update InputPasswordComponent to work with currentPassword and current password related crypto properties

2026-02-09 13:10:17 +00:00 · 2025-04-01 21:41:37 -07:00
parent 38e1988f3e
commit 60066830a0
4 changed files with 150 additions and 127 deletions
--- a/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
+++ b/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
@@ -102,6 +102,62 @@ export class ChangeExistingPasswordComponent implements OnInit {
    }
  }

+  // todo: move this to a service
+  // https://bitwarden.atlassian.net/browse/PM-17108
+  async updatePassword(currentPassword: string, newPassword: string, hint: string) {
+    const { userId, email } = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(map((a) => ({ userId: a?.id, email: a?.email }))),
+    );
+    const kdfConfig = await firstValueFrom(this.kdfConfigService.getKdfConfig$(userId));
+
+    const currentMasterKey = await this.keyService.makeMasterKey(currentPassword, email, kdfConfig);
+    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+      currentMasterKey,
+      userId,
+    );
+    if (decryptedUserKey == null) {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("invalidMasterPassword"),
+      });
+      return;
+    }
+
+    const newMasterKey = await this.keyService.makeMasterKey(newPassword, email, kdfConfig);
+    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
+      newMasterKey,
+      decryptedUserKey,
+    );
+
+    const request = new PasswordRequest();
+    request.masterPasswordHash = await this.keyService.hashMasterKey(
+      currentPassword,
+      currentMasterKey,
+    );
+    request.masterPasswordHint = hint;
+    request.newMasterPasswordHash = await this.keyService.hashMasterKey(newPassword, newMasterKey);
+    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
+
+    try {
+      await this.masterPasswordApiService.postPassword(request);
+
+      this.toastService.showToast({
+        variant: "success",
+        title: this.i18nService.t("masterPasswordChanged"),
+        message: this.i18nService.t("masterPasswordChangedDesc"),
+      });
+
+      this.messagingService.send("logout");
+    } catch {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("errorOccurred"),
+      });
+    }
+  }
+
  async submitOld(passwordInputResult: PasswordInputResult) {
    if (passwordInputResult.rotateUserKey) {
      await this.syncService.fullSync(true);
@@ -171,62 +227,6 @@ export class ChangeExistingPasswordComponent implements OnInit {
    }
  }

-  // todo: move this to a service
-  // https://bitwarden.atlassian.net/browse/PM-17108
-  async updatePassword(currentPassword: string, newPassword: string, hint: string) {
-    const { userId, email } = await firstValueFrom(
-      this.accountService.activeAccount$.pipe(map((a) => ({ userId: a?.id, email: a?.email }))),
-    );
-    const kdfConfig = await firstValueFrom(this.kdfConfigService.getKdfConfig$(userId));
-
-    const currentMasterKey = await this.keyService.makeMasterKey(currentPassword, email, kdfConfig);
-    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
-      currentMasterKey,
-      userId,
-    );
-    if (decryptedUserKey == null) {
-      this.toastService.showToast({
-        variant: "error",
-        title: null,
-        message: this.i18nService.t("invalidMasterPassword"),
-      });
-      return;
-    }
-
-    const newMasterKey = await this.keyService.makeMasterKey(newPassword, email, kdfConfig);
-    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
-      newMasterKey,
-      decryptedUserKey,
-    );
-
-    const request = new PasswordRequest();
-    request.masterPasswordHash = await this.keyService.hashMasterKey(
-      currentPassword,
-      currentMasterKey,
-    );
-    request.masterPasswordHint = hint;
-    request.newMasterPasswordHash = await this.keyService.hashMasterKey(newPassword, newMasterKey);
-    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
-
-    try {
-      await this.masterPasswordApiService.postPassword(request);
-
-      this.toastService.showToast({
-        variant: "success",
-        title: this.i18nService.t("masterPasswordChanged"),
-        message: this.i18nService.t("masterPasswordChangedDesc"),
-      });
-
-      this.messagingService.send("logout");
-    } catch {
-      this.toastService.showToast({
-        variant: "error",
-        title: null,
-        message: this.i18nService.t("errorOccurred"),
-      });
-    }
-  }
-
  private async updateKey(newPassword: string) {
    const user = await firstValueFrom(this.accountService.activeAccount$);
    await this.changePasswordService.rotateUserKeyAndEncryptedDataLegacy(newPassword, user);
--- a/libs/auth/src/angular/input-password/input-password.component.html
+++ b/libs/auth/src/angular/input-password/input-password.component.html
@@ -63,7 +63,7 @@
      id="input-password-form_confirm-new-password"
      bitInput
      type="password"
-      formControlName="confirmNewPassword"
+      formControlName="newPasswordConfirm"
    />
    <button
      type="button"
@@ -78,7 +78,10 @@
    <bit-label>{{ "masterPassHintLabel" | i18n }}</bit-label>
    <input bitInput formControlName="hint" />
    <bit-hint>
-      {{ "masterPassHintText" | i18n: formGroup.value.hint.length : maxHintLength.toString() }}
+      {{
+        "masterPassHintText"
+          | i18n: formGroup.value.newPasswordHint.length : maxHintLength.toString()
+      }}
    </bit-hint>
  </bit-form-field>

--- a/libs/auth/src/angular/input-password/input-password.component.ts
+++ b/libs/auth/src/angular/input-password/input-password.component.ts
@@ -1,6 +1,6 @@
 import { Component, EventEmitter, Input, OnInit, Output } from "@angular/core";
 import { ReactiveFormsModule, FormBuilder, Validators, FormGroup } from "@angular/forms";
-import { firstValueFrom, map } from "rxjs";
+import { firstValueFrom } from "rxjs";

 import { JslibModule } from "@bitwarden/angular/jslib.module";
 import {
@@ -29,7 +29,12 @@ import {
  ToastService,
  Translation,
 } from "@bitwarden/components";
-import { DEFAULT_KDF_CONFIG, KdfConfigService, KeyService } from "@bitwarden/key-management";
+import {
+  DEFAULT_KDF_CONFIG,
+  KdfConfig,
+  KdfConfigService,
+  KeyService,
+} from "@bitwarden/key-management";

 // FIXME: remove `src` and fix import
 // eslint-disable-next-line no-restricted-imports
@@ -97,6 +102,7 @@ export class InputPasswordComponent implements OnInit {
  protected secondaryButtonTextStr: string = "";

  protected InputPasswordFlow = InputPasswordFlow;
+  private kdfConfig: KdfConfig = DEFAULT_KDF_CONFIG; // TODO-rr-bw: verify
  private minHintLength = 0;
  protected maxHintLength = 50;
  protected minPasswordLength = Utils.minimumPasswordLength;
@@ -108,8 +114,8 @@ export class InputPasswordComponent implements OnInit {
  protected formGroup = this.formBuilder.nonNullable.group(
    {
      newPassword: ["", [Validators.required, Validators.minLength(this.minPasswordLength)]],
-      confirmNewPassword: ["", Validators.required],
-      hint: [
+      newPasswordConfirm: ["", Validators.required],
+      newPasswordHint: [
        "", // must be string (not null) because we check length in validation
        [Validators.minLength(this.minHintLength), Validators.maxLength(this.maxHintLength)],
      ],
@@ -120,7 +126,7 @@ export class InputPasswordComponent implements OnInit {
        compareInputs(
          ValidationGoal.InputsShouldMatch,
          "newPassword",
-          "confirmNewPassword",
+          "newPasswordConfirm",
          this.i18nService.t("masterPassDoesntMatch"),
        ),
        compareInputs(
@@ -133,30 +139,6 @@ export class InputPasswordComponent implements OnInit {
    },
  );

-  get currentPassword() {
-    return this.formGroup.controls.currentPassword.value;
-  }
-
-  get newPassword() {
-    return this.formGroup.controls.newPassword.value;
-  }
-
-  get confirmNewPassword() {
-    return this.formGroup.controls.confirmNewPassword.value;
-  }
-
-  get hint() {
-    return this.formGroup.controls.hint.value;
-  }
-
-  get checkForBreaches() {
-    return this.formGroup.controls.checkForBreaches.value;
-  }
-
-  get rotateAccountEncryptionKey() {
-    return this.formGroup.controls.rotateAccountEncryptionKey.value;
-  }
-
  constructor(
    private accountService: AccountService,
    private auditService: AuditService,
@@ -230,68 +212,91 @@ export class InputPasswordComponent implements OnInit {
      return;
    }

-    // 1. Evaluate current password
+    if (this.email == null) {
+      throw new Error("Email is required to create master key.");
+    }
+
+    this.kdfConfig = (await this.kdfConfigService.getKdfConfig()) || DEFAULT_KDF_CONFIG; // TODO-rr-bw: confirm this
+
+    const currentPassword = this.formGroup.get("currentPassword")?.value;
+    const { newPassword, newPasswordHint, checkForBreaches } = this.formGroup.value;
+
+    // 1. Verify current password is correct (if necessary)
    if (
      this.inputPasswordFlow === InputPasswordFlow.ChangeExistingPassword ||
      this.inputPasswordFlow ===
        InputPasswordFlow.ChangeExistingPasswordAndOptionallyRotateAccountEncryptionKey
    ) {
-      const currentPasswordEvaluatedSuccessfully = await this.evaluateCurrentPassword();
-      if (!currentPasswordEvaluatedSuccessfully) {
+      const currentPasswordIsCorrect = await this.verifyCurrentPassword(currentPassword);
+      if (!currentPasswordIsCorrect) {
        return;
      }
    }

    // 2. Evaluate new password
    const newPasswordEvaluatedSuccessfully = await this.evaluateNewPassword(
-      this.newPassword,
+      newPassword,
      this.passwordStrengthScore,
-      this.checkForBreaches,
+      checkForBreaches,
    );
    if (!newPasswordEvaluatedSuccessfully) {
      return;
    }

    // 3. Create cryptographic keys
-    if (this.email == null) {
-      throw new Error("Email is required to create master key.");
-    }
-
-    const kdfConfig = (await this.kdfConfigService.getKdfConfig()) || DEFAULT_KDF_CONFIG; // TODO-rr-bw: confirm this
-
    const newMasterKey = await this.keyService.makeMasterKey(
-      this.newPassword,
+      newPassword,
      this.email.trim().toLowerCase(),
-      kdfConfig,
+      this.kdfConfig,
    );

-    const serverMasterKeyHash = await this.keyService.hashMasterKey(
-      this.newPassword,
+    const newServerMasterKeyHash = await this.keyService.hashMasterKey(
+      newPassword,
      newMasterKey,
      HashPurpose.ServerAuthorization,
    );

-    const localMasterKeyHash = await this.keyService.hashMasterKey(
-      this.newPassword,
+    const newLocalMasterKeyHash = await this.keyService.hashMasterKey(
+      newPassword,
      newMasterKey,
      HashPurpose.LocalAuthorization,
    );

-    // 3. Emit cryptographic keys and other password related properties
    const passwordInputResult: PasswordInputResult = {
-      newPassword: this.newPassword,
-      hint: this.hint,
-      kdfConfig,
+      newPassword,
      newMasterKey,
-      serverMasterKeyHash,
-      localMasterKeyHash,
+      newServerMasterKeyHash,
+      newLocalMasterKeyHash,
+      newPasswordHint,
+      kdfConfig: this.kdfConfig,
    };

    if (
      this.inputPasswordFlow === InputPasswordFlow.ChangePassword ||
      this.inputPasswordFlow === InputPasswordFlow.ChangePasswordWithOptionalUserKeyRotation
    ) {
-      passwordInputResult.currentPassword = this.currentPassword;
+      const currentMasterKey = await this.keyService.makeMasterKey(
+        currentPassword,
+        this.email.trim().toLowerCase(),
+        this.kdfConfig,
+      );
+
+      const currentServerMasterKeyHash = await this.keyService.hashMasterKey(
+        currentPassword,
+        currentMasterKey,
+        HashPurpose.ServerAuthorization,
+      );
+
+      const currentLocalMasterKeyHash = await this.keyService.hashMasterKey(
+        currentPassword,
+        currentMasterKey,
+        HashPurpose.LocalAuthorization,
+      );
+
+      passwordInputResult.currentPassword = this.formGroup.get("currentPassword")?.value;
+      passwordInputResult.currentMasterKey = currentMasterKey;
+      passwordInputResult.currentServerMasterKeyHash = currentServerMasterKeyHash;
+      passwordInputResult.currentLocalMasterKeyHash = currentLocalMasterKeyHash;
    }

    if (
@@ -301,22 +306,28 @@ export class InputPasswordComponent implements OnInit {
      passwordInputResult.rotateAccountEncryptionKey = this.rotateAccountEncryptionKey;
    }

+    // 4. Emit cryptographic keys and other password related properties
    this.onPasswordFormSubmit.emit(passwordInputResult);
  };

-  // Returns true if the current password is correct, false otherwise
-  private async evaluateCurrentPassword(): Promise<boolean> {
+  /**
+   * Returns true if the current password is correct, false otherwise
+   */
+  private async verifyCurrentPassword(currentPassword: string): Promise<boolean> {
    const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));

-    const masterKey = await this.keyService.makeMasterKey(
-      this.currentPassword,
-      await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.email))),
-      await this.kdfConfigService.getKdfConfig(),
+    const currentMasterKey = await this.keyService.makeMasterKey(
+      currentPassword,
+      this.email.trim().toLowerCase(),
+      this.kdfConfig,
    );

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
+    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+      currentMasterKey,
+      userId,
+    );

-    if (userKey == null) {
+    if (decryptedUserKey == null) {
      this.toastService.showToast({
        variant: "error",
        title: null,
@@ -329,7 +340,9 @@ export class InputPasswordComponent implements OnInit {
    return true;
  }

-  // Returns true if the password passes all checks, false otherwise
+  /**
+   * Returns true if the new password passes all checks, false otherwise
+   */
  private async evaluateNewPassword(
    newPassword: string,
    passwordStrengthScore: PasswordStrengthScore,
@@ -395,7 +408,9 @@ export class InputPasswordComponent implements OnInit {
  }

  async rotateUserKeyClicked() {
-    if (this.rotateUserKey) {
+    const rotateUserKey = this.formGroup.get("rotateUserKey")?.value;
+
+    if (rotateUserKey) {
      const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));

      const ciphers = await this.cipherService.getAllDecrypted(activeUserId);
--- a/libs/auth/src/angular/input-password/password-input-result.ts
+++ b/libs/auth/src/angular/input-password/password-input-result.ts
@@ -2,12 +2,17 @@ import { MasterKey } from "@bitwarden/common/types/key";
 import { KdfConfig } from "@bitwarden/key-management";

 export interface PasswordInputResult {
-  newPassword: string;
-  hint: string;
-  kdfConfig: KdfConfig;
-  newMasterKey: MasterKey;
-  serverMasterKeyHash: string;
-  localMasterKeyHash: string;
  currentPassword?: string;
+  currentMasterKey?: MasterKey;
+  currentServerMasterKeyHash?: string;
+  currentLocalMasterKeyHash?: string;
+
+  newPassword: string;
+  newPasswordHint: string;
+  newMasterKey: MasterKey;
+  newServerMasterKeyHash: string;
+  newLocalMasterKeyHash: string;
+
+  kdfConfig: KdfConfig;
  rotateUserKey?: boolean;
 }