avoid using the SDK to decrypt attachments for emergency access (#16293)

- The SDK does not have emergency access functionality built in at this point.
2025-12-06 00:13:28 +00:00 · 2025-09-04 14:31:52 -05:00
parent bff18a8cd2
commit ca9b531571
3 changed files with 11 additions and 1 deletions
--- a/libs/common/src/vault/abstractions/cipher.service.ts
+++ b/libs/common/src/vault/abstractions/cipher.service.ts
@@ -257,6 +257,10 @@ export abstract class CipherService implements UserKeyRotationDataProvider<Ciphe
   * @param attachment The attachment view object
   * @param response The response object containing the encrypted content
   * @param userId The user ID whose key will be used for decryption
+   * @param useLegacyDecryption When true, forces the use of the legacy decryption method
+   * even when the SDK feature is enabled. This is helpful for domains of
+   * the application that have yet to be moved into the SDK, i.e. emergency access.
+   * TODO: PM-25469 - this should be obsolete once emergency access is moved to the SDK.
   *
   * @returns A promise that resolves to the decrypted content
   */
@@ -265,6 +269,7 @@ export abstract class CipherService implements UserKeyRotationDataProvider<Ciphe
    attachment: AttachmentView,
    response: Response,
    userId: UserId,
+    useLegacyDecryption?: boolean,
  ): Promise<Uint8Array | null>;

  /**
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -1544,11 +1544,13 @@ export class CipherService implements CipherServiceAbstraction {
    return encryptedCiphers;
  }

+  /** @inheritdoc */
  async getDecryptedAttachmentBuffer(
    cipherId: CipherId,
    attachment: AttachmentView,
    response: Response,
    userId: UserId,
+    useLegacyDecryption?: boolean,
  ): Promise<Uint8Array> {
    const useSdkDecryption = await this.configService.getFeatureFlag(
      FeatureFlag.PM19941MigrateCipherDomainToSdk,
@@ -1558,7 +1560,7 @@ export class CipherService implements CipherServiceAbstraction {
      this.ciphers$(userId).pipe(map((ciphersData) => new Cipher(ciphersData[cipherId]))),
    );

-    if (useSdkDecryption) {
+    if (useSdkDecryption && !useLegacyDecryption) {
      const encryptedContent = await response.arrayBuffer();
      return this.cipherEncryptionService.decryptAttachmentContent(
        cipherDomain,
--- a/libs/vault/src/components/download-attachment/download-attachment.component.ts
+++ b/libs/vault/src/components/download-attachment/download-attachment.component.ts
@@ -92,6 +92,9 @@ export class DownloadAttachmentComponent {
        this.attachment,
        response,
        userId,
+        // When the emergency access ID is present, the cipher is being viewed via emergency access.
+        // Force legacy decryption in these cases.
+        this.emergencyAccessId ? true : false,
      );

      this.fileDownloadService.download({