Merge branch 'main' into km/auto-kdf

2026-02-11 22:13:32 +00:00 · 2025-12-01 14:08:37 +01:00
parent 240e37aac9 ab543b929d
commit 8ab7d7623a
1027 changed files with 43220 additions and 14561 deletions
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -75,7 +75,7 @@
    "inquirer": "8.2.6",
    "jsdom": "26.1.0",
    "jszip": "3.10.1",
-    "koa": "2.16.1",
+    "koa": "2.16.3",
    "koa-bodyparser": "4.4.1",
    "koa-json": "2.0.2",
    "lowdb": "1.0.0",
@@ -87,8 +87,8 @@
    "papaparse": "5.5.3",
    "proper-lockfile": "4.1.2",
    "rxjs": "7.8.1",
-    "semver": "7.7.2",
-    "tldts": "7.0.1",
+    "semver": "7.7.3",
+    "tldts": "7.0.18",
    "zxcvbn": "4.4.2"
  }
 }
--- a/apps/cli/src/auth/commands/lock.command.ts
+++ b/apps/cli/src/auth/commands/lock.command.ts
@@ -1,16 +1,22 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
-import { VaultTimeoutService } from "@bitwarden/common/key-management/vault-timeout";
+import { firstValueFrom } from "rxjs";
+
+import { LockService } from "@bitwarden/auth/common";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { getUserId } from "@bitwarden/common/auth/services/account.service";

 import { Response } from "../../models/response";
 import { MessageResponse } from "../../models/response/message.response";

 export class LockCommand {
-  constructor(private vaultTimeoutService: VaultTimeoutService) {}
+  constructor(
+    private lockService: LockService,
+    private accountService: AccountService,
+  ) {}

  async run() {
-    await this.vaultTimeoutService.lock();
-    process.env.BW_SESSION = null;
+    const activeUserId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
+    await this.lockService.lock(activeUserId);
+    process.env.BW_SESSION = undefined;
    const res = new MessageResponse("Your vault is locked.", null);
    return Response.success(res);
  }
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -20,7 +20,6 @@ import { PolicyService } from "@bitwarden/common/admin-console/abstractions/poli
 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction";
-import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
@@ -28,7 +27,7 @@ import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/ide
 import { PasswordRequest } from "@bitwarden/common/auth/models/request/password.request";
 import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
 import { UpdateTempPasswordRequest } from "@bitwarden/common/auth/models/request/update-temp-password.request";
-import { TwoFactorApiService } from "@bitwarden/common/auth/two-factor";
+import { TwoFactorService, TwoFactorApiService } from "@bitwarden/common/auth/two-factor";
 import { ClientType } from "@bitwarden/common/enums";
 import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service";
 import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string";
--- a/apps/cli/src/commands/get.command.ts
+++ b/apps/cli/src/commands/get.command.ts
@@ -1,6 +1,6 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
-import { firstValueFrom, map, switchMap } from "rxjs";
+import { filter, firstValueFrom, map, switchMap } from "rxjs";

 import { CollectionService, CollectionView } from "@bitwarden/admin-console/common";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -448,7 +448,9 @@ export class GetCommand extends DownloadCommand {
        this.collectionService.encryptedCollections$(activeUserId).pipe(getById(id)),
      );
      if (collection != null) {
-        const orgKeys = await firstValueFrom(this.keyService.activeUserOrgKeys$);
+        const orgKeys = await firstValueFrom(
+          this.keyService.orgKeys$(activeUserId).pipe(filter((orgKeys) => orgKeys != null)),
+        );
        decCollection = await collection.decrypt(
          orgKeys[collection.organizationId as OrganizationId],
          this.encryptService,
--- a/apps/cli/src/key-management/cli-process-reload.service.ts
+++ b/apps/cli/src/key-management/cli-process-reload.service.ts
@@ -0,0 +1,10 @@
+import { ProcessReloadServiceAbstraction } from "@bitwarden/common/key-management/abstractions/process-reload.service";
+
+/**
+ * CLI implementation of ProcessReloadServiceAbstraction.
+ * This is NOOP since there is no effective way to process reload the CLI.
+ */
+export class CliProcessReloadService extends ProcessReloadServiceAbstraction {
+  async startProcessReload(): Promise<void> {}
+  async cancelProcessReload(): Promise<void> {}
+}
--- a/apps/cli/src/oss-serve-configurator.ts
+++ b/apps/cli/src/oss-serve-configurator.ts
@@ -160,7 +160,10 @@ export class OssServeConfigurator {
      this.serviceContainer.cipherService,
      this.serviceContainer.accountService,
    );
-    this.lockCommand = new LockCommand(this.serviceContainer.vaultTimeoutService);
+    this.lockCommand = new LockCommand(
+      serviceContainer.lockService,
+      serviceContainer.accountService,
+    );
    this.unlockCommand = new UnlockCommand(
      this.serviceContainer.accountService,
      this.serviceContainer.masterPasswordService,
--- a/apps/cli/src/platform/services/cli-system.service.ts
+++ b/apps/cli/src/platform/services/cli-system.service.ts
@@ -0,0 +1,10 @@
+import { SystemService } from "@bitwarden/common/platform/abstractions/system.service";
+
+/**
+ * CLI implementation of SystemService.
+ * The implementation is NOOP since these functions are meant for GUI clients.
+ */
+export class CliSystemService extends SystemService {
+  async clearClipboard(clipboardValue: string, timeoutMs?: number): Promise<void> {}
+  async clearPendingClipboard(): Promise<any> {}
+}
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@@ -251,7 +251,10 @@ export class Program extends BaseProgram {
          return;
        }

-        const command = new LockCommand(this.serviceContainer.vaultTimeoutService);
+        const command = new LockCommand(
+          this.serviceContainer.lockService,
+          this.serviceContainer.accountService,
+        );
        const response = await command.run();
        this.processResponse(response);
      });
--- a/apps/cli/src/service-container/service-container.ts
+++ b/apps/cli/src/service-container/service-container.ts
@@ -20,6 +20,9 @@ import {
  SsoUrlService,
  AuthRequestApiServiceAbstraction,
  DefaultAuthRequestApiService,
+  DefaultLockService,
+  DefaultLogoutService,
+  LockService,
 } from "@bitwarden/auth/common";
 import { EventCollectionService as EventCollectionServiceAbstraction } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { EventUploadService as EventUploadServiceAbstraction } from "@bitwarden/common/abstractions/event/event-upload.service";
@@ -46,10 +49,14 @@ import { DefaultActiveUserAccessor } from "@bitwarden/common/auth/services/defau
 import { DevicesApiServiceImplementation } from "@bitwarden/common/auth/services/devices-api.service.implementation";
 import { MasterPasswordApiService } from "@bitwarden/common/auth/services/master-password/master-password-api.service.implementation";
 import { TokenService } from "@bitwarden/common/auth/services/token.service";
-import { TwoFactorService } from "@bitwarden/common/auth/services/two-factor.service";
 import { UserVerificationApiService } from "@bitwarden/common/auth/services/user-verification/user-verification-api.service";
 import { UserVerificationService } from "@bitwarden/common/auth/services/user-verification/user-verification.service";
-import { TwoFactorApiService, DefaultTwoFactorApiService } from "@bitwarden/common/auth/two-factor";
+import {
+  DefaultTwoFactorService,
+  TwoFactorService,
+  TwoFactorApiService,
+  DefaultTwoFactorApiService,
+} from "@bitwarden/common/auth/two-factor";
 import {
  AutofillSettingsService,
  AutofillSettingsServiceAbstraction,
@@ -203,9 +210,11 @@ import {
 } from "@bitwarden/vault-export-core";

 import { CliBiometricsService } from "../key-management/cli-biometrics-service";
+import { CliProcessReloadService } from "../key-management/cli-process-reload.service";
 import { flagEnabled } from "../platform/flags";
 import { CliPlatformUtilsService } from "../platform/services/cli-platform-utils.service";
 import { CliSdkLoadService } from "../platform/services/cli-sdk-load.service";
+import { CliSystemService } from "../platform/services/cli-system.service";
 import { ConsoleLogService } from "../platform/services/console-log.service";
 import { I18nService } from "../platform/services/i18n.service";
 import { LowdbStorageService } from "../platform/services/lowdb-storage.service";
@@ -323,6 +332,7 @@ export class ServiceContainer {
  securityStateService: SecurityStateService;
  masterPasswordUnlockService: MasterPasswordUnlockService;
  cipherArchiveService: CipherArchiveService;
+  lockService: LockService;

  constructor() {
    let p = null;
@@ -494,6 +504,7 @@ export class ServiceContainer {
    this.masterPasswordUnlockService = new DefaultMasterPasswordUnlockService(
      this.masterPasswordService,
      this.keyService,
+      this.logService,
    );

    this.appIdService = new AppIdService(this.storageService, this.logService);
@@ -506,7 +517,9 @@ export class ServiceContainer {
      ")";

    this.biometricStateService = new DefaultBiometricStateService(this.stateProvider);
-    this.userDecryptionOptionsService = new UserDecryptionOptionsService(this.stateProvider);
+    this.userDecryptionOptionsService = new UserDecryptionOptionsService(
+      this.singleUserStateProvider,
+    );
    this.ssoUrlService = new SsoUrlService();

    this.organizationService = new DefaultOrganizationService(this.stateProvider);
@@ -625,10 +638,11 @@ export class ServiceContainer {
      this.stateProvider,
    );

-    this.twoFactorService = new TwoFactorService(
+    this.twoFactorService = new DefaultTwoFactorService(
      this.i18nService,
      this.platformUtilsService,
      this.globalStateProvider,
+      this.twoFactorApiService,
    );

    const sdkClientFactory = flagEnabled("sdk")
@@ -695,6 +709,7 @@ export class ServiceContainer {
      this.userDecryptionOptionsService,
      this.logService,
      this.configService,
+      this.accountService,
    );

    this.loginStrategyService = new LoginStrategyService(
@@ -783,9 +798,6 @@ export class ServiceContainer {

    this.folderApiService = new FolderApiService(this.folderService, this.apiService);

-    const lockedCallback = async (userId: UserId) =>
-      await this.keyService.clearStoredUserKey(userId);
-
    this.userVerificationApiService = new UserVerificationApiService(this.apiService);

    this.userVerificationService = new UserVerificationService(
@@ -801,25 +813,35 @@ export class ServiceContainer {
    );

    const biometricService = new CliBiometricsService();
+    const logoutService = new DefaultLogoutService(this.messagingService);
+    const processReloadService = new CliProcessReloadService();
+    const systemService = new CliSystemService();
+    this.lockService = new DefaultLockService(
+      this.accountService,
+      biometricService,
+      this.vaultTimeoutSettingsService,
+      logoutService,
+      this.messagingService,
+      this.searchService,
+      this.folderService,
+      this.masterPasswordService,
+      this.stateEventRunnerService,
+      this.cipherService,
+      this.authService,
+      systemService,
+      processReloadService,
+      this.logService,
+      this.keyService,
+    );

    this.vaultTimeoutService = new DefaultVaultTimeoutService(
      this.accountService,
-      this.masterPasswordService,
-      this.cipherService,
-      this.folderService,
-      this.collectionService,
      this.platformUtilsService,
-      this.messagingService,
-      this.searchService,
-      this.stateService,
-      this.tokenService,
      this.authService,
      this.vaultTimeoutSettingsService,
-      this.stateEventRunnerService,
      this.taskSchedulerService,
      this.logService,
-      biometricService,
-      lockedCallback,
+      this.lockService,
      undefined,
    );

--- a/apps/cli/src/vault/create.command.ts
+++ b/apps/cli/src/vault/create.command.ts
@@ -92,18 +92,18 @@ export class CreateCommand {
  }

  private async createCipher(req: CipherExport) {
-    const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
-
-    const cipherView = CipherExport.toView(req);
-    const isCipherTypeRestricted =
-      await this.cliRestrictedItemTypesService.isCipherRestricted(cipherView);
-
-    if (isCipherTypeRestricted) {
-      return Response.error("Creating this item type is restricted by organizational policy.");
-    }
-
-    const cipher = await this.cipherService.encrypt(CipherExport.toView(req), activeUserId);
    try {
+      const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
+
+      const cipherView = CipherExport.toView(req);
+      const isCipherTypeRestricted =
+        await this.cliRestrictedItemTypesService.isCipherRestricted(cipherView);
+
+      if (isCipherTypeRestricted) {
+        return Response.error("Creating this item type is restricted by organizational policy.");
+      }
+
+      const cipher = await this.cipherService.encrypt(CipherExport.toView(req), activeUserId);
      const newCipher = await this.cipherService.createWithServer(cipher);
      const decCipher = await this.cipherService.decrypt(newCipher, activeUserId);
      const res = new CipherResponse(decCipher);