[PM-20235] Disable login with device masterpasswordhash flow (#14236)

* Disable login with device masterpasswordhash flow * Remove old test * Fix tests * Undo changes to cargo lock
2025-12-06 00:13:28 +00:00 · 2025-06-05 18:52:48 +02:00
parent 299976e55a
commit 509af7b7bd
2 changed files with 11 additions and 83 deletions
--- a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
@@ -105,23 +105,6 @@ describe("AuthRequestService", () => {
      );
    });
    it("should use the master key and hash if they exist", async () => {
      masterPasswordService.masterKeySubject.next(
        new SymmetricCryptoKey(new Uint8Array(32)) as MasterKey,
      );
      masterPasswordService.masterKeyHashSubject.next("MASTER_KEY_HASH");
      await sut.approveOrDenyAuthRequest(
        true,
        new AuthRequestResponse({ id: "123", publicKey: "KEY" }),
      );
      expect(encryptService.encapsulateKeyUnsigned).toHaveBeenCalledWith(
        new SymmetricCryptoKey(new Uint8Array(32)),
        expect.anything(),
      );
    });
    it("should use the user key if the master key and hash do not exist", async () => {
      keyService.getUserKey.mockResolvedValueOnce(
        new SymmetricCryptoKey(new Uint8Array(64)) as UserKey,
@@ -246,45 +229,6 @@ describe("AuthRequestService", () => {
    });
  });
  describe("decryptAuthReqPubKeyEncryptedMasterKeyAndHash", () => {
    it("returns a decrypted master key and hash when given a valid public key encrypted master key, public key encrypted master key hash, and an auth req private key", async () => {
      // Arrange
      const mockPubKeyEncryptedMasterKey = "pubKeyEncryptedMasterKey";
      const mockPubKeyEncryptedMasterKeyHash = "pubKeyEncryptedMasterKeyHash";
      const mockDecryptedMasterKeyBytes = new Uint8Array(64);
      const mockDecryptedMasterKey = new SymmetricCryptoKey(
        mockDecryptedMasterKeyBytes,
      ) as MasterKey;
      const mockDecryptedMasterKeyHashBytes = new Uint8Array(64);
      const mockDecryptedMasterKeyHash = Utils.fromBufferToUtf8(mockDecryptedMasterKeyHashBytes);
      encryptService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedMasterKeyHashBytes);
      encryptService.decapsulateKeyUnsigned.mockResolvedValueOnce(
        new SymmetricCryptoKey(mockDecryptedMasterKeyBytes),
      );
      // Act
      const result = await sut.decryptPubKeyEncryptedMasterKeyAndHash(
        mockPubKeyEncryptedMasterKey,
        mockPubKeyEncryptedMasterKeyHash,
        mockPrivateKey,
      );
      // Assert
      expect(encryptService.decapsulateKeyUnsigned).toHaveBeenCalledWith(
        new EncString(mockPubKeyEncryptedMasterKey),
        mockPrivateKey,
      );
      expect(encryptService.rsaDecrypt).toHaveBeenCalledWith(
        new EncString(mockPubKeyEncryptedMasterKeyHash),
        mockPrivateKey,
      );
      expect(result.masterKey).toEqual(mockDecryptedMasterKey);
      expect(result.masterKeyHash).toEqual(mockDecryptedMasterKeyHash);
    });
  });
  describe("getFingerprintPhrase", () => {
    it("returns the same fingerprint regardless of email casing", () => {
      const email = "test@email.com";
--- a/libs/auth/src/common/services/auth-request/auth-request.service.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.ts
@@ -103,32 +103,12 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
    }
    const pubKey = Utils.fromB64ToArray(authRequest.publicKey);
-    const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
+    const keyToEncrypt = await this.keyService.getUserKey();
-    const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
+    const encryptedKey = await this.encryptService.encapsulateKeyUnsigned(keyToEncrypt, pubKey);
    const masterKeyHash = await firstValueFrom(this.masterPasswordService.masterKeyHash$(userId));
    let encryptedMasterKeyHash;
    let keyToEncrypt;
    if (masterKey && masterKeyHash) {
      // Only encrypt the master password hash if masterKey exists as
      // we won't have a masterKeyHash without a masterKey
      encryptedMasterKeyHash = await this.encryptService.rsaEncrypt(
        Utils.fromUtf8ToArray(masterKeyHash),
        pubKey,
      );
      keyToEncrypt = masterKey;
    } else {
      keyToEncrypt = await this.keyService.getUserKey();
    }
    const encryptedKey = await this.encryptService.encapsulateKeyUnsigned(
      keyToEncrypt as SymmetricCryptoKey,
      pubKey,
    );
    const response = new PasswordlessAuthRequest(
      encryptedKey.encryptedString,
-      encryptedMasterKeyHash?.encryptedString,
+      undefined,
      await this.appIdService.getAppId(),
      approve,
    );
@@ -173,10 +153,12 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
    pubKeyEncryptedUserKey: string,
    privateKey: Uint8Array,
  ): Promise<UserKey> {
-    return (await this.encryptService.decapsulateKeyUnsigned(
+    const decryptedUserKey = await this.encryptService.decapsulateKeyUnsigned(
      new EncString(pubKeyEncryptedUserKey),
      privateKey,
-    )) as UserKey;
+    );
    return decryptedUserKey as UserKey;
  }
  async decryptPubKeyEncryptedMasterKeyAndHash(
@@ -184,15 +166,17 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
    pubKeyEncryptedMasterKeyHash: string,
    privateKey: Uint8Array,
  ): Promise<{ masterKey: MasterKey; masterKeyHash: string }> {
-    const masterKey = (await this.encryptService.decapsulateKeyUnsigned(
+    const decryptedMasterKeyArrayBuffer = await this.encryptService.rsaDecrypt(
      new EncString(pubKeyEncryptedMasterKey),
      privateKey,
-    )) as MasterKey;
+    );
    const decryptedMasterKeyHashArrayBuffer = await this.encryptService.rsaDecrypt(
      new EncString(pubKeyEncryptedMasterKeyHash),
      privateKey,
    );
    const masterKey = new SymmetricCryptoKey(decryptedMasterKeyArrayBuffer) as MasterKey;
    const masterKeyHash = Utils.fromBufferToUtf8(decryptedMasterKeyHashArrayBuffer);
    return {