fix(tde-offboarding): Auth/PM-19165 - Handle TDE offboarding on an untrusted device with warning message (#15430)

When a user logs in via SSO after their org has offboarded from TDE, we now show them a helpful error message stating that they must either login on a Trusted device, or ask their admin to assign them a password. Feature flag: `PM16117_SetInitialPasswordRefactor`
2025-12-16 16:23:44 +00:00 · 2025-07-08 12:58:03 -04:00
parent 3da58e1752
commit b9f930a609
17 changed files with 257 additions and 41 deletions
--- a/libs/angular/src/auth/guards/auth.guard.spec.ts
+++ b/libs/angular/src/auth/guards/auth.guard.spec.ts
@@ -70,10 +70,10 @@ describe("AuthGuard", () => {
          { path: "lock", component: EmptyComponent },
          { path: "set-password", component: EmptyComponent },
          { path: "set-password-jit", component: EmptyComponent },
-          { path: "set-initial-password", component: EmptyComponent },
-          { path: "update-temp-password", component: EmptyComponent },
+          { path: "set-initial-password", component: EmptyComponent, canActivate: [authGuard] },
+          { path: "update-temp-password", component: EmptyComponent, canActivate: [authGuard] },
          { path: "change-password", component: EmptyComponent },
-          { path: "remove-password", component: EmptyComponent },
+          { path: "remove-password", component: EmptyComponent, canActivate: [authGuard] },
        ]),
      ],
      providers: [
@@ -124,6 +124,34 @@ describe("AuthGuard", () => {
    expect(router.url).toBe("/remove-password");
  });

+  describe("given user is Locked", () => {
+    describe("given the PM16117_SetInitialPasswordRefactor feature flag is ON", () => {
+      it("should redirect to /set-initial-password when the user has ForceSetPasswordReaason.TdeOffboardingUntrustedDevice", async () => {
+        const { router } = setup(
+          AuthenticationStatus.Locked,
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          false,
+          FeatureFlag.PM16117_SetInitialPasswordRefactor,
+        );
+
+        await router.navigate(["guarded-route"]);
+        expect(router.url).toBe("/set-initial-password");
+      });
+
+      it("should allow navigation to continue to /set-initial-password when the user has ForceSetPasswordReason.TdeOffboardingUntrustedDevice", async () => {
+        const { router } = setup(
+          AuthenticationStatus.Unlocked,
+          ForceSetPasswordReason.TdeOffboardingUntrustedDevice,
+          false,
+          FeatureFlag.PM16117_SetInitialPasswordRefactor,
+        );
+
+        await router.navigate(["/set-initial-password"]);
+        expect(router.url).toContain("/set-initial-password");
+      });
+    });
+  });
+
  describe("given user is Unlocked", () => {
    describe("given the PM16117_SetInitialPasswordRefactor feature flag is ON", () => {
      const tests = [