bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-19 09:43:23 +00:00
Code Issues Releases Wiki Activity

Auth/pm 8882/Add TDE Logging (#9673)

Browse Source 
* Added logging behind feature flag.

* Added default for new flag.

* Additional logging changes.

* Consolidated log messages.

* Removed unneccessary log.

* Fixed test error.

* Fixed linting.

* Fixed constructor on test.

* Updated to remove flag

* Moved service.

* Added logging to redirect guard.
This commit is contained in:
Todd Martin
2024-06-17 12:37:05 -04:00
committed by GitHub
parent 6f91ecf41b
commit fe1c432e03
3 changed files with 52 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
libs/angular/src/auth/guards/tde-decryption-required.guard.ts
View File

@@ -11,6 +11,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
/**
* Only allow access to this route if the vault is locked and has never been decrypted.
@@ -23,15 +24,30 @@ export function tdeDecryptionRequiredGuard(): CanActivateFn {
const authService = inject(AuthService);
const cryptoService = inject(CryptoService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(cryptoService.everHadUserKey$);
// We need to determine if we should bypass the decryption options and send the user to the vault.
// The ONLY time that we want to send a user to the decryption options is when:
// 1. The user's auth status is Locked, AND
// 2. TDE is enabled, AND
// 3. The user has never had a user key in state since last logout.
// The inverse of this is when we should send the user to the vault.
if (authStatus !== AuthenticationStatus.Locked || !tdeEnabled || everHadUserKey) {
return router.createUrlTree(["/"]);
}
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return true;
};
}