[PM-7907] No more optional privateKey (#9029)

* Update Emergency Access To Get Their Own Key * Migrate Organization Keys To Get Their Own Key * Remove Optional Parameters * Update Abstraction Parameter Name to Match Implementation * Add @throws Doc
2025-12-13 14:53:33 +00:00 · 2024-05-03 14:30:45 -04:00
parent a4d5717283
commit b46766affd
6 changed files with 60 additions and 16 deletions
--- a/apps/web/src/app/auth/emergency-access/services/emergency-access.service.spec.ts
+++ b/apps/web/src/app/auth/emergency-access/services/emergency-access.service.spec.ts
@@ -153,6 +153,7 @@ describe("EmergencyAccessService", () => {
      } as EmergencyAccessTakeoverResponse);

      const mockDecryptedGrantorUserKey = new Uint8Array(64);
+      cryptoService.getPrivateKey.mockResolvedValue(new Uint8Array(64));
      cryptoService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedGrantorUserKey);

      const mockMasterKey = new SymmetricCryptoKey(new Uint8Array(64) as CsprngArray) as MasterKey;
@@ -197,6 +198,7 @@ describe("EmergencyAccessService", () => {
        kdf: KdfType.PBKDF2_SHA256,
        kdfIterations: 500,
      } as EmergencyAccessTakeoverResponse);
+      cryptoService.getPrivateKey.mockResolvedValue(new Uint8Array(64));

      await expect(
        emergencyAccessService.takeover(mockId, mockEmail, mockName),
@@ -204,6 +206,21 @@ describe("EmergencyAccessService", () => {

      expect(emergencyAccessApiService.postEmergencyAccessPassword).not.toHaveBeenCalled();
    });
+
+    it("should throw an error if the users private key cannot be retrieved", async () => {
+      emergencyAccessApiService.postEmergencyAccessTakeover.mockResolvedValueOnce({
+        keyEncrypted: "EncryptedKey",
+        kdf: KdfType.PBKDF2_SHA256,
+        kdfIterations: 500,
+      } as EmergencyAccessTakeoverResponse);
+      cryptoService.getPrivateKey.mockResolvedValue(null);
+
+      await expect(emergencyAccessService.takeover(mockId, mockEmail, mockName)).rejects.toThrow(
+        "user does not have a private key",
+      );
+
+      expect(emergencyAccessApiService.postEmergencyAccessPassword).not.toHaveBeenCalled();
+    });
  });

  describe("getRotatedKeys", () => {
--- a/apps/web/src/app/auth/emergency-access/services/emergency-access.service.ts
+++ b/apps/web/src/app/auth/emergency-access/services/emergency-access.service.ts
@@ -209,7 +209,16 @@ export class EmergencyAccessService {
  async getViewOnlyCiphers(id: string): Promise<CipherView[]> {
    const response = await this.emergencyAccessApiService.postEmergencyAccessView(id);

-    const grantorKeyBuffer = await this.cryptoService.rsaDecrypt(response.keyEncrypted);
+    const activeUserPrivateKey = await this.cryptoService.getPrivateKey();
+
+    if (activeUserPrivateKey == null) {
+      throw new Error("Active user does not have a private key, cannot get view only ciphers.");
+    }
+
+    const grantorKeyBuffer = await this.cryptoService.rsaDecrypt(
+      response.keyEncrypted,
+      activeUserPrivateKey,
+    );
    const grantorUserKey = new SymmetricCryptoKey(grantorKeyBuffer) as UserKey;

    const ciphers = await this.encryptService.decryptItems(
@@ -229,7 +238,16 @@ export class EmergencyAccessService {
  async takeover(id: string, masterPassword: string, email: string) {
    const takeoverResponse = await this.emergencyAccessApiService.postEmergencyAccessTakeover(id);

-    const grantorKeyBuffer = await this.cryptoService.rsaDecrypt(takeoverResponse.keyEncrypted);
+    const activeUserPrivateKey = await this.cryptoService.getPrivateKey();
+
+    if (activeUserPrivateKey == null) {
+      throw new Error("Active user does not have a private key, cannot complete a takeover.");
+    }
+
+    const grantorKeyBuffer = await this.cryptoService.rsaDecrypt(
+      takeoverResponse.keyEncrypted,
+      activeUserPrivateKey,
+    );
    if (grantorKeyBuffer == null) {
      throw new Error("Failed to decrypt grantor key");
    }