From 6d0ef650941edd03445439a29cd5601d6fe705e0 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Thu, 30 May 2024 11:08:47 +0200
Subject: [PATCH] [PM-5938] Prevent vault coruption on key-rotation on desycned vault (#9235)

* Prevent key-rotation when local vault is desynced
* Prevent key-rotation on non-decrypted vault
* Remove cipher check that is done on server side
---
 .../auth/key-rotation/user-key-rotation.service.spec.ts | 4 ++++
 .../app/auth/key-rotation/user-key-rotation.service.ts | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/apps/web/src/app/auth/key-rotation/user-key-rotation.service.spec.ts b/apps/web/src/app/auth/key-rotation/user-key-rotation.service.spec.ts
index 792ae15690f..c3d568e1187 100644
--- a/apps/web/src/app/auth/key-rotation/user-key-rotation.service.spec.ts
+++ b/apps/web/src/app/auth/key-rotation/user-key-rotation.service.spec.ts
@@ -17,6 +17,7 @@ import { UserId } from "@bitwarden/common/types/guid";
 import { UserKey } from "@bitwarden/common/types/key";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
 import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
 import { Folder } from "@bitwarden/common/vault/models/domain/folder";
@@ -49,6 +50,7 @@ describe("KeyRotationService", () => {
 let mockStateService: MockProxy;
 let mockConfigService: MockProxy;
 let mockKdfConfigService: MockProxy;
+ let mockSyncService: MockProxy;
 const mockUserId = Utils.newGuid() as UserId;
 const mockAccountService: FakeAccountService = mockAccountServiceWith(mockUserId);
@@ -68,6 +70,7 @@ describe("KeyRotationService", () => {
 mockStateService = mock();
 mockConfigService = mock();
 mockKdfConfigService = mock();
+ mockSyncService = mock();
 keyRotationService = new UserKeyRotationService(
 mockMasterPasswordService,
@@ -83,6 +86,7 @@ describe("KeyRotationService", () => {
 mockStateService,
 mockAccountService,
 mockKdfConfigService,
+ mockSyncService,
 );
 });
diff --git a/apps/web/src/app/auth/key-rotation/user-key-rotation.service.ts b/apps/web/src/app/auth/key-rotation/user-key-rotation.service.ts
index 4b8d6ca1392..cac2dafd518 100644
--- a/apps/web/src/app/auth/key-rotation/user-key-rotation.service.ts
+++ b/apps/web/src/app/auth/key-rotation/user-key-rotation.service.ts
@@ -13,6 +13,7 @@ import { SendService } from "@bitwarden/common/tools/send/services/send.service.
 import { UserKey } from "@bitwarden/common/types/key";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
+import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 import { CipherWithIdRequest } from "@bitwarden/common/vault/models/request/cipher-with-id.request";
 import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
@@ -38,6 +39,7 @@ export class UserKeyRotationService {
 private stateService: StateService,
 private accountService: AccountService,
 private kdfConfigService: KdfConfigService,
+ private syncService: SyncService,
 ) {}
 /**
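Review bot: No test exercises the new de-synced guard: `mockSyncService` is created in the `beforeEach` and injected into the constructor, but nowhere in these hunks is `getLastSync` given a return value, so the unconfigured mock appears to resolve to `undefined`, which passes the service's strict `=== null` check and leaves the rejection path uncovered. Add one case that sets `mockSyncService.getLastSync.mockResolvedValue(null);` and asserts that the rotation method rejects with the de-synced error, and one that resolves a real `Date` and asserts rotation proceeds to re-encrypt the vault data. The `describe` block and its `beforeEach` continue outside the hunk.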
@@ -49,6 +51,12 @@ export class UserKeyRotationService {
 throw new Error("Invalid master password");
 }
+ if ((await this.syncService.getLastSync()) === null) {
+ throw new Error(
+ "The local vault is de-synced and the keys cannot be rotated. Please log out and log back in to resolve this issue.",
+ );
+ }
+
 // Create master key to validate the master password
 const masterKey = await this.cryptoService.makeMasterKey(
 masterPassword,
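Review bot: The guard compares the result of `getLastSync()` strictly with `null`, so a last-sync value of `undefined` (what an unconfigured mock in the spec yields, and plausibly what a never-written state entry yields too) slips through and key rotation proceeds on a vault that has never synced; `if ((await this.syncService.getLastSync()) == null) {` closes that gap without changing the intended behaviour. A non-null timestamp also only proves that some sync once completed, not that the locally cached ciphers, folders and sends are current, so consider forcing a sync immediately before collecting the data to re-encrypt (via the SyncService's full-sync method, if one is available here) and aborting the rotation if it fails. The rotation method continues outside the hunk.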