mirror of https://github.com/bitwarden/browser synced 2025-12-16 16:23:44 +00:00

[PM-26057] Enforce session timeout policy (#17424)

* enforce session timeout policy

* better angular validation

* lint fix

* missing switch break

* fallback when timeout not supported with highest available timeout

* failing unit tests

* incorrect policy message

* vault timeout type adjustments

* fallback to "on browser refresh" for browser, when policy is set to "on system locked", but not available (Safari)

* docs, naming improvements

* fallback for current user session timeout to "on refresh", when policy is set to "on system locked", but not available.

* don't display policy message when the policy does not affect available timeout options

* 8 hours default when changing from non-numeric timeout to Custom.

* failing unit test

* missing locales, changing functions access to private, docs

* removal of redundant magic number

* missing await

* await once for available timeout options

* adjusted messaging

* unit test coverage

* vault timeout numeric module exports

* unit test coverage
Maciej Zieniuk
2025-12-05 14:55:59 +01:00
committed by GitHub
parent c036ffd775
commit bbea11388a
48 changed files with 3344 additions and 569 deletions


@@ -0,0 +1,15 @@
import { SessionTimeoutTypeService } from "@bitwarden/common/key-management/session-timeout";
import {
VaultTimeout,
VaultTimeoutStringType,
} from "@bitwarden/common/key-management/vault-timeout";
export class CliSessionTimeoutTypeService implements SessionTimeoutTypeService {
async isAvailable(timeout: VaultTimeout): Promise<boolean> {
return timeout === VaultTimeoutStringType.Never;
}
async getOrPromoteToAvailable(_: VaultTimeout): Promise<VaultTimeout> {
return VaultTimeoutStringType.Never;
}
}
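Review bot: `getOrPromoteToAvailable` discards its argument (named `_`) and always returns `VaultTimeoutStringType.Never`, so on the CLI any timeout handed in, including one derived from an organization's session timeout policy, resolves to the least restrictive value, and nothing in the class says this is deliberate. Presumably the CLI has no timer-based lock and "never" is the only timeout it can honour, but that is an inference from this file alone. I would state it in a TSDoc comment on the class, for example `/** The CLI supports only the "never" timeout; policy-requested timeouts cannot be applied here and are promoted to "never". */`, so a later reader does not assume the policy enforcement added by this commit covers CLI sessions. A short `@returns` line on each method would also make the asymmetry with `isAvailable` explicit: it accepts only `Never`, while promotion maps every input to `Never`.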


@@ -211,6 +211,7 @@ import {
import { CliBiometricsService } from "../key-management/cli-biometrics-service";
import { CliProcessReloadService } from "../key-management/cli-process-reload.service";
import { CliSessionTimeoutTypeService } from "../key-management/session-timeout/services/cli-session-timeout-type.service";
import { flagEnabled } from "../platform/flags";
import { CliPlatformUtilsService } from "../platform/services/cli-platform-utils.service";
import { CliSdkLoadService } from "../platform/services/cli-sdk-load.service";
@@ -529,6 +530,8 @@ export class ServiceContainer {
this.accountService,
);
const sessionTimeoutTypeService = new CliSessionTimeoutTypeService();
this.vaultTimeoutSettingsService = new DefaultVaultTimeoutSettingsService(
this.accountService,
pinStateService,
@@ -540,6 +543,7 @@ export class ServiceContainer {
this.stateProvider,
this.logService,
VaultTimeoutStringType.Never, // default vault timeout
sessionTimeoutTypeService,
);
const refreshAccessTokenErrorCallback = () => {