[PM-10059] alert server if device trust is lost (#10235)

* alert server if device trust is lost * add test * add tests for extra errors * fix build --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
2025-12-16 08:13:42 +00:00 · 2024-07-24 10:25:57 -04:00
parent 768b5393e9
commit 4c26ab5a9e
11 changed files with 109 additions and 3 deletions
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@@ -312,6 +312,27 @@ describe("SsoLoginStrategy", () => {
      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
    });

+    it("logs when a device key is found but no decryption keys were recieved in token response", async () => {
+      // Arrange
+      const userDecryptionOpts = userDecryptionOptsServerResponseWithTdeOption;
+      userDecryptionOpts.TrustedDeviceOption.EncryptedPrivateKey = null;
+      userDecryptionOpts.TrustedDeviceOption.EncryptedUserKey = null;
+
+      const idTokenResponse: IdentityTokenResponse = identityTokenResponseFactory(
+        null,
+        userDecryptionOpts,
+      );
+
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+      deviceTrustService.getDeviceKey.mockResolvedValue(mockDeviceKey);
+
+      // Act
+      await ssoLoginStrategy.logIn(credentials);
+
+      // Assert
+      expect(deviceTrustService.recordDeviceTrustLoss).toHaveBeenCalledTimes(1);
+    });
+
    describe("AdminAuthRequest", () => {
      let tokenResponse: IdentityTokenResponse;

--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@@ -296,16 +296,20 @@ export class SsoLoginStrategy extends LoginStrategy {

    if (!deviceKey || !encDevicePrivateKey || !encUserKey) {
      if (!deviceKey) {
-        await this.logService.warning("Unable to set user key due to missing device key.");
+        this.logService.warning("Unable to set user key due to missing device key.");
+      } else if (!encDevicePrivateKey || !encUserKey) {
+        // Tell the server that we have a device key, but received no decryption keys
+        await this.deviceTrustService.recordDeviceTrustLoss();
      }
      if (!encDevicePrivateKey) {
-        await this.logService.warning(
+        this.logService.warning(
          "Unable to set user key due to missing encrypted device private key.",
        );
      }
      if (!encUserKey) {
-        await this.logService.warning("Unable to set user key due to missing encrypted user key.");
+        this.logService.warning("Unable to set user key due to missing encrypted user key.");
      }
+
      return;
    }