bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2026-02-18 02:19:18 +00:00
Code Issues Releases Wiki Activity

Merge branch 'main' into km/default-argon2

Browse Source
This commit is contained in:
Bernd Schoolmann
2025-04-04 12:50:58 +02:00
parent 1e1a2baa17 c8069baa24
commit 753eee1306
2574 changed files with 151321 additions and 73319 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libs/auth/src/angular/anon-layout/anon-layout-wrapper.mdx
View File

@@ -6,10 +6,6 @@ import * as stories from "./anon-layout-wrapper.stories";
# Anon Layout Wrapper
NOTE: These stories will treat "Light & Dark" mode as "Light" mode. This is done to avoid a bug with
the way that we render the same component twice in the same iframe and how that interacts with the
`router-outlet`.
## Anon Layout Wrapper Component
The auth owned `AnonLayoutWrapperComponent` orchestrates routing configuration data and feeds it

3
libs/auth/src/angular/anon-layout/anon-layout-wrapper.stories.ts
View File

@@ -18,7 +18,8 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
import { ButtonModule } from "@bitwarden/components";
// FIXME: remove `/apps` import from `/libs`
// eslint-disable-next-line import/no-restricted-paths
// FIXME: remove `src` and fix import
// eslint-disable-next-line import/no-restricted-paths, no-restricted-imports
import { PreloadedEnglishI18nModule } from "../../../../../apps/web/src/app/core/tests";
import { LockIcon } from "../icons";
import { RegistrationCheckEmailIcon } from "../icons/registration-check-email.icon";

10
libs/auth/src/angular/anon-layout/anon-layout.component.html
View File

@@ -1,5 +1,5 @@
<main
class="tw-flex tw-w-full tw-mx-auto tw-flex-col tw-bg-background-alt tw-px-6 tw-pt-6 tw-pb-4 tw-text-main"
class="tw-flex tw-w-full tw-mx-auto tw-flex-col tw-bg-background-alt tw-px-6 tw-py-4 tw-text-main"
[ngClass]="{
'tw-min-h-screen': clientType === 'web',
'tw-min-h-full': clientType === 'browser' || clientType === 'desktop',
@@ -14,10 +14,10 @@
</a>
<div
class="tw-text-center tw-mb-6"
class="tw-text-center tw-mb-4 sm:tw-mb-6"
[ngClass]="{ 'tw-max-w-md tw-mx-auto': titleAreaMaxWidth === 'md' }"
>
<div class="tw-mx-auto tw-max-w-28 sm:tw-max-w-32">
<div class="tw-mx-auto tw-max-w-24 sm:tw-max-w-28 md:tw-max-w-32">
<bit-icon [icon]="icon"></bit-icon>
</div>
@@ -40,14 +40,14 @@
[ngClass]="{ 'tw-max-w-md': maxWidth === 'md', 'tw-max-w-3xl': maxWidth === '3xl' }"
>
<div
class="tw-rounded-2xl tw-mb-10 tw-mx-auto tw-w-full sm:tw-bg-background sm:tw-border sm:tw-border-solid sm:tw-border-secondary-300 sm:tw-p-8"
class="tw-rounded-2xl tw-mb-6 sm:tw-mb-10 tw-mx-auto tw-w-full sm:tw-bg-background sm:tw-border sm:tw-border-solid sm:tw-border-secondary-300 sm:tw-p-8"
>
<ng-content></ng-content>
</div>
<ng-content select="[slot=secondary]"></ng-content>
</div>
<footer *ngIf="!hideFooter" class="tw-text-center tw-mt-6">
<footer *ngIf="!hideFooter" class="tw-text-center tw-mt-4 sm:tw-mt-6">
<div *ngIf="showReadonlyHostname" bitTypography="body2">
{{ "accessing" | i18n }} {{ hostname }}
</div>

6
libs/auth/src/angular/anon-layout/anon-layout.component.ts
View File

@@ -9,8 +9,14 @@ import { ClientType } from "@bitwarden/common/enums";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { IconModule, Icon } from "../../../../components/src/icon";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { SharedModule } from "../../../../components/src/shared";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { TypographyModule } from "../../../../components/src/typography";
import { BitwardenLogo, BitwardenShield } from "../icons";

4
libs/auth/src/angular/anon-layout/anon-layout.stories.ts
View File

@@ -7,7 +7,11 @@ import { EnvironmentService } from "@bitwarden/common/platform/abstractions/envi
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { ButtonModule } from "../../../../components/src/button";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { I18nMockService } from "../../../../components/src/utils/i18n-mock.service";
import { LockIcon } from "../icons";

2
libs/auth/src/angular/fingerprint-dialog/fingerprint-dialog.component.html
View File

@@ -1,5 +1,5 @@
<bit-simple-dialog>
<i bitDialogIcon class="bwi bwi-info-circle tw-text-3xl" aria-hidden="true"></i>
<i bitDialogIcon class="bwi bwi-info-circle tw-text-info tw-text-3xl" aria-hidden="true"></i>
<span bitDialogTitle
><strong>{{ "yourAccountsFingerprint" | i18n }}:</strong></span
>

18
libs/auth/src/angular/icons/device-verification.icon.ts Normal file
View File

@@ -0,0 +1,18 @@
import { svgIcon } from "@bitwarden/components";
export const DeviceVerificationIcon = svgIcon`
<svg viewBox="0 0 98 95" fill="none" xmlns="http://www.w3.org/2000/svg">
<path class="tw-stroke-art-primary" d="M12.1759 27.7453L2.54349 34.9329C1.57215 35.6577 1 36.7986 1 38.0105V89.6281C1 91.7489 2.71922 93.4681 4.84 93.4681H93.16C95.2808 93.4681 97 91.7489 97 89.6281V38.0276C97 36.806 96.4188 35.6574 95.4347 34.9338L85.6576 27.7453M61.8791 10.2622L50.9367 2.2168C49.5753 1.21588 47.7197 1.22245 46.3655 2.23297L35.6054 10.2622" stroke-width="1.92"/>
<path class="tw-stroke-art-primary" d="M85.7661 45.4682V12.1542C85.7661 11.0938 84.9064 10.2342 83.8461 10.2342H14.1541C13.0937 10.2342 12.2341 11.0938 12.2341 12.1542V45.4682" stroke-width="1.92" stroke-linecap="round"/>
<path class="tw-stroke-art-primary" d="M95.7335 92.1003L62.3151 61.2912C61.2514 60.3106 59.8576 59.7661 58.4109 59.7661H38.043C36.5571 59.7661 35.1286 60.3404 34.0562 61.3689L2.01148 92.1003" stroke-width="1.92"/>
<line class="tw-stroke-art-primary" x1="96.157" y1="39.125" x2="61.0395" y2="60.0979" stroke-width="1.92" stroke-linecap="round"/>
<path class="tw-stroke-art-primary" d="M1.84229 39.1248L36.673 59.7488" stroke-width="1.92" stroke-linecap="round"/>
<rect class="tw-stroke-art-accent" x="23.0046" y="25.5344" width="51.925" height="17.4487" rx="8.72434" stroke-width="0.96"/>
<circle class="tw-fill-art-accent" cx="30.2299" cy="34.2588" r="2.24846"/>
<circle class="tw-fill-art-accent" cx="45.2196" cy="34.2587" r="2.24846"/>
<circle class="tw-fill-art-accent" cx="60.2094" cy="34.2587" r="2.24846"/>
<circle class="tw-fill-art-accent" cx="37.7248" cy="34.2587" r="2.24846"/>
<circle class="tw-fill-art-accent" cx="52.7145" cy="34.2587" r="2.24846"/>
<circle class="tw-fill-art-accent" cx="67.704" cy="34.2587" r="2.24846"/>
</svg>
`;

1
libs/auth/src/angular/icons/index.ts
View File

@@ -12,3 +12,4 @@ export * from "./registration-lock-alt.icon";
export * from "./registration-expired-link.icon";
export * from "./sso-key.icon";
export * from "./two-factor-timeout.icon";
export * from "./device-verification.icon";

6
libs/auth/src/angular/icons/two-factor-auth/index.ts Normal file
View File

@@ -0,0 +1,6 @@
export * from "./two-factor-auth-authenticator.icon";
export * from "./two-factor-auth-email.icon";
export * from "./two-factor-auth-webauthn.icon";
export * from "./two-factor-auth-security-key.icon";
export * from "./two-factor-auth-duo.icon";
export * from "./two-factor-auth-yubico.icon";

39
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-authenticator.icon.ts Normal file
View File

@@ -0,0 +1,39 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthAuthenticatorIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 120 100">
<g clip-path="url(#a)">
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M47.967 84.718c0-.37.3-.67.67-.67h42.904a.67.67 0 1 1 0 1.34H48.637a.67.67 0 0 1-.67-.67Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M63.4 84.848V72.111h1.34v12.737H63.4ZM77.073 84.848V72.111h1.341v12.737h-1.34Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M20.482 14.999a6.704 6.704 0 0 1 6.703-6.704h85.808A6.704 6.704 0 0 1 119.697 15v50.949a6.704 6.704 0 0 1-6.704 6.703H35.565V69.97h77.428c2.222 0 4.023-1.801 4.023-4.022V14.999a4.022 4.022 0 0 0-4.023-4.022H27.185a4.022 4.022 0 0 0-4.022 4.022v11.732h-2.681V14.999Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M25.845 15.67c0-1.111.9-2.012 2.01-2.012h84.468c1.111 0 2.011.9 2.011 2.011v49.608c0 1.11-.9 2.011-2.011 2.011H35.23v-1.34h77.093c.37 0 .67-.3.67-.67V15.668c0-.37-.3-.67-.67-.67H27.856c-.37 0-.67.3-.67.67v11.062h-1.341V15.669Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M-.3 33.1a8.045 8.045 0 0 1 8.045-8.045h21.452a8.045 8.045 0 0 1 8.044 8.044v17.43H34.56v-17.43a5.363 5.363 0 0 0-5.363-5.363H7.745A5.363 5.363 0 0 0 2.382 33.1v50.949a5.363 5.363 0 0 0 5.363 5.363h21.452a5.363 5.363 0 0 0 5.363-5.363V53.546h2.681v30.502a8.045 8.045 0 0 1-8.044 8.044H7.745A8.044 8.044 0 0 1-.3 84.048V33.099Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M17.13 32.429c0-.37.3-.67.67-.67h1.326a.67.67 0 1 1 0 1.34H17.8a.67.67 0 0 1-.67-.67Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M39.598 46.024a.67.67 0 0 1 .948.017l3.881 4.022a.67.67 0 0 1-.482 1.136H29.197a.67.67 0 0 1 0-1.34h13.17l-2.786-2.887a.67.67 0 0 1 .017-.948ZM32.947 58.162a.67.67 0 0 1-.948-.017l-3.88-4.022a.67.67 0 0 1 .482-1.136h14.748a.67.67 0 1 1 0 1.34h-13.17l2.785 2.887a.67.67 0 0 1-.017.948ZM44.615 41.144a8.715 8.715 0 0 1 8.715-8.715h37.541a8.715 8.715 0 0 1 0 17.43H53.33a8.715 8.715 0 0 1-8.715-8.715Zm8.715-7.374a7.374 7.374 0 0 0 0 14.748h37.541a7.374 7.374 0 0 0 0-14.748H53.33Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M10.761 61.682a13.408 13.408 0 0 1 7.71-2.438v2.681a10.726 10.726 0 0 0-6.838 18.99l-.854 1.034.854-1.033A10.726 10.726 0 0 0 29.007 70.64l2.634-.502a13.407 13.407 0 1 1-20.879-8.457Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent"
d="M13.411 75.183h1.537v-5.472l-1.84.878v-.941l1.83-.864h.989v6.4h1.517v.82h-4.033v-.82ZM19.806 75.178h3.357v.825h-4.44v-.825c.611-.637 1.145-1.2 1.601-1.688.457-.488.772-.833.945-1.033.326-.395.547-.713.66-.956.115-.246.172-.496.172-.752 0-.404-.12-.721-.362-.95-.238-.23-.566-.345-.984-.345-.297 0-.608.053-.935.16a5.264 5.264 0 0 0-1.037.485v-.99c.336-.158.665-.278.988-.359.327-.08.648-.121.964-.121.715 0 1.29.19 1.723.568.438.375.656.868.656 1.48 0 .31-.073.62-.22.93-.144.311-.378.654-.705 1.03-.183.21-.448.5-.798.873-.345.371-.874.928-1.585 1.668ZM53.79 37.121c.816 0 1.432.34 1.849 1.016.42.678.629 1.68.629 3.007 0 1.327-.21 2.329-.63 3.006-.416.677-1.032 1.016-1.847 1.016-.816 0-1.431-.339-1.848-1.016-.416-.677-.624-1.68-.624-3.006 0-1.327.208-2.33.624-3.007.416-.677 1.032-1.016 1.848-1.016Zm0 7.211c.485 0 .845-.262 1.08-.787.24-.524.359-1.325.359-2.401 0-.573-.034-1.091-.102-1.553l-2.437 3.882c.256.573.623.86 1.1.86Zm0-6.377c-.48 0-.84.262-1.08.787-.235.524-.352 1.325-.352 2.402 0 .49.032.948.097 1.375l2.385-3.871c-.26-.462-.609-.693-1.05-.693ZM60.106 37.121c.816 0 1.432.34 1.848 1.016.42.678.63 1.68.63 3.007 0 1.327-.21 2.329-.63 3.006-.416.677-1.032 1.016-1.848 1.016-.815 0-1.43-.339-1.847-1.016-.416-.677-.624-1.68-.624-3.006 0-1.327.208-2.33.624-3.007.416-.677 1.032-1.016 1.847-1.016Zm0 7.211c.485 0 .845-.262 1.08-.787.24-.524.359-1.325.359-2.401 0-.573-.035-1.091-.103-1.553l-2.436 3.882c.256.573.623.86 1.1.86Zm0-6.377c-.48 0-.84.262-1.08.787-.235.524-.353 1.325-.353 2.402 0 .49.033.948.098 1.375l2.385-3.871c-.26-.462-.61-.693-1.05-.693ZM66.422 37.121c.816 0 1.431.34 1.848 1.016.42.678.63 1.68.63 3.007 0 1.327-.21 2.329-.63 3.006-.416.677-1.032 1.016-1.848 1.016-.815 0-1.431-.339-1.847-1.016-.417-.677-.625-1.68-.625-3.006 0-1.327.208-2.33.624-3.007.417-.677 1.033-1.016 1.848-1.016Zm0 7.211c.485 0 .845-.262 1.08-.787.239-.524.358-1.325.358-2.401 0-.573-.034-1.091-.102-1.553l-2.436 3.882c.256.573.622.86 1.1.86Zm0-6.377c-.481 0-.84.262-1.08.787-.235.524-.353 1.325-.353 2.402 0 .49.032.948.097 1.375l2.385-3.871c-.259-.462-.609-.693-1.049-.693ZM76.433 37.121c.815 0 1.431.34 1.848 1.016.42.678.63 1.68.63 3.007 0 1.327-.21 2.329-.63 3.006-.417.677-1.033 1.016-1.848 1.016-.816 0-1.431-.339-1.848-1.016-.416-.677-.624-1.68-.624-3.006 0-1.327.208-2.33.624-3.007.417-.677 1.033-1.016 1.848-1.016Zm0 7.211c.484 0 .844-.262 1.08-.787.239-.524.358-1.325.358-2.401 0-.573-.034-1.091-.102-1.553l-2.436 3.882c.255.573.622.86 1.1.86Zm0-6.377c-.481 0-.841.262-1.08.787-.235.524-.353 1.325-.353 2.402 0 .49.032.948.097 1.375l2.385-3.871c-.26-.462-.609-.693-1.049-.693ZM82.749 37.121c.815 0 1.43.34 1.847 1.016.42.678.63 1.68.63 3.007 0 1.327-.21 2.329-.63 3.006-.416.677-1.032 1.016-1.847 1.016-.816 0-1.432-.339-1.848-1.016-.416-.677-.624-1.68-.624-3.006 0-1.327.208-2.33.624-3.007.416-.677 1.032-1.016 1.848-1.016Zm0 7.211c.484 0 .844-.262 1.08-.787.238-.524.358-1.325.358-2.401 0-.573-.034-1.091-.103-1.553l-2.436 3.882c.256.573.623.86 1.1.86Zm0-6.377c-.481 0-.841.262-1.08.787-.236.524-.353 1.325-.353 2.402 0 .49.032.948.097 1.375l2.385-3.871c-.26-.462-.61-.693-1.05-.693ZM89.064 37.121c.816 0 1.432.34 1.848 1.016.42.678.63 1.68.63 3.007 0 1.327-.21 2.329-.63 3.006-.416.677-1.032 1.016-1.848 1.016-.815 0-1.431-.339-1.847-1.016-.417-.677-.625-1.68-.625-3.006 0-1.327.208-2.33.625-3.007.416-.677 1.032-1.016 1.847-1.016Zm0 7.211c.485 0 .845-.262 1.08-.787.239-.524.358-1.325.358-2.401 0-.573-.034-1.091-.102-1.553l-2.436 3.882c.256.573.623.86 1.1.86Zm0-6.377c-.48 0-.84.262-1.08.787-.235.524-.353 1.325-.353 2.402 0 .49.033.948.097 1.375l2.385-3.871c-.259-.462-.609-.693-1.049-.693Z" />
</g>
<defs>
<clipPath id="a">
<path fill="#fff" d="M0 0h120v100H0z" />
</clipPath>
</defs>
</svg>
`;

20
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-duo.icon.ts Normal file
View File

@@ -0,0 +1,20 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthDuoIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 120 40">
<g clip-path="url(#a)">
<path fill="#7BCD54" d="M19.359 39.412H0V20.97h38.694c-.505 10.27-8.968 18.44-19.335 18.44Z" />
<path fill="#63C43F"
d="M19.359.588H0V19.03h38.694C38.188 8.76 29.726.59 19.358.59ZM100.666.588c-10.367 0-18.83 8.172-19.335 18.441H120C119.496 8.76 111.033.59 100.666.59Z" />
<path fill="#7BCD54"
d="M100.666 39.412c-10.367 0-18.83-8.171-19.335-18.441H120c-.504 10.27-8.967 18.44-19.334 18.44Z" />
<path fill="#63C43F" d="M40.653.588V20c0 10.395 8.15 18.882 18.391 19.388V.588h-18.39Z" />
<path fill="#7BCD54" d="M79.37 39.412H60.98V.588h18.39v38.824Z" />
</g>
<defs>
<clipPath id="a">
<path fill="#fff" d="M0 .588h120v38.824H0z" />
</clipPath>
</defs>
</svg>
`;

18
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-email.icon.ts Normal file
View File

@@ -0,0 +1,18 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthEmailIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 120 100">
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M56.791 3.994a4.8 4.8 0 0 1 5.714-.02l10.651 7.83h21.69a2.88 2.88 0 0 1 2.88 2.88V29.87l9.277 6.821a4.798 4.798 0 0 1 1.957 3.867v51.6a4.8 4.8 0 0 1-4.8 4.8H15.84a4.8 4.8 0 0 1-4.8-4.8V40.542a4.8 4.8 0 0 1 1.93-3.847l9.304-6.943V14.685a2.88 2.88 0 0 1 2.88-2.88h21.17l10.467-7.81Zm-7.256 7.81h20.38l-8.547-6.283a2.88 2.88 0 0 0-3.428.012l-8.405 6.272Zm-27.26 20.343-8.157 6.086a2.88 2.88 0 0 0-1.158 2.308v.162a.957.957 0 0 1 .371.127l8.943 5.295V32.147Zm1.92 15.114 23.887 14.145c.316-.046.637-.07.961-.07h20.368c.778 0 1.542.136 2.262.393l24.133-14.412V14.685a.96.96 0 0 0-.96-.96H25.154a.96.96 0 0 0-.96.96V47.26Zm73.531-1.091 8.939-5.339a.952.952 0 0 1 .375-.128v-.145a2.88 2.88 0 0 0-1.174-2.32l-8.14-5.985V46.17ZM12.96 92.159V42.84L45.7 62.227c-.47.27-.91.598-1.308.98L13.144 93.174a2.876 2.876 0 0 1-.184-1.015Zm94.08-49.315L73.609 62.809c.122.098.241.2.357.307l32.81 30.249a2.86 2.86 0 0 0 .264-1.206V42.844Zm-91.2 52.195a2.866 2.866 0 0 1-1.456-.395l31.337-30.052a4.8 4.8 0 0 1 3.322-1.335h20.368a4.8 4.8 0 0 1 3.253 1.27l32.773 30.214c-.385.19-.819.298-1.277.298H15.84Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M42.729 27.585h34.476a9.204 9.204 0 1 1 0 18.409H42.73a9.204 9.204 0 0 1 0-18.409Zm0 .96a8.244 8.244 0 0 0 0 16.489h34.476a8.244 8.244 0 0 0 0-16.489H42.73Z"
clip-rule="evenodd" />
<circle cx="41.23" cy="36.789" r="2.248" class="tw-fill-art-accent" />
<circle cx="56.22" cy="36.789" r="2.248" class="tw-fill-art-accent" />
<circle cx="71.209" cy="36.789" r="2.248" class="tw-fill-art-accent" />
<circle cx="48.725" cy="36.789" r="2.248" class="tw-fill-art-accent" />
<circle cx="63.715" cy="36.789" r="2.248" class="tw-fill-art-accent" />
<circle cx="78.704" cy="36.789" r="2.248" class="tw-fill-art-accent" />
</svg>
`;

52
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-security-key.icon.ts Normal file
View File

@@ -0,0 +1,52 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthSecurityKeyIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 120 100">
<g clip-path="url(#a)">
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M22.852 21.578H6.656v16.365h16.196V21.578ZM5.183 20.09v19.34h19.142V20.09H5.183Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M.03 39.431c0-1.643 1.318-2.975 2.945-2.975h23.558c1.627 0 2.945 1.332 2.945 2.975v5.207h-2.945v-5.207H2.975v12.458l1.255 1.598c.413.526.638 1.178.638 1.85v16.517c0 .725-.262 1.424-.736 1.968l-1.157 1.326v13.378h23.558V75.148l-1.157-1.326a2.993 2.993 0 0 1-.736-1.968V55.337c0-.672.225-1.324.638-1.85l1.255-1.598V49.1h2.945v2.788c0 .671-.225 1.323-.638 1.85l-1.255 1.598v16.517l1.157 1.326c.474.544.736 1.243.736 1.968v13.378c0 1.644-1.318 2.976-2.945 2.976H2.975C1.348 91.502.03 90.17.03 88.526V75.148c0-.725.262-1.424.736-1.968l1.157-1.326V55.337L.668 53.738a2.995 2.995 0 0 1-.638-1.85V39.432Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M30.8 38.884a.731.731 0 0 1 1.04.043l4.07 4.464a.75.75 0 0 1 .132.802.736.736 0 0 1-.674.445h-15.46a.74.74 0 0 1-.737-.744c0-.41.33-.743.736-.743H33.69l-2.931-3.216a.75.75 0 0 1 .042-1.051ZM24.557 53.368a.73.73 0 0 1-1.04-.043l-4.069-4.463a.75.75 0 0 1-.133-.803.736.736 0 0 1 .675-.445h15.46a.74.74 0 0 1 .736.744.74.74 0 0 1-.736.744H21.669l2.93 3.215a.75.75 0 0 1-.042 1.051Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M42.452 91.904c0-.411.33-.744.736-.744h46.416a.74.74 0 0 1 .736.744.74.74 0 0 1-.736.744H43.188a.74.74 0 0 1-.736-.744Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M57.47 91.903V78.257h1.472v13.646H57.47ZM72.486 91.903V78.257h1.472v13.646h-1.472Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M11.81 17.859c0-5.752 4.614-10.414 10.306-10.414h87.608c5.692 0 10.307 4.662 10.307 10.414v50.583c0 5.752-4.615 10.414-10.307 10.414H29.11v-2.975h80.614c4.066 0 7.362-3.33 7.362-7.439V17.86c0-4.108-3.296-7.439-7.362-7.439H22.116c-4.066 0-7.362 3.33-7.362 7.439v3.72H11.81v-3.72Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M18.435 18.603c0-2.465 1.978-4.463 4.417-4.463h86.136c2.439 0 4.417 1.998 4.417 4.463V67.7c0 2.465-1.978 4.463-4.417 4.463H26.901v-1.488h82.087c1.626 0 2.945-1.332 2.945-2.975V18.603c0-1.643-1.319-2.975-2.945-2.975H22.852c-1.626 0-2.945 1.332-2.945 2.975v2.232h-1.472v-2.232Z"
clip-rule="evenodd" />
<g clip-path="url(#b)">
<path class="tw-fill-art-accent"
d="M67.118 46.886a1.062 1.062 0 0 0-.138-.531 1.037 1.037 0 0 0-.381-.386 1.006 1.006 0 0 0-1.037.018 1.059 1.059 0 0 0-.324 1.46c.099.156.237.283.4.366v1.716a.48.48 0 0 0 .126.347.461.461 0 0 0 .333.147.446.446 0 0 0 .333-.147.482.482 0 0 0 .125-.347V47.81c.168-.086.31-.219.409-.382.099-.163.152-.35.154-.543Zm5.37-6.916h-.565a.337.337 0 0 1-.312-.215.358.358 0 0 1-.026-.133v-.255a5.896 5.896 0 0 0-1.374-3.901 5.645 5.645 0 0 0-3.567-1.972 5.4 5.4 0 0 0-2.268.263c-.73.248-1.4.65-1.97 1.181a5.634 5.634 0 0 0-1.332 1.896 5.75 5.75 0 0 0-.468 2.286v.413c0 .008-.03.434-.392.44h-.509a1.686 1.686 0 0 0-1.203.514c-.32.328-.498.772-.497 1.234v10.37c0 .463.178.907.497 1.234.318.328.75.515 1.203.518h12.783c.452-.003.884-.189 1.202-.517.319-.328.497-.772.497-1.234V41.721a1.776 1.776 0 0 0-.495-1.235 1.71 1.71 0 0 0-.552-.38 1.665 1.665 0 0 0-.653-.136h.001Zm-10.637-.85a4.442 4.442 0 0 1 .41-1.877 4.346 4.346 0 0 1 1.16-1.515 4.218 4.218 0 0 1 1.685-.855 4.17 4.17 0 0 1 1.881-.029 4.335 4.335 0 0 1 2.436 1.596c.61.8.934 1.79.918 2.806v.376a.358.358 0 0 1-.1.246.336.336 0 0 1-.24.102h-7.63a.468.468 0 0 1-.352-.115.51.51 0 0 1-.169-.336v-.399h.001Zm11.091 12.97a.477.477 0 0 1-.133.332.45.45 0 0 1-.322.139H59.705a.445.445 0 0 1-.323-.139.46.46 0 0 1-.132-.331V41.72a.474.474 0 0 1 .132-.331.456.456 0 0 1 .321-.138h12.784c.121 0 .237.05.322.138a.473.473 0 0 1 .133.33v10.37Z" />
</g>
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M13.281 25.298h-3.68V23.81h3.68v1.488ZM19.907 25.298h-3.68V23.81h3.68v1.488Z"
clip-rule="evenodd" />
<path class="tw-stroke-art-accent" stroke-width=".784"
d="M20.079 63.907c0 2.913-2.336 5.267-5.21 5.267-2.872 0-5.208-2.355-5.208-5.268s2.336-5.267 5.209-5.267c2.873 0 5.209 2.354 5.209 5.267Z" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M11.37 63.14a.378.378 0 0 0 0 .53c.146.146.38.146.525 0a4.442 4.442 0 0 1 6.329 0c.145.146.38.146.524 0a.377.377 0 0 0 0-.53 5.179 5.179 0 0 0-7.377 0Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M12.357 64.724a.377.377 0 0 0 0 .53c.145.147.38.147.525 0a3.057 3.057 0 0 1 4.355 0c.145.147.38.147.525 0a.378.378 0 0 0 0-.53 3.794 3.794 0 0 0-5.405 0Z"
clip-rule="evenodd" />
</g>
<defs>
<clipPath id="a">
<path fill="#fff" d="M0 0h120v100H0z" />
</clipPath>
<clipPath id="b">
<path fill="#fff" d="M56.014 33.468h20.165v20.375H56.014z" />
</clipPath>
</defs>
</svg>
`;

40
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-webauthn.icon.ts Normal file
View File

@@ -0,0 +1,40 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthWebAuthnIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 120 100">
<path class="tw-fill-art-primary"
d="M19.258 16.434c0-3.635 2.966-6.58 6.626-6.58H56.88c3.659 0 6.625 2.946 6.625 6.58v27.788l-2.208 2.667V16.434c0-2.423-1.978-4.387-4.417-4.387H25.884c-2.44 0-4.418 1.964-4.418 4.387v67.09c0 2.422 1.978 4.386 4.418 4.386h16.389l-.814 2.194H25.884c-3.66 0-6.626-2.947-6.626-6.58v-67.09Z" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M40.119 19.287a.55.55 0 0 1 .552-.548h2.208a.55.55 0 0 1 .553.548.55.55 0 0 1-.553.549h-2.208a.55.55 0 0 1-.552-.549Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M31.994 38.828c2.103-3.001 5.541-4.957 9.425-4.957 5.66 0 10.376 4.155 11.392 9.653a.567.567 0 0 1-.439.664.553.553 0 0 1-.646-.451c-.918-4.969-5.183-8.73-10.307-8.73-3.515 0-6.625 1.769-8.53 4.485a.542.542 0 0 1-.77.129.579.579 0 0 1-.125-.793Zm-.623 2.186c.282.117.42.448.305.74a10.928 10.928 0 0 0-.748 3.992v3.46a.56.56 0 0 1-.553.569.56.56 0 0 1-.552-.568v-3.461c0-1.56.294-3.051.829-4.417a.547.547 0 0 1 .718-.315Zm21.09 4.164a.56.56 0 0 1 .553.568v3.23a.56.56 0 0 1-.552.568.56.56 0 0 1-.552-.568v-3.23a.56.56 0 0 1 .552-.568Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M32.823 41.892c1.451-3.427 4.75-5.827 8.596-5.827 1.98 0 3.819.638 5.333 1.725.25.18.31.532.135.788a.544.544 0 0 1-.769.138 8.02 8.02 0 0 0-4.7-1.52c-3.382 0-6.297 2.111-7.582 5.146a.547.547 0 0 1-.726.294.57.57 0 0 1-.287-.744Zm14.94-2.495a.543.543 0 0 1 .778.066 9.936 9.936 0 0 1 2.265 6.35v7.783a.559.559 0 0 1-.552.566.559.559 0 0 1-.553-.566v-7.782a8.788 8.788 0 0 0-2.002-5.62.575.575 0 0 1 .064-.797Zm-15.06 4.804a.562.562 0 0 1 .487.625 9.062 9.062 0 0 0-.053.988v7.782a.559.559 0 0 1-.553.566.559.559 0 0 1-.552-.566v-7.782c0-.377.02-.748.06-1.114a.555.555 0 0 1 .611-.499Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M34.24 45.704c0-4.105 3.207-7.446 7.178-7.446 3.972 0 7.178 3.341 7.178 7.446V55.79a.559.559 0 0 1-.552.565.559.559 0 0 1-.552-.565V45.704c0-3.495-2.726-6.315-6.074-6.315-3.347 0-6.073 2.82-6.073 6.315v3.948a.559.559 0 0 1-.553.566.559.559 0 0 1-.552-.566v-3.948Zm.552 5.572c.305 0 .553.253.553.565v3.949a.559.559 0 0 1-.553.565.559.559 0 0 1-.552-.565V51.84c0-.312.247-.565.552-.565Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M38.89 41.142a4.955 4.955 0 0 1 2.529-.69 4.966 4.966 0 0 1 4.97 4.962v3.044a.55.55 0 0 1-.553.548.55.55 0 0 1-.552-.548v-3.044a3.865 3.865 0 0 0-5.83-3.33.554.554 0 0 1-.757-.19.546.546 0 0 1 .192-.752Zm-.911 1.45c.258.16.335.5.173.756a3.844 3.844 0 0 0-.599 2.066v11.49a.55.55 0 0 1-.552.548.55.55 0 0 1-.552-.548v-11.49c0-.974.282-1.884.768-2.651a.554.554 0 0 1 .762-.172Zm7.857 7.904a.55.55 0 0 1 .552.549v5.859a.55.55 0 0 1-.552.548.55.55 0 0 1-.552-.548v-5.86a.55.55 0 0 1 .552-.547Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M38.658 45.306c0-1.488 1.256-2.66 2.76-2.66 1.505 0 2.761 1.172 2.761 2.66v4.829a.55.55 0 0 1-.552.548.55.55 0 0 1-.552-.548v-4.828c0-.845-.722-1.564-1.657-1.564-.934 0-1.656.72-1.656 1.563v12.146a.55.55 0 0 1-.552.549.55.55 0 0 1-.552-.549V45.307Zm4.97 6.317a.55.55 0 0 1 .551.549v5.28a.55.55 0 0 1-.552.549.55.55 0 0 1-.552-.549v-5.28a.55.55 0 0 1 .552-.549Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent" fill-rule="evenodd"
d="M41.419 44.84a.55.55 0 0 1 .552.548v1.9a.55.55 0 0 1-.552.548.55.55 0 0 1-.552-.549v-1.9a.55.55 0 0 1 .552-.548Zm0 4a.55.55 0 0 1 .552.548V58a.55.55 0 0 1-.552.549.55.55 0 0 1-.552-.549v-8.612a.55.55 0 0 1 .552-.549Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M48.904 87.97c2.492 0 4.542-2.042 4.542-4.616 0-2.51-1.986-4.616-4.542-4.616-2.55 0-4.543 2.049-4.543 4.616 0 2.574 2.05 4.616 4.543 4.616Zm3.016-4.616c0 1.739-1.376 3.086-3.016 3.086-1.64 0-3.017-1.347-3.017-3.086 0-1.745 1.333-3.086 3.017-3.086 1.677 0 3.016 1.385 3.016 3.086Z"
clip-rule="evenodd" />
<path class="tw-fill-art-primary" fill-rule="evenodd"
d="M108.913 84.456a.767.767 0 0 0 0-1.074l-6.098-6.213a.76.76 0 0 0-.544-.228H70.225c-2.438-5.616-7.969-9.602-14.417-9.602-8.75 0-15.73 7.185-15.73 16.015 0 8.832 7.032 16.015 15.73 16.015 6.498 0 12.081-4.036 14.475-9.756h8.303c.204 0 .4-.082.544-.228l2.933-2.989 3.034 3.091a.762.762 0 0 0 1.088 0l.918-.934.766.78a.762.762 0 0 0 1.08.008l3.135-3.107 3.294 3.356c.143.146.339.229.543.229h7.408a.76.76 0 0 0 .544-.229l5.04-5.134Zm-5.903 3.832h-6.769l-3.606-3.674a.762.762 0 0 0-1.08-.007l-3.135 3.106-.774-.788a.762.762 0 0 0-1.087 0l-.918.935-3.034-3.091a.762.762 0 0 0-1.088 0l-3.253 3.314h-8.5c-.316 0-.6.196-.712.493-2.06 5.419-7.23 9.263-13.246 9.263-7.832 0-14.204-6.475-14.204-14.485 0-8.011 6.323-14.485 14.204-14.485 5.966 0 11.09 3.795 13.2 9.12a.763.763 0 0 0 .709.482h32.235l5.346 5.448-4.288 4.37Z"
clip-rule="evenodd" />
<path class="tw-fill-art-accent"
d="M100.357 80.991a.382.382 0 0 0-.382-.382H73.651a.382.382 0 0 0 0 .765h26.324c.211 0 .382-.171.382-.383ZM65.693 77.56c-2.04-3.686-5.74-6.133-9.95-6.133-.895 0-1.766.11-2.602.319a.382.382 0 0 1-.184-.743 11.478 11.478 0 0 1 2.785-.341c4.52 0 8.46 2.627 10.618 6.528a14.09 14.09 0 0 1 1.563 4.503.382.382 0 1 1-.752.126 13.324 13.324 0 0 0-1.478-4.258Z" />
<path class="tw-fill-art-primary tw-stroke-art-primary" fill-rule="evenodd" stroke-width=".355"
d="M75.94 32.403c8.007 0 14.498 6.51 14.498 14.538a14.542 14.542 0 0 1-9.26 13.56c8.849 1.9 15.896 8.519 18.221 17.036l-1.472.404C95.343 68.475 86.492 61.48 75.95 61.48c-6.743 0-12.796 2.861-16.96 7.404l-1.123-1.036a24.374 24.374 0 0 1 12.842-7.344 14.542 14.542 0 0 1-9.265-13.563c0-8.029 6.49-14.538 14.497-14.538Zm12.972 14.538c0-7.184-5.808-13.007-12.972-13.007S62.97 39.757 62.97 46.94c0 7.184 5.807 13.008 12.971 13.008s12.972-5.823 12.972-13.008Z"
clip-rule="evenodd" />
</svg>
`;

15
libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-yubico.icon.ts Normal file
View File

@@ -0,0 +1,15 @@
import { svgIcon } from "@bitwarden/components";
export const TwoFactorAuthYubicoIcon = svgIcon`
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 121 33">
<g fill="#84BD00" clip-path="url(#a)">
<path
d="M11.011 19.366 15.18 7.47h6.02L11.054 32.622H4.698l2.903-6.891L.5 7.47h6.147l4.364 11.895ZM42.446 25.872h-5.87V23.84c-.925.73-1.92 1.364-2.971 1.892-.9.432-1.971.648-3.216.646-2.014 0-3.562-.584-4.645-1.751-1.082-1.168-1.627-2.895-1.633-5.18V7.471h5.865v9.127c0 .929.03 1.702.09 2.319.036.533.177 1.054.414 1.532.199.396.53.71.935.884.418.186 1 .279 1.749.279a5.726 5.726 0 0 0 1.657-.28 7.101 7.101 0 0 0 1.757-.818V7.47h5.868v18.4ZM66.065 16.42c0 2.894-.793 5.254-2.38 7.078-1.586 1.824-3.565 2.736-5.935 2.736a9.864 9.864 0 0 1-2.68-.327 9.183 9.183 0 0 1-2.191-.95l-.245.916H47.01V.377h5.87v9.012a14.137 14.137 0 0 1 2.753-1.754 7.413 7.413 0 0 1 3.24-.671c2.305 0 4.08.84 5.327 2.52 1.245 1.68 1.867 3.992 1.865 6.935Zm-6.032.122c0-1.637-.276-2.897-.828-3.78-.553-.884-1.537-1.326-2.952-1.326-.577.004-1.15.09-1.704.254a6.987 6.987 0 0 0-1.67.72v9.227c.388.144.79.249 1.2.311a9.8 9.8 0 0 0 1.363.083c1.548 0 2.7-.459 3.455-1.375.755-.918 1.135-2.289 1.138-4.114h-.002ZM75.961 4.85h-6.195V.377h6.195V4.85ZM75.8 25.872h-5.87v-18.4h5.87v18.4ZM90.789 26.363a15.651 15.651 0 0 1-4.36-.572 9.575 9.575 0 0 1-3.438-1.77 8.005 8.005 0 0 1-2.244-3.015c-.53-1.211-.796-2.631-.797-4.26 0-1.716.285-3.196.854-4.44a8.377 8.377 0 0 1 2.382-3.097A9.675 9.675 0 0 1 86.6 7.504a14.864 14.864 0 0 1 4.017-.54c1.16-.01 2.319.127 3.446.408 1.013.26 1.999.616 2.944 1.066v5.03h-.83c-.225-.197-.499-.426-.82-.688a7.315 7.315 0 0 0-1.176-.77 7.73 7.73 0 0 0-1.46-.598 6.497 6.497 0 0 0-1.858-.234c-1.56 0-2.76.5-3.598 1.5-.839 1-1.255 2.357-1.25 4.072 0 1.77.43 3.114 1.29 4.03.86.918 2.08 1.376 3.662 1.376a7.202 7.202 0 0 0 1.988-.254 6.426 6.426 0 0 0 1.47-.597c.344-.201.67-.431.974-.688.282-.241.536-.475.779-.706h.829v5.041c-.931.434-1.9.778-2.896 1.028a13.455 13.455 0 0 1-3.323.383ZM120.4 16.68c0 3.027-.875 5.411-2.626 7.153-1.751 1.741-4.209 2.613-7.375 2.614-3.165 0-5.624-.871-7.374-2.614-1.751-1.743-2.627-4.127-2.627-7.153 0-3.048.882-5.44 2.644-7.176 1.763-1.735 4.215-2.603 7.357-2.605 3.187 0 5.651.874 7.391 2.622 1.74 1.747 2.61 4.134 2.61 7.16Zm-7.203 4.474a4.741 4.741 0 0 0 .852-1.696c.192-.661.287-1.576.286-2.745.018-.915-.08-1.829-.293-2.719a4.768 4.768 0 0 0-.818-1.753 2.853 2.853 0 0 0-1.251-.95 4.4 4.4 0 0 0-1.577-.28 4.607 4.607 0 0 0-1.504.229c-.489.192-.92.508-1.251.918a4.687 4.687 0 0 0-.854 1.754 10.45 10.45 0 0 0-.318 2.8c-.014.88.079 1.758.277 2.615.141.645.418 1.251.813 1.778a3.11 3.11 0 0 0 1.25.935 4.6 4.6 0 0 0 3.17.023 2.794 2.794 0 0 0 1.218-.909Z" />
</g>
<defs>
<clipPath id="a">
<path fill="#fff" d="M.5.377h120v32.247H.5z" />
</clipPath>
</defs>
</svg>
`;

6
libs/auth/src/angular/index.ts
View File

@@ -71,3 +71,9 @@ export * from "./self-hosted-env-config-dialog/self-hosted-env-config-dialog.com
// login approval
export * from "./login-approval/login-approval.component";
export * from "./login-approval/default-login-approval-component.service";
// two factor auth
export * from "./two-factor-auth";
// device verification
export * from "./new-device-verification/new-device-verification.component";

4
libs/auth/src/angular/input-password/input-password.component.ts
View File

@@ -33,7 +33,11 @@ import {
NEW_ARGON2_DEFAULT_KDF_CONFIG,
} from "@bitwarden/key-management";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { InputsFieldMatch } from "../../../../angular/src/auth/validators/inputs-field-match.validator";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { SharedModule } from "../../../../components/src/shared";
import { PasswordCalloutComponent } from "../password-callout/password-callout.component";

3
libs/auth/src/angular/input-password/input-password.stories.ts
View File

@@ -14,7 +14,8 @@ import { DialogService, ToastService } from "@bitwarden/components";
import { KeyService } from "@bitwarden/key-management";
// FIXME: remove `/apps` import from `/libs`
// eslint-disable-next-line import/no-restricted-paths
// FIXME: remove `src` and fix import
// eslint-disable-next-line import/no-restricted-paths, no-restricted-imports
import { PreloadedEnglishI18nModule } from "../../../../../apps/web/src/app/core/tests";
import { InputPasswordComponent } from "./input-password.component";

55
libs/auth/src/angular/login-approval/login-approval.component.html
View File

@@ -1,23 +1,34 @@
<bit-dialog>
<span bitDialogTitle>{{ "areYouTryingtoLogin" | i18n }}</span>
<span bitDialogTitle>{{ "areYouTryingToAccessYourAccount" | i18n }}</span>
<ng-container bitDialogContent>
<h4 class="tw-mb-3">{{ "logInAttemptBy" | i18n: email }}</h4>
<div>
<b>{{ "fingerprintPhraseHeader" | i18n }}</b>
<p class="tw-text-code">{{ fingerprintPhrase }}</p>
</div>
<div>
<b>{{ "deviceType" | i18n }}</b>
<p>{{ authRequestResponse?.requestDeviceType }}</p>
</div>
<div>
<b>{{ "ipAddress" | i18n }}</b>
<p>{{ authRequestResponse?.requestIpAddress }}</p>
</div>
<div>
<b>{{ "time" | i18n }}</b>
<p>{{ requestTimeText }}</p>
</div>
<ng-container *ngIf="loading">
<div class="tw-flex tw-items-center tw-justify-center" *ngIf="loading">
<i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
</div>
</ng-container>
<ng-container *ngIf="!loading">
<h4 class="tw-mb-3">{{ "accessAttemptBy" | i18n: email }}</h4>
<div>
<b>{{ "fingerprintPhraseHeader" | i18n }}</b>
<p class="tw-text-code">{{ fingerprintPhrase }}</p>
</div>
<div>
<b>{{ "deviceType" | i18n }}</b>
<p>{{ authRequestResponse?.requestDeviceType }}</p>
</div>
<div>
<b>{{ "location" | i18n }}</b>
<p>
<span class="tw-capitalize">{{ authRequestResponse?.requestCountryName }} </span>
({{ authRequestResponse?.requestIpAddress }})
</p>
</div>
<div>
<b>{{ "time" | i18n }}</b>
<p>{{ requestTimeText }}</p>
</div>
</ng-container>
</ng-container>
<ng-container bitDialogFooter>
<button
@@ -25,18 +36,18 @@
type="button"
buttonType="primary"
[bitAction]="approveLogin"
[bitDialogClose]="true"
[disabled]="loading"
>
{{ "confirmLogIn" | i18n }}
{{ "confirmAccess" | i18n }}
</button>
<button
bitButton
type="button"
buttonType="secondary"
[bitAction]="denyLogin"
[bitDialogClose]="true"
[disabled]="loading"
>
{{ "denyLogIn" | i18n }}
{{ "denyAccess" | i18n }}
</button>
</ng-container>
</bit-dialog>

4
libs/auth/src/angular/login-approval/login-approval.component.spec.ts
View File

@@ -13,6 +13,7 @@ import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
import { UserId } from "@bitwarden/common/types/guid";
import { ToastService } from "@bitwarden/components";
import { KeyService } from "@bitwarden/key-management";
@@ -29,6 +30,7 @@ describe("LoginApprovalComponent", () => {
let i18nService: MockProxy<I18nService>;
let dialogRef: MockProxy<DialogRef>;
let toastService: MockProxy<ToastService>;
let validationService: MockProxy<ValidationService>;
const testNotificationId = "test-notification-id";
const testEmail = "test@bitwarden.com";
@@ -41,6 +43,7 @@ describe("LoginApprovalComponent", () => {
i18nService = mock<I18nService>();
dialogRef = mock<DialogRef>();
toastService = mock<ToastService>();
validationService = mock<ValidationService>();
accountService.activeAccount$ = of({
email: testEmail,
@@ -62,6 +65,7 @@ describe("LoginApprovalComponent", () => {
{ provide: KeyService, useValue: mock<KeyService>() },
{ provide: DialogRef, useValue: dialogRef },
{ provide: ToastService, useValue: toastService },
{ provide: ValidationService, useValue: validationService },
{
provide: LoginApprovalComponentServiceAbstraction,
useValue: mock<LoginApprovalComponentServiceAbstraction>(),

23
libs/auth/src/angular/login-approval/login-approval.component.ts
View File

@@ -16,6 +16,7 @@ import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import {
AsyncActionsModule,
@@ -40,6 +41,8 @@ export interface LoginApprovalDialogParams {
imports: [CommonModule, AsyncActionsModule, ButtonModule, DialogModule, JslibModule],
})
export class LoginApprovalComponent implements OnInit, OnDestroy {
loading = true;
notificationId: string;
private destroy$ = new Subject<void>();
@@ -62,27 +65,27 @@ export class LoginApprovalComponent implements OnInit, OnDestroy {
private dialogRef: DialogRef,
private toastService: ToastService,
private loginApprovalComponentService: LoginApprovalComponentService,
private validationService: ValidationService,
) {
this.notificationId = params.notificationId;
}
async ngOnDestroy(): Promise<void> {
clearInterval(this.interval);
const closedWithButton = await firstValueFrom(this.dialogRef.closed);
if (!closedWithButton) {
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
// eslint-disable-next-line @typescript-eslint/no-floating-promises
this.retrieveAuthRequestAndRespond(false);
}
this.destroy$.next();
this.destroy$.complete();
}
async ngOnInit() {
if (this.notificationId != null) {
this.authRequestResponse = await this.apiService.getAuthRequest(this.notificationId);
try {
this.authRequestResponse = await this.apiService.getAuthRequest(this.notificationId);
} catch (error) {
this.validationService.showError(error);
}
const publicKey = Utils.fromB64ToArray(this.authRequestResponse.publicKey);
this.email = await await firstValueFrom(
this.email = await firstValueFrom(
this.accountService.activeAccount$.pipe(map((a) => a?.email)),
);
this.fingerprintPhrase = await this.authRequestService.getFingerprintPhrase(
@@ -96,6 +99,8 @@ export class LoginApprovalComponent implements OnInit, OnDestroy {
}, RequestTimeUpdate);
this.loginApprovalComponentService.showLoginRequestedAlertIfWindowNotVisible(this.email);
this.loading = false;
}
}
@@ -131,6 +136,8 @@ export class LoginApprovalComponent implements OnInit, OnDestroy {
);
this.showResultToast(loginResponse);
}
this.dialogRef.close(approve);
}
showResultToast(loginResponse: AuthRequestResponse) {

2
libs/auth/src/angular/login-decryption-options/login-decryption-options.component.html
View File

@@ -1,5 +1,5 @@
<ng-container *ngIf="loading">
<div class="text-center">
<div class="tw-text-center">
<i
class="bwi bwi-spinner bwi-spin bwi-2x tw-text-muted"
title="{{ 'loading' | i18n }}"

6
libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts
View File

@@ -16,10 +16,10 @@ import {
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { PasswordResetEnrollmentServiceAbstraction } from "@bitwarden/common/auth/abstractions/password-reset-enrollment.service.abstraction";
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
import { ClientType } from "@bitwarden/common/enums";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -107,7 +107,7 @@ export class LoginDecryptionOptionsComponent implements OnInit {
private userDecryptionOptionsService: UserDecryptionOptionsServiceAbstraction,
private validationService: ValidationService,
) {
this.clientType === this.platformUtilsService.getClientType();
this.clientType = this.platformUtilsService.getClientType();
}
async ngOnInit() {
@@ -202,7 +202,7 @@ export class LoginDecryptionOptionsComponent implements OnInit {
});
const autoEnrollStatus$ = defer(() =>
this.ssoLoginService.getActiveUserOrganizationSsoIdentifier(),
this.ssoLoginService.getActiveUserOrganizationSsoIdentifier(this.activeAccountId),
).pipe(
switchMap((organizationIdentifier) => {
if (organizationIdentifier == undefined) {

24
libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.html
View File

@@ -1,6 +1,20 @@
<div class="tw-text-center">
<ng-container *ngIf="flow === Flow.StandardAuthRequest">
<p>{{ "makeSureYourAccountIsUnlockedAndTheFingerprintEtc" | i18n }}</p>
<p *ngIf="clientType !== ClientType.Web">
{{ "notificationSentDevicePart1" | i18n }}
<a
bitLink
linkType="primary"
class="tw-cursor-pointer"
[href]="deviceManagementUrl"
target="_blank"
rel="noreferrer"
>{{ "notificationSentDeviceAnchor" | i18n }}</a
>. {{ "notificationSentDevicePart2" | i18n }}
</p>
<p *ngIf="clientType === ClientType.Web">
{{ "notificationSentDeviceComplete" | i18n }}
</p>
<div class="tw-font-semibold">{{ "fingerprintPhraseHeader" | i18n }}</div>
<code class="tw-text-code">{{ fingerprintPhrase }}</code>
@@ -12,13 +26,14 @@
block
buttonType="secondary"
class="tw-mt-4"
(click)="startStandardAuthRequestLogin()"
(click)="startStandardAuthRequestLogin(true)"
>
{{ "resendNotification" | i18n }}
</button>
<div *ngIf="clientType !== ClientType.Browser" class="tw-mt-4">
<span>{{ "needAnotherOptionV1" | i18n }}</span>
<span>{{ "needAnotherOptionV1" | i18n }}</span
>&nbsp;
<a [routerLink]="backToRoute" bitLink linkType="primary">{{
"viewAllLogInOptions" | i18n
}}</a>
@@ -32,7 +47,8 @@
<code class="tw-text-code">{{ fingerprintPhrase }}</code>
<div class="tw-mt-4">
<span>{{ "troubleLoggingIn" | i18n }}</span>
<span>{{ "troubleLoggingIn" | i18n }}</span
>&nbsp;
<a [routerLink]="backToRoute" bitLink linkType="primary">{{
"viewAllLogInOptions" | i18n
}}</a>

263
libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts
View File

@@ -1,5 +1,3 @@
// FIXME: Update this file to be type safe and remove this and next line
// @ts-strict-ignore
import { CommonModule } from "@angular/common";
import { Component, OnDestroy, OnInit } from "@angular/core";
import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
@@ -17,7 +15,6 @@ import {
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { AnonymousHubService } from "@bitwarden/common/auth/abstractions/anonymous-hub.service";
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthRequestType } from "@bitwarden/common/auth/enums/auth-request-type";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
@@ -25,10 +22,15 @@ import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { AuthRequest } from "@bitwarden/common/auth/models/request/auth.request";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { LoginViaAuthRequestView } from "@bitwarden/common/auth/models/view/login-via-auth-request.view";
import { ClientType, HttpStatusCode } from "@bitwarden/common/enums";
import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -39,6 +41,7 @@ import { ButtonModule, LinkModule, ToastService } from "@bitwarden/components";
import { PasswordGenerationServiceAbstraction } from "@bitwarden/generator-legacy";
import { AuthRequestApiService } from "../../common/abstractions/auth-request-api.service";
import { LoginViaAuthRequestCacheService } from "../../common/services/auth-request/default-login-via-auth-request-cache.service";
enum Flow {
StandardAuthRequest, // when user clicks "Login with device" from /login or "Approve from your other device" from /login-initiated
@@ -56,21 +59,26 @@ const matchOptions: IsActiveMatchOptions = {
standalone: true,
templateUrl: "./login-via-auth-request.component.html",
imports: [ButtonModule, CommonModule, JslibModule, LinkModule, RouterModule],
providers: [{ provide: LoginViaAuthRequestCacheService }],
})
export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private authRequest: AuthRequest;
private authRequestKeyPair: { publicKey: Uint8Array; privateKey: Uint8Array };
private authStatus: AuthenticationStatus;
private authRequest: AuthRequest | undefined = undefined;
private authRequestKeyPair:
| { publicKey: Uint8Array | undefined; privateKey: Uint8Array | undefined }
| undefined = undefined;
private authStatus: AuthenticationStatus | undefined = undefined;
private showResendNotificationTimeoutSeconds = 12;
protected backToRoute = "/login";
protected clientType: ClientType;
protected ClientType = ClientType;
protected email: string;
protected fingerprintPhrase: string;
protected email: string | undefined = undefined;
protected fingerprintPhrase: string | undefined = undefined;
protected showResendNotification = false;
protected Flow = Flow;
protected flow = Flow.StandardAuthRequest;
protected webVaultUrl: string | undefined = undefined;
protected deviceManagementUrl: string | undefined;
constructor(
private accountService: AccountService,
@@ -81,6 +89,7 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private authService: AuthService,
private cryptoFunctionService: CryptoFunctionService,
private deviceTrustService: DeviceTrustServiceAbstraction,
private environmentService: EnvironmentService,
private i18nService: I18nService,
private logService: LogService,
private loginEmailService: LoginEmailServiceAbstraction,
@@ -91,6 +100,8 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private toastService: ToastService,
private validationService: ValidationService,
private loginSuccessHandlerService: LoginSuccessHandlerService,
private loginViaAuthRequestCacheService: LoginViaAuthRequestCacheService,
private configService: ConfigService,
) {
this.clientType = this.platformUtilsService.getClientType();
@@ -109,11 +120,18 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
this.logService.error("Failed to use approved auth request: " + e.message);
});
});
// Get the web vault URL from the environment service
this.environmentService.environment$.pipe(takeUntilDestroyed()).subscribe((env) => {
this.webVaultUrl = env.getWebVaultUrl();
this.deviceManagementUrl = `${this.webVaultUrl}/#/settings/security/device-management`;
});
}
async ngOnInit(): Promise<void> {
// Get the authStatus early because we use it in both flows
this.authStatus = await firstValueFrom(this.authService.activeAccountStatus$);
await this.loginViaAuthRequestCacheService.init();
const userHasAuthenticatedViaSSO = this.authStatus === AuthenticationStatus.Locked;
@@ -123,7 +141,7 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
/**
* The LoginViaAuthRequestComponent handles both the `login-with-device` and
* the `admin-approval-requested` routes. Therefore we check the route to determine
* the `admin-approval-requested` routes. Therefore, we check the route to determine
* which flow to initialize.
*/
if (this.router.isActive("admin-approval-requested", matchOptions)) {
@@ -149,7 +167,14 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
// We only allow a single admin approval request to be active at a time
// so we must check state to see if we have an existing one or not
const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
if (!userId) {
this.logService.error(
"Not able to get a user id from the account service active account observable.",
);
return;
}
const existingAdminAuthRequest = await this.authRequestService.getAdminAuthRequest(userId);
if (existingAdminAuthRequest) {
@@ -162,7 +187,7 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private async initStandardAuthRequestFlow(): Promise<void> {
this.flow = Flow.StandardAuthRequest;
this.email = await firstValueFrom(this.loginEmailService.loginEmail$);
this.email = (await firstValueFrom(this.loginEmailService.loginEmail$)) || undefined;
if (!this.email) {
await this.handleMissingEmail();
@@ -175,7 +200,6 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private async handleMissingEmail(): Promise<void> {
this.toastService.showToast({
variant: "error",
title: null,
message: this.i18nService.t("userEmailMissing"),
});
@@ -184,21 +208,41 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
async ngOnDestroy(): Promise<void> {
await this.anonymousHubService.stopHubConnection();
this.loginViaAuthRequestCacheService.clearCacheLoginView();
}
private async startAdminAuthRequestLogin(): Promise<void> {
try {
await this.buildAuthRequest(AuthRequestType.AdminApproval);
if (!this.authRequest) {
this.logService.error("Auth request failed to build.");
return;
}
if (!this.authRequestKeyPair) {
this.logService.error("Key pairs failed to initialize from buildAuthRequest.");
return;
}
const authRequestResponse = await this.authRequestApiService.postAdminAuthRequest(
this.authRequest,
this.authRequest as AuthRequest,
);
const adminAuthReqStorable = new AdminAuthRequestStorable({
id: authRequestResponse.id,
privateKey: this.authRequestKeyPair.privateKey,
});
const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
if (!userId) {
this.logService.error(
"Not able to get a user id from the account service active account observable.",
);
return;
}
await this.authRequestService.setAdminAuthRequest(adminAuthReqStorable, userId);
if (authRequestResponse.id) {
@@ -209,21 +253,104 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
}
}
protected async startStandardAuthRequestLogin(): Promise<void> {
protected async startStandardAuthRequestLogin(
clearCachedRequest: boolean = false,
): Promise<void> {
this.showResendNotification = false;
try {
await this.buildAuthRequest(AuthRequestType.AuthenticateAndUnlock);
const authRequestResponse = await this.authRequestApiService.postAuthRequest(
this.authRequest,
);
if (authRequestResponse.id) {
await this.anonymousHubService.createHubConnection(authRequestResponse.id);
if (await this.configService.getFeatureFlag(FeatureFlag.PM9112_DeviceApprovalPersistence)) {
// Used for manually refreshing the auth request when clicking the resend auth request
// on the ui.
if (clearCachedRequest) {
this.loginViaAuthRequestCacheService.clearCacheLoginView();
}
try {
const loginAuthRequestView: LoginViaAuthRequestView | null =
this.loginViaAuthRequestCacheService.getCachedLoginViaAuthRequestView();
if (!loginAuthRequestView) {
await this.buildAuthRequest(AuthRequestType.AuthenticateAndUnlock);
// I tried several ways to get the IDE/linter to play nice with checking for null values
// in less code / more efficiently, but it struggles to identify code paths that
// are more complicated than this.
if (!this.authRequest) {
this.logService.error("AuthRequest failed to initialize from buildAuthRequest.");
return;
}
if (!this.fingerprintPhrase) {
this.logService.error("FingerprintPhrase failed to initialize from buildAuthRequest.");
return;
}
if (!this.authRequestKeyPair) {
this.logService.error("KeyPair failed to initialize from buildAuthRequest.");
return;
}
const authRequestResponse: AuthRequestResponse =
await this.authRequestApiService.postAuthRequest(this.authRequest);
this.loginViaAuthRequestCacheService.cacheLoginView(
this.authRequest,
authRequestResponse,
this.fingerprintPhrase,
this.authRequestKeyPair,
);
if (authRequestResponse.id) {
await this.anonymousHubService.createHubConnection(authRequestResponse.id);
}
} else {
// Grab the cached information and store it back in component state.
// We don't need the public key for handling the authentication request because
// the verifyAndHandleApprovedAuthReq function will receive the public key back
// from the looked up auth request and all we need is to make sure that
// we can use the cached private key that is associated with it.
this.authRequest = loginAuthRequestView.authRequest;
this.fingerprintPhrase = loginAuthRequestView.fingerprintPhrase;
this.authRequestKeyPair = {
privateKey: loginAuthRequestView.privateKey
? Utils.fromB64ToArray(loginAuthRequestView.privateKey)
: undefined,
publicKey: undefined,
};
if (!loginAuthRequestView.authRequestResponse) {
this.logService.error("No cached auth request response.");
return;
}
if (loginAuthRequestView.authRequestResponse.id) {
await this.anonymousHubService.createHubConnection(
loginAuthRequestView.authRequestResponse.id,
);
}
}
} catch (e) {
this.logService.error(e);
}
} else {
try {
await this.buildAuthRequest(AuthRequestType.AuthenticateAndUnlock);
if (!this.authRequest) {
this.logService.error("No auth request found.");
return;
}
const authRequestResponse = await this.authRequestApiService.postAuthRequest(
this.authRequest,
);
if (authRequestResponse.id) {
await this.anonymousHubService.createHubConnection(authRequestResponse.id);
}
} catch (e) {
this.logService.error(e);
}
} catch (e) {
this.logService.error(e);
}
setTimeout(() => {
@@ -240,12 +367,23 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
};
const deviceIdentifier = await this.appIdService.getAppId();
if (!this.authRequestKeyPair.publicKey) {
this.logService.error("AuthRequest public key not set to value in building auth request.");
return;
}
const publicKey = Utils.fromBufferToB64(this.authRequestKeyPair.publicKey);
const accessCode = await this.passwordGenerationService.generatePassword({
type: "password",
length: 25,
});
if (!this.email) {
this.logService.error("Email not defined when building auth request.");
return;
}
this.fingerprintPhrase = await this.authRequestService.getFingerprintPhrase(
this.email,
this.authRequestKeyPair.publicKey,
@@ -278,6 +416,8 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
if (error instanceof ErrorResponse && error.statusCode === HttpStatusCode.NotFound) {
return await this.handleExistingAdminAuthReqDeletedOrDenied(userId);
}
this.logService.error(error);
return;
}
// Request doesn't exist anymore
@@ -290,6 +430,12 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
const derivedPublicKeyArrayBuffer = await this.cryptoFunctionService.rsaExtractPublicKey(
adminAuthRequestStorable.privateKey,
);
if (!this.email) {
this.logService.error("Email not defined when handling an existing an admin auth request.");
return;
}
this.fingerprintPhrase = await this.authRequestService.getFingerprintPhrase(
this.email,
derivedPublicKeyArrayBuffer,
@@ -309,9 +455,12 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
);
}
// Request still pending response from admin
// set keypair and create hub connection so that any approvals will be received via push notification
this.authRequestKeyPair = { privateKey: adminAuthRequestStorable.privateKey, publicKey: null };
// Request still pending response from admin set keypair and create hub connection
// so that any approvals will be received via push notification
this.authRequestKeyPair = {
privateKey: adminAuthRequestStorable.privateKey,
publicKey: undefined,
};
await this.anonymousHubService.createHubConnection(adminAuthRequestStorable.id);
}
@@ -372,7 +521,7 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
* | Standard Flow 1 | unauthed | "Login with device" [/login] | /login-with-device | yes |
* | Standard Flow 2 | unauthed | "Login with device" [/login] | /login-with-device | no |
* | Standard Flow 3 | authed | "Approve from your other device" [/login-initiated] | /login-with-device | yes |
* | Standard Flow 4 | authed | "Approve from your other device" [/login-initiated] | /login-with-device | no | |
* | Standard Flow 4 | authed | "Approve from your other device" [/login-initiated] | /login-with-device | no |
* | Admin Flow | authed | "Request admin approval" [/login-initiated] | /admin-approval-requested | NA - admin requests always send encrypted userKey |
* |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
* * Note 1: The phrase "in memory" here is important. It is possible for a user to have a master password for their account, but not have a masterKey IN MEMORY for
@@ -393,6 +542,11 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
await this.handleAuthenticatedFlows(authRequestResponse);
}
} else {
if (!this.authRequest) {
this.logService.error("No auth request defined when handling approved auth request.");
return;
}
// Get the auth request from the server
// User is unauthenticated, therefore the endpoint requires an access code for user verification.
const authRequestResponse = await this.authRequestApiService.getAuthResponse(
@@ -413,11 +567,26 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
}
this.logService.error(error);
} finally {
// Manually clean out the cache to make sure sensitive
// data does not persist longer than it needs to.
this.loginViaAuthRequestCacheService.clearCacheLoginView();
}
}
private async handleAuthenticatedFlows(authRequestResponse: AuthRequestResponse) {
const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
if (!userId) {
this.logService.error(
"Not able to get a user id from the account service active account observable.",
);
return;
}
if (!this.authRequestKeyPair || !this.authRequestKeyPair.privateKey) {
this.logService.error("No private key set when handling the authenticated flows.");
return;
}
await this.decryptViaApprovedAuthRequest(
authRequestResponse,
@@ -435,6 +604,11 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
authRequestResponse,
);
if (!authRequestLoginCredentials) {
this.logService.error("Didn't set up auth request login credentials properly.");
return;
}
// Note: keys are set by AuthRequestLoginStrategy success handling
const authResult = await this.loginStrategyService.logIn(authRequestLoginCredentials);
@@ -453,7 +627,6 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
* - If `masterPasswordHash` has a value, we receive the `key` as an authRequestPublicKey(masterKey) [plus we have authRequestPublicKey(masterPasswordHash)]
* - If `masterPasswordHash` does not have a value, we receive the `key` as an authRequestPublicKey(userKey)
*/
if (authRequestResponse.masterPasswordHash) {
// ...in Standard Auth Request Flow 3
await this.authRequestService.setKeysAfterDecryptingSharedMasterKeyAndHash(
@@ -476,13 +649,17 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
this.toastService.showToast({
variant: "success",
title: null,
message: this.i18nService.t("loginApproved"),
});
// Now that we have a decrypted user key in memory, we can check if we
// need to establish trust on the current device
const activeAccount = await firstValueFrom(this.accountService.activeAccount$);
if (!activeAccount) {
this.logService.error("No active account defined from the account service.");
return;
}
await this.deviceTrustService.trustDeviceIfRequired(activeAccount.id);
await this.handleSuccessfulLoginNavigation(userId);
@@ -498,7 +675,24 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
private async buildAuthRequestLoginCredentials(
requestId: string,
authRequestResponse: AuthRequestResponse,
): Promise<AuthRequestLoginCredentials> {
): Promise<AuthRequestLoginCredentials | undefined> {
if (!this.authRequestKeyPair || !this.authRequestKeyPair.privateKey) {
this.logService.error("No private key set when building auth request login credentials.");
return;
}
if (!this.email) {
this.logService.error("Email not defined.");
return;
}
if (!this.authRequest) {
this.logService.error(
"AuthRequest not defined when building auth request login credentials.",
);
return;
}
/**
* See verifyAndHandleApprovedAuthReq() for flow details.
*
@@ -506,7 +700,6 @@ export class LoginViaAuthRequestComponent implements OnInit, OnDestroy {
* - If `masterPasswordHash` has a value, we receive the `key` as an authRequestPublicKey(masterKey) [plus we have authRequestPublicKey(masterPasswordHash)]
* - If `masterPasswordHash` does not have a value, we receive the `key` as an authRequestPublicKey(userKey)
*/
if (authRequestResponse.masterPasswordHash) {
// ...in Standard Auth Request Flow 1
const { masterKey, masterKeyHash } =

58
libs/auth/src/angular/login/default-login-component.service.spec.ts
View File

@@ -56,13 +56,6 @@ describe("DefaultLoginComponentService", () => {
expect(service).toBeTruthy();
});
describe("getOrgPolicies", () => {
it("returns null", async () => {
const result = await service.getOrgPolicies();
expect(result).toBeNull();
});
});
describe("isLoginWithPasskeySupported", () => {
it("returns true when clientType is Web", () => {
service["clientType"] = ClientType.Web;
@@ -75,50 +68,21 @@ describe("DefaultLoginComponentService", () => {
});
});
describe("launchSsoBrowserWindow", () => {
const email = "test@bitwarden.com";
let state = "testState";
const codeVerifier = "testCodeVerifier";
const codeChallenge = "testCodeChallenge";
const baseUrl = "https://webvault.bitwarden.com/#/sso";
beforeEach(() => {
state = "testState";
describe("redirectToSsoLogin", () => {
it("sets the pre-SSO state", async () => {
const email = "test@bitwarden.com";
const state = "testState";
const codeVerifier = "testCodeVerifier";
const codeChallenge = "testCodeChallenge";
passwordGenerationService.generatePassword.mockResolvedValueOnce(state);
passwordGenerationService.generatePassword.mockResolvedValueOnce(codeVerifier);
jest.spyOn(Utils, "fromBufferToUrlB64").mockReturnValue(codeChallenge);
await service.redirectToSsoLogin(email);
expect(ssoLoginService.setSsoEmail).toHaveBeenCalledWith(email);
expect(ssoLoginService.setSsoState).toHaveBeenCalledWith(state);
expect(ssoLoginService.setCodeVerifier).toHaveBeenCalledWith(codeVerifier);
});
it.each([
{
clientType: ClientType.Browser,
clientId: "browser",
expectedRedirectUri: "https://webvault.bitwarden.com/sso-connector.html",
},
{
clientType: ClientType.Desktop,
clientId: "desktop",
expectedRedirectUri: "bitwarden://sso-callback",
},
])(
"launches SSO browser window with correct URL for $clientId client",
async ({ clientType, clientId, expectedRedirectUri }) => {
service["clientType"] = clientType;
await service.launchSsoBrowserWindow(email, clientId as "browser" | "desktop");
if (clientType === ClientType.Browser) {
state += ":clientId=browser";
}
const expectedUrl = `${baseUrl}?clientId=${clientId}&redirectUri=${encodeURIComponent(expectedRedirectUri)}&state=${state}&codeChallenge=${codeChallenge}&email=${encodeURIComponent(email)}`;
expect(ssoLoginService.setSsoEmail).toHaveBeenCalledWith(email);
expect(ssoLoginService.setSsoState).toHaveBeenCalledWith(state);
expect(ssoLoginService.setCodeVerifier).toHaveBeenCalledWith(codeVerifier);
expect(platformUtilsService.launchUri).toHaveBeenCalledWith(expectedUrl);
},
);
});
});

89
libs/auth/src/angular/login/default-login-component.service.ts
View File

@@ -1,8 +1,6 @@
// FIXME: Update this file to be type safe and remove this and next line
// @ts-strict-ignore
import { firstValueFrom } from "rxjs";
import { LoginComponentService, PasswordPolicies } from "@bitwarden/auth/angular";
import { LoginComponentService } from "@bitwarden/auth/angular";
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
import { ClientType } from "@bitwarden/common/enums";
import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -21,23 +19,55 @@ export class DefaultLoginComponentService implements LoginComponentService {
protected passwordGenerationService: PasswordGenerationServiceAbstraction,
protected platformUtilsService: PlatformUtilsService,
protected ssoLoginService: SsoLoginServiceAbstraction,
) {}
async getOrgPolicies(): Promise<PasswordPolicies | null> {
return null;
) {
this.clientType = this.platformUtilsService.getClientType();
}
isLoginWithPasskeySupported(): boolean {
return this.clientType === ClientType.Web;
}
async launchSsoBrowserWindow(
email: string,
clientId: "browser" | "desktop",
): Promise<void | null> {
// Save email for SSO
/**
* Redirects the user to the SSO login page, either via route or in a new browser window.
* @param email The email address of the user attempting to log in
*/
async redirectToSsoLogin(email: string): Promise<void | null> {
// Set the state that we'll need to verify the SSO login when we get the code back
const [state, codeChallenge] = await this.setSsoPreLoginState();
// Set the email address in state. This is used in 2 places:
// 1. On the web client, on the SSO component we need the email address to look up
// the org SSO identifier. The email address is passed via query param for the other clients.
// 2. On all clients, after authentication on the originating client the SSO component
// will need to look up 2FA Remember token by email.
await this.ssoLoginService.setSsoEmail(email);
// Finally, we redirect to the SSO login page. This will be handled by each client implementation of this service.
await this.redirectToSso(email, state, codeChallenge);
}
/**
* No-op implementation of redirectToSso
*/
protected async redirectToSso(
email: string,
state: string,
codeChallenge: string,
): Promise<void> {
return;
}
/**
* No-op implementation of showBackButton
*/
showBackButton(showBackButton: boolean): void {
return;
}
/**
* Sets the state required for verifying SSO login after completion
*/
private async setSsoPreLoginState(): Promise<[string, string]> {
// Generate SSO params
const passwordOptions: any = {
type: "password",
@@ -50,8 +80,8 @@ export class DefaultLoginComponentService implements LoginComponentService {
let state = await this.passwordGenerationService.generatePassword(passwordOptions);
if (clientId === "browser") {
// Need to persist the clientId in the state for the extension
// For the browser extension, we persist the clientId on state so that it will be included after SSO in the callback
if (this.clientType === ClientType.Browser) {
state += ":clientId=browser";
}
@@ -63,35 +93,6 @@ export class DefaultLoginComponentService implements LoginComponentService {
await this.ssoLoginService.setSsoState(state);
await this.ssoLoginService.setCodeVerifier(codeVerifier);
// Build URL
const env = await firstValueFrom(this.environmentService.environment$);
const webVaultUrl = env.getWebVaultUrl();
const redirectUri =
clientId === "browser"
? webVaultUrl + "/sso-connector.html" // Browser
: "bitwarden://sso-callback"; // Desktop
// Launch browser window with URL
this.platformUtilsService.launchUri(
webVaultUrl +
"/#/sso?clientId=" +
clientId +
"&redirectUri=" +
encodeURIComponent(redirectUri) +
"&state=" +
state +
"&codeChallenge=" +
codeChallenge +
"&email=" +
encodeURIComponent(email),
);
}
/**
* No-op implementation of showBackButton
*/
showBackButton(showBackButton: boolean): void {
return;
return [state, codeChallenge];
}
}

7
libs/auth/src/angular/login/login-component.service.ts
View File

@@ -23,7 +23,7 @@ export abstract class LoginComponentService {
* Gets the organization policies if there is an organization invite.
* - Used by: Web
*/
getOrgPolicies: () => Promise<PasswordPolicies | null>;
getOrgPoliciesFromOrgInvite?: () => Promise<PasswordPolicies | null>;
/**
* Indicates whether login with passkey is supported on the given client
@@ -31,10 +31,9 @@ export abstract class LoginComponentService {
isLoginWithPasskeySupported: () => boolean;
/**
* Launches the SSO flow in a new browser window.
* - Used by: Browser, Desktop
* Redirects the user to the SSO login page, either via route or in a new browser window.
*/
launchSsoBrowserWindow: (email: string, clientId: "browser" | "desktop") => Promise<void>;
redirectToSsoLogin: (email: string) => Promise<void | null>;
/**
* Shows the back button.

7
libs/auth/src/angular/login/login-secondary-content.component.ts
View File

@@ -3,7 +3,6 @@ import { Component, inject } from "@angular/core";
import { RouterModule } from "@angular/router";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { RegisterRouteService } from "@bitwarden/auth/common";
import { DefaultServerSettingsService } from "@bitwarden/common/platform/services/default-server-settings.service";
import { LinkModule } from "@bitwarden/components";
@@ -13,16 +12,12 @@ import { LinkModule } from "@bitwarden/components";
template: `
<div class="tw-text-center" *ngIf="!(isUserRegistrationDisabled$ | async)">
{{ "newToBitwarden" | i18n }}
<a bitLink [routerLink]="registerRoute$ | async">{{ "createAccount" | i18n }}</a>
<a bitLink routerLink="/signup">{{ "createAccount" | i18n }}</a>
</div>
`,
})
export class LoginSecondaryContentComponent {
registerRouteService = inject(RegisterRouteService);
serverSettingsService = inject(DefaultServerSettingsService);
// TODO: remove when email verification flag is removed
protected registerRoute$ = this.registerRouteService.registerRoute$();
protected isUserRegistrationDisabled$ = this.serverSettingsService.isUserRegistrationDisabled$;
}

4
libs/auth/src/angular/login/login.component.html
View File

@@ -11,7 +11,7 @@
-->
<form [bitSubmit]="submit" [formGroup]="formGroup">
<div [ngClass]="{ 'tw-invisible tw-h-0': loginUiState !== LoginUiState.EMAIL_ENTRY }">
<div [ngClass]="{ 'tw-hidden': loginUiState !== LoginUiState.EMAIL_ENTRY }">
<!-- Email Address input -->
<bit-form-field>
<bit-label>{{ "emailAddress" | i18n }}</bit-label>
@@ -61,7 +61,7 @@
</div>
</div>
<div [ngClass]="{ 'tw-invisible tw-h-0': loginUiState !== LoginUiState.MASTER_PASSWORD_ENTRY }">
<div [ngClass]="{ 'tw-hidden': loginUiState !== LoginUiState.MASTER_PASSWORD_ENTRY }">
<!-- Master Password input -->
<bit-form-field class="!tw-mb-1">
<bit-label>{{ "masterPass" | i18n }}</bit-label>

190
libs/auth/src/angular/login/login.component.ts
View File

@@ -2,7 +2,7 @@ import { CommonModule } from "@angular/common";
import { Component, ElementRef, NgZone, OnDestroy, OnInit, ViewChild } from "@angular/core";
import { FormBuilder, FormControl, ReactiveFormsModule, Validators } from "@angular/forms";
import { ActivatedRoute, Router, RouterModule } from "@angular/router";
import { firstValueFrom, Subject, take, takeUntil, tap } from "rxjs";
import { firstValueFrom, Subject, take, takeUntil } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import {
@@ -12,17 +12,16 @@ import {
PasswordLoginCredentials,
} from "@bitwarden/auth/common";
import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
import { PolicyData } from "@bitwarden/common/admin-console/models/data/policy.data";
import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/models/domain/master-password-policy-options";
import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { ClientType, HttpStatusCode } from "@bitwarden/common/enums";
import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -30,6 +29,7 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
import { UserId } from "@bitwarden/common/types/guid";
import {
AsyncActionsModule,
ButtonModule,
@@ -43,7 +43,7 @@ import {
import { AnonLayoutWrapperDataService } from "../anon-layout/anon-layout-wrapper-data.service";
import { VaultIcon, WaveIcon } from "../icons";
import { LoginComponentService } from "./login-component.service";
import { LoginComponentService, PasswordPolicies } from "./login-component.service";
const BroadcasterSubscriptionId = "LoginComponent";
@@ -72,7 +72,6 @@ export class LoginComponent implements OnInit, OnDestroy {
@ViewChild("masterPasswordInputRef") masterPasswordInputRef: ElementRef | undefined;
private destroy$ = new Subject<void>();
private enforcedMasterPasswordOptions: MasterPasswordPolicyOptions | undefined = undefined;
readonly Icons = { WaveIcon, VaultIcon };
clientType: ClientType;
@@ -97,11 +96,6 @@ export class LoginComponent implements OnInit, OnDestroy {
return this.formGroup.controls.email;
}
// Web properties
enforcedPasswordPolicyOptions: MasterPasswordPolicyOptions | undefined;
policies: Policy[] | undefined;
showResetPasswordAutoEnrollWarning = false;
// Desktop properties
deferFocus: boolean | null = null;
@@ -125,7 +119,6 @@ export class LoginComponent implements OnInit, OnDestroy {
private toastService: ToastService,
private logService: LogService,
private validationService: ValidationService,
private configService: ConfigService,
private loginSuccessHandlerService: LoginSuccessHandlerService,
) {
this.clientType = this.platformUtilsService.getClientType();
@@ -135,9 +128,6 @@ export class LoginComponent implements OnInit, OnDestroy {
// Add popstate listener to listen for browser back button clicks
window.addEventListener("popstate", this.handlePopState);
// TODO: remove this when the UnauthenticatedExtensionUIRefresh feature flag is removed.
this.listenForUnauthUiRefreshFlagChanges();
await this.defaultOnInit();
if (this.clientType === ClientType.Desktop) {
@@ -158,29 +148,6 @@ export class LoginComponent implements OnInit, OnDestroy {
this.destroy$.complete();
}
private listenForUnauthUiRefreshFlagChanges() {
this.configService
.getFeatureFlag$(FeatureFlag.UnauthenticatedExtensionUIRefresh)
.pipe(
tap(async (flag) => {
// If the flag is turned OFF, we must force a reload to ensure the correct UI is shown
if (!flag) {
const uniqueQueryParams = {
...this.activatedRoute.queryParams,
// adding a unique timestamp to the query params to force a reload
t: new Date().getTime().toString(), // Adding a unique timestamp as a query parameter
};
await this.router.navigate(["/"], {
queryParams: uniqueQueryParams,
});
}
}),
takeUntil(this.destroy$),
)
.subscribe();
}
submit = async (): Promise<void> => {
if (this.clientType === ClientType.Desktop) {
if (this.loginUiState !== LoginUiState.MASTER_PASSWORD_ENTRY) {
@@ -275,18 +242,45 @@ export class LoginComponent implements OnInit, OnDestroy {
return;
}
await this.loginSuccessHandlerService.run(authResult.userId);
// Redirect to device verification if this is an unknown device
if (authResult.requiresDeviceVerification) {
await this.router.navigate(["device-verification"]);
return;
}
// User logged in successfully so execute side effects
await this.loginSuccessHandlerService.run(authResult.userId);
this.loginEmailService.clearValues();
// Determine where to send the user next
if (authResult.forcePasswordReset != ForceSetPasswordReason.None) {
this.loginEmailService.clearValues();
await this.router.navigate(["update-temp-password"]);
return;
}
// If none of the above cases are true, proceed with login...
await this.evaluatePassword();
// TODO: PM-18269 - evaluate if we can combine this with the
// password evaluation done in the password login strategy.
// If there's an existing org invite, use it to get the org's password policies
// so we can evaluate the MP against the org policies
if (this.loginComponentService.getOrgPoliciesFromOrgInvite) {
const orgPolicies: PasswordPolicies | null =
await this.loginComponentService.getOrgPoliciesFromOrgInvite();
this.loginEmailService.clearValues();
if (orgPolicies) {
// Since we have retrieved the policies, we can go ahead and set them into state for future use
// e.g., the update-password page currently only references state for policy data and
// doesn't fallback to pulling them from the server like it should if they are null.
await this.setPoliciesIntoState(authResult.userId, orgPolicies.policies);
const isPasswordChangeRequired = await this.isPasswordChangeRequiredByOrgPolicy(
orgPolicies.enforcedPasswordPolicyOptions,
);
if (isPasswordChangeRequired) {
await this.router.navigate(["update-password"]);
return;
}
}
}
if (this.clientType === ClientType.Browser) {
await this.router.navigate(["/tabs/vault"]);
@@ -295,63 +289,51 @@ export class LoginComponent implements OnInit, OnDestroy {
}
}
protected async launchSsoBrowserWindow(clientId: "browser" | "desktop"): Promise<void> {
const email = this.emailFormControl.value;
if (!email) {
this.logService.error("Email is required for SSO login");
return;
}
await this.loginComponentService.launchSsoBrowserWindow(email, clientId);
}
protected async evaluatePassword(): Promise<void> {
/**
* Checks if the master password meets the enforced policy requirements
* and if the user is required to change their password.
*/
private async isPasswordChangeRequiredByOrgPolicy(
enforcedPasswordPolicyOptions: MasterPasswordPolicyOptions,
): Promise<boolean> {
try {
// If we do not have any saved policies, attempt to load them from the service
if (this.enforcedMasterPasswordOptions == undefined) {
this.enforcedMasterPasswordOptions = await firstValueFrom(
this.policyService.masterPasswordPolicyOptions$(),
);
if (enforcedPasswordPolicyOptions == undefined) {
return false;
}
if (this.requirePasswordChange()) {
await this.router.navigate(["update-password"]);
return;
// Note: we deliberately do not check enforcedPasswordPolicyOptions.enforceOnLogin
// as existing users who are logging in after getting an org invite should
// always be forced to set a password that meets the org's policy.
// Org Invite -> Registration also works this way for new BW users as well.
const masterPassword = this.formGroup.controls.masterPassword.value;
// Return false if masterPassword is null/undefined since this is only evaluated after successful login
if (!masterPassword) {
return false;
}
const passwordStrength = this.passwordStrengthService.getPasswordStrength(
masterPassword,
this.formGroup.value.email ?? undefined,
)?.score;
return !this.policyService.evaluateMasterPassword(
passwordStrength,
masterPassword,
enforcedPasswordPolicyOptions,
);
} catch (e) {
// Do not prevent unlock if there is an error evaluating policies
this.logService.error(e);
return false;
}
}
/**
* Checks if the master password meets the enforced policy requirements
* If not, returns false
*/
private requirePasswordChange(): boolean {
if (
this.enforcedMasterPasswordOptions == undefined ||
!this.enforcedMasterPasswordOptions.enforceOnLogin
) {
return false;
}
const masterPassword = this.formGroup.controls.masterPassword.value;
// Return false if masterPassword is null/undefined since this is only evaluated after successful login
if (!masterPassword) {
return false;
}
const passwordStrength = this.passwordStrengthService.getPasswordStrength(
masterPassword,
this.formGroup.value.email ?? undefined,
)?.score;
return !this.policyService.evaluateMasterPassword(
passwordStrength,
masterPassword,
this.enforcedMasterPasswordOptions,
);
private async setPoliciesIntoState(userId: UserId, policies: Policy[]): Promise<void> {
const policiesData: { [id: string]: PolicyData } = {};
policies.map((p) => (policiesData[p.id] = PolicyData.fromPolicy(p)));
await this.policyService.replace(policiesData, userId);
}
protected async startAuthRequestLogin(): Promise<void> {
@@ -484,6 +466,8 @@ export class LoginComponent implements OnInit, OnDestroy {
try {
const deviceIdentifier = await this.appIdService.getAppId();
this.isKnownDevice = await this.devicesApiService.getKnownDevice(email, deviceIdentifier);
// FIXME: Remove when updating file. Eslint update
// eslint-disable-next-line @typescript-eslint/no-unused-vars
} catch (e) {
this.isKnownDevice = false;
}
@@ -520,12 +504,6 @@ export class LoginComponent implements OnInit, OnDestroy {
}
private async defaultOnInit(): Promise<void> {
// If there's an existing org invite, use it to get the password policies
const orgPolicies = await this.loginComponentService.getOrgPolicies();
this.policies = orgPolicies?.policies;
this.showResetPasswordAutoEnrollWarning = orgPolicies?.isPolicyAndAutoEnrollEnabled ?? false;
let paramEmailIsSet = false;
const params = await firstValueFrom(this.activatedRoute.queryParams);
@@ -620,26 +598,26 @@ export class LoginComponent implements OnInit, OnDestroy {
/**
* Handle the SSO button click.
* @param event - The event object.
*/
async handleSsoClick() {
const isEmailValid = await this.validateEmail();
const email = this.formGroup.value.email;
// Make sure the email is valid
const isEmailValid = await this.validateEmail();
if (!isEmailValid) {
return;
}
await this.saveEmailSettings();
if (this.clientType === ClientType.Web) {
await this.router.navigate(["/sso"], {
queryParams: { email: this.formGroup.value.email },
});
// Make sure the email is not empty, for type safety
if (!email) {
this.logService.error("Email is required for SSO");
return;
}
await this.launchSsoBrowserWindow(
this.clientType === ClientType.Browser ? "browser" : "desktop",
);
// Save the email configuration for the login component
await this.saveEmailSettings();
// Send the user to SSO, either through routing or through redirecting to the web app
await this.loginComponentService.redirectToSsoLogin(email);
}
}

37
libs/auth/src/angular/new-device-verification/new-device-verification.component.html Normal file
View File

@@ -0,0 +1,37 @@
<form [formGroup]="formGroup" [bitSubmit]="submit">
<bit-form-field class="!tw-mb-1">
<bit-label>{{ "verificationCode" | i18n }}</bit-label>
<input
bitInput
type="text"
id="verificationCode"
name="verificationCode"
formControlName="code"
appInputVerbatim
/>
</bit-form-field>
<button
bitLink
type="button"
linkType="primary"
(click)="resendOTP()"
[disabled]="disableRequestOTP"
class="tw-text-sm"
>
{{ "resendCode" | i18n }}
</button>
<div class="tw-flex tw-mt-4">
<button
bitButton
bitFormButton
buttonType="primary"
type="submit"
[block]="true"
[disabled]="formGroup.invalid"
>
{{ "continueLoggingIn" | i18n }}
</button>
</div>
</form>

167
libs/auth/src/angular/new-device-verification/new-device-verification.component.ts Normal file
View File

@@ -0,0 +1,167 @@
import { CommonModule } from "@angular/common";
import { Component, OnDestroy, OnInit } from "@angular/core";
import { FormBuilder, ReactiveFormsModule, Validators } from "@angular/forms";
import { Router } from "@angular/router";
import { Subject, takeUntil } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
import {
AsyncActionsModule,
ButtonModule,
FormFieldModule,
IconButtonModule,
LinkModule,
} from "@bitwarden/components";
import { LoginEmailServiceAbstraction } from "../../common/abstractions/login-email.service";
import { LoginStrategyServiceAbstraction } from "../../common/abstractions/login-strategy.service";
/**
* Component for verifying a new device via a one-time password (OTP).
*/
@Component({
standalone: true,
selector: "app-new-device-verification",
templateUrl: "./new-device-verification.component.html",
imports: [
CommonModule,
ReactiveFormsModule,
AsyncActionsModule,
JslibModule,
ButtonModule,
FormFieldModule,
IconButtonModule,
LinkModule,
],
})
export class NewDeviceVerificationComponent implements OnInit, OnDestroy {
formGroup = this.formBuilder.group({
code: [
"",
{
validators: [Validators.required],
updateOn: "change",
},
],
});
protected disableRequestOTP = false;
private destroy$ = new Subject<void>();
protected authenticationSessionTimeoutRoute = "/authentication-timeout";
constructor(
private router: Router,
private formBuilder: FormBuilder,
private apiService: ApiService,
private loginStrategyService: LoginStrategyServiceAbstraction,
private logService: LogService,
private i18nService: I18nService,
private syncService: SyncService,
private loginEmailService: LoginEmailServiceAbstraction,
) {}
async ngOnInit() {
// Redirect to timeout route if session expires
this.loginStrategyService.authenticationSessionTimeout$
.pipe(takeUntil(this.destroy$))
.subscribe((expired) => {
if (!expired) {
return;
}
try {
void this.router.navigate([this.authenticationSessionTimeoutRoute]);
} catch (err) {
this.logService.error(
`Failed to navigate to ${this.authenticationSessionTimeoutRoute} route`,
err,
);
}
});
}
ngOnDestroy() {
this.destroy$.next();
this.destroy$.complete();
}
/**
* Resends the OTP for device verification.
*/
async resendOTP() {
this.disableRequestOTP = true;
try {
const email = await this.loginStrategyService.getEmail();
const masterPasswordHash = await this.loginStrategyService.getMasterPasswordHash();
if (!email || !masterPasswordHash) {
throw new Error("Missing email or master password hash");
}
await this.apiService.send(
"POST",
"/accounts/resend-new-device-otp",
{
email: email,
masterPasswordHash: masterPasswordHash,
},
false,
false,
);
} catch (e) {
this.logService.error(e);
} finally {
this.disableRequestOTP = false;
}
}
/**
* Submits the OTP for device verification.
*/
submit = async (): Promise<void> => {
const codeControl = this.formGroup.get("code");
if (!codeControl || !codeControl.value) {
return;
}
try {
const authResult = await this.loginStrategyService.logInNewDeviceVerification(
codeControl.value,
);
if (authResult.requiresTwoFactor) {
await this.router.navigate(["/2fa"]);
return;
}
if (authResult.forcePasswordReset) {
await this.router.navigate(["/update-temp-password"]);
return;
}
this.loginEmailService.clearValues();
await this.syncService.fullSync(true);
// If verification succeeds, navigate to vault
await this.router.navigate(["/vault"]);
} catch (e) {
this.logService.error(e);
let errorMessage =
((e as any)?.response?.error_description as string) ?? this.i18nService.t("errorOccurred");
if (errorMessage.includes("Invalid New Device OTP")) {
errorMessage = this.i18nService.t("invalidVerificationCode");
}
codeControl.setErrors({ serverError: { message: errorMessage } });
// For enter key press scenarios, we have to manually mark the control as touched
// to get the error message to display
codeControl.markAsTouched();
}
};
}

9
libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts
View File

@@ -16,7 +16,11 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
import { ToastService } from "@bitwarden/components";
import { LoginStrategyServiceAbstraction, PasswordLoginCredentials } from "../../../common";
import {
LoginStrategyServiceAbstraction,
LoginSuccessHandlerService,
PasswordLoginCredentials,
} from "../../../common";
import { AnonLayoutWrapperDataService } from "../../anon-layout/anon-layout-wrapper-data.service";
import { InputPasswordComponent } from "../../input-password/input-password.component";
import { PasswordInputResult } from "../../input-password/password-input-result";
@@ -68,6 +72,7 @@ export class RegistrationFinishComponent implements OnInit, OnDestroy {
private loginStrategyService: LoginStrategyServiceAbstraction,
private logService: LogService,
private anonLayoutWrapperDataService: AnonLayoutWrapperDataService,
private loginSuccessHandlerService: LoginSuccessHandlerService,
) {}
async ngOnInit() {
@@ -189,6 +194,8 @@ export class RegistrationFinishComponent implements OnInit, OnDestroy {
message: this.i18nService.t("youHaveBeenLoggedIn"),
});
await this.loginSuccessHandlerService.run(authenticationResult.userId);
await this.router.navigate(["/vault"]);
} catch (e) {
// If login errors, redirect to login page per product. Don't show error

3
libs/auth/src/angular/registration/registration-start/registration-start.stories.ts
View File

@@ -28,7 +28,8 @@ import {
} from "@bitwarden/components";
// FIXME: remove `/apps` import from `/libs`
// eslint-disable-next-line import/no-restricted-paths
// FIXME: remove `src` and fix import
// eslint-disable-next-line import/no-restricted-paths, no-restricted-imports
import { PreloadedEnglishI18nModule } from "../../../../../../apps/web/src/app/core/tests";
import { LoginEmailService } from "../../../common";
import { AnonLayoutWrapperDataService } from "../../anon-layout/anon-layout-wrapper-data.service";

16
libs/auth/src/angular/set-password-jit/default-set-password-jit.service.spec.ts
View File

@@ -9,10 +9,11 @@ import {
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
import { OrganizationKeysResponse } from "@bitwarden/common/admin-console/models/response/organization-keys.response";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction";
import { SetPasswordRequest } from "@bitwarden/common/auth/models/request/set-password.request";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
@@ -31,6 +32,7 @@ describe("DefaultSetPasswordJitService", () => {
let sut: DefaultSetPasswordJitService;
let apiService: MockProxy<ApiService>;
let masterPasswordApiService: MockProxy<MasterPasswordApiService>;
let keyService: MockProxy<KeyService>;
let encryptService: MockProxy<EncryptService>;
let i18nService: MockProxy<I18nService>;
@@ -42,6 +44,7 @@ describe("DefaultSetPasswordJitService", () => {
beforeEach(() => {
apiService = mock<ApiService>();
masterPasswordApiService = mock<MasterPasswordApiService>();
keyService = mock<KeyService>();
encryptService = mock<EncryptService>();
i18nService = mock<I18nService>();
@@ -53,6 +56,7 @@ describe("DefaultSetPasswordJitService", () => {
sut = new DefaultSetPasswordJitService(
apiService,
masterPasswordApiService,
keyService,
encryptService,
i18nService,
@@ -148,7 +152,7 @@ describe("DefaultSetPasswordJitService", () => {
keyService.makeKeyPair.mockResolvedValue(keyPair);
apiService.setPassword.mockResolvedValue(undefined);
masterPasswordApiService.setPassword.mockResolvedValue(undefined);
masterPasswordService.setForceSetPasswordReason.mockResolvedValue(undefined);
userDecryptionOptionsSubject.next(new UserDecryptionOptions({ hasMasterPassword: true }));
@@ -185,7 +189,7 @@ describe("DefaultSetPasswordJitService", () => {
await sut.setPassword(credentials);
// Assert
expect(apiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
});
it("should set password successfully (given no user key)", async () => {
@@ -196,7 +200,7 @@ describe("DefaultSetPasswordJitService", () => {
await sut.setPassword(credentials);
// Assert
expect(apiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
});
it("should handle reset password auto enroll", async () => {
@@ -210,7 +214,7 @@ describe("DefaultSetPasswordJitService", () => {
await sut.setPassword(credentials);
// Assert
expect(apiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
expect(masterPasswordApiService.setPassword).toHaveBeenCalledWith(setPasswordRequest);
expect(organizationApiService.getKeys).toHaveBeenCalledWith(orgId);
expect(encryptService.rsaEncrypt).toHaveBeenCalledWith(userKey.key, orgPublicKey);
expect(

8
libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts
View File

@@ -9,11 +9,12 @@ import {
import { InternalUserDecryptionOptionsServiceAbstraction } from "@bitwarden/auth/common";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { SetPasswordRequest } from "@bitwarden/common/auth/models/request/set-password.request";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
@@ -29,6 +30,7 @@ import {
export class DefaultSetPasswordJitService implements SetPasswordJitService {
constructor(
protected apiService: ApiService,
protected masterPasswordApiService: MasterPasswordApiService,
protected keyService: KeyService,
protected encryptService: EncryptService,
protected i18nService: I18nService,
@@ -77,7 +79,7 @@ export class DefaultSetPasswordJitService implements SetPasswordJitService {
kdfConfig.iterations,
);
await this.apiService.setPassword(request);
await this.masterPasswordApiService.setPassword(request);
// Clear force set password reason to allow navigation back to vault.
await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);

2
libs/auth/src/angular/set-password-jit/set-password-jit.component.ts
View File

@@ -15,6 +15,8 @@ import { ValidationService } from "@bitwarden/common/platform/abstractions/valid
import { UserId } from "@bitwarden/common/types/guid";
import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { ToastService } from "../../../../components/src/toast";
import { InputPasswordComponent } from "../input-password/input-password.component";
import { PasswordInputResult } from "../input-password/password-input-result";

6
libs/auth/src/angular/sso/sso-component.service.ts
View File

@@ -1,6 +1,10 @@
import { ClientType } from "@bitwarden/common/enums";
export type SsoClientType = ClientType.Web | ClientType.Browser | ClientType.Desktop;
export type SsoClientType =
| ClientType.Web
| ClientType.Browser
| ClientType.Desktop
| ClientType.Cli;
/**
* Abstract class for SSO component services.

171
libs/auth/src/angular/sso/sso.component.ts
View File

@@ -19,13 +19,13 @@ import { OrgDomainApiServiceAbstraction } from "@bitwarden/common/admin-console/
import { OrganizationDomainSsoDetailsResponse } from "@bitwarden/common/admin-console/abstractions/organization-domain/responses/organization-domain-sso-details.response";
import { VerifiedOrganizationDomainSsoDetailsResponse } from "@bitwarden/common/admin-console/abstractions/organization-domain/responses/verified-organization-domain-sso-details.response";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { SsoPreValidateResponse } from "@bitwarden/common/auth/models/response/sso-pre-validate.response";
import { ClientType, HttpStatusCode } from "@bitwarden/common/enums";
import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
import { ListResponse } from "@bitwarden/common/models/response/list.response";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
@@ -89,6 +89,7 @@ export class SsoComponent implements OnInit {
protected state: string | undefined;
protected codeChallenge: string | undefined;
protected clientId: SsoClientType | undefined;
protected email: string | null | undefined;
formPromise: Promise<AuthResult> | undefined;
initiateSsoFormPromise: Promise<SsoPreValidateResponse> | undefined;
@@ -129,38 +130,58 @@ export class SsoComponent implements OnInit {
}
}
/**
* Like several components in our app (e.g. our invite acceptance components), the SSO component is engaged both
* before and after the user authenticates.
* Flow 1: Initialize SSO state and redirect to IdP
* - We can get here several ways:
* - The user is on the web client and is routed here
* - The user is on a different client and is redirected by opening a new browser window, passing query params
* - A customer integration has been set up to direct users to the `/sso` route to initiate SSO with an identifier
* Flow 2: Handle callback from IdP and verify the state that was set pre-authentication
*/
async ngOnInit() {
const qParams: QueryParams = await firstValueFrom(this.route.queryParams);
// This if statement will pass on the second portion of the SSO flow
// SSO on web uses a service to provide the email via state that's set on login,
// but because we have clients that delegate SSO to web we have to accept the email in the query params as well.
// We also can't require the email, because it isn't provided in the CLI SSO flow.
this.email = qParams.email ?? (await this.ssoLoginService.getSsoEmail());
// Detect if we are on the second portion of the SSO flow,
// where the user has already authenticated with the identity provider
if (this.hasCodeOrStateParams(qParams)) {
await this.handleCodeAndStateParams(qParams);
return;
}
// This if statement will pass on the first portion of the SSO flow
if (this.hasRequiredSsoParams(qParams)) {
this.setRequiredSsoVariables(qParams);
if (this.userCompletedSsoAuthentication(qParams)) {
await this.handleTokenRequestForAuthenticatedUser(qParams);
return;
}
// Detect if we have landed here but only have an SSO identifier in the URL.
// This is used by integrations that want to "short-circuit" the login to send users
// directly to their IdP to simulate IdP-initiated SSO, so we submit automatically.
if (qParams.identifier != null) {
// SSO Org Identifier in query params takes precedence over claimed domains
this.identifierFormControl.setValue(qParams.identifier);
this.loggingIn = true;
await this.submit();
return;
}
await this.initializeIdentifierFromEmailOrStorage(qParams);
// Detect if we are on the first portion of the SSO flow
// and have been sent here from another client with the info in query params.
// If so, we want to initialize the SSO flow with those values.
if (this.hasParametersFromOtherClientRedirect(qParams)) {
this.initializeFromRedirectFromOtherClient(qParams);
}
// Try to determine the identifier using claimed domain or local state
// persisted from the user's last login attempt.
await this.initializeIdentifierFromEmailOrStorage();
}
/**
* Sets the required SSO variables from the query params
* @param qParams - The query params
*/
private setRequiredSsoVariables(qParams: QueryParams): void {
private initializeFromRedirectFromOtherClient(qParams: QueryParams): void {
this.redirectUri = qParams.redirectUri ?? "";
this.state = qParams.state ?? "";
this.codeChallenge = qParams.codeChallenge ?? "";
@@ -178,15 +199,22 @@ export class SsoComponent implements OnInit {
* @returns True if the value is a valid SSO client type, otherwise false
*/
private isValidSsoClientType(value: string): value is SsoClientType {
return [ClientType.Web, ClientType.Browser, ClientType.Desktop].includes(value as ClientType);
return [ClientType.Web, ClientType.Browser, ClientType.Desktop, ClientType.Cli].includes(
value as ClientType,
);
}
/**
* Checks if the query params have the required SSO params
* Checks if the query params have the required SSO params to initiate SSO
* * The query params presented here are:
* - clientId: The client type (e.g. web, browser, desktop)
* - redirectUri: The URI to redirect to after authentication
* - state: The state to verify on the client after authentication
* - codeChallenge: The PKCE code challenge that is sent up when authenticating with the IdP
* @param qParams - The query params
* @returns True if the query params have the required SSO params, false otherwise
*/
private hasRequiredSsoParams(qParams: QueryParams): boolean {
private hasParametersFromOtherClientRedirect(qParams: QueryParams): boolean {
return (
qParams.clientId != null &&
qParams.redirectUri != null &&
@@ -196,12 +224,18 @@ export class SsoComponent implements OnInit {
}
/**
* Handles the code and state params
* Handles the case in which the user has completed SSO authentication, has a code
* and has been redirected back to the SSO component to exchange the code for a token.
* This will be on the client originating the SSO request, not always the web client, as that
* is where the state and verifier are stored.
* @param qParams - The query params
*/
private async handleCodeAndStateParams(qParams: QueryParams): Promise<void> {
private async handleTokenRequestForAuthenticatedUser(qParams: QueryParams): Promise<void> {
// We set these in state prior to starting SSO, so we can retrieve them here
const codeVerifier = await this.ssoLoginService.getCodeVerifier();
const state = await this.ssoLoginService.getSsoState();
const stateFromPrelogin = await this.ssoLoginService.getSsoState();
// Reset the code verifier and state so we don't accidentally use them again
await this.ssoLoginService.setCodeVerifier("");
await this.ssoLoginService.setSsoState("");
@@ -209,11 +243,13 @@ export class SsoComponent implements OnInit {
this.redirectUri = qParams.redirectUri;
}
// Verify that the state matches the state we set prior to starting SSO.
// If it does, we can proceed with exchanging the code for a token.
if (
qParams.code != null &&
codeVerifier != null &&
state != null &&
this.checkState(state, qParams.state ?? "")
stateFromPrelogin != null &&
this.verifyStateMatches(stateFromPrelogin, qParams.state ?? "")
) {
const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state ?? "");
await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
@@ -221,11 +257,12 @@ export class SsoComponent implements OnInit {
}
/**
* Checks if the query params have a code or state
* Checks if the query params have a code and state, indicating that we've completed SSO authentication
* and have been redirected back to the SSO component on the originating client to complete login.
* @param qParams - The query params
* @returns True if the query params have a code or state, false otherwise
* @returns True if the query params have a code and state, false otherwise
*/
private hasCodeOrStateParams(qParams: QueryParams): boolean {
private userCompletedSsoAuthentication(qParams: QueryParams): boolean {
return qParams.code != null && qParams.state != null;
}
@@ -265,6 +302,11 @@ export class SsoComponent implements OnInit {
}
};
/**
* Redirects the user to `/connect/authorize` on IdentityServer to begin SSO.
* @param returnUri - The URI to redirect to after authentication (used to link user to SSO)
* @param includeUserIdentifier - Whether to include the user identifier in the request (used to link user to SSO)
*/
private async submitSso(returnUri?: string, includeUserIdentifier?: boolean) {
if (this.identifier == null || this.identifier === "") {
this.toastService.showToast({
@@ -307,6 +349,9 @@ export class SsoComponent implements OnInit {
special: false,
};
// Initialize the challenge and state if they aren't passed in. If we're performing SSO initiated on a
// different client, they'll be passed in, as they will need to be verified on that client and not the web.
// If they're not passed in, then we need to set them here on the web client to be verified here after SSO.
if (codeChallenge == null) {
const codeVerifier = await this.passwordGenerationService.generatePassword(passwordOptions);
const codeVerifierHash = await this.cryptoFunctionService.hash(codeVerifier, "sha256");
@@ -316,15 +361,20 @@ export class SsoComponent implements OnInit {
if (state == null) {
state = await this.passwordGenerationService.generatePassword(passwordOptions);
if (returnUri) {
state += `_returnUri='${returnUri}'`;
}
}
// If we have a returnUri, add it to the state parameter. This will be used after SSO
// is complete, on the sso-connector, in order to route the user somewhere other than the SSO component.
if (returnUri) {
state += `_returnUri='${returnUri}'`;
}
// Add Organization Identifier to state
state += `_identifier=${this.identifier}`;
// Save state (regardless of new or existing)
// Save the pre-SSO state.
// We need to do this here as even if it was generated on the intiating client (e.g. browser, desktop),
// we need it on the web client to verify after the user authenticates with the identity provider and is redirected back.
await this.ssoLoginService.setSsoState(state);
const env = await firstValueFrom(this.environmentService.environment$);
@@ -349,6 +399,8 @@ export class SsoComponent implements OnInit {
"&ssoToken=" +
encodeURIComponent(token ?? "");
// If we're linking a user to SSO, we need to provide a user identifier that will be passed
// on to the SSO provider so that after SSO we can link the user to the SSO identity.
if (includeUserIdentifier) {
const userIdentifier = await this.apiService.getSsoUserIdentifier();
authorizeUrl += `&user_identifier=${encodeURIComponent(userIdentifier)}`;
@@ -357,21 +409,26 @@ export class SsoComponent implements OnInit {
return authorizeUrl;
}
/**
* We are using the Auth Code + PKCE flow.
* We have received the code from IdentityServer, which we will now present with the code verifier to get a token.
*/
private async logIn(code: string, codeVerifier: string, orgSsoIdentifier: string): Promise<void> {
this.loggingIn = true;
try {
const email = await this.ssoLoginService.getSsoEmail();
// The code verifier is used to ensure that the client presenting the code is the same one that initiated the authentication request.
// The redirect URI is also supplied on the request to the token endpoint, so the server can ensure it matches the original request
// for the code and prevent authorization code injection attacks.
const redirectUri = this.redirectUri ?? "";
const credentials = new SsoLoginCredentials(
code,
codeVerifier,
redirectUri,
orgSsoIdentifier,
email,
this.email ?? undefined,
);
this.formPromise = this.loginStrategyService.logIn(credentials);
const authResult = await this.formPromise;
if (authResult.requiresTwoFactor) {
return await this.handleTwoFactorRequired(orgSsoIdentifier);
}
@@ -384,14 +441,11 @@ export class SsoComponent implements OnInit {
// - TDE login decryption options component
// - Browser SSO on extension open
// Note: you cannot set this in state before 2FA b/c there won't be an account in state.
await this.ssoLoginService.setActiveUserOrganizationSsoIdentifier(orgSsoIdentifier);
// Users enrolled in admin acct recovery can be forced to set a new password after
// having the admin set a temp password for them (affects TDE & standard users)
if (authResult.forcePasswordReset == ForceSetPasswordReason.AdminForcePasswordReset) {
// Weak password is not a valid scenario here b/c we cannot have evaluated a MP yet
return await this.handleForcePasswordReset(orgSsoIdentifier);
}
await this.ssoLoginService.setActiveUserOrganizationSsoIdentifier(
orgSsoIdentifier,
authResult.userId,
);
// must come after 2fa check since user decryption options aren't available if 2fa is required
const userDecryptionOpts = await firstValueFrom(
@@ -480,16 +534,7 @@ export class SsoComponent implements OnInit {
}
private async handleChangePasswordRequired(orgIdentifier: string) {
const emailVerification = await this.configService.getFeatureFlag(
FeatureFlag.EmailVerification,
);
let route = "set-password";
if (emailVerification) {
route = "set-password-jit";
}
await this.router.navigate([route], {
await this.router.navigate(["set-password-jit"], {
queryParams: {
identifier: orgIdentifier,
},
@@ -530,16 +575,22 @@ export class SsoComponent implements OnInit {
return stateSplit.length > 1 ? stateSplit[1] : "";
}
private checkState(state: string, checkState: string): boolean {
if (state === null || state === undefined) {
/**
* Checks if the state matches the checkState
* @param originalStateValue - The state to check
* @param stateValueToCheck - The state to check against
* @returns True if the state matches the checkState, false otherwise
*/
private verifyStateMatches(originalStateValue: string, stateValueToCheck: string): boolean {
if (originalStateValue === null || originalStateValue === undefined) {
return false;
}
if (checkState === null || checkState === undefined) {
if (stateValueToCheck === null || stateValueToCheck === undefined) {
return false;
}
const stateSplit = state.split("_identifier=");
const checkStateSplit = checkState.split("_identifier=");
const stateSplit = originalStateValue.split("_identifier=");
const checkStateSplit = stateValueToCheck.split("_identifier=");
return stateSplit[0] === checkStateSplit[0];
}
@@ -547,17 +598,16 @@ export class SsoComponent implements OnInit {
* Attempts to initialize the SSO identifier from email or storage.
* Note: this flow is written for web but both browser and desktop
* redirect here on SSO button click.
* @param qParams - The query params
*/
private async initializeIdentifierFromEmailOrStorage(qParams: QueryParams): Promise<void> {
// Check if email matches any claimed domains
if (qParams.email) {
private async initializeIdentifierFromEmailOrStorage(): Promise<void> {
if (this.email) {
// show loading spinner
this.loggingIn = true;
try {
// Check if email matches any claimed domains
if (await this.configService.getFeatureFlag(FeatureFlag.VerifiedSsoDomainEndpoint)) {
const response: ListResponse<VerifiedOrganizationDomainSsoDetailsResponse> =
await this.orgDomainApiService.getVerifiedOrgDomainsByEmail(qParams.email);
await this.orgDomainApiService.getVerifiedOrgDomainsByEmail(this.email);
if (response.data.length > 0) {
this.identifierFormControl.setValue(response.data[0].organizationIdentifier);
@@ -566,7 +616,7 @@ export class SsoComponent implements OnInit {
}
} else {
const response: OrganizationDomainSsoDetailsResponse =
await this.orgDomainApiService.getClaimedOrgDomainByEmail(qParams.email);
await this.orgDomainApiService.getClaimedOrgDomainByEmail(this.email);
if (response?.ssoAvailable && response?.verifiedDate) {
this.identifierFormControl.setValue(response.organizationIdentifier);
@@ -581,7 +631,8 @@ export class SsoComponent implements OnInit {
this.loggingIn = false;
}
// Fallback to state svc if domain is unclaimed
// If we don't find a claimed domain, check to see if we stored an identifier in state
// from their last attrempt to login via SSO. If so, we'll populate the field, but not submit.
const storedIdentifier = await this.ssoLoginService.getOrganizationSsoIdentifier();
if (storedIdentifier != null) {
this.identifierFormControl.setValue(storedIdentifier);

3
libs/auth/src/angular/two-factor-auth/child-components/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export * from "./two-factor-auth-email";
export * from "./two-factor-auth-duo";
export * from "./two-factor-auth-webauthn";

6
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator.component.html Normal file
View File

@@ -0,0 +1,6 @@
<ng-container>
<bit-form-field>
<bit-label>{{ "verificationCode" | i18n }}</bit-label>
<input bitInput type="text" appAutofocus appInputVerbatim [formControl]="tokenFormControl" />
</bit-form-field>
</ng-container>

35
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-authenticator.component.ts Normal file
View File

@@ -0,0 +1,35 @@
import { DialogModule } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, Input } from "@angular/core";
import { ReactiveFormsModule, FormsModule, FormControl } from "@angular/forms";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import {
ButtonModule,
LinkModule,
TypographyModule,
FormFieldModule,
AsyncActionsModule,
} from "@bitwarden/components";
@Component({
standalone: true,
selector: "app-two-factor-auth-authenticator",
templateUrl: "two-factor-auth-authenticator.component.html",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
LinkModule,
TypographyModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
FormsModule,
],
providers: [],
})
export class TwoFactorAuthAuthenticatorComponent {
@Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
}

1
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/index.ts Normal file
View File

@@ -0,0 +1 @@
export * from "./two-factor-auth-duo-component.service";

32
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo-component.service.ts Normal file
View File

@@ -0,0 +1,32 @@
import { Observable } from "rxjs";
export interface Duo2faResult {
code: string;
state: string;
/**
* The code and the state joined by a | character.
*/
token: string;
}
/**
* A service which manages all the cross client logic for the duo 2FA component.
*/
export abstract class TwoFactorAuthDuoComponentService {
/**
* Retrieves the result of the duo two-factor authentication process.
* @returns {Observable<Duo2faResult>} An observable that emits the result of the duo two-factor authentication process.
*/
abstract listenForDuo2faResult$(): Observable<Duo2faResult>;
/**
* Launches the client specific duo frameless 2FA flow.
*/
abstract launchDuoFrameless(duoFramelessUrl: string): Promise<void>;
/**
* Optionally launches the extension duo 2FA single action popout
* Only applies to the extension today.
*/
abstract openTwoFactorAuthDuoPopout?(): Promise<void>;
}

96
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-duo/two-factor-auth-duo.component.ts Normal file
View File

@@ -0,0 +1,96 @@
import { DialogModule } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, DestroyRef, EventEmitter, Input, OnInit, Output } from "@angular/core";
import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
import { ReactiveFormsModule, FormsModule } from "@angular/forms";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import {
ButtonModule,
LinkModule,
TypographyModule,
FormFieldModule,
AsyncActionsModule,
ToastService,
} from "@bitwarden/components";
import { DuoLaunchAction } from "../../two-factor-auth-component.service";
import {
Duo2faResult,
TwoFactorAuthDuoComponentService,
} from "./two-factor-auth-duo-component.service";
@Component({
standalone: true,
selector: "app-two-factor-auth-duo",
template: "",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
LinkModule,
TypographyModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
FormsModule,
],
providers: [],
})
export class TwoFactorAuthDuoComponent implements OnInit {
@Output() tokenEmitter = new EventEmitter<string>();
@Input() providerData: any;
duoFramelessUrl: string | undefined = undefined;
constructor(
protected i18nService: I18nService,
protected platformUtilsService: PlatformUtilsService,
protected toastService: ToastService,
private twoFactorAuthDuoComponentService: TwoFactorAuthDuoComponentService,
private destroyRef: DestroyRef,
) {}
async ngOnInit(): Promise<void> {
this.twoFactorAuthDuoComponentService
.listenForDuo2faResult$()
.pipe(takeUntilDestroyed(this.destroyRef))
.subscribe((duo2faResult: Duo2faResult) => {
this.tokenEmitter.emit(duo2faResult.token);
});
// flow must be launched by user so they can choose to remember the device or not.
this.duoFramelessUrl = this.providerData.AuthUrl;
}
// Called via parent two-factor-auth component.
async launchDuoFrameless(duoLaunchAction: DuoLaunchAction): Promise<void> {
switch (duoLaunchAction) {
case DuoLaunchAction.DIRECT_LAUNCH:
await this.launchDuoFramelessDirectly();
break;
case DuoLaunchAction.SINGLE_ACTION_POPOUT:
await this.twoFactorAuthDuoComponentService.openTwoFactorAuthDuoPopout?.();
break;
default:
break;
}
}
private async launchDuoFramelessDirectly(): Promise<void> {
if (this.duoFramelessUrl === null || this.duoFramelessUrl === undefined) {
this.toastService.showToast({
variant: "error",
title: "",
message: this.i18nService.t("duoHealthCheckResultsInNullAuthUrlError"),
});
return;
}
await this.twoFactorAuthDuoComponentService.launchDuoFrameless(this.duoFramelessUrl);
}
}

6
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/default-two-factor-auth-email-component.service.ts Normal file
View File

@@ -0,0 +1,6 @@
import { TwoFactorAuthEmailComponentService } from "./two-factor-auth-email-component.service";
export class DefaultTwoFactorAuthEmailComponentService
implements TwoFactorAuthEmailComponentService {
// no default implementation
}

2
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export * from "./default-two-factor-auth-email-component.service";
export * from "./two-factor-auth-email-component.service";

10
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email-component.service.ts Normal file
View File

@@ -0,0 +1,10 @@
/**
* A service that manages all cross client functionality for the email 2FA component.
*/
export abstract class TwoFactorAuthEmailComponentService {
/**
* Optionally shows a warning to the user that they might need to popout the
* window to complete email 2FA.
*/
abstract openPopoutIfApprovedForEmail2fa?(): Promise<void>;
}

17
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.html Normal file
View File

@@ -0,0 +1,17 @@
<bit-form-field class="!tw-mb-0">
<bit-label>{{ "verificationCode" | i18n }}</bit-label>
<input bitInput type="text" appAutofocus appInputVerbatim [formControl]="tokenFormControl" />
</bit-form-field>
<div class="tw-mb-4">
<a
bitTypography="helper"
class="tw-text-main"
bitLink
href="#"
appStopClick
(click)="sendEmail(true)"
>
{{ "resendCode" | i18n }}
</a>
</div>

129
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-email/two-factor-auth-email.component.ts Normal file
View File

@@ -0,0 +1,129 @@
import { DialogModule } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, Input, OnInit } from "@angular/core";
import { ReactiveFormsModule, FormsModule, FormControl } from "@angular/forms";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { LoginStrategyServiceAbstraction } from "@bitwarden/auth/common";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import {
ButtonModule,
LinkModule,
TypographyModule,
FormFieldModule,
AsyncActionsModule,
ToastService,
} from "@bitwarden/components";
import { TwoFactorAuthEmailComponentService } from "./two-factor-auth-email-component.service";
@Component({
standalone: true,
selector: "app-two-factor-auth-email",
templateUrl: "two-factor-auth-email.component.html",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
LinkModule,
TypographyModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
FormsModule,
],
providers: [],
})
export class TwoFactorAuthEmailComponent implements OnInit {
@Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
twoFactorEmail: string | undefined = undefined;
emailPromise: Promise<any> | undefined = undefined;
tokenValue: string = "";
constructor(
protected i18nService: I18nService,
protected twoFactorService: TwoFactorService,
protected loginStrategyService: LoginStrategyServiceAbstraction,
protected platformUtilsService: PlatformUtilsService,
protected logService: LogService,
protected apiService: ApiService,
protected appIdService: AppIdService,
private toastService: ToastService,
private twoFactorAuthEmailComponentService: TwoFactorAuthEmailComponentService,
) {}
async ngOnInit(): Promise<void> {
await this.twoFactorAuthEmailComponentService.openPopoutIfApprovedForEmail2fa?.();
const providers = await this.twoFactorService.getProviders();
if (!providers) {
throw new Error("User has no 2FA Providers");
}
const email2faProviderData = providers.get(TwoFactorProviderType.Email);
if (!email2faProviderData) {
throw new Error("Unable to retrieve email 2FA provider data");
}
this.twoFactorEmail = email2faProviderData.Email;
if (providers.size > 1) {
await this.sendEmail(false);
}
}
async sendEmail(doToast: boolean) {
if (this.emailPromise !== undefined) {
return;
}
// TODO: PM-17545 - consider building a method on the login strategy service to get a mostly
// initialized TwoFactorEmailRequest in 1 call instead of 5 like we do today.
const email = await this.loginStrategyService.getEmail();
if (email == null) {
this.toastService.showToast({
variant: "error",
title: this.i18nService.t("errorOccurred"),
message: this.i18nService.t("sessionTimeout"),
});
return;
}
try {
const request = new TwoFactorEmailRequest();
request.email = email;
request.masterPasswordHash = (await this.loginStrategyService.getMasterPasswordHash()) ?? "";
request.ssoEmail2FaSessionToken =
(await this.loginStrategyService.getSsoEmail2FaSessionToken()) ?? "";
request.deviceIdentifier = await this.appIdService.getAppId();
request.authRequestAccessCode = (await this.loginStrategyService.getAccessCode()) ?? "";
request.authRequestId = (await this.loginStrategyService.getAuthRequestId()) ?? "";
this.emailPromise = this.apiService.postTwoFactorEmail(request);
await this.emailPromise;
if (doToast) {
this.toastService.showToast({
variant: "success",
title: "",
message: this.i18nService.t("verificationCodeEmailSent", this.twoFactorEmail),
});
}
} catch (e) {
this.logService.error(e);
}
this.emailPromise = undefined;
}
}

12
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/default-two-factor-auth-webauthn-component.service.ts Normal file
View File

@@ -0,0 +1,12 @@
import { TwoFactorAuthWebAuthnComponentService } from "./two-factor-auth-webauthn-component.service";
export class DefaultTwoFactorAuthWebAuthnComponentService
implements TwoFactorAuthWebAuthnComponentService
{
/**
* Default implementation is to not open in a new tab.
*/
shouldOpenWebAuthnInNewTab(): boolean {
return false;
}
}

2
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export * from "./two-factor-auth-webauthn-component.service";
export * from "./default-two-factor-auth-webauthn-component.service";

10
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn-component.service.ts Normal file
View File

@@ -0,0 +1,10 @@
/**
* A service that manages all cross client functionality for the WebAuthn 2FA component.
*/
export abstract class TwoFactorAuthWebAuthnComponentService {
/**
* Determines if the WebAuthn 2FA should be opened in a new tab or can be completed in the current tab.
* In a browser extension context, we open WebAuthn in a new web client tab.
*/
abstract shouldOpenWebAuthnInNewTab(): boolean;
}

24
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.html Normal file
View File

@@ -0,0 +1,24 @@
<div id="web-authn-frame" class="tw-mb-3" *ngIf="!webAuthnNewTab">
<div *ngIf="!webAuthnReady" class="tw-flex tw-items-center tw-justify-center">
<i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
</div>
<iframe
id="webauthn_iframe"
sandbox="allow-scripts allow-same-origin"
[ngClass]="{ 'tw-hidden': !webAuthnReady }"
></iframe>
</div>
<ng-container *ngIf="webAuthnNewTab">
<button
class="tw-mb-3"
buttonType="primary"
[block]="true"
bitButton
type="button"
(click)="authWebAuthn()"
appStopClick
>
{{ "openInNewTab" | i18n }}
</button>
</ng-container>

161
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component.ts Normal file
View File

@@ -0,0 +1,161 @@
import { DialogModule } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, EventEmitter, Inject, OnDestroy, OnInit, Output } from "@angular/core";
import { ReactiveFormsModule, FormsModule } from "@angular/forms";
import { ActivatedRoute } from "@angular/router";
import { firstValueFrom } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
import { WebAuthnIFrame } from "@bitwarden/common/auth/webauthn-iframe";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import {
ButtonModule,
LinkModule,
TypographyModule,
FormFieldModule,
AsyncActionsModule,
ToastService,
} from "@bitwarden/components";
import { TwoFactorAuthWebAuthnComponentService } from "./two-factor-auth-webauthn-component.service";
export interface WebAuthnResult {
token: string;
remember?: boolean;
}
@Component({
standalone: true,
selector: "app-two-factor-auth-webauthn",
templateUrl: "two-factor-auth-webauthn.component.html",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
LinkModule,
TypographyModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
FormsModule,
],
providers: [],
})
export class TwoFactorAuthWebAuthnComponent implements OnInit, OnDestroy {
@Output() webAuthnResultEmitter = new EventEmitter<WebAuthnResult>();
@Output() webAuthnInNewTabEmitter = new EventEmitter<boolean>();
webAuthnReady = false;
webAuthnNewTab = false;
webAuthnSupported = false;
webAuthnIframe: WebAuthnIFrame | undefined = undefined;
constructor(
protected i18nService: I18nService,
protected platformUtilsService: PlatformUtilsService,
@Inject(WINDOW) protected win: Window,
protected environmentService: EnvironmentService,
protected twoFactorService: TwoFactorService,
protected route: ActivatedRoute,
private toastService: ToastService,
private twoFactorAuthWebAuthnComponentService: TwoFactorAuthWebAuthnComponentService,
private logService: LogService,
) {
this.webAuthnSupported = this.platformUtilsService.supportsWebAuthn(win);
this.webAuthnNewTab = this.twoFactorAuthWebAuthnComponentService.shouldOpenWebAuthnInNewTab();
}
async ngOnInit(): Promise<void> {
this.webAuthnInNewTabEmitter.emit(this.webAuthnNewTab);
if (this.webAuthnNewTab && this.route.snapshot.paramMap.has("webAuthnResponse")) {
this.submitWebAuthnNewTabResponse();
} else {
await this.buildWebAuthnIFrame();
}
}
private submitWebAuthnNewTabResponse() {
const webAuthnNewTabResponse = this.route.snapshot.paramMap.get("webAuthnResponse");
const remember = this.route.snapshot.paramMap.get("remember") === "true";
if (webAuthnNewTabResponse != null) {
this.webAuthnResultEmitter.emit({
token: webAuthnNewTabResponse,
remember,
});
}
}
private async buildWebAuthnIFrame() {
if (this.win != null && this.webAuthnSupported) {
const env = await firstValueFrom(this.environmentService.environment$);
const webVaultUrl = env.getWebVaultUrl();
this.webAuthnIframe = new WebAuthnIFrame(
this.win,
webVaultUrl,
this.webAuthnNewTab,
this.platformUtilsService,
this.i18nService,
(token: string) => {
this.webAuthnResultEmitter.emit({ token });
},
(error: string) => {
this.logService.error("WebAuthn error: ", error);
this.toastService.showToast({
variant: "error",
title: this.i18nService.t("errorOccurred"),
message: this.i18nService.t("webauthnCancelOrTimeout"),
});
},
(info: string) => {
if (info === "ready") {
this.webAuthnReady = true;
}
},
);
if (!this.webAuthnNewTab) {
setTimeout(async () => {
await this.authWebAuthn();
}, 500);
}
}
}
ngOnDestroy(): void {
this.cleanupWebAuthnIframe();
}
async authWebAuthn() {
const providers = await this.twoFactorService.getProviders();
if (providers == null) {
this.logService.error("No 2FA providers found. Unable to authenticate with WebAuthn.");
return;
}
const providerData = providers?.get(TwoFactorProviderType.WebAuthn);
if (!this.webAuthnSupported || this.webAuthnIframe == null) {
return;
}
this.webAuthnIframe.init(providerData);
}
private cleanupWebAuthnIframe() {
if (this.webAuthnIframe != null) {
this.webAuthnIframe.stop();
this.webAuthnIframe.cleanup();
}
}
}

4
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey.component.html Normal file
View File

@@ -0,0 +1,4 @@
<bit-form-field>
<bit-label class="">{{ "verificationCode" | i18n }}</bit-label>
<input type="password" bitInput appAutofocus appInputVerbatim [formControl]="tokenFormControl" />
</bit-form-field>

35
libs/auth/src/angular/two-factor-auth/child-components/two-factor-auth-yubikey.component.ts Normal file
View File

@@ -0,0 +1,35 @@
import { DialogModule } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, Input } from "@angular/core";
import { ReactiveFormsModule, FormsModule, FormControl } from "@angular/forms";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import {
ButtonModule,
LinkModule,
TypographyModule,
FormFieldModule,
AsyncActionsModule,
} from "@bitwarden/components";
@Component({
standalone: true,
selector: "app-two-factor-auth-yubikey",
templateUrl: "two-factor-auth-yubikey.component.html",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
LinkModule,
TypographyModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
FormsModule,
],
providers: [],
})
export class TwoFactorAuthYubikeyComponent {
@Input({ required: true }) tokenFormControl: FormControl | undefined = undefined;
}

19
libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts Normal file
View File

@@ -0,0 +1,19 @@
import {
DuoLaunchAction,
LegacyKeyMigrationAction,
TwoFactorAuthComponentService,
} from "./two-factor-auth-component.service";
export class DefaultTwoFactorAuthComponentService implements TwoFactorAuthComponentService {
shouldCheckForWebAuthnQueryParamResponse() {
return false;
}
determineLegacyKeyMigrationAction() {
return LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING;
}
determineDuoLaunchAction(): DuoLaunchAction {
return DuoLaunchAction.DIRECT_LAUNCH;
}
}

6
libs/auth/src/angular/two-factor-auth/index.ts Normal file
View File

@@ -0,0 +1,6 @@
export * from "./two-factor-auth-component.service";
export * from "./default-two-factor-auth-component.service";
export * from "./two-factor-auth.component";
export * from "./two-factor-auth.guard";
export * from "./child-components";

66
libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts Normal file
View File

@@ -0,0 +1,66 @@
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
export enum LegacyKeyMigrationAction {
PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING,
NAVIGATE_TO_MIGRATION_COMPONENT,
}
export enum DuoLaunchAction {
DIRECT_LAUNCH,
SINGLE_ACTION_POPOUT,
}
/**
* Manages all cross client functionality so we can have a single two factor auth component
* implementation for all clients.
*/
export abstract class TwoFactorAuthComponentService {
/**
* Determines if the client should check for a webauthn response on init.
* Currently, only the extension should check during component initialization.
*/
abstract shouldCheckForWebAuthnQueryParamResponse(): boolean;
/**
* Extends the popup width if required.
* Some client specific situations require the popup to be wider than the default width.
*/
abstract extendPopupWidthIfRequired?(
selected2faProviderType: TwoFactorProviderType,
): Promise<void>;
/**
* Removes the popup width extension.
*/
abstract removePopupWidthExtension?(): void;
/**
* We used to use the user's master key to encrypt their data. We deprecated that approach
* and now use a user key. This method should be called if we detect that the user
* is still using the old master key encryption scheme (server sends down a flag to
* indicate this). This method then determines what action to take based on the client.
*
* We have two possible actions:
* 1. Prevent the user from logging in and show a warning that they need to migrate their key on the web client today.
* 2. Navigate the user to the key migration component on the web client.
*/
abstract determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction;
/**
* Optionally closes any single action popouts (extension only).
* @returns true if we are in a single action popout and it was closed, false otherwise.
*/
abstract closeSingleActionPopouts?(): Promise<boolean>;
/**
* Optionally refreshes any open windows (exempts current window).
* Only defined on the extension client for the goal of refreshing sidebars.
*/
abstract reloadOpenWindows?(): void;
/**
* Determines the action to take when launching the Duo flow.
* The extension has to popout the flow, while other clients can launch it directly.
*/
abstract determineDuoLaunchAction(): DuoLaunchAction;
}

108
libs/auth/src/angular/two-factor-auth/two-factor-auth.component.html Normal file
View File

@@ -0,0 +1,108 @@
<ng-container *ngIf="loading">
<div class="tw-flex tw-items-center tw-justify-center">
<i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
</div>
</ng-container>
<ng-container *ngIf="!loading">
<form
[bitSubmit]="submit"
[formGroup]="form"
autocomplete="off"
(keydown.enter)="handleEnterKeyPress()"
>
<app-two-factor-auth-email
[tokenFormControl]="tokenFormControl"
*ngIf="selectedProviderType === providerType.Email"
/>
<app-two-factor-auth-authenticator
[tokenFormControl]="tokenFormControl"
*ngIf="selectedProviderType === providerType.Authenticator"
/>
<app-two-factor-auth-yubikey
[tokenFormControl]="tokenFormControl"
*ngIf="selectedProviderType === providerType.Yubikey"
/>
<app-two-factor-auth-duo
(tokenEmitter)="submit($event)"
[providerData]="selectedProviderData"
*ngIf="
selectedProviderType === providerType.OrganizationDuo ||
selectedProviderType === providerType.Duo
"
#duoComponent
/>
<bit-form-control *ngIf="!hideRememberMe()">
<bit-label>{{ "dontAskAgainOnThisDeviceFor30Days" | i18n }}</bit-label>
<input type="checkbox" bitCheckbox formControlName="remember" />
</bit-form-control>
<app-two-factor-auth-webauthn
(webAuthnResultEmitter)="submit($event.token, $event.remember)"
(webAuthnInNewTabEmitter)="webAuthInNewTab = $event"
*ngIf="selectedProviderType === providerType.WebAuthn"
/>
<ng-container *ngIf="selectedProviderType == null">
<p bitTypography="body1">{{ "noTwoStepProviders" | i18n }}</p>
<p bitTypography="body1">{{ "noTwoStepProviders2" | i18n }}</p>
</ng-container>
<!-- Buttons -->
<div class="tw-flex tw-flex-col tw-space-y-3">
<button
type="submit"
buttonType="primary"
bitButton
bitFormButton
#continueButton
*ngIf="showContinueButton()"
>
<span> {{ "continueLoggingIn" | i18n }} </span>
</button>
<button
type="button"
buttonType="primary"
bitButton
(click)="launchDuo()"
*ngIf="
selectedProviderType === providerType.Duo ||
selectedProviderType === providerType.OrganizationDuo
"
>
<span *ngIf="duoLaunchAction === DuoLaunchAction.DIRECT_LAUNCH">
{{ "launchDuo" | i18n }}</span
>
<span *ngIf="duoLaunchAction === DuoLaunchAction.SINGLE_ACTION_POPOUT">
{{ "popoutExtension" | i18n }}</span
>
</button>
<p class="tw-text-center tw-mb-0">{{ "or" | i18n }}</p>
<button
type="button"
buttonType="secondary"
bitButton
bitFormButton
*ngIf="twoFactorProviders?.size > 1"
(click)="selectOtherTwoFactorMethod()"
>
<span> {{ "selectAnotherMethod" | i18n }} </span>
</button>
<button
type="button"
buttonType="secondary"
bitButton
bitFormButton
(click)="use2faRecoveryCode()"
>
<span> {{ "useYourRecoveryCode" | i18n }} </span>
</button>
</div>
</form>
</ng-container>

397
libs/auth/src/angular/two-factor-auth/two-factor-auth.component.spec.ts Normal file
View File

@@ -0,0 +1,397 @@
// FIXME: Update this file to be type safe and remove this and next line
// @ts-strict-ignore
import { Component } from "@angular/core";
import { ComponentFixture, TestBed } from "@angular/core/testing";
import { ActivatedRoute, convertToParamMap, Router } from "@angular/router";
import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
import {
LoginStrategyServiceAbstraction,
LoginEmailServiceAbstraction,
FakeKeyConnectorUserDecryptionOption as KeyConnectorUserDecryptionOption,
FakeTrustedDeviceUserDecryptionOption as TrustedDeviceUserDecryptionOption,
FakeUserDecryptionOptions as UserDecryptionOptions,
UserDecryptionOptionsServiceAbstraction,
LoginSuccessHandlerService,
} from "@bitwarden/auth/common";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { AuthenticationType } from "@bitwarden/common/auth/enums/authentication-type";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import { UserId } from "@bitwarden/common/types/guid";
import { DialogService, ToastService } from "@bitwarden/components";
import { AnonLayoutWrapperDataService } from "../anon-layout/anon-layout-wrapper-data.service";
import { TwoFactorAuthComponentService } from "./two-factor-auth-component.service";
import { TwoFactorAuthComponent } from "./two-factor-auth.component";
@Component({})
class TestTwoFactorComponent extends TwoFactorAuthComponent {}
describe("TwoFactorAuthComponent", () => {
let component: TestTwoFactorComponent;
let fixture: ComponentFixture<TestTwoFactorComponent>;
const userId = "userId" as UserId;
// Mock Services
let mockLoginStrategyService: MockProxy<LoginStrategyServiceAbstraction>;
let mockRouter: MockProxy<Router>;
let mockI18nService: MockProxy<I18nService>;
let mockApiService: MockProxy<ApiService>;
let mockPlatformUtilsService: MockProxy<PlatformUtilsService>;
let mockWin: MockProxy<Window>;
let mockStateService: MockProxy<StateService>;
let mockLogService: MockProxy<LogService>;
let mockTwoFactorService: MockProxy<TwoFactorService>;
let mockAppIdService: MockProxy<AppIdService>;
let mockLoginEmailService: MockProxy<LoginEmailServiceAbstraction>;
let mockUserDecryptionOptionsService: MockProxy<UserDecryptionOptionsServiceAbstraction>;
let mockSsoLoginService: MockProxy<SsoLoginServiceAbstraction>;
let mockMasterPasswordService: FakeMasterPasswordService;
let mockAccountService: FakeAccountService;
let mockDialogService: MockProxy<DialogService>;
let mockToastService: MockProxy<ToastService>;
let mockTwoFactorAuthCompService: MockProxy<TwoFactorAuthComponentService>;
let anonLayoutWrapperDataService: MockProxy<AnonLayoutWrapperDataService>;
let mockEnvService: MockProxy<EnvironmentService>;
let mockLoginSuccessHandlerService: MockProxy<LoginSuccessHandlerService>;
let mockUserDecryptionOpts: {
noMasterPassword: UserDecryptionOptions;
withMasterPassword: UserDecryptionOptions;
withMasterPasswordAndTrustedDevice: UserDecryptionOptions;
withMasterPasswordAndTrustedDeviceWithManageResetPassword: UserDecryptionOptions;
withMasterPasswordAndKeyConnector: UserDecryptionOptions;
noMasterPasswordWithTrustedDevice: UserDecryptionOptions;
noMasterPasswordWithTrustedDeviceWithManageResetPassword: UserDecryptionOptions;
noMasterPasswordWithKeyConnector: UserDecryptionOptions;
};
let selectedUserDecryptionOptions: BehaviorSubject<UserDecryptionOptions>;
beforeEach(() => {
mockLoginStrategyService = mock<LoginStrategyServiceAbstraction>();
mockRouter = mock<Router>();
mockI18nService = mock<I18nService>();
mockApiService = mock<ApiService>();
mockPlatformUtilsService = mock<PlatformUtilsService>();
mockWin = mock<Window>();
mockStateService = mock<StateService>();
mockLogService = mock<LogService>();
mockTwoFactorService = mock<TwoFactorService>();
mockAppIdService = mock<AppIdService>();
mockLoginEmailService = mock<LoginEmailServiceAbstraction>();
mockUserDecryptionOptionsService = mock<UserDecryptionOptionsServiceAbstraction>();
mockSsoLoginService = mock<SsoLoginServiceAbstraction>();
mockAccountService = mockAccountServiceWith(userId);
mockMasterPasswordService = new FakeMasterPasswordService();
mockDialogService = mock<DialogService>();
mockToastService = mock<ToastService>();
mockTwoFactorAuthCompService = mock<TwoFactorAuthComponentService>();
mockEnvService = mock<EnvironmentService>();
mockLoginSuccessHandlerService = mock<LoginSuccessHandlerService>();
anonLayoutWrapperDataService = mock<AnonLayoutWrapperDataService>();
mockUserDecryptionOpts = {
noMasterPassword: new UserDecryptionOptions({
hasMasterPassword: false,
trustedDeviceOption: undefined,
keyConnectorOption: undefined,
}),
withMasterPassword: new UserDecryptionOptions({
hasMasterPassword: true,
trustedDeviceOption: undefined,
keyConnectorOption: undefined,
}),
withMasterPasswordAndTrustedDevice: new UserDecryptionOptions({
hasMasterPassword: true,
trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
keyConnectorOption: undefined,
}),
withMasterPasswordAndTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
hasMasterPassword: true,
trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
keyConnectorOption: undefined,
}),
withMasterPasswordAndKeyConnector: new UserDecryptionOptions({
hasMasterPassword: true,
trustedDeviceOption: undefined,
keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
}),
noMasterPasswordWithTrustedDevice: new UserDecryptionOptions({
hasMasterPassword: false,
trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false, false),
keyConnectorOption: undefined,
}),
noMasterPasswordWithTrustedDeviceWithManageResetPassword: new UserDecryptionOptions({
hasMasterPassword: false,
trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true, false),
keyConnectorOption: undefined,
}),
noMasterPasswordWithKeyConnector: new UserDecryptionOptions({
hasMasterPassword: false,
trustedDeviceOption: undefined,
keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
}),
};
selectedUserDecryptionOptions = new BehaviorSubject<UserDecryptionOptions>(undefined);
mockUserDecryptionOptionsService.userDecryptionOptions$ = selectedUserDecryptionOptions;
TestBed.configureTestingModule({
declarations: [TestTwoFactorComponent],
providers: [
{ provide: LoginStrategyServiceAbstraction, useValue: mockLoginStrategyService },
{ provide: Router, useValue: mockRouter },
{ provide: I18nService, useValue: mockI18nService },
{ provide: ApiService, useValue: mockApiService },
{ provide: PlatformUtilsService, useValue: mockPlatformUtilsService },
{ provide: WINDOW, useValue: mockWin },
{ provide: StateService, useValue: mockStateService },
{
provide: ActivatedRoute,
useValue: {
snapshot: {
// Default to standard 2FA flow - not SSO + 2FA
queryParamMap: convertToParamMap({ sso: "false" }),
},
},
},
{ provide: LogService, useValue: mockLogService },
{ provide: TwoFactorService, useValue: mockTwoFactorService },
{ provide: AppIdService, useValue: mockAppIdService },
{ provide: LoginEmailServiceAbstraction, useValue: mockLoginEmailService },
{
provide: UserDecryptionOptionsServiceAbstraction,
useValue: mockUserDecryptionOptionsService,
},
{ provide: SsoLoginServiceAbstraction, useValue: mockSsoLoginService },
{ provide: InternalMasterPasswordServiceAbstraction, useValue: mockMasterPasswordService },
{ provide: AccountService, useValue: mockAccountService },
{ provide: DialogService, useValue: mockDialogService },
{ provide: ToastService, useValue: mockToastService },
{ provide: TwoFactorAuthComponentService, useValue: mockTwoFactorAuthCompService },
{ provide: EnvironmentService, useValue: mockEnvService },
{ provide: AnonLayoutWrapperDataService, useValue: anonLayoutWrapperDataService },
{ provide: LoginSuccessHandlerService, useValue: mockLoginSuccessHandlerService },
],
});
fixture = TestBed.createComponent(TestTwoFactorComponent);
component = fixture.componentInstance;
});
afterEach(() => {
// Reset all mocks after each test
jest.resetAllMocks();
});
it("should create", () => {
expect(component).toBeTruthy();
});
// Shared tests
const testChangePasswordOnSuccessfulLogin = () => {
it("navigates to the component's defined change password route when user doesn't have a MP and key connector isn't enabled", async () => {
// Act
await component.submit("testToken");
// Assert
expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
expect(mockRouter.navigate).toHaveBeenCalledWith(["set-password"], {
queryParams: {
identifier: component.orgSsoIdentifier,
},
});
});
};
describe("Standard 2FA scenarios", () => {
describe("submit", () => {
const token = "testToken";
const remember = false;
const currentAuthTypeSubject = new BehaviorSubject<AuthenticationType>(
AuthenticationType.Password,
);
beforeEach(() => {
selectedUserDecryptionOptions.next(mockUserDecryptionOpts.withMasterPassword);
mockLoginStrategyService.currentAuthType$ = currentAuthTypeSubject.asObservable();
});
it("calls authService.logInTwoFactor with correct parameters when form is submitted", async () => {
// Arrange
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(new AuthResult());
// Act
await component.submit(token, remember);
// Assert
expect(mockLoginStrategyService.logInTwoFactor).toHaveBeenCalledWith(
new TokenTwoFactorRequest(component.selectedProviderType, token, remember),
"",
);
});
it("calls loginEmailService.clearValues() when login is successful", async () => {
// Arrange
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(new AuthResult());
// spy on loginEmailService.clearValues
const clearValuesSpy = jest.spyOn(mockLoginEmailService, "clearValues");
// Act
await component.submit(token, remember);
// Assert
expect(clearValuesSpy).toHaveBeenCalled();
});
describe("Set Master Password scenarios", () => {
beforeEach(() => {
const authResult = new AuthResult();
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(authResult);
});
describe("Given user needs to set a master password", () => {
beforeEach(() => {
// Only need to test the case where the user has no master password to test the primary change mp flow here
selectedUserDecryptionOptions.next(mockUserDecryptionOpts.noMasterPassword);
});
testChangePasswordOnSuccessfulLogin();
});
it("does not navigate to the change password route when the user has key connector even if user has no master password", async () => {
selectedUserDecryptionOptions.next(
mockUserDecryptionOpts.noMasterPasswordWithKeyConnector,
);
await component.submit(token, remember);
expect(mockRouter.navigate).not.toHaveBeenCalledWith(["set-password"], {
queryParams: {
identifier: component.orgSsoIdentifier,
},
});
});
});
it("navigates to the component's defined success route (vault is default) when the login is successful", async () => {
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(new AuthResult());
// Act
await component.submit("testToken");
// Assert
expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
expect(mockRouter.navigate).toHaveBeenCalledWith(["vault"], {
queryParams: {
identifier: component.orgSsoIdentifier,
},
});
});
it.each([
[AuthenticationType.Sso, "lock"],
[AuthenticationType.UserApiKey, "lock"],
])(
"navigates to the lock component when the authentication type is %s",
async (authType, expectedRoute) => {
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(new AuthResult());
currentAuthTypeSubject.next(authType);
// Act
await component.submit("testToken");
// Assert
expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
expect(mockRouter.navigate).toHaveBeenCalledWith(["lock"], {
queryParams: {
identifier: component.orgSsoIdentifier,
},
});
},
);
});
});
describe("SSO > 2FA scenarios", () => {
beforeEach(() => {
const mockActivatedRoute = TestBed.inject(ActivatedRoute);
mockActivatedRoute.snapshot.queryParamMap.get = jest.fn().mockReturnValue("true");
});
describe("submit", () => {
const token = "testToken";
const remember = false;
describe("Trusted Device Encryption scenarios", () => {
describe("Given Trusted Device Encryption is enabled and user needs to set a master password", () => {
beforeEach(() => {
selectedUserDecryptionOptions.next(
mockUserDecryptionOpts.noMasterPasswordWithTrustedDeviceWithManageResetPassword,
);
const authResult = new AuthResult();
authResult.userId = userId;
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(authResult);
});
it("navigates to the login-initiated route and sets correct flag when user doesn't have a MP and key connector isn't enabled", async () => {
// Act
await component.submit(token, remember);
// Assert
expect(mockMasterPasswordService.mock.setForceSetPasswordReason).toHaveBeenCalledWith(
ForceSetPasswordReason.TdeUserWithoutPasswordHasPasswordResetPermission,
userId,
);
expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
expect(mockRouter.navigate).toHaveBeenCalledWith(["login-initiated"]);
});
});
describe("Given Trusted Device Encryption is enabled and user doesn't need to set a MP", () => {
let authResult;
beforeEach(() => {
selectedUserDecryptionOptions.next(
mockUserDecryptionOpts.withMasterPasswordAndTrustedDevice,
);
authResult = new AuthResult();
mockLoginStrategyService.logInTwoFactor.mockResolvedValue(authResult);
});
it("navigates to the login-initiated route when login is successful", async () => {
await component.submit(token, remember);
expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
expect(mockRouter.navigate).toHaveBeenCalledWith(["login-initiated"]);
});
});
});
});
});
});

578
libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts Normal file
View File

@@ -0,0 +1,578 @@
import { CommonModule } from "@angular/common";
import {
Component,
DestroyRef,
ElementRef,
Inject,
OnDestroy,
OnInit,
ViewChild,
} from "@angular/core";
import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
import { FormBuilder, ReactiveFormsModule, Validators } from "@angular/forms";
import { ActivatedRoute, Router, RouterLink } from "@angular/router";
import { lastValueFrom, firstValueFrom } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
import {
LoginStrategyServiceAbstraction,
LoginEmailServiceAbstraction,
UserDecryptionOptionsServiceAbstraction,
TrustedDeviceUserDecryptionOption,
UserDecryptionOptions,
LoginSuccessHandlerService,
} from "@bitwarden/auth/common";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { AuthenticationType } from "@bitwarden/common/auth/enums/authentication-type";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { UserId } from "@bitwarden/common/types/guid";
import {
AsyncActionsModule,
ButtonModule,
CheckboxModule,
DialogService,
FormFieldModule,
ToastService,
} from "@bitwarden/components";
import { AnonLayoutWrapperDataService } from "../anon-layout/anon-layout-wrapper-data.service";
import {
TwoFactorAuthAuthenticatorIcon,
TwoFactorAuthEmailIcon,
TwoFactorAuthWebAuthnIcon,
TwoFactorAuthSecurityKeyIcon,
TwoFactorAuthDuoIcon,
} from "../icons/two-factor-auth";
import { TwoFactorAuthAuthenticatorComponent } from "./child-components/two-factor-auth-authenticator.component";
import { TwoFactorAuthDuoComponent } from "./child-components/two-factor-auth-duo/two-factor-auth-duo.component";
import { TwoFactorAuthEmailComponent } from "./child-components/two-factor-auth-email/two-factor-auth-email.component";
import { TwoFactorAuthWebAuthnComponent } from "./child-components/two-factor-auth-webauthn/two-factor-auth-webauthn.component";
import { TwoFactorAuthYubikeyComponent } from "./child-components/two-factor-auth-yubikey.component";
import {
DuoLaunchAction,
LegacyKeyMigrationAction,
TwoFactorAuthComponentService,
} from "./two-factor-auth-component.service";
import {
TwoFactorOptionsComponent,
TwoFactorOptionsDialogResult,
} from "./two-factor-options.component";
@Component({
standalone: true,
selector: "app-two-factor-auth",
templateUrl: "two-factor-auth.component.html",
imports: [
CommonModule,
JslibModule,
ReactiveFormsModule,
FormFieldModule,
AsyncActionsModule,
RouterLink,
CheckboxModule,
ButtonModule,
TwoFactorOptionsComponent, // used as dialog
TwoFactorAuthAuthenticatorComponent,
TwoFactorAuthEmailComponent,
TwoFactorAuthDuoComponent,
TwoFactorAuthYubikeyComponent,
TwoFactorAuthWebAuthnComponent,
],
providers: [],
})
export class TwoFactorAuthComponent implements OnInit, OnDestroy {
@ViewChild("continueButton", { read: ElementRef, static: false }) continueButton:
| ElementRef
| undefined = undefined;
loading = true;
orgSsoIdentifier: string | undefined = undefined;
providerType = TwoFactorProviderType;
selectedProviderType: TwoFactorProviderType = TwoFactorProviderType.Authenticator;
// TODO: PM-17176 - build more specific type for 2FA metadata
twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> | null = null;
selectedProviderData: { [key: string]: string } | undefined;
@ViewChild("duoComponent") duoComponent!: TwoFactorAuthDuoComponent;
form = this.formBuilder.group({
token: [
"",
{
validators: [Validators.required],
updateOn: "submit",
},
],
remember: [false],
});
get tokenFormControl() {
return this.form.controls.token;
}
get rememberFormControl() {
return this.form.controls.remember;
}
formPromise: Promise<any> | undefined;
duoLaunchAction: DuoLaunchAction | undefined = undefined;
DuoLaunchAction = DuoLaunchAction;
webAuthInNewTab = false;
private authenticationSessionTimeoutRoute = "authentication-timeout";
constructor(
private loginStrategyService: LoginStrategyServiceAbstraction,
private router: Router,
private i18nService: I18nService,
private platformUtilsService: PlatformUtilsService,
private dialogService: DialogService,
private activatedRoute: ActivatedRoute,
private logService: LogService,
private twoFactorService: TwoFactorService,
private loginEmailService: LoginEmailServiceAbstraction,
private userDecryptionOptionsService: UserDecryptionOptionsServiceAbstraction,
private ssoLoginService: SsoLoginServiceAbstraction,
private masterPasswordService: InternalMasterPasswordServiceAbstraction,
private accountService: AccountService,
private formBuilder: FormBuilder,
@Inject(WINDOW) protected win: Window,
private toastService: ToastService,
private twoFactorAuthComponentService: TwoFactorAuthComponentService,
private destroyRef: DestroyRef,
private anonLayoutWrapperDataService: AnonLayoutWrapperDataService,
private environmentService: EnvironmentService,
private loginSuccessHandlerService: LoginSuccessHandlerService,
) {}
async ngOnInit() {
this.orgSsoIdentifier =
this.activatedRoute.snapshot.queryParamMap.get("identifier") ?? undefined;
this.listenForAuthnSessionTimeout();
await this.setSelected2faProviderType();
await this.set2faProvidersAndData();
await this.setAnonLayoutDataByTwoFactorProviderType();
await this.twoFactorAuthComponentService.extendPopupWidthIfRequired?.(
this.selectedProviderType,
);
this.duoLaunchAction = this.twoFactorAuthComponentService.determineDuoLaunchAction();
this.loading = false;
}
private async setSelected2faProviderType() {
const webAuthnSupported = this.platformUtilsService.supportsWebAuthn(this.win);
if (
this.twoFactorAuthComponentService.shouldCheckForWebAuthnQueryParamResponse() &&
webAuthnSupported
) {
const webAuthn2faResponse = this.activatedRoute.snapshot.paramMap.get("webAuthnResponse");
if (webAuthn2faResponse) {
this.selectedProviderType = TwoFactorProviderType.WebAuthn;
return;
}
}
this.selectedProviderType = await this.twoFactorService.getDefaultProvider(webAuthnSupported);
}
private async set2faProvidersAndData() {
this.twoFactorProviders = await this.twoFactorService.getProviders();
const providerData = this.twoFactorProviders?.get(this.selectedProviderType);
this.selectedProviderData = providerData;
}
private listenForAuthnSessionTimeout() {
this.loginStrategyService.authenticationSessionTimeout$
.pipe(takeUntilDestroyed(this.destroyRef))
.subscribe(async (expired) => {
if (!expired) {
return;
}
try {
await this.router.navigate([this.authenticationSessionTimeoutRoute]);
} catch (err) {
this.logService.error(
`Failed to navigate to ${this.authenticationSessionTimeoutRoute} route`,
err,
);
}
});
}
submit = async (token?: string, remember?: boolean) => {
// 2FA submission either comes via programmatic submission for flows like
// WebAuthn or Duo, or via the form submission for other 2FA providers.
// So, we have to figure out whether we need to validate the form or not.
let tokenValue: string;
if (token !== undefined) {
if (token === "" || token === null) {
this.toastService.showToast({
variant: "error",
title: this.i18nService.t("errorOccurred"),
message: this.i18nService.t("verificationCodeRequired"),
});
return;
}
// Token has been passed in so no need to validate the form
tokenValue = token;
} else {
// We support programmatic submission via enter key press, but we only update on submit
// so we have to manually update the form here for the invalid check to be accurate.
this.tokenFormControl.markAsTouched();
this.tokenFormControl.markAsDirty();
this.tokenFormControl.updateValueAndValidity();
// Token has not been passed in ensure form is valid before proceeding.
if (this.form.invalid) {
// returning as form validation will show the relevant errors.
return;
}
// This shouldn't be possible w/ the required form validation, but
// to satisfy strict TS checks, have to check for null here.
const tokenFormValue = this.tokenFormControl.value;
if (!tokenFormValue) {
return;
}
tokenValue = tokenFormValue.trim();
}
// In all flows but WebAuthn, the remember value is taken from the form.
const rememberValue = remember ?? this.rememberFormControl.value ?? false;
try {
this.formPromise = this.loginStrategyService.logInTwoFactor(
new TokenTwoFactorRequest(this.selectedProviderType, tokenValue, rememberValue),
"", // TODO: PM-15162 - deprecate captchaResponse
);
const authResult: AuthResult = await this.formPromise;
this.logService.info("Successfully submitted two factor token");
await this.handleAuthResult(authResult);
} catch {
this.logService.error("Error submitting two factor token");
this.toastService.showToast({
variant: "error",
title: this.i18nService.t("errorOccurred"),
message: this.i18nService.t("invalidVerificationCode"),
});
}
};
async selectOtherTwoFactorMethod() {
const dialogRef = TwoFactorOptionsComponent.open(this.dialogService);
const response: TwoFactorOptionsDialogResult | string | undefined = await lastValueFrom(
dialogRef.closed,
);
if (response !== undefined && response !== null && typeof response !== "string") {
const providerData = await this.twoFactorService.getProviders().then((providers) => {
return providers?.get(response.type);
});
this.selectedProviderData = providerData;
this.selectedProviderType = response.type;
await this.setAnonLayoutDataByTwoFactorProviderType();
this.form.reset();
this.form.updateValueAndValidity();
}
}
async launchDuo() {
if (this.duoComponent != null && this.duoLaunchAction !== undefined) {
await this.duoComponent.launchDuoFrameless(this.duoLaunchAction);
}
}
protected async handleMigrateEncryptionKey(result: AuthResult): Promise<boolean> {
if (!result.requiresEncryptionKeyMigration) {
return false;
}
// Migration is forced so prevent login via return
const legacyKeyMigrationAction: LegacyKeyMigrationAction =
this.twoFactorAuthComponentService.determineLegacyKeyMigrationAction();
switch (legacyKeyMigrationAction) {
case LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT:
await this.router.navigate(["migrate-legacy-encryption"]);
break;
case LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING:
this.toastService.showToast({
variant: "error",
title: this.i18nService.t("errorOccured"),
message: this.i18nService.t("encryptionKeyMigrationRequired"),
});
break;
}
return true;
}
async setAnonLayoutDataByTwoFactorProviderType() {
switch (this.selectedProviderType) {
case TwoFactorProviderType.Authenticator:
this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
pageSubtitle: this.i18nService.t("enterTheCodeFromYourAuthenticatorApp"),
pageIcon: TwoFactorAuthAuthenticatorIcon,
});
break;
case TwoFactorProviderType.Email:
this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
pageSubtitle: this.i18nService.t("enterTheCodeSentToYourEmail"),
pageIcon: TwoFactorAuthEmailIcon,
});
break;
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.OrganizationDuo:
this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
pageSubtitle: this.i18nService.t("duoTwoFactorRequiredPageSubtitle"),
pageIcon: TwoFactorAuthDuoIcon,
});
break;
case TwoFactorProviderType.Yubikey:
this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
pageSubtitle: this.i18nService.t("pressYourYubiKeyToAuthenticate"),
pageIcon: TwoFactorAuthSecurityKeyIcon,
});
break;
case TwoFactorProviderType.WebAuthn:
this.anonLayoutWrapperDataService.setAnonLayoutWrapperData({
pageSubtitle: this.i18nService.t("followTheStepsBelowToFinishLoggingIn"),
pageIcon: TwoFactorAuthWebAuthnIcon,
});
break;
default:
this.logService.error(
"setAnonLayoutDataByTwoFactorProviderType: Unhandled 2FA provider type",
this.selectedProviderType,
);
break;
}
}
private async handleAuthResult(authResult: AuthResult) {
if (await this.handleMigrateEncryptionKey(authResult)) {
return; // stop login process
}
// User is fully logged in so handle any post login logic before executing navigation
await this.loginSuccessHandlerService.run(authResult.userId);
this.loginEmailService.clearValues();
// Save off the OrgSsoIdentifier for use in the TDE flows
// - TDE login decryption options component
// - Browser SSO on extension open
if (this.orgSsoIdentifier !== undefined) {
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
await this.ssoLoginService.setActiveUserOrganizationSsoIdentifier(
this.orgSsoIdentifier,
userId,
);
}
const userDecryptionOpts = await firstValueFrom(
this.userDecryptionOptionsService.userDecryptionOptions$,
);
const tdeEnabled = await this.isTrustedDeviceEncEnabled(userDecryptionOpts.trustedDeviceOption);
if (tdeEnabled) {
return await this.handleTrustedDeviceEncryptionEnabled(authResult.userId, userDecryptionOpts);
}
// User must set password if they don't have one and they aren't using either TDE or key connector.
const requireSetPassword =
!userDecryptionOpts.hasMasterPassword && userDecryptionOpts.keyConnectorOption === undefined;
// New users without a master password must set a master password before advancing.
if (requireSetPassword || authResult.resetMasterPassword) {
// Change implies going no password -> password in this case
return await this.handleChangePasswordRequired(this.orgSsoIdentifier);
}
this.twoFactorAuthComponentService.reloadOpenWindows?.();
const inSingleActionPopoutWhichWasClosed =
await this.twoFactorAuthComponentService.closeSingleActionPopouts?.();
if (inSingleActionPopoutWhichWasClosed) {
// No need to execute navigation as the single action popout was closed
return;
}
const defaultSuccessRoute = await this.determineDefaultSuccessRoute();
await this.router.navigate([defaultSuccessRoute], {
queryParams: {
identifier: this.orgSsoIdentifier,
},
});
}
private async determineDefaultSuccessRoute(): Promise<string> {
const authType = await firstValueFrom(this.loginStrategyService.currentAuthType$);
if (authType == AuthenticationType.Sso || authType == AuthenticationType.UserApiKey) {
return "lock";
}
return "vault";
}
private async isTrustedDeviceEncEnabled(
trustedDeviceOption: TrustedDeviceUserDecryptionOption | undefined,
): Promise<boolean> {
const ssoTo2faFlowActive = this.activatedRoute.snapshot.queryParamMap.get("sso") === "true";
return ssoTo2faFlowActive && trustedDeviceOption !== undefined;
}
private async handleTrustedDeviceEncryptionEnabled(
userId: UserId,
userDecryptionOpts: UserDecryptionOptions,
): Promise<void> {
// Tde offboarding takes precedence
if (
!userDecryptionOpts.hasMasterPassword &&
userDecryptionOpts.trustedDeviceOption?.isTdeOffboarding
) {
await this.masterPasswordService.setForceSetPasswordReason(
ForceSetPasswordReason.TdeOffboarding,
userId,
);
} else if (
!userDecryptionOpts.hasMasterPassword &&
userDecryptionOpts.trustedDeviceOption?.hasManageResetPasswordPermission
) {
// If user doesn't have a MP, but has reset password permission, they must set a MP
// Set flag so that auth guard can redirect to set password screen after decryption (trusted or untrusted device)
// Note: we cannot directly navigate to the set password screen in this scenario as we are in a pre-decryption state, and
// if you try to set a new MP before decrypting, you will invalidate the user's data by making a new user key.
await this.masterPasswordService.setForceSetPasswordReason(
ForceSetPasswordReason.TdeUserWithoutPasswordHasPasswordResetPermission,
userId,
);
}
this.twoFactorAuthComponentService.reloadOpenWindows?.();
const inSingleActionPopoutWhichWasClosed =
await this.twoFactorAuthComponentService.closeSingleActionPopouts?.();
if (inSingleActionPopoutWhichWasClosed) {
// No need to execute navigation as the single action popout was closed
return;
}
await this.router.navigate(["login-initiated"]);
}
private async handleChangePasswordRequired(orgIdentifier: string | undefined) {
await this.router.navigate(["set-password"], {
queryParams: {
identifier: orgIdentifier,
},
});
}
/**
* Determines if a user needs to reset their password based on certain conditions.
* Users can be forced to reset their password via an admin or org policy disallowing weak passwords.
* Note: this is different from the SSO component login flow as a user can
* login with MP and then have to pass 2FA to finish login and we can actually
* evaluate if they have a weak password at that time.
*
* @param {AuthResult} authResult - The authentication result.
* @returns {boolean} Returns true if a password reset is required, false otherwise.
*/
private isForcePasswordResetRequired(authResult: AuthResult): boolean {
const forceResetReasons = [
ForceSetPasswordReason.AdminForcePasswordReset,
ForceSetPasswordReason.WeakMasterPassword,
];
return forceResetReasons.includes(authResult.forcePasswordReset);
}
showContinueButton() {
return (
this.selectedProviderType != null &&
this.selectedProviderType !== TwoFactorProviderType.WebAuthn &&
this.selectedProviderType !== TwoFactorProviderType.Duo &&
this.selectedProviderType !== TwoFactorProviderType.OrganizationDuo
);
}
hideRememberMe() {
// Don't show remember for me for scenarios where we have to popout the extension
return (
((this.selectedProviderType === TwoFactorProviderType.Duo ||
this.selectedProviderType === TwoFactorProviderType.OrganizationDuo) &&
this.duoLaunchAction === DuoLaunchAction.SINGLE_ACTION_POPOUT) ||
(this.selectedProviderType === TwoFactorProviderType.WebAuthn && this.webAuthInNewTab)
);
}
async use2faRecoveryCode() {
// TODO: PM-17696 eventually we should have a consolidated recover-2fa component as a follow up
// so that we don't have to always open a new tab for non-web clients.
const env = await firstValueFrom(this.environmentService.environment$);
const webVault = env.getWebVaultUrl();
this.platformUtilsService.launchUri(webVault + "/#/recover-2fa");
}
async handleEnterKeyPress() {
// Each 2FA provider has a different implementation.
// For example, email 2FA uses an input of type "text" for the token which does not automatically submit on enter.
// Yubikey, however, uses an input with type "password" which does automatically submit on enter.
// So we have to handle the enter key press differently for each provider.
switch (this.selectedProviderType) {
case TwoFactorProviderType.Authenticator:
case TwoFactorProviderType.Email:
// We must actually submit the form via click in order for the tokenFormControl value to be set.
this.continueButton?.nativeElement?.click();
break;
case TwoFactorProviderType.Duo:
case TwoFactorProviderType.OrganizationDuo:
case TwoFactorProviderType.WebAuthn:
case TwoFactorProviderType.Yubikey:
// Do nothing
break;
default:
this.logService.error(
"handleEnterKeyPress: Unhandled 2FA provider type",
this.selectedProviderType,
);
break;
}
}
async ngOnDestroy() {
this.twoFactorAuthComponentService.removePopupWidthExtension?.();
}
}

74
libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.spec.ts Normal file
View File

@@ -0,0 +1,74 @@
import { Component } from "@angular/core";
import { TestBed } from "@angular/core/testing";
import { provideRouter, Router } from "@angular/router";
import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { AuthenticationType } from "@bitwarden/common/auth/enums/authentication-type";
import { LoginStrategyServiceAbstraction } from "../../common";
import { TwoFactorAuthGuard } from "./two-factor-auth.guard";
@Component({ template: "" })
export class EmptyComponent {}
describe("TwoFactorAuthGuard", () => {
let loginStrategyService: MockProxy<LoginStrategyServiceAbstraction>;
const currentAuthTypesSubject = new BehaviorSubject<AuthenticationType | null>(null);
let twoFactorService: MockProxy<TwoFactorService>;
let router: Router;
beforeEach(() => {
loginStrategyService = mock<LoginStrategyServiceAbstraction>();
loginStrategyService.currentAuthType$ = currentAuthTypesSubject.asObservable();
twoFactorService = mock<TwoFactorService>();
TestBed.configureTestingModule({
providers: [
provideRouter([
{ path: "login", component: EmptyComponent },
{ path: "protected", component: EmptyComponent, canActivate: [TwoFactorAuthGuard] },
]),
{ provide: LoginStrategyServiceAbstraction, useValue: loginStrategyService },
{ provide: TwoFactorService, useValue: twoFactorService },
],
});
router = TestBed.inject(Router);
});
it("should redirect to /login if the user is not authenticating", async () => {
// Arrange
currentAuthTypesSubject.next(null);
twoFactorService.getProviders.mockResolvedValue(null);
// Act
await router.navigateByUrl("/protected");
// Assert
expect(router.url).toBe("/login");
});
const authenticationTypes = Object.entries(AuthenticationType)
// filter out reverse mappings (e.g., "0": "Password")
.filter(([key, value]) => typeof value === "number")
.map(([key, value]) => [value, key]) as [AuthenticationType, string][];
authenticationTypes.forEach(([authType, authTypeName]) => {
it(`should redirect to /login if the user is authenticating with ${authTypeName} but no two-factor providers exist`, async () => {
// Arrange
currentAuthTypesSubject.next(authType);
twoFactorService.getProviders.mockResolvedValue(null);
// Act
await router.navigateByUrl("/protected");
// Assert
expect(router.url).toBe("/login");
});
});
});

33
libs/auth/src/angular/two-factor-auth/two-factor-auth.guard.ts Normal file
View File

@@ -0,0 +1,33 @@
import { inject } from "@angular/core";
import {
ActivatedRouteSnapshot,
CanActivateFn,
Router,
RouterStateSnapshot,
UrlTree,
} from "@angular/router";
import { firstValueFrom } from "rxjs";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { LoginStrategyServiceAbstraction } from "../../common";
export const TwoFactorAuthGuard: CanActivateFn = async (
route: ActivatedRouteSnapshot,
routerState: RouterStateSnapshot,
): Promise<boolean | UrlTree> => {
const loginStrategyService = inject(LoginStrategyServiceAbstraction);
const twoFactorService = inject(TwoFactorService);
const router = inject(Router);
const currentAuthType = await firstValueFrom(loginStrategyService.currentAuthType$);
const userIsAuthenticating = currentAuthType !== null;
const twoFactorProviders = await twoFactorService.getProviders();
if (!userIsAuthenticating || twoFactorProviders == null) {
return router.createUrlTree(["/login"]);
}
return true;
};

50
libs/auth/src/angular/two-factor-auth/two-factor-options.component.html Normal file
View File

@@ -0,0 +1,50 @@
<bit-dialog [background]="'alt'" dialogSize="large">
<span bitDialogTitle>
{{ "selectTwoStepLoginMethod" | i18n }}
</span>
<ng-container bitDialogContent>
<bit-item-group>
<bit-item *ngFor="let provider of providers" (click)="choose(provider)">
<button bit-item-content [truncate]="false" type="button" class="tw-h-auto md:tw-h-20">
<div
slot="start"
[ngSwitch]="provider.type"
class="tw-w-16 md:tw-w-20 tw-mr-2 sm:tw-mr-4"
>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.Authenticator"
[icon]="Icons.TwoFactorAuthAuthenticatorIcon"
></bit-icon>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.Email"
[icon]="Icons.TwoFactorAuthEmailIcon"
></bit-icon>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.Duo"
[icon]="Icons.TwoFactorAuthDuoIcon"
></bit-icon>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.Yubikey"
[icon]="Icons.TwoFactorAuthYubicoIcon"
></bit-icon>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.OrganizationDuo"
[icon]="Icons.TwoFactorAuthDuoIcon"
></bit-icon>
<bit-icon
*ngSwitchCase="TwoFactorProviderType.WebAuthn"
[icon]="Icons.TwoFactorAuthWebAuthnIcon"
></bit-icon>
</div>
{{ provider.name }}
<ng-container slot="secondary"> {{ provider.description }} </ng-container>
</button>
</bit-item>
</bit-item-group>
</ng-container>
<ng-container bitDialogFooter>
<button bitButton type="button" buttonType="secondary" (click)="cancel()">
{{ "cancel" | i18n }}
</button>
</ng-container>
</bit-dialog>

81
libs/auth/src/angular/two-factor-auth/two-factor-options.component.ts Normal file
View File

@@ -0,0 +1,81 @@
import { DialogRef } from "@angular/cdk/dialog";
import { CommonModule } from "@angular/common";
import { Component, OnInit } from "@angular/core";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import {
TwoFactorProviderDetails,
TwoFactorService,
} from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
import {
ButtonModule,
DialogModule,
DialogService,
IconModule,
ItemModule,
TypographyModule,
} from "@bitwarden/components";
import {
TwoFactorAuthAuthenticatorIcon,
TwoFactorAuthDuoIcon,
TwoFactorAuthEmailIcon,
TwoFactorAuthWebAuthnIcon,
TwoFactorAuthYubicoIcon,
} from "../icons/two-factor-auth";
export type TwoFactorOptionsDialogResult = {
type: TwoFactorProviderType;
};
@Component({
standalone: true,
selector: "app-two-factor-options",
templateUrl: "two-factor-options.component.html",
imports: [
CommonModule,
JslibModule,
DialogModule,
ButtonModule,
TypographyModule,
ItemModule,
IconModule,
],
providers: [],
})
export class TwoFactorOptionsComponent implements OnInit {
providers: TwoFactorProviderDetails[] = [];
TwoFactorProviderType = TwoFactorProviderType;
readonly Icons = {
TwoFactorAuthAuthenticatorIcon,
TwoFactorAuthEmailIcon,
TwoFactorAuthDuoIcon,
TwoFactorAuthYubicoIcon,
TwoFactorAuthWebAuthnIcon,
};
constructor(
private twoFactorService: TwoFactorService,
private dialogRef: DialogRef,
) {}
async ngOnInit() {
const providers = await this.twoFactorService.getSupportedProviders(window);
providers.sort((a: TwoFactorProviderDetails, b: TwoFactorProviderDetails) => a.sort - b.sort);
this.providers = providers;
}
async choose(p: TwoFactorProviderDetails) {
this.dialogRef.close({ type: p.type });
}
static open(dialogService: DialogService) {
return dialogService.open<TwoFactorOptionsDialogResult>(TwoFactorOptionsComponent);
}
cancel() {
this.dialogRef.close();
}
}

2
libs/auth/src/angular/user-verification/user-verification-form-input.component.html
View File

@@ -120,7 +120,7 @@
<div class="tw-mb-6" *ngIf="sentInitialCode">
{{ "enterVerificationCodeSentToEmail" | i18n }}
<p class="mb-0">
<p class="tw-mb-0">
<button bitLink type="button" linkType="primary" (click)="requestOTP()">
{{ "resendCode" | i18n }}
</button>

1
libs/auth/src/angular/user-verification/user-verification-form-input.component.ts
View File

@@ -68,7 +68,6 @@ import { ActiveClientVerificationOption } from "./active-client-verification-opt
CalloutModule,
],
})
// eslint-disable-next-line rxjs-angular/prefer-takeuntil
export class UserVerificationFormInputComponent implements ControlValueAccessor, OnInit, OnDestroy {
@Input() verificationType: "server" | "client" = "server"; // server represents original behavior
private _invalidSecret = false;

6
libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.spec.ts
View File

@@ -1,10 +1,12 @@
import { ComponentFixture, TestBed } from "@angular/core/testing";
import { BehaviorSubject } from "rxjs";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
import {
VaultTimeoutSettingsService,
VaultTimeoutStringType,
} from "@bitwarden/common/key-management/vault-timeout";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { VaultTimeoutStringType } from "@bitwarden/common/types/vault-timeout.type";
import { VaultTimeoutInputComponent } from "./vault-timeout-input.component";

9
libs/auth/src/angular/vault-timeout-input/vault-timeout-input.component.ts
View File

@@ -17,13 +17,16 @@ import {
import { filter, map, Observable, Subject, takeUntil } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
import { PolicyType } from "@bitwarden/common/admin-console/enums";
import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import {
VaultTimeout,
VaultTimeoutAction,
VaultTimeoutOption,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { VaultTimeout, VaultTimeoutOption } from "@bitwarden/common/types/vault-timeout.type";
import { FormFieldModule, SelectModule } from "@bitwarden/components";
type VaultTimeoutForm = FormGroup<{

15
libs/auth/src/common/abstractions/auth-request.service.abstraction.ts
View File

@@ -12,6 +12,12 @@ export abstract class AuthRequestServiceAbstraction {
/** Emits an auth request id when an auth request has been approved. */
authRequestPushNotification$: Observable<string>;
/**
* Emits when a login has been approved by an admin. This emission is specifically for the
* purpose of notifying the consuming component to display a toast informing the user.
*/
adminLoginApproved$: Observable<void>;
/**
* Returns an admin auth request for the given user if it exists.
* @param userId The user id.
@@ -106,4 +112,13 @@ export abstract class AuthRequestServiceAbstraction {
* @returns The dash-delimited fingerprint phrase.
*/
abstract getFingerprintPhrase(email: string, publicKey: Uint8Array): Promise<string>;
/**
* Passes a value to the adminLoginApprovedSubject via next(), which causes the
* adminLoginApproved$ observable to emit.
*
* The purpose is to notify consuming components (of adminLoginApproved$) to display
* a toast informing the user that a login has been approved by an admin.
*/
abstract emitAdminLoginApproved(): void;
}

10
libs/auth/src/common/abstractions/login-strategy.service.ts
View File

@@ -47,7 +47,6 @@ export abstract class LoginStrategyServiceAbstraction {
* Auth Request. Otherwise, it will return null.
*/
getAuthRequestId: () => Promise<string | null>;
/**
* Sends a token request to the server using the provided credentials.
*/
@@ -67,6 +66,7 @@ export abstract class LoginStrategyServiceAbstraction {
*/
logInTwoFactor: (
twoFactor: TokenTwoFactorRequest,
// TODO: PM-15162 - deprecate captchaResponse
captchaResponse: string,
) => Promise<AuthResult>;
/**
@@ -74,7 +74,11 @@ export abstract class LoginStrategyServiceAbstraction {
*/
makePreloginKey: (masterPassword: string, email: string) => Promise<MasterKey>;
/**
* Emits true if the two factor session has expired.
* Emits true if the authentication session has expired.
*/
twoFactorTimeout$: Observable<boolean>;
authenticationSessionTimeout$: Observable<boolean>;
/**
* Sends a token request to the server with the provided device verification OTP.
*/
logInNewDeviceVerification: (deviceVerificationOtp: string) => Promise<AuthResult>;
}

8
libs/auth/src/common/abstractions/pin.service.abstraction.ts
View File

@@ -30,7 +30,7 @@ export abstract class PinServiceAbstraction {
/**
* Gets the persistent (stored on disk) version of the UserKey, encrypted by the PinKey.
*/
abstract getPinKeyEncryptedUserKeyPersistent: (userId: UserId) => Promise<EncString>;
abstract getPinKeyEncryptedUserKeyPersistent: (userId: UserId) => Promise<EncString | null>;
/**
* Clears the persistent (stored on disk) version of the UserKey, encrypted by the PinKey.
@@ -40,7 +40,7 @@ export abstract class PinServiceAbstraction {
/**
* Gets the ephemeral (stored in memory) version of the UserKey, encrypted by the PinKey.
*/
abstract getPinKeyEncryptedUserKeyEphemeral: (userId: UserId) => Promise<EncString>;
abstract getPinKeyEncryptedUserKeyEphemeral: (userId: UserId) => Promise<EncString | null>;
/**
* Clears the ephemeral (stored in memory) version of the UserKey, encrypted by the PinKey.
@@ -70,7 +70,7 @@ export abstract class PinServiceAbstraction {
/**
* Gets the user's PIN, encrypted by the UserKey.
*/
abstract getUserKeyEncryptedPin: (userId: UserId) => Promise<EncString>;
abstract getUserKeyEncryptedPin: (userId: UserId) => Promise<EncString | null>;
/**
* Sets the user's PIN, encrypted by the UserKey.
@@ -94,7 +94,7 @@ export abstract class PinServiceAbstraction {
* Gets the old MasterKey, encrypted by the PinKey (formerly called `pinProtected`).
* Deprecated and used for migration purposes only.
*/
abstract getOldPinKeyEncryptedMasterKey: (userId: UserId) => Promise<EncryptedString>;
abstract getOldPinKeyEncryptedMasterKey: (userId: UserId) => Promise<EncryptedString | null>;
/**
* Clears the old MasterKey, encrypted by the PinKey.

1
libs/auth/src/common/index.ts
View File

@@ -6,3 +6,4 @@ export * from "./models";
export * from "./types";
export * from "./services";
export * from "./utilities";
export * from "./login-strategies";

16
libs/auth/src/common/login-strategies/auth-request-login.strategy.spec.ts
View File

@@ -2,22 +2,25 @@ import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import { CsprngArray } from "@bitwarden/common/types/csprng";
import { UserId } from "@bitwarden/common/types/guid";
@@ -51,6 +54,7 @@ describe("AuthRequestLoginStrategy", () => {
let billingAccountProfileStateService: MockProxy<BillingAccountProfileStateService>;
let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
let kdfConfigService: MockProxy<KdfConfigService>;
let environmentService: MockProxy<EnvironmentService>;
const mockUserId = Utils.newGuid() as UserId;
let accountService: FakeAccountService;
@@ -86,6 +90,7 @@ describe("AuthRequestLoginStrategy", () => {
billingAccountProfileStateService = mock<BillingAccountProfileStateService>();
vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
kdfConfigService = mock<KdfConfigService>();
environmentService = mock<EnvironmentService>();
accountService = mockAccountServiceWith(mockUserId);
masterPasswordService = new FakeMasterPasswordService();
@@ -115,6 +120,7 @@ describe("AuthRequestLoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
tokenResponse = identityTokenResponseFactory();

2
libs/auth/src/common/login-strategies/auth-request-login.strategy.ts
View File

@@ -3,11 +3,11 @@
import { firstValueFrom, Observable, map, BehaviorSubject } from "rxjs";
import { Jsonify } from "type-fest";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { PasswordTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/password-token.request";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { UserId } from "@bitwarden/common/types/guid";
import { AuthRequestLoginCredentials } from "../models/domain/login-credentials";

1
libs/auth/src/common/login-strategies/index.ts Normal file
View File

@@ -0,0 +1 @@
export { PasswordLoginStrategy, PasswordLoginStrategyData } from "./password-login.strategy";

134
libs/auth/src/common/login-strategies/login.strategy.spec.ts
View File

@@ -2,8 +2,8 @@ import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
@@ -12,15 +12,20 @@ import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/for
import { PasswordTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/password-token.request";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { IdentityCaptchaResponse } from "@bitwarden/common/auth/models/response/identity-captcha.response";
import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/models/response/identity-device-verification.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { MasterPasswordPolicyResponse } from "@bitwarden/common/auth/models/response/master-password-policy.response";
import { IUserDecryptionOptionsServerResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -76,8 +81,8 @@ const twoFactorToken = "TWO_FACTOR_TOKEN";
const twoFactorRemember = true;
export function identityTokenResponseFactory(
masterPasswordPolicyResponse: MasterPasswordPolicyResponse = null,
userDecryptionOptions: IUserDecryptionOptionsServerResponse = null,
masterPasswordPolicyResponse: MasterPasswordPolicyResponse | undefined = undefined,
userDecryptionOptions: IUserDecryptionOptionsServerResponse | undefined = undefined,
) {
return new IdentityTokenResponse({
ForcePasswordReset: false,
@@ -119,6 +124,7 @@ describe("LoginStrategy", () => {
let billingAccountProfileStateService: MockProxy<BillingAccountProfileStateService>;
let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
let kdfConfigService: MockProxy<KdfConfigService>;
let environmentService: MockProxy<EnvironmentService>;
let passwordLoginStrategy: PasswordLoginStrategy;
let credentials: PasswordLoginCredentials;
@@ -143,6 +149,7 @@ describe("LoginStrategy", () => {
policyService = mock<PolicyService>();
passwordStrengthService = mock<PasswordStrengthService>();
billingAccountProfileStateService = mock<BillingAccountProfileStateService>();
environmentService = mock<EnvironmentService>();
vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
@@ -155,7 +162,7 @@ describe("LoginStrategy", () => {
passwordStrengthService,
policyService,
loginStrategyService,
accountService,
accountService as unknown as AccountService,
masterPasswordService,
keyService,
encryptService,
@@ -171,6 +178,7 @@ describe("LoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
credentials = new PasswordLoginCredentials(email, masterPassword);
});
@@ -286,13 +294,41 @@ describe("LoginStrategy", () => {
const result = await passwordLoginStrategy.logIn(credentials);
expect(result).toEqual({
userId: userId,
forcePasswordReset: ForceSetPasswordReason.AdminForcePasswordReset,
resetMasterPassword: true,
twoFactorProviders: null,
captchaSiteKey: "",
} as AuthResult);
const expected = new AuthResult();
expected.userId = userId;
expected.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
expected.resetMasterPassword = true;
expected.twoFactorProviders = {} as Partial<
Record<TwoFactorProviderType, Record<string, string>>
>;
expected.captchaSiteKey = "";
expected.twoFactorProviders = null;
expect(result).toEqual(expected);
});
it("processes a forcePasswordReset response properly", async () => {
const tokenResponse = identityTokenResponseFactory();
tokenResponse.forcePasswordReset = true;
apiService.postIdentityToken.mockResolvedValue(tokenResponse);
const result = await passwordLoginStrategy.logIn(credentials);
const expected = new AuthResult();
expected.userId = userId;
expected.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
expected.resetMasterPassword = false;
expected.twoFactorProviders = {} as Partial<
Record<TwoFactorProviderType, Record<string, string>>
>;
expected.captchaSiteKey = "";
expected.twoFactorProviders = null;
expect(result).toEqual(expected);
expect(masterPasswordService.mock.setForceSetPasswordReason).toHaveBeenCalledWith(
ForceSetPasswordReason.AdminForcePasswordReset,
userId,
);
});
it("rejects login if CAPTCHA is required", async () => {
@@ -377,10 +413,11 @@ describe("LoginStrategy", () => {
expect(tokenService.clearTwoFactorToken).toHaveBeenCalled();
const expected = new AuthResult();
expected.twoFactorProviders = { 0: null } as Record<
TwoFactorProviderType,
Record<string, string>
expected.twoFactorProviders = { 0: null } as unknown as Partial<
Record<TwoFactorProviderType, Record<string, string>>
>;
expected.email = "";
expected.ssoEmail2FaSessionToken = undefined;
expect(result).toEqual(expected);
});
@@ -460,14 +497,19 @@ describe("LoginStrategy", () => {
it("sends 2FA token provided by user to server (two-step)", async () => {
// Simulate a partially completed login
cache = new PasswordLoginStrategyData();
cache.tokenRequest = new PasswordTokenRequest(email, masterPasswordHash, null, null);
cache.tokenRequest = new PasswordTokenRequest(
email,
masterPasswordHash,
"",
new TokenTwoFactorRequest(),
);
passwordLoginStrategy = new PasswordLoginStrategy(
cache,
passwordStrengthService,
policyService,
loginStrategyService,
accountService,
accountService as AccountService,
masterPasswordService,
keyService,
encryptService,
@@ -483,13 +525,14 @@ describe("LoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
apiService.postIdentityToken.mockResolvedValue(identityTokenResponseFactory());
await passwordLoginStrategy.logInTwoFactor(
new TokenTwoFactorRequest(twoFactorProviderType, twoFactorToken, twoFactorRemember),
null,
"",
);
expect(apiService.postIdentityToken).toHaveBeenCalledWith(
@@ -503,4 +546,55 @@ describe("LoginStrategy", () => {
);
});
});
describe("Device verification", () => {
it("processes device verification response", async () => {
const captchaToken = "test-captcha-token";
const deviceVerificationResponse = new IdentityDeviceVerificationResponse({
error: "invalid_grant",
error_description: "Device verification required.",
email: "test@bitwarden.com",
deviceVerificationRequest: true,
captchaToken: captchaToken,
});
apiService.postIdentityToken.mockResolvedValue(deviceVerificationResponse);
cache = new PasswordLoginStrategyData();
cache.tokenRequest = new PasswordTokenRequest(
email,
masterPasswordHash,
"",
new TokenTwoFactorRequest(),
);
passwordLoginStrategy = new PasswordLoginStrategy(
cache,
passwordStrengthService,
policyService,
loginStrategyService,
accountService as AccountService,
masterPasswordService,
keyService,
encryptService,
apiService,
tokenService,
appIdService,
platformUtilsService,
messagingService,
logService,
stateService,
twoFactorService,
userDecryptionOptionsService,
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
const result = await passwordLoginStrategy.logIn(credentials);
expect(result.requiresDeviceVerification).toBe(true);
});
});
});

97
libs/auth/src/common/login-strategies/login.strategy.ts
View File

@@ -1,11 +1,7 @@
// FIXME: Update this file to be type safe and remove this and next line
// @ts-strict-ignore
import { BehaviorSubject, filter, firstValueFrom, timeout } from "rxjs";
import { BehaviorSubject, filter, firstValueFrom, timeout, Observable } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
@@ -18,14 +14,20 @@ import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/ide
import { UserApiTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/user-api-token.request";
import { WebAuthnLoginTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/webauthn-login-token.request";
import { IdentityCaptchaResponse } from "@bitwarden/common/auth/models/response/identity-captcha.response";
import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/models/response/identity-device-verification.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { ClientType } from "@bitwarden/common/enums";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -51,14 +53,19 @@ import {
import { UserDecryptionOptions } from "../models/domain/user-decryption-options";
import { CacheData } from "../services/login-strategies/login-strategy.state";
type IdentityResponse = IdentityTokenResponse | IdentityTwoFactorResponse | IdentityCaptchaResponse;
type IdentityResponse =
| IdentityTokenResponse
| IdentityTwoFactorResponse
| IdentityCaptchaResponse
| IdentityDeviceVerificationResponse;
export abstract class LoginStrategyData {
tokenRequest:
| UserApiTokenRequest
| PasswordTokenRequest
| SsoTokenRequest
| WebAuthnLoginTokenRequest;
| WebAuthnLoginTokenRequest
| undefined;
captchaBypassToken?: string;
/** User's entered email obtained pre-login. */
@@ -67,6 +74,8 @@ export abstract class LoginStrategyData {
export abstract class LoginStrategy {
protected abstract cache: BehaviorSubject<LoginStrategyData>;
protected sessionTimeoutSubject = new BehaviorSubject<boolean>(false);
sessionTimeout$: Observable<boolean> = this.sessionTimeoutSubject.asObservable();
constructor(
protected accountService: AccountService,
@@ -85,6 +94,7 @@ export abstract class LoginStrategy {
protected billingAccountProfileStateService: BillingAccountProfileStateService,
protected vaultTimeoutSettingsService: VaultTimeoutSettingsService,
protected KdfConfigService: KdfConfigService,
protected environmentService: EnvironmentService,
) {}
abstract exportCache(): CacheData;
@@ -100,9 +110,12 @@ export abstract class LoginStrategy {
async logInTwoFactor(
twoFactor: TokenTwoFactorRequest,
captchaResponse: string = null,
captchaResponse: string | null = null,
): Promise<AuthResult> {
const data = this.cache.value;
if (!data.tokenRequest) {
throw new Error("Token request is undefined");
}
data.tokenRequest.setTwoFactor(twoFactor);
this.cache.next(data);
const [authResult] = await this.startLogIn();
@@ -113,6 +126,9 @@ export abstract class LoginStrategy {
await this.twoFactorService.clearSelectedProvider();
const tokenRequest = this.cache.value.tokenRequest;
if (!tokenRequest) {
throw new Error("Token request is undefined");
}
const response = await this.apiService.postIdentityToken(tokenRequest);
if (response instanceof IdentityTwoFactorResponse) {
@@ -121,6 +137,8 @@ export abstract class LoginStrategy {
return [await this.processCaptchaResponse(response), response];
} else if (response instanceof IdentityTokenResponse) {
return [await this.processTokenResponse(response), response];
} else if (response instanceof IdentityDeviceVerificationResponse) {
return [await this.processDeviceVerificationResponse(response), response];
}
throw new Error("Invalid response object.");
@@ -176,10 +194,14 @@ export abstract class LoginStrategy {
await this.accountService.addAccount(userId, {
name: accountInformation.name,
email: accountInformation.email,
emailVerified: accountInformation.email_verified,
email: accountInformation.email ?? "",
emailVerified: accountInformation.email_verified ?? false,
});
// User env must be seeded from currently set env before switching to the account
// to avoid any incorrect emissions of the global default env.
await this.environmentService.seedUserEnvironment(userId);
await this.accountService.switchAccount(userId);
await this.stateService.addAccount(
@@ -230,7 +252,7 @@ export abstract class LoginStrategy {
);
await this.billingAccountProfileStateService.setHasPremium(
accountInformation.premium,
accountInformation.premium ?? false,
false,
userId,
);
@@ -249,17 +271,24 @@ export abstract class LoginStrategy {
}
}
result.resetMasterPassword = response.resetMasterPassword;
// Convert boolean to enum
if (response.forcePasswordReset) {
result.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
}
// Must come before setting keys, user key needs email to update additional keys
// Must come before setting keys, user key needs email to update additional keys.
const userId = await this.saveAccountInformation(response);
result.userId = userId;
result.resetMasterPassword = response.resetMasterPassword;
// Convert boolean to enum and set the state for the master password service to
// so we know when we reach the auth guard that we need to guide them properly to admin
// password reset.
if (response.forcePasswordReset) {
result.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
await this.masterPasswordService.setForceSetPasswordReason(
ForceSetPasswordReason.AdminForcePasswordReset,
userId,
);
}
if (response.twoFactorToken != null) {
// note: we can read email from access token b/c it was saved in saveAccountInformation
const userEmail = await this.tokenService.getEmail();
@@ -278,7 +307,9 @@ export abstract class LoginStrategy {
// The keys comes from different sources depending on the login strategy
protected abstract setMasterKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;
protected abstract setUserKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;
protected abstract setPrivateKey(response: IdentityTokenResponse, userId: UserId): Promise<void>;
// Old accounts used master key for encryption. We are forcing migrations but only need to
@@ -291,6 +322,9 @@ export abstract class LoginStrategy {
try {
const userKey = await this.keyService.getUserKeyWithLegacySupport(userId);
const [publicKey, privateKey] = await this.keyService.makeKeyPair(userKey);
if (!privateKey.encryptedString) {
throw new Error("Failed to create encrypted private key");
}
await this.apiService.postAccountKeys(new KeysRequest(publicKey, privateKey.encryptedString));
return privateKey.encryptedString;
} catch (e) {
@@ -316,7 +350,8 @@ export abstract class LoginStrategy {
await this.twoFactorService.setProviders(response);
this.cache.next({ ...this.cache.value, captchaBypassToken: response.captchaToken ?? null });
result.ssoEmail2FaSessionToken = response.ssoEmail2faSessionToken;
result.email = response.email;
result.email = response.email ?? "";
return result;
}
@@ -355,4 +390,22 @@ export abstract class LoginStrategy {
),
);
}
/**
* Handles the response from the server when a device verification is required.
* It sets the requiresDeviceVerification flag to true and caches the captcha token if it came back.
*
* @param {IdentityDeviceVerificationResponse} response - The response from the server indicating that device verification is required.
* @returns {Promise<AuthResult>} - A promise that resolves to an AuthResult object
*/
protected async processDeviceVerificationResponse(
response: IdentityDeviceVerificationResponse,
): Promise<AuthResult> {
const result = new AuthResult();
result.requiresDeviceVerification = true;
// Extend cached data with captcha bypass token if it came back.
this.cache.next({ ...this.cache.value, captchaBypassToken: response.captchaToken ?? null });
return result;
}
}

34
libs/auth/src/common/login-strategies/password-login.strategy.spec.ts
View File

@@ -10,11 +10,15 @@ import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/for
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { MasterPasswordPolicyResponse } from "@bitwarden/common/auth/models/response/master-password-policy.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -22,7 +26,6 @@ import { StateService } from "@bitwarden/common/platform/abstractions/state.serv
import { HashPurpose } from "@bitwarden/common/platform/enums";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import {
PasswordStrengthServiceAbstraction,
@@ -78,6 +81,7 @@ describe("PasswordLoginStrategy", () => {
let billingAccountProfileStateService: MockProxy<BillingAccountProfileStateService>;
let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
let kdfConfigService: MockProxy<KdfConfigService>;
let environmentService: MockProxy<EnvironmentService>;
let passwordLoginStrategy: PasswordLoginStrategy;
let credentials: PasswordLoginCredentials;
@@ -104,6 +108,7 @@ describe("PasswordLoginStrategy", () => {
billingAccountProfileStateService = mock<BillingAccountProfileStateService>();
vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
kdfConfigService = mock<KdfConfigService>();
environmentService = mock<EnvironmentService>();
appIdService.getAppId.mockResolvedValue(deviceId);
tokenService.decodeAccessToken.mockResolvedValue({
@@ -142,6 +147,7 @@ describe("PasswordLoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
credentials = new PasswordLoginCredentials(email, masterPassword);
tokenResponse = identityTokenResponseFactory(masterPasswordPolicy);
@@ -276,4 +282,24 @@ describe("PasswordLoginStrategy", () => {
);
expect(secondResult.forcePasswordReset).toEqual(ForceSetPasswordReason.WeakMasterPassword);
});
it("handles new device verification login with OTP", async () => {
const deviceVerificationOtp = "123456";
const tokenResponse = identityTokenResponseFactory();
apiService.postIdentityToken.mockResolvedValueOnce(tokenResponse);
tokenService.decodeAccessToken.mockResolvedValue({ sub: userId });
await passwordLoginStrategy.logIn(credentials);
const result = await passwordLoginStrategy.logInNewDeviceVerification(deviceVerificationOtp);
expect(apiService.postIdentityToken).toHaveBeenCalledWith(
expect.objectContaining({
newDeviceOtp: deviceVerificationOtp,
}),
);
expect(result.forcePasswordReset).toBe(ForceSetPasswordReason.None);
expect(result.resetMasterPassword).toBe(false);
expect(result.userId).toBe(userId);
});
});

17
libs/auth/src/common/login-strategies/password-login.strategy.ts
View File

@@ -10,6 +10,7 @@ import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/for
import { PasswordTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/password-token.request";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { IdentityCaptchaResponse } from "@bitwarden/common/auth/models/response/identity-captcha.response";
import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/models/response/identity-device-verification.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { HashPurpose } from "@bitwarden/common/platform/enums";
@@ -208,9 +209,12 @@ export class PasswordLoginStrategy extends LoginStrategy {
}
private getMasterPasswordPolicyOptionsFromResponse(
response: IdentityTokenResponse | IdentityTwoFactorResponse,
response:
| IdentityTokenResponse
| IdentityTwoFactorResponse
| IdentityDeviceVerificationResponse,
): MasterPasswordPolicyOptions {
if (response == null) {
if (response == null || response instanceof IdentityDeviceVerificationResponse) {
return null;
}
return MasterPasswordPolicyOptions.fromResponse(response.masterPasswordPolicy);
@@ -233,4 +237,13 @@ export class PasswordLoginStrategy extends LoginStrategy {
password: this.cache.value,
};
}
async logInNewDeviceVerification(deviceVerificationOtp: string): Promise<AuthResult> {
const data = this.cache.value;
data.tokenRequest.newDeviceOtp = deviceVerificationOtp;
this.cache.next(data);
const [authResult] = await this.startLogIn();
return authResult;
}
}

18
libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
View File

@@ -2,20 +2,24 @@ import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IUserDecryptionOptionsServerResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -23,7 +27,6 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import { CsprngArray } from "@bitwarden/common/types/csprng";
import { UserId } from "@bitwarden/common/types/guid";
@@ -61,6 +64,7 @@ describe("SsoLoginStrategy", () => {
let billingAccountProfileStateService: MockProxy<BillingAccountProfileStateService>;
let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
let kdfConfigService: MockProxy<KdfConfigService>;
let environmentService: MockProxy<EnvironmentService>;
let ssoLoginStrategy: SsoLoginStrategy;
let credentials: SsoLoginCredentials;
@@ -96,6 +100,7 @@ describe("SsoLoginStrategy", () => {
billingAccountProfileStateService = mock<BillingAccountProfileStateService>();
vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
kdfConfigService = mock<KdfConfigService>();
environmentService = mock<EnvironmentService>();
tokenService.getTwoFactorToken.mockResolvedValue(null);
appIdService.getAppId.mockResolvedValue(deviceId);
@@ -140,6 +145,7 @@ describe("SsoLoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
credentials = new SsoLoginCredentials(ssoCode, ssoCodeVerifier, ssoRedirectUrl, ssoOrgId);
});

16
libs/auth/src/common/login-strategies/sso-login.strategy.ts
View File

@@ -3,14 +3,13 @@
import { firstValueFrom, Observable, map, BehaviorSubject } from "rxjs";
import { Jsonify } from "type-fest";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { SsoTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/sso-token.request";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { HttpStatusCode } from "@bitwarden/common/enums";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { UserId } from "@bitwarden/common/types/guid";
@@ -108,14 +107,6 @@ export class SsoLoginStrategy extends LoginStrategy {
const email = ssoAuthResult.email;
const ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;
// Auth guard currently handles redirects for this.
if (ssoAuthResult.forcePasswordReset == ForceSetPasswordReason.AdminForcePasswordReset) {
await this.masterPasswordService.setForceSetPasswordReason(
ssoAuthResult.forcePasswordReset,
ssoAuthResult.userId,
);
}
this.cache.next({
...this.cache.value,
email,
@@ -278,7 +269,8 @@ export class SsoLoginStrategy extends LoginStrategy {
// TODO: eventually we post and clean up DB as well once consumed on client
await this.authRequestService.clearAdminAuthRequest(userId);
this.platformUtilsService.showToast("success", null, this.i18nService.t("loginApproved"));
// This notification will be picked up by the SsoComponent to handle displaying a toast to the user
this.authRequestService.emitAdminLoginApproved();
}
}
}

14
libs/auth/src/common/login-strategies/user-api-login.strategy.spec.ts
View File

@@ -2,14 +2,17 @@ import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import {
Environment,
EnvironmentService,
@@ -20,7 +23,6 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import { CsprngArray } from "@bitwarden/common/types/csprng";
import { UserId } from "@bitwarden/common/types/guid";
@@ -95,7 +97,6 @@ describe("UserApiLoginStrategy", () => {
apiLogInStrategy = new UserApiLoginStrategy(
cache,
environmentService,
keyConnectorService,
accountService,
masterPasswordService,
@@ -113,6 +114,7 @@ describe("UserApiLoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
credentials = new UserApiLoginCredentials(apiClientId, apiClientSecret);

6
libs/auth/src/common/login-strategies/user-api-login.strategy.ts
View File

@@ -3,11 +3,10 @@
import { firstValueFrom, BehaviorSubject } from "rxjs";
import { Jsonify } from "type-fest";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { UserApiTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/user-api-token.request";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
import { VaultTimeoutAction } from "@bitwarden/common/key-management/vault-timeout";
import { UserId } from "@bitwarden/common/types/guid";
import { UserApiLoginCredentials } from "../models/domain/login-credentials";
@@ -31,7 +30,6 @@ export class UserApiLoginStrategy extends LoginStrategy {
constructor(
data: UserApiLoginStrategyData,
private environmentService: EnvironmentService,
private keyConnectorService: KeyConnectorService,
...sharedDeps: ConstructorParameters<typeof LoginStrategy>
) {

14
libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts
View File

@@ -7,19 +7,22 @@ import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IUserDecryptionOptionsServerResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/user-decryption-options.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { WebAuthnLoginAssertionResponseRequest } from "@bitwarden/common/auth/services/webauthn-login/request/webauthn-login-assertion-response.request";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
import { UserId } from "@bitwarden/common/types/guid";
import { PrfKey, UserKey } from "@bitwarden/common/types/key";
@@ -50,6 +53,7 @@ describe("WebAuthnLoginStrategy", () => {
let billingAccountProfileStateService: MockProxy<BillingAccountProfileStateService>;
let vaultTimeoutSettingsService: MockProxy<VaultTimeoutSettingsService>;
let kdfConfigService: MockProxy<KdfConfigService>;
let environmentService: MockProxy<EnvironmentService>;
let webAuthnLoginStrategy!: WebAuthnLoginStrategy;
@@ -93,6 +97,7 @@ describe("WebAuthnLoginStrategy", () => {
billingAccountProfileStateService = mock<BillingAccountProfileStateService>();
vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
kdfConfigService = mock<KdfConfigService>();
environmentService = mock<EnvironmentService>();
tokenService.getTwoFactorToken.mockResolvedValue(null);
appIdService.getAppId.mockResolvedValue(deviceId);
@@ -118,6 +123,7 @@ describe("WebAuthnLoginStrategy", () => {
billingAccountProfileStateService,
vaultTimeoutSettingsService,
kdfConfigService,
environmentService,
);
// Create credentials

6
libs/auth/src/common/models/domain/login-credentials.ts
View File

@@ -53,9 +53,9 @@ export class AuthRequestLoginCredentials {
public email: string,
public accessCode: string,
public authRequestId: string,
public decryptedUserKey: UserKey,
public decryptedMasterKey: MasterKey,
public decryptedMasterKeyHash: string,
public decryptedUserKey: UserKey | null,
public decryptedMasterKey: MasterKey | null,
public decryptedMasterKeyHash: string | null,
public twoFactor?: TokenTwoFactorRequest,
) {}

2
libs/auth/src/common/models/domain/user-decryption-options.ts
View File

@@ -4,6 +4,8 @@ import { Jsonify } from "type-fest";
import { KeyConnectorUserDecryptionOptionResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/key-connector-user-decryption-option.response";
import { TrustedDeviceUserDecryptionOptionResponse } from "@bitwarden/common/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import { IdentityTokenResponse } from "@bitwarden/common/src/auth/models/response/identity-token.response";
/**

2
libs/auth/src/common/services/accounts/lock.service.ts
View File

@@ -1,7 +1,7 @@
import { combineLatest, firstValueFrom, map } from "rxjs";
import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { VaultTimeoutService } from "@bitwarden/common/key-management/vault-timeout";
import { UserId } from "@bitwarden/common/types/guid";
export abstract class LockService {

2
libs/auth/src/common/services/accounts/lock.services.spec.ts
View File

@@ -1,6 +1,6 @@
import { mock } from "jest-mock-extended";
import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
import { VaultTimeoutService } from "@bitwarden/common/key-management/vault-timeout";
import { mockAccountServiceWith } from "@bitwarden/common/spec";
import { UserId } from "@bitwarden/common/types/guid";

23
libs/auth/src/common/services/auth-request/auth-request-api.service.ts
View File

@@ -16,7 +16,7 @@ export class DefaultAuthRequestApiService implements AuthRequestApiService {
const path = `/auth-requests/${requestId}`;
const response = await this.apiService.send("GET", path, null, true, true);
return response;
return new AuthRequestResponse(response);
} catch (e: unknown) {
this.logService.error(e);
throw e;
@@ -28,7 +28,7 @@ export class DefaultAuthRequestApiService implements AuthRequestApiService {
const path = `/auth-requests/${requestId}/response?code=${accessCode}`;
const response = await this.apiService.send("GET", path, null, false, true);
return response;
return new AuthRequestResponse(response);
} catch (e: unknown) {
this.logService.error(e);
throw e;
@@ -45,7 +45,7 @@ export class DefaultAuthRequestApiService implements AuthRequestApiService {
true,
);
return response;
return new AuthRequestResponse(response);
} catch (e: unknown) {
this.logService.error(e);
throw e;
@@ -54,9 +54,22 @@ export class DefaultAuthRequestApiService implements AuthRequestApiService {
async postAuthRequest(request: AuthRequest): Promise<AuthRequestResponse> {
try {
const response = await this.apiService.send("POST", "/auth-requests/", request, false, true);
// Submit the current device identifier in the header as well as in the POST body.
// The value in the header will be used to build the request context and ensure that the resulting
// notifications have the current device as a source.
const response = await this.apiService.send(
"POST",
"/auth-requests/",
request,
false,
true,
null,
(headers) => {
headers.set("Device-Identifier", request.deviceIdentifier);
},
);
return response;
return new AuthRequestResponse(response);
} catch (e: unknown) {
this.logService.error(e);
throw e;

4
libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
View File

@@ -2,10 +2,10 @@ import { mock } from "jest-mock-extended";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import { AuthRequestPushNotification } from "@bitwarden/common/models/response/notification.response";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";

13
libs/auth/src/common/services/auth-request/auth-request.service.ts
View File

@@ -5,13 +5,13 @@ import { Jsonify } from "type-fest";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
import { PasswordlessAuthRequest } from "@bitwarden/common/auth/models/request/passwordless-auth.request";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
import { AuthRequestPushNotification } from "@bitwarden/common/models/response/notification.response";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
@@ -43,6 +43,10 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
private authRequestPushNotificationSubject = new Subject<string>();
authRequestPushNotification$: Observable<string>;
// Observable emission is used to trigger a toast in consuming components
private adminLoginApprovedSubject = new Subject<void>();
adminLoginApproved$: Observable<void>;
constructor(
private appIdService: AppIdService,
private accountService: AccountService,
@@ -53,6 +57,7 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
private stateProvider: StateProvider,
) {
this.authRequestPushNotification$ = this.authRequestPushNotificationSubject.asObservable();
this.adminLoginApproved$ = this.adminLoginApprovedSubject.asObservable();
}
async getAdminAuthRequest(userId: UserId): Promise<AdminAuthRequestStorable | null> {
@@ -207,4 +212,8 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
async getFingerprintPhrase(email: string, publicKey: Uint8Array): Promise<string> {
return (await this.keyService.getFingerprint(email.toLowerCase(), publicKey)).join("-");
}
emitAdminLoginApproved(): void {
this.adminLoginApprovedSubject.next();
}
}

111
libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.spec.ts Normal file
View File

@@ -0,0 +1,111 @@
import { signal } from "@angular/core";
import { TestBed } from "@angular/core/testing";
import { ViewCacheService } from "@bitwarden/angular/platform/abstractions/view-cache.service";
import { AuthRequestType } from "@bitwarden/common/auth/enums/auth-request-type";
import { AuthRequest } from "@bitwarden/common/auth/models/request/auth.request";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { LoginViaAuthRequestView } from "@bitwarden/common/auth/models/view/login-via-auth-request.view";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
import { LoginViaAuthRequestCacheService } from "./default-login-via-auth-request-cache.service";
describe("LoginViaAuthRequestCache", () => {
let service: LoginViaAuthRequestCacheService;
let testBed: TestBed;
const cacheSignal = signal<LoginViaAuthRequestView | null>(null);
const getCacheSignal = jest.fn().mockReturnValue(cacheSignal);
const getFeatureFlag = jest.fn().mockResolvedValue(false);
const cacheSetMock = jest.spyOn(cacheSignal, "set");
beforeEach(() => {
getCacheSignal.mockClear();
getFeatureFlag.mockClear();
cacheSetMock.mockClear();
testBed = TestBed.configureTestingModule({
providers: [
{ provide: ViewCacheService, useValue: { signal: getCacheSignal } },
{ provide: ConfigService, useValue: { getFeatureFlag } },
LoginViaAuthRequestCacheService,
],
});
});
describe("feature enabled", () => {
beforeEach(() => {
getFeatureFlag.mockResolvedValue(true);
});
it("`getCachedLoginViaAuthRequestView` returns the cached data", async () => {
cacheSignal.set({ ...buildAuthenticMockAuthView() });
service = testBed.inject(LoginViaAuthRequestCacheService);
await service.init();
expect(service.getCachedLoginViaAuthRequestView()).toEqual({
...buildAuthenticMockAuthView(),
});
});
it("updates the signal value", async () => {
service = testBed.inject(LoginViaAuthRequestCacheService);
await service.init();
const parameters = buildAuthenticMockAuthView();
service.cacheLoginView(
parameters.authRequest,
parameters.authRequestResponse,
parameters.fingerprintPhrase,
{ publicKey: new Uint8Array(), privateKey: new Uint8Array() },
);
expect(cacheSignal.set).toHaveBeenCalledWith(parameters);
});
});
describe("feature disabled", () => {
beforeEach(async () => {
cacheSignal.set({ ...buildAuthenticMockAuthView() } as LoginViaAuthRequestView);
getFeatureFlag.mockResolvedValue(false);
cacheSetMock.mockClear();
service = testBed.inject(LoginViaAuthRequestCacheService);
await service.init();
});
it("`getCachedCipherView` returns null", () => {
expect(service.getCachedLoginViaAuthRequestView()).toBeNull();
});
it("does not update the signal value", () => {
const params = buildAuthenticMockAuthView();
service.cacheLoginView(
params.authRequest,
params.authRequestResponse,
params.fingerprintPhrase,
{ publicKey: new Uint8Array(), privateKey: new Uint8Array() },
);
expect(cacheSignal.set).not.toHaveBeenCalled();
});
});
const buildAuthenticMockAuthView = () => {
return {
fingerprintPhrase: "",
privateKey: "",
publicKey: "",
authRequest: new AuthRequest(
"test@gmail.com",
"deviceIdentifier",
"publicKey",
AuthRequestType.Unlock,
"accessCode",
),
authRequestResponse: new AuthRequestResponse({}),
};
};
});

88
libs/auth/src/common/services/auth-request/default-login-via-auth-request-cache.service.ts Normal file
View File

@@ -0,0 +1,88 @@
import { inject, Injectable, WritableSignal } from "@angular/core";
import { ViewCacheService } from "@bitwarden/angular/platform/abstractions/view-cache.service";
import { AuthRequest } from "@bitwarden/common/auth/models/request/auth.request";
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
import { LoginViaAuthRequestView } from "@bitwarden/common/auth/models/view/login-via-auth-request.view";
import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
import { Utils } from "@bitwarden/common/platform/misc/utils";
const LOGIN_VIA_AUTH_CACHE_KEY = "login-via-auth-request-form-cache";
/**
* This is a cache service used for the login via auth request component.
*
* There is sensitive information stored temporarily here. Cache will be cleared
* after 2 minutes.
*/
@Injectable()
export class LoginViaAuthRequestCacheService {
private viewCacheService: ViewCacheService = inject(ViewCacheService);
private configService: ConfigService = inject(ConfigService);
/** True when the `PM9112_DeviceApproval` flag is enabled */
private featureEnabled: boolean = false;
private defaultLoginViaAuthRequestCache: WritableSignal<LoginViaAuthRequestView | null> =
this.viewCacheService.signal<LoginViaAuthRequestView | null>({
key: LOGIN_VIA_AUTH_CACHE_KEY,
initialValue: null,
deserializer: LoginViaAuthRequestView.fromJSON,
});
constructor() {}
/**
* Must be called once before interacting with the cached data, otherwise methods will be noop.
*/
async init() {
this.featureEnabled = await this.configService.getFeatureFlag(
FeatureFlag.PM9112_DeviceApprovalPersistence,
);
}
/**
* Update the cache with the new LoginView.
*/
cacheLoginView(
authRequest: AuthRequest,
authRequestResponse: AuthRequestResponse,
fingerprintPhrase: string,
keys: { privateKey: Uint8Array | undefined; publicKey: Uint8Array | undefined },
): void {
if (!this.featureEnabled) {
return;
}
// When the keys get stored they should be converted to a B64 string to ensure
// data can be properly formed when json-ified. If not done, they are not stored properly and
// will not be parsable by the cryptography library after coming out of storage.
this.defaultLoginViaAuthRequestCache.set({
authRequest,
authRequestResponse,
fingerprintPhrase,
privateKey: keys.privateKey ? Utils.fromBufferToB64(keys.privateKey.buffer) : undefined,
publicKey: keys.publicKey ? Utils.fromBufferToB64(keys.publicKey.buffer) : undefined,
} as LoginViaAuthRequestView);
}
clearCacheLoginView(): void {
if (!this.featureEnabled) {
return;
}
this.defaultLoginViaAuthRequestCache.set(null);
}
/**
* Returns the cached LoginViaAuthRequestView when available.
*/
getCachedLoginViaAuthRequestView(): LoginViaAuthRequestView | null {
if (!this.featureEnabled) {
return null;
}
return this.defaultLoginViaAuthRequestCache();
}
}

2
libs/auth/src/common/services/index.ts
View File

@@ -4,6 +4,6 @@ export * from "./login-strategies/login-strategy.service";
export * from "./user-decryption-options/user-decryption-options.service";
export * from "./auth-request/auth-request.service";
export * from "./auth-request/auth-request-api.service";
export * from "./register-route.service";
export * from "./accounts/lock.service";
export * from "./login-success-handler/default-login-success-handler.service";
export * from "./sso-redirect/sso-url.service";

2
libs/auth/src/common/services/login-email/login-email.service.ts
View File

@@ -6,6 +6,8 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
// FIXME: remove `src` and fix import
// eslint-disable-next-line no-restricted-imports
import {
GlobalState,
KeyDefinition,

77
libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts
View File

@@ -2,10 +2,7 @@ import { MockProxy, mock } from "jest-mock-extended";
import { BehaviorSubject } from "rxjs";
import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
@@ -14,11 +11,16 @@ import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/ide
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { PreloginResponse } from "@bitwarden/common/auth/models/response/prelogin.response";
import { FakeMasterPasswordService } from "@bitwarden/common/auth/services/master-password/fake-master-password.service";
import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
import { FakeMasterPasswordService } from "@bitwarden/common/key-management/master-password/services/fake-master-password.service";
import {
VaultTimeoutAction,
VaultTimeoutSettingsService,
} from "@bitwarden/common/key-management/vault-timeout";
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -321,4 +323,67 @@ describe("LoginStrategyService", () => {
`PBKDF2 iterations must be at least ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN}, but was ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN - 1}; possible pre-login downgrade attack detected.`,
);
});
it("returns an AuthResult on successful new device verification", async () => {
const credentials = new PasswordLoginCredentials("EMAIL", "MASTER_PASSWORD");
const deviceVerificationOtp = "123456";
// Setup initial login and device verification response
apiService.postPrelogin.mockResolvedValue(
new PreloginResponse({
Kdf: KdfType.Argon2id,
KdfIterations: 2,
KdfMemory: 16,
KdfParallelism: 1,
}),
);
apiService.postIdentityToken.mockResolvedValueOnce(
new IdentityTwoFactorResponse({
TwoFactorProviders: ["0"],
TwoFactorProviders2: { 0: null },
error: "invalid_grant",
error_description: "Two factor required.",
email: undefined,
ssoEmail2faSessionToken: undefined,
}),
);
await sut.logIn(credentials);
// Successful device verification login
apiService.postIdentityToken.mockResolvedValueOnce(
new IdentityTokenResponse({
ForcePasswordReset: false,
Kdf: KdfType.Argon2id,
KdfIterations: 2,
KdfMemory: 16,
KdfParallelism: 1,
Key: "KEY",
PrivateKey: "PRIVATE_KEY",
ResetMasterPassword: false,
access_token: "ACCESS_TOKEN",
expires_in: 3600,
refresh_token: "REFRESH_TOKEN",
scope: "api offline_access",
token_type: "Bearer",
}),
);
tokenService.decodeAccessToken.calledWith("ACCESS_TOKEN").mockResolvedValue({
sub: "USER_ID",
name: "NAME",
email: "EMAIL",
premium: false,
});
const result = await sut.logInNewDeviceVerification(deviceVerificationOtp);
expect(result).toBeInstanceOf(AuthResult);
expect(apiService.postIdentityToken).toHaveBeenCalledWith(
expect.objectContaining({
newDeviceOtp: deviceVerificationOtp,
}),
);
});
});

Some files were not shown because too many files have changed in this diff Show More