[PM-27515] Fix 2fa settings not working after KDF change (#17070)

* Always derive authentication data fresh for UV * Cleanup * Add tests * Fix remote UV * Fix test * Fix test * Address feedback * Fix build * Update libs/common/src/auth/types/verification.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Remove unused var * Fix relative import * Fix types --------- Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2025-12-16 08:13:42 +00:00 · 2025-11-07 18:36:02 +01:00
parent 40ec682b78
commit 4f9ae78598
6 changed files with 159 additions and 42 deletions
--- a/libs/common/src/auth/services/user-verification/user-verification.service.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.ts
@@ -37,6 +37,7 @@ import {
  VerificationWithSecret,
  verificationHasSecret,
 } from "../../types/verification";
+import { getUserId } from "../account.service";

 /**
 * Used for general-purpose user verification throughout the app.
@@ -101,7 +102,6 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
  async buildRequest<T extends SecretVerificationRequest>(
    verification: ServerSideVerification,
    requestClass?: new () => T,
-    alreadyHashed?: boolean,
  ) {
    this.validateSecretInput(verification);

@@ -111,20 +111,17 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
    if (verification.type === VerificationType.OTP) {
      request.otp = verification.secret;
    } else {
-      const [userId, email] = await firstValueFrom(
-        this.accountService.activeAccount$.pipe(map((a) => [a?.id, a?.email])),
-      );
-      let masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
-      if (!masterKey && !alreadyHashed) {
-        masterKey = await this.keyService.makeMasterKey(
+      const userId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
+      const kdf = await this.kdfConfigService.getKdfConfig(userId as UserId);
+      const salt = await firstValueFrom(this.masterPasswordService.saltForUser$(userId as UserId));
+
+      const authenticationData =
+        await this.masterPasswordService.makeMasterPasswordAuthenticationData(
          verification.secret,
-          email,
-          await this.kdfConfigService.getKdfConfig(userId),
+          kdf,
+          salt,
        );
-      }
-      request.masterPasswordHash = alreadyHashed
-        ? verification.secret
-        : await this.keyService.hashMasterKey(verification.secret, masterKey);
+      request.authenticateWith(authenticationData);
    }

    return request;
@@ -239,7 +236,7 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
    );
    await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
    await this.masterPasswordService.setMasterKey(masterKey, userId);
-    return { policyOptions, masterKey, kdfConfig, email };
+    return { policyOptions, masterKey, email };
  }

  private async verifyUserByPIN(verification: PinVerification, userId: UserId): Promise<boolean> {