Merge branch 'main' into auth/pm-9115/implement-view-data-persistence-in-2FA-flows

libs/common/src/enums/feature-flag.enum.spec.ts

@@ -0,0 +1,38 @@
+import { mock } from "jest-mock-extended";
+
+import { ServerConfig } from "../platform/abstractions/config/server-config";
+
+import { getFeatureFlagValue, FeatureFlag, DefaultFeatureFlagValue } from "./feature-flag.enum";
+
+describe("getFeatureFlagValue", () => {
+  const testFlag = Object.values(FeatureFlag)[0];
+  const testFlagDefaultValue = DefaultFeatureFlagValue[testFlag];
+
+  it("returns default flag value when serverConfig is null", () => {
+    const result = getFeatureFlagValue(null, testFlag);
+    expect(result).toBe(testFlagDefaultValue);
+  });
+
+  it("returns default flag value when serverConfig.featureStates is undefined", () => {
+    const serverConfig = {} as ServerConfig;
+    const result = getFeatureFlagValue(serverConfig, testFlag);
+    expect(result).toBe(testFlagDefaultValue);
+  });
+
+  it("returns default flag value when the feature flag is not in serverConfig.featureStates", () => {
+    const serverConfig = mock<ServerConfig>();
+    serverConfig.featureStates = {};
+
+    const result = getFeatureFlagValue(serverConfig, testFlag);
+    expect(result).toBe(testFlagDefaultValue);
+  });
+
+  it("returns the flag value from serverConfig.featureStates when the feature flag exists", () => {
+    const expectedValue = true;
+    const serverConfig = mock<ServerConfig>();
+    serverConfig.featureStates = { [testFlag]: expectedValue };
+
+    const result = getFeatureFlagValue(serverConfig, testFlag);
+    expect(result).toBe(expectedValue);
+  });
+});

libs/common/src/enums/feature-flag.enum.ts

@@ -1,3 +1,5 @@
+import { ServerConfig } from "../platform/abstractions/config/server-config";
+
 /**
  * Feature flags.
  *
@@ -125,3 +127,14 @@ export const DefaultFeatureFlagValue = {
 export type DefaultFeatureFlagValueType = typeof DefaultFeatureFlagValue;
 
 export type FeatureFlagValueType<Flag extends FeatureFlag> = DefaultFeatureFlagValueType[Flag];
+
+export function getFeatureFlagValue<Flag extends FeatureFlag>(
+  serverConfig: ServerConfig | null,
+  flag: Flag,
+) {
+  if (serverConfig?.featureStates == null || serverConfig.featureStates[flag] == null) {
+    return DefaultFeatureFlagValue[flag];
+  }
+
+  return serverConfig.featureStates[flag] as FeatureFlagValueType<Flag>;
+}

libs/common/src/key-management/crypto/abstractions/bulk-encrypt.service.ts

@@ -1,10 +1,13 @@
-import { Decryptable } from "@bitwarden/common/platform/interfaces/decryptable.interface";
-import { InitializerMetadata } from "@bitwarden/common/platform/interfaces/initializer-metadata.interface";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { InitializerMetadata } from "../../../platform/interfaces/initializer-metadata.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
 
 export abstract class BulkEncryptService {
   abstract decryptItems<T extends InitializerMetadata>(
     items: Decryptable<T>[],
     key: SymmetricCryptoKey,
   ): Promise<T[]>;
+
+  abstract onServerConfigChange(newConfig: ServerConfig): void;
 }

libs/common/src/key-management/crypto/abstractions/encrypt.service.ts

@@ -1,9 +1,10 @@
-import { Decryptable } from "@bitwarden/common/platform/interfaces/decryptable.interface";
-import { Encrypted } from "@bitwarden/common/platform/interfaces/encrypted";
-import { InitializerMetadata } from "@bitwarden/common/platform/interfaces/initializer-metadata.interface";
-import { EncArrayBuffer } from "@bitwarden/common/platform/models/domain/enc-array-buffer";
-import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { Encrypted } from "../../../platform/interfaces/encrypted";
+import { InitializerMetadata } from "../../../platform/interfaces/initializer-metadata.interface";
+import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer";
+import { EncString } from "../../../platform/models/domain/enc-string";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
 
 export abstract class EncryptService {
   abstract encrypt(plainValue: string | Uint8Array, key: SymmetricCryptoKey): Promise<EncString>;
@@ -54,4 +55,6 @@ export abstract class EncryptService {
     value: string | Uint8Array,
     algorithm: "sha1" | "sha256" | "sha512",
   ): Promise<string>;
+
+  abstract onServerConfigChange(newConfig: ServerConfig): void;
 }

libs/common/src/key-management/crypto/services/bulk-encrypt.service.impementation.spec.ts

@@ -0,0 +1,170 @@
+import { mock, MockProxy } from "jest-mock-extended";
+import * as rxjs from "rxjs";
+
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { CryptoFunctionService } from "../../../platform/abstractions/crypto-function.service";
+import { LogService } from "../../../platform/abstractions/log.service";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { InitializerMetadata } from "../../../platform/interfaces/initializer-metadata.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { buildSetConfigMessage } from "../types/worker-command.type";
+
+import { BulkEncryptServiceImplementation } from "./bulk-encrypt.service.implementation";
+
+describe("BulkEncryptServiceImplementation", () => {
+  const cryptoFunctionService = mock<CryptoFunctionService>();
+  const logService = mock<LogService>();
+
+  let sut: BulkEncryptServiceImplementation;
+
+  beforeEach(() => {
+    sut = new BulkEncryptServiceImplementation(cryptoFunctionService, logService);
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  describe("decryptItems", () => {
+    const key = mock<SymmetricCryptoKey>();
+    const serverConfig = mock<ServerConfig>();
+    const mockWorker = mock<Worker>();
+    let globalWindow: any;
+
+    beforeEach(() => {
+      globalWindow = global.window;
+
+      // Mock creating a worker.
+      global.Worker = jest.fn().mockImplementation(() => mockWorker);
+      global.URL = jest.fn().mockImplementation(() => "url") as unknown as typeof URL;
+      global.URL.createObjectURL = jest.fn().mockReturnValue("blob:url");
+      global.URL.revokeObjectURL = jest.fn();
+      global.URL.canParse = jest.fn().mockReturnValue(true);
+
+      // Mock the workers returned response.
+      const mockMessageEvent = {
+        id: "mock-guid",
+        data: ["decrypted1", "decrypted2"],
+      };
+      const mockMessageEvent$ = rxjs.from([mockMessageEvent]);
+      jest.spyOn(rxjs, "fromEvent").mockReturnValue(mockMessageEvent$);
+    });
+
+    afterEach(() => {
+      global.window = globalWindow;
+    });
+
+    it("throws error if key is null", async () => {
+      const nullKey = null as unknown as SymmetricCryptoKey;
+      await expect(sut.decryptItems([], nullKey)).rejects.toThrow("No encryption key provided.");
+    });
+
+    it("returns an empty array when items is null", async () => {
+      const result = await sut.decryptItems(null as any, key);
+      expect(result).toEqual([]);
+    });
+
+    it("returns an empty array when items is empty", async () => {
+      const result = await sut.decryptItems([], key);
+      expect(result).toEqual([]);
+    });
+
+    it("decrypts items sequentially when window is undefined", async () => {
+      // Make global window undefined.
+      delete (global as any).window;
+
+      const mockItems = [createMockDecryptable("item1"), createMockDecryptable("item2")];
+
+      const result = await sut.decryptItems(mockItems, key);
+
+      expect(logService.info).toHaveBeenCalledWith(
+        "Window not available in BulkEncryptService, decrypting sequentially",
+      );
+      expect(result).toEqual(["item1", "item2"]);
+      expect(mockItems[0].decrypt).toHaveBeenCalledWith(key);
+      expect(mockItems[1].decrypt).toHaveBeenCalledWith(key);
+    });
+
+    it("uses workers for decryption when window is available", async () => {
+      const mockDecryptedItems = ["decrypted1", "decrypted2"];
+      jest
+        .spyOn<any, any>(sut, "getDecryptedItemsFromWorkers")
+        .mockResolvedValue(mockDecryptedItems);
+
+      const mockItems = [createMockDecryptable("item1"), createMockDecryptable("item2")];
+
+      const result = await sut.decryptItems(mockItems, key);
+
+      expect(sut["getDecryptedItemsFromWorkers"]).toHaveBeenCalledWith(mockItems, key);
+      expect(result).toEqual(mockDecryptedItems);
+    });
+
+    it("creates new worker when none exist", async () => {
+      (sut as any).currentServerConfig = undefined;
+      const mockItems = [createMockDecryptable("item1"), createMockDecryptable("item2")];
+
+      await sut.decryptItems(mockItems, key);
+
+      expect(global.Worker).toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(1);
+      expect(mockWorker.postMessage).not.toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+
+    it("sends a SetConfigMessage to the new worker when there is a current server config", async () => {
+      (sut as any).currentServerConfig = serverConfig;
+      const mockItems = [createMockDecryptable("item1"), createMockDecryptable("item2")];
+
+      await sut.decryptItems(mockItems, key);
+
+      expect(global.Worker).toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(2);
+      expect(mockWorker.postMessage).toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+
+    it("does not create worker if one exists", async () => {
+      (sut as any).currentServerConfig = serverConfig;
+      (sut as any).workers = [mockWorker];
+      const mockItems = [createMockDecryptable("item1"), createMockDecryptable("item2")];
+
+      await sut.decryptItems(mockItems, key);
+
+      expect(global.Worker).not.toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(1);
+      expect(mockWorker.postMessage).not.toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+  });
+
+  describe("onServerConfigChange", () => {
+    it("updates internal currentServerConfig to new config", () => {
+      const newConfig = mock<ServerConfig>();
+
+      sut.onServerConfigChange(newConfig);
+
+      expect((sut as any).currentServerConfig).toBe(newConfig);
+    });
+
+    it("does send a SetConfigMessage to workers when there is a worker", () => {
+      const newConfig = mock<ServerConfig>();
+      const mockWorker = mock<Worker>();
+      (sut as any).workers = [mockWorker];
+
+      sut.onServerConfigChange(newConfig);
+
+      expect(mockWorker.postMessage).toHaveBeenCalledWith(buildSetConfigMessage({ newConfig }));
+    });
+  });
+});
+
+function createMockDecryptable<T extends InitializerMetadata>(
+  returnValue: any,
+): MockProxy<Decryptable<T>> {
+  const mockDecryptable = mock<Decryptable<T>>();
+  mockDecryptable.decrypt.mockResolvedValue(returnValue);
+  return mockDecryptable;
+}

libs/common/src/key-management/crypto/services/bulk-encrypt.service.implementation.ts

@@ -12,6 +12,9 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { getClassInitializer } from "@bitwarden/common/platform/services/cryptography/get-class-initializer";
 
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { buildDecryptMessage, buildSetConfigMessage } from "../types/worker-command.type";
+
 // TTL (time to live) is not strictly required but avoids tying up memory resources if inactive
 const workerTTL = 60000; // 1 minute
 const maxWorkers = 8;
@@ -20,6 +23,7 @@ const minNumberOfItemsForMultithreading = 400;
 export class BulkEncryptServiceImplementation implements BulkEncryptService {
   private workers: Worker[] = [];
   private timeout: any;
+  private currentServerConfig: ServerConfig | undefined = undefined;
 
   private clear$ = new Subject<void>();
 
@@ -57,6 +61,11 @@ export class BulkEncryptServiceImplementation implements BulkEncryptService {
     return decryptedItems;
   }
 
+  onServerConfigChange(newConfig: ServerConfig): void {
+    this.currentServerConfig = newConfig;
+    this.updateWorkerServerConfigs(newConfig);
+  }
+
   /**
    * Sends items to a set of web workers to decrypt them. This utilizes multiple workers to decrypt items
    * faster without interrupting other operations (e.g. updating UI).
@@ -93,6 +102,9 @@ export class BulkEncryptServiceImplementation implements BulkEncryptService {
           ),
         );
       }
+      if (this.currentServerConfig != undefined) {
+        this.updateWorkerServerConfigs(this.currentServerConfig);
+      }
     }
 
     const itemsPerWorker = Math.floor(items.length / this.workers.length);
@@ -108,17 +120,18 @@ export class BulkEncryptServiceImplementation implements BulkEncryptService {
         itemsForWorker.push(...items.slice(end));
       }
 
-      const request = {
-        id: Utils.newGuid(),
+      const id = Utils.newGuid();
+      const request = buildDecryptMessage({
+        id,
         items: itemsForWorker,
         key: key,
-      };
+      });
 
-      worker.postMessage(JSON.stringify(request));
+      worker.postMessage(request);
       results.push(
         firstValueFrom(
           fromEvent(worker, "message").pipe(
-            filter((response: MessageEvent) => response.data?.id === request.id),
+            filter((response: MessageEvent) => response.data?.id === id),
             map((response) => JSON.parse(response.data.items)),
             map((items) =>
               items.map((jsonItem: Jsonify<T>) => {
@@ -143,6 +156,13 @@ export class BulkEncryptServiceImplementation implements BulkEncryptService {
     return decryptedItems;
   }
 
+  private updateWorkerServerConfigs(newConfig: ServerConfig) {
+    this.workers.forEach((worker) => {
+      const request = buildSetConfigMessage({ newConfig });
+      worker.postMessage(request);
+    });
+  }
+
   private clear() {
     this.clear$.next();
     for (const worker of this.workers) {

libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

@@ -15,6 +15,7 @@ import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
 import { EncryptedObject } from "@bitwarden/common/platform/models/domain/encrypted-object";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
 import { EncryptService } from "../abstractions/encrypt.service";
 
 export class EncryptServiceImplementation implements EncryptService {
@@ -24,6 +25,11 @@ export class EncryptServiceImplementation implements EncryptService {
     protected logMacFailures: boolean,
   ) {}
 
+  // Handle updating private properties to turn on/off feature flags.
+  onServerConfigChange(newConfig: ServerConfig): void {
+    return;
+  }
+
   async encrypt(plainValue: string | Uint8Array, key: SymmetricCryptoKey): Promise<EncString> {
     if (key == null) {
       throw new Error("No encryption key provided.");

libs/common/src/key-management/crypto/services/encrypt.worker.ts

@@ -2,12 +2,19 @@
 // @ts-strict-ignore
 import { Jsonify } from "type-fest";
 
-import { Decryptable } from "@bitwarden/common/platform/interfaces/decryptable.interface";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
-import { ConsoleLogService } from "@bitwarden/common/platform/services/console-log.service";
-import { ContainerService } from "@bitwarden/common/platform/services/container.service";
-import { getClassInitializer } from "@bitwarden/common/platform/services/cryptography/get-class-initializer";
-import { WebCryptoFunctionService } from "@bitwarden/common/platform/services/web-crypto-function.service";
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { LogService } from "../../../platform/abstractions/log.service";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { ConsoleLogService } from "../../../platform/services/console-log.service";
+import { ContainerService } from "../../../platform/services/container.service";
+import { getClassInitializer } from "../../../platform/services/cryptography/get-class-initializer";
+import { WebCryptoFunctionService } from "../../../platform/services/web-crypto-function.service";
+import {
+  DECRYPT_COMMAND,
+  SET_CONFIG_COMMAND,
+  ParsedDecryptCommandData,
+} from "../types/worker-command.type";
 
 import { EncryptServiceImplementation } from "./encrypt.service.implementation";
 
@@ -15,13 +22,14 @@ const workerApi: Worker = self as any;
 
 let inited = false;
 let encryptService: EncryptServiceImplementation;
+let logService: LogService;
 
 /**
  * Bootstrap the worker environment with services required for decryption
  */
 export function init() {
   const cryptoFunctionService = new WebCryptoFunctionService(self);
-  const logService = new ConsoleLogService(false);
+  logService = new ConsoleLogService(false);
   encryptService = new EncryptServiceImplementation(cryptoFunctionService, logService, true);
 
   const bitwardenContainerService = new ContainerService(null, encryptService);
@@ -39,11 +47,22 @@ workerApi.addEventListener("message", async (event: { data: string }) => {
   }
 
   const request: {
-    id: string;
-    items: Jsonify<Decryptable<any>>[];
-    key: Jsonify<SymmetricCryptoKey>;
+    command: string;
   } = JSON.parse(event.data);
 
+  switch (request.command) {
+    case DECRYPT_COMMAND:
+      return await handleDecrypt(request as unknown as ParsedDecryptCommandData);
+    case SET_CONFIG_COMMAND: {
+      const newConfig = (request as unknown as { newConfig: Jsonify<ServerConfig> }).newConfig;
+      return await handleSetConfig(newConfig);
+    }
+    default:
+      logService.error(`[EncryptWorker] unknown worker command`, request.command, request);
+  }
+});
+
+async function handleDecrypt(request: ParsedDecryptCommandData) {
   const key = SymmetricCryptoKey.fromJSON(request.key);
   const items = request.items.map((jsonItem) => {
     const initializer = getClassInitializer<Decryptable<any>>(jsonItem.initializerKey);
@@ -55,4 +74,8 @@ workerApi.addEventListener("message", async (event: { data: string }) => {
     id: request.id,
     items: JSON.stringify(result),
   });
-});
+}
+
+async function handleSetConfig(newConfig: Jsonify<ServerConfig>) {
+  encryptService.onServerConfigChange(ServerConfig.fromJSON(newConfig));
+}

libs/common/src/key-management/crypto/services/fallback-bulk-encrypt.service.spec.ts

@@ -0,0 +1,97 @@
+import { mock } from "jest-mock-extended";
+
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { BulkEncryptService } from "../abstractions/bulk-encrypt.service";
+import { EncryptService } from "../abstractions/encrypt.service";
+
+import { FallbackBulkEncryptService } from "./fallback-bulk-encrypt.service";
+
+describe("FallbackBulkEncryptService", () => {
+  const encryptService = mock<EncryptService>();
+  const featureFlagEncryptService = mock<BulkEncryptService>();
+  const serverConfig = mock<ServerConfig>();
+
+  let sut: FallbackBulkEncryptService;
+
+  beforeEach(() => {
+    sut = new FallbackBulkEncryptService(encryptService);
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  describe("decryptItems", () => {
+    const key = mock<SymmetricCryptoKey>();
+    const mockItems = [{ id: "guid", name: "encryptedValue" }] as any[];
+    const mockDecryptedItems = [{ id: "guid", name: "decryptedValue" }] as any[];
+
+    it("calls decryptItems on featureFlagEncryptService when it is set", async () => {
+      featureFlagEncryptService.decryptItems.mockResolvedValue(mockDecryptedItems);
+      await sut.setFeatureFlagEncryptService(featureFlagEncryptService);
+
+      const result = await sut.decryptItems(mockItems, key);
+
+      expect(featureFlagEncryptService.decryptItems).toHaveBeenCalledWith(mockItems, key);
+      expect(encryptService.decryptItems).not.toHaveBeenCalled();
+      expect(result).toEqual(mockDecryptedItems);
+    });
+
+    it("calls decryptItems on encryptService when featureFlagEncryptService is not set", async () => {
+      encryptService.decryptItems.mockResolvedValue(mockDecryptedItems);
+
+      const result = await sut.decryptItems(mockItems, key);
+
+      expect(encryptService.decryptItems).toHaveBeenCalledWith(mockItems, key);
+      expect(result).toEqual(mockDecryptedItems);
+    });
+  });
+
+  describe("setFeatureFlagEncryptService", () => {
+    it("sets the featureFlagEncryptService property", async () => {
+      await sut.setFeatureFlagEncryptService(featureFlagEncryptService);
+
+      expect((sut as any).featureFlagEncryptService).toBe(featureFlagEncryptService);
+    });
+
+    it("does not call onServerConfigChange when currentServerConfig is undefined", async () => {
+      await sut.setFeatureFlagEncryptService(featureFlagEncryptService);
+
+      expect(featureFlagEncryptService.onServerConfigChange).not.toHaveBeenCalled();
+      expect((sut as any).featureFlagEncryptService).toBe(featureFlagEncryptService);
+    });
+
+    it("calls onServerConfigChange with currentServerConfig when it is defined", async () => {
+      sut.onServerConfigChange(serverConfig);
+
+      await sut.setFeatureFlagEncryptService(featureFlagEncryptService);
+
+      expect(featureFlagEncryptService.onServerConfigChange).toHaveBeenCalledWith(serverConfig);
+      expect((sut as any).featureFlagEncryptService).toBe(featureFlagEncryptService);
+    });
+  });
+
+  describe("onServerConfigChange", () => {
+    it("updates internal currentServerConfig to new config", async () => {
+      sut.onServerConfigChange(serverConfig);
+
+      expect((sut as any).currentServerConfig).toBe(serverConfig);
+    });
+
+    it("calls onServerConfigChange on featureFlagEncryptService when it is set", async () => {
+      await sut.setFeatureFlagEncryptService(featureFlagEncryptService);
+
+      sut.onServerConfigChange(serverConfig);
+
+      expect(featureFlagEncryptService.onServerConfigChange).toHaveBeenCalledWith(serverConfig);
+      expect(encryptService.onServerConfigChange).not.toHaveBeenCalled();
+    });
+
+    it("calls onServerConfigChange on encryptService when featureFlagEncryptService is not set", () => {
+      sut.onServerConfigChange(serverConfig);
+
+      expect(encryptService.onServerConfigChange).toHaveBeenCalledWith(serverConfig);
+    });
+  });
+});

libs/common/src/key-management/crypto/services/fallback-bulk-encrypt.service.ts

@@ -5,6 +5,7 @@ import { Decryptable } from "@bitwarden/common/platform/interfaces/decryptable.i
 import { InitializerMetadata } from "@bitwarden/common/platform/interfaces/initializer-metadata.interface";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
 import { EncryptService } from "../abstractions/encrypt.service";
 
 /**
@@ -12,6 +13,7 @@ import { EncryptService } from "../abstractions/encrypt.service";
  */
 export class FallbackBulkEncryptService implements BulkEncryptService {
   private featureFlagEncryptService: BulkEncryptService;
+  private currentServerConfig: ServerConfig | undefined = undefined;
 
   constructor(protected encryptService: EncryptService) {}
 
@@ -31,6 +33,14 @@ export class FallbackBulkEncryptService implements BulkEncryptService {
   }
 
   async setFeatureFlagEncryptService(featureFlagEncryptService: BulkEncryptService) {
+    if (this.currentServerConfig !== undefined) {
+      featureFlagEncryptService.onServerConfigChange(this.currentServerConfig);
+    }
     this.featureFlagEncryptService = featureFlagEncryptService;
   }
+
+  onServerConfigChange(newConfig: ServerConfig): void {
+    this.currentServerConfig = newConfig;
+    (this.featureFlagEncryptService ?? this.encryptService).onServerConfigChange(newConfig);
+  }
 }

libs/common/src/key-management/crypto/services/multithread-encrypt.service.implementation.spec.ts

@@ -0,0 +1,123 @@
+import { mock } from "jest-mock-extended";
+import * as rxjs from "rxjs";
+
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { CryptoFunctionService } from "../../../platform/abstractions/crypto-function.service";
+import { LogService } from "../../../platform/abstractions/log.service";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { buildSetConfigMessage } from "../types/worker-command.type";
+
+import { EncryptServiceImplementation } from "./encrypt.service.implementation";
+import { MultithreadEncryptServiceImplementation } from "./multithread-encrypt.service.implementation";
+
+describe("MultithreadEncryptServiceImplementation", () => {
+  const cryptoFunctionService = mock<CryptoFunctionService>();
+  const logService = mock<LogService>();
+  const serverConfig = mock<ServerConfig>();
+
+  let sut: MultithreadEncryptServiceImplementation;
+
+  beforeEach(() => {
+    sut = new MultithreadEncryptServiceImplementation(cryptoFunctionService, logService, true);
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  describe("decryptItems", () => {
+    const key = mock<SymmetricCryptoKey>();
+    const mockWorker = mock<Worker>();
+
+    beforeEach(() => {
+      // Mock creating a worker.
+      global.Worker = jest.fn().mockImplementation(() => mockWorker);
+      global.URL = jest.fn().mockImplementation(() => "url") as unknown as typeof URL;
+      global.URL.createObjectURL = jest.fn().mockReturnValue("blob:url");
+      global.URL.revokeObjectURL = jest.fn();
+      global.URL.canParse = jest.fn().mockReturnValue(true);
+
+      // Mock the workers returned response.
+      const mockMessageEvent = {
+        id: "mock-guid",
+        data: ["decrypted1", "decrypted2"],
+      };
+      const mockMessageEvent$ = rxjs.from([mockMessageEvent]);
+      jest.spyOn(rxjs, "fromEvent").mockReturnValue(mockMessageEvent$);
+    });
+
+    it("returns empty array if items is null", async () => {
+      const items = null as unknown as Decryptable<any>[];
+      const result = await sut.decryptItems(items, key);
+      expect(result).toEqual([]);
+    });
+
+    it("returns empty array if items is empty", async () => {
+      const result = await sut.decryptItems([], key);
+      expect(result).toEqual([]);
+    });
+
+    it("creates worker if none exists", async () => {
+      // Make sure currentServerConfig is undefined so a SetConfigMessage is not sent.
+      (sut as any).currentServerConfig = undefined;
+
+      await sut.decryptItems([mock<Decryptable<any>>(), mock<Decryptable<any>>()], key);
+
+      expect(global.Worker).toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(1);
+      expect(mockWorker.postMessage).not.toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+
+    it("sends a SetConfigMessage to the new worker when there is a current server config", async () => {
+      // Populate currentServerConfig so a SetConfigMessage is sent.
+      (sut as any).currentServerConfig = serverConfig;
+
+      await sut.decryptItems([mock<Decryptable<any>>(), mock<Decryptable<any>>()], key);
+
+      expect(global.Worker).toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(2);
+      expect(mockWorker.postMessage).toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+
+    it("does not create worker if one exists", async () => {
+      (sut as any).currentServerConfig = serverConfig;
+      (sut as any).worker = mockWorker;
+
+      await sut.decryptItems([mock<Decryptable<any>>(), mock<Decryptable<any>>()], key);
+
+      expect(global.Worker).not.toHaveBeenCalled();
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(1);
+      expect(mockWorker.postMessage).not.toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+  });
+
+  describe("onServerConfigChange", () => {
+    it("updates internal currentServerConfig to new config and calls super", () => {
+      const superSpy = jest.spyOn(EncryptServiceImplementation.prototype, "onServerConfigChange");
+
+      sut.onServerConfigChange(serverConfig);
+
+      expect(superSpy).toHaveBeenCalledWith(serverConfig);
+      expect((sut as any).currentServerConfig).toBe(serverConfig);
+    });
+
+    it("sends config update to worker if worker exists", () => {
+      const mockWorker = mock<Worker>();
+      (sut as any).worker = mockWorker;
+
+      sut.onServerConfigChange(serverConfig);
+
+      expect(mockWorker.postMessage).toHaveBeenCalledTimes(1);
+      expect(mockWorker.postMessage).toHaveBeenCalledWith(
+        buildSetConfigMessage({ newConfig: serverConfig }),
+      );
+    });
+  });
+});

libs/common/src/key-management/crypto/services/multithread-encrypt.service.implementation.ts

@@ -9,6 +9,9 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { getClassInitializer } from "@bitwarden/common/platform/services/cryptography/get-class-initializer";
 
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { buildDecryptMessage, buildSetConfigMessage } from "../types/worker-command.type";
+
 import { EncryptServiceImplementation } from "./encrypt.service.implementation";
 
 // TTL (time to live) is not strictly required but avoids tying up memory resources if inactive
@@ -20,6 +23,7 @@ const workerTTL = 3 * 60000; // 3 minutes
 export class MultithreadEncryptServiceImplementation extends EncryptServiceImplementation {
   private worker: Worker;
   private timeout: any;
+  private currentServerConfig: ServerConfig | undefined = undefined;
 
   private clear$ = new Subject<void>();
 
@@ -37,27 +41,33 @@ export class MultithreadEncryptServiceImplementation extends EncryptServiceImple
 
     this.logService.info("Starting decryption using multithreading");
 
-    this.worker ??= new Worker(
-      new URL(
-        /* webpackChunkName: 'encrypt-worker' */
-        "@bitwarden/common/key-management/crypto/services/encrypt.worker.ts",
-        import.meta.url,
-      ),
-    );
+    if (this.worker == null) {
+      this.worker = new Worker(
+        new URL(
+          /* webpackChunkName: 'encrypt-worker' */
+          "@bitwarden/common/key-management/crypto/services/encrypt.worker.ts",
+          import.meta.url,
+        ),
+      );
+      if (this.currentServerConfig !== undefined) {
+        this.updateWorkerServerConfig(this.currentServerConfig);
+      }
+    }
 
     this.restartTimeout();
 
-    const request = {
-      id: Utils.newGuid(),
+    const id = Utils.newGuid();
+    const request = buildDecryptMessage({
+      id,
       items: items,
       key: key,
-    };
+    });
 
-    this.worker.postMessage(JSON.stringify(request));
+    this.worker.postMessage(request);
 
     return await firstValueFrom(
       fromEvent(this.worker, "message").pipe(
-        filter((response: MessageEvent) => response.data?.id === request.id),
+        filter((response: MessageEvent) => response.data?.id === id),
         map((response) => JSON.parse(response.data.items)),
         map((items) =>
           items.map((jsonItem: Jsonify<T>) => {
@@ -71,6 +81,19 @@ export class MultithreadEncryptServiceImplementation extends EncryptServiceImple
     );
   }
 
+  override onServerConfigChange(newConfig: ServerConfig): void {
+    this.currentServerConfig = newConfig;
+    super.onServerConfigChange(newConfig);
+    this.updateWorkerServerConfig(newConfig);
+  }
+
+  private updateWorkerServerConfig(newConfig: ServerConfig) {
+    if (this.worker != null) {
+      const request = buildSetConfigMessage({ newConfig });
+      this.worker.postMessage(request);
+    }
+  }
+
   private clear() {
     this.clear$.next();
     this.worker?.terminate();

libs/common/src/key-management/crypto/types/worker-command.type.spec.ts

@@ -0,0 +1,67 @@
+import { mock } from "jest-mock-extended";
+
+import { makeStaticByteArray } from "../../../../spec";
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+
+import {
+  DECRYPT_COMMAND,
+  DecryptCommandData,
+  SET_CONFIG_COMMAND,
+  buildDecryptMessage,
+  buildSetConfigMessage,
+} from "./worker-command.type";
+
+describe("Worker command types", () => {
+  describe("buildDecryptMessage", () => {
+    it("builds a message with the correct command", () => {
+      const commandData = createDecryptCommandData();
+
+      const result = buildDecryptMessage(commandData);
+
+      const parsedResult = JSON.parse(result);
+      expect(parsedResult.command).toBe(DECRYPT_COMMAND);
+    });
+
+    it("includes the provided data in the message", () => {
+      const mockItems = [{ encrypted: "test-encrypted" } as unknown as Decryptable<any>];
+      const commandData = createDecryptCommandData(mockItems);
+
+      const result = buildDecryptMessage(commandData);
+
+      const parsedResult = JSON.parse(result);
+      expect(parsedResult.command).toBe(DECRYPT_COMMAND);
+      expect(parsedResult.id).toBe("test-id");
+      expect(parsedResult.items).toEqual(mockItems);
+      expect(SymmetricCryptoKey.fromJSON(parsedResult.key)).toEqual(commandData.key);
+    });
+  });
+
+  describe("buildSetConfigMessage", () => {
+    it("builds a message with the correct command", () => {
+      const result = buildSetConfigMessage({ newConfig: mock<ServerConfig>() });
+
+      const parsedResult = JSON.parse(result);
+      expect(parsedResult.command).toBe(SET_CONFIG_COMMAND);
+    });
+
+    it("includes the provided data in the message", () => {
+      const serverConfig = { version: "test-version" } as unknown as ServerConfig;
+
+      const result = buildSetConfigMessage({ newConfig: serverConfig });
+
+      const parsedResult = JSON.parse(result);
+      expect(parsedResult.command).toBe(SET_CONFIG_COMMAND);
+      expect(ServerConfig.fromJSON(parsedResult.newConfig).version).toEqual(serverConfig.version);
+    });
+  });
+});
+
+function createDecryptCommandData(items?: Decryptable<any>[]): DecryptCommandData {
+  return {
+    id: "test-id",
+    items: items ?? [],
+    key: new SymmetricCryptoKey(makeStaticByteArray(64)),
+  };
+}

libs/common/src/key-management/crypto/types/worker-command.type.ts

@@ -0,0 +1,36 @@
+import { Jsonify } from "type-fest";
+
+import { ServerConfig } from "../../../platform/abstractions/config/server-config";
+import { Decryptable } from "../../../platform/interfaces/decryptable.interface";
+import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+
+export const DECRYPT_COMMAND = "decrypt";
+export const SET_CONFIG_COMMAND = "updateConfig";
+
+export type DecryptCommandData = {
+  id: string;
+  items: Decryptable<any>[];
+  key: SymmetricCryptoKey;
+};
+
+export type ParsedDecryptCommandData = {
+  id: string;
+  items: Jsonify<Decryptable<any>>[];
+  key: Jsonify<SymmetricCryptoKey>;
+};
+
+type SetConfigCommandData = { newConfig: ServerConfig };
+
+export function buildDecryptMessage(data: DecryptCommandData): string {
+  return JSON.stringify({
+    command: DECRYPT_COMMAND,
+    ...data,
+  });
+}
+
+export function buildSetConfigMessage(data: SetConfigCommandData): string {
+  return JSON.stringify({
+    command: SET_CONFIG_COMMAND,
+    ...data,
+  });
+}

libs/common/src/platform/services/config/default-config.service.ts

@@ -17,11 +17,7 @@ import { SemVer } from "semver";
 
 import { AuthService } from "../../../auth/abstractions/auth.service";
 import { AuthenticationStatus } from "../../../auth/enums/authentication-status";
-import {
-  DefaultFeatureFlagValue,
-  FeatureFlag,
-  FeatureFlagValueType,
-} from "../../../enums/feature-flag.enum";
+import { FeatureFlag, getFeatureFlagValue } from "../../../enums/feature-flag.enum";
 import { UserId } from "../../../types/guid";
 import { ConfigApiServiceAbstraction } from "../../abstractions/config/config-api.service.abstraction";
 import { ConfigService } from "../../abstractions/config/config.service";
@@ -123,26 +119,13 @@ export class DefaultConfigService implements ConfigService {
   }
 
   getFeatureFlag$<Flag extends FeatureFlag>(key: Flag) {
-    return this.serverConfig$.pipe(
-      map((serverConfig) => this.getFeatureFlagValue(serverConfig, key)),
-    );
-  }
-
-  private getFeatureFlagValue<Flag extends FeatureFlag>(
-    serverConfig: ServerConfig | null,
-    flag: Flag,
-  ) {
-    if (serverConfig?.featureStates == null || serverConfig.featureStates[flag] == null) {
-      return DefaultFeatureFlagValue[flag];
-    }
-
-    return serverConfig.featureStates[flag] as FeatureFlagValueType<Flag>;
+    return this.serverConfig$.pipe(map((serverConfig) => getFeatureFlagValue(serverConfig, key)));
   }
 
   userCachedFeatureFlag$<Flag extends FeatureFlag>(key: Flag, userId: UserId) {
     return this.stateProvider
       .getUser(userId, USER_SERVER_CONFIG)
-      .state$.pipe(map((config) => this.getFeatureFlagValue(config, key)));
+      .state$.pipe(map((config) => getFeatureFlagValue(config, key)));
   }
 
   async getFeatureFlag<Flag extends FeatureFlag>(key: Flag) {

libs/common/src/platform/state/state-definitions.ts

@@ -206,3 +206,4 @@ export const VAULT_APPEARANCE = new StateDefinition("vaultAppearance", "disk");
 export const SECURITY_TASKS_DISK = new StateDefinition("securityTasks", "disk");
 export const AT_RISK_PASSWORDS_PAGE_DISK = new StateDefinition("atRiskPasswordsPage", "disk");
 export const NOTIFICATION_DISK = new StateDefinition("notifications", "disk");
+export const VAULT_NUDGES_DISK = new StateDefinition("vaultNudges", "disk");

libs/common/src/vault/abstractions/cipher.service.ts

@@ -31,7 +31,7 @@ export abstract class CipherService implements UserKeyRotationDataProvider<Ciphe
    *
    * An empty array indicates that all ciphers were successfully decrypted.
    */
-  abstract failedToDecryptCiphers$(userId: UserId): Observable<CipherView[]>;
+  abstract failedToDecryptCiphers$(userId: UserId): Observable<CipherView[] | null>;
   abstract clearCache(userId: UserId): Promise<void>;
   abstract encrypt(
     model: CipherView,

libs/common/src/vault/tasks/abstractions/task.service.ts

@@ -0,0 +1,46 @@
+import { Observable } from "rxjs";
+
+import { SecurityTaskId, UserId } from "@bitwarden/common/types/guid";
+
+import { SecurityTask } from "../models";
+
+export abstract class TaskService {
+  /**
+   * Observable indicating if tasks are enabled for a given user.
+   *
+   * @remarks Internally, this checks the user's organization details to determine if tasks are enabled.
+   * @param userId
+   */
+  abstract tasksEnabled$(userId: UserId): Observable<boolean>;
+
+  /**
+   * Observable of all tasks for a given user.
+   * @param userId
+   */
+  abstract tasks$(userId: UserId): Observable<SecurityTask[]>;
+
+  /**
+   * Observable of pending tasks for a given user.
+   * @param userId
+   */
+  abstract pendingTasks$(userId: UserId): Observable<SecurityTask[]>;
+
+  /**
+   * Retrieves tasks from the API for a given user and updates the local state.
+   * @param userId
+   */
+  abstract refreshTasks(userId: UserId): Promise<void>;
+
+  /**
+   * Clears all the tasks from state for the given user.
+   * @param userId
+   */
+  abstract clear(userId: UserId): Promise<void>;
+
+  /**
+   * Marks a task as complete in local state and updates the server.
+   * @param taskId - The ID of the task to mark as complete.
+   * @param userId - The user who is completing the task.
+   */
+  abstract markAsComplete(taskId: SecurityTaskId, userId: UserId): Promise<void>;
+}

libs/common/src/vault/tasks/enums/index.ts

@@ -0,0 +1,2 @@
+export * from "./security-task-status.enum";
+export * from "./security-task-type.enum";

libs/common/src/vault/tasks/enums/security-task-status.enum.ts

@@ -0,0 +1,11 @@
+export enum SecurityTaskStatus {
+  /**
+   * Default status for newly created tasks that have not been completed.
+   */
+  Pending = 0,
+
+  /**
+   * Status when a task is considered complete and has no remaining actions
+   */
+  Completed = 1,
+}

libs/common/src/vault/tasks/enums/security-task-type.enum.ts

@@ -0,0 +1,6 @@
+export enum SecurityTaskType {
+  /**
+   * Task to update a cipher's password that was found to be at-risk by an administrator
+   */
+  UpdateAtRiskCredential = 0,
+}

libs/common/src/vault/tasks/index.ts

@@ -0,0 +1,5 @@
+export * from "./enums";
+export * from "./models";
+
+export * from "./abstractions/task.service";
+export * from "./services/default-task.service";

libs/common/src/vault/tasks/models/index.ts

@@ -0,0 +1,3 @@
+export * from "./security-task";
+export * from "./security-task.data";
+export * from "./security-task.response";

libs/common/src/vault/tasks/models/security-task.data.ts

@@ -0,0 +1,34 @@
+import { Jsonify } from "type-fest";
+
+import { CipherId, OrganizationId, SecurityTaskId } from "@bitwarden/common/types/guid";
+
+import { SecurityTaskStatus, SecurityTaskType } from "../enums";
+
+import { SecurityTaskResponse } from "./security-task.response";
+
+export class SecurityTaskData {
+  id: SecurityTaskId;
+  organizationId: OrganizationId;
+  cipherId: CipherId | undefined;
+  type: SecurityTaskType;
+  status: SecurityTaskStatus;
+  creationDate: Date;
+  revisionDate: Date;
+
+  constructor(response: SecurityTaskResponse) {
+    this.id = response.id;
+    this.organizationId = response.organizationId;
+    this.cipherId = response.cipherId;
+    this.type = response.type;
+    this.status = response.status;
+    this.creationDate = response.creationDate;
+    this.revisionDate = response.revisionDate;
+  }
+
+  static fromJSON(obj: Jsonify<SecurityTaskData>) {
+    return Object.assign(new SecurityTaskData({} as SecurityTaskResponse), obj, {
+      creationDate: new Date(obj.creationDate),
+      revisionDate: new Date(obj.revisionDate),
+    });
+  }
+}

libs/common/src/vault/tasks/models/security-task.response.ts

@@ -0,0 +1,28 @@
+import { BaseResponse } from "@bitwarden/common/models/response/base.response";
+import { CipherId, OrganizationId, SecurityTaskId } from "@bitwarden/common/types/guid";
+
+import { SecurityTaskStatus, SecurityTaskType } from "../enums";
+
+export class SecurityTaskResponse extends BaseResponse {
+  id: SecurityTaskId;
+  organizationId: OrganizationId;
+  /**
+   * Optional cipherId for tasks that are related to a cipher.
+   */
+  cipherId: CipherId | undefined;
+  type: SecurityTaskType;
+  status: SecurityTaskStatus;
+  creationDate: Date;
+  revisionDate: Date;
+
+  constructor(response: any) {
+    super(response);
+    this.id = this.getResponseProperty("Id");
+    this.organizationId = this.getResponseProperty("OrganizationId");
+    this.cipherId = this.getResponseProperty("CipherId") || undefined;
+    this.type = this.getResponseProperty("Type");
+    this.status = this.getResponseProperty("Status");
+    this.creationDate = this.getResponseProperty("CreationDate");
+    this.revisionDate = this.getResponseProperty("RevisionDate");
+  }
+}

libs/common/src/vault/tasks/models/security-task.ts

@@ -0,0 +1,28 @@
+import { CipherId, OrganizationId, SecurityTaskId } from "@bitwarden/common/types/guid";
+
+import { SecurityTaskStatus, SecurityTaskType } from "../enums";
+
+import { SecurityTaskData } from "./security-task.data";
+
+export class SecurityTask {
+  id: SecurityTaskId;
+  organizationId: OrganizationId;
+  /**
+   * Optional cipherId for tasks that are related to a cipher.
+   */
+  cipherId: CipherId | undefined;
+  type: SecurityTaskType;
+  status: SecurityTaskStatus;
+  creationDate: Date;
+  revisionDate: Date;
+
+  constructor(obj: SecurityTaskData) {
+    this.id = obj.id;
+    this.organizationId = obj.organizationId;
+    this.cipherId = obj.cipherId;
+    this.type = obj.type;
+    this.status = obj.status;
+    this.creationDate = obj.creationDate;
+    this.revisionDate = obj.revisionDate;
+  }
+}

libs/common/src/vault/tasks/services/default-task.service.spec.ts

@@ -0,0 +1,260 @@
+import { BehaviorSubject, firstValueFrom } from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { SecurityTaskId, UserId } from "@bitwarden/common/types/guid";
+
+import { FakeStateProvider, mockAccountServiceWith } from "../../../../spec";
+import { SecurityTaskStatus } from "../enums";
+import { SecurityTaskData, SecurityTaskResponse } from "../models";
+import { SECURITY_TASKS } from "../state/security-task.state";
+
+import { DefaultTaskService } from "./default-task.service";
+
+describe("Default task service", () => {
+  let fakeStateProvider: FakeStateProvider;
+
+  const mockApiSend = jest.fn();
+  const mockGetAllOrgs$ = jest.fn();
+  const mockGetFeatureFlag$ = jest.fn();
+
+  let service: DefaultTaskService;
+
+  beforeEach(async () => {
+    mockApiSend.mockClear();
+    mockGetAllOrgs$.mockClear();
+    mockGetFeatureFlag$.mockClear();
+
+    fakeStateProvider = new FakeStateProvider(mockAccountServiceWith("user-id" as UserId));
+    service = new DefaultTaskService(
+      fakeStateProvider,
+      { send: mockApiSend } as unknown as ApiService,
+      { organizations$: mockGetAllOrgs$ } as unknown as OrganizationService,
+      { getFeatureFlag$: mockGetFeatureFlag$ } as unknown as ConfigService,
+    );
+  });
+
+  describe("tasksEnabled$", () => {
+    it("should emit true if any organization uses risk insights", async () => {
+      mockGetFeatureFlag$.mockReturnValue(new BehaviorSubject(true));
+      mockGetAllOrgs$.mockReturnValue(
+        new BehaviorSubject([
+          {
+            useRiskInsights: false,
+          },
+          {
+            useRiskInsights: true,
+          },
+        ] as Organization[]),
+      );
+
+      const { tasksEnabled$ } = service;
+
+      const result = await firstValueFrom(tasksEnabled$("user-id" as UserId));
+
+      expect(result).toBe(true);
+    });
+
+    it("should emit false if no organization uses risk insights", async () => {
+      mockGetFeatureFlag$.mockReturnValue(new BehaviorSubject(true));
+      mockGetAllOrgs$.mockReturnValue(
+        new BehaviorSubject([
+          {
+            useRiskInsights: false,
+          },
+          {
+            useRiskInsights: false,
+          },
+        ] as Organization[]),
+      );
+
+      const { tasksEnabled$ } = service;
+
+      const result = await firstValueFrom(tasksEnabled$("user-id" as UserId));
+
+      expect(result).toBe(false);
+    });
+
+    it("should emit false if the feature flag is off", async () => {
+      mockGetFeatureFlag$.mockReturnValue(new BehaviorSubject(false));
+      mockGetAllOrgs$.mockReturnValue(
+        new BehaviorSubject([
+          {
+            useRiskInsights: true,
+          },
+        ] as Organization[]),
+      );
+
+      const { tasksEnabled$ } = service;
+
+      const result = await firstValueFrom(tasksEnabled$("user-id" as UserId));
+
+      expect(result).toBe(false);
+    });
+  });
+
+  describe("tasks$", () => {
+    it("should fetch tasks from the API when the state is null", async () => {
+      mockApiSend.mockResolvedValue({
+        data: [
+          {
+            id: "task-id",
+          },
+        ] as SecurityTaskResponse[],
+      });
+
+      fakeStateProvider.singleUser.mockFor("user-id" as UserId, SECURITY_TASKS, null as any);
+
+      const { tasks$ } = service;
+
+      const result = await firstValueFrom(tasks$("user-id" as UserId));
+
+      expect(result.length).toBe(1);
+      expect(mockApiSend).toHaveBeenCalledWith("GET", "/tasks", null, true, true);
+    });
+
+    it("should use the tasks from state when not null", async () => {
+      fakeStateProvider.singleUser.mockFor("user-id" as UserId, SECURITY_TASKS, [
+        {
+          id: "task-id" as SecurityTaskId,
+        } as SecurityTaskData,
+      ]);
+
+      const { tasks$ } = service;
+
+      const result = await firstValueFrom(tasks$("user-id" as UserId));
+
+      expect(result.length).toBe(1);
+      expect(mockApiSend).not.toHaveBeenCalled();
+    });
+
+    it("should share the same observable for the same user", async () => {
+      const { tasks$ } = service;
+
+      const first = tasks$("user-id" as UserId);
+      const second = tasks$("user-id" as UserId);
+
+      expect(first).toBe(second);
+    });
+  });
+
+  describe("pendingTasks$", () => {
+    it("should filter tasks to only pending tasks", async () => {
+      fakeStateProvider.singleUser.mockFor("user-id" as UserId, SECURITY_TASKS, [
+        {
+          id: "completed-task-id" as SecurityTaskId,
+          status: SecurityTaskStatus.Completed,
+        },
+        {
+          id: "pending-task-id" as SecurityTaskId,
+          status: SecurityTaskStatus.Pending,
+        },
+      ] as SecurityTaskData[]);
+
+      const { pendingTasks$ } = service;
+
+      const result = await firstValueFrom(pendingTasks$("user-id" as UserId));
+
+      expect(result.length).toBe(1);
+      expect(result[0].id).toBe("pending-task-id" as SecurityTaskId);
+    });
+  });
+
+  describe("refreshTasks()", () => {
+    it("should fetch tasks from the API", async () => {
+      mockApiSend.mockResolvedValue({
+        data: [
+          {
+            id: "task-id",
+          },
+        ] as SecurityTaskResponse[],
+      });
+
+      await service.refreshTasks("user-id" as UserId);
+
+      expect(mockApiSend).toHaveBeenCalledWith("GET", "/tasks", null, true, true);
+    });
+
+    it("should update the local state with refreshed tasks", async () => {
+      mockApiSend.mockResolvedValue({
+        data: [
+          {
+            id: "task-id",
+          },
+        ] as SecurityTaskResponse[],
+      });
+
+      const mock = fakeStateProvider.singleUser.mockFor(
+        "user-id" as UserId,
+        SECURITY_TASKS,
+        null as any,
+      );
+
+      await service.refreshTasks("user-id" as UserId);
+
+      expect(mock.nextMock).toHaveBeenCalledWith([
+        {
+          id: "task-id" as SecurityTaskId,
+        } as SecurityTaskData,
+      ]);
+    });
+  });
+
+  describe("clear()", () => {
+    it("should clear the local state for the user", async () => {
+      const mock = fakeStateProvider.singleUser.mockFor("user-id" as UserId, SECURITY_TASKS, [
+        {
+          id: "task-id" as SecurityTaskId,
+        } as SecurityTaskData,
+      ]);
+
+      await service.clear("user-id" as UserId);
+
+      expect(mock.nextMock).toHaveBeenCalledWith([]);
+    });
+  });
+
+  describe("markAsComplete()", () => {
+    it("should send an API request to mark the task as complete", async () => {
+      await service.markAsComplete("task-id" as SecurityTaskId, "user-id" as UserId);
+
+      expect(mockApiSend).toHaveBeenCalledWith(
+        "PATCH",
+        "/tasks/task-id/complete",
+        null,
+        true,
+        false,
+      );
+    });
+
+    it("should refresh all tasks for the user after marking the task as complete", async () => {
+      mockApiSend
+        .mockResolvedValueOnce(null) // Mark as complete
+        .mockResolvedValueOnce({
+          // Refresh tasks
+          data: [
+            {
+              id: "new-task-id",
+            },
+          ] as SecurityTaskResponse[],
+        });
+
+      const mockState = fakeStateProvider.singleUser.mockFor("user-id" as UserId, SECURITY_TASKS, [
+        {
+          id: "old-task-id" as SecurityTaskId,
+        } as SecurityTaskData,
+      ]);
+
+      await service.markAsComplete("task-id" as SecurityTaskId, "user-id" as UserId);
+
+      expect(mockApiSend).toHaveBeenCalledWith("GET", "/tasks", null, true, true);
+      expect(mockState.nextMock).toHaveBeenCalledWith([
+        {
+          id: "new-task-id",
+        } as SecurityTaskData,
+      ]);
+    });
+  });
+});

libs/common/src/vault/tasks/services/default-task.service.ts

@@ -0,0 +1,100 @@
+import { combineLatest, map, switchMap } from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ListResponse } from "@bitwarden/common/models/response/list.response";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { StateProvider } from "@bitwarden/common/platform/state";
+import { SecurityTaskId, UserId } from "@bitwarden/common/types/guid";
+
+import { filterOutNullish, perUserCache$ } from "../../utils/observable-utilities";
+import { TaskService } from "../abstractions/task.service";
+import { SecurityTaskStatus } from "../enums";
+import { SecurityTask, SecurityTaskData, SecurityTaskResponse } from "../models";
+import { SECURITY_TASKS } from "../state/security-task.state";
+
+export class DefaultTaskService implements TaskService {
+  constructor(
+    private stateProvider: StateProvider,
+    private apiService: ApiService,
+    private organizationService: OrganizationService,
+    private configService: ConfigService,
+  ) {}
+
+  tasksEnabled$ = perUserCache$((userId) => {
+    return combineLatest([
+      this.organizationService
+        .organizations$(userId)
+        .pipe(map((orgs) => orgs.some((o) => o.useRiskInsights))),
+      this.configService.getFeatureFlag$(FeatureFlag.SecurityTasks),
+    ]).pipe(map(([atLeastOneOrgEnabled, flagEnabled]) => atLeastOneOrgEnabled && flagEnabled));
+  });
+
+  tasks$ = perUserCache$((userId) => {
+    return this.taskState(userId).state$.pipe(
+      switchMap(async (tasks) => {
+        if (tasks == null) {
+          await this.fetchTasksFromApi(userId);
+        }
+        return tasks;
+      }),
+      filterOutNullish(),
+      map((tasks) => tasks.map((t) => new SecurityTask(t))),
+    );
+  });
+
+  pendingTasks$ = perUserCache$((userId) => {
+    return this.tasks$(userId).pipe(
+      map((tasks) => tasks.filter((t) => t.status === SecurityTaskStatus.Pending)),
+    );
+  });
+
+  async refreshTasks(userId: UserId): Promise<void> {
+    await this.fetchTasksFromApi(userId);
+  }
+
+  async clear(userId: UserId): Promise<void> {
+    await this.updateTaskState(userId, []);
+  }
+
+  async markAsComplete(taskId: SecurityTaskId, userId: UserId): Promise<void> {
+    await this.apiService.send("PATCH", `/tasks/${taskId}/complete`, null, true, false);
+    await this.refreshTasks(userId);
+  }
+
+  /**
+   * Fetches the tasks from the API and updates the local state
+   * @param userId
+   * @private
+   */
+  private async fetchTasksFromApi(userId: UserId): Promise<void> {
+    const r = await this.apiService.send("GET", "/tasks", null, true, true);
+    const response = new ListResponse(r, SecurityTaskResponse);
+
+    const taskData = response.data.map((t) => new SecurityTaskData(t));
+    await this.updateTaskState(userId, taskData);
+  }
+
+  /**
+   * Returns the local state for the tasks
+   * @param userId
+   * @private
+   */
+  private taskState(userId: UserId) {
+    return this.stateProvider.getUser(userId, SECURITY_TASKS);
+  }
+
+  /**
+   * Updates the local state with the provided tasks and returns the updated state
+   * @param userId
+   * @param tasks
+   * @private
+   */
+  private updateTaskState(
+    userId: UserId,
+    tasks: SecurityTaskData[],
+  ): Promise<SecurityTaskData[] | null> {
+    return this.taskState(userId).update(() => tasks);
+  }
+}

libs/common/src/vault/tasks/state/security-task.state.ts

@@ -0,0 +1,14 @@
+import { Jsonify } from "type-fest";
+
+import { SECURITY_TASKS_DISK, UserKeyDefinition } from "@bitwarden/common/platform/state";
+
+import { SecurityTaskData } from "../models/security-task.data";
+
+export const SECURITY_TASKS = UserKeyDefinition.array<SecurityTaskData>(
+  SECURITY_TASKS_DISK,
+  "securityTasks",
+  {
+    deserializer: (task: Jsonify<SecurityTaskData>) => SecurityTaskData.fromJSON(task),
+    clearOn: ["logout", "lock"],
+  },
+);

libs/common/src/vault/utils/observable-utilities.ts

@@ -0,0 +1,37 @@
+import { filter, Observable, OperatorFunction, shareReplay } from "rxjs";
+
+import { UserId } from "@bitwarden/common/types/guid";
+
+/**
+ * Builds an observable once per userId and caches it for future requests.
+ * The built observables are shared among subscribers with a replay buffer size of 1.
+ * @param create - A function that creates an observable for a given userId.
+ */
+export function perUserCache$<TValue>(
+  create: (userId: UserId) => Observable<TValue>,
+): (userId: UserId) => Observable<TValue> {
+  const cache = new Map<UserId, Observable<TValue>>();
+  return (userId: UserId) => {
+    let observable = cache.get(userId);
+    if (!observable) {
+      observable = create(userId).pipe(shareReplay({ bufferSize: 1, refCount: false }));
+      cache.set(userId, observable);
+    }
+    return observable;
+  };
+}
+
+/**
+ * Strongly typed observable operator that filters out null/undefined values and adjusts the return type to
+ * be non-nullable.
+ *
+ * @example
+ * ```ts
+ * const source$ = of(1, null, 2, undefined, 3);
+ * source$.pipe(filterOutNullish()).subscribe(console.log);
+ * // Output: 1, 2, 3
+ * ```
+ */
+export function filterOutNullish<T>(): OperatorFunction<T | undefined | null, T> {
+  return filter((v): v is T => v != null);
+}