService;
const cryptoService = mock<CryptoService>();
const masterPasswordService = mock<InternalMasterPasswordServiceAbstraction>();
const i18nService = mock<I18nService>();
const userVerificationApiService = mock<UserVerificationApiServiceAbstraction>();
const userDecryptionOptionsService = mock<UserDecryptionOptionsServiceAbstraction>();
const pinService = mock<PinServiceAbstraction>();
const logService = mock<LogService>();
const vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
const platformUtilsService = mock<PlatformUtilsService>();
const kdfConfigService = mock<KdfConfigService>();
const mockUserId = Utils.newGuid() as UserId;
let accountService: FakeAccountService;
beforeEach(() => {
jest.clearAllMocks();
accountService = mockAccountServiceWith(mockUserId);
sut = new UserVerificationService(
cryptoService,
accountService,
masterPasswordService,
i18nService,
userVerificationApiService,
userDecryptionOptionsService,
pinService,
logService,
vaultTimeoutSettingsService,
platformUtilsService,
kdfConfigService,
);
});
describe("getAvailableVerificationOptions", () => {
describe("client verification type", () => {
it("correctly returns master password availability", async () => {
setMasterPasswordAvailability(true);
setPinAvailability("DISABLED");
disableBiometricsAvailability();
const result = await sut.getAvailableVerificationOptions("client");
expect(result).toEqual({
client: {
masterPassword: true,
pin: false,
biometrics: false,
},
server: {
masterPassword: false,
otp: false,
},
});
});
test.each([
[true, "PERSISTENT"],
[true, "EPHEMERAL"],
[false, "DISABLED"],
])(
"returns %s for PIN availability when pin lock type is %s",
async (expectedPin: boolean, pinLockType: PinLockType) => {
setMasterPasswordAvailability(false);
setPinAvailability(pinLockType);
disableBiometricsAvailability();
const result = await sut.getAvailableVerificationOptions("client");
expect(result).toEqual({
client: {
masterPassword: false,
pin: expectedPin,
biometrics: false,
},
server: {
masterPassword: false,
otp: false,
},
});
},
);
test.each([
[true, true, true, true],
[true, true, true, false],
[true, true, false, false],
[false, true, false, true],
[false, false, false, false],
[false, false, true, false],
[false, false, false, true],
])(
"returns %s for biometrics availability when isBiometricLockSet is %s, hasUserKeyStored is %s, and supportsSecureStorage is %s",
async (
expectedReturn: boolean,
isBiometricsLockSet: boolean,
isBiometricsUserKeyStored: boolean,
platformSupportSecureStorage: boolean,
) => {
setMasterPasswordAvailability(false);
setPinAvailability("DISABLED");
vaultTimeoutSettingsService.isBiometricLockSet.mockResolvedValue(isBiometricsLockSet);
cryptoService.hasUserKeyStored.mockResolvedValue(isBiometricsUserKeyStored);
platformUtilsService.supportsSecureStorage.mockReturnValue(platformSupportSecureStorage);
const result = await sut.getAvailableVerificationOptions("client");
expect(result).toEqual({
client: {
masterPassword: false,
pin: false,
biometrics: expectedReturn,
},
server: {
masterPassword: false,
otp: false,
},
});
},
);
});
describe("server verification type", () => {
it("correctly returns master password availability", async () => {
userDecryptionOptionsService.userDecryptionOptionsById$.mockReturnValue(
of({
hasMasterPassword: true,
} as UserDecryptionOptions),
);
const result = await sut.getAvailableVerificationOptions("server");
expect(result).toEqual({
client: {
masterPassword: false,
pin: false,
biometrics: false,
},
server: {
masterPassword: true,
otp: false,
},
});
});
it("correctly returns OTP availability", async () => {
userDecryptionOptionsService.userDecryptionOptionsById$.mockReturnValue(
of({
hasMasterPassword: false,
} as UserDecryptionOptions),
);
const result = await sut.getAvailableVerificationOptions("server");
expect(result).toEqual({
client: {
masterPassword: false,
pin: false,
biometrics: false,
},
server: {
masterPassword: false,
otp: true,
},
});
});
});
});
describe("verifyUserByMasterPassword", () => {
beforeAll(() => {
i18nService.t.calledWith("invalidMasterPassword").mockReturnValue("Invalid master password");
kdfConfigService.getKdfConfig.mockResolvedValue("kdfConfig" as unknown as KdfConfig);
masterPasswordService.masterKey$.mockReturnValue(of("masterKey" as unknown as MasterKey));
cryptoService.hashMasterKey
.calledWith("password", "masterKey" as unknown as MasterKey, HashPurpose.LocalAuthorization)
.mockResolvedValue("localHash");
});
describe("client-side verification", () => {
beforeEach(() => {
setMasterPasswordAvailability(true);
});
it("returns if verification is successful", async () => {
cryptoService.compareAndUpdateKeyHash.mockResolvedValueOnce(true);
const result = await sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
);
expect(cryptoService.compareAndUpdateKeyHash).toHaveBeenCalled();
expect(masterPasswordService.setMasterKeyHash).toHaveBeenCalledWith(
"localHash",
mockUserId,
);
expect(masterPasswordService.setMasterKey).toHaveBeenCalledWith("masterKey", mockUserId);
expect(result).toEqual({
policyOptions: null,
masterKey: "masterKey",
});
});
it("throws if verification fails", async () => {
cryptoService.compareAndUpdateKeyHash.mockResolvedValueOnce(false);
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
),
).rejects.toThrow("Invalid master password");
expect(cryptoService.compareAndUpdateKeyHash).toHaveBeenCalled();
expect(masterPasswordService.setMasterKeyHash).not.toHaveBeenCalledWith();
expect(masterPasswordService.setMasterKey).not.toHaveBeenCalledWith();
});
});
describe("server-side verification", () => {
beforeEach(() => {
setMasterPasswordAvailability(false);
});
it("returns if verification is successful", async () => {
cryptoService.hashMasterKey
.calledWith(
"password",
"masterKey" as unknown as MasterKey,
HashPurpose.ServerAuthorization,
)
.mockResolvedValueOnce("serverHash");
userVerificationApiService.postAccountVerifyPassword.mockResolvedValueOnce(
"MasterPasswordPolicyOptions" as unknown as MasterPasswordPolicyResponse,
);
const result = await sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
);
expect(cryptoService.compareAndUpdateKeyHash).not.toHaveBeenCalled();
expect(masterPasswordService.setMasterKeyHash).toHaveBeenCalledWith(
"localHash",
mockUserId,
);
expect(masterPasswordService.setMasterKey).toHaveBeenCalledWith("masterKey", mockUserId);
expect(result).toEqual({
policyOptions: "MasterPasswordPolicyOptions",
masterKey: "masterKey",
});
});
it("throws if verification fails", async () => {
cryptoService.hashMasterKey
.calledWith(
"password",
"masterKey" as unknown as MasterKey,
HashPurpose.ServerAuthorization,
)
.mockResolvedValueOnce("serverHash");
userVerificationApiService.postAccountVerifyPassword.mockRejectedValueOnce(new Error());
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
),
).rejects.toThrow("Invalid master password");
expect(cryptoService.compareAndUpdateKeyHash).not.toHaveBeenCalled();
expect(masterPasswordService.setMasterKeyHash).not.toHaveBeenCalledWith();
expect(masterPasswordService.setMasterKey).not.toHaveBeenCalledWith();
});
});
describe("error handling", () => {
it("throws if any of the parameters are nullish", async () => {
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: null,
} as MasterPasswordVerification,
mockUserId,
"email",
),
).rejects.toThrow(
"Master Password is required. Cannot verify user without a master password.",
);
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
null,
"email",
),
).rejects.toThrow("User ID is required. Cannot verify user by master password.");
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
null,
),
).rejects.toThrow("Email is required. Cannot verify user by master password.");
});
it("throws if kdf config is not available", async () => {
kdfConfigService.getKdfConfig.mockResolvedValueOnce(null);
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
),
).rejects.toThrow("KDF config is required. Cannot verify user by master password.");
});
it("throws if master key cannot be created", async () => {
kdfConfigService.getKdfConfig.mockResolvedValueOnce("kdfConfig" as unknown as KdfConfig);
masterPasswordService.masterKey$.mockReturnValueOnce(of(null));
cryptoService.makeMasterKey.mockResolvedValueOnce(null);
await expect(
sut.verifyUserByMasterPassword(
{
type: VerificationType.MasterPassword,
secret: "password",
} as MasterPasswordVerification,
mockUserId,
"email",
),
).rejects.toThrow("Master key could not be created to verify the master password.");
});
});
});
// Helpers
function setMasterPasswordAvailability(hasMasterPassword: boolean) {
userDecryptionOptionsService.userDecryptionOptionsById$.mockReturnValue(
of({
hasMasterPassword: hasMasterPassword,
} as UserDecryptionOptions),
);
masterPasswordService.masterKeyHash$.mockReturnValue(
of(hasMasterPassword ? "masterKeyHash" : null),
);
}
function setPinAvailability(type: PinLockType) {
pinService.getPinLockType.mockResolvedValue(type);
}
function disableBiometricsAvailability() {
vaultTimeoutSettingsService.isBiometricLockSet.mockResolvedValue(false);
}
});

99
libs/common/src/auth/services/user-verification/user-verification.service.ts
View File

@@ -8,7 +8,7 @@ import { CryptoService } from "../../../platform/abstractions/crypto.service";
import { I18nService } from "../../../platform/abstractions/i18n.service";
import { LogService } from "../../../platform/abstractions/log.service";
import { PlatformUtilsService } from "../../../platform/abstractions/platform-utils.service";
import { StateService } from "../../../platform/abstractions/state.service";
import { HashPurpose } from "../../../platform/enums";
import { KeySuffixOptions } from "../../../platform/enums/key-suffix-options.enum";
import { UserId } from "../../../types/guid";
import { UserKey } from "../../../types/key";
@@ -20,9 +20,11 @@ import { UserVerificationService as UserVerificationServiceAbstraction } from ".
import { VerificationType } from "../../enums/verification-type";
import { SecretVerificationRequest } from "../../models/request/secret-verification.request";
import { VerifyOTPRequest } from "../../models/request/verify-otp.request";
import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response";
import { UserVerificationOptions } from "../../types/user-verification-options";
import {
MasterPasswordVerification,
MasterPasswordVerificationResponse,
OtpVerification,
PinVerification,
ServerSideVerification,
@@ -37,7 +39,6 @@ import {
*/
export class UserVerificationService implements UserVerificationServiceAbstraction {
constructor(
private stateService: StateService,
private cryptoService: CryptoService,
private accountService: AccountService,
private masterPasswordService: InternalMasterPasswordServiceAbstraction,
@@ -54,14 +55,14 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
async getAvailableVerificationOptions(
verificationType: keyof UserVerificationOptions,
): Promise<UserVerificationOptions> {
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
if (verificationType === "client") {
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
const [userHasMasterPassword, pinLockType, biometricsLockSet, biometricsUserKeyStored] =
await Promise.all([
this.hasMasterPasswordAndMasterKeyHash(),
this.hasMasterPasswordAndMasterKeyHash(userId),
this.pinService.getPinLockType(userId),
this.vaultTimeoutSettingsService.isBiometricLockSet(),
this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric),
this.vaultTimeoutSettingsService.isBiometricLockSet(userId),
this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric, userId),
]);
// note: we do not need to check this.platformUtilsService.supportsBiometric() because
@@ -83,7 +84,7 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
} else {
// server
// Don't check if have MP hash locally, because we are going to send the secret to the server to be verified.
const userHasMasterPassword = await this.hasMasterPassword();
const userHasMasterPassword = await this.hasMasterPassword(userId);
return {
client: {
@@ -96,12 +97,6 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
}
}
/**
* Create a new request model to be used for server-side verification
* @param verification User-supplied verification data (Master Password or OTP)
* @param requestClass The request model to create
* @param alreadyHashed Whether the master password is already hashed
*/
async buildRequest<T extends SecretVerificationRequest>(
verification: ServerSideVerification,
requestClass?: new () => T,
@@ -134,11 +129,6 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
return request;
}
/**
* Used to verify Master Password, PIN, or biometrics client-side, or send the OTP to the server for verification (with no other data)
* Generally used for client-side verification only.
* @param verification User-supplied verification data (OTP, MP, PIN, or biometrics)
*/
async verifyUser(verification: Verification): Promise<boolean> {
if (verification == null) {
throw new Error("Verification is required.");
@@ -156,7 +146,8 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
case VerificationType.OTP:
return this.verifyUserByOTP(verification);
case VerificationType.MasterPassword:
return this.verifyUserByMasterPassword(verification, userId, email);
await this.verifyUserByMasterPassword(verification, userId, email);
return true;
case VerificationType.PIN:
return this.verifyUserByPIN(verification, userId);
case VerificationType.Biometrics:
@@ -179,33 +170,70 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
return true;
}
private async verifyUserByMasterPassword(
async verifyUserByMasterPassword(
verification: MasterPasswordVerification,
userId: UserId,
email: string,
): Promise<boolean> {
): Promise<MasterPasswordVerificationResponse> {
if (!verification.secret) {
throw new Error("Master Password is required. Cannot verify user without a master password.");
}
if (!userId) {
throw new Error("User ID is required. Cannot verify user by master password.");
}
if (!email) {
throw new Error("Email is required. Cannot verify user by master password.");
}
const kdfConfig = await this.kdfConfigService.getKdfConfig();
if (!kdfConfig) {
throw new Error("KDF config is required. Cannot verify user by master password.");
}
let masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
if (!masterKey) {
masterKey = await this.cryptoService.makeMasterKey(
verification.secret,
email,
await this.kdfConfigService.getKdfConfig(),
);
masterKey = await this.cryptoService.makeMasterKey(verification.secret, email, kdfConfig);
}
const passwordValid = await this.cryptoService.compareAndUpdateKeyHash(
if (!masterKey) {
throw new Error("Master key could not be created to verify the master password.");
}
let policyOptions: MasterPasswordPolicyResponse | null;
// Client-side verification
if (await this.hasMasterPasswordAndMasterKeyHash(userId)) {
const passwordValid = await this.cryptoService.compareAndUpdateKeyHash(
verification.secret,
masterKey,
);
if (!passwordValid) {
throw new Error(this.i18nService.t("invalidMasterPassword"));
}
policyOptions = null;
} else {
// Server-side verification
const request = new SecretVerificationRequest();
const serverKeyHash = await this.cryptoService.hashMasterKey(
verification.secret,
masterKey,
HashPurpose.ServerAuthorization,
);
request.masterPasswordHash = serverKeyHash;
try {
policyOptions = await this.userVerificationApiService.postAccountVerifyPassword(request);
} catch (e) {
throw new Error(this.i18nService.t("invalidMasterPassword"));
}
}
const localKeyHash = await this.cryptoService.hashMasterKey(
verification.secret,
masterKey,
HashPurpose.LocalAuthorization,
);
if (!passwordValid) {
throw new Error(this.i18nService.t("invalidMasterPassword"));
}
// TODO: we should re-evaluate later on if user verification should have the side effect of modifying state. Probably not.
await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
await this.masterPasswordService.setMasterKey(masterKey, userId);
return true;
return { policyOptions, masterKey };
}
private async verifyUserByPIN(verification: PinVerification, userId: UserId): Promise<boolean> {
@@ -236,13 +264,6 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
await this.userVerificationApiService.postAccountRequestOTP();
}
/**
* Check if user has master password or can only use passwordless technologies to log in
* Note: This only checks the server, not the local state
* @param userId The user id to check. If not provided, the current user is used
* @returns True if the user has a master password
* @deprecated Use UserDecryptionOptionsService.hasMasterPassword$ instead
*/
async hasMasterPassword(userId?: string): Promise<boolean> {
if (userId) {
const decryptionOptions = await firstValueFrom(

7
libs/common/src/auth/types/verification.ts
View File

@@ -1,4 +1,6 @@
import { MasterKey } from "../../types/key";
import { VerificationType } from "../enums/verification-type";
import { MasterPasswordPolicyResponse } from "../models/response/master-password-policy.response";
export type OtpVerification = { type: VerificationType.OTP; secret: string };
export type MasterPasswordVerification = { type: VerificationType.MasterPassword; secret: string };
@@ -17,3 +19,8 @@ export function verificationHasSecret(
}
export type ServerSideVerification = OtpVerification | MasterPasswordVerification;
export type MasterPasswordVerificationResponse = {
masterKey: MasterKey;
policyOptions: MasterPasswordPolicyResponse;
};

5
libs/common/src/billing/abstractions/billilng-api.service.abstraction.ts
View File

@@ -2,6 +2,7 @@ import { PaymentMethodType } from "@bitwarden/common/billing/enums";
import { ExpandedTaxInfoUpdateRequest } from "@bitwarden/common/billing/models/request/expanded-tax-info-update.request";
import { TokenizedPaymentMethodRequest } from "@bitwarden/common/billing/models/request/tokenized-payment-method.request";
import { VerifyBankAccountRequest } from "@bitwarden/common/billing/models/request/verify-bank-account.request";
import { InvoicesResponse } from "@bitwarden/common/billing/models/response/invoices.response";
import { PaymentInformationResponse } from "@bitwarden/common/billing/models/response/payment-information.response";
import { SubscriptionCancellationRequest } from "../../billing/models/request/subscription-cancellation.request";
@@ -41,6 +42,10 @@ export abstract class BillingApiServiceAbstraction {
getPlans: () => Promise<ListResponse<PlanResponse>>;
getProviderClientInvoiceReport: (providerId: string, invoiceId: string) => Promise<string>;
getProviderInvoices: (providerId: string) => Promise<InvoicesResponse>;
getProviderPaymentInformation: (providerId: string) => Promise<PaymentInformationResponse>;
getProviderSubscription: (providerId: string) => Promise<ProviderSubscriptionResponse>;

1
libs/common/src/billing/enums/index.ts
View File

@@ -3,3 +3,4 @@ export * from "./plan-sponsorship-type.enum";
export * from "./plan-type.enum";
export * from "./transaction-type.enum";
export * from "./bitwarden-product-type.enum";
export * from "./product-tier-type.enum";

2
libs/common/src/enums/product-type.enum.ts → libs/common/src/billing/enums/product-tier-type.enum.ts
View File

@@ -1,4 +1,4 @@
export enum ProductType {
export enum ProductTierType {
Free = 0,
Families = 1,
Teams = 2,

4
libs/common/src/billing/enums/product-type.enum.ts Normal file
View File

@@ -0,0 +1,4 @@
export enum ProductType {
PasswordManager = 0,
SecretsManager = 1,
}

34
libs/common/src/billing/models/response/invoices.response.ts Normal file
View File

@@ -0,0 +1,34 @@
import { BaseResponse } from "@bitwarden/common/models/response/base.response";
export class InvoicesResponse extends BaseResponse {
invoices: InvoiceResponse[] = [];
constructor(response: any) {
super(response);
const invoices = this.getResponseProperty("Invoices");
if (invoices && invoices.length) {
this.invoices = invoices.map((t: any) => new InvoiceResponse(t));
}
}
}
export class InvoiceResponse extends BaseResponse {
id: string;
date: string;
number: string;
total: number;
status: string;
url: string;
pdfUrl: string;
constructor(response: any) {
super(response);
this.id = this.getResponseProperty("Id");
this.date = this.getResponseProperty("Date");
this.number = this.getResponseProperty("Number");
this.total = this.getResponseProperty("Total");
this.status = this.getResponseProperty("Status");
this.url = this.getResponseProperty("Url");
this.pdfUrl = this.getResponseProperty("PdfUrl");
}
}

7
libs/common/src/billing/models/response/plan.response.ts
View File

@@ -1,10 +1,9 @@
import { ProductType } from "../../../enums";
import { ProductTierType, PlanType } from "../../../billing/enums";
import { BaseResponse } from "../../../models/response/base.response";
import { PlanType } from "../../enums";
export class PlanResponse extends BaseResponse {
type: PlanType;
product: ProductType;
productTier: ProductTierType;
name: string;
isAnnual: boolean;
nameLocalizationKey: string;
@@ -32,7 +31,7 @@ export class PlanResponse extends BaseResponse {
constructor(response: any) {
super(response);
this.type = this.getResponseProperty("Type");
this.product = this.getResponseProperty("Product");
this.productTier = this.getResponseProperty("ProductTier");
this.name = this.getResponseProperty("Name");
this.isAnnual = this.getResponseProperty("IsAnnual");
this.nameLocalizationKey = this.getResponseProperty("NameLocalizationKey");

24
libs/common/src/billing/services/billing-api.service.ts
View File

@@ -1,3 +1,5 @@
import { InvoicesResponse } from "@bitwarden/common/billing/models/response/invoices.response";
import { ApiService } from "../../abstractions/api.service";
import { BillingApiServiceAbstraction } from "../../billing/abstractions";
import { PaymentMethodType } from "../../billing/enums";
@@ -106,6 +108,28 @@ export class BillingApiService implements BillingApiServiceAbstraction {
return new ListResponse(r, PlanResponse);
}
async getProviderClientInvoiceReport(providerId: string, invoiceId: string): Promise<string> {
const response = await this.apiService.send(
"GET",
"/providers/" + providerId + "/billing/invoices/" + invoiceId,
null,
true,
true,
);
return response as string;
}
async getProviderInvoices(providerId: string): Promise<InvoicesResponse> {
const response = await this.apiService.send(
"GET",
"/providers/" + providerId + "/billing/invoices",
null,
true,
true,
);
return new InvoicesResponse(response);
}
async getProviderPaymentInformation(providerId: string): Promise<PaymentInformationResponse> {
const response = await this.apiService.send(
"GET",

2
libs/common/src/enums/feature-flag.enum.ts
View File

@@ -17,6 +17,7 @@ export enum FeatureFlag {
RestrictProviderAccess = "restrict-provider-access",
UseTreeWalkerApiForPageDetailsCollection = "use-tree-walker-api-for-page-details-collection",
BulkDeviceApproval = "bulk-device-approval",
EmailVerification = "email-verification",
UseBasicInlineMenuFieldQualification = "use-basic-inline-menu-field-qualification",
}
@@ -45,6 +46,7 @@ export const DefaultFeatureFlagValue = {
[FeatureFlag.RestrictProviderAccess]: FALSE,
[FeatureFlag.UseTreeWalkerApiForPageDetailsCollection]: FALSE,
[FeatureFlag.BulkDeviceApproval]: FALSE,
[FeatureFlag.EmailVerification]: FALSE,
[FeatureFlag.UseBasicInlineMenuFieldQualification]: FALSE,
} satisfies Record<FeatureFlag, AllowedFeatureFlagTypes>;

1
libs/common/src/enums/index.ts
View File

@@ -6,4 +6,3 @@ export * from "./http-status-code.enum";
export * from "./integration-type.enum";
export * from "./native-messaging-version.enum";
export * from "./notification-type.enum";
export * from "./product-type.enum";

10
libs/common/src/services/api.service.ts
View File

@@ -70,7 +70,6 @@ import { IdentityCaptchaResponse } from "../auth/models/response/identity-captch
import { IdentityTokenResponse } from "../auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "../auth/models/response/identity-two-factor.response";
import { KeyConnectorUserKeyResponse } from "../auth/models/response/key-connector-user-key.response";
import { MasterPasswordPolicyResponse } from "../auth/models/response/master-password-policy.response";
import { PreloginResponse } from "../auth/models/response/prelogin.response";
import { RegisterResponse } from "../auth/models/response/register.response";
import { SsoPreValidateResponse } from "../auth/models/response/sso-pre-validate.response";
@@ -424,12 +423,6 @@ export class ApiService implements ApiServiceAbstraction {
return this.send("POST", "/accounts/verify-email-token", request, false, false);
}
postAccountVerifyPassword(
request: SecretVerificationRequest,
): Promise<MasterPasswordPolicyResponse> {
return this.send("POST", "/accounts/verify-password", request, true, true);
}
postAccountRecoverDelete(request: DeleteRecoverRequest): Promise<any> {
return this.send("POST", "/accounts/delete-recover", request, false, false);
}
@@ -1883,9 +1876,12 @@ export class ApiService implements ApiServiceAbstraction {
const responseType = response.headers.get("content-type");
const responseIsJson = responseType != null && responseType.indexOf("application/json") !== -1;
const responseIsCsv = responseType != null && responseType.indexOf("text/csv") !== -1;
if (hasResponse && response.status === 200 && responseIsJson) {
const responseJson = await response.json();
return responseJson;
} else if (hasResponse && response.status === 200 && responseIsCsv) {
return await response.text();
} else if (response.status !== 200) {
const error = await this.handleError(response, false, authed);
return Promise.reject(error);

2
libs/common/src/tools/generator/passphrase/passphrase-generator-strategy.ts
View File

@@ -51,7 +51,7 @@ export class PassphraseGeneratorStrategy
// select which word gets the number, if any
let luckyNumber = -1;
if (o.includeNumber) {
luckyNumber = await this.randomizer.uniform(0, o.numWords);
luckyNumber = await this.randomizer.uniform(0, o.numWords - 1);
}
// generate the passphrase