[PM-24128] New Pin service, using PasswordProtectedKeyEnvelope (#15863)

* fix: broken SDK interface * Fix all compile errors related to uuids * Update usages of sdk to type-safe SDK type * Update sdk version * Update to "toSdk" * Move pin service to km ownership * Run format * Eslint * Fix tsconfig * Fix imports and test * Clean up imports * Pin tmp * Initial version of updated pin service * Add tests * Rename function * Clean up logging * Fix imports * Fix cli build * Fix browser desktop * Fix tests * Attempt to fix * Fix build * Fix tests * Fix browser build * Add missing empty line * Fix linting * Remove non-required change * Missing newline * Re-add comment * Undo change to file * Fix missing empty line * Cleanup * Cleanup * Cleanup * Cleanup * Switch to replaysubject * Add comments * Fix tests * Run prettier * Undo change * Fix browser * Fix circular dependency on browser * Add missing clear ephemeral pin * Address feedback * Update docs * Simplify sdk usage in pin service * Replace with mock sdk * Update sdk * Initialize pin service via unlock instead of listening to keyservice * Cleanup * Fix test * Prevent race condition with userkey not being set * Filter null userkeys * [PM-24124] Pin State Service (#16641) * add pin-state.service * add remaining tests * improve description for clearEphemeralPinState * rename getUserKeyWrappedPin$ to userKeyWrappedPin$ * drop temp variable in setPinState * add new test and remove copied one * Fix dep cycle * Fix tests and remaining build issues * Fix cli build * Add comments about functions not being public API --------- Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com> Co-authored-by: Hinton <hinton@users.noreply.github.com> Co-authored-by: Jake Fink <jfink@bitwarden.com>
2025-12-06 00:13:28 +00:00 · 2025-10-17 16:30:29 +02:00
parent 7015663c38
commit a860f218bd
33 changed files with 1610 additions and 1029 deletions
--- a/apps/browser/src/auth/popup/settings/account-security.component.ts
+++ b/apps/browser/src/auth/popup/settings/account-security.component.ts
@@ -311,12 +311,8 @@ export class AccountSecurityComponent implements OnInit, OnDestroy {
      .pipe(
        concatMap(async (value) => {
          const userId = (await firstValueFrom(this.accountService.activeAccount$)).id;
-          const pinKeyEncryptedUserKey =
-            (await this.pinService.getPinKeyEncryptedUserKeyPersistent(userId)) ||
-            (await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId));
-          await this.pinService.clearPinKeyEncryptedUserKeyPersistent(userId);
-          await this.pinService.clearPinKeyEncryptedUserKeyEphemeral(userId);
-          await this.pinService.storePinKeyEncryptedUserKey(pinKeyEncryptedUserKey, value, userId);
+          const pin = await this.pinService.getPin(userId);
+          await this.pinService.setPin(pin, value ? "EPHEMERAL" : "PERSISTENT", userId);
          this.refreshTimeoutSettings$.next();
        }),
        takeUntil(this.destroy$),
@@ -486,7 +482,7 @@ export class AccountSecurityComponent implements OnInit, OnDestroy {
      }
    } else {
      const userId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
-      await this.vaultTimeoutSettingsService.clear(userId);
+      await this.pinService.unsetPin(userId);
    }
  }

--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -98,6 +98,7 @@ import { KeyConnectorService as KeyConnectorServiceAbstraction } from "@bitwarde
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/services/key-connector.service";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { MasterPasswordService } from "@bitwarden/common/key-management/master-password/services/master-password.service";
+import { PinStateService } from "@bitwarden/common/key-management/pin/pin-state.service.implementation";
 import { PinServiceAbstraction } from "@bitwarden/common/key-management/pin/pin.service.abstraction";
 import { PinService } from "@bitwarden/common/key-management/pin/pin.service.implementation";
 import { SecurityStateService } from "@bitwarden/common/key-management/security-state/abstractions/security-state.service";
@@ -709,18 +710,7 @@ export default class MainBackground {

    this.kdfConfigService = new DefaultKdfConfigService(this.stateProvider);

-    this.pinService = new PinService(
-      this.accountService,
-      this.cryptoFunctionService,
-      this.encryptService,
-      this.kdfConfigService,
-      this.keyGenerationService,
-      this.logService,
-      this.stateProvider,
-    );
-
    this.keyService = new DefaultKeyService(
-      this.pinService,
      this.masterPasswordService,
      this.keyGenerationService,
      this.cryptoFunctionService,
@@ -733,6 +723,19 @@ export default class MainBackground {
      this.kdfConfigService,
    );

+    const pinStateService = new PinStateService(this.stateProvider);
+
+    this.pinService = new PinService(
+      this.accountService,
+      this.encryptService,
+      this.kdfConfigService,
+      this.keyGenerationService,
+      this.logService,
+      this.keyService,
+      this.sdkService,
+      pinStateService,
+    );
+
    this.appIdService = new AppIdService(this.storageService, this.logService);

    this.userDecryptionOptionsService = new UserDecryptionOptionsService(this.stateProvider);
@@ -741,7 +744,7 @@ export default class MainBackground {

    this.vaultTimeoutSettingsService = new DefaultVaultTimeoutSettingsService(
      this.accountService,
-      this.pinService,
+      pinStateService,
      this.userDecryptionOptionsService,
      this.keyService,
      this.tokenService,
@@ -759,6 +762,7 @@ export default class MainBackground {
      this.biometricStateService,
      this.messagingService,
      this.vaultTimeoutSettingsService,
+      this.pinService,
    );

    this.apiService = new ApiService(
@@ -1681,9 +1685,9 @@ export default class MainBackground {
      this.keyService.clearKeys(userBeingLoggedOut),
      this.cipherService.clear(userBeingLoggedOut),
      this.folderService.clear(userBeingLoggedOut),
-      this.vaultTimeoutSettingsService.clear(userBeingLoggedOut),
      this.biometricStateService.logout(userBeingLoggedOut),
      this.popupViewCacheBackgroundService.clearState(),
+      this.pinService.logout(userBeingLoggedOut),
      /* We intentionally do not clear:
       *  - autofillSettingsService
       *  - badgeSettingsService
--- a/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.spec.ts
+++ b/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.spec.ts
@@ -1,5 +1,6 @@
 import { mock } from "jest-mock-extended";

+import { PinServiceAbstraction } from "@bitwarden/common/key-management/pin/pin.service.abstraction";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -18,6 +19,7 @@ describe("background browser biometrics service tests", function () {
  const biometricStateService = mock<BiometricStateService>();
  const messagingService = mock<MessagingService>();
  const vaultTimeoutSettingsService = mock<VaultTimeoutSettingsService>();
+  const pinService = mock<PinServiceAbstraction>();

  beforeEach(() => {
    jest.resetAllMocks();
@@ -28,6 +30,7 @@ describe("background browser biometrics service tests", function () {
      biometricStateService,
      messagingService,
      vaultTimeoutSettingsService,
+      pinService,
    );
  });

--- a/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts
+++ b/apps/browser/src/key-management/biometrics/background-browser-biometrics.service.ts
@@ -1,6 +1,7 @@
 import { combineLatest, timer } from "rxjs";
 import { filter, concatMap } from "rxjs/operators";

+import { PinServiceAbstraction } from "@bitwarden/common/key-management/pin/pin.service.abstraction";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -29,6 +30,7 @@ export class BackgroundBrowserBiometricsService extends BiometricsService {
    private biometricStateService: BiometricStateService,
    private messagingService: MessagingService,
    private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
+    private pinService: PinServiceAbstraction,
  ) {
    super();
    // Always connect to the native messaging background if biometrics are enabled, not just when it is used
@@ -101,6 +103,7 @@ export class BackgroundBrowserBiometricsService extends BiometricsService {
        if (await this.keyService.validateUserKey(userKey, userId)) {
          await this.biometricStateService.setBiometricUnlockEnabled(true);
          await this.keyService.setUserKey(userKey, userId);
+          await this.pinService.userUnlocked(userId);
          // to update badge and other things
          this.messagingService.send("switchAccount", { userId });
          return userKey;
--- a/apps/browser/src/popup/services/services.module.ts
+++ b/apps/browser/src/popup/services/services.module.ts
@@ -75,7 +75,6 @@ import {
  InternalMasterPasswordServiceAbstraction,
  MasterPasswordServiceAbstraction,
 } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
-import { PinServiceAbstraction } from "@bitwarden/common/key-management/pin/pin.service.abstraction";
 import {
  VaultTimeoutService,
  VaultTimeoutStringType,
@@ -271,7 +270,6 @@ const safeProviders: SafeProvider[] = [
  safeProvider({
    provide: KeyService,
    useFactory: (
-      pinService: PinServiceAbstraction,
      masterPasswordService: InternalMasterPasswordServiceAbstraction,
      keyGenerationService: KeyGenerationService,
      cryptoFunctionService: CryptoFunctionService,
@@ -284,7 +282,6 @@ const safeProviders: SafeProvider[] = [
      kdfConfigService: KdfConfigService,
    ) => {
      const keyService = new DefaultKeyService(
-        pinService,
        masterPasswordService,
        keyGenerationService,
        cryptoFunctionService,
@@ -300,7 +297,6 @@ const safeProviders: SafeProvider[] = [
      return keyService;
    },
    deps: [
-      PinServiceAbstraction,
      InternalMasterPasswordServiceAbstraction,
      KeyGenerationService,
      CryptoFunctionService,