-
Date: Tue, 9 Dec 2025 17:28:04 -0500
Subject: [PATCH 13/60] [PM-27663] Create VaultItemTransferModalComponent and
confirmation dialogs (#17883)
* Created item transfer dialogs
* Added empty line
---
apps/browser/src/_locales/en/messages.json | 48 ++++++++++++++
apps/desktop/src/locales/en/messages.json | 48 ++++++++++++++
apps/web/src/locales/en/messages.json | 48 ++++++++++++++
.../components/vault-items-transfer/index.ts | 13 ++++
.../leave-confirmation-dialog.component.html | 33 ++++++++++
.../leave-confirmation-dialog.component.ts | 64 +++++++++++++++++++
.../transfer-items-dialog.component.html | 22 +++++++
.../transfer-items-dialog.component.ts | 64 +++++++++++++++++++
libs/vault/src/index.ts | 1 +
9 files changed, 341 insertions(+)
create mode 100644 libs/vault/src/components/vault-items-transfer/index.ts
create mode 100644 libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.html
create mode 100644 libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.ts
create mode 100644 libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.html
create mode 100644 libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.ts
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index a5c204ffc99..2d229092787 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -5937,5 +5937,53 @@
},
"upgrade": {
"message": "Upgrade"
+ },
+ "leaveConfirmationDialogTitle": {
+ "message": "Are you sure you want to leave?"
+ },
+ "leaveConfirmationDialogContentOne": {
+ "message": "By declining, your personal items will stay in your account, but you'll lose access to shared items and organization features."
+ },
+ "leaveConfirmationDialogContentTwo": {
+ "message": "Contact your admin to regain access."
+ },
+ "leaveConfirmationDialogConfirmButton": {
+ "message": "Leave $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "howToManageMyVault": {
+ "message": "How do I manage my vault?"
+ },
+ "transferItemsToOrganizationTitle": {
+ "message": "Transfer items to $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "transferItemsToOrganizationContent": {
+ "message": "$ORGANIZATION$ is requiring all items to be owned by the organization for security and compliance. Click accept to transfer ownership of your items.",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "acceptTransfer": {
+ "message": "Accept transfer"
+ },
+ "declineAndLeave": {
+ "message": "Decline and leave"
+ },
+ "whyAmISeeingThis": {
+ "message": "Why am I seeing this?"
}
}
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index 4c3833e28c3..f6a679d9c7c 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -4383,5 +4383,53 @@
},
"upgrade": {
"message": "Upgrade"
+ },
+ "leaveConfirmationDialogTitle": {
+ "message": "Are you sure you want to leave?"
+ },
+ "leaveConfirmationDialogContentOne": {
+ "message": "By declining, your personal items will stay in your account, but you'll lose access to shared items and organization features."
+ },
+ "leaveConfirmationDialogContentTwo": {
+ "message": "Contact your admin to regain access."
+ },
+ "leaveConfirmationDialogConfirmButton": {
+ "message": "Leave $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "howToManageMyVault": {
+ "message": "How do I manage my vault?"
+ },
+ "transferItemsToOrganizationTitle": {
+ "message": "Transfer items to $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "transferItemsToOrganizationContent": {
+ "message": "$ORGANIZATION$ is requiring all items to be owned by the organization for security and compliance. Click accept to transfer ownership of your items.",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "acceptTransfer": {
+ "message": "Accept transfer"
+ },
+ "declineAndLeave": {
+ "message": "Decline and leave"
+ },
+ "whyAmISeeingThis": {
+ "message": "Why am I seeing this?"
}
}
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index 4be70b102d1..bbbf548b8e1 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -12287,5 +12287,53 @@
},
"sessionTimeoutSettingsSetUnlockMethodToChangeTimeoutAction": {
"message": "Set an unlock method to change your timeout action"
+ },
+ "leaveConfirmationDialogTitle": {
+ "message": "Are you sure you want to leave?"
+ },
+ "leaveConfirmationDialogContentOne": {
+ "message": "By declining, your personal items will stay in your account, but you'll lose access to shared items and organization features."
+ },
+ "leaveConfirmationDialogContentTwo": {
+ "message": "Contact your admin to regain access."
+ },
+ "leaveConfirmationDialogConfirmButton": {
+ "message": "Leave $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "howToManageMyVault": {
+ "message": "How do I manage my vault?"
+ },
+ "transferItemsToOrganizationTitle": {
+ "message": "Transfer items to $ORGANIZATION$",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "transferItemsToOrganizationContent": {
+ "message": "$ORGANIZATION$ is requiring all items to be owned by the organization for security and compliance. Click accept to transfer ownership of your items.",
+ "placeholders": {
+ "organization": {
+ "content": "$1",
+ "example": "My Org Name"
+ }
+ }
+ },
+ "acceptTransfer": {
+ "message": "Accept transfer"
+ },
+ "declineAndLeave": {
+ "message": "Decline and leave"
+ },
+ "whyAmISeeingThis": {
+ "message": "Why am I seeing this?"
}
}
diff --git a/libs/vault/src/components/vault-items-transfer/index.ts b/libs/vault/src/components/vault-items-transfer/index.ts
new file mode 100644
index 00000000000..f2ffb9f9c22
--- /dev/null
+++ b/libs/vault/src/components/vault-items-transfer/index.ts
@@ -0,0 +1,13 @@
+export {
+ TransferItemsDialogComponent,
+ TransferItemsDialogParams,
+ TransferItemsDialogResult,
+ TransferItemsDialogResultType,
+} from "./transfer-items-dialog.component";
+
+export {
+ LeaveConfirmationDialogComponent,
+ LeaveConfirmationDialogParams,
+ LeaveConfirmationDialogResult,
+ LeaveConfirmationDialogResultType,
+} from "./leave-confirmation-dialog.component";
diff --git a/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.html b/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.html
new file mode 100644
index 00000000000..f0d644fecff
--- /dev/null
+++ b/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.html
@@ -0,0 +1,33 @@
+
+
+
+ {{ "leaveConfirmationDialogTitle" | i18n }}
+
+
+
+
+
+
+
+
+
+
+ {{ "howToManageMyVault" | i18n }}
+
+
+
+
diff --git a/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.ts b/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.ts
new file mode 100644
index 00000000000..bd32a1ea6dd
--- /dev/null
+++ b/libs/vault/src/components/vault-items-transfer/leave-confirmation-dialog.component.ts
@@ -0,0 +1,64 @@
+import { ChangeDetectionStrategy, Component, inject } from "@angular/core";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { UnionOfValues } from "@bitwarden/common/vault/types/union-of-values";
+import {
+ DIALOG_DATA,
+ DialogConfig,
+ DialogRef,
+ DialogService,
+ ButtonModule,
+ DialogModule,
+ LinkModule,
+ TypographyModule,
+} from "@bitwarden/components";
+
+export interface LeaveConfirmationDialogParams {
+ organizationName: string;
+}
+
+export const LeaveConfirmationDialogResult = Object.freeze({
+ /**
+ * User confirmed they want to leave the organization.
+ */
+ Confirmed: "confirmed",
+ /**
+ * User chose to go back instead of leaving the organization.
+ */
+ Back: "back",
+} as const);
+
+export type LeaveConfirmationDialogResultType = UnionOfValues;
+
+@Component({
+ templateUrl: "./leave-confirmation-dialog.component.html",
+ changeDetection: ChangeDetectionStrategy.OnPush,
+ imports: [ButtonModule, DialogModule, LinkModule, TypographyModule, JslibModule],
+})
+export class LeaveConfirmationDialogComponent {
+ private readonly params = inject(DIALOG_DATA);
+ private readonly dialogRef = inject(DialogRef);
+ private readonly platformUtilsService = inject(PlatformUtilsService);
+
+ protected readonly organizationName = this.params.organizationName;
+
+ protected confirmLeave() {
+ this.dialogRef.close(LeaveConfirmationDialogResult.Confirmed);
+ }
+
+ protected goBack() {
+ this.dialogRef.close(LeaveConfirmationDialogResult.Back);
+ }
+
+ protected openLearnMore(e: Event) {
+ e.preventDefault();
+ this.platformUtilsService.launchUri("https://bitwarden.com/help/transfer-ownership/");
+ }
+
+ static open(dialogService: DialogService, config: DialogConfig) {
+ return dialogService.open(LeaveConfirmationDialogComponent, {
+ ...config,
+ });
+ }
+}
diff --git a/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.html b/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.html
new file mode 100644
index 00000000000..0b77d4ba7d8
--- /dev/null
+++ b/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.html
@@ -0,0 +1,22 @@
+
+ {{ "transferItemsToOrganizationTitle" | i18n: organizationName }}
+
+
+ {{ "transferItemsToOrganizationContent" | i18n: organizationName }}
+
+
+
+
+
+
+
+
+ {{ "whyAmISeeingThis" | i18n }}
+
+
+
+
diff --git a/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.ts b/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.ts
new file mode 100644
index 00000000000..f28ad2ab3ec
--- /dev/null
+++ b/libs/vault/src/components/vault-items-transfer/transfer-items-dialog.component.ts
@@ -0,0 +1,64 @@
+import { ChangeDetectionStrategy, Component, inject } from "@angular/core";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { UnionOfValues } from "@bitwarden/common/vault/types/union-of-values";
+import {
+ DIALOG_DATA,
+ DialogConfig,
+ DialogRef,
+ DialogService,
+ ButtonModule,
+ DialogModule,
+ LinkModule,
+ TypographyModule,
+} from "@bitwarden/components";
+
+export interface TransferItemsDialogParams {
+ organizationName: string;
+}
+
+export const TransferItemsDialogResult = Object.freeze({
+ /**
+ * User accepted the transfer of items.
+ */
+ Accepted: "accepted",
+ /**
+ * User declined the transfer of items.
+ */
+ Declined: "declined",
+} as const);
+
+export type TransferItemsDialogResultType = UnionOfValues;
+
+@Component({
+ templateUrl: "./transfer-items-dialog.component.html",
+ changeDetection: ChangeDetectionStrategy.OnPush,
+ imports: [ButtonModule, DialogModule, LinkModule, TypographyModule, JslibModule],
+})
+export class TransferItemsDialogComponent {
+ private readonly params = inject(DIALOG_DATA);
+ private readonly dialogRef = inject(DialogRef);
+ private readonly platformUtilsService = inject(PlatformUtilsService);
+
+ protected readonly organizationName = this.params.organizationName;
+
+ protected acceptTransfer() {
+ this.dialogRef.close(TransferItemsDialogResult.Accepted);
+ }
+
+ protected decline() {
+ this.dialogRef.close(TransferItemsDialogResult.Declined);
+ }
+
+ protected openLearnMore(e: Event) {
+ e.preventDefault();
+ this.platformUtilsService.launchUri("https://bitwarden.com/help/transfer-ownership/");
+ }
+
+ static open(dialogService: DialogService, config: DialogConfig) {
+ return dialogService.open(TransferItemsDialogComponent, {
+ ...config,
+ });
+ }
+}
diff --git a/libs/vault/src/index.ts b/libs/vault/src/index.ts
index 93a72ba14e0..be0daad3637 100644
--- a/libs/vault/src/index.ts
+++ b/libs/vault/src/index.ts
@@ -29,6 +29,7 @@ export * from "./components/add-edit-folder-dialog/add-edit-folder-dialog.compon
export * from "./components/carousel";
export * from "./components/new-cipher-menu/new-cipher-menu.component";
export * from "./components/permit-cipher-details-popover/permit-cipher-details-popover.component";
+export * from "./components/vault-items-transfer";
export { DefaultSshImportPromptService } from "./services/default-ssh-import-prompt.service";
export { SshImportPromptService } from "./services/ssh-import-prompt.service";
From f161a8c454afdaf4d84679fc683157032236fdba Mon Sep 17 00:00:00 2001
From: Shane Melton
Date: Tue, 9 Dec 2025 15:14:40 -0800
Subject: [PATCH 14/60] [PM-27662] Introduce vault item transfer service
(#17876)
* [PM-27662] Add revision date to policy response
* [PM-27662] Introduce vault item transfer service
* [PM-27662] Add feature flag check
* [PM-27662] Add tests
* [PM-27662] Add basic implementation to Web vault
* [PM-27662] Remove redundant for loop
* [PM-27662] Remove unnecessary distinctUntilChanged
* [PM-27662] Avoid subscribing to userMigrationInfo$ if feature flag disabled
* [PM-27662] Make UserMigrationInfo type more strict
* [PM-27662] Typo
* [PM-27662] Fix missing i18n
* [PM-27662] Fix tests
* [PM-27662] Fix tests/types related to policy changes
* [PM-27662] Use getById operator
---
apps/browser/src/_locales/en/messages.json | 3 +
apps/desktop/src/locales/en/messages.json | 3 +
.../vault/individual-vault/vault.component.ts | 9 +-
apps/web/src/locales/en/messages.json | 3 +
.../admin-console/models/data/policy.data.ts | 2 +
.../src/admin-console/models/domain/policy.ts | 3 +
.../models/response/policy.response.ts | 2 +
.../policy/default-policy.service.spec.ts | 40 +
libs/common/src/enums/feature-flag.enum.ts | 2 +
.../available-algorithms-policy.spec.ts | 7 +
.../passphrase-least-privilege.spec.ts | 1 +
.../policies/password-least-privilege.spec.ts | 1 +
.../generator-profile-provider.spec.ts | 1 +
...fault-generator-navigation.service.spec.ts | 1 +
.../src/generator-navigation-policy.spec.ts | 1 +
.../vault-items-transfer.service.ts | 59 ++
libs/vault/src/index.ts | 2 +
...fault-vault-items-transfer.service.spec.ts | 721 ++++++++++++++++++
.../default-vault-items-transfer.service.ts | 231 ++++++
19 files changed, 1090 insertions(+), 2 deletions(-)
create mode 100644 libs/vault/src/abstractions/vault-items-transfer.service.ts
create mode 100644 libs/vault/src/services/default-vault-items-transfer.service.spec.ts
create mode 100644 libs/vault/src/services/default-vault-items-transfer.service.ts
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index 2d229092787..a90fbcbf332 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -1475,6 +1475,9 @@
"selectFile": {
"message": "Select a file"
},
+ "itemsTransferred": {
+ "message": "Items transferred"
+ },
"maxFileSize": {
"message": "Maximum file size is 500 MB."
},
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index f6a679d9c7c..7a3abe528e8 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -708,6 +708,9 @@
"addAttachment": {
"message": "Add attachment"
},
+ "itemsTransferred": {
+ "message": "Items transferred"
+ },
"fixEncryption": {
"message": "Fix encryption"
},
diff --git a/apps/web/src/app/vault/individual-vault/vault.component.ts b/apps/web/src/app/vault/individual-vault/vault.component.ts
index b0685a028df..78a8889bc8f 100644
--- a/apps/web/src/app/vault/individual-vault/vault.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault.component.ts
@@ -84,7 +84,7 @@ import {
CipherViewLikeUtils,
} from "@bitwarden/common/vault/utils/cipher-view-like-utils";
import { filterOutNullish } from "@bitwarden/common/vault/utils/observable-utilities";
-import { DialogRef, DialogService, ToastService, BannerComponent } from "@bitwarden/components";
+import { DialogRef, DialogService, ToastService } from "@bitwarden/components";
import { CipherListView } from "@bitwarden/sdk-internal";
import {
AddEditFolderDialogComponent,
@@ -97,6 +97,8 @@ import {
DecryptionFailureDialogComponent,
DefaultCipherFormConfigService,
PasswordRepromptService,
+ VaultItemsTransferService,
+ DefaultVaultItemsTransferService,
} from "@bitwarden/vault";
import { UnifiedUpgradePromptService } from "@bitwarden/web-vault/app/billing/individual/upgrade/services";
import { OrganizationWarningsModule } from "@bitwarden/web-vault/app/billing/organizations/warnings/organization-warnings.module";
@@ -177,12 +179,12 @@ type EmptyStateMap = Record;
VaultItemsModule,
SharedModule,
OrganizationWarningsModule,
- BannerComponent,
],
providers: [
RoutedVaultFilterService,
RoutedVaultFilterBridgeService,
DefaultCipherFormConfigService,
+ { provide: VaultItemsTransferService, useClass: DefaultVaultItemsTransferService },
],
})
export class VaultComponent implements OnInit, OnDestroy {
@@ -349,6 +351,7 @@ export class VaultComponent implements OnInit, OnDestr
private premiumUpgradePromptService: PremiumUpgradePromptService,
private autoConfirmService: AutomaticUserConfirmationService,
private configService: ConfigService,
+ private vaultItemTransferService: VaultItemsTransferService,
) {}
async ngOnInit() {
@@ -644,6 +647,8 @@ export class VaultComponent implements OnInit, OnDestr
void this.unifiedUpgradePromptService.displayUpgradePromptConditionally();
this.setupAutoConfirm();
+
+ void this.vaultItemTransferService.enforceOrganizationDataOwnership(activeUserId);
}
ngOnDestroy() {
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index bbbf548b8e1..a755e4de556 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -5185,6 +5185,9 @@
"oldAttachmentsNeedFixDesc": {
"message": "There are old file attachments in your vault that need to be fixed before you can rotate your account's encryption key."
},
+ "itemsTransferred": {
+ "message": "Items transferred"
+ },
"yourAccountsFingerprint": {
"message": "Your account's fingerprint phrase",
"description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
diff --git a/libs/common/src/admin-console/models/data/policy.data.ts b/libs/common/src/admin-console/models/data/policy.data.ts
index a8628e2f1ab..639fda1fa92 100644
--- a/libs/common/src/admin-console/models/data/policy.data.ts
+++ b/libs/common/src/admin-console/models/data/policy.data.ts
@@ -11,6 +11,7 @@ export class PolicyData {
type: PolicyType;
data: Record;
enabled: boolean;
+ revisionDate: string;
constructor(response?: PolicyResponse) {
if (response == null) {
@@ -22,6 +23,7 @@ export class PolicyData {
this.type = response.type;
this.data = response.data;
this.enabled = response.enabled;
+ this.revisionDate = response.revisionDate;
}
static fromPolicy(policy: Policy): PolicyData {
diff --git a/libs/common/src/admin-console/models/domain/policy.ts b/libs/common/src/admin-console/models/domain/policy.ts
index eb67c4412e9..6b2d587a262 100644
--- a/libs/common/src/admin-console/models/domain/policy.ts
+++ b/libs/common/src/admin-console/models/domain/policy.ts
@@ -19,6 +19,8 @@ export class Policy extends Domain {
*/
enabled: boolean;
+ revisionDate: Date;
+
constructor(obj?: PolicyData) {
super();
if (obj == null) {
@@ -30,6 +32,7 @@ export class Policy extends Domain {
this.type = obj.type;
this.data = obj.data;
this.enabled = obj.enabled;
+ this.revisionDate = new Date(obj.revisionDate);
}
static fromResponse(response: PolicyResponse): Policy {
diff --git a/libs/common/src/admin-console/models/response/policy.response.ts b/libs/common/src/admin-console/models/response/policy.response.ts
index 0544cd996f4..7cca63a19d3 100644
--- a/libs/common/src/admin-console/models/response/policy.response.ts
+++ b/libs/common/src/admin-console/models/response/policy.response.ts
@@ -9,6 +9,7 @@ export class PolicyResponse extends BaseResponse {
data: any;
enabled: boolean;
canToggleState: boolean;
+ revisionDate: string;
constructor(response: any) {
super(response);
@@ -18,5 +19,6 @@ export class PolicyResponse extends BaseResponse {
this.data = this.getResponseProperty("Data");
this.enabled = this.getResponseProperty("Enabled");
this.canToggleState = this.getResponseProperty("CanToggleState") ?? true;
+ this.revisionDate = this.getResponseProperty("RevisionDate");
}
}
diff --git a/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts b/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts
index 4b59683ec0a..2ff649e6533 100644
--- a/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts
+++ b/libs/common/src/admin-console/services/policy/default-policy.service.spec.ts
@@ -83,12 +83,15 @@ describe("PolicyService", () => {
type: PolicyType.MaximumVaultTimeout,
enabled: true,
data: { minutes: 14 },
+ revisionDate: expect.any(Date),
},
{
id: "99",
organizationId: "test-organization",
type: PolicyType.DisableSend,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -113,6 +116,8 @@ describe("PolicyService", () => {
organizationId: "test-organization",
type: PolicyType.DisableSend,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -242,6 +247,8 @@ describe("PolicyService", () => {
organizationId: "org1",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
});
});
@@ -331,24 +338,32 @@ describe("PolicyService", () => {
organizationId: "org4",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy2",
organizationId: "org1",
type: PolicyType.ActivateAutofill,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy3",
organizationId: "org5",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy4",
organizationId: "org1",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -371,24 +386,32 @@ describe("PolicyService", () => {
organizationId: "org4",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy2",
organizationId: "org1",
type: PolicyType.ActivateAutofill,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy3",
organizationId: "org5",
type: PolicyType.DisablePersonalVaultExport,
enabled: false,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy4",
organizationId: "org1",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -411,24 +434,32 @@ describe("PolicyService", () => {
organizationId: "org4",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy2",
organizationId: "org1",
type: PolicyType.ActivateAutofill,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy3",
organizationId: "org5",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy4",
organizationId: "org2",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -451,24 +482,32 @@ describe("PolicyService", () => {
organizationId: "org4",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy2",
organizationId: "org1",
type: PolicyType.ActivateAutofill,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy3",
organizationId: "org3",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
{
id: "policy4",
organizationId: "org1",
type: PolicyType.DisablePersonalVaultExport,
enabled: true,
+ data: undefined,
+ revisionDate: expect.any(Date),
},
]);
});
@@ -788,6 +827,7 @@ describe("PolicyService", () => {
policyData.type = type;
policyData.enabled = enabled;
policyData.data = data;
+ policyData.revisionDate = new Date().toISOString();
return policyData;
}
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index 371081a89d9..1727d3da712 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -64,6 +64,7 @@ export enum FeatureFlag {
RiskInsightsForPremium = "pm-23904-risk-insights-for-premium",
VaultLoadingSkeletons = "pm-25081-vault-skeleton-loaders",
BrowserPremiumSpotlight = "pm-23384-browser-premium-spotlight",
+ MigrateMyVaultToMyItems = "pm-20558-migrate-myvault-to-myitems",
/* Platform */
IpcChannelFramework = "ipc-channel-framework",
@@ -123,6 +124,7 @@ export const DefaultFeatureFlagValue = {
[FeatureFlag.RiskInsightsForPremium]: FALSE,
[FeatureFlag.VaultLoadingSkeletons]: FALSE,
[FeatureFlag.BrowserPremiumSpotlight]: FALSE,
+ [FeatureFlag.MigrateMyVaultToMyItems]: FALSE,
/* Auth */
[FeatureFlag.PM23801_PrefetchPasswordPrelogin]: FALSE,
diff --git a/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts b/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts
index 5f699974fba..7de8c708dcf 100644
--- a/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts
+++ b/libs/tools/generator/core/src/policies/available-algorithms-policy.spec.ts
@@ -24,6 +24,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
overridePasswordType: override,
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([policy]);
@@ -44,6 +45,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
overridePasswordType: override,
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([policy, policy]);
@@ -64,6 +66,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
overridePasswordType: "password",
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const passphrase = new Policy({
id: "" as PolicyId,
@@ -73,6 +76,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
overridePasswordType: "passphrase",
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([password, passphrase]);
@@ -93,6 +97,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
some: "policy",
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([policy]);
@@ -111,6 +116,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
some: "policy",
},
enabled: false,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([policy]);
@@ -129,6 +135,7 @@ describe("availableAlgorithms_vNextPolicy", () => {
some: "policy",
},
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const result = availableAlgorithms([policy]);
diff --git a/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts b/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts
index 0fbc1796e9e..c6ce189f620 100644
--- a/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts
+++ b/libs/tools/generator/core/src/policies/passphrase-least-privilege.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
data,
enabled,
type,
+ revisionDate: new Date().toISOString(),
});
}
diff --git a/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts b/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts
index 7f8dce19b15..7885641c8e5 100644
--- a/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts
+++ b/libs/tools/generator/core/src/policies/password-least-privilege.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
data,
enabled,
type,
+ revisionDate: new Date().toISOString(),
});
}
diff --git a/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts b/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts
index 32d99aa8a1f..924849b1c22 100644
--- a/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts
+++ b/libs/tools/generator/core/src/providers/generator-profile-provider.spec.ts
@@ -57,6 +57,7 @@ const somePolicy = new Policy({
id: "" as PolicyId,
organizationId: "" as OrganizationId,
enabled: true,
+ revisionDate: new Date().toISOString(),
});
const stateProvider = new FakeStateProvider(accountService);
diff --git a/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts b/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts
index 65f1669ebd1..37e8ec6e379 100644
--- a/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts
+++ b/libs/tools/generator/extensions/navigation/src/default-generator-navigation.service.spec.ts
@@ -70,6 +70,7 @@ describe("DefaultGeneratorNavigationService", () => {
enabled: true,
type: PolicyType.PasswordGenerator,
data: { overridePasswordType: "password" },
+ revisionDate: new Date().toISOString(),
}),
]);
},
diff --git a/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts b/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts
index e4f0b08a3d5..69a4e75d47d 100644
--- a/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts
+++ b/libs/tools/generator/extensions/navigation/src/generator-navigation-policy.spec.ts
@@ -17,6 +17,7 @@ function createPolicy(
data,
enabled,
type,
+ revisionDate: new Date().toISOString(),
});
}
diff --git a/libs/vault/src/abstractions/vault-items-transfer.service.ts b/libs/vault/src/abstractions/vault-items-transfer.service.ts
new file mode 100644
index 00000000000..ced9f71eb83
--- /dev/null
+++ b/libs/vault/src/abstractions/vault-items-transfer.service.ts
@@ -0,0 +1,59 @@
+import { Observable } from "rxjs";
+
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
+import { UserId } from "@bitwarden/user-core";
+
+export type UserMigrationInfo =
+ | {
+ /**
+ * Whether the user requires migration of their vault items from My Vault to a My Items collection due to an
+ * organizational policy change. (Enforce organization data ownership policy enabled)
+ */
+ requiresMigration: false;
+ }
+ | {
+ /**
+ * Whether the user requires migration of their vault items from My Vault to a My Items collection due to an
+ * organizational policy change. (Enforce organization data ownership policy enabled)
+ */
+ requiresMigration: true;
+
+ /**
+ * The organization that is enforcing data ownership policies for the given user.
+ */
+ enforcingOrganization: Organization;
+
+ /**
+ * The default collection ID for the user in the enforcing organization, if available.
+ */
+ defaultCollectionId?: CollectionId;
+ };
+
+export abstract class VaultItemsTransferService {
+ /**
+ * Gets information about whether the given user requires migration of their vault items
+ * from My Vault to a My Items collection, and whether they are capable of performing that migration.
+ * @param userId
+ */
+ abstract userMigrationInfo$(userId: UserId): Observable;
+
+ /**
+ * Enforces organization data ownership for the given user by transferring vault items.
+ * Checks if any organization policies require the transfer, and if so, prompts the user to confirm before proceeding.
+ *
+ * Rejecting the transfer will result in the user being revoked from the organization.
+ *
+ * @param userId
+ */
+ abstract enforceOrganizationDataOwnership(userId: UserId): Promise;
+
+ /**
+ * Begins transfer of vault items from My Vault to the specified default collection for the given user.
+ */
+ abstract transferPersonalItems(
+ userId: UserId,
+ organizationId: OrganizationId,
+ defaultCollectionId: CollectionId,
+ ): Promise;
+}
diff --git a/libs/vault/src/index.ts b/libs/vault/src/index.ts
index be0daad3637..391957d26d8 100644
--- a/libs/vault/src/index.ts
+++ b/libs/vault/src/index.ts
@@ -35,5 +35,7 @@ export { DefaultSshImportPromptService } from "./services/default-ssh-import-pro
export { SshImportPromptService } from "./services/ssh-import-prompt.service";
export * from "./abstractions/change-login-password.service";
+export * from "./abstractions/vault-items-transfer.service";
+export * from "./services/default-vault-items-transfer.service";
export * from "./services/default-change-login-password.service";
export * from "./services/archive-cipher-utilities.service";
diff --git a/libs/vault/src/services/default-vault-items-transfer.service.spec.ts b/libs/vault/src/services/default-vault-items-transfer.service.spec.ts
new file mode 100644
index 00000000000..d85fe2ffd43
--- /dev/null
+++ b/libs/vault/src/services/default-vault-items-transfer.service.spec.ts
@@ -0,0 +1,721 @@
+import { mock, MockProxy } from "jest-mock-extended";
+import { firstValueFrom, of } from "rxjs";
+
+// eslint-disable-next-line no-restricted-imports
+import { CollectionService, CollectionView } from "@bitwarden/admin-console/common";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+import { UserId } from "@bitwarden/user-core";
+
+import { DefaultVaultItemsTransferService } from "./default-vault-items-transfer.service";
+
+describe("DefaultVaultItemsTransferService", () => {
+ let service: DefaultVaultItemsTransferService;
+
+ let mockCipherService: MockProxy;
+ let mockPolicyService: MockProxy;
+ let mockOrganizationService: MockProxy;
+ let mockCollectionService: MockProxy;
+ let mockLogService: MockProxy;
+ let mockI18nService: MockProxy;
+ let mockDialogService: MockProxy;
+ let mockToastService: MockProxy;
+ let mockConfigService: MockProxy;
+
+ const userId = "user-id" as UserId;
+ const organizationId = "org-id" as OrganizationId;
+ const collectionId = "collection-id" as CollectionId;
+
+ beforeEach(() => {
+ mockCipherService = mock();
+ mockPolicyService = mock();
+ mockOrganizationService = mock();
+ mockCollectionService = mock();
+ mockLogService = mock();
+ mockI18nService = mock();
+ mockDialogService = mock();
+ mockToastService = mock();
+ mockConfigService = mock();
+
+ mockI18nService.t.mockImplementation((key) => key);
+
+ service = new DefaultVaultItemsTransferService(
+ mockCipherService,
+ mockPolicyService,
+ mockOrganizationService,
+ mockCollectionService,
+ mockLogService,
+ mockI18nService,
+ mockDialogService,
+ mockToastService,
+ mockConfigService,
+ );
+ });
+
+ describe("userMigrationInfo$", () => {
+ // Helper to setup common mock scenario
+ function setupMocksForMigrationScenario(options: {
+ policies?: Policy[];
+ organizations?: Organization[];
+ ciphers?: CipherView[];
+ collections?: CollectionView[];
+ }): void {
+ mockPolicyService.policiesByType$.mockReturnValue(of(options.policies ?? []));
+ mockOrganizationService.organizations$.mockReturnValue(of(options.organizations ?? []));
+ mockCipherService.cipherViews$.mockReturnValue(of(options.ciphers ?? []));
+ mockCollectionService.decryptedCollections$.mockReturnValue(of(options.collections ?? []));
+ }
+
+ it("calls policiesByType$ with correct PolicyType", async () => {
+ setupMocksForMigrationScenario({ policies: [] });
+
+ await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(mockPolicyService.policiesByType$).toHaveBeenCalledWith(
+ PolicyType.OrganizationDataOwnership,
+ userId,
+ );
+ });
+
+ describe("when no policy exists", () => {
+ beforeEach(() => {
+ setupMocksForMigrationScenario({ policies: [] });
+ });
+
+ it("returns requiresMigration: false", async () => {
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: false,
+ });
+ });
+ });
+
+ describe("when policy exists", () => {
+ const policy = {
+ organizationId: organizationId,
+ revisionDate: new Date("2024-01-01"),
+ } as Policy;
+ const organization = {
+ id: organizationId,
+ name: "Test Org",
+ } as Organization;
+
+ beforeEach(() => {
+ setupMocksForMigrationScenario({
+ policies: [policy],
+ organizations: [organization],
+ });
+ });
+
+ describe("and user has no personal ciphers", () => {
+ beforeEach(() => {
+ mockCipherService.cipherViews$.mockReturnValue(of([]));
+ });
+
+ it("returns requiresMigration: false", async () => {
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: false,
+ enforcingOrganization: organization,
+ defaultCollectionId: undefined,
+ });
+ });
+ });
+
+ describe("and user has personal ciphers", () => {
+ beforeEach(() => {
+ mockCipherService.cipherViews$.mockReturnValue(of([{ id: "cipher-1" } as CipherView]));
+ });
+
+ it("returns requiresMigration: true", async () => {
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: true,
+ enforcingOrganization: organization,
+ defaultCollectionId: undefined,
+ });
+ });
+
+ it("includes defaultCollectionId when a default collection exists", async () => {
+ mockCollectionService.decryptedCollections$.mockReturnValue(
+ of([
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ]),
+ );
+
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: true,
+ enforcingOrganization: organization,
+ defaultCollectionId: collectionId,
+ });
+ });
+
+ it("returns default collection only for the enforcing organization", async () => {
+ mockCollectionService.decryptedCollections$.mockReturnValue(
+ of([
+ {
+ id: "wrong-collection-id" as CollectionId,
+ organizationId: "wrong-org-id" as OrganizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ]),
+ );
+
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: true,
+ enforcingOrganization: organization,
+ defaultCollectionId: collectionId,
+ });
+ });
+ });
+
+ it("filters out organization ciphers when checking for personal ciphers", async () => {
+ mockCipherService.cipherViews$.mockReturnValue(
+ of([
+ {
+ id: "cipher-1",
+ organizationId: organizationId as string,
+ } as CipherView,
+ ]),
+ );
+
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: false,
+ enforcingOrganization: organization,
+ defaultCollectionId: undefined,
+ });
+ });
+ });
+
+ describe("when multiple policies exist", () => {
+ const olderPolicy = {
+ organizationId: "older-org-id" as OrganizationId,
+ revisionDate: new Date("2024-01-01"),
+ } as Policy;
+ const newerPolicy = {
+ organizationId: organizationId,
+ revisionDate: new Date("2024-06-01"),
+ } as Policy;
+ const olderOrganization = {
+ id: "older-org-id" as OrganizationId,
+ name: "Older Org",
+ } as Organization;
+ const newerOrganization = {
+ id: organizationId,
+ name: "Newer Org",
+ } as Organization;
+
+ beforeEach(() => {
+ setupMocksForMigrationScenario({
+ policies: [newerPolicy, olderPolicy],
+ organizations: [olderOrganization, newerOrganization],
+ ciphers: [{ id: "cipher-1" } as CipherView],
+ });
+ });
+
+ it("uses the oldest policy when selecting enforcing organization", async () => {
+ const result = await firstValueFrom(service.userMigrationInfo$(userId));
+
+ expect(result).toEqual({
+ requiresMigration: true,
+ enforcingOrganization: olderOrganization,
+ defaultCollectionId: undefined,
+ });
+ });
+ });
+ });
+
+ describe("transferPersonalItems", () => {
+ it("does nothing when user has no personal ciphers", async () => {
+ mockCipherService.cipherViews$.mockReturnValue(of([]));
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ expect(mockLogService.info).not.toHaveBeenCalled();
+ });
+
+ it("calls shareManyWithServer with correct parameters", async () => {
+ const personalCiphers = [{ id: "cipher-1" }, { id: "cipher-2" }] as CipherView[];
+
+ mockCipherService.cipherViews$.mockReturnValue(of(personalCiphers));
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
+ personalCiphers,
+ organizationId,
+ [collectionId],
+ userId,
+ );
+ });
+
+ it("transfers only personal ciphers, not organization ciphers", async () => {
+ const allCiphers = [
+ { id: "cipher-1" },
+ { id: "cipher-2", organizationId: "other-org-id" },
+ { id: "cipher-3" },
+ ] as CipherView[];
+
+ const expectedPersonalCiphers = [allCiphers[0], allCiphers[2]];
+
+ mockCipherService.cipherViews$.mockReturnValue(of(allCiphers));
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
+ expectedPersonalCiphers,
+ organizationId,
+ [collectionId],
+ userId,
+ );
+ });
+
+ it("propagates errors from shareManyWithServer", async () => {
+ const personalCiphers = [{ id: "cipher-1" }] as CipherView[];
+
+ const error = new Error("Transfer failed");
+
+ mockCipherService.cipherViews$.mockReturnValue(of(personalCiphers));
+ mockCipherService.shareManyWithServer.mockRejectedValue(error);
+
+ await expect(
+ service.transferPersonalItems(userId, organizationId, collectionId),
+ ).rejects.toThrow("Transfer failed");
+ });
+ });
+
+ describe("upgradeOldAttachments", () => {
+ it("upgrades old attachments before transferring", async () => {
+ const cipherWithOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ const upgradedCipher = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: false,
+ attachments: [{ key: "new-key" }],
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$
+ .mockReturnValueOnce(of([cipherWithOldAttachment]))
+ .mockReturnValueOnce(of([upgradedCipher]));
+ mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(
+ cipherWithOldAttachment,
+ userId,
+ );
+ expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
+ [upgradedCipher],
+ organizationId,
+ [collectionId],
+ userId,
+ );
+ });
+
+ it("upgrades multiple ciphers with old attachments", async () => {
+ const cipher1 = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ const cipher2 = {
+ id: "cipher-2",
+ name: "Cipher 2",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ const upgradedCipher1 = { ...cipher1, hasOldAttachments: false } as CipherView;
+ const upgradedCipher2 = { ...cipher2, hasOldAttachments: false } as CipherView;
+
+ mockCipherService.cipherViews$
+ .mockReturnValueOnce(of([cipher1, cipher2]))
+ .mockReturnValueOnce(of([upgradedCipher1, upgradedCipher2]));
+ mockCipherService.upgradeOldCipherAttachments
+ .mockResolvedValueOnce(upgradedCipher1)
+ .mockResolvedValueOnce(upgradedCipher2);
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledTimes(2);
+ expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(cipher1, userId);
+ expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledWith(cipher2, userId);
+ });
+
+ it("skips attachments that already have keys", async () => {
+ const cipherWithMixedAttachments = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: "existing-key" }, { key: null }],
+ } as unknown as CipherView;
+
+ const upgradedCipher = {
+ ...cipherWithMixedAttachments,
+ hasOldAttachments: false,
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$
+ .mockReturnValueOnce(of([cipherWithMixedAttachments]))
+ .mockReturnValueOnce(of([upgradedCipher]));
+ mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ // Should only be called once for the attachment without a key
+ expect(mockCipherService.upgradeOldCipherAttachments).toHaveBeenCalledTimes(1);
+ });
+
+ it("throws error when upgradeOldCipherAttachments fails", async () => {
+ const cipherWithOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$.mockReturnValue(of([cipherWithOldAttachment]));
+ mockCipherService.upgradeOldCipherAttachments.mockRejectedValue(new Error("Upgrade failed"));
+
+ await expect(
+ service.transferPersonalItems(userId, organizationId, collectionId),
+ ).rejects.toThrow("Failed to upgrade old attachments for cipher cipher-1");
+
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("throws error when upgrade returns cipher still having old attachments", async () => {
+ const cipherWithOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ // Upgrade returns but cipher still has old attachments
+ const stillOldCipher = {
+ ...cipherWithOldAttachment,
+ hasOldAttachments: true,
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$.mockReturnValue(of([cipherWithOldAttachment]));
+ mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(stillOldCipher);
+
+ await expect(
+ service.transferPersonalItems(userId, organizationId, collectionId),
+ ).rejects.toThrow("Failed to upgrade old attachments for cipher cipher-1");
+
+ expect(mockLogService.error).toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("throws error when sanity check finds remaining old attachments after upgrade", async () => {
+ const cipherWithOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ const upgradedCipher = {
+ ...cipherWithOldAttachment,
+ hasOldAttachments: false,
+ } as unknown as CipherView;
+
+ // First call returns cipher with old attachment, second call (after upgrade) still returns old attachment
+ mockCipherService.cipherViews$
+ .mockReturnValueOnce(of([cipherWithOldAttachment]))
+ .mockReturnValueOnce(of([cipherWithOldAttachment])); // Still has old attachments after re-fetch
+ mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
+
+ await expect(
+ service.transferPersonalItems(userId, organizationId, collectionId),
+ ).rejects.toThrow(
+ "Failed to upgrade all old attachments. 1 ciphers still have old attachments.",
+ );
+
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("logs info when upgrading old attachments", async () => {
+ const cipherWithOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: true,
+ attachments: [{ key: null }],
+ } as unknown as CipherView;
+
+ const upgradedCipher = {
+ ...cipherWithOldAttachment,
+ hasOldAttachments: false,
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$
+ .mockReturnValueOnce(of([cipherWithOldAttachment]))
+ .mockReturnValueOnce(of([upgradedCipher]));
+ mockCipherService.upgradeOldCipherAttachments.mockResolvedValue(upgradedCipher);
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockLogService.info).toHaveBeenCalledWith(
+ expect.stringContaining("Found 1 ciphers with old attachments needing upgrade"),
+ );
+ expect(mockLogService.info).toHaveBeenCalledWith(
+ expect.stringContaining("Successfully upgraded 1 ciphers with old attachments"),
+ );
+ });
+
+ it("does not upgrade when ciphers have no old attachments", async () => {
+ const cipherWithoutOldAttachment = {
+ id: "cipher-1",
+ name: "Cipher 1",
+ hasOldAttachments: false,
+ } as unknown as CipherView;
+
+ mockCipherService.cipherViews$.mockReturnValue(of([cipherWithoutOldAttachment]));
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.transferPersonalItems(userId, organizationId, collectionId);
+
+ expect(mockCipherService.upgradeOldCipherAttachments).not.toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).toHaveBeenCalled();
+ });
+ });
+
+ describe("enforceOrganizationDataOwnership", () => {
+ const policy = {
+ organizationId: organizationId,
+ revisionDate: new Date("2024-01-01"),
+ } as Policy;
+ const organization = {
+ id: organizationId,
+ name: "Test Org",
+ } as Organization;
+
+ function setupMocksForEnforcementScenario(options: {
+ featureEnabled?: boolean;
+ policies?: Policy[];
+ organizations?: Organization[];
+ ciphers?: CipherView[];
+ collections?: CollectionView[];
+ }): void {
+ mockConfigService.getFeatureFlag.mockResolvedValue(options.featureEnabled ?? true);
+ mockPolicyService.policiesByType$.mockReturnValue(of(options.policies ?? []));
+ mockOrganizationService.organizations$.mockReturnValue(of(options.organizations ?? []));
+ mockCipherService.cipherViews$.mockReturnValue(of(options.ciphers ?? []));
+ mockCollectionService.decryptedCollections$.mockReturnValue(of(options.collections ?? []));
+ }
+
+ it("does nothing when feature flag is disabled", async () => {
+ setupMocksForEnforcementScenario({
+ featureEnabled: false,
+ policies: [policy],
+ organizations: [organization],
+ ciphers: [{ id: "cipher-1" } as CipherView],
+ collections: [
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ],
+ });
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockConfigService.getFeatureFlag).toHaveBeenCalledWith(
+ FeatureFlag.MigrateMyVaultToMyItems,
+ );
+ expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("does nothing when no migration is required", async () => {
+ setupMocksForEnforcementScenario({ policies: [] });
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("does nothing when user has no personal ciphers", async () => {
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: [],
+ });
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("logs warning and returns when default collection is missing", async () => {
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: [{ id: "cipher-1" } as CipherView],
+ collections: [],
+ });
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockLogService.warning).toHaveBeenCalledWith(
+ "Default collection is missing for user during organization data ownership enforcement",
+ );
+ expect(mockDialogService.openSimpleDialog).not.toHaveBeenCalled();
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("shows confirmation dialog when migration is required", async () => {
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: [{ id: "cipher-1" } as CipherView],
+ collections: [
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ],
+ });
+ mockDialogService.openSimpleDialog.mockResolvedValue(false);
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockDialogService.openSimpleDialog).toHaveBeenCalledWith({
+ title: "Requires migration",
+ content: "Your vault requires migration of personal items to your organization.",
+ type: "warning",
+ });
+ });
+
+ it("does not transfer items when user declines confirmation", async () => {
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: [{ id: "cipher-1" } as CipherView],
+ collections: [
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ],
+ });
+ mockDialogService.openSimpleDialog.mockResolvedValue(false);
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockCipherService.shareManyWithServer).not.toHaveBeenCalled();
+ });
+
+ it("transfers items and shows success toast when user confirms", async () => {
+ const personalCiphers = [{ id: "cipher-1" } as CipherView];
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: personalCiphers,
+ collections: [
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ],
+ });
+ mockDialogService.openSimpleDialog.mockResolvedValue(true);
+ mockCipherService.shareManyWithServer.mockResolvedValue(undefined);
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockCipherService.shareManyWithServer).toHaveBeenCalledWith(
+ personalCiphers,
+ organizationId,
+ [collectionId],
+ userId,
+ );
+ expect(mockToastService.showToast).toHaveBeenCalledWith({
+ variant: "success",
+ message: "itemsTransferred",
+ });
+ });
+
+ it("shows error toast when transfer fails", async () => {
+ const personalCiphers = [{ id: "cipher-1" } as CipherView];
+ setupMocksForEnforcementScenario({
+ policies: [policy],
+ organizations: [organization],
+ ciphers: personalCiphers,
+ collections: [
+ {
+ id: collectionId,
+ organizationId: organizationId,
+ isDefaultCollection: true,
+ } as CollectionView,
+ ],
+ });
+ mockDialogService.openSimpleDialog.mockResolvedValue(true);
+ mockCipherService.shareManyWithServer.mockRejectedValue(new Error("Transfer failed"));
+
+ await service.enforceOrganizationDataOwnership(userId);
+
+ expect(mockLogService.error).toHaveBeenCalledWith(
+ "Error transferring personal items to organization",
+ expect.any(Error),
+ );
+ expect(mockToastService.showToast).toHaveBeenCalledWith({
+ variant: "error",
+ message: "errorOccurred",
+ });
+ });
+ });
+});
diff --git a/libs/vault/src/services/default-vault-items-transfer.service.ts b/libs/vault/src/services/default-vault-items-transfer.service.ts
new file mode 100644
index 00000000000..d9c490f870e
--- /dev/null
+++ b/libs/vault/src/services/default-vault-items-transfer.service.ts
@@ -0,0 +1,231 @@
+import { Injectable } from "@angular/core";
+import { firstValueFrom, switchMap, map, of, Observable, combineLatest } from "rxjs";
+
+// eslint-disable-next-line no-restricted-imports
+import { CollectionService } from "@bitwarden/admin-console/common";
+import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
+import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { getById } from "@bitwarden/common/platform/misc";
+import { OrganizationId, CollectionId } from "@bitwarden/common/types/guid";
+import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
+import { filterOutNullish } from "@bitwarden/common/vault/utils/observable-utilities";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+import { UserId } from "@bitwarden/user-core";
+
+import {
+ VaultItemsTransferService,
+ UserMigrationInfo,
+} from "../abstractions/vault-items-transfer.service";
+
+@Injectable()
+export class DefaultVaultItemsTransferService implements VaultItemsTransferService {
+ constructor(
+ private cipherService: CipherService,
+ private policyService: PolicyService,
+ private organizationService: OrganizationService,
+ private collectionService: CollectionService,
+ private logService: LogService,
+ private i18nService: I18nService,
+ private dialogService: DialogService,
+ private toastService: ToastService,
+ private configService: ConfigService,
+ ) {}
+
+ private enforcingOrganization$(userId: UserId): Observable {
+ return this.policyService.policiesByType$(PolicyType.OrganizationDataOwnership, userId).pipe(
+ map(
+ (policies) =>
+ policies.sort((a, b) => a.revisionDate.getTime() - b.revisionDate.getTime())?.[0],
+ ),
+ switchMap((policy) => {
+ if (policy == null) {
+ return of(undefined);
+ }
+ return this.organizationService.organizations$(userId).pipe(getById(policy.organizationId));
+ }),
+ );
+ }
+
+ private personalCiphers$(userId: UserId): Observable {
+ return this.cipherService.cipherViews$(userId).pipe(
+ filterOutNullish(),
+ map((ciphers) => ciphers.filter((c) => c.organizationId == null)),
+ );
+ }
+
+ private defaultUserCollection$(
+ userId: UserId,
+ organizationId: OrganizationId,
+ ): Observable {
+ return this.collectionService.decryptedCollections$(userId).pipe(
+ map((collections) => {
+ return collections.find((c) => c.isDefaultCollection && c.organizationId === organizationId)
+ ?.id;
+ }),
+ );
+ }
+
+ userMigrationInfo$(userId: UserId): Observable {
+ return this.enforcingOrganization$(userId).pipe(
+ switchMap((enforcingOrganization) => {
+ if (enforcingOrganization == null) {
+ return of({
+ requiresMigration: false,
+ });
+ }
+ return combineLatest([
+ this.personalCiphers$(userId),
+ this.defaultUserCollection$(userId, enforcingOrganization.id),
+ ]).pipe(
+ map(([personalCiphers, defaultCollectionId]): UserMigrationInfo => {
+ return {
+ requiresMigration: personalCiphers.length > 0,
+ enforcingOrganization,
+ defaultCollectionId,
+ };
+ }),
+ );
+ }),
+ );
+ }
+
+ async enforceOrganizationDataOwnership(userId: UserId): Promise {
+ const featureEnabled = await this.configService.getFeatureFlag(
+ FeatureFlag.MigrateMyVaultToMyItems,
+ );
+
+ if (!featureEnabled) {
+ return;
+ }
+
+ const migrationInfo = await firstValueFrom(this.userMigrationInfo$(userId));
+
+ if (!migrationInfo.requiresMigration) {
+ return;
+ }
+
+ if (migrationInfo.defaultCollectionId == null) {
+ // TODO: Handle creating the default collection if missing (to be handled by AC in future work)
+ this.logService.warning(
+ "Default collection is missing for user during organization data ownership enforcement",
+ );
+ return;
+ }
+
+ // Temporary confirmation dialog. Full implementation in PM-27663
+ const confirmMigration = await this.dialogService.openSimpleDialog({
+ title: "Requires migration",
+ content: "Your vault requires migration of personal items to your organization.",
+ type: "warning",
+ });
+
+ if (!confirmMigration) {
+ // TODO: Show secondary confirmation dialog in PM-27663, for now we just exit
+ // TODO: Revoke user from organization if they decline migration PM-29465
+ return;
+ }
+
+ try {
+ await this.transferPersonalItems(
+ userId,
+ migrationInfo.enforcingOrganization.id,
+ migrationInfo.defaultCollectionId,
+ );
+ this.toastService.showToast({
+ variant: "success",
+ message: this.i18nService.t("itemsTransferred"),
+ });
+ } catch (error) {
+ this.logService.error("Error transferring personal items to organization", error);
+ this.toastService.showToast({
+ variant: "error",
+ message: this.i18nService.t("errorOccurred"),
+ });
+ }
+ }
+
+ async transferPersonalItems(
+ userId: UserId,
+ organizationId: OrganizationId,
+ defaultCollectionId: CollectionId,
+ ): Promise {
+ let personalCiphers = await firstValueFrom(this.personalCiphers$(userId));
+
+ if (personalCiphers.length === 0) {
+ return;
+ }
+
+ const oldAttachmentCiphers = personalCiphers.filter((c) => c.hasOldAttachments);
+
+ if (oldAttachmentCiphers.length > 0) {
+ await this.upgradeOldAttachments(oldAttachmentCiphers, userId, organizationId);
+ personalCiphers = await firstValueFrom(this.personalCiphers$(userId));
+
+ // Sanity check to ensure all old attachments were upgraded, though upgradeOldAttachments should throw if any fail
+ const remainingOldAttachments = personalCiphers.filter((c) => c.hasOldAttachments);
+ if (remainingOldAttachments.length > 0) {
+ throw new Error(
+ `Failed to upgrade all old attachments. ${remainingOldAttachments.length} ciphers still have old attachments.`,
+ );
+ }
+ }
+
+ this.logService.info(
+ `Starting transfer of ${personalCiphers.length} personal ciphers to organization ${organizationId} for user ${userId}`,
+ );
+
+ await this.cipherService.shareManyWithServer(
+ personalCiphers,
+ organizationId,
+ [defaultCollectionId],
+ userId,
+ );
+ }
+
+ /**
+ * Upgrades old attachments that don't have attachment keys.
+ * Throws an error if any attachment fails to upgrade as it is not possible to share with an organization without a key.
+ */
+ private async upgradeOldAttachments(
+ ciphers: CipherView[],
+ userId: UserId,
+ organizationId: OrganizationId,
+ ): Promise {
+ this.logService.info(
+ `Found ${ciphers.length} ciphers with old attachments needing upgrade during transfer to organization ${organizationId} for user ${userId}`,
+ );
+
+ for (const cipher of ciphers) {
+ try {
+ if (!cipher.hasOldAttachments) {
+ continue;
+ }
+
+ const upgraded = await this.cipherService.upgradeOldCipherAttachments(cipher, userId);
+
+ if (upgraded.hasOldAttachments) {
+ this.logService.error(
+ `Attachment upgrade did not complete successfully for cipher ${cipher.id} during transfer to organization ${organizationId} for user ${userId}`,
+ );
+ throw new Error(`Failed to upgrade old attachments for cipher ${cipher.id}`);
+ }
+ } catch (e) {
+ this.logService.error(
+ `Failed to upgrade old attachments for cipher ${cipher.id} during transfer to organization ${organizationId} for user ${userId}: ${e}`,
+ );
+ throw new Error(`Failed to upgrade old attachments for cipher ${cipher.id}`);
+ }
+ }
+
+ this.logService.info(
+ `Successfully upgraded ${ciphers.length} ciphers with old attachments during transfer to organization ${organizationId} for user ${userId}`,
+ );
+ }
+}
From 42c09b325c532fb5a6fc55f2633a9c0b5233c57a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 21:45:44 -0500
Subject: [PATCH 15/60] [deps] Autofill: Update rimraf to v6.1.2 (#17295)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
package-lock.json | 48 ++++++++++++++++++++++++++++++++++++++++-------
package.json | 2 +-
2 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index cf9b6becf2f..5321edccd18 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -164,7 +164,7 @@
"prettier-plugin-tailwindcss": "0.7.1",
"process": "0.11.10",
"remark-gfm": "4.0.1",
- "rimraf": "6.0.1",
+ "rimraf": "6.1.2",
"sass": "1.94.2",
"sass-loader": "16.0.6",
"storybook": "9.1.16",
@@ -35750,14 +35750,14 @@
"license": "MIT"
},
"node_modules/rimraf": {
- "version": "6.0.1",
- "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.0.1.tgz",
- "integrity": "sha512-9dkvaxAsk/xNXSJzMgFqqMCuFgt2+KsOFek3TMLfo8NCPfWpBmqwyNn5Y+NX56QUYfCtsyhF3ayiboEoUmJk/A==",
+ "version": "6.1.2",
+ "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.1.2.tgz",
+ "integrity": "sha512-cFCkPslJv7BAXJsYlK1dZsbP8/ZNLkCAQ0bi1hf5EKX2QHegmDFEFA6QhuYJlk7UDdc+02JjO80YSOrWPpw06g==",
"dev": true,
- "license": "ISC",
+ "license": "BlueOak-1.0.0",
"dependencies": {
- "glob": "^11.0.0",
- "package-json-from-dist": "^1.0.0"
+ "glob": "^13.0.0",
+ "package-json-from-dist": "^1.0.1"
},
"bin": {
"rimraf": "dist/esm/bin.mjs"
@@ -35769,6 +35769,40 @@
"url": "https://github.com/sponsors/isaacs"
}
},
+ "node_modules/rimraf/node_modules/glob": {
+ "version": "13.0.0",
+ "resolved": "https://registry.npmjs.org/glob/-/glob-13.0.0.tgz",
+ "integrity": "sha512-tvZgpqk6fz4BaNZ66ZsRaZnbHvP/jG3uKJvAZOwEVUL4RTA5nJeeLYfyN9/VA8NX/V3IBG+hkeuGpKjvELkVhA==",
+ "dev": true,
+ "license": "BlueOak-1.0.0",
+ "dependencies": {
+ "minimatch": "^10.1.1",
+ "minipass": "^7.1.2",
+ "path-scurry": "^2.0.0"
+ },
+ "engines": {
+ "node": "20 || >=22"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/isaacs"
+ }
+ },
+ "node_modules/rimraf/node_modules/minimatch": {
+ "version": "10.1.1",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
+ "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
+ "dev": true,
+ "license": "BlueOak-1.0.0",
+ "dependencies": {
+ "@isaacs/brace-expansion": "^5.0.0"
+ },
+ "engines": {
+ "node": "20 || >=22"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/isaacs"
+ }
+ },
"node_modules/roarr": {
"version": "2.15.4",
"resolved": "https://registry.npmjs.org/roarr/-/roarr-2.15.4.tgz",
diff --git a/package.json b/package.json
index 58ff0ba8ea5..c7b04c434e7 100644
--- a/package.json
+++ b/package.json
@@ -126,7 +126,7 @@
"prettier-plugin-tailwindcss": "0.7.1",
"process": "0.11.10",
"remark-gfm": "4.0.1",
- "rimraf": "6.0.1",
+ "rimraf": "6.1.2",
"sass": "1.94.2",
"sass-loader": "16.0.6",
"storybook": "9.1.16",
From 3af19ad9340deffdcbf6df943d8b9fddf907c60c Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Wed, 10 Dec 2025 04:03:31 +0100
Subject: [PATCH 16/60] [PM-28813] Implement encryption diagnostics & recovery
tool (#17673)
* Implement data recovery tool
* Fix tests
* Move Sdkloadservice call and use bit action
---
.../data-recovery.component.html | 75 ++++
.../data-recovery.component.spec.ts | 348 ++++++++++++++++++
.../data-recovery/data-recovery.component.ts | 208 +++++++++++
.../data-recovery/log-recorder.ts | 19 +
.../data-recovery/steps/cipher-step.ts | 81 ++++
.../data-recovery/steps/folder-step.ts | 97 +++++
.../data-recovery/steps/index.ts | 6 +
.../data-recovery/steps/private-key-step.ts | 93 +++++
.../data-recovery/steps/recovery-step.ts | 43 +++
.../data-recovery/steps/sync-step.ts | 43 +++
.../data-recovery/steps/user-info-step.ts | 49 +++
apps/web/src/app/oss-routing.module.ts | 7 +
apps/web/src/locales/en/messages.json | 48 +++
libs/common/src/enums/feature-flag.enum.ts | 2 +
...ser-asymmetric-key-regeneration.service.ts | 7 +
...symmetric-key-regeneration.service.spec.ts | 49 +++
...ser-asymmetric-key-regeneration.service.ts | 7 +-
17 files changed, 1180 insertions(+), 2 deletions(-)
create mode 100644 apps/web/src/app/key-management/data-recovery/data-recovery.component.html
create mode 100644 apps/web/src/app/key-management/data-recovery/data-recovery.component.spec.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/data-recovery.component.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/log-recorder.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/cipher-step.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/folder-step.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/index.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/private-key-step.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/recovery-step.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/sync-step.ts
create mode 100644 apps/web/src/app/key-management/data-recovery/steps/user-info-step.ts
diff --git a/apps/web/src/app/key-management/data-recovery/data-recovery.component.html b/apps/web/src/app/key-management/data-recovery/data-recovery.component.html
new file mode 100644
index 00000000000..f357e516115
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/data-recovery.component.html
@@ -0,0 +1,75 @@
+;
+
+ // Mock Services
+ let mockI18nService: MockProxy;
+ let mockApiService: MockProxy;
+ let mockAccountService: FakeAccountService;
+ let mockKeyService: MockProxy;
+ let mockFolderApiService: MockProxy;
+ let mockCipherEncryptService: MockProxy;
+ let mockDialogService: MockProxy;
+ let mockPrivateKeyRegenerationService: MockProxy;
+ let mockLogService: MockProxy;
+ let mockCryptoFunctionService: MockProxy;
+ let mockFileDownloadService: MockProxy;
+
+ const mockUserId = "user-id" as UserId;
+
+ beforeEach(async () => {
+ mockI18nService = mock();
+ mockApiService = mock();
+ mockAccountService = mockAccountServiceWith(mockUserId);
+ mockKeyService = mock();
+ mockFolderApiService = mock();
+ mockCipherEncryptService = mock();
+ mockDialogService = mock();
+ mockPrivateKeyRegenerationService = mock();
+ mockLogService = mock();
+ mockCryptoFunctionService = mock();
+ mockFileDownloadService = mock();
+
+ mockI18nService.t.mockImplementation((key) => `${key}_used-i18n`);
+
+ await TestBed.configureTestingModule({
+ imports: [DataRecoveryComponent],
+ providers: [
+ { provide: I18nService, useValue: mockI18nService },
+ { provide: ApiService, useValue: mockApiService },
+ { provide: AccountService, useValue: mockAccountService },
+ { provide: KeyService, useValue: mockKeyService },
+ { provide: FolderApiServiceAbstraction, useValue: mockFolderApiService },
+ { provide: CipherEncryptionService, useValue: mockCipherEncryptService },
+ { provide: DialogService, useValue: mockDialogService },
+ {
+ provide: UserAsymmetricKeysRegenerationService,
+ useValue: mockPrivateKeyRegenerationService,
+ },
+ { provide: LogService, useValue: mockLogService },
+ { provide: CryptoFunctionService, useValue: mockCryptoFunctionService },
+ { provide: FileDownloadService, useValue: mockFileDownloadService },
+ ],
+ }).compileComponents();
+
+ fixture = TestBed.createComponent(DataRecoveryComponent);
+ component = fixture.componentInstance;
+ fixture.detectChanges();
+ });
+
+ describe("Component Initialization", () => {
+ it("should create", () => {
+ expect(component).toBeTruthy();
+ });
+
+ it("should initialize with default signal values", () => {
+ expect(component.status()).toBe(StepStatus.NotStarted);
+ expect(component.hasStarted()).toBe(false);
+ expect(component.diagnosticsCompleted()).toBe(false);
+ expect(component.recoveryCompleted()).toBe(false);
+ expect(component.hasIssues()).toBe(false);
+ });
+
+ it("should initialize steps in correct order", () => {
+ const steps = component.steps();
+ expect(steps.length).toBe(5);
+ expect(steps[0].title).toBe("recoveryStepUserInfoTitle_used-i18n");
+ expect(steps[1].title).toBe("recoveryStepSyncTitle_used-i18n");
+ expect(steps[2].title).toBe("recoveryStepPrivateKeyTitle_used-i18n");
+ expect(steps[3].title).toBe("recoveryStepFoldersTitle_used-i18n");
+ expect(steps[4].title).toBe("recoveryStepCipherTitle_used-i18n");
+ });
+ });
+
+ describe("runDiagnostics", () => {
+ let mockSteps: MockProxy[];
+
+ beforeEach(() => {
+ // Create mock steps
+ mockSteps = Array(5)
+ .fill(null)
+ .map(() => {
+ const mockStep = mock();
+ mockStep.title = "mockStep";
+ mockStep.runDiagnostics.mockResolvedValue(true);
+ mockStep.canRecover.mockReturnValue(false);
+ return mockStep;
+ });
+
+ // Replace recovery steps with mocks
+ component["recoverySteps"] = mockSteps;
+ });
+
+ it("should not run if already running", async () => {
+ component["status"].set(StepStatus.InProgress);
+ await component.runDiagnostics();
+
+ expect(mockSteps[0].runDiagnostics).not.toHaveBeenCalled();
+ });
+
+ it("should set hasStarted, isRunning and initialize workingData", async () => {
+ await component.runDiagnostics();
+
+ expect(component.hasStarted()).toBe(true);
+ expect(component["workingData"]).toBeDefined();
+ expect(component["workingData"]?.userId).toBeNull();
+ expect(component["workingData"]?.userKey).toBeNull();
+ });
+
+ it("should run diagnostics for all steps", async () => {
+ await component.runDiagnostics();
+
+ mockSteps.forEach((step) => {
+ expect(step.runDiagnostics).toHaveBeenCalledWith(
+ component["workingData"],
+ expect.anything(),
+ );
+ });
+ });
+
+ it("should mark steps as completed when diagnostics succeed", async () => {
+ await component.runDiagnostics();
+
+ const steps = component.steps();
+ steps.forEach((step) => {
+ expect(step.status).toBe(StepStatus.Completed);
+ });
+ });
+
+ it("should mark steps as failed when diagnostics return false", async () => {
+ mockSteps[2].runDiagnostics.mockResolvedValue(false);
+
+ await component.runDiagnostics();
+
+ const steps = component.steps();
+ expect(steps[2].status).toBe(StepStatus.Failed);
+ });
+
+ it("should mark steps as failed when diagnostics throw error", async () => {
+ mockSteps[3].runDiagnostics.mockRejectedValue(new Error("Test error"));
+
+ await component.runDiagnostics();
+
+ const steps = component.steps();
+ expect(steps[3].status).toBe(StepStatus.Failed);
+ expect(steps[3].message).toBe("Test error");
+ });
+
+ it("should continue diagnostics even if a step fails", async () => {
+ mockSteps[1].runDiagnostics.mockRejectedValue(new Error("Step 1 failed"));
+ mockSteps[3].runDiagnostics.mockResolvedValue(false);
+
+ await component.runDiagnostics();
+
+ // All steps should have been called despite failures
+ mockSteps.forEach((step) => {
+ expect(step.runDiagnostics).toHaveBeenCalled();
+ });
+ });
+
+ it("should set hasIssues to true when a step can recover", async () => {
+ mockSteps[2].runDiagnostics.mockResolvedValue(false);
+ mockSteps[2].canRecover.mockReturnValue(true);
+
+ await component.runDiagnostics();
+
+ expect(component.hasIssues()).toBe(true);
+ });
+
+ it("should set hasIssues to false when no step can recover", async () => {
+ mockSteps.forEach((step) => {
+ step.runDiagnostics.mockResolvedValue(true);
+ step.canRecover.mockReturnValue(false);
+ });
+
+ await component.runDiagnostics();
+
+ expect(component.hasIssues()).toBe(false);
+ });
+
+ it("should set diagnosticsCompleted and status to completed when complete", async () => {
+ await component.runDiagnostics();
+
+ expect(component.diagnosticsCompleted()).toBe(true);
+ expect(component.status()).toBe(StepStatus.Completed);
+ });
+ });
+
+ describe("runRecovery", () => {
+ let mockSteps: MockProxy[];
+ let mockWorkingData: RecoveryWorkingData;
+
+ beforeEach(() => {
+ mockWorkingData = {
+ userId: mockUserId,
+ userKey: null as any,
+ isPrivateKeyCorrupt: false,
+ encryptedPrivateKey: null,
+ ciphers: [],
+ folders: [],
+ };
+
+ mockSteps = Array(5)
+ .fill(null)
+ .map(() => {
+ const mockStep = mock();
+ mockStep.title = "mockStep";
+ mockStep.canRecover.mockReturnValue(false);
+ mockStep.runRecovery.mockResolvedValue();
+ mockStep.runDiagnostics.mockResolvedValue(true);
+ return mockStep;
+ });
+
+ component["recoverySteps"] = mockSteps;
+ component["workingData"] = mockWorkingData;
+ });
+
+ it("should not run if already running", async () => {
+ component["status"].set(StepStatus.InProgress);
+ await component.runRecovery();
+
+ expect(mockSteps[0].runRecovery).not.toHaveBeenCalled();
+ });
+
+ it("should not run if workingData is null", async () => {
+ component["workingData"] = null;
+ await component.runRecovery();
+
+ expect(mockSteps[0].runRecovery).not.toHaveBeenCalled();
+ });
+
+ it("should only run recovery for steps that can recover", async () => {
+ mockSteps[1].canRecover.mockReturnValue(true);
+ mockSteps[3].canRecover.mockReturnValue(true);
+
+ await component.runRecovery();
+
+ expect(mockSteps[0].runRecovery).not.toHaveBeenCalled();
+ expect(mockSteps[1].runRecovery).toHaveBeenCalled();
+ expect(mockSteps[2].runRecovery).not.toHaveBeenCalled();
+ expect(mockSteps[3].runRecovery).toHaveBeenCalled();
+ expect(mockSteps[4].runRecovery).not.toHaveBeenCalled();
+ });
+
+ it("should set recoveryCompleted and status when successful", async () => {
+ mockSteps[1].canRecover.mockReturnValue(true);
+
+ await component.runRecovery();
+
+ expect(component.recoveryCompleted()).toBe(true);
+ expect(component.status()).toBe(StepStatus.Completed);
+ });
+
+ it("should set status to failed if recovery is cancelled", async () => {
+ mockSteps[1].canRecover.mockReturnValue(true);
+ mockSteps[1].runRecovery.mockRejectedValue(new Error("User cancelled"));
+
+ await component.runRecovery();
+
+ expect(component.status()).toBe(StepStatus.Failed);
+ expect(component.recoveryCompleted()).toBe(false);
+ });
+
+ it("should re-run diagnostics after recovery completes", async () => {
+ mockSteps[1].canRecover.mockReturnValue(true);
+
+ await component.runRecovery();
+
+ // Diagnostics should be called twice: once for initial diagnostic scan
+ mockSteps.forEach((step) => {
+ expect(step.runDiagnostics).toHaveBeenCalledWith(mockWorkingData, expect.anything());
+ });
+ });
+
+ it("should update hasIssues after re-running diagnostics", async () => {
+ // Setup initial state with an issue
+ mockSteps[1].canRecover.mockReturnValue(true);
+ mockSteps[1].runDiagnostics.mockResolvedValue(false);
+
+ // After recovery completes, the issue should be fixed
+ mockSteps[1].runRecovery.mockImplementation(() => {
+ // Simulate recovery fixing the issue
+ mockSteps[1].canRecover.mockReturnValue(false);
+ mockSteps[1].runDiagnostics.mockResolvedValue(true);
+ return Promise.resolve();
+ });
+
+ await component.runRecovery();
+
+ // Verify hasIssues is updated after re-running diagnostics
+ expect(component.hasIssues()).toBe(false);
+ });
+ });
+
+ describe("saveDiagnosticLogs", () => {
+ it("should call fileDownloadService with log content", () => {
+ component.saveDiagnosticLogs();
+
+ expect(mockFileDownloadService.download).toHaveBeenCalledWith({
+ fileName: expect.stringContaining("data-recovery-logs-"),
+ blobData: expect.any(String),
+ blobOptions: { type: "text/plain" },
+ });
+ });
+
+ it("should include timestamp in filename", () => {
+ component.saveDiagnosticLogs();
+
+ const downloadCall = mockFileDownloadService.download.mock.calls[0][0];
+ expect(downloadCall.fileName).toMatch(/data-recovery-logs-\d{4}-\d{2}-\d{2}T.*\.txt/);
+ });
+ });
+});
diff --git a/apps/web/src/app/key-management/data-recovery/data-recovery.component.ts b/apps/web/src/app/key-management/data-recovery/data-recovery.component.ts
new file mode 100644
index 00000000000..31179dfb062
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/data-recovery.component.ts
@@ -0,0 +1,208 @@
+import { CommonModule } from "@angular/common";
+import { ChangeDetectionStrategy, Component, inject, signal } from "@angular/core";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
+import { FileDownloadService } from "@bitwarden/common/platform/abstractions/file-download/file-download.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { CipherEncryptionService } from "@bitwarden/common/vault/abstractions/cipher-encryption.service";
+import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
+import { ButtonModule, DialogService } from "@bitwarden/components";
+import { KeyService, UserAsymmetricKeysRegenerationService } from "@bitwarden/key-management";
+import { LogService } from "@bitwarden/logging";
+
+import { SharedModule } from "../../shared";
+
+import { LogRecorder } from "./log-recorder";
+import {
+ SyncStep,
+ UserInfoStep,
+ RecoveryStep,
+ PrivateKeyStep,
+ RecoveryWorkingData,
+ FolderStep,
+ CipherStep,
+} from "./steps";
+
+export const StepStatus = Object.freeze({
+ NotStarted: 0,
+ InProgress: 1,
+ Completed: 2,
+ Failed: 3,
+} as const);
+export type StepStatus = (typeof StepStatus)[keyof typeof StepStatus];
+
+interface StepState {
+ title: string;
+ status: StepStatus;
+ message?: string;
+}
+
+@Component({
+ selector: "app-data-recovery",
+ templateUrl: "data-recovery.component.html",
+ standalone: true,
+ imports: [JslibModule, ButtonModule, CommonModule, SharedModule],
+ changeDetection: ChangeDetectionStrategy.OnPush,
+})
+export class DataRecoveryComponent {
+ protected readonly StepStatus = StepStatus;
+
+ private i18nService = inject(I18nService);
+ private apiService = inject(ApiService);
+ private accountService = inject(AccountService);
+ private keyService = inject(KeyService);
+ private folderApiService = inject(FolderApiServiceAbstraction);
+ private cipherEncryptService = inject(CipherEncryptionService);
+ private dialogService = inject(DialogService);
+ private privateKeyRegenerationService = inject(UserAsymmetricKeysRegenerationService);
+ private cryptoFunctionService = inject(CryptoFunctionService);
+ private logService = inject(LogService);
+ private fileDownloadService = inject(FileDownloadService);
+
+ private logger: LogRecorder = new LogRecorder(this.logService);
+ private recoverySteps: RecoveryStep[] = [
+ new UserInfoStep(this.accountService, this.keyService),
+ new SyncStep(this.apiService),
+ new PrivateKeyStep(
+ this.privateKeyRegenerationService,
+ this.dialogService,
+ this.cryptoFunctionService,
+ ),
+ new FolderStep(this.folderApiService, this.dialogService),
+ new CipherStep(this.apiService, this.cipherEncryptService, this.dialogService),
+ ];
+ private workingData: RecoveryWorkingData | null = null;
+
+ readonly status = signal(StepStatus.NotStarted);
+ readonly hasStarted = signal(false);
+ readonly diagnosticsCompleted = signal(false);
+ readonly recoveryCompleted = signal(false);
+ readonly steps = signal(
+ this.recoverySteps.map((step) => ({
+ title: this.i18nService.t(step.title),
+ status: StepStatus.NotStarted,
+ })),
+ );
+ readonly hasIssues = signal(false);
+
+ runDiagnostics = async () => {
+ if (this.status() === StepStatus.InProgress) {
+ return;
+ }
+
+ this.hasStarted.set(true);
+ this.status.set(StepStatus.InProgress);
+ this.diagnosticsCompleted.set(false);
+
+ this.logger.record("Starting diagnostics...");
+ this.workingData = {
+ userId: null,
+ userKey: null,
+ isPrivateKeyCorrupt: false,
+ encryptedPrivateKey: null,
+ ciphers: [],
+ folders: [],
+ };
+
+ await this.runDiagnosticsInternal();
+
+ this.status.set(StepStatus.Completed);
+ this.diagnosticsCompleted.set(true);
+ };
+
+ private async runDiagnosticsInternal() {
+ if (!this.workingData) {
+ this.logger.record("No working data available");
+ return;
+ }
+
+ const currentSteps = this.steps();
+ let hasAnyFailures = false;
+
+ for (let i = 0; i < this.recoverySteps.length; i++) {
+ const step = this.recoverySteps[i];
+ currentSteps[i].status = StepStatus.InProgress;
+ this.steps.set([...currentSteps]);
+
+ this.logger.record(`Running diagnostics for step: ${step.title}`);
+ try {
+ const success = await step.runDiagnostics(this.workingData, this.logger);
+ currentSteps[i].status = success ? StepStatus.Completed : StepStatus.Failed;
+ if (!success) {
+ hasAnyFailures = true;
+ }
+ this.steps.set([...currentSteps]);
+ this.logger.record(`Diagnostics completed for step: ${step.title}`);
+ } catch (error) {
+ currentSteps[i].status = StepStatus.Failed;
+ currentSteps[i].message = (error as Error).message;
+ this.steps.set([...currentSteps]);
+ this.logger.record(
+ `Diagnostics failed for step: ${step.title} with error: ${(error as Error).message}`,
+ );
+ hasAnyFailures = true;
+ }
+ }
+
+ if (hasAnyFailures) {
+ this.logger.record("Diagnostics completed with errors");
+ } else {
+ this.logger.record("Diagnostics completed successfully");
+ }
+
+ // Check if any recovery can be performed
+ const canRecoverAnyStep = this.recoverySteps.some((step) => step.canRecover(this.workingData!));
+ this.hasIssues.set(canRecoverAnyStep);
+ }
+
+ runRecovery = async () => {
+ if (this.status() === StepStatus.InProgress || !this.workingData) {
+ return;
+ }
+
+ this.status.set(StepStatus.InProgress);
+ this.recoveryCompleted.set(false);
+
+ this.logger.record("Starting recovery process...");
+
+ try {
+ for (let i = 0; i < this.recoverySteps.length; i++) {
+ const step = this.recoverySteps[i];
+ if (step.canRecover(this.workingData)) {
+ this.logger.record(`Running recovery for step: ${step.title}`);
+ await step.runRecovery(this.workingData, this.logger);
+ }
+ }
+
+ this.logger.record("Recovery process completed");
+ this.recoveryCompleted.set(true);
+
+ // Re-run diagnostics after recovery
+ this.logger.record("Re-running diagnostics to verify recovery...");
+ await this.runDiagnosticsInternal();
+
+ this.status.set(StepStatus.Completed);
+ } catch (error) {
+ this.logger.record(`Recovery process cancelled or failed: ${(error as Error).message}`);
+ this.status.set(StepStatus.Failed);
+ }
+ };
+
+ saveDiagnosticLogs = () => {
+ const logs = this.logger.getLogs();
+ const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+ const filename = `data-recovery-logs-${timestamp}.txt`;
+
+ const logContent = logs.join("\n");
+ this.fileDownloadService.download({
+ fileName: filename,
+ blobData: logContent,
+ blobOptions: { type: "text/plain" },
+ });
+
+ this.logger.record("Diagnostic logs saved");
+ };
+}
diff --git a/apps/web/src/app/key-management/data-recovery/log-recorder.ts b/apps/web/src/app/key-management/data-recovery/log-recorder.ts
new file mode 100644
index 00000000000..1bca90de48d
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/log-recorder.ts
@@ -0,0 +1,19 @@
+import { LogService } from "@bitwarden/logging";
+
+/**
+ * Record logs during the data recovery process. This only keeps them in memory and does not persist them anywhere.
+ */
+export class LogRecorder {
+ private logs: string[] = [];
+
+ constructor(private logService: LogService) {}
+
+ record(message: string) {
+ this.logs.push(message);
+ this.logService.info(`[DataRecovery] ${message}`);
+ }
+
+ getLogs(): string[] {
+ return [...this.logs];
+ }
+}
diff --git a/apps/web/src/app/key-management/data-recovery/steps/cipher-step.ts b/apps/web/src/app/key-management/data-recovery/steps/cipher-step.ts
new file mode 100644
index 00000000000..34e8cbdc9f3
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/cipher-step.ts
@@ -0,0 +1,81 @@
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { CipherEncryptionService } from "@bitwarden/common/vault/abstractions/cipher-encryption.service";
+import { DialogService } from "@bitwarden/components";
+
+import { LogRecorder } from "../log-recorder";
+
+import { RecoveryStep, RecoveryWorkingData } from "./recovery-step";
+
+export class CipherStep implements RecoveryStep {
+ title = "recoveryStepCipherTitle";
+
+ private undecryptableCipherIds: string[] = [];
+
+ constructor(
+ private apiService: ApiService,
+ private cipherService: CipherEncryptionService,
+ private dialogService: DialogService,
+ ) {}
+
+ async runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ if (!workingData.userId) {
+ logger.record("Missing user ID");
+ return false;
+ }
+
+ this.undecryptableCipherIds = [];
+ for (const cipher of workingData.ciphers) {
+ try {
+ await this.cipherService.decrypt(cipher, workingData.userId);
+ } catch {
+ logger.record(`Cipher ID ${cipher.id} was undecryptable`);
+ this.undecryptableCipherIds.push(cipher.id);
+ }
+ }
+ logger.record(`Found ${this.undecryptableCipherIds.length} undecryptable ciphers`);
+
+ return this.undecryptableCipherIds.length == 0;
+ }
+
+ canRecover(workingData: RecoveryWorkingData): boolean {
+ return this.undecryptableCipherIds.length > 0;
+ }
+
+ async runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ // Recovery means deleting the broken ciphers.
+ if (this.undecryptableCipherIds.length === 0) {
+ logger.record("No undecryptable ciphers to recover");
+ return;
+ }
+
+ logger.record(`Showing confirmation dialog for ${this.undecryptableCipherIds.length} ciphers`);
+
+ const confirmed = await this.dialogService.openSimpleDialog({
+ title: { key: "recoveryDeleteCiphersTitle" },
+ content: { key: "recoveryDeleteCiphersDesc" },
+ acceptButtonText: { key: "ok" },
+ cancelButtonText: { key: "cancel" },
+ type: "danger",
+ });
+
+ if (!confirmed) {
+ logger.record("User cancelled cipher deletion");
+ throw new Error("Cipher recovery cancelled by user");
+ }
+
+ logger.record(`Deleting ${this.undecryptableCipherIds.length} ciphers`);
+
+ for (const cipherId of this.undecryptableCipherIds) {
+ try {
+ await this.apiService.deleteCipher(cipherId);
+ logger.record(`Deleted cipher ${cipherId}`);
+ } catch (error) {
+ const errorMessage = error instanceof Error ? error.message : String(error);
+ logger.record(`Failed to delete cipher ${cipherId}: ${errorMessage}`);
+ throw error;
+ }
+ }
+
+ logger.record(`Successfully deleted ${this.undecryptableCipherIds.length} ciphers`);
+ }
+}
diff --git a/apps/web/src/app/key-management/data-recovery/steps/folder-step.ts b/apps/web/src/app/key-management/data-recovery/steps/folder-step.ts
new file mode 100644
index 00000000000..bc0ae31efba
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/folder-step.ts
@@ -0,0 +1,97 @@
+import { SdkLoadService } from "@bitwarden/common/platform/abstractions/sdk/sdk-load.service";
+import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
+import { DialogService } from "@bitwarden/components";
+import { PureCrypto } from "@bitwarden/sdk-internal";
+
+import { LogRecorder } from "../log-recorder";
+
+import { RecoveryStep, RecoveryWorkingData } from "./recovery-step";
+
+export class FolderStep implements RecoveryStep {
+ title = "recoveryStepFoldersTitle";
+
+ private undecryptableFolderIds: string[] = [];
+
+ constructor(
+ private folderService: FolderApiServiceAbstraction,
+ private dialogService: DialogService,
+ ) {}
+
+ async runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ if (!workingData.userKey) {
+ logger.record("Missing user key");
+ return false;
+ }
+
+ this.undecryptableFolderIds = [];
+ for (const folder of workingData.folders) {
+ if (!folder.name?.encryptedString) {
+ logger.record(`Folder ID ${folder.id} has no name`);
+ this.undecryptableFolderIds.push(folder.id);
+ continue;
+ }
+ try {
+ await SdkLoadService.Ready;
+ PureCrypto.symmetric_decrypt_string(
+ folder.name.encryptedString,
+ workingData.userKey.toEncoded(),
+ );
+ } catch {
+ logger.record(`Folder name for folder ID ${folder.id} was undecryptable`);
+ this.undecryptableFolderIds.push(folder.id);
+ }
+ }
+ logger.record(`Found ${this.undecryptableFolderIds.length} undecryptable folders`);
+
+ return this.undecryptableFolderIds.length == 0;
+ }
+
+ canRecover(workingData: RecoveryWorkingData): boolean {
+ return this.undecryptableFolderIds.length > 0;
+ }
+
+ async runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ // Recovery means deleting the broken folders.
+ if (this.undecryptableFolderIds.length === 0) {
+ logger.record("No undecryptable folders to recover");
+ return;
+ }
+
+ if (!workingData.userId) {
+ logger.record("Missing user ID");
+ throw new Error("Missing user ID");
+ }
+
+ logger.record(`Showing confirmation dialog for ${this.undecryptableFolderIds.length} folders`);
+
+ const confirmed = await this.dialogService.openSimpleDialog({
+ title: { key: "recoveryDeleteFoldersTitle" },
+ content: { key: "recoveryDeleteFoldersDesc" },
+ acceptButtonText: { key: "ok" },
+ cancelButtonText: { key: "cancel" },
+ type: "danger",
+ });
+
+ if (!confirmed) {
+ logger.record("User cancelled folder deletion");
+ throw new Error("Folder recovery cancelled by user");
+ }
+
+ logger.record(`Deleting ${this.undecryptableFolderIds.length} folders`);
+
+ for (const folderId of this.undecryptableFolderIds) {
+ try {
+ await this.folderService.delete(folderId, workingData.userId);
+ logger.record(`Deleted folder ${folderId}`);
+ } catch (error) {
+ logger.record(`Failed to delete folder ${folderId}: ${error}`);
+ }
+ }
+
+ logger.record(`Successfully deleted ${this.undecryptableFolderIds.length} folders`);
+ }
+
+ getUndecryptableFolderIds(): string[] {
+ return this.undecryptableFolderIds;
+ }
+}
diff --git a/apps/web/src/app/key-management/data-recovery/steps/index.ts b/apps/web/src/app/key-management/data-recovery/steps/index.ts
new file mode 100644
index 00000000000..caf3cdb34ef
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/index.ts
@@ -0,0 +1,6 @@
+export * from "./sync-step";
+export * from "./user-info-step";
+export * from "./recovery-step";
+export * from "./private-key-step";
+export * from "./folder-step";
+export * from "./cipher-step";
diff --git a/apps/web/src/app/key-management/data-recovery/steps/private-key-step.ts b/apps/web/src/app/key-management/data-recovery/steps/private-key-step.ts
new file mode 100644
index 00000000000..82c20c466b8
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/private-key-step.ts
@@ -0,0 +1,93 @@
+import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
+import { SdkLoadService } from "@bitwarden/common/platform/abstractions/sdk/sdk-load.service";
+import { EncryptionType } from "@bitwarden/common/platform/enums";
+import { DialogService } from "@bitwarden/components";
+import { UserAsymmetricKeysRegenerationService } from "@bitwarden/key-management";
+import { PureCrypto } from "@bitwarden/sdk-internal";
+
+import { LogRecorder } from "../log-recorder";
+
+import { RecoveryStep, RecoveryWorkingData } from "./recovery-step";
+
+export class PrivateKeyStep implements RecoveryStep {
+ title = "recoveryStepPrivateKeyTitle";
+
+ constructor(
+ private privateKeyRegenerationService: UserAsymmetricKeysRegenerationService,
+ private dialogService: DialogService,
+ private cryptoFunctionService: CryptoFunctionService,
+ ) {}
+
+ async runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ if (!workingData.userId || !workingData.userKey) {
+ logger.record("Missing user ID or user key");
+ return false;
+ }
+
+ // Make sure the private key decrypts properly and is not somehow encrypted by a different user key / broken during key rotation.
+ const encryptedPrivateKey = workingData.encryptedPrivateKey;
+ if (!encryptedPrivateKey) {
+ logger.record("No encrypted private key found");
+ return false;
+ }
+ logger.record("Private key length: " + encryptedPrivateKey.length);
+ let privateKey: Uint8Array;
+ try {
+ await SdkLoadService.Ready;
+ privateKey = PureCrypto.unwrap_decapsulation_key(
+ encryptedPrivateKey,
+ workingData.userKey.toEncoded(),
+ );
+ } catch {
+ logger.record("Private key was un-decryptable");
+ workingData.isPrivateKeyCorrupt = true;
+ return false;
+ }
+
+ // Make sure the contained private key can be parsed and the public key can be derived. If not, then the private key may be corrupt / generated with an incompatible ASN.1 representation / with incompatible padding.
+ try {
+ const publicKey = await this.cryptoFunctionService.rsaExtractPublicKey(privateKey);
+ logger.record("Public key length: " + publicKey.length);
+ } catch {
+ logger.record("Public key could not be derived; private key is corrupt");
+ workingData.isPrivateKeyCorrupt = true;
+ return false;
+ }
+
+ return true;
+ }
+
+ canRecover(workingData: RecoveryWorkingData): boolean {
+ // Only support recovery on V1 users.
+ return (
+ workingData.isPrivateKeyCorrupt &&
+ workingData.userKey !== null &&
+ workingData.userKey.inner().type === EncryptionType.AesCbc256_HmacSha256_B64
+ );
+ }
+
+ async runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ // The recovery step is to replace the key pair. Currently, this only works if the user is not using emergency access or is part of an organization.
+ // This is because this will break emergency access enrollments / organization memberships / provider memberships.
+ logger.record("Showing confirmation dialog for private key replacement");
+
+ const confirmed = await this.dialogService.openSimpleDialog({
+ title: { key: "recoveryReplacePrivateKeyTitle" },
+ content: { key: "recoveryReplacePrivateKeyDesc" },
+ acceptButtonText: { key: "ok" },
+ cancelButtonText: { key: "cancel" },
+ type: "danger",
+ });
+
+ if (!confirmed) {
+ logger.record("User cancelled private key replacement");
+ throw new Error("Private key recovery cancelled by user");
+ }
+
+ logger.record("Replacing private key");
+ await this.privateKeyRegenerationService.regenerateUserPublicKeyEncryptionKeyPair(
+ workingData.userId!,
+ );
+ logger.record("Private key replaced successfully");
+ }
+}
diff --git a/apps/web/src/app/key-management/data-recovery/steps/recovery-step.ts b/apps/web/src/app/key-management/data-recovery/steps/recovery-step.ts
new file mode 100644
index 00000000000..265d7c68284
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/recovery-step.ts
@@ -0,0 +1,43 @@
+import { WrappedPrivateKey } from "@bitwarden/common/key-management/types";
+import { UserKey } from "@bitwarden/common/types/key";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
+import { Folder } from "@bitwarden/common/vault/models/domain/folder";
+import { UserId } from "@bitwarden/user-core";
+
+import { LogRecorder } from "../log-recorder";
+
+/**
+ * A recovery step performs diagnostics and recovery actions on a specific domain, such as ciphers.
+ */
+export abstract class RecoveryStep {
+ /** Title of the recovery step, as an i18n key. */
+ abstract title: string;
+
+ /**
+ * Runs diagnostics on the provided working data.
+ * Returns true if no issues were found, false otherwise.
+ */
+ abstract runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise;
+
+ /**
+ * Returns whether recovery can be performed
+ */
+ abstract canRecover(workingData: RecoveryWorkingData): boolean;
+
+ /**
+ * Performs recovery on the provided working data.
+ */
+ abstract runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise;
+}
+
+/**
+ * Data used during the recovery process, passed between steps.
+ */
+export type RecoveryWorkingData = {
+ userId: UserId | null;
+ userKey: UserKey | null;
+ encryptedPrivateKey: WrappedPrivateKey | null;
+ isPrivateKeyCorrupt: boolean;
+ ciphers: Cipher[];
+ folders: Folder[];
+};
diff --git a/apps/web/src/app/key-management/data-recovery/steps/sync-step.ts b/apps/web/src/app/key-management/data-recovery/steps/sync-step.ts
new file mode 100644
index 00000000000..f0adb1e0b46
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/sync-step.ts
@@ -0,0 +1,43 @@
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
+import { FolderData } from "@bitwarden/common/vault/models/data/folder.data";
+import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
+import { Folder } from "@bitwarden/common/vault/models/domain/folder";
+
+import { LogRecorder } from "../log-recorder";
+
+import { RecoveryStep, RecoveryWorkingData } from "./recovery-step";
+
+export class SyncStep implements RecoveryStep {
+ title = "recoveryStepSyncTitle";
+
+ constructor(private apiService: ApiService) {}
+
+ async runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ // The intent of this step is to fetch the latest data from the server. Diagnostics does not
+ // ever run on local data but only remote data that is recent.
+ const response = await this.apiService.getSync();
+
+ workingData.ciphers = response.ciphers.map((c) => new Cipher(new CipherData(c)));
+ logger.record(`Fetched ${workingData.ciphers.length} ciphers from server`);
+
+ workingData.folders = response.folders.map((f) => new Folder(new FolderData(f)));
+ logger.record(`Fetched ${workingData.folders.length} folders from server`);
+
+ workingData.encryptedPrivateKey =
+ response.profile?.accountKeys?.publicKeyEncryptionKeyPair?.wrappedPrivateKey ?? null;
+ logger.record(
+ `Fetched encrypted private key of length ${workingData.encryptedPrivateKey?.length ?? 0} from server`,
+ );
+
+ return true;
+ }
+
+ canRecover(workingData: RecoveryWorkingData): boolean {
+ return false;
+ }
+
+ runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ return Promise.resolve();
+ }
+}
diff --git a/apps/web/src/app/key-management/data-recovery/steps/user-info-step.ts b/apps/web/src/app/key-management/data-recovery/steps/user-info-step.ts
new file mode 100644
index 00000000000..9565b1da73b
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/steps/user-info-step.ts
@@ -0,0 +1,49 @@
+import { firstValueFrom } from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { EncryptionType } from "@bitwarden/common/platform/enums";
+import { KeyService } from "@bitwarden/key-management";
+
+import { LogRecorder } from "../log-recorder";
+
+import { RecoveryStep, RecoveryWorkingData } from "./recovery-step";
+
+export class UserInfoStep implements RecoveryStep {
+ title = "recoveryStepUserInfoTitle";
+
+ constructor(
+ private accountService: AccountService,
+ private keyService: KeyService,
+ ) {}
+
+ async runDiagnostics(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ const activeAccount = await firstValueFrom(this.accountService.activeAccount$);
+ if (!activeAccount) {
+ logger.record("No active account found");
+ return false;
+ }
+ const userId = activeAccount.id;
+ workingData.userId = userId;
+ logger.record(`User ID: ${userId}`);
+
+ const userKey = await firstValueFrom(this.keyService.userKey$(userId));
+ if (!userKey) {
+ logger.record("No user key found");
+ return false;
+ }
+ workingData.userKey = userKey;
+ logger.record(
+ `User encryption type: ${userKey.inner().type === EncryptionType.AesCbc256_HmacSha256_B64 ? "V1" : userKey.inner().type === EncryptionType.CoseEncrypt0 ? "Cose" : "Unknown"}`,
+ );
+
+ return true;
+ }
+
+ canRecover(workingData: RecoveryWorkingData): boolean {
+ return false;
+ }
+
+ runRecovery(workingData: RecoveryWorkingData, logger: LogRecorder): Promise {
+ return Promise.resolve();
+ }
+}
diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts
index b40b9143991..ac9bdc4b946 100644
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -78,6 +78,7 @@ import { freeTrialTextResolver } from "./billing/trial-initiation/complete-trial
import { EnvironmentSelectorComponent } from "./components/environment-selector/environment-selector.component";
import { RouteDataProperties } from "./core";
import { ReportsModule } from "./dirt/reports";
+import { DataRecoveryComponent } from "./key-management/data-recovery/data-recovery.component";
import { ConfirmKeyConnectorDomainComponent } from "./key-management/key-connector/confirm-key-connector-domain.component";
import { RemovePasswordComponent } from "./key-management/key-connector/remove-password.component";
import { FrontendLayoutComponent } from "./layouts/frontend-layout.component";
@@ -696,6 +697,12 @@ const routes: Routes = [
path: "security",
loadChildren: () => SecurityRoutingModule,
},
+ {
+ path: "data-recovery",
+ component: DataRecoveryComponent,
+ canActivate: [canAccessFeature(FeatureFlag.DataRecoveryTool)],
+ data: { titleId: "dataRecovery" } satisfies RouteDataProperties,
+ },
{
path: "domain-rules",
component: DomainRulesComponent,
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index a755e4de556..c827f09d173 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -12253,6 +12253,54 @@
"userVerificationFailed": {
"message": "User verification failed."
},
+ "recoveryDeleteCiphersTitle": {
+ "message": "Delete unrecoverable vault items"
+ },
+ "recoveryDeleteCiphersDesc": {
+ "message": "Some of your vault items could not be recovered. Do you want to delete these unrecoverable items from your vault?"
+ },
+ "recoveryDeleteFoldersTitle": {
+ "message": "Delete unrecoverable folders"
+ },
+ "recoveryDeleteFoldersDesc": {
+ "message": "Some of your folders could not be recovered. Do you want to delete these unrecoverable folders from your vault?"
+ },
+ "recoveryReplacePrivateKeyTitle": {
+ "message": "Replace encryption key"
+ },
+ "recoveryReplacePrivateKeyDesc": {
+ "message": "Your public-key encryption key pair could not be recovered. Do you want to replace your encryption key with a new key pair? This will require you to set up existing emergency-access and organization memberships again."
+ },
+ "recoveryStepSyncTitle": {
+ "message": "Synchronizing data"
+ },
+ "recoveryStepPrivateKeyTitle": {
+ "message": "Verifying encryption key integrity"
+ },
+ "recoveryStepUserInfoTitle": {
+ "message": "Verifying user information"
+ },
+ "recoveryStepCipherTitle": {
+ "message": "Verifying vault item integrity"
+ },
+ "recoveryStepFoldersTitle": {
+ "message": "Verifying folder integrity"
+ },
+ "dataRecoveryTitle": {
+ "message": "Data Recovery and Diagnostics"
+ },
+ "dataRecoveryDescription": {
+ "message": "Use the data recovery tool to diagnose and repair issues with your account. After running diagnostics you have the option to save diagnostic logs for support and the option to repair any detected issues."
+ },
+ "runDiagnostics": {
+ "message": "Run Diagnostics"
+ },
+ "repairIssues": {
+ "message": "Repair Issues"
+ },
+ "saveDiagnosticLogs": {
+ "message": "Save Diagnostic Logs"
+ },
"sessionTimeoutSettingsManagedByOrganization": {
"message": "This setting is managed by your organization."
},
diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts
index 1727d3da712..fb8edd8aa7d 100644
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -43,6 +43,7 @@ export enum FeatureFlag {
LinuxBiometricsV2 = "pm-26340-linux-biometrics-v2",
UnlockWithMasterPasswordUnlockData = "pm-23246-unlock-with-master-password-unlock-data",
NoLogoutOnKdfChange = "pm-23995-no-logout-on-kdf-change",
+ DataRecoveryTool = "pm-28813-data-recovery-tool",
ConsolidatedSessionTimeoutComponent = "pm-26056-consolidated-session-timeout-component",
/* Tools */
@@ -149,6 +150,7 @@ export const DefaultFeatureFlagValue = {
[FeatureFlag.LinuxBiometricsV2]: FALSE,
[FeatureFlag.UnlockWithMasterPasswordUnlockData]: FALSE,
[FeatureFlag.NoLogoutOnKdfChange]: FALSE,
+ [FeatureFlag.DataRecoveryTool]: FALSE,
[FeatureFlag.ConsolidatedSessionTimeoutComponent]: FALSE,
/* Platform */
diff --git a/libs/key-management/src/user-asymmetric-key-regeneration/abstractions/user-asymmetric-key-regeneration.service.ts b/libs/key-management/src/user-asymmetric-key-regeneration/abstractions/user-asymmetric-key-regeneration.service.ts
index 4703d836db7..58620f49ed1 100644
--- a/libs/key-management/src/user-asymmetric-key-regeneration/abstractions/user-asymmetric-key-regeneration.service.ts
+++ b/libs/key-management/src/user-asymmetric-key-regeneration/abstractions/user-asymmetric-key-regeneration.service.ts
@@ -7,4 +7,11 @@ export abstract class UserAsymmetricKeysRegenerationService {
* @param userId The user id.
*/
abstract regenerateIfNeeded(userId: UserId): Promise;
+
+ /**
+ * Performs the regeneration of the user's public/private key pair without checking any preconditions.
+ * This should only be used for V1 encryption accounts
+ * @param userId The user id.
+ */
+ abstract regenerateUserPublicKeyEncryptionKeyPair(userId: UserId): Promise;
}
diff --git a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts
index e57ab74de6b..92e5240a187 100644
--- a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts
+++ b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts
@@ -370,3 +370,52 @@ describe("regenerateIfNeeded", () => {
);
});
});
+
+describe("regenerateUserPublicKeyEncryptionKeyPair", () => {
+ let sut: DefaultUserAsymmetricKeysRegenerationService;
+ const userId = "userId" as UserId;
+
+ let keyService: MockProxy;
+ let cipherService: MockProxy;
+ let userAsymmetricKeysRegenerationApiService: MockProxy;
+ let logService: MockProxy;
+ let sdkService: MockSdkService;
+ let apiService: MockProxy;
+ let configService: MockProxy;
+
+ beforeEach(() => {
+ keyService = mock();
+ cipherService = mock();
+ userAsymmetricKeysRegenerationApiService = mock();
+ logService = mock();
+ sdkService = new MockSdkService();
+ apiService = mock();
+ configService = mock();
+
+ sut = new DefaultUserAsymmetricKeysRegenerationService(
+ keyService,
+ cipherService,
+ userAsymmetricKeysRegenerationApiService,
+ logService,
+ sdkService,
+ apiService,
+ configService,
+ );
+ });
+
+ afterEach(() => {
+ jest.resetAllMocks();
+ });
+
+ it("should throw error when user key is not V1 encryption type", async () => {
+ const mockUserKey = {
+ keyB64: "mockKeyB64",
+ inner: () => ({ type: 7 }),
+ } as unknown as UserKey;
+ keyService.userKey$.mockReturnValue(of(mockUserKey));
+
+ await expect(sut.regenerateUserPublicKeyEncryptionKeyPair(userId)).rejects.toThrow(
+ "User key is not V1 encryption type",
+ );
+ });
+});
diff --git a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts
index 335f45b0ce2..48fe3a1686f 100644
--- a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts
+++ b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts
@@ -37,7 +37,7 @@ export class DefaultUserAsymmetricKeysRegenerationService
if (privateKeyRegenerationFlag) {
const shouldRegenerate = await this.shouldRegenerate(userId);
if (shouldRegenerate) {
- await this.regenerateUserAsymmetricKeys(userId);
+ await this.regenerateUserPublicKeyEncryptionKeyPair(userId);
}
}
} catch (error) {
@@ -125,11 +125,14 @@ export class DefaultUserAsymmetricKeysRegenerationService
return false;
}
- private async regenerateUserAsymmetricKeys(userId: UserId): Promise {
+ async regenerateUserPublicKeyEncryptionKeyPair(userId: UserId): Promise {
const userKey = await firstValueFrom(this.keyService.userKey$(userId));
if (userKey == null) {
throw new Error("User key not found");
}
+ if (userKey.inner().type !== EncryptionType.AesCbc256_HmacSha256_B64) {
+ throw new Error("User key is not V1 encryption type");
+ }
const makeKeyPairResponse = await firstValueFrom(
this.sdkService.client$.pipe(
map((sdk) => {
From 3e9db6b472a04d94da214336add1fa4a3814a48e Mon Sep 17 00:00:00 2001
From: bmbitwarden
Date: Tue, 9 Dec 2025 23:49:58 -0500
Subject: [PATCH 17/60] PM-27628 Rename Remove individual vault export policy
(#17335)
* PM-27628 conditions for send and export links in left navbar
* PM-27628 resolved claude comment for pr
* PM-27628 resolved claude comment for pr
* PM-27628 reverted earlier display conditionals and changed label
* PM-27628 changed out keys as well
* PM-27628 revert description key change
---
apps/web/src/locales/en/messages.json | 4 ++--
.../disable-personal-vault-export.component.ts | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index c827f09d173..85159c0230c 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -6815,8 +6815,8 @@
"vaultTimeoutRangeError": {
"message": "Vault timeout is not within allowed range."
},
- "disablePersonalVaultExport": {
- "message": "Remove individual vault export"
+ "disableExport": {
+ "message": "Remove export"
},
"disablePersonalVaultExportDescription": {
"message": "Do not allow members to export data from their individual vault."
diff --git a/bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/disable-personal-vault-export.component.ts b/bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/disable-personal-vault-export.component.ts
index 0f0fc5f358d..5a9b36912c9 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/disable-personal-vault-export.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions/disable-personal-vault-export.component.ts
@@ -8,7 +8,7 @@ import {
import { SharedModule } from "@bitwarden/web-vault/app/shared";
export class DisablePersonalVaultExportPolicy extends BasePolicyEditDefinition {
- name = "disablePersonalVaultExport";
+ name = "disableExport";
description = "disablePersonalVaultExportDescription";
type = PolicyType.DisablePersonalVaultExport;
component = DisablePersonalVaultExportPolicyComponent;
From 663ef60ae5113115c092578193cf52c504f42572 Mon Sep 17 00:00:00 2001
From: Isaac Ivins
Date: Wed, 10 Dec 2025 04:02:30 -0500
Subject: [PATCH 18/60] Feature/pm 27795 migrate send filters desktop migration
(#17802)
Created a new navigation component that renders Send type filters as sidebar navigation items.
---
.../app/layout/desktop-layout.component.html | 2 +-
.../layout/desktop-layout.component.spec.ts | 25 ++-
.../app/layout/desktop-layout.component.ts | 11 +-
.../send-v2/send-filters-nav.component.html | 25 +++
.../send-filters-nav.component.spec.ts | 204 ++++++++++++++++++
.../send-v2/send-filters-nav.component.ts | 54 +++++
.../tools/send-v2/send-v2.component.spec.ts | 34 ++-
.../app/tools/send-v2/send-v2.component.ts | 44 +++-
8 files changed, 382 insertions(+), 17 deletions(-)
create mode 100644 apps/desktop/src/app/tools/send-v2/send-filters-nav.component.html
create mode 100644 apps/desktop/src/app/tools/send-v2/send-filters-nav.component.spec.ts
create mode 100644 apps/desktop/src/app/tools/send-v2/send-filters-nav.component.ts
diff --git a/apps/desktop/src/app/layout/desktop-layout.component.html b/apps/desktop/src/app/layout/desktop-layout.component.html
index 7f8bd265102..1717b29acd1 100644
--- a/apps/desktop/src/app/layout/desktop-layout.component.html
+++ b/apps/desktop/src/app/layout/desktop-layout.component.html
@@ -3,7 +3,7 @@
(),
},
],
- }).compileComponents();
+ })
+ .overrideComponent(DesktopLayoutComponent, {
+ remove: { imports: [SendFiltersNavComponent] },
+ add: { imports: [MockSendFiltersNavComponent] },
+ })
+ .compileComponents();
fixture = TestBed.createComponent(DesktopLayoutComponent);
component = fixture.componentInstance;
@@ -58,4 +74,11 @@ describe("DesktopLayoutComponent", () => {
expect(ngContent).toBeTruthy();
});
+
+ it("renders send filters navigation component", () => {
+ const compiled = fixture.nativeElement;
+ const sendFiltersNav = compiled.querySelector("app-send-filters-nav");
+
+ expect(sendFiltersNav).toBeTruthy();
+ });
});
diff --git a/apps/desktop/src/app/layout/desktop-layout.component.ts b/apps/desktop/src/app/layout/desktop-layout.component.ts
index 006055f475f..0ee7065fba8 100644
--- a/apps/desktop/src/app/layout/desktop-layout.component.ts
+++ b/apps/desktop/src/app/layout/desktop-layout.component.ts
@@ -5,13 +5,22 @@ import { PasswordManagerLogo } from "@bitwarden/assets/svg";
import { LayoutComponent, NavigationModule } from "@bitwarden/components";
import { I18nPipe } from "@bitwarden/ui-common";
+import { SendFiltersNavComponent } from "../tools/send-v2/send-filters-nav.component";
+
import { DesktopSideNavComponent } from "./desktop-side-nav.component";
// FIXME(https://bitwarden.atlassian.net/browse/CL-764): Migrate to OnPush
// eslint-disable-next-line @angular-eslint/prefer-on-push-component-change-detection
@Component({
selector: "app-layout",
- imports: [RouterModule, I18nPipe, LayoutComponent, NavigationModule, DesktopSideNavComponent],
+ imports: [
+ RouterModule,
+ I18nPipe,
+ LayoutComponent,
+ NavigationModule,
+ DesktopSideNavComponent,
+ SendFiltersNavComponent,
+ ],
templateUrl: "./desktop-layout.component.html",
})
export class DesktopLayoutComponent {
diff --git a/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.html b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.html
new file mode 100644
index 00000000000..64c52b50a49
--- /dev/null
+++ b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.html
@@ -0,0 +1,25 @@
+
+
diff --git a/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.spec.ts b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.spec.ts
new file mode 100644
index 00000000000..95ba5c53e36
--- /dev/null
+++ b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.spec.ts
@@ -0,0 +1,204 @@
+import { ChangeDetectionStrategy, Component } from "@angular/core";
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { Router, provideRouter } from "@angular/router";
+import { RouterTestingHarness } from "@angular/router/testing";
+import { BehaviorSubject } from "rxjs";
+
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
+import { NavigationModule } from "@bitwarden/components";
+import { SendListFiltersService } from "@bitwarden/send-ui";
+
+import { SendFiltersNavComponent } from "./send-filters-nav.component";
+
+@Component({ template: "", changeDetection: ChangeDetectionStrategy.OnPush })
+class DummyComponent {}
+
+Object.defineProperty(window, "matchMedia", {
+ writable: true,
+ value: jest.fn().mockImplementation((query) => ({
+ matches: true,
+ media: query,
+ onchange: null,
+ addListener: jest.fn(),
+ removeListener: jest.fn(),
+ addEventListener: jest.fn(),
+ removeEventListener: jest.fn(),
+ dispatchEvent: jest.fn(),
+ })),
+});
+
+describe("SendFiltersNavComponent", () => {
+ let component: SendFiltersNavComponent;
+ let fixture: ComponentFixture;
+ let harness: RouterTestingHarness;
+ let filterFormValueSubject: BehaviorSubject<{ sendType: SendType | null }>;
+ let mockSendListFiltersService: Partial;
+
+ beforeEach(async () => {
+ filterFormValueSubject = new BehaviorSubject<{ sendType: SendType | null }>({
+ sendType: null,
+ });
+
+ mockSendListFiltersService = {
+ filterForm: {
+ value: { sendType: null },
+ valueChanges: filterFormValueSubject.asObservable(),
+ patchValue: jest.fn((value) => {
+ mockSendListFiltersService.filterForm.value = {
+ ...mockSendListFiltersService.filterForm.value,
+ ...value,
+ };
+ filterFormValueSubject.next(mockSendListFiltersService.filterForm.value);
+ }),
+ } as any,
+ filters$: filterFormValueSubject.asObservable(),
+ };
+
+ await TestBed.configureTestingModule({
+ imports: [SendFiltersNavComponent, NavigationModule],
+ providers: [
+ provideRouter([
+ { path: "vault", component: DummyComponent },
+ { path: "new-sends", component: DummyComponent },
+ ]),
+ {
+ provide: SendListFiltersService,
+ useValue: mockSendListFiltersService,
+ },
+ {
+ provide: I18nService,
+ useValue: {
+ t: jest.fn((key) => key),
+ },
+ },
+ ],
+ }).compileComponents();
+
+ // Create harness and navigate to initial route
+ harness = await RouterTestingHarness.create("/vault");
+
+ // Create the component fixture separately (not a routed component)
+ fixture = TestBed.createComponent(SendFiltersNavComponent);
+ component = fixture.componentInstance;
+ fixture.detectChanges();
+ });
+
+ it("creates component", () => {
+ expect(component).toBeTruthy();
+ });
+
+ it("renders bit-nav-group with Send icon and text", () => {
+ const compiled = fixture.nativeElement;
+ const navGroup = compiled.querySelector("bit-nav-group");
+
+ expect(navGroup).toBeTruthy();
+ expect(navGroup.getAttribute("icon")).toBe("bwi-send");
+ });
+
+ it("component exposes SendType enum for template", () => {
+ expect(component["SendType"]).toBe(SendType);
+ });
+
+ describe("isSendRouteActive", () => {
+ it("returns true when on /new-sends route", async () => {
+ await harness.navigateByUrl("/new-sends");
+ fixture.detectChanges();
+
+ expect(component["isSendRouteActive"]()).toBe(true);
+ });
+
+ it("returns false when not on /new-sends route", () => {
+ expect(component["isSendRouteActive"]()).toBe(false);
+ });
+ });
+
+ describe("activeSendType", () => {
+ it("returns the active send type when on send route and filter type is set", async () => {
+ await harness.navigateByUrl("/new-sends");
+ mockSendListFiltersService.filterForm.value = { sendType: SendType.Text };
+ filterFormValueSubject.next({ sendType: SendType.Text });
+ fixture.detectChanges();
+
+ expect(component["activeSendType"]()).toBe(SendType.Text);
+ });
+
+ it("returns undefined when not on send route", () => {
+ mockSendListFiltersService.filterForm.value = { sendType: SendType.Text };
+ filterFormValueSubject.next({ sendType: SendType.Text });
+ fixture.detectChanges();
+
+ expect(component["activeSendType"]()).toBeUndefined();
+ });
+
+ it("returns null when on send route but no type is selected", async () => {
+ await harness.navigateByUrl("/new-sends");
+ mockSendListFiltersService.filterForm.value = { sendType: null };
+ filterFormValueSubject.next({ sendType: null });
+ fixture.detectChanges();
+
+ expect(component["activeSendType"]()).toBeNull();
+ });
+ });
+
+ describe("selectTypeAndNavigate", () => {
+ it("clears the sendType filter when called with no parameter", async () => {
+ await component["selectTypeAndNavigate"]();
+
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: null,
+ });
+ });
+
+ it("updates filter form with Text type", async () => {
+ await component["selectTypeAndNavigate"](SendType.Text);
+
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: SendType.Text,
+ });
+ });
+
+ it("updates filter form with File type", async () => {
+ await component["selectTypeAndNavigate"](SendType.File);
+
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: SendType.File,
+ });
+ });
+
+ it("navigates to /new-sends when not on send route", async () => {
+ expect(harness.routeNativeElement?.textContent).toBeDefined();
+
+ await component["selectTypeAndNavigate"](SendType.Text);
+
+ const currentUrl = TestBed.inject(Router).url;
+ expect(currentUrl).toBe("/new-sends");
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: SendType.Text,
+ });
+ });
+
+ it("does not navigate when already on send route (component is reactive)", async () => {
+ await harness.navigateByUrl("/new-sends");
+ const router = TestBed.inject(Router);
+ const navigateSpy = jest.spyOn(router, "navigate");
+
+ await component["selectTypeAndNavigate"](SendType.Text);
+
+ expect(navigateSpy).not.toHaveBeenCalled();
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: SendType.Text,
+ });
+ });
+
+ it("navigates when clearing filter from different route", async () => {
+ await component["selectTypeAndNavigate"](); // No parameter = clear filter
+
+ const currentUrl = TestBed.inject(Router).url;
+ expect(currentUrl).toBe("/new-sends");
+ expect(mockSendListFiltersService.filterForm.patchValue).toHaveBeenCalledWith({
+ sendType: null,
+ });
+ });
+ });
+});
diff --git a/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.ts b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.ts
new file mode 100644
index 00000000000..28004f475e5
--- /dev/null
+++ b/apps/desktop/src/app/tools/send-v2/send-filters-nav.component.ts
@@ -0,0 +1,54 @@
+import { CommonModule } from "@angular/common";
+import { ChangeDetectionStrategy, Component, computed, inject } from "@angular/core";
+import { toSignal } from "@angular/core/rxjs-interop";
+import { NavigationEnd, Router } from "@angular/router";
+import { filter, map, startWith } from "rxjs";
+
+import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
+import { NavigationModule } from "@bitwarden/components";
+import { SendListFiltersService } from "@bitwarden/send-ui";
+import { I18nPipe } from "@bitwarden/ui-common";
+
+/**
+ * Navigation component that renders Send filter options in the sidebar.
+ * Fully reactive using signals - no manual subscriptions or method-based computed values.
+ * - Parent "Send" nav-group clears filter (shows all sends)
+ * - Child "Text"/"File" items set filter to specific type
+ * - Active states computed reactively from filter signal + route signal
+ */
+@Component({
+ selector: "app-send-filters-nav",
+ templateUrl: "./send-filters-nav.component.html",
+ changeDetection: ChangeDetectionStrategy.OnPush,
+ imports: [CommonModule, NavigationModule, I18nPipe],
+})
+export class SendFiltersNavComponent {
+ protected readonly SendType = SendType;
+ private readonly filtersService = inject(SendListFiltersService);
+ private readonly router = inject(Router);
+ private readonly currentFilter = toSignal(this.filtersService.filters$);
+
+ // Track whether current route is the send route
+ private readonly isSendRouteActive = toSignal(
+ this.router.events.pipe(
+ filter((event) => event instanceof NavigationEnd),
+ map((event) => (event as NavigationEnd).urlAfterRedirects.includes("/new-sends")),
+ startWith(this.router.url.includes("/new-sends")),
+ ),
+ { initialValue: this.router.url.includes("/new-sends") },
+ );
+
+ // Computed: Active send type (null when on send route with no filter, undefined when not on send route)
+ protected readonly activeSendType = computed(() => {
+ return this.isSendRouteActive() ? this.currentFilter()?.sendType : undefined;
+ });
+
+ // Update send filter and navigate to /new-sends (only if not already there - send-v2 component reacts to filter changes)
+ protected async selectTypeAndNavigate(type?: SendType): Promise {
+ this.filtersService.filterForm.patchValue({ sendType: type !== undefined ? type : null });
+
+ if (!this.router.url.includes("/new-sends")) {
+ await this.router.navigate(["/new-sends"]);
+ }
+ }
+}
diff --git a/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts b/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
index 5798df0989d..8657f3e375e 100644
--- a/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
+++ b/apps/desktop/src/app/tools/send-v2/send-v2.component.spec.ts
@@ -1,4 +1,8 @@
+// FIXME: Update this file to be type safe and remove this and next line
+// @ts-strict-ignore
+import { ChangeDetectorRef } from "@angular/core";
import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { FormBuilder } from "@angular/forms";
import { mock, MockProxy } from "jest-mock-extended";
import { BehaviorSubject, of } from "rxjs";
@@ -15,6 +19,7 @@ import { SendApiService } from "@bitwarden/common/tools/send/services/send-api.s
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
import { SearchService } from "@bitwarden/common/vault/abstractions/search.service";
import { DialogService, ToastService } from "@bitwarden/components";
+import { SendListFiltersService } from "@bitwarden/send-ui";
import * as utils from "../../../utils";
import { SearchBarService } from "../../layout/search/search-bar.service";
@@ -35,6 +40,8 @@ describe("SendV2Component", () => {
let broadcasterService: MockProxy;
let accountService: MockProxy;
let policyService: MockProxy;
+ let sendListFiltersService: SendListFiltersService;
+ let changeDetectorRef: MockProxy;
beforeEach(async () => {
sendService = mock();
@@ -42,6 +49,13 @@ describe("SendV2Component", () => {
broadcasterService = mock();
accountService = mock();
policyService = mock();
+ changeDetectorRef = mock();
+
+ // Create real SendListFiltersService with mocked dependencies
+ const formBuilder = new FormBuilder();
+ const i18nService = mock();
+ i18nService.t.mockImplementation((key: string) => key);
+ sendListFiltersService = new SendListFiltersService(i18nService, formBuilder);
// Mock sendViews$ observable
sendService.sendViews$ = of([]);
@@ -51,6 +65,10 @@ describe("SendV2Component", () => {
accountService.activeAccount$ = of({ id: "test-user-id" } as any);
policyService.policyAppliesToUser$ = jest.fn().mockReturnValue(of(false));
+ // Mock SearchService methods needed by base component
+ const mockSearchService = mock();
+ mockSearchService.isSearchable.mockResolvedValue(false);
+
await TestBed.configureTestingModule({
imports: [SendV2Component],
providers: [
@@ -59,7 +77,7 @@ describe("SendV2Component", () => {
{ provide: PlatformUtilsService, useValue: mock() },
{ provide: EnvironmentService, useValue: mock() },
{ provide: BroadcasterService, useValue: broadcasterService },
- { provide: SearchService, useValue: mock() },
+ { provide: SearchService, useValue: mockSearchService },
{ provide: PolicyService, useValue: policyService },
{ provide: SearchBarService, useValue: searchBarService },
{ provide: LogService, useValue: mock() },
@@ -67,6 +85,8 @@ describe("SendV2Component", () => {
{ provide: DialogService, useValue: mock() },
{ provide: ToastService, useValue: mock() },
{ provide: AccountService, useValue: accountService },
+ { provide: SendListFiltersService, useValue: sendListFiltersService },
+ { provide: ChangeDetectorRef, useValue: changeDetectorRef },
],
}).compileComponents();
@@ -331,7 +351,6 @@ describe("SendV2Component", () => {
describe("load", () => {
it("sets loading states correctly", async () => {
jest.spyOn(component, "search").mockResolvedValue();
- jest.spyOn(component, "selectAll");
expect(component.loaded).toBeFalsy();
@@ -341,14 +360,17 @@ describe("SendV2Component", () => {
expect(component.loaded).toBe(true);
});
- it("calls selectAll when onSuccessfulLoad is not set", async () => {
+ it("sets up sendViews$ subscription", async () => {
+ const mockSends = [new SendView(), new SendView()];
+ sendService.sendViews$ = of(mockSends);
jest.spyOn(component, "search").mockResolvedValue();
- jest.spyOn(component, "selectAll");
- component.onSuccessfulLoad = null;
await component.load();
- expect(component.selectAll).toHaveBeenCalled();
+ // Give observable time to emit
+ await new Promise((resolve) => setTimeout(resolve, 10));
+
+ expect(component.sends).toEqual(mockSends);
});
it("calls onSuccessfulLoad when it is set", async () => {
diff --git a/apps/desktop/src/app/tools/send-v2/send-v2.component.ts b/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
index 4afe02d9f98..eb0856b76af 100644
--- a/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
+++ b/apps/desktop/src/app/tools/send-v2/send-v2.component.ts
@@ -2,8 +2,9 @@
// @ts-strict-ignore
import { CommonModule } from "@angular/common";
import { Component, OnInit, OnDestroy, ViewChild, NgZone, ChangeDetectorRef } from "@angular/core";
+import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
import { FormsModule } from "@angular/forms";
-import { mergeMap } from "rxjs";
+import { mergeMap, Subscription } from "rxjs";
import { JslibModule } from "@bitwarden/angular/jslib.module";
import { SendComponent as BaseSendComponent } from "@bitwarden/angular/tools/send/send.component";
@@ -14,11 +15,13 @@ import { EnvironmentService } from "@bitwarden/common/platform/abstractions/envi
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
import { SendView } from "@bitwarden/common/tools/send/models/view/send.view";
import { SendApiService } from "@bitwarden/common/tools/send/services/send-api.service.abstraction";
import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
import { SearchService } from "@bitwarden/common/vault/abstractions/search.service";
import { DialogService, ToastService } from "@bitwarden/components";
+import { SendListFiltersService } from "@bitwarden/send-ui";
import { invokeMenu, RendererMenuItem } from "../../../utils";
import { SearchBarService } from "../../layout/search/search-bar.service";
@@ -55,6 +58,9 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
// Tracks the current UI state: viewing list (None), adding new Send (Add), or editing existing Send (Edit)
action: Action = Action.None;
+ // Subscription for sendViews$ cleanup
+ private sendViewsSubscription: Subscription;
+
constructor(
sendService: SendService,
i18nService: I18nService,
@@ -71,6 +77,7 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
toastService: ToastService,
accountService: AccountService,
private cdr: ChangeDetectorRef,
+ private sendListFiltersService: SendListFiltersService,
) {
super(
sendService,
@@ -88,12 +95,17 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
);
// Listen to search bar changes and update the Send list filter
- // eslint-disable-next-line rxjs-angular/prefer-takeuntil
- this.searchBarService.searchText$.subscribe((searchText) => {
+ this.searchBarService.searchText$.pipe(takeUntilDestroyed()).subscribe((searchText) => {
this.searchText = searchText;
this.searchTextChanged();
- setTimeout(() => this.cdr.detectChanges(), 250);
});
+
+ // Listen to filter changes from sidebar navigation
+ this.sendListFiltersService.filterForm.valueChanges
+ .pipe(takeUntilDestroyed())
+ .subscribe((filters) => {
+ this.applySendTypeFilter(filters);
+ });
}
// Initialize the component: enable search bar, subscribe to sync events, and load Send items
@@ -103,6 +115,10 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
await super.ngOnInit();
+ // Read current filter synchronously to avoid race condition on navigation
+ const currentFilter = this.sendListFiltersService.filterForm.value;
+ this.applySendTypeFilter(currentFilter);
+
// Listen for sync completion events to refresh the Send list
this.broadcasterService.subscribe(BroadcasterSubscriptionId, (message: any) => {
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
@@ -118,8 +134,18 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
await this.load();
}
+ // Apply send type filter to display: centralized logic for initial load and filter changes
+ private applySendTypeFilter(filters: Partial<{ sendType: SendType | null }>): void {
+ if (filters.sendType === null || filters.sendType === undefined) {
+ this.selectAll();
+ } else {
+ this.selectType(filters.sendType);
+ }
+ }
+
// Clean up subscriptions and disable search bar when component is destroyed
ngOnDestroy() {
+ this.sendViewsSubscription?.unsubscribe();
this.broadcasterService.unsubscribe(BroadcasterSubscriptionId);
this.searchBarService.setEnabled(false);
}
@@ -130,7 +156,12 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
// Note: The filter parameter is ignored in this implementation for desktop-specific behavior.
async load(filter: (send: SendView) => boolean = null) {
this.loading = true;
- this.sendService.sendViews$
+
+ // Recreate subscription on each load (required for sync refresh)
+ // Manual cleanup in ngOnDestroy is intentional - load() is called multiple times
+ this.sendViewsSubscription?.unsubscribe();
+
+ this.sendViewsSubscription = this.sendService.sendViews$
.pipe(
mergeMap(async (sends) => {
this.sends = sends;
@@ -143,9 +174,6 @@ export class SendV2Component extends BaseSendComponent implements OnInit, OnDest
.subscribe();
if (this.onSuccessfulLoad != null) {
await this.onSuccessfulLoad();
- } else {
- // Default action
- this.selectAll();
}
this.loading = false;
this.loaded = true;
From 6e383ecbc6cfe68f73959d38c49227425b064226 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 13:23:04 +0100
Subject: [PATCH 19/60] [deps]: Update peter-evans/repository-dispatch action
to v4.0.1 (#17891)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.github/workflows/test-browser-interactions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-browser-interactions.yml b/.github/workflows/test-browser-interactions.yml
index dfc0f28b9c6..c8f4c959c52 100644
--- a/.github/workflows/test-browser-interactions.yml
+++ b/.github/workflows/test-browser-interactions.yml
@@ -75,7 +75,7 @@ jobs:
- name: Trigger test-all workflow in browser-interactions-testing
if: steps.changed-files.outputs.monitored == 'true'
- uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
with:
token: ${{ steps.app-token.outputs.token }}
repository: "bitwarden/browser-interactions-testing"
From 0301e9d1d7ad1c42127451372c66a99ff7bdff49 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 07:57:58 -0600
Subject: [PATCH 20/60] [deps]: Update Rust crate tokio-util to v0.7.17
(#17575)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
apps/desktop/desktop_native/Cargo.lock | 4 ++--
apps/desktop/desktop_native/Cargo.toml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/desktop/desktop_native/Cargo.lock b/apps/desktop/desktop_native/Cargo.lock
index cf946f7f204..1b98e677ac7 100644
--- a/apps/desktop/desktop_native/Cargo.lock
+++ b/apps/desktop/desktop_native/Cargo.lock
@@ -3329,9 +3329,9 @@ dependencies = [
[[package]]
name = "tokio-util"
-version = "0.7.13"
+version = "0.7.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078"
+checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
dependencies = [
"bytes",
"futures-core",
diff --git a/apps/desktop/desktop_native/Cargo.toml b/apps/desktop/desktop_native/Cargo.toml
index 59df7ba57fb..b492fc62e2a 100644
--- a/apps/desktop/desktop_native/Cargo.toml
+++ b/apps/desktop/desktop_native/Cargo.toml
@@ -63,7 +63,7 @@ ssh-key = { version = "=0.6.7", default-features = false }
sysinfo = "=0.37.2"
thiserror = "=2.0.17"
tokio = "=1.45.0"
-tokio-util = "=0.7.13"
+tokio-util = "=0.7.17"
tracing = "=0.1.41"
tracing-subscriber = { version = "=0.3.20", features = [
"fmt",
From 151c2d97f07e47cbce92593c83ae03c6193bd2a9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 14:13:24 +0000
Subject: [PATCH 21/60] [deps]: Update Rust crate tokio to v1.48.0 (#15700)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
apps/desktop/desktop_native/Cargo.lock | 77 +++-----------------------
apps/desktop/desktop_native/Cargo.toml | 2 +-
2 files changed, 9 insertions(+), 70 deletions(-)
diff --git a/apps/desktop/desktop_native/Cargo.lock b/apps/desktop/desktop_native/Cargo.lock
index 1b98e677ac7..692ebfa29e9 100644
--- a/apps/desktop/desktop_native/Cargo.lock
+++ b/apps/desktop/desktop_native/Cargo.lock
@@ -2,21 +2,6 @@
# It is not intended for manual editing.
version = 4
-[[package]]
-name = "addr2line"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
-dependencies = [
- "gimli",
-]
-
-[[package]]
-name = "adler2"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
-
[[package]]
name = "aead"
version = "0.5.2"
@@ -351,21 +336,6 @@ dependencies = [
"windows-core",
]
-[[package]]
-name = "backtrace"
-version = "0.3.75"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
-dependencies = [
- "addr2line",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
- "windows-targets 0.52.6",
-]
-
[[package]]
name = "base16ct"
version = "0.2.0"
@@ -1415,12 +1385,6 @@ dependencies = [
"polyval",
]
-[[package]]
-name = "gimli"
-version = "0.31.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
-
[[package]]
name = "glob"
version = "0.3.3"
@@ -1857,15 +1821,6 @@ version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
-[[package]]
-name = "miniz_oxide"
-version = "0.8.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3be647b768db090acb35d5ec5db2b0e1f1de11133ca123b9eacf5137868f892a"
-dependencies = [
- "adler2",
-]
-
[[package]]
name = "mio"
version = "1.0.3"
@@ -2177,15 +2132,6 @@ dependencies = [
"objc2-core-foundation",
]
-[[package]]
-name = "object"
-version = "0.36.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
-dependencies = [
- "memchr",
-]
-
[[package]]
name = "once_cell"
version = "1.21.3"
@@ -2751,12 +2697,6 @@ dependencies = [
"winapi",
]
-[[package]]
-name = "rustc-demangle"
-version = "0.1.24"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
-
[[package]]
name = "rustc_version"
version = "0.4.1"
@@ -3078,12 +3018,12 @@ checksum = "b7c388c1b5e93756d0c740965c41e8822f866621d41acbdf6336a6a168f8840c"
[[package]]
name = "socket2"
-version = "0.5.9"
+version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f5fd57c80058a56cf5c777ab8a126398ece8e442983605d280a44ce79d0edef"
+checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881"
dependencies = [
"libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
]
[[package]]
@@ -3299,11 +3239,10 @@ dependencies = [
[[package]]
name = "tokio"
-version = "1.45.0"
+version = "1.48.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2513ca694ef9ede0fb23fe71a4ee4107cb102b9dc1930f6d0fd77aae068ae165"
+checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408"
dependencies = [
- "backtrace",
"bytes",
"libc",
"mio",
@@ -3313,14 +3252,14 @@ dependencies = [
"socket2",
"tokio-macros",
"tracing",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
]
[[package]]
name = "tokio-macros"
-version = "2.5.0"
+version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
+checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
dependencies = [
"proc-macro2",
"quote",
diff --git a/apps/desktop/desktop_native/Cargo.toml b/apps/desktop/desktop_native/Cargo.toml
index b492fc62e2a..2d5b1e31175 100644
--- a/apps/desktop/desktop_native/Cargo.toml
+++ b/apps/desktop/desktop_native/Cargo.toml
@@ -62,7 +62,7 @@ ssh-encoding = "=0.2.0"
ssh-key = { version = "=0.6.7", default-features = false }
sysinfo = "=0.37.2"
thiserror = "=2.0.17"
-tokio = "=1.45.0"
+tokio = "=1.48.0"
tokio-util = "=0.7.17"
tracing = "=0.1.41"
tracing-subscriber = { version = "=0.3.20", features = [
From 892f5548d21f63e64fedac03c94d540c83b9ef6d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 15:14:18 +0100
Subject: [PATCH 22/60] [deps] Platform: Update Rust crate bytes to v1.11.0
(#17618)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
apps/desktop/desktop_native/Cargo.lock | 4 ++--
apps/desktop/desktop_native/Cargo.toml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/desktop/desktop_native/Cargo.lock b/apps/desktop/desktop_native/Cargo.lock
index 692ebfa29e9..a2b653a929e 100644
--- a/apps/desktop/desktop_native/Cargo.lock
+++ b/apps/desktop/desktop_native/Cargo.lock
@@ -485,9 +485,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
[[package]]
name = "bytes"
-version = "1.10.1"
+version = "1.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
+checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
[[package]]
name = "camino"
diff --git a/apps/desktop/desktop_native/Cargo.toml b/apps/desktop/desktop_native/Cargo.toml
index 2d5b1e31175..58ce3758ae1 100644
--- a/apps/desktop/desktop_native/Cargo.toml
+++ b/apps/desktop/desktop_native/Cargo.toml
@@ -27,7 +27,7 @@ ashpd = "=0.11.0"
base64 = "=0.22.1"
bitwarden-russh = { git = "https://github.com/bitwarden/bitwarden-russh.git", rev = "a641316227227f8777fdf56ac9fa2d6b5f7fe662" }
byteorder = "=1.5.0"
-bytes = "=1.10.1"
+bytes = "=1.11.0"
cbc = "=0.1.2"
chacha20poly1305 = "=0.10.1"
core-foundation = "=0.10.1"
From 44384d51c9d2b2017603be94a54329b2df6cd8b3 Mon Sep 17 00:00:00 2001
From: Bryan Cunningham
Date: Wed, 10 Dec 2025 09:28:36 -0500
Subject: [PATCH 23/60] fix padding when nested. remove ng style and class
(#17874)
* fix padding when nested. remove ng style and class
* add expanded group to story to cover bug fix
* use class binding for async classes
* remove unnecessary x padding to improve truncation
* simplify padding logic
* fix padding end in closed state
* add back some padding in tree view
* add back padding to avoid weird spacing scenarios
---
.../src/navigation/nav-group.stories.ts | 5 ++++
.../src/navigation/nav-item.component.html | 27 ++++++++-----------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/libs/components/src/navigation/nav-group.stories.ts b/libs/components/src/navigation/nav-group.stories.ts
index d5c381ac3e3..e3033e4b40a 100644
--- a/libs/components/src/navigation/nav-group.stories.ts
+++ b/libs/components/src/navigation/nav-group.stories.ts
@@ -84,6 +84,11 @@ export const Default: StoryObj = {
+
`,
}),
diff --git a/libs/components/src/navigation/nav-item.component.html b/libs/components/src/navigation/nav-item.component.html
index 1de8a9bd167..8a59d474d94 100644
--- a/libs/components/src/navigation/nav-item.component.html
+++ b/libs/components/src/navigation/nav-item.component.html
@@ -2,16 +2,12 @@
@let open = sideNavService.open$ | async;
@if (open || icon()) {
+
-
+
+ + {{ "leaveConfirmationDialogContentOne" | i18n }} +
++ {{ "leaveConfirmationDialogContentTwo" | i18n }} +
+{{ "dataRecoveryTitle" | i18n }}
+ +
+
diff --git a/apps/web/src/app/key-management/data-recovery/data-recovery.component.spec.ts b/apps/web/src/app/key-management/data-recovery/data-recovery.component.spec.ts
new file mode 100644
index 00000000000..1976a8dfe27
--- /dev/null
+++ b/apps/web/src/app/key-management/data-recovery/data-recovery.component.spec.ts
@@ -0,0 +1,348 @@
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { mock, MockProxy } from "jest-mock-extended";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
+import { FileDownloadService } from "@bitwarden/common/platform/abstractions/file-download/file-download.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { FakeAccountService, mockAccountServiceWith } from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/types/guid";
+import { CipherEncryptionService } from "@bitwarden/common/vault/abstractions/cipher-encryption.service";
+import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
+import { DialogService } from "@bitwarden/components";
+import { KeyService, UserAsymmetricKeysRegenerationService } from "@bitwarden/key-management";
+import { LogService } from "@bitwarden/logging";
+
+import { DataRecoveryComponent, StepStatus } from "./data-recovery.component";
+import { RecoveryStep, RecoveryWorkingData } from "./steps";
+
+// Mock SdkLoadService
+jest.mock("@bitwarden/common/platform/abstractions/sdk/sdk-load.service", () => ({
+ SdkLoadService: {
+ Ready: Promise.resolve(),
+ },
+}));
+
+describe("DataRecoveryComponent", () => {
+ let component: DataRecoveryComponent;
+ let fixture: ComponentFixture+ {{ "dataRecoveryDescription" | i18n }} +
+ + @if (!diagnosticsCompleted() && !recoveryCompleted()) { + + } + +
+ @for (step of steps(); track $index) {
+ @if (
+ ($index === 0 && hasStarted()) ||
+ ($index > 0 &&
+ (steps()[$index - 1].status === StepStatus.Completed ||
+ steps()[$index - 1].status === StepStatus.Failed))
+ ) {
+
+
+ @if (diagnosticsCompleted()) {
+
+
+ }
+ }
+
+ @if (step.status === StepStatus.Failed) {
+
+ } @else if (step.status === StepStatus.Completed) {
+
+ } @else if (step.status === StepStatus.InProgress) {
+
+ } @else {
+
+ }
+
+
+
+ {{ step.title }}
+
+
+
+ @if (hasIssues() && !recoveryCompleted()) {
+
+ }
+
+
+ }
+