fix(tde-offboarding): Auth/PM-19165 - Handle TDE offboarding on an untrusted device with warning message (#15430)

When a user logs in via SSO after their org has offboarded from TDE, we now show them a helpful error message stating that they must either login on a Trusted device, or ask their admin to assign them a password. Feature flag: `PM16117_SetInitialPasswordRefactor`
2025-12-15 15:53:27 +00:00 · 2025-07-08 12:58:03 -04:00
parent 3da58e1752
commit b9f930a609
17 changed files with 257 additions and 41 deletions
--- a/libs/common/src/auth/models/domain/force-set-password-reason.ts
+++ b/libs/common/src/auth/models/domain/force-set-password-reason.ts
@@ -37,6 +37,15 @@ export enum ForceSetPasswordReason {
   */
  TdeOffboarding,

+  /**
+   * Occurs when an org admin switches the org from trusted-device-encryption to master-password-encryption,
+   * which forces the org user to set an initial password. User must not already have a master password,
+   * and they must be on an untrusted device.
+   *
+   * Calculated on client based on server flags and user state.
+   */
+  TdeOffboardingUntrustedDevice,
+
  /*----------------------------
      Change Existing Password  
  -----------------------------*/
--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -17,8 +17,8 @@ export class IdentityTokenResponse extends BaseResponse {
  tokenType: string;

  resetMasterPassword: boolean;
-  privateKey: string;
-  key?: EncString;
+  privateKey: string; // userKeyEncryptedPrivateKey
+  key?: EncString; // masterKeyEncryptedUserKey
  twoFactorToken: string;
  kdf: KdfType;
  kdfIterations: number;
@@ -62,4 +62,8 @@ export class IdentityTokenResponse extends BaseResponse {
      );
    }
  }
+
+  hasMasterKeyEncryptedUserKey(): boolean {
+    return Boolean(this.key);
+  }
 }