[PM-5363] PinService State Providers (#8244)

* move pinKeyEncryptedUserKey * move pinKeyEncryptedUserKeyEphemeral * remove comments, move docs * cleanup * use UserKeyDefinition * refactor methods * add migration * fix browser dependency * add tests for migration * rename to pinService * move state to PinService * add PinService dep to CryptoService * move protectedPin to state provider * update service deps * renaming * move decryptUserKeyWithPin to pinService * update service injection * move more methods our of crypto service * remove CryptoService dep from PinService and update service injection * remove cryptoService reference * add method to FakeMasterPasswordService * fix circular dependency * fix desktop service injection * update browser dependencies * add protectedPin to migrations * move storePinKey to pinService * update and clarify documentation * more jsdoc updates * update import paths * refactor isPinLockSet method * update state definitions * initialize service before injecting into other services * initialize service before injecting into other services (bw.ts) * update clearOn and do additional cleanup * clarify docs and naming * assign abstract & private methods, add clarity to decryptAndMigrateOldPinKeyEncryptedMasterKey() method * derived state (attempt) * fix typos * use accountService to get active user email * use constant userId * add derived state * add get and clear for oldPinKeyEncryptedMasterKey * require userId * move pinProtected * add clear methods * remove pinProtected from account.ts and replace methods * add methods to create and store pinKeyEncryptedUserKey * add pinProtected/oldPinKeyEncrypterMasterKey to migration * update migration tests * update migration rollback tests * update to systemService and decryptAndMigrate... method * remove old test * increase length of state definition name to meet test requirements * rename 'TRANSIENT' to 'EPHEMERAL' for consistency * fix tests for login strategies, vault-export, and fake MP service * more updates to login-strategy tests * write new tests for core pinKeyEncrypterUserKey methods and isPinSet * write new tests for pinProtected and oldPinKeyEncryptedMasterKey methods * minor test reformatting * update test for decryptUserKeyWithPin() * fix bug with oldPinKeyEncryptedMasterKey * fix tests for vault-timeout-settings.service * fix bitwarden-password-protected-importer test * fix login strategy tests and auth-request.service test * update pinService tests * fix crypto service tests * add jsdoc * fix test file import * update jsdocs for decryptAndMigrateOldPinKeyEncryptedMasterKey() * update error messages and jsdocs * add null checks, move userId retrievals * update migration tests * update stateService calls to require userId * update test for decryptUserKeyWithPin() * update oldPinKeyEncryptedMasterKey migration tests * more test updates * fix factory import * update tests for isPinSet() and createProtectedPin() * add test for makePinKey() * add test for createPinKeyEncryptedUserKey() * add tests for getPinLockType() * consolidate userId verification tests * add tests for storePinKeyEncryptedUserKey() * fix service dep * get email based on userId * use MasterPasswordService instead of internal * rename protectedPin to userKeyEncryptedPin * rename to pinKeyEncryptedUserKeyPersistent * update method params * fix CryptoService tests * jsdoc update * use EncString for userKeyEncryptedPin * remove comment * use cryptoFunctionService.compareFast() * update tests * cleanup, remove comments * resolve merge conflict * fix DI of MasterPasswordService * more DI fixes
2025-12-17 08:43:33 +00:00 · 2024-05-08 11:34:47 -07:00
parent c2812fc21d
commit a42de41587
84 changed files with 2182 additions and 998 deletions
--- a/libs/auth/src/common/abstractions/index.ts
+++ b/libs/auth/src/common/abstractions/index.ts
@@ -1,4 +1,4 @@
-export * from "./pin-crypto.service.abstraction";
+export * from "./pin.service.abstraction";
 export * from "./login-email.service";
 export * from "./login-strategy.service";
 export * from "./user-decryption-options.service.abstraction";
--- a/libs/auth/src/common/abstractions/pin-crypto.service.abstraction.ts
+++ b/libs/auth/src/common/abstractions/pin-crypto.service.abstraction.ts
@@ -1,5 +0,0 @@
-import { UserKey } from "@bitwarden/common/types/key";
-
-export abstract class PinCryptoServiceAbstraction {
-  decryptUserKeyWithPin: (pin: string) => Promise<UserKey | null>;
-}
--- a/libs/auth/src/common/abstractions/pin.service.abstraction.ts
+++ b/libs/auth/src/common/abstractions/pin.service.abstraction.ts
@@ -0,0 +1,129 @@
+import { KdfConfig } from "@bitwarden/common/auth/models/domain/kdf-config";
+import { EncString, EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { UserId } from "@bitwarden/common/types/guid";
+import { PinKey, UserKey } from "@bitwarden/common/types/key";
+
+import { PinLockType } from "../services";
+
+/**
+ * The PinService is used for PIN-based unlocks. Below is a very basic overview of the PIN flow:
+ *
+ * -- Setting the PIN via {@link SetPinComponent} --
+ *
+ *    When the user submits the setPinForm:
+
+ *    1. We encrypt the PIN with the UserKey and store it on disk as `userKeyEncryptedPin`.
+ *
+ *    2. We create a PinKey from the PIN, and then use that PinKey to encrypt the UserKey, resulting in
+ *       a `pinKeyEncryptedUserKey`, which can be stored in one of two ways depending on what the user selects
+ *       for the `requireMasterPasswordOnClientReset` checkbox.
+ *
+ *       If `requireMasterPasswordOnClientReset` is:
+ *       - TRUE, store in memory as `pinKeyEncryptedUserKeyEphemeral` (does NOT persist through a client reset)
+ *       - FALSE, store on disk as `pinKeyEncryptedUserKeyPersistent` (persists through a client reset)
+ *
+ * -- Unlocking with the PIN via {@link LockComponent} --
+ *
+ *    When the user enters their PIN, we decrypt their UserKey with the PIN and set that UserKey to state.
+ */
+export abstract class PinServiceAbstraction {
+  /**
+   * Gets the persistent (stored on disk) version of the UserKey, encrypted by the PinKey.
+   */
+  abstract getPinKeyEncryptedUserKeyPersistent: (userId: UserId) => Promise<EncString>;
+
+  /**
+   * Clears the persistent (stored on disk) version of the UserKey, encrypted by the PinKey.
+   */
+  abstract clearPinKeyEncryptedUserKeyPersistent(userId: UserId): Promise<void>;
+
+  /**
+   * Gets the ephemeral (stored in memory) version of the UserKey, encrypted by the PinKey.
+   */
+  abstract getPinKeyEncryptedUserKeyEphemeral: (userId: UserId) => Promise<EncString>;
+
+  /**
+   * Clears the ephemeral (stored in memory) version of the UserKey, encrypted by the PinKey.
+   */
+  abstract clearPinKeyEncryptedUserKeyEphemeral(userId: UserId): Promise<void>;
+
+  /**
+   * Creates a pinKeyEncryptedUserKey from the provided PIN and UserKey.
+   */
+  abstract createPinKeyEncryptedUserKey: (
+    pin: string,
+    userKey: UserKey,
+    userId: UserId,
+  ) => Promise<EncString>;
+
+  /**
+   * Stores the UserKey, encrypted by the PinKey.
+   * @param storeEphemeralVersion If true, stores an ephemeral version via the private {@link setPinKeyEncryptedUserKeyEphemeral} method.
+   *                              If false, stores a persistent version via the private {@link setPinKeyEncryptedUserKeyPersistent} method.
+   */
+  abstract storePinKeyEncryptedUserKey: (
+    pinKeyEncryptedUserKey: EncString,
+    storeEphemeralVersion: boolean,
+    userId: UserId,
+  ) => Promise<void>;
+
+  /**
+   * Gets the user's PIN, encrypted by the UserKey.
+   */
+  abstract getUserKeyEncryptedPin: (userId: UserId) => Promise<EncString>;
+
+  /**
+   * Sets the user's PIN, encrypted by the UserKey.
+   */
+  abstract setUserKeyEncryptedPin: (
+    userKeyEncryptedPin: EncString,
+    userId: UserId,
+  ) => Promise<void>;
+
+  /**
+   * Creates a PIN, encrypted by the UserKey.
+   */
+  abstract createUserKeyEncryptedPin: (pin: string, userKey: UserKey) => Promise<EncString>;
+
+  /**
+   * Clears the user's PIN, encrypted by the UserKey.
+   */
+  abstract clearUserKeyEncryptedPin(userId: UserId): Promise<void>;
+
+  /**
+   * Gets the old MasterKey, encrypted by the PinKey (formerly called `pinProtected`).
+   * Deprecated and used for migration purposes only.
+   */
+  abstract getOldPinKeyEncryptedMasterKey: (userId: UserId) => Promise<EncryptedString>;
+
+  /**
+   * Clears the old MasterKey, encrypted by the PinKey.
+   */
+  abstract clearOldPinKeyEncryptedMasterKey: (userId: UserId) => Promise<void>;
+
+  /**
+   * Makes a PinKey from the provided PIN.
+   */
+  abstract makePinKey: (pin: string, salt: string, kdfConfig: KdfConfig) => Promise<PinKey>;
+
+  /**
+   * Gets the user's PinLockType {@link PinLockType}.
+   */
+  abstract getPinLockType: (userId: UserId) => Promise<PinLockType>;
+
+  /**
+   * Declares whether or not the user has a PIN set (either persistent or ephemeral).
+   */
+  abstract isPinSet: (userId: UserId) => Promise<boolean>;
+
+  /**
+   * Decrypts the UserKey with the provided PIN.
+   *
+   * @remarks - If the user has an old pinKeyEncryptedMasterKey (formerly called `pinProtected`), the UserKey
+   *            will be obtained via the private {@link decryptAndMigrateOldPinKeyEncryptedMasterKey} method.
+   *          - If the user does not have an old pinKeyEncryptedMasterKey, the UserKey will be obtained via the
+   *            private {@link decryptUserKey} method.
+   * @returns UserKey
+   */
+  abstract decryptUserKeyWithPin: (pin: string, userId: UserId) => Promise<UserKey | null>;
+}