Auth/PM-7467- Fix Refresh token issues (#8757)

* PM-7467 - Login Strategy bug - VaultTimeoutSettings will be undefined before the account is activated unless you pass in user ids to retrieve the data. This resulted in refresh tokens always being set into secure storage regardless of a user's vault timeout settings (logout should translate to memory) * PM-7467 - TokenSvc - Fix bug in getRefreshToken which would retrieve the user's refresh token from secure storage even if the user had changed their vault timeout setting to log out which moved the refresh token into memory. Includes a migration to remove the no longer required REFRESH_TOKEN_MIGRATED_TO_SECURE_STORAGE state provider flag. * PM-7467 - Per PR feedback, use IRREVERSIBLE for rollback. Co-authored-by: Jake Fink <jfink@bitwarden.com> * PM-7467 - fix tests * PM-7467 - Fix migrator based on PR feedback. * PM-7467 - Bump migration version --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-12-15 07:43:35 +00:00 · 2024-04-16 14:05:47 -04:00
parent cbb7e1840d
commit 51a6b34cc2
8 changed files with 125 additions and 67 deletions
--- a/libs/common/src/state-migrations/migrations/58-remove-refresh-token-migrated-state-provider-flag.ts
+++ b/libs/common/src/state-migrations/migrations/58-remove-refresh-token-migrated-state-provider-flag.ts
@@ -0,0 +1,34 @@
+import { KeyDefinitionLike, MigrationHelper } from "../migration-helper";
+import { IRREVERSIBLE, Migrator } from "../migrator";
+
+type ExpectedAccountType = NonNullable<unknown>;
+
+export const REFRESH_TOKEN_MIGRATED_TO_SECURE_STORAGE: KeyDefinitionLike = {
+  key: "refreshTokenMigratedToSecureStorage", // matches KeyDefinition.key in DeviceTrustCryptoService
+  stateDefinition: {
+    name: "token", // matches StateDefinition.name in StateDefinitions
+  },
+};
+
+export class RemoveRefreshTokenMigratedFlagMigrator extends Migrator<57, 58> {
+  async migrate(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+    async function migrateAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const refreshTokenMigratedFlag = await helper.getFromUser(
+        userId,
+        REFRESH_TOKEN_MIGRATED_TO_SECURE_STORAGE,
+      );
+
+      if (refreshTokenMigratedFlag != null) {
+        // Only delete the flag if it exists
+        await helper.removeFromUser(userId, REFRESH_TOKEN_MIGRATED_TO_SECURE_STORAGE);
+      }
+    }
+
+    await Promise.all([...accounts.map(({ userId, account }) => migrateAccount(userId, account))]);
+  }
+
+  async rollback(helper: MigrationHelper): Promise<void> {
+    throw IRREVERSIBLE;
+  }
+}