mirror of
https://github.com/bitwarden/browser
synced 2025-12-14 23:33:31 +00:00
PM-3444 - TDE - Admin Acct Recovery should prompt users to change MP for non MP decryption flows (#6109)
* PM-3444 - SSO Login Strategy - Should setForcePasswordResetReason if server sends it down so that the auth.guard can direct the user accordingly after decryption
* PM-3444 - (1) Sso Comp - Adjust force password reset logic to handle the only scenario that can occur here - admin acct recovery - not weak mp (can't evaluate as user won't have entered it yet) (2) Add comments explaining the scenarios + update tests.
* PM-3444 - Update SSO Login strategy to only check for ForceResetPasswordReason.AdminForcePasswordReset as that's the only scenario that can happen here.
* PM-3444 - Finish updating tests to pass
* PM-3444 - Resolve PR feedback by updating ForceResetPasswordReason comments
@@ -1,3 +1,7 @@
|
||||
/*
|
||||
* This enum is used to determine if a user should be forced to reset their password
|
||||
* on login (server flag) or unlock via MP (client evaluation).
|
||||
*/
|
||||
export enum ForceResetPasswordReason {
|
||||
/**
|
||||
* A password reset should not be forced.
|
||||
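Review bot: The new header comment above `export enum ForceResetPasswordReason` opens with `/*` while the member comments in the same file open with `/**`, so editors and doc tooling will not attach it to the enum. Suggest switching it to `/**` and spelling out "MP" as "master password" on first use, since this comment is where a reader learns that one value is a server flag and the other a client-side evaluation.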
@@ -6,12 +10,14 @@ export enum ForceResetPasswordReason {
|
||||
|
||||
/**
|
||||
* Occurs when an organization admin forces a user to reset their password.
|
||||
* Communicated via server flag.
|
||||
*/
|
||||
AdminForcePasswordReset,
|
||||
|
||||
/**
|
||||
* Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
|
||||
* master password policy that is enforced on login/unlock.
|
||||
* Only set client side b/c server can't evaluate MP.
|
||||
*/
|
||||
WeakMasterPassword,
|
||||
}
|
||||
|
||||
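Review bot: The added line on `WeakMasterPassword`, "Only set client side b/c server can't evaluate MP.", states where the value is set but not when it can occur. The commit message says it cannot be evaluated in the SSO flow because the user has not entered a master password yet. Suggest saying that in the comment (for example, that this value is only produced in flows where the user types their master password) and writing "because" and "master password" in full, so callers in non-MP decryption flows know to expect only `AdminForcePasswordReset`.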