Specify clearOn options for platform services (#8584)

* Use UserKeys in biometric state * Remove global clear todo. Answer is never * User UserKeys in crypto state * Clear userkey on both lock and logout via User Key Definitions * Use UserKeyDefinitions in environment service * Rely on userKeyDefinition to clear org keys * Rely on userKeyDefinition to clear provider keys * Rely on userKeyDefinition to clear user keys * Rely on userKeyDefinitions to clear user asym key pair
2025-12-20 02:03:39 +00:00 · 2024-04-09 10:17:00 -05:00
parent aefea43fff
commit c02723d6a6
15 changed files with 169 additions and 365 deletions
--- a/libs/common/src/platform/biometrics/biometric.state.spec.ts
+++ b/libs/common/src/platform/biometrics/biometric.state.spec.ts
@@ -1,5 +1,5 @@
 import { EncryptedString } from "../models/domain/enc-string";
-import { KeyDefinition } from "../state";
+import { KeyDefinition, UserKeyDefinition } from "../state";

 import {
  BIOMETRIC_UNLOCK_ENABLED,
@@ -22,9 +22,15 @@ describe.each([
 ])(
  "deserializes state %s",
  (
-    ...args: [KeyDefinition<EncryptedString>, EncryptedString] | [KeyDefinition<boolean>, boolean]
+    ...args:
+      | [UserKeyDefinition<EncryptedString>, EncryptedString]
+      | [UserKeyDefinition<boolean>, boolean]
+      | [KeyDefinition<boolean>, boolean]
  ) => {
-    function testDeserialization<T>(keyDefinition: KeyDefinition<T>, state: T) {
+    function testDeserialization<T>(
+      keyDefinition: UserKeyDefinition<T> | KeyDefinition<T>,
+      state: T,
+    ) {
      const deserialized = keyDefinition.deserializer(JSON.parse(JSON.stringify(state)));
      expect(deserialized).toEqual(state);
    }
--- a/libs/common/src/platform/biometrics/biometric.state.ts
+++ b/libs/common/src/platform/biometrics/biometric.state.ts
@@ -1,15 +1,16 @@
 import { UserId } from "../../types/guid";
 import { EncryptedString } from "../models/domain/enc-string";
-import { KeyDefinition, BIOMETRIC_SETTINGS_DISK } from "../state";
+import { KeyDefinition, BIOMETRIC_SETTINGS_DISK, UserKeyDefinition } from "../state";

 /**
 * Indicates whether the user elected to store a biometric key to unlock their vault.
 */
-export const BIOMETRIC_UNLOCK_ENABLED = new KeyDefinition<boolean>(
+export const BIOMETRIC_UNLOCK_ENABLED = new UserKeyDefinition<boolean>(
  BIOMETRIC_SETTINGS_DISK,
  "biometricUnlockEnabled",
  {
    deserializer: (obj) => obj,
+    clearOn: [],
  },
 );

@@ -18,11 +19,12 @@ export const BIOMETRIC_UNLOCK_ENABLED = new KeyDefinition<boolean>(
 *
 * A true setting controls whether {@link ENCRYPTED_CLIENT_KEY_HALF} is set.
 */
-export const REQUIRE_PASSWORD_ON_START = new KeyDefinition<boolean>(
+export const REQUIRE_PASSWORD_ON_START = new UserKeyDefinition<boolean>(
  BIOMETRIC_SETTINGS_DISK,
  "requirePasswordOnStart",
  {
    deserializer: (value) => value,
+    clearOn: [],
  },
 );

@@ -33,11 +35,12 @@ export const REQUIRE_PASSWORD_ON_START = new KeyDefinition<boolean>(
 * For operating systems without application-level key storage, this key half is concatenated with a signature
 * provided by the OS and used to encrypt the biometric key prior to storage.
 */
-export const ENCRYPTED_CLIENT_KEY_HALF = new KeyDefinition<EncryptedString>(
+export const ENCRYPTED_CLIENT_KEY_HALF = new UserKeyDefinition<EncryptedString>(
  BIOMETRIC_SETTINGS_DISK,
  "clientKeyHalf",
  {
    deserializer: (obj) => obj,
+    clearOn: ["logout"],
  },
 );

@@ -45,11 +48,12 @@ export const ENCRYPTED_CLIENT_KEY_HALF = new KeyDefinition<EncryptedString>(
 * Indicates the user has been warned about the security implications of using biometrics and, depending on the OS,
 * recommended to require a password on first unlock of an application instance.
 */
-export const DISMISSED_REQUIRE_PASSWORD_ON_START_CALLOUT = new KeyDefinition<boolean>(
+export const DISMISSED_REQUIRE_PASSWORD_ON_START_CALLOUT = new UserKeyDefinition<boolean>(
  BIOMETRIC_SETTINGS_DISK,
  "dismissedBiometricRequirePasswordOnStartCallout",
  {
    deserializer: (obj) => obj,
+    clearOn: [],
  },
 );

@@ -68,11 +72,12 @@ export const PROMPT_CANCELLED = KeyDefinition.record<boolean, UserId>(
 /**
 * Stores whether the user has elected to automatically prompt for biometric unlock on application start.
 */
-export const PROMPT_AUTOMATICALLY = new KeyDefinition<boolean>(
+export const PROMPT_AUTOMATICALLY = new UserKeyDefinition<boolean>(
  BIOMETRIC_SETTINGS_DISK,
  "promptAutomatically",
  {
    deserializer: (obj) => obj,
+    clearOn: [],
  },
 );