Auth/pm 8882/Add TDE Logging (#9673)

* Added logging behind feature flag. * Added default for new flag. * Additional logging changes. * Consolidated log messages. * Removed unneccessary log. * Fixed test error. * Fixed linting. * Fixed constructor on test. * Updated to remove flag * Moved service. * Added logging to redirect guard.
2025-12-16 08:13:42 +00:00 · 2024-06-17 12:37:05 -04:00
parent 6f91ecf41b
commit fe1c432e03
3 changed files with 52 additions and 2 deletions
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@@ -87,12 +87,16 @@ export class SsoLoginStrategy extends LoginStrategy {

    data.userEnteredEmail = credentials.email;

+    const deviceRequest = await this.buildDeviceRequest();
+
+    this.logService.info("Logging in with appId %s.", deviceRequest.identifier);
+
    data.tokenRequest = new SsoTokenRequest(
      credentials.code,
      credentials.codeVerifier,
      credentials.redirectUrl,
      await this.buildTwoFactor(credentials.twoFactor, credentials.email),
-      await this.buildDeviceRequest(),
+      deviceRequest,
    );

    this.cache.next(data);
@@ -195,12 +199,18 @@ export class SsoLoginStrategy extends LoginStrategy {

    // Note: TDE and key connector are mutually exclusive
    if (userDecryptionOptions?.trustedDeviceOption) {
+      this.logService.info("Attempting to set user key with approved admin auth request.");
+
+      // Try to use the user key from an approved admin request if it exists.
+      // Using it will clear it from state and future requests will use the device key.
      await this.trySetUserKeyWithApprovedAdminRequestIfExists(userId);

      const hasUserKey = await this.cryptoService.hasUserKey(userId);

-      // Only try to set user key with device key if admin approval request was not successful
+      // Only try to set user key with device key if admin approval request was not successful.
      if (!hasUserKey) {
+        this.logService.info("Attempting to set user key with device key.");
+
        await this.trySetUserKeyWithDeviceKey(tokenResponse, userId);
      }
    } else if (
@@ -275,11 +285,27 @@ export class SsoLoginStrategy extends LoginStrategy {
  ): Promise<void> {
    const trustedDeviceOption = tokenResponse.userDecryptionOptions?.trustedDeviceOption;

+    if (!trustedDeviceOption) {
+      this.logService.error("Unable to set user key due to missing trustedDeviceOption.");
+      return;
+    }
+
    const deviceKey = await this.deviceTrustService.getDeviceKey(userId);
    const encDevicePrivateKey = trustedDeviceOption?.encryptedPrivateKey;
    const encUserKey = trustedDeviceOption?.encryptedUserKey;

    if (!deviceKey || !encDevicePrivateKey || !encUserKey) {
+      if (!deviceKey) {
+        await this.logService.warning("Unable to set user key due to missing device key.");
+      }
+      if (!encDevicePrivateKey) {
+        await this.logService.warning(
+          "Unable to set user key due to missing encrypted device private key.",
+        );
+      }
+      if (!encUserKey) {
+        await this.logService.warning("Unable to set user key due to missing encrypted user key.");
+      }
      return;
    }