[PM-18026] Implement forced, automatic KDF upgrades (#15937)

* Implement automatic kdf upgrades * Fix kdf config not being updated * Update legacy kdf state on master password unlock sync * Fix cli build * Fix * Deduplicate prompts * Fix dismiss time * Fix default kdf setting * Fix build * Undo changes * Fix test * Fix prettier * Fix test * Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Only sync when there is at least one migration * Relative imports * Add tech debt comment * Resolve inconsistent prefix * Clean up * Update docs * Use default PBKDF2 iteratinos instead of custom threshold * Undo type check * Fix build * Add comment * Cleanup * Cleanup * Address component feedback * Use isnullorwhitespace * Fix tests * Allow migration only on vault * Fix tests * Run prettier * Fix tests * Prevent await race condition * Fix min and default values in kdf migration * Run sync only when a migration was run * Update libs/common/src/key-management/encrypted-migrator/default-encrypted-migrator.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Fix link not being blue * Fix later button on browser --------- Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2025-12-22 19:23:52 +00:00 · 2025-12-03 19:04:18 +01:00
parent 6ae096485a
commit 6e2203d6d4
48 changed files with 1471 additions and 31 deletions
--- a/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
+++ b/libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
@@ -822,7 +822,7 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
  }

  private async handleSuccessfulLoginNavigation(userId: UserId) {
-    await this.loginSuccessHandlerService.run(userId);
+    await this.loginSuccessHandlerService.run(userId, null);
    await this.router.navigate(["vault"]);
  }
 }
--- a/libs/auth/src/angular/login/login.component.ts
+++ b/libs/auth/src/angular/login/login.component.ts
@@ -382,7 +382,7 @@ export class LoginComponent implements OnInit, OnDestroy {
    }

    // User logged in successfully so execute side effects
-    await this.loginSuccessHandlerService.run(authResult.userId);
+    await this.loginSuccessHandlerService.run(authResult.userId, authResult.masterPassword);

    // Determine where to send the user next
    // The AuthGuard will handle routing to change-password based on state
--- a/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts
+++ b/libs/auth/src/angular/new-device-verification/new-device-verification.component.ts
@@ -152,9 +152,7 @@ export class NewDeviceVerificationComponent implements OnInit, OnDestroy {
        return;
      }

-      // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
-      // eslint-disable-next-line @typescript-eslint/no-floating-promises
-      this.loginSuccessHandlerService.run(authResult.userId);
+      await this.loginSuccessHandlerService.run(authResult.userId, authResult.masterPassword);

      // TODO: PM-22663 use the new service to handle routing.
      const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
--- a/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
+++ b/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
@@ -206,7 +206,10 @@ export class RegistrationFinishComponent implements OnInit, OnDestroy {
        return;
      }

-      await this.loginSuccessHandlerService.run(authenticationResult.userId);
+      await this.loginSuccessHandlerService.run(
+        authenticationResult.userId,
+        authenticationResult.masterPassword ?? null,
+      );

      if (this.premiumInterest) {
        await this.premiumInterestStateService.setPremiumInterest(
--- a/libs/auth/src/angular/sso/sso.component.ts
+++ b/libs/auth/src/angular/sso/sso.component.ts
@@ -437,7 +437,7 @@ export class SsoComponent implements OnInit {

      // Everything after the 2FA check is considered a successful login
      // Just have to figure out where to send the user
-      await this.loginSuccessHandlerService.run(authResult.userId);
+      await this.loginSuccessHandlerService.run(authResult.userId, null);

      // Save off the OrgSsoIdentifier for use in the TDE flows (or elsewhere)
      // - TDE login decryption options component
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
@@ -450,7 +450,7 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
    }

    // User is fully logged in so handle any post login logic before executing navigation
-    await this.loginSuccessHandlerService.run(authResult.userId);
+    await this.loginSuccessHandlerService.run(authResult.userId, authResult.masterPassword);

    // Save off the OrgSsoIdentifier for use in the TDE flows
    // - TDE login decryption options component
--- a/libs/auth/src/common/abstractions/login-success-handler.service.ts
+++ b/libs/auth/src/common/abstractions/login-success-handler.service.ts
@@ -5,6 +5,7 @@ export abstract class LoginSuccessHandlerService {
   * Runs any service calls required after a successful login.
   * Service calls that should be included in this method are only those required to be awaited after successful login.
   * @param userId The user id.
+   * @param masterPassword The master password, if available. Null when logging in with SSO or other non-master-password methods.
   */
-  abstract run(userId: UserId): Promise<void>;
+  abstract run(userId: UserId, masterPassword: string | null): Promise<void>;
 }
--- a/libs/auth/src/common/login-strategies/login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.spec.ts
@@ -308,6 +308,7 @@ describe("LoginStrategy", () => {
      const result = await passwordLoginStrategy.logIn(credentials);

      const expected = new AuthResult();
+      expected.masterPassword = "password";
      expected.userId = userId;
      expected.resetMasterPassword = true;
      expected.twoFactorProviders = null;
@@ -323,6 +324,7 @@ describe("LoginStrategy", () => {
      const result = await passwordLoginStrategy.logIn(credentials);

      const expected = new AuthResult();
+      expected.masterPassword = "password";
      expected.userId = userId;
      expected.resetMasterPassword = false;
      expected.twoFactorProviders = null;
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -108,6 +108,8 @@ export abstract class LoginStrategy {
    data.tokenRequest.setTwoFactor(twoFactor);
    this.cache.next(data);
    const [authResult] = await this.startLogIn();
+    // There is an import cycle between PasswordLoginStrategyData and LoginStrategy, which means this cast is necessary, which is solved by extracting the data classes.
+    authResult.masterPassword = (this.cache.value as any)["masterPassword"] ?? null;
    return authResult;
  }

@@ -264,6 +266,9 @@ export abstract class LoginStrategy {
    await this.processForceSetPasswordReason(response.forcePasswordReset, userId);

    this.messagingService.send("loggedIn");
+    // There is an import cycle between PasswordLoginStrategyData and LoginStrategy, which means this cast is necessary, which is solved by extracting the data classes.
+    // TODO: https://bitwarden.atlassian.net/browse/PM-27573
+    result.masterPassword = (this.cache.value as any)["masterPassword"] ?? null;

    return result;
  }
--- a/libs/auth/src/common/login-strategies/password-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/password-login.strategy.ts
@@ -33,6 +33,8 @@ export class PasswordLoginStrategyData implements LoginStrategyData {
  localMasterKeyHash: string;
  /** The user's master key */
  masterKey: MasterKey;
+  /** The user's master password */
+  masterPassword: string;
  /**
   * Tracks if the user needs to update their password due to
   * a password that does not meet an organization's master password policy.
@@ -83,6 +85,7 @@ export class PasswordLoginStrategy extends LoginStrategy {
      masterPassword,
      email,
    );
+    data.masterPassword = masterPassword;
    data.userEnteredEmail = email;

    // Hash the password early (before authentication) so we don't persist it in memory in plaintext
@@ -251,6 +254,7 @@ export class PasswordLoginStrategy extends LoginStrategy {
    this.cache.next(data);

    const [authResult] = await this.startLogIn();
+    authResult.masterPassword = this.cache.value["masterPassword"] ?? null;
    return authResult;
  }

--- a/libs/auth/src/common/services/login-success-handler/default-login-success-handler.service.spec.ts
+++ b/libs/auth/src/common/services/login-success-handler/default-login-success-handler.service.spec.ts
@@ -1,6 +1,7 @@
 import { MockProxy, mock } from "jest-mock-extended";

 import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { SyncService } from "@bitwarden/common/platform/sync";
 import { UserId } from "@bitwarden/common/types/guid";
@@ -19,6 +20,7 @@ describe("DefaultLoginSuccessHandlerService", () => {
  let ssoLoginService: MockProxy<SsoLoginServiceAbstraction>;
  let syncService: MockProxy<SyncService>;
  let userAsymmetricKeysRegenerationService: MockProxy<UserAsymmetricKeysRegenerationService>;
+  let encryptedMigrator: MockProxy<EncryptedMigrator>;
  let logService: MockProxy<LogService>;

  const userId = "USER_ID" as UserId;
@@ -30,6 +32,7 @@ describe("DefaultLoginSuccessHandlerService", () => {
    ssoLoginService = mock<SsoLoginServiceAbstraction>();
    syncService = mock<SyncService>();
    userAsymmetricKeysRegenerationService = mock<UserAsymmetricKeysRegenerationService>();
+    encryptedMigrator = mock<EncryptedMigrator>();
    logService = mock<LogService>();

    service = new DefaultLoginSuccessHandlerService(
@@ -38,6 +41,7 @@ describe("DefaultLoginSuccessHandlerService", () => {
      ssoLoginService,
      syncService,
      userAsymmetricKeysRegenerationService,
+      encryptedMigrator,
      logService,
    );

@@ -50,7 +54,7 @@ describe("DefaultLoginSuccessHandlerService", () => {

  describe("run", () => {
    it("should call required services on successful login", async () => {
-      await service.run(userId);
+      await service.run(userId, null);

      expect(syncService.fullSync).toHaveBeenCalledWith(true, { skipTokenRefresh: true });
      expect(userAsymmetricKeysRegenerationService.regenerateIfNeeded).toHaveBeenCalledWith(userId);
@@ -58,7 +62,7 @@ describe("DefaultLoginSuccessHandlerService", () => {
    });

    it("should get SSO email", async () => {
-      await service.run(userId);
+      await service.run(userId, null);

      expect(ssoLoginService.getSsoEmail).toHaveBeenCalled();
    });
@@ -68,8 +72,8 @@ describe("DefaultLoginSuccessHandlerService", () => {
        ssoLoginService.getSsoEmail.mockResolvedValue(null);
      });

-      it("should log error and return early", async () => {
-        await service.run(userId);
+      it("should not check SSO requirements", async () => {
+        await service.run(userId, null);

        expect(logService.debug).toHaveBeenCalledWith("SSO login email not found.");
        expect(ssoLoginService.updateSsoRequiredCache).not.toHaveBeenCalled();
@@ -82,7 +86,7 @@ describe("DefaultLoginSuccessHandlerService", () => {
      });

      it("should call updateSsoRequiredCache() and clearSsoEmail()", async () => {
-        await service.run(userId);
+        await service.run(userId, null);

        expect(ssoLoginService.updateSsoRequiredCache).toHaveBeenCalledWith(testEmail, userId);
        expect(ssoLoginService.clearSsoEmail).toHaveBeenCalled();
--- a/libs/auth/src/common/services/login-success-handler/default-login-success-handler.service.ts
+++ b/libs/auth/src/common/services/login-success-handler/default-login-success-handler.service.ts
@@ -1,4 +1,5 @@
 import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { SyncService } from "@bitwarden/common/platform/sync";
 import { UserId } from "@bitwarden/common/types/guid";
@@ -15,12 +16,19 @@ export class DefaultLoginSuccessHandlerService implements LoginSuccessHandlerSer
    private ssoLoginService: SsoLoginServiceAbstraction,
    private syncService: SyncService,
    private userAsymmetricKeysRegenerationService: UserAsymmetricKeysRegenerationService,
+    private encryptedMigrator: EncryptedMigrator,
    private logService: LogService,
  ) {}
-  async run(userId: UserId): Promise<void> {
+
+  async run(userId: UserId, masterPassword: string | null): Promise<void> {
    await this.syncService.fullSync(true, { skipTokenRefresh: true });
    await this.userAsymmetricKeysRegenerationService.regenerateIfNeeded(userId);
    await this.loginEmailService.clearLoginEmail();
+    try {
+      await this.encryptedMigrator.runMigrations(userId, masterPassword);
+    } catch {
+      // Don't block login success on migration failure
+    }

    const ssoLoginEmail = await this.ssoLoginService.getSsoEmail();