From 5967cf05394c8ef65c4a7c4cd6039e6d8a32b940 Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Tue, 2 Sep 2025 15:09:20 -0500
Subject: [PATCH] [PM-14571] At Risk Passwords - Badge Update (#15983)

* add exclamation badge for at risk passwords on tab

* add berry icon for the badge when pending tasks are present

* remove integration wtih autofill for pending task badge

* add ability to override Never match strategy
- This is helpful for non-autofill purposes but cipher matching is still needed. This will default to the domain.

* add at-risk-cipher badge updater service

* Revert "add exclamation badge for at risk passwords on tab"

This reverts commit a9643c03d5ff812a88d554b4a4bcb13f0d5444f0.

* remove nullish-coalescing

* ensure that all user related observables use the same user.id

---------

Co-authored-by: Shane Melton <smelton@bitwarden.com>
---
 .../browser/src/background/main.background.ts |  11 ++
 apps/browser/src/images/berry19.png           | Bin 0 -> 1702 bytes
 apps/browser/src/images/berry38.png           | Bin 0 -> 1244 bytes
 apps/browser/src/platform/badge/icon.ts       |   4 +
 ...-risk-cipher-badge-updater.service.spec.ts |  84 +++++++++
 .../at-risk-cipher-badge-updater.service.ts   | 163 ++++++++++++++++++
 .../src/vault/abstractions/cipher.service.ts  |   4 +
 .../vault/models/view/login-uri-view.spec.ts  |  27 +++
 .../src/vault/models/view/login-uri.view.ts   |   8 +
 .../src/vault/models/view/login.view.ts       |   6 +-
 .../src/vault/services/cipher.service.ts      |  11 +-
 .../src/vault/utils/cipher-view-like-utils.ts |  10 +-
 12 files changed, 324 insertions(+), 4 deletions(-)
 create mode 100644 apps/browser/src/images/berry19.png
 create mode 100644 apps/browser/src/images/berry38.png
 create mode 100644 apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.spec.ts
 create mode 100644 apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.ts

diff --git a/apps/browser/src/background/main.background.ts b/apps/browser/src/background/main.background.ts
index df29502edeb..75481dde8cf 100644
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -302,6 +302,7 @@ import { OffscreenStorageService } from "../platform/storage/offscreen-storage.s
 import { SyncServiceListener } from "../platform/sync/sync-service.listener";
 import { BrowserSystemNotificationService } from "../platform/system-notifications/browser-system-notification.service";
 import { fromChromeRuntimeMessaging } from "../platform/utils/from-chrome-runtime-messaging";
+import { AtRiskCipherBadgeUpdaterService } from "../vault/services/at-risk-cipher-badge-updater.service";
 
 import CommandsBackground from "./commands.background";
 import IdleBackground from "./idle.background";
@@ -433,6 +434,7 @@ export default class MainBackground {
   badgeService: BadgeService;
   authStatusBadgeUpdaterService: AuthStatusBadgeUpdaterService;
   autofillBadgeUpdaterService: AutofillBadgeUpdaterService;
+  atRiskCipherUpdaterService: AtRiskCipherBadgeUpdaterService;
 
   onUpdatedRan: boolean;
   onReplacedRan: boolean;
@@ -1838,6 +1840,14 @@ export default class MainBackground {
       this.logService,
     );
 
+    this.atRiskCipherUpdaterService = new AtRiskCipherBadgeUpdaterService(
+      this.badgeService,
+      this.accountService,
+      this.cipherService,
+      this.logService,
+      this.taskService,
+    );
+
     this.tabsBackground = new TabsBackground(
       this,
       this.notificationBackground,
@@ -1847,6 +1857,7 @@ export default class MainBackground {
     await this.overlayBackground.init();
     await this.tabsBackground.init();
     await this.autofillBadgeUpdaterService.init();
+    await this.atRiskCipherUpdaterService.init();
   }
 
   generatePassword = async (): Promise<string> => {
diff --git a/apps/browser/src/images/berry19.png b/apps/browser/src/images/berry19.png
new file mode 100644
index 0000000000000000000000000000000000000000..51deb3b8d68de97ce8521d376b2823eaecd12824
GIT binary patch
literal 1702
zcmeAS@N?(olHy`uVBq!ia0vp^!XV7S1|*9D%+3HQmUKs7M+SzC{oH>NS%G|oWRD<U
z28Jp%28M<f28Lfip@tU>45bDP46hOx7_4S6Fo+k-*%fF5lxRtf@J#ddWzYh$IT%<O
zg&3HDEJh$?V3cA2nFeGrcri-D*+GmNP&G^p4DFc=EKoI3KpF%*fEc6)LNhO5M3}gM
z39edr0W*RP(snu2b}5kJEbxddW?<k3dXih1kzv*x2?hoxgUpbKk_cZPtK|G#y~LFK
zq*T3%+yam;2Ac{iATu|$BvGLvHz%*ys=`(YtilS&1_|pcDS(xfWZNo5_y#CA=NF|a
znCThl87SFtDJUq|6s4qD1-ZCEwF7y!N*N_31y=g{<>lpi<;HsXMd|v6mX?<K21fcu
zM!G;1y2X`wC5aWfdBw^QLty5(q!uR^WfqiV=I1GZ%uP(nFD<cEQUX~72M~9rR%9Y<
z$}5I?3+O?8kc_^eo`F6#Z6%p$IJALeAlktGf>>t*GR!I<vm!Mo(j_xDHLn=xG&^Gp
z8?Y@H5(sx9X^g<75lI4FqjP>veo=5iVsfgTA=EA;AtcoxS6lfPWu^iH6clVA<rrd6
z^)~vTFhvSuNCbjKfiY;uWup&I4R%}+Pu^BAFfa#rx;Tbd2=<0}X9x$1*ygL9%#gmk
ztS)QqRkl?TE`Jm|lvc#<ELa%9^4d=zN<1vE;IZ4rutLQhAGcp<UGTuqQSgf17L5>|
zx>w8XSLgoSaxLxF3?HMJAMbFkT&z^}F!kM@-|uD?zqi%r+Vb-D{cEorudZS)mCp_3
zxjyx6ebmHvYKs|5%@cRFtF6<mS<0dza7pgfLXVOYQtq)KiYplFEN(Mi+Qz-~(+|Gp
zhYJoRa8=~C8{RhCzts5Ltp<ZxfiXh0KcCGm-MRD1jh&Thn<UlepGZ-ZydYY#?tbor
z&8@!e>}%^>770$x;Qincd%%qGvf;DyTuzVOG?w^o5@-lCZhs!@`GSXQiR(1)tS*D?
zcMi;1d8*>$O_!C9GHIgKx{s!B-dR(~XI^sc$p*Pz2HR$_YuD?Ul3KU~-um%<x7ONN
z_teBEMb&+p*0c*tPKF=lI?uFs!JMe2$)TS6=D(fI&}=I_*^BENcSPdn@5_(dJXV^R
z%55RDWa;#uT7S}2ztlfF|MmC2H~-l`tNwk{yk52EKg;9mTvnf+`~G^<`y#u`r1P&(
zypD&hM2Pj$8SKLBjtZH7TlXK4<l1~#_Hl_^N<d1+iJ-IJtBe<16I5JqTt{`1MsUTK
zW0Oq$PM9m@x7()(|9_QqUunVTKvuEyVFkx8zsQ-{`b?B-y_<%z<?p#yR-H20vZdBt
z-&ECBuvhfVVY677h;;=y{+5eu^*?TT$TRPa#p9p4cZ41IeLj6sE-(0W${<K&QAepz
zz=d}y8?v({&$Jho<XHB8S(_NKz1`OS;ND}uGUR+DJ{(IByg4`9`{9e$euLn?a&^_T
zkL%vq2|BL1<Z%CJSxX>quH1UL=|5_p-ww1rUeG%8%l%@voCVvQ4u72O`6f%&;X3=O
z$=h-q1<%RN>7L;8v0w3IZK<s9<*CQGc2CXwaCfVv08jAKt)f=z_Mb?2_>VDWmtj-N
zt%Hw$NL1NHbeOI^$a3#s<@~3cCLX$-;~PA8nt^d_R+{tovb!Adt&>}4f3{oQ^2$W%
zc|_HJb@q)~vbBFL-$br`7*cF`Ozz0uOD%!EkKNXm+zl!@-fp&Ga|44GultXn!{PZF
zoAiI_EZp{Ed#e_6#j%g?pSsN6<{B7#Qf{Nk<eq(Bdfu(OE0F!0k!!2l=Sg12L6rxC
Mr>mdKI;Vst08`R>5C8xG

literal 0
HcmV?d00001

diff --git a/apps/browser/src/images/berry38.png b/apps/browser/src/images/berry38.png
new file mode 100644
index 0000000000000000000000000000000000000000..44a670637010dc0a565f5d67efc796a85120dff2
GIT binary patch
literal 1244
zcmV<21S9*2P)<h;3K|Lk000e1NJLTq001Tc001Tk1^@s6s6FYf00001b5ch_0Itp)
z=>Px#L}ge>W=%~1DgXcg2mk?xX#fNO00031000^Q000001E2u_0{{R30RRC20H6W@
z1ONa40RR91CZGcV1ONa40RR91CIA2c0EF@&TL1tAMoC0LR9Fe^SZ{1oRTTfdx4Mem
z6p^it$ow!Mgds+VZkS<&7>yWbB9yU2gBlYt86Wf$Ve-X<WYNU%0sjUSBL-qMQ%pob
z4FLk|gG1E0ITjPCTkV*G+7{NXeb4*5&u;B&-`lJ0@Jmnf(s$4KopXQh+;h);uL?{u
zul;;ug$vKBIv&)4dPPyHOpuZcbzP4tzy(dgkyH|U#}6#-%M2`R|BA1#vbM7FHK@w-
zLaC<J*Wy<sK!c{gIhshk2!CUOa~i}1DX-goSd7+P3nG?t==d%ak3URuGBYw$|2HWk
zP3t5VW{frEaw$LNTfRNd)ndcFRS<P%`H=tBAZiSso{FO5?a{0dT-Ib#U!k(l^N}KY
zwn#BHAC~dWLN0Riarc>x>G5o2Djl1@R`JQnC0jx!x`_Laj{S}O;<A&K4Q}juvc?Vq
za&igQx%sqpvo;1VC2{t*xHUjns^`qyiO6YYl<hRLXDkydG`Ho9l`~do1`5TOYpk5H
zLNib(-nPaPNpYN(SgvzTzuVcxw<Q+3oGdXd;Px8VR7|`0w#0sz;Z0#`1_w9y&AkHu
zLkV=YC`iTP@|qV8OC4=ynWk^Hi1AmwF+6%tac@P}D=8dUuc6u32u01#gGaoZt!bE#
zmUazi{DWx!QpJQ`A(_|`JJb`!&bC`{>&>>XJdb3kNb2O)Ik;{0LTHI3M)sXX$bS~G
zfsh1vmU`j!-G#cRny|WUDNfc0(DK$*NiO>lOjAszfUZx*O<LzeW{RZZBVqJDum?li
z4<Yh>09q^|FWyr}8!^Pvhhj^NfP*I@`1V|kw*?97rrEbdX6mQS?<4ke(9)kaVwhF>
z(04{+jJEZSQT#eAKaeehn+@BVT(YKu`+96irTs`Q_(6~Kp|2xik*gXuc8y@L0CIOW
z86O<1DW?+p*ubv1yT%zY2EG_h;jvxAIPpvF*3O*RJGTPwba>&ZtCs3?p=V;O?$cP$
zf@<f)80=D1!{%3l*n1?LH}?8f9-Ml$9<4>T81a>)tNc4C?<^L|l-M*c?H|LI-J&MO
zvrmR)^=^3FMs*}cjj(J9P9=?v1tU763^{eo#C_d+1#7lnz`IAoNT#ySRE~!Sj5fnQ
z<y5?z4D9dcLSurM@`Y1JGcG!zqw~WttnCcobJ2{sNxIKOaQ}_~b{w97u4%G)dY0Fj
zU3137)NN@3#1i)RM_yK{eCKO!aAQcU>y0_+A{E__Ov;YV=4sc<Na~J*Ps6?7CiHdp
z|F!(_W%JdjfAK{@^BM84Q1*HhNs8_~`~El`kQ1)_rUQ$*T2Z}fAyiMLym(I?Z6x()
zPhj%s@z5grPQ4t}J~6mK4Bsnt=B5wvB{_#U2}lvk*Z0}LI7z**d+lZFrigK1EUU6j
zWUy5X8~Eo2^`#IVGwkSWp6pX>3EX`wbk<bc&gR!M=lKW3kdP#dJ+@o`0000<MNUMn
GLSTZ_SV?^V

literal 0
HcmV?d00001

diff --git a/apps/browser/src/platform/badge/icon.ts b/apps/browser/src/platform/badge/icon.ts
index d6dcdcc5f7d..d60633a0ef1 100644
--- a/apps/browser/src/platform/badge/icon.ts
+++ b/apps/browser/src/platform/badge/icon.ts
@@ -1,4 +1,8 @@
 export const BadgeIcon = {
+  Berry: {
+    19: "/images/berry19.png",
+    38: "/images/berry38.png",
+  },
   LoggedOut: {
     19: "/images/icon19_gray.png",
     38: "/images/icon38_gray.png",
diff --git a/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.spec.ts b/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.spec.ts
new file mode 100644
index 00000000000..f2567ef4267
--- /dev/null
+++ b/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.spec.ts
@@ -0,0 +1,84 @@
+import { BehaviorSubject } from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { SecurityTask, TaskService } from "@bitwarden/common/vault/tasks";
+import { LogService } from "@bitwarden/logging";
+import { UserId } from "@bitwarden/user-core";
+
+import { BadgeService } from "../../platform/badge/badge.service";
+import { BadgeIcon } from "../../platform/badge/icon";
+import { BadgeStatePriority } from "../../platform/badge/priority";
+import { Unset } from "../../platform/badge/state";
+import { BrowserApi } from "../../platform/browser/browser-api";
+
+import { AtRiskCipherBadgeUpdaterService } from "./at-risk-cipher-badge-updater.service";
+
+describe("AtRiskCipherBadgeUpdaterService", () => {
+  let service: AtRiskCipherBadgeUpdaterService;
+
+  let setState: jest.Mock;
+  let clearState: jest.Mock;
+  let warning: jest.Mock;
+  let getAllDecryptedForUrl: jest.Mock;
+  let getTab: jest.Mock;
+  let addListener: jest.Mock;
+
+  const activeAccount$ = new BehaviorSubject({ id: "test-account-id" });
+  const cipherViews$ = new BehaviorSubject([]);
+  const pendingTasks$ = new BehaviorSubject<SecurityTask[]>([]);
+  const userId = "test-user-id" as UserId;
+
+  beforeEach(async () => {
+    setState = jest.fn().mockResolvedValue(undefined);
+    clearState = jest.fn().mockResolvedValue(undefined);
+    warning = jest.fn();
+    getAllDecryptedForUrl = jest.fn().mockResolvedValue([]);
+    getTab = jest.fn();
+    addListener = jest.fn();
+
+    jest.spyOn(BrowserApi, "addListener").mockImplementation(addListener);
+    jest.spyOn(BrowserApi, "getTab").mockImplementation(getTab);
+
+    service = new AtRiskCipherBadgeUpdaterService(
+      { setState, clearState } as unknown as BadgeService,
+      { activeAccount$ } as unknown as AccountService,
+      { cipherViews$, getAllDecryptedForUrl } as unknown as CipherService,
+      { warning } as unknown as LogService,
+      { pendingTasks$ } as unknown as TaskService,
+    );
+
+    await service.init();
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it("clears the tab state when there are no ciphers and no pending tasks", async () => {
+    const tab = { id: 1 } as chrome.tabs.Tab;
+
+    await service["setTabState"](tab, userId, []);
+
+    expect(clearState).toHaveBeenCalledWith("at-risk-cipher-badge-1");
+  });
+
+  it("sets state when there are pending tasks for the tab", async () => {
+    const tab = { id: 3, url: "https://bitwarden.com" } as chrome.tabs.Tab;
+    const pendingTasks: SecurityTask[] = [{ id: "task1", cipherId: "cipher1" } as SecurityTask];
+    getAllDecryptedForUrl.mockResolvedValueOnce([{ id: "cipher1" }]);
+
+    await service["setTabState"](tab, userId, pendingTasks);
+
+    expect(setState).toHaveBeenCalledWith(
+      "at-risk-cipher-badge-3",
+      BadgeStatePriority.High,
+      {
+        icon: BadgeIcon.Berry,
+        text: Unset,
+        backgroundColor: Unset,
+      },
+      3,
+    );
+  });
+});
diff --git a/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.ts b/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.ts
new file mode 100644
index 00000000000..47364958ad8
--- /dev/null
+++ b/apps/browser/src/vault/services/at-risk-cipher-badge-updater.service.ts
@@ -0,0 +1,163 @@
+import { combineLatest, map, mergeMap, of, Subject, switchMap } from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { UserId } from "@bitwarden/common/types/guid";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { SecurityTask, SecurityTaskType, TaskService } from "@bitwarden/common/vault/tasks";
+import { filterOutNullish } from "@bitwarden/common/vault/utils/observable-utilities";
+
+import { BadgeService } from "../../platform/badge/badge.service";
+import { BadgeIcon } from "../../platform/badge/icon";
+import { BadgeStatePriority } from "../../platform/badge/priority";
+import { Unset } from "../../platform/badge/state";
+import { BrowserApi } from "../../platform/browser/browser-api";
+
+const StateName = (tabId: number) => `at-risk-cipher-badge-${tabId}`;
+
+export class AtRiskCipherBadgeUpdaterService {
+  private tabReplaced$ = new Subject<{ addedTab: chrome.tabs.Tab; removedTabId: number }>();
+  private tabUpdated$ = new Subject<chrome.tabs.Tab>();
+  private tabRemoved$ = new Subject<number>();
+  private tabActivated$ = new Subject<chrome.tabs.Tab>();
+
+  private activeUserData$ = this.accountService.activeAccount$.pipe(
+    filterOutNullish(),
+    switchMap((user) =>
+      combineLatest([
+        of(user.id),
+        this.taskService
+          .pendingTasks$(user.id)
+          .pipe(
+            map((tasks) => tasks.filter((t) => t.type === SecurityTaskType.UpdateAtRiskCredential)),
+          ),
+        this.cipherService.cipherViews$(user.id).pipe(filterOutNullish()),
+      ]),
+    ),
+  );
+
+  constructor(
+    private badgeService: BadgeService,
+    private accountService: AccountService,
+    private cipherService: CipherService,
+    private logService: LogService,
+    private taskService: TaskService,
+  ) {
+    combineLatest({
+      replaced: this.tabReplaced$,
+      activeUserData: this.activeUserData$,
+    })
+      .pipe(
+        mergeMap(async ({ replaced, activeUserData: [userId, pendingTasks] }) => {
+          await this.clearTabState(replaced.removedTabId);
+          await this.setTabState(replaced.addedTab, userId, pendingTasks);
+        }),
+      )
+      .subscribe(() => {});
+
+    combineLatest({
+      tab: this.tabActivated$,
+      activeUserData: this.activeUserData$,
+    })
+      .pipe(
+        mergeMap(async ({ tab, activeUserData: [userId, pendingTasks] }) => {
+          await this.setTabState(tab, userId, pendingTasks);
+        }),
+      )
+      .subscribe();
+
+    combineLatest({
+      tab: this.tabUpdated$,
+      activeUserData: this.activeUserData$,
+    })
+      .pipe(
+        mergeMap(async ({ tab, activeUserData: [userId, pendingTasks] }) => {
+          await this.setTabState(tab, userId, pendingTasks);
+        }),
+      )
+      .subscribe();
+
+    this.tabRemoved$
+      .pipe(
+        mergeMap(async (tabId) => {
+          await this.clearTabState(tabId);
+        }),
+      )
+      .subscribe();
+  }
+
+  init() {
+    BrowserApi.addListener(chrome.tabs.onReplaced, async (addedTabId, removedTabId) => {
+      const newTab = await BrowserApi.getTab(addedTabId);
+      if (!newTab) {
+        this.logService.warning(
+          `Tab replaced event received but new tab not found (id: ${addedTabId})`,
+        );
+        return;
+      }
+
+      this.tabReplaced$.next({
+        removedTabId,
+        addedTab: newTab,
+      });
+    });
+
+    BrowserApi.addListener(chrome.tabs.onUpdated, (_, changeInfo, tab) => {
+      if (changeInfo.url) {
+        this.tabUpdated$.next(tab);
+      }
+    });
+
+    BrowserApi.addListener(chrome.tabs.onActivated, async (activeInfo) => {
+      const tab = await BrowserApi.getTab(activeInfo.tabId);
+      if (!tab) {
+        this.logService.warning(
+          `Tab activated event received but tab not found (id: ${activeInfo.tabId})`,
+        );
+        return;
+      }
+
+      this.tabActivated$.next(tab);
+    });
+
+    BrowserApi.addListener(chrome.tabs.onRemoved, (tabId, _) => this.tabRemoved$.next(tabId));
+  }
+
+  /** Sets the pending task state for the tab */
+  private async setTabState(tab: chrome.tabs.Tab, userId: UserId, pendingTasks: SecurityTask[]) {
+    if (!tab.id) {
+      this.logService.warning("Tab event received but tab id is undefined");
+      return;
+    }
+
+    const ciphers = tab.url
+      ? await this.cipherService.getAllDecryptedForUrl(tab.url, userId, [], undefined, true)
+      : [];
+
+    const hasPendingTasksForTab = pendingTasks.some((task) =>
+      ciphers.some((cipher) => cipher.id === task.cipherId && !cipher.isDeleted),
+    );
+
+    if (!hasPendingTasksForTab) {
+      await this.clearTabState(tab.id);
+      return;
+    }
+
+    await this.badgeService.setState(
+      StateName(tab.id),
+      BadgeStatePriority.High,
+      {
+        icon: BadgeIcon.Berry,
+        // Unset text and background color to use default badge appearance
+        text: Unset,
+        backgroundColor: Unset,
+      },
+      tab.id,
+    );
+  }
+
+  /** Clears the pending task state from a tab */
+  private async clearTabState(tabId: number) {
+    await this.badgeService.clearState(StateName(tabId));
+  }
+}
diff --git a/libs/common/src/vault/abstractions/cipher.service.ts b/libs/common/src/vault/abstractions/cipher.service.ts
index 2f4fcf0ef51..7eb2d4b0656 100644
--- a/libs/common/src/vault/abstractions/cipher.service.ts
+++ b/libs/common/src/vault/abstractions/cipher.service.ts
@@ -65,12 +65,16 @@ export abstract class CipherService implements UserKeyRotationDataProvider<Ciphe
     userId: UserId,
     includeOtherTypes?: CipherType[],
     defaultMatch?: UriMatchStrategySetting,
+    /** When true, will override the match strategy for the cipher if it is Never. */
+    overrideNeverMatchStrategy?: true,
   ): Promise<CipherView[]>;
   abstract filterCiphersForUrl<C extends CipherViewLike = CipherView>(
     ciphers: C[],
     url: string,
     includeOtherTypes?: CipherType[],
     defaultMatch?: UriMatchStrategySetting,
+    /** When true, will override the match strategy for the cipher if it is Never. */
+    overrideNeverMatchStrategy?: true,
   ): Promise<C[]>;
   abstract getAllFromApiForOrganization(organizationId: string): Promise<CipherView[]>;
   /**
diff --git a/libs/common/src/vault/models/view/login-uri-view.spec.ts b/libs/common/src/vault/models/view/login-uri-view.spec.ts
index 155d3d59f7c..aae9438df2e 100644
--- a/libs/common/src/vault/models/view/login-uri-view.spec.ts
+++ b/libs/common/src/vault/models/view/login-uri-view.spec.ts
@@ -111,6 +111,33 @@ describe("LoginUriView", () => {
 
         expect(actual).toBe(false);
       });
+
+      it("overrides Never match strategy with Domain when parameter is set", () => {
+        const loginUri = new LoginUriView();
+        loginUri.uri = "https://example.org";
+        loginUri.match = UriMatchStrategy.Never;
+
+        expect(loginUri.matchesUri("https://example.org", new Set(), undefined, true)).toBe(true);
+        expect(loginUri.matchesUri("https://example.org", new Set(), undefined)).toBe(false);
+      });
+
+      it("overrides Never match strategy when passed in as default strategy", () => {
+        const loginUriNoMatch = new LoginUriView();
+        loginUriNoMatch.uri = "https://example.org";
+
+        expect(
+          loginUriNoMatch.matchesUri(
+            "https://example.org",
+            new Set(),
+            UriMatchStrategy.Never,
+            true,
+          ),
+        ).toBe(true);
+
+        expect(
+          loginUriNoMatch.matchesUri("https://example.org", new Set(), UriMatchStrategy.Never),
+        ).toBe(false);
+      });
     });
 
     describe("using host matching", () => {
diff --git a/libs/common/src/vault/models/view/login-uri.view.ts b/libs/common/src/vault/models/view/login-uri.view.ts
index 38cd517e542..49ac9c6278f 100644
--- a/libs/common/src/vault/models/view/login-uri.view.ts
+++ b/libs/common/src/vault/models/view/login-uri.view.ts
@@ -142,6 +142,8 @@ export class LoginUriView implements View {
     targetUri: string,
     equivalentDomains: Set<string>,
     defaultUriMatch: UriMatchStrategySetting = null,
+    /** When present, will override the match strategy for the cipher if it is `Never` with `Domain` */
+    overrideNeverMatchStrategy?: true,
   ): boolean {
     if (!this.uri || !targetUri) {
       return false;
@@ -150,6 +152,12 @@ export class LoginUriView implements View {
     let matchType = this.match ?? defaultUriMatch;
     matchType ??= UriMatchStrategy.Domain;
 
+    // Override the match strategy with `Domain` when it is `Never` and `overrideNeverMatchStrategy` is true.
+    // This is useful in scenarios when the cipher should be matched to rely other information other than autofill.
+    if (overrideNeverMatchStrategy && matchType === UriMatchStrategy.Never) {
+      matchType = UriMatchStrategy.Domain;
+    }
+
     const targetDomain = Utils.getDomain(targetUri);
     const matchDomains = equivalentDomains.add(targetDomain);
 
diff --git a/libs/common/src/vault/models/view/login.view.ts b/libs/common/src/vault/models/view/login.view.ts
index d268cf4afaa..44c6ee8f2e9 100644
--- a/libs/common/src/vault/models/view/login.view.ts
+++ b/libs/common/src/vault/models/view/login.view.ts
@@ -82,12 +82,16 @@ export class LoginView extends ItemView {
     targetUri: string,
     equivalentDomains: Set<string>,
     defaultUriMatch: UriMatchStrategySetting = null,
+    /** When present, will override the match strategy for the cipher if it is `Never` with `Domain` */
+    overrideNeverMatchStrategy?: true,
   ): boolean {
     if (this.uris == null) {
       return false;
     }
 
-    return this.uris.some((uri) => uri.matchesUri(targetUri, equivalentDomains, defaultUriMatch));
+    return this.uris.some((uri) =>
+      uri.matchesUri(targetUri, equivalentDomains, defaultUriMatch, overrideNeverMatchStrategy),
+    );
   }
 
   static fromJSON(obj: Partial<DeepJsonify<LoginView>>): LoginView {
diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts
index d89a41aba1f..f6e12e71edd 100644
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -601,6 +601,7 @@ export class CipherService implements CipherServiceAbstraction {
     userId: UserId,
     includeOtherTypes?: CipherType[],
     defaultMatch: UriMatchStrategySetting = null,
+    overrideNeverMatchStrategy?: true,
   ): Promise<CipherView[]> {
     return await firstValueFrom(
       this.cipherViews$(userId).pipe(
@@ -612,6 +613,7 @@ export class CipherService implements CipherServiceAbstraction {
               url,
               includeOtherTypes,
               defaultMatch,
+              overrideNeverMatchStrategy,
             ),
         ),
       ),
@@ -623,6 +625,7 @@ export class CipherService implements CipherServiceAbstraction {
     url: string,
     includeOtherTypes?: CipherType[],
     defaultMatch: UriMatchStrategySetting = null,
+    overrideNeverMatchStrategy?: true,
   ): Promise<C[]> {
     if (url == null && includeOtherTypes == null) {
       return [];
@@ -647,7 +650,13 @@ export class CipherService implements CipherServiceAbstraction {
       }
 
       if (cipherIsLogin) {
-        return CipherViewLikeUtils.matchesUri(cipher, url, equivalentDomains, defaultMatch);
+        return CipherViewLikeUtils.matchesUri(
+          cipher,
+          url,
+          equivalentDomains,
+          defaultMatch,
+          overrideNeverMatchStrategy,
+        );
       }
 
       return false;
diff --git a/libs/common/src/vault/utils/cipher-view-like-utils.ts b/libs/common/src/vault/utils/cipher-view-like-utils.ts
index 1c7a4382a04..5ef1d9bdc75 100644
--- a/libs/common/src/vault/utils/cipher-view-like-utils.ts
+++ b/libs/common/src/vault/utils/cipher-view-like-utils.ts
@@ -174,13 +174,19 @@ export class CipherViewLikeUtils {
     targetUri: string,
     equivalentDomains: Set<string>,
     defaultUriMatch: UriMatchStrategySetting = UriMatchStrategy.Domain,
+    overrideNeverMatchStrategy?: true,
   ): boolean => {
     if (CipherViewLikeUtils.getType(cipher) !== CipherType.Login) {
       return false;
     }
 
     if (!this.isCipherListView(cipher)) {
-      return cipher.login.matchesUri(targetUri, equivalentDomains, defaultUriMatch);
+      return cipher.login.matchesUri(
+        targetUri,
+        equivalentDomains,
+        defaultUriMatch,
+        overrideNeverMatchStrategy,
+      );
     }
 
     const login = this.getLogin(cipher);
@@ -198,7 +204,7 @@ export class CipherViewLikeUtils {
       });
 
     return loginUriViews.some((uriView) =>
-      uriView.matchesUri(targetUri, equivalentDomains, defaultUriMatch),
+      uriView.matchesUri(targetUri, equivalentDomains, defaultUriMatch, overrideNeverMatchStrategy),
     );
   };