From 60066830a0d75208cc26b88b0e6506153e480d2c Mon Sep 17 00:00:00 2001
From: rr-bw <102181210+rr-bw@users.noreply.github.com>
Date: Tue, 1 Apr 2025 21:41:37 -0700
Subject: [PATCH] update InputPasswordComponent to work with currentPassword
 and current password related crypto properties

---
 .../change-existing-password.component.ts     | 112 +++++++-------
 .../input-password.component.html             |   7 +-
 .../input-password.component.ts               | 141 ++++++++++--------
 .../input-password/password-input-result.ts   |  17 ++-
 4 files changed, 150 insertions(+), 127 deletions(-)

diff --git a/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts b/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
index 86064e9ea15..758fa785f3e 100644
--- a/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
+++ b/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
@@ -102,6 +102,62 @@ export class ChangeExistingPasswordComponent implements OnInit {
     }
   }
 
+  // todo: move this to a service
+  // https://bitwarden.atlassian.net/browse/PM-17108
+  async updatePassword(currentPassword: string, newPassword: string, hint: string) {
+    const { userId, email } = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(map((a) => ({ userId: a?.id, email: a?.email }))),
+    );
+    const kdfConfig = await firstValueFrom(this.kdfConfigService.getKdfConfig$(userId));
+
+    const currentMasterKey = await this.keyService.makeMasterKey(currentPassword, email, kdfConfig);
+    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+      currentMasterKey,
+      userId,
+    );
+    if (decryptedUserKey == null) {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("invalidMasterPassword"),
+      });
+      return;
+    }
+
+    const newMasterKey = await this.keyService.makeMasterKey(newPassword, email, kdfConfig);
+    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
+      newMasterKey,
+      decryptedUserKey,
+    );
+
+    const request = new PasswordRequest();
+    request.masterPasswordHash = await this.keyService.hashMasterKey(
+      currentPassword,
+      currentMasterKey,
+    );
+    request.masterPasswordHint = hint;
+    request.newMasterPasswordHash = await this.keyService.hashMasterKey(newPassword, newMasterKey);
+    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
+
+    try {
+      await this.masterPasswordApiService.postPassword(request);
+
+      this.toastService.showToast({
+        variant: "success",
+        title: this.i18nService.t("masterPasswordChanged"),
+        message: this.i18nService.t("masterPasswordChangedDesc"),
+      });
+
+      this.messagingService.send("logout");
+    } catch {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("errorOccurred"),
+      });
+    }
+  }
+
   async submitOld(passwordInputResult: PasswordInputResult) {
     if (passwordInputResult.rotateUserKey) {
       await this.syncService.fullSync(true);
@@ -171,62 +227,6 @@ export class ChangeExistingPasswordComponent implements OnInit {
     }
   }
 
-  // todo: move this to a service
-  // https://bitwarden.atlassian.net/browse/PM-17108
-  async updatePassword(currentPassword: string, newPassword: string, hint: string) {
-    const { userId, email } = await firstValueFrom(
-      this.accountService.activeAccount$.pipe(map((a) => ({ userId: a?.id, email: a?.email }))),
-    );
-    const kdfConfig = await firstValueFrom(this.kdfConfigService.getKdfConfig$(userId));
-
-    const currentMasterKey = await this.keyService.makeMasterKey(currentPassword, email, kdfConfig);
-    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
-      currentMasterKey,
-      userId,
-    );
-    if (decryptedUserKey == null) {
-      this.toastService.showToast({
-        variant: "error",
-        title: null,
-        message: this.i18nService.t("invalidMasterPassword"),
-      });
-      return;
-    }
-
-    const newMasterKey = await this.keyService.makeMasterKey(newPassword, email, kdfConfig);
-    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
-      newMasterKey,
-      decryptedUserKey,
-    );
-
-    const request = new PasswordRequest();
-    request.masterPasswordHash = await this.keyService.hashMasterKey(
-      currentPassword,
-      currentMasterKey,
-    );
-    request.masterPasswordHint = hint;
-    request.newMasterPasswordHash = await this.keyService.hashMasterKey(newPassword, newMasterKey);
-    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
-
-    try {
-      await this.masterPasswordApiService.postPassword(request);
-
-      this.toastService.showToast({
-        variant: "success",
-        title: this.i18nService.t("masterPasswordChanged"),
-        message: this.i18nService.t("masterPasswordChangedDesc"),
-      });
-
-      this.messagingService.send("logout");
-    } catch {
-      this.toastService.showToast({
-        variant: "error",
-        title: null,
-        message: this.i18nService.t("errorOccurred"),
-      });
-    }
-  }
-
   private async updateKey(newPassword: string) {
     const user = await firstValueFrom(this.accountService.activeAccount$);
     await this.changePasswordService.rotateUserKeyAndEncryptedDataLegacy(newPassword, user);
diff --git a/libs/auth/src/angular/input-password/input-password.component.html b/libs/auth/src/angular/input-password/input-password.component.html
index d5c0578e646..c57fd994671 100644
--- a/libs/auth/src/angular/input-password/input-password.component.html
+++ b/libs/auth/src/angular/input-password/input-password.component.html
@@ -63,7 +63,7 @@
       id="input-password-form_confirm-new-password"
       bitInput
       type="password"
-      formControlName="confirmNewPassword"
+      formControlName="newPasswordConfirm"
     />
     <button
       type="button"
@@ -78,7 +78,10 @@
     <bit-label>{{ "masterPassHintLabel" | i18n }}</bit-label>
     <input bitInput formControlName="hint" />
     <bit-hint>
-      {{ "masterPassHintText" | i18n: formGroup.value.hint.length : maxHintLength.toString() }}
+      {{
+        "masterPassHintText"
+          | i18n: formGroup.value.newPasswordHint.length : maxHintLength.toString()
+      }}
     </bit-hint>
   </bit-form-field>
 
diff --git a/libs/auth/src/angular/input-password/input-password.component.ts b/libs/auth/src/angular/input-password/input-password.component.ts
index f8518edf9c4..e47b4c257b9 100644
--- a/libs/auth/src/angular/input-password/input-password.component.ts
+++ b/libs/auth/src/angular/input-password/input-password.component.ts
@@ -1,6 +1,6 @@
 import { Component, EventEmitter, Input, OnInit, Output } from "@angular/core";
 import { ReactiveFormsModule, FormBuilder, Validators, FormGroup } from "@angular/forms";
-import { firstValueFrom, map } from "rxjs";
+import { firstValueFrom } from "rxjs";
 
 import { JslibModule } from "@bitwarden/angular/jslib.module";
 import {
@@ -29,7 +29,12 @@ import {
   ToastService,
   Translation,
 } from "@bitwarden/components";
-import { DEFAULT_KDF_CONFIG, KdfConfigService, KeyService } from "@bitwarden/key-management";
+import {
+  DEFAULT_KDF_CONFIG,
+  KdfConfig,
+  KdfConfigService,
+  KeyService,
+} from "@bitwarden/key-management";
 
 // FIXME: remove `src` and fix import
 // eslint-disable-next-line no-restricted-imports
@@ -97,6 +102,7 @@ export class InputPasswordComponent implements OnInit {
   protected secondaryButtonTextStr: string = "";
 
   protected InputPasswordFlow = InputPasswordFlow;
+  private kdfConfig: KdfConfig = DEFAULT_KDF_CONFIG; // TODO-rr-bw: verify
   private minHintLength = 0;
   protected maxHintLength = 50;
   protected minPasswordLength = Utils.minimumPasswordLength;
@@ -108,8 +114,8 @@ export class InputPasswordComponent implements OnInit {
   protected formGroup = this.formBuilder.nonNullable.group(
     {
       newPassword: ["", [Validators.required, Validators.minLength(this.minPasswordLength)]],
-      confirmNewPassword: ["", Validators.required],
-      hint: [
+      newPasswordConfirm: ["", Validators.required],
+      newPasswordHint: [
         "", // must be string (not null) because we check length in validation
         [Validators.minLength(this.minHintLength), Validators.maxLength(this.maxHintLength)],
       ],
@@ -120,7 +126,7 @@ export class InputPasswordComponent implements OnInit {
         compareInputs(
           ValidationGoal.InputsShouldMatch,
           "newPassword",
-          "confirmNewPassword",
+          "newPasswordConfirm",
           this.i18nService.t("masterPassDoesntMatch"),
         ),
         compareInputs(
@@ -133,30 +139,6 @@ export class InputPasswordComponent implements OnInit {
     },
   );
 
-  get currentPassword() {
-    return this.formGroup.controls.currentPassword.value;
-  }
-
-  get newPassword() {
-    return this.formGroup.controls.newPassword.value;
-  }
-
-  get confirmNewPassword() {
-    return this.formGroup.controls.confirmNewPassword.value;
-  }
-
-  get hint() {
-    return this.formGroup.controls.hint.value;
-  }
-
-  get checkForBreaches() {
-    return this.formGroup.controls.checkForBreaches.value;
-  }
-
-  get rotateAccountEncryptionKey() {
-    return this.formGroup.controls.rotateAccountEncryptionKey.value;
-  }
-
   constructor(
     private accountService: AccountService,
     private auditService: AuditService,
@@ -230,68 +212,91 @@ export class InputPasswordComponent implements OnInit {
       return;
     }
 
-    // 1. Evaluate current password
+    if (this.email == null) {
+      throw new Error("Email is required to create master key.");
+    }
+
+    this.kdfConfig = (await this.kdfConfigService.getKdfConfig()) || DEFAULT_KDF_CONFIG; // TODO-rr-bw: confirm this
+
+    const currentPassword = this.formGroup.get("currentPassword")?.value;
+    const { newPassword, newPasswordHint, checkForBreaches } = this.formGroup.value;
+
+    // 1. Verify current password is correct (if necessary)
     if (
       this.inputPasswordFlow === InputPasswordFlow.ChangeExistingPassword ||
       this.inputPasswordFlow ===
         InputPasswordFlow.ChangeExistingPasswordAndOptionallyRotateAccountEncryptionKey
     ) {
-      const currentPasswordEvaluatedSuccessfully = await this.evaluateCurrentPassword();
-      if (!currentPasswordEvaluatedSuccessfully) {
+      const currentPasswordIsCorrect = await this.verifyCurrentPassword(currentPassword);
+      if (!currentPasswordIsCorrect) {
         return;
       }
     }
 
     // 2. Evaluate new password
     const newPasswordEvaluatedSuccessfully = await this.evaluateNewPassword(
-      this.newPassword,
+      newPassword,
       this.passwordStrengthScore,
-      this.checkForBreaches,
+      checkForBreaches,
     );
     if (!newPasswordEvaluatedSuccessfully) {
       return;
     }
 
     // 3. Create cryptographic keys
-    if (this.email == null) {
-      throw new Error("Email is required to create master key.");
-    }
-
-    const kdfConfig = (await this.kdfConfigService.getKdfConfig()) || DEFAULT_KDF_CONFIG; // TODO-rr-bw: confirm this
-
     const newMasterKey = await this.keyService.makeMasterKey(
-      this.newPassword,
+      newPassword,
       this.email.trim().toLowerCase(),
-      kdfConfig,
+      this.kdfConfig,
     );
 
-    const serverMasterKeyHash = await this.keyService.hashMasterKey(
-      this.newPassword,
+    const newServerMasterKeyHash = await this.keyService.hashMasterKey(
+      newPassword,
       newMasterKey,
       HashPurpose.ServerAuthorization,
     );
 
-    const localMasterKeyHash = await this.keyService.hashMasterKey(
-      this.newPassword,
+    const newLocalMasterKeyHash = await this.keyService.hashMasterKey(
+      newPassword,
       newMasterKey,
       HashPurpose.LocalAuthorization,
     );
 
-    // 3. Emit cryptographic keys and other password related properties
     const passwordInputResult: PasswordInputResult = {
-      newPassword: this.newPassword,
-      hint: this.hint,
-      kdfConfig,
+      newPassword,
       newMasterKey,
-      serverMasterKeyHash,
-      localMasterKeyHash,
+      newServerMasterKeyHash,
+      newLocalMasterKeyHash,
+      newPasswordHint,
+      kdfConfig: this.kdfConfig,
     };
 
     if (
       this.inputPasswordFlow === InputPasswordFlow.ChangePassword ||
       this.inputPasswordFlow === InputPasswordFlow.ChangePasswordWithOptionalUserKeyRotation
     ) {
-      passwordInputResult.currentPassword = this.currentPassword;
+      const currentMasterKey = await this.keyService.makeMasterKey(
+        currentPassword,
+        this.email.trim().toLowerCase(),
+        this.kdfConfig,
+      );
+
+      const currentServerMasterKeyHash = await this.keyService.hashMasterKey(
+        currentPassword,
+        currentMasterKey,
+        HashPurpose.ServerAuthorization,
+      );
+
+      const currentLocalMasterKeyHash = await this.keyService.hashMasterKey(
+        currentPassword,
+        currentMasterKey,
+        HashPurpose.LocalAuthorization,
+      );
+
+      passwordInputResult.currentPassword = this.formGroup.get("currentPassword")?.value;
+      passwordInputResult.currentMasterKey = currentMasterKey;
+      passwordInputResult.currentServerMasterKeyHash = currentServerMasterKeyHash;
+      passwordInputResult.currentLocalMasterKeyHash = currentLocalMasterKeyHash;
     }
 
     if (
@@ -301,22 +306,28 @@ export class InputPasswordComponent implements OnInit {
       passwordInputResult.rotateAccountEncryptionKey = this.rotateAccountEncryptionKey;
     }
 
+    // 4. Emit cryptographic keys and other password related properties
     this.onPasswordFormSubmit.emit(passwordInputResult);
   };
 
-  // Returns true if the current password is correct, false otherwise
-  private async evaluateCurrentPassword(): Promise<boolean> {
+  /**
+   * Returns true if the current password is correct, false otherwise
+   */
+  private async verifyCurrentPassword(currentPassword: string): Promise<boolean> {
     const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
 
-    const masterKey = await this.keyService.makeMasterKey(
-      this.currentPassword,
-      await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.email))),
-      await this.kdfConfigService.getKdfConfig(),
+    const currentMasterKey = await this.keyService.makeMasterKey(
+      currentPassword,
+      this.email.trim().toLowerCase(),
+      this.kdfConfig,
     );
 
-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
+    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+      currentMasterKey,
+      userId,
+    );
 
-    if (userKey == null) {
+    if (decryptedUserKey == null) {
       this.toastService.showToast({
         variant: "error",
         title: null,
@@ -329,7 +340,9 @@ export class InputPasswordComponent implements OnInit {
     return true;
   }
 
-  // Returns true if the password passes all checks, false otherwise
+  /**
+   * Returns true if the new password passes all checks, false otherwise
+   */
   private async evaluateNewPassword(
     newPassword: string,
     passwordStrengthScore: PasswordStrengthScore,
@@ -395,7 +408,9 @@ export class InputPasswordComponent implements OnInit {
   }
 
   async rotateUserKeyClicked() {
-    if (this.rotateUserKey) {
+    const rotateUserKey = this.formGroup.get("rotateUserKey")?.value;
+
+    if (rotateUserKey) {
       const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
 
       const ciphers = await this.cipherService.getAllDecrypted(activeUserId);
diff --git a/libs/auth/src/angular/input-password/password-input-result.ts b/libs/auth/src/angular/input-password/password-input-result.ts
index cc834e30a32..b6f2af69469 100644
--- a/libs/auth/src/angular/input-password/password-input-result.ts
+++ b/libs/auth/src/angular/input-password/password-input-result.ts
@@ -2,12 +2,17 @@ import { MasterKey } from "@bitwarden/common/types/key";
 import { KdfConfig } from "@bitwarden/key-management";
 
 export interface PasswordInputResult {
-  newPassword: string;
-  hint: string;
-  kdfConfig: KdfConfig;
-  newMasterKey: MasterKey;
-  serverMasterKeyHash: string;
-  localMasterKeyHash: string;
   currentPassword?: string;
+  currentMasterKey?: MasterKey;
+  currentServerMasterKeyHash?: string;
+  currentLocalMasterKeyHash?: string;
+
+  newPassword: string;
+  newPasswordHint: string;
+  newMasterKey: MasterKey;
+  newServerMasterKeyHash: string;
+  newLocalMasterKeyHash: string;
+
+  kdfConfig: KdfConfig;
   rotateUserKey?: boolean;
 }