Merge branch 'main' into ps/extension-refresh

2026-02-25 00:53:22 +00:00 · 2024-08-01 11:30:47 -04:00
parent a37f91277c ffc9022f54
commit ff6fa36c41
38 changed files with 506 additions and 127 deletions
--- a/apps/desktop/src/auth/lock.component.ts
+++ b/apps/desktop/src/auth/lock.component.ts
@@ -40,6 +40,7 @@ export class LockComponent extends BaseLockComponent {
  protected biometricReady = false;
  private biometricAsked = false;
  private autoPromptBiometric = false;
+  private timerId: any;

  constructor(
    masterPasswordService: InternalMasterPasswordServiceAbstraction,
@@ -135,11 +136,18 @@ export class LockComponent extends BaseLockComponent {
      });
    });
    this.messagingService.send("getWindowIsFocused");
+
+    // start background listener until destroyed on interval
+    this.timerId = setInterval(async () => {
+      this.supportsBiometric = await this.platformUtilsService.supportsBiometric();
+      this.biometricReady = await this.canUseBiometric();
+    }, 1000);
  }

  ngOnDestroy() {
    super.ngOnDestroy();
    this.broadcasterService.unsubscribe(BroadcasterSubscriptionId);
+    clearInterval(this.timerId);
  }

  onWindowHidden() {
--- a/apps/desktop/src/main.ts
+++ b/apps/desktop/src/main.ts
@@ -39,6 +39,7 @@ import { MainCryptoFunctionService } from "./platform/main/main-crypto-function.
 import { DesktopSettingsService } from "./platform/services/desktop-settings.service";
 import { ElectronLogMainService } from "./platform/services/electron-log.main.service";
 import { ElectronStorageService } from "./platform/services/electron-storage.service";
+import { EphemeralValueStorageService } from "./platform/services/ephemeral-value-storage.main.service";
 import { I18nMainService } from "./platform/services/i18n.main.service";
 import { ElectronMainMessagingService } from "./services/electron-main-messaging.service";
 import { isMacAppStore } from "./utils";
@@ -224,6 +225,8 @@ export class Main {

    this.clipboardMain = new ClipboardMain();
    this.clipboardMain.init();
+
+    new EphemeralValueStorageService();
  }

  bootstrap() {
--- a/apps/desktop/src/platform/preload.ts
+++ b/apps/desktop/src/platform/preload.ts
@@ -99,6 +99,14 @@ const crypto = {
    ipcRenderer.invoke("crypto.argon2", { password, salt, iterations, memory, parallelism }),
 };

+const ephemeralStore = {
+  setEphemeralValue: (key: string, value: string): Promise<void> =>
+    ipcRenderer.invoke("setEphemeralValue", { key, value }),
+  getEphemeralValue: (key: string): Promise<string> => ipcRenderer.invoke("getEphemeralValue", key),
+  removeEphemeralValue: (key: string): Promise<void> =>
+    ipcRenderer.invoke("deleteEphemeralValue", key),
+};
+
 export default {
  versions: {
    app: (): Promise<string> => ipcRenderer.invoke("appVersion"),
@@ -156,6 +164,7 @@ export default {
  powermonitor,
  nativeMessaging,
  crypto,
+  ephemeralStore,
 };

 function deviceType(): DeviceType {
--- a/apps/desktop/src/platform/services/ephemeral-value-storage.main.service.ts
+++ b/apps/desktop/src/platform/services/ephemeral-value-storage.main.service.ts
@@ -0,0 +1,21 @@
+import { ipcMain } from "electron";
+
+/**
+ * The ephemeral value store holds values that should be accessible to the renderer past a process reload.
+ * In the current state, this store must not contain any keys that can decrypt a vault by themselves.
+ */
+export class EphemeralValueStorageService {
+  private ephemeralValues = new Map<string, string>();
+
+  constructor() {
+    ipcMain.handle("setEphemeralValue", async (event, { key, value }) => {
+      this.ephemeralValues.set(key, value);
+    });
+    ipcMain.handle("getEphemeralValue", async (event, key: string) => {
+      return this.ephemeralValues.get(key);
+    });
+    ipcMain.handle("deleteEphemeralValue", async (event, key: string) => {
+      this.ephemeralValues.delete(key);
+    });
+  }
+}
--- a/apps/desktop/src/services/native-messaging.service.ts
+++ b/apps/desktop/src/services/native-messaging.service.ts
@@ -3,7 +3,6 @@ import { firstValueFrom, map } from "rxjs";

 import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
-import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -30,8 +29,6 @@ const HashAlgorithmForAsymmetricEncryption = "sha1";

@Injectable()
 export class NativeMessagingService {
-  private sharedSecrets = new Map<string, SymmetricCryptoKey>();
-
  constructor(
    private cryptoFunctionService: CryptoFunctionService,
    private cryptoService: CryptoService,
@@ -104,7 +101,7 @@ export class NativeMessagingService {
      return;
    }

-    if (this.sharedSecrets.get(appId) == null) {
+    if ((await ipc.platform.ephemeralStore.getEphemeralValue(appId)) == null) {
      ipc.platform.nativeMessaging.sendMessage({
        command: "invalidateEncryption",
        appId: appId,
@@ -115,7 +112,7 @@ export class NativeMessagingService {
    const message: LegacyMessage = JSON.parse(
      await this.cryptoService.decryptToUtf8(
        rawMessage as EncString,
-        this.sharedSecrets.get(appId),
+        SymmetricCryptoKey.fromString(await ipc.platform.ephemeralStore.getEphemeralValue(appId)),
      ),
    );

@@ -147,11 +144,6 @@ export class NativeMessagingService {
          return this.send({ command: "biometricUnlock", response: "not unlocked" }, appId);
        }

-        const authStatus = await firstValueFrom(this.authService.authStatusFor$(userId));
-        if (authStatus !== AuthenticationStatus.Unlocked) {
-          return this.send({ command: "biometricUnlock", response: "not unlocked" }, appId);
-        }
-
        const biometricUnlockPromise =
          message.userId == null
            ? firstValueFrom(this.biometricStateService.biometricUnlockEnabled$)
@@ -185,6 +177,7 @@ export class NativeMessagingService {
              },
              appId,
            );
+            await ipc.platform.reloadProcess();
          } else {
            await this.send({ command: "biometricUnlock", response: "canceled" }, appId);
          }
@@ -205,7 +198,7 @@ export class NativeMessagingService {

    const encrypted = await this.cryptoService.encrypt(
      JSON.stringify(message),
-      this.sharedSecrets.get(appId),
+      SymmetricCryptoKey.fromString(await ipc.platform.ephemeralStore.getEphemeralValue(appId)),
    );

    ipc.platform.nativeMessaging.sendMessage({ appId: appId, message: encrypted });
@@ -213,7 +206,10 @@ export class NativeMessagingService {

  private async secureCommunication(remotePublicKey: Uint8Array, appId: string) {
    const secret = await this.cryptoFunctionService.randomBytes(64);
-    this.sharedSecrets.set(appId, new SymmetricCryptoKey(secret));
+    await ipc.platform.ephemeralStore.setEphemeralValue(
+      appId,
+      new SymmetricCryptoKey(secret).keyB64,
+    );

    const encryptedSecret = await this.cryptoFunctionService.rsaEncrypt(
      secret,