Merge remote-tracking branch 'origin' into auth/pm-18720/change-password-component-non-dialog-v3

libs/angular/src/auth/guards/lock.guard.spec.ts

@@ -44,7 +44,7 @@ describe("lockGuard", () => {
 
     const keyService: MockProxy<KeyService> = mock<KeyService>();
     keyService.isLegacyUser.mockResolvedValue(setupParams.isLegacyUser);
-    keyService.everHadUserKey$ = of(setupParams.everHadUserKey);
+    keyService.everHadUserKey$.mockReturnValue(of(setupParams.everHadUserKey));
 
     const platformUtilService: MockProxy<PlatformUtilsService> = mock<PlatformUtilsService>();
     platformUtilService.getClientType.mockReturnValue(setupParams.clientType);

libs/angular/src/auth/guards/lock.guard.ts

@@ -84,7 +84,7 @@ export function lockGuard(): CanActivateFn {
     }
 
     // If authN user with TDE directly navigates to lock, reject that navigation
-    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$);
+    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$(activeUser.id));
     if (tdeEnabled && !everHadUserKey) {
       return false;
     }

libs/angular/src/auth/guards/redirect.guard.ts

@@ -2,8 +2,10 @@ import { inject } from "@angular/core";
 import { CanActivateFn, Router } from "@angular/router";
 import { firstValueFrom } from "rxjs";
 
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { KeyService } from "@bitwarden/key-management";
@@ -33,6 +35,7 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
     const authService = inject(AuthService);
     const keyService = inject(KeyService);
     const deviceTrustService = inject(DeviceTrustServiceAbstraction);
+    const accountService = inject(AccountService);
     const logService = inject(LogService);
     const router = inject(Router);
 
@@ -49,7 +52,8 @@ export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActiv
     // If locked, TDE is enabled, and the user hasn't decrypted yet, then redirect to the
     // login decryption options component.
     const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
-    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$);
+    const userId = await firstValueFrom(accountService.activeAccount$.pipe(getUserId));
+    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$(userId));
     if (authStatus === AuthenticationStatus.Locked && tdeEnabled && !everHadUserKey) {
       logService.info(
         "Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",

libs/angular/src/auth/guards/tde-decryption-required.guard.spec.ts

@@ -0,0 +1,107 @@
+import { TestBed } from "@angular/core/testing";
+import { Router, provideRouter } from "@angular/router";
+import { mock } from "jest-mock-extended";
+import { BehaviorSubject, of } from "rxjs";
+
+import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.guard.spec";
+import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { UserId } from "@bitwarden/common/types/guid";
+import { KeyService } from "@bitwarden/key-management";
+
+import { tdeDecryptionRequiredGuard } from "./tde-decryption-required.guard";
+
+describe("tdeDecryptionRequiredGuard", () => {
+  const activeUser: Account = {
+    id: "fake_user_id" as UserId,
+    email: "test@email.com",
+    emailVerified: true,
+    name: "Test User",
+  };
+
+  const setup = (
+    activeUser: Account | null,
+    authStatus: AuthenticationStatus | null = null,
+    tdeEnabled: boolean = false,
+    everHadUserKey: boolean = false,
+  ) => {
+    const accountService = mock<AccountService>();
+    const authService = mock<AuthService>();
+    const keyService = mock<KeyService>();
+    const deviceTrustService = mock<DeviceTrustServiceAbstraction>();
+    const logService = mock<LogService>();
+
+    accountService.activeAccount$ = new BehaviorSubject<Account | null>(activeUser);
+    if (authStatus !== null) {
+      authService.getAuthStatus.mockResolvedValue(authStatus);
+    }
+    keyService.everHadUserKey$.mockReturnValue(of(everHadUserKey));
+    deviceTrustService.supportsDeviceTrust$ = of(tdeEnabled);
+
+    const testBed = TestBed.configureTestingModule({
+      providers: [
+        { provide: AccountService, useValue: accountService },
+        { provide: AuthService, useValue: authService },
+        { provide: KeyService, useValue: keyService },
+        { provide: DeviceTrustServiceAbstraction, useValue: deviceTrustService },
+        { provide: LogService, useValue: logService },
+        provideRouter([
+          { path: "", component: EmptyComponent },
+          {
+            path: "protected-route",
+            component: EmptyComponent,
+            canActivate: [tdeDecryptionRequiredGuard()],
+          },
+        ]),
+      ],
+    });
+
+    return {
+      router: testBed.inject(Router),
+    };
+  };
+
+  it("redirects to root when the active account is null", async () => {
+    const { router } = setup(null, null);
+    await router.navigate(["protected-route"]);
+    expect(router.url).toBe("/");
+  });
+
+  test.each([AuthenticationStatus.Unlocked, AuthenticationStatus.LoggedOut])(
+    "redirects to root when the user isn't locked",
+    async (authStatus) => {
+      const { router } = setup(activeUser, authStatus);
+
+      await router.navigate(["protected-route"]);
+
+      expect(router.url).toBe("/");
+    },
+  );
+
+  it("redirects to root when TDE is not enabled", async () => {
+    const { router } = setup(activeUser, AuthenticationStatus.Locked, false, true);
+
+    await router.navigate(["protected-route"]);
+
+    expect(router.url).toBe("/");
+  });
+
+  it("redirects to root when user has had a user key", async () => {
+    const { router } = setup(activeUser, AuthenticationStatus.Locked, true, true);
+
+    await router.navigate(["protected-route"]);
+
+    expect(router.url).toBe("/");
+  });
+
+  it("allows access when user is locked, TDE is enabled, and user has never had a user key", async () => {
+    const { router } = setup(activeUser, AuthenticationStatus.Locked, true, false);
+
+    const result = await router.navigate(["protected-route"]);
+    expect(result).toBe(true);
+    expect(router.url).toBe("/protected-route");
+  });
+});

libs/angular/src/auth/guards/tde-decryption-required.guard.ts

@@ -5,8 +5,9 @@ import {
   RouterStateSnapshot,
   CanActivateFn,
 } from "@angular/router";
-import { firstValueFrom } from "rxjs";
+import { firstValueFrom, map } from "rxjs";
 
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
@@ -24,12 +25,18 @@ export function tdeDecryptionRequiredGuard(): CanActivateFn {
     const authService = inject(AuthService);
     const keyService = inject(KeyService);
     const deviceTrustService = inject(DeviceTrustServiceAbstraction);
+    const accountService = inject(AccountService);
     const logService = inject(LogService);
     const router = inject(Router);
 
+    const userId = await firstValueFrom(accountService.activeAccount$.pipe(map((a) => a?.id)));
+    if (userId == null) {
+      return router.createUrlTree(["/"]);
+    }
+
     const authStatus = await authService.getAuthStatus();
     const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
-    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$);
+    const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$(userId));
 
     // We need to determine if we should bypass the decryption options and send the user to the vault.
     // The ONLY time that we want to send a user to the decryption options is when:

libs/angular/src/auth/guards/unauth.guard.spec.ts

@@ -2,7 +2,7 @@ import { TestBed } from "@angular/core/testing";
 import { Router } from "@angular/router";
 import { RouterTestingModule } from "@angular/router/testing";
 import { MockProxy, mock } from "jest-mock-extended";
-import { BehaviorSubject } from "rxjs";
+import { BehaviorSubject, of } from "rxjs";
 
 import { EmptyComponent } from "@bitwarden/angular/platform/guard/feature-flag.guard.spec";
 import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service";
@@ -43,7 +43,7 @@ describe("UnauthGuard", () => {
       authService.authStatusFor$.mockReturnValue(activeAccountStatusObservable);
     }
 
-    keyService.everHadUserKey$ = new BehaviorSubject<boolean>(everHadUserKey);
+    keyService.everHadUserKey$.mockReturnValue(of(everHadUserKey));
     deviceTrustService.supportsDeviceTrustByUserId$.mockReturnValue(
       new BehaviorSubject<boolean>(tdeEnabled),
     );

libs/angular/src/auth/guards/unauth.guard.ts

@@ -50,7 +50,7 @@ async function unauthGuard(
   const tdeEnabled = await firstValueFrom(
     deviceTrustService.supportsDeviceTrustByUserId$(activeUser.id),
   );
-  const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$);
+  const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$(activeUser.id));
 
   // If locked, TDE is enabled, and the user hasn't decrypted yet, then redirect to the
   // login decryption options component.

libs/angular/src/platform/view-cache/README.md

@@ -43,12 +43,9 @@ on any component.
 The persistence layer ensures that the popup will open at the same route as was active when it
 closed, provided that none of the lifetime expiration events have occurred.
 
-:::tip Excluding a route
-
-If a particular route should be excluded from the history and not persisted, add
-`doNotSaveUrl: true` to the `data` property on the route.
-
-:::
+> [!TIP]
+> If a particular route should be excluded from the history and not persisted, add
+> `doNotSaveUrl: true` to the `data` property on the route.
 
 ### View data persistence
 
@@ -85,13 +82,10 @@ const mySignal = this.viewCacheService.signal({
 mySignal.set("value")
 ```
 
-:::note Equality comparison
-
-By default, signals use `Object.is` to determine equality, and `set()` will only trigger updates if
-the updated value is not equal to the current signal state. See documentation
-[here](https://angular.dev/guide/signals#signal-equality-functions).
-
-:::
+> [!NOTE]
+> By default, signals use `Object.is` to determine equality, and `set()` will only trigger updates if
+> the updated value is not equal to the current signal state. See documentation
+> [here](https://angular.dev/guide/signals#signal-equality-functions).
 
 Putting this together, the most common implementation pattern would be:
 

libs/angular/src/vault/components/add-edit.component.ts

@@ -26,11 +26,13 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { SdkService } from "@bitwarden/common/platform/abstractions/sdk/sdk.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { CollectionId, UserId } from "@bitwarden/common/types/guid";
-import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import {
+  CipherService,
+  EncryptionContext,
+} from "@bitwarden/common/vault/abstractions/cipher.service";
 import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
 import { CipherType, SecureNoteType } from "@bitwarden/common/vault/enums";
 import { CipherRepromptType } from "@bitwarden/common/vault/enums/cipher-reprompt-type";
-import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { CardView } from "@bitwarden/common/vault/models/view/card.view";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
@@ -740,17 +742,17 @@ export class AddEditComponent implements OnInit, OnDestroy {
     return this.cipherService.encrypt(this.cipher, userId);
   }
 
-  protected saveCipher(cipher: Cipher) {
+  protected saveCipher(data: EncryptionContext) {
     let orgAdmin = this.organization?.canEditAllCiphers;
 
     // if a cipher is unassigned we want to check if they are an admin or have permission to edit any collection
-    if (!cipher.collectionIds) {
+    if (!data.cipher.collectionIds) {
       orgAdmin = this.organization?.canEditUnassignedCiphers;
     }
 
     return this.cipher.id == null
-      ? this.cipherService.createWithServer(cipher, orgAdmin)
-      : this.cipherService.updateWithServer(cipher, orgAdmin);
+      ? this.cipherService.createWithServer(data, orgAdmin)
+      : this.cipherService.updateWithServer(data, orgAdmin);
   }
 
   protected deleteCipher(userId: UserId) {