From 509af7b7bd1be178da7e9348032890ed383d9462 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Thu, 5 Jun 2025 18:52:48 +0200
Subject: [PATCH] [PM-20235] Disable login with device masterpasswordhash flow (#14236)
* Disable login with device masterpasswordhash flow
* Remove old test
* Fix tests
* Undo changes to cargo lock
---
 .../auth-request/auth-request.service.spec.ts | 56 -------------------
 .../auth-request/auth-request.service.ts | 38 ++++---------
 2 files changed, 11 insertions(+), 83 deletions(-)
diff --git a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
index 0d2df969f8..c3d6f78f3c 100644
--- a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
@@ -105,23 +105,6 @@ describe("AuthRequestService", () => {
 );
 });
- it("should use the master key and hash if they exist", async () => {
- masterPasswordService.masterKeySubject.next(
- new SymmetricCryptoKey(new Uint8Array(32)) as MasterKey,
- );
- masterPasswordService.masterKeyHashSubject.next("MASTER_KEY_HASH");
-
- await sut.approveOrDenyAuthRequest(
- true,
- new AuthRequestResponse({ id: "123", publicKey: "KEY" }),
- );
-
- expect(encryptService.encapsulateKeyUnsigned).toHaveBeenCalledWith(
- new SymmetricCryptoKey(new Uint8Array(32)),
- expect.anything(),
- );
- });
-
 it("should use the user key if the master key and hash do not exist", async () => {
 keyService.getUserKey.mockResolvedValueOnce(
 new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
@@ -246,45 +229,6 @@ describe("AuthRequestService", () => {
 });
 });
- describe("decryptAuthReqPubKeyEncryptedMasterKeyAndHash", () => {
- it("returns a decrypted master key and hash when given a valid public key encrypted master key, public key encrypted master key hash, and an auth req private key", async () => {
- // Arrange
- const mockPubKeyEncryptedMasterKey = "pubKeyEncryptedMasterKey";
- const mockPubKeyEncryptedMasterKeyHash = "pubKeyEncryptedMasterKeyHash";
-
- const mockDecryptedMasterKeyBytes = new Uint8Array(64);
- const mockDecryptedMasterKey = new SymmetricCryptoKey(
- mockDecryptedMasterKeyBytes,
- ) as MasterKey;
- const mockDecryptedMasterKeyHashBytes = new Uint8Array(64);
- const mockDecryptedMasterKeyHash = Utils.fromBufferToUtf8(mockDecryptedMasterKeyHashBytes);
-
- encryptService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedMasterKeyHashBytes);
- encryptService.decapsulateKeyUnsigned.mockResolvedValueOnce(
- new SymmetricCryptoKey(mockDecryptedMasterKeyBytes),
- );
-
- // Act
- const result = await sut.decryptPubKeyEncryptedMasterKeyAndHash(
- mockPubKeyEncryptedMasterKey,
- mockPubKeyEncryptedMasterKeyHash,
- mockPrivateKey,
- );
-
- // Assert
- expect(encryptService.decapsulateKeyUnsigned).toHaveBeenCalledWith(
- new EncString(mockPubKeyEncryptedMasterKey),
- mockPrivateKey,
- );
- expect(encryptService.rsaDecrypt).toHaveBeenCalledWith(
- new EncString(mockPubKeyEncryptedMasterKeyHash),
- mockPrivateKey,
- );
- expect(result.masterKey).toEqual(mockDecryptedMasterKey);
- expect(result.masterKeyHash).toEqual(mockDecryptedMasterKeyHash);
- });
- });
-
 describe("getFingerprintPhrase", () => {
 it("returns the same fingerprint regardless of email casing", () => {
 const email = "test@email.com";
diff --git a/libs/auth/src/common/services/auth-request/auth-request.service.ts b/libs/auth/src/common/services/auth-request/auth-request.service.ts
index 226403d9c8..fca68b76bb 100644
--- a/libs/auth/src/common/services/auth-request/auth-request.service.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.ts
@@ -103,32 +103,12 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
 }
 const pubKey = Utils.fromB64ToArray(authRequest.publicKey);
- const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
- const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
- const masterKeyHash = await firstValueFrom(this.masterPasswordService.masterKeyHash$(userId));
- let encryptedMasterKeyHash;
- let keyToEncrypt;
-
- if (masterKey && masterKeyHash) {
- // Only encrypt the master password hash if masterKey exists as
- // we won't have a masterKeyHash without a masterKey
- encryptedMasterKeyHash = await this.encryptService.rsaEncrypt(
- Utils.fromUtf8ToArray(masterKeyHash),
- pubKey,
- );
- keyToEncrypt = masterKey;
- } else {
- keyToEncrypt = await this.keyService.getUserKey();
- }
-
- const encryptedKey = await this.encryptService.encapsulateKeyUnsigned(
- keyToEncrypt as SymmetricCryptoKey,
- pubKey,
- );
+ const keyToEncrypt = await this.keyService.getUserKey();
+ const encryptedKey = await this.encryptService.encapsulateKeyUnsigned(keyToEncrypt, pubKey);
 const response = new PasswordlessAuthRequest(
 encryptedKey.encryptedString,
- encryptedMasterKeyHash?.encryptedString,
+ undefined,
 await this.appIdService.getAppId(),
 approve,
 );
@@ -173,10 +153,12 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
 pubKeyEncryptedUserKey: string,
 privateKey: Uint8Array,
 ): Promise {
- return (await this.encryptService.decapsulateKeyUnsigned(
+ const decryptedUserKey = await this.encryptService.decapsulateKeyUnsigned(
 new EncString(pubKeyEncryptedUserKey),
 privateKey,
- )) as UserKey;
+ );
+
+ return decryptedUserKey as UserKey;
 }
 async decryptPubKeyEncryptedMasterKeyAndHash(
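Review bot: In `approveOrDenyAuthRequest`, the user key is wrapped to the requester's public key and placed in the `PasswordlessAuthRequest` before `approve` is consulted, so as far as this hunk shows a denial still sends key material encapsulated for the requesting device. Consider encapsulating only on approval, e.g. `const encryptedKey = approve ? await this.encryptService.encapsulateKeyUnsigned(keyToEncrypt, pubKey) : undefined;` and passing `encryptedKey?.encryptedString`, provided the request model accepts an absent key. The new `getUserKey()` call also drops the explicit `userId` lookup the old code performed and has no null check, so a guard such as `if (keyToEncrypt == null) { throw new Error("User key is not available"); }` before encapsulation would fail closed when no user key is available. The method body starts above the hunk, so an earlier branch on `approve` cannot be ruled out.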
@@ -184,15 +166,17 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
 pubKeyEncryptedMasterKeyHash: string,
 privateKey: Uint8Array,
 ): Promise<{ masterKey: MasterKey; masterKeyHash: string }> {
- const masterKey = (await this.encryptService.decapsulateKeyUnsigned(
+ const decryptedMasterKeyArrayBuffer = await this.encryptService.rsaDecrypt(
 new EncString(pubKeyEncryptedMasterKey),
 privateKey,
- )) as MasterKey;
+ );
 const decryptedMasterKeyHashArrayBuffer = await this.encryptService.rsaDecrypt(
 new EncString(pubKeyEncryptedMasterKeyHash),
 privateKey,
 );
+
+ const masterKey = new SymmetricCryptoKey(decryptedMasterKeyArrayBuffer) as MasterKey;
 const masterKeyHash = Utils.fromBufferToUtf8(decryptedMasterKeyHashArrayBuffer);
 return {
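Review bot: `decryptPubKeyEncryptedMasterKeyAndHash` is rewritten here to build the master key from raw `rsaDecrypt` output, yet this same commit deletes the method's only visible test (the `decryptAuthReqPubKeyEncryptedMasterKeyAndHash` block in the spec), so the new path ships without coverage. If the method is kept only for responses from older approving clients, say so with a TSDoc `@deprecated` tag and keep one test asserting that `rsaDecrypt` is called for both ciphertexts. Updated approvers now send `undefined` for the hash, so a guard such as `if (!pubKeyEncryptedMasterKey || !pubKeyEncryptedMasterKeyHash) { throw new Error("Master key and hash are required"); }` ahead of the `new EncString(...)` calls would reject such responses explicitly. Whether `SymmetricCryptoKey` validates the length of the decrypted bytes is not visible here, and the method's signature and return statement extend outside the hunk.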