refactor(auth-guard): [PM-22822] Update AuthGuard to explicitly handle each forceSetPasswordReason (#15252)

Update the `authGuard` to explicitly handle each `ForceSetPasswordReason`

libs/common/src/auth/models/domain/force-set-password-reason.ts

@@ -1,41 +1,58 @@
-/*
- * This enum is used to determine if a user should be forced to initially set or reset their password
- * on login (server flag) or unlock via MP (client evaluation).
+/**
+ * This enum is used to determine if a user should be forced to set an initial password or
+ * change their existing password upon login (communicated via server flag) or upon unlocking
+ * with their master password (set via client evaluation).
  */
 // FIXME: update to use a const object instead of a typescript enum
 // eslint-disable-next-line @bitwarden/platform/no-enums
 export enum ForceSetPasswordReason {
   /**
-   * A password reset should not be forced.
+   * A password set/change should not be forced.
    */
   None,
 
-  /**
-   * Occurs when an organization admin forces a user to reset their password.
-   * Communicated via server flag.
-   */
-  AdminForcePasswordReset,
+  /*--------------------------
+      Set Initial Password  
+  ---------------------------*/
 
   /**
-   * Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
-   * master password policy that is enforced on login/unlock.
-   * Only set client side b/c server can't evaluate MP.
+   * Occurs when a user JIT provisions into a master-password-encryption org via SSO and must set their initial password.
    */
-  WeakMasterPassword,
+  SsoNewJitProvisionedUser,
 
   /**
-   * Occurs when a TDE user without a password obtains the password reset permission.
+   * Occurs when a TDE org user without a password obtains the password reset ("manage account recovery")
+   * permission, which requires the TDE user to have/set a password.
+   *
    * Set post login & decryption client side and by server in sync (to catch logged in users).
    */
   TdeUserWithoutPasswordHasPasswordResetPermission,
 
   /**
-   * Occurs when TDE is disabled and master password has to be set.
+   * Occurs when an org admin switches the org from trusted-device-encryption to master-password-encryption,
+   * which forces the org user to set an initial password. User must not already have a master password,
+   * and they must be on a previously trusted device.
+   *
+   * Communicated via server flag.
    */
   TdeOffboarding,
 
+  /*----------------------------
+      Change Existing Password  
+  -----------------------------*/
+
   /**
-   * Occurs when a new SSO user is JIT provisioned and needs to set their master password.
+   * Occurs when an org admin forces a user to change their password via Account Recovery.
+   *
+   * Communicated via server flag.
    */
-  SsoNewJitProvisionedUser,
+  AdminForcePasswordReset,
+
+  /**
+   * Occurs when a user logs in / unlocks their vault with a master password that does not meet an org's
+   * master password policy that is enforced on login/unlock.
+   *
+   * Only set client side b/c server can't evaluate MP.
+   */
+  WeakMasterPassword,
 }

libs/common/src/enums/feature-flag.enum.ts

@@ -15,6 +15,7 @@ export enum FeatureFlag {
   OptimizeNestedTraverseTypescript = "pm-21695-optimize-nested-traverse-typescript",
 
   /* Auth */
+  PM16117_SetInitialPasswordRefactor = "pm-16117-set-initial-password-refactor",
   PM16117_ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor",
   PM9115_TwoFactorExtensionDataPersistence = "pm-9115-two-factor-extension-data-persistence",
 
@@ -101,6 +102,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.RemoveCardItemTypePolicy]: FALSE,
 
   /* Auth */
+  [FeatureFlag.PM16117_SetInitialPasswordRefactor]: FALSE,
   [FeatureFlag.PM16117_ChangeExistingPasswordRefactor]: FALSE,
   [FeatureFlag.PM9115_TwoFactorExtensionDataPersistence]: FALSE,