mirror of https://github.com/bitwarden/browser synced 2026-03-02 03:21:19 +00:00

Innovation/opaque grant validator (#13918)

* Add grant validator

* Fix 2fa

* Set active endpoint
Bernd Schoolmann
2025-03-20 15:13:02 +01:00
committed by GitHub
parent b6c2eb7d82
commit c84be3eb22
10 changed files with 72 additions and 12 deletions


@@ -8,13 +8,13 @@ import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/mod
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { OpaqueTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/opaque-token.request";
import { PasswordTokenRequest } from "@bitwarden/common/auth/models/request/identity-token/password-token.request";
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
import { IdentityCaptchaResponse } from "@bitwarden/common/auth/models/response/identity-captcha.response";
import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/models/response/identity-device-verification.response";
import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
import { OpaqueCipherConfiguration } from "@bitwarden/common/auth/opaque/models/opaque-cipher-configuration";
import { OpaqueKeyExchangeService } from "@bitwarden/common/auth/opaque/opaque-key-exchange.service";
import { HashPurpose } from "@bitwarden/common/platform/enums";
import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
@@ -49,7 +49,7 @@ export class OpaqueLoginStrategyData implements LoginStrategyData {
static fromJSON(obj: Jsonify<OpaqueLoginStrategyData>): OpaqueLoginStrategyData {
const data = Object.assign(new OpaqueLoginStrategyData(), obj, {
tokenRequest: PasswordTokenRequest.fromJSON(obj.tokenRequest),
tokenRequest: OpaqueTokenRequest.fromJSON(obj.tokenRequest),
masterKey: SymmetricCryptoKey.fromJSON(obj.masterKey),
});
return data;
@@ -76,6 +76,7 @@ export class OpaqueLoginStrategy extends BaseLoginStrategy {
data: OpaqueLoginStrategyData,
private passwordStrengthService: PasswordStrengthServiceAbstraction,
private policyService: PolicyService,
private opaqueKeyExchangeService: OpaqueKeyExchangeService,
...sharedDeps: ConstructorParameters<typeof BaseLoginStrategy>
) {
super(...sharedDeps);
@@ -87,8 +88,15 @@ export class OpaqueLoginStrategy extends BaseLoginStrategy {
}
override async logIn(credentials: OpaqueLoginCredentials) {
this.logService.info("Logging in with OPAQUE");
const { email, masterPassword, kdfConfig, cipherConfiguration, twoFactor } = credentials;
const { sessionId } = await this.opaqueKeyExchangeService.login(
email,
masterPassword,
OpaqueCipherConfiguration.fromAny(cipherConfiguration),
);
const data = new OpaqueLoginStrategyData();
data.userEnteredEmail = email;
@@ -109,6 +117,7 @@ export class OpaqueLoginStrategy extends BaseLoginStrategy {
data.tokenRequest = new OpaqueTokenRequest(
email,
await this.buildTwoFactor(twoFactor, email),
sessionId,
await this.buildDeviceRequest(),
);
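Review bot: In `logIn`, `OpaqueCipherConfiguration.fromAny(cipherConfiguration)` goes straight into `opaqueKeyExchangeService.login` with no visible check on where the configuration came from or what it allows. If it is taken from a server pre-login response, the client should refuse unsupported suites and key-stretching parameters below a fixed minimum before the master password enters the exchange. `fromAny` is defined outside this page and may already do that, in which case a comment such as `// fromAny throws on unsupported or below-minimum parameters` (once confirmed) would save the next reader the lookup. The destructured `sessionId` is likewise handed to `new OpaqueTokenRequest(...)` unchecked, so a guard like `if (!sessionId) { throw new Error("OPAQUE login returned no session id"); }` would fail closer to the cause. The body of `logIn` continues outside the hunks shown.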


@@ -303,7 +303,12 @@ export class PasswordLoginStrategy extends BaseLoginStrategy {
);
try {
await this.opaqueKeyExchangeService.register(masterPassword, userKey, cipherConfig);
const sessionId = await this.opaqueKeyExchangeService.register(
masterPassword,
userKey,
cipherConfig,
);
await this.opaqueKeyExchangeService.setRegistrationActive(sessionId);
} catch (error) {
// If this process fails for any reason, we don't want to stop the login process
// so just log the error and continue.
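Review bot: `register` and `setRegistrationActive(sessionId)` share one `try`, and the `catch` below is documented as log-and-continue, so a failure in the second call leaves a registration that was created but never activated, with nothing here to tell the two failures apart or to retry. Consider a distinct log message per step, or at least a comment such as `// A failed activation leaves an inactive registration; the next password login registers again`, if that is in fact the server's behaviour. The catch body lies outside the hunk, so it is worth confirming that what it logs is limited to the error message and carries nothing derived from `masterPassword` or `userKey`.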


@@ -433,6 +433,7 @@ export class LoginStrategyService implements LoginStrategyServiceAbstraction {
data?.opaque ?? new OpaqueLoginStrategyData(),
this.passwordStrengthService,
this.policyService,
this.opaqueKeyExchangeService,
...sharedDeps,
);
default: