Auth/PM-7235 - Refactor AuthService.getAuthStatus, deprecate everBeenUnlocked, and handle initialization of auto user key on client init (#8590)

* PM-7235 - AuthSvc - Refactor getAuthStatus to simply use the cryptoService.hasUserKey check to determine the user's auth status.

* PM-7235 - CryptoSvc - getUserKey - remove setUserKey side effect if auto key is stored. Will move to app init

* PM-7235 - For each client init service, add setUserKeyInMemoryIfAutoUserKeySet logic

* PM-7235 - CryptoSvc tests - remove uncessary test.

* PM-7235 - Create UserKeyInitService and inject into all init services with new listening logic to support acct switching.

* PM-7235 - UserKeyInitSvc - minor refactor of setUserKeyInMemoryIfAutoUserKeySet

* PM-7235 - Add test suite for UserKeyInitService

* PM-7235 - Remove everBeenUnlocked as it is no longer needed

* PM-7235 - Fix tests

* PM-7235 - UserKeyInitSvc - per PR feedback, add error handling to protect observable stream from being cancelled in case of an error

* PM-7235 - Fix tests

* Update libs/common/src/platform/services/user-key-init.service.ts

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* Update libs/common/src/platform/services/user-key-init.service.ts

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

* PM-7235 - AuthSvc - Per PR review, for getAuthStatus, only check user key existence in memory.

* PM-7235 - remove not useful test per PR feedback.

* PM-7235 - Per PR feedback, update cryptoService.hasUserKey to only check memory for the user key.

* PM-7235 - Per PR feedback, move user key init service listener to main.background instead of init service

* PM-7235 - UserKeyInitSvc tests - fix tests to plass

---------

Co-authored-by: Matt Gibson <mgibson@bitwarden.com>

libs/common/src/platform/abstractions/state.service.ts

@@ -148,8 +148,6 @@ export abstract class StateService<T extends Account = Account> {
    * @deprecated For migration purposes only, use setEncryptedUserKeyPin instead
    */
   setEncryptedPinProtected: (value: string, options?: StorageOptions) => Promise<void>;
-  getEverBeenUnlocked: (options?: StorageOptions) => Promise<boolean>;
-  setEverBeenUnlocked: (value: boolean, options?: StorageOptions) => Promise<void>;
   getIsAuthenticated: (options?: StorageOptions) => Promise<boolean>;
   getKdfConfig: (options?: StorageOptions) => Promise<KdfConfig>;
   setKdfConfig: (kdfConfig: KdfConfig, options?: StorageOptions) => Promise<void>;

libs/common/src/platform/models/domain/account.ts

@@ -126,7 +126,6 @@ export class AccountProfile {
   name?: string;
   email?: string;
   emailVerified?: boolean;
-  everBeenUnlocked?: boolean;
   lastSync?: string;
   userId?: string;
   kdfIterations?: number;

libs/common/src/platform/services/crypto.service.spec.ts

@@ -91,21 +91,7 @@ describe("cryptoService", () => {
       expect(userKey).toEqual(mockUserKey);
     });
 
-    it("sets from the Auto key if the User Key if not set", async () => {
-      const autoKeyB64 =
-        "IT5cA1i5Hncd953pb00E58D2FqJX+fWTj4AvoI67qkGHSQPgulAqKv+LaKRAo9Bg0xzP9Nw00wk4TqjMmGSM+g==";
-      stateService.getUserKeyAutoUnlock.mockResolvedValue(autoKeyB64);
-      const setKeySpy = jest.spyOn(cryptoService, "setUserKey");
-
-      const userKey = await cryptoService.getUserKey(mockUserId);
-
-      expect(setKeySpy).toHaveBeenCalledWith(expect.any(SymmetricCryptoKey), mockUserId);
-      expect(setKeySpy).toHaveBeenCalledTimes(1);
-
-      expect(userKey.keyB64).toEqual(autoKeyB64);
-    });
-
-    it("returns nullish if there is no auto key and the user key is not set", async () => {
+    it("returns nullish if the user key is not set", async () => {
       const userKey = await cryptoService.getUserKey(mockUserId);
 
       expect(userKey).toBeFalsy();
@@ -147,17 +133,6 @@ describe("cryptoService", () => {
     },
   );
 
-  describe("hasUserKey", () => {
-    it.each([true, false])(
-      "returns %s when the user key is not in memory, but the auto key is set",
-      async (hasKey) => {
-        stateProvider.singleUser.getFake(mockUserId, USER_KEY).nextState(null);
-        cryptoService.hasUserKeyStored = jest.fn().mockResolvedValue(hasKey);
-        expect(await cryptoService.hasUserKey(mockUserId)).toBe(hasKey);
-      },
-    );
-  });
-
   describe("getUserKeyWithLegacySupport", () => {
     let mockUserKey: UserKey;
     let mockMasterKey: MasterKey;

libs/common/src/platform/services/crypto.service.ts

@@ -164,19 +164,8 @@ export class CryptoService implements CryptoServiceAbstraction {
   }
 
   async getUserKey(userId?: UserId): Promise<UserKey> {
-    let userKey = await firstValueFrom(this.stateProvider.getUserState$(USER_KEY, userId));
-    if (userKey) {
-      return userKey;
-    }
-
-    // If the user has set their vault timeout to 'Never', we can load the user key from storage
-    if (await this.hasUserKeyStored(KeySuffixOptions.Auto, userId)) {
-      userKey = await this.getKeyFromStorage(KeySuffixOptions.Auto, userId);
-      if (userKey) {
-        await this.setUserKey(userKey, userId);
-        return userKey;
-      }
-    }
+    const userKey = await firstValueFrom(this.stateProvider.getUserState$(USER_KEY, userId));
+    return userKey;
   }
 
   async isLegacyUser(masterKey?: MasterKey, userId?: UserId): Promise<boolean> {
@@ -217,10 +206,7 @@ export class CryptoService implements CryptoServiceAbstraction {
     if (userId == null) {
       return false;
     }
-    return (
-      (await this.hasUserKeyInMemory(userId)) ||
-      (await this.hasUserKeyStored(KeySuffixOptions.Auto, userId))
-    );
+    return await this.hasUserKeyInMemory(userId);
   }
 
   async hasUserKeyInMemory(userId?: UserId): Promise<boolean> {

libs/common/src/platform/services/state.service.ts

@@ -634,24 +634,6 @@ export class StateService<
     );
   }
 
-  async getEverBeenUnlocked(options?: StorageOptions): Promise<boolean> {
-    return (
-      (await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions())))
-        ?.profile?.everBeenUnlocked ?? false
-    );
-  }
-
-  async setEverBeenUnlocked(value: boolean, options?: StorageOptions): Promise<void> {
-    const account = await this.getAccount(
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-    account.profile.everBeenUnlocked = value;
-    await this.saveAccount(
-      account,
-      this.reconcileOptions(options, await this.defaultInMemoryOptions()),
-    );
-  }
-
   async getIsAuthenticated(options?: StorageOptions): Promise<boolean> {
     return (
       (await this.tokenService.getAccessToken(options?.userId as UserId)) != null &&

libs/common/src/platform/services/user-key-init.service.spec.ts

@@ -0,0 +1,162 @@
+import { mock } from "jest-mock-extended";
+
+import { FakeAccountService, mockAccountServiceWith } from "../../../spec";
+import { CsprngArray } from "../../types/csprng";
+import { UserId } from "../../types/guid";
+import { UserKey } from "../../types/key";
+import { LogService } from "../abstractions/log.service";
+import { KeySuffixOptions } from "../enums";
+import { Utils } from "../misc/utils";
+import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+
+import { CryptoService } from "./crypto.service";
+import { UserKeyInitService } from "./user-key-init.service";
+
+describe("UserKeyInitService", () => {
+  let userKeyInitService: UserKeyInitService;
+
+  const mockUserId = Utils.newGuid() as UserId;
+
+  const accountService: FakeAccountService = mockAccountServiceWith(mockUserId);
+
+  const cryptoService = mock<CryptoService>();
+  const logService = mock<LogService>();
+
+  beforeEach(() => {
+    userKeyInitService = new UserKeyInitService(accountService, cryptoService, logService);
+  });
+
+  describe("listenForActiveUserChangesToSetUserKey()", () => {
+    it("calls setUserKeyInMemoryIfAutoUserKeySet if there is an active user", () => {
+      // Arrange
+      accountService.activeAccountSubject.next({
+        id: mockUserId,
+        name: "name",
+        email: "email",
+      });
+
+      (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet = jest.fn();
+
+      // Act
+
+      const subscription = userKeyInitService.listenForActiveUserChangesToSetUserKey();
+
+      // Assert
+
+      expect(subscription).not.toBeFalsy();
+
+      expect((userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet).toHaveBeenCalledWith(
+        mockUserId,
+      );
+    });
+
+    it("calls setUserKeyInMemoryIfAutoUserKeySet if there is an active user and tracks subsequent emissions", () => {
+      // Arrange
+      accountService.activeAccountSubject.next({
+        id: mockUserId,
+        name: "name",
+        email: "email",
+      });
+
+      const mockUser2Id = Utils.newGuid() as UserId;
+
+      jest
+        .spyOn(userKeyInitService as any, "setUserKeyInMemoryIfAutoUserKeySet")
+        .mockImplementation(() => Promise.resolve());
+
+      // Act
+
+      const subscription = userKeyInitService.listenForActiveUserChangesToSetUserKey();
+
+      accountService.activeAccountSubject.next({
+        id: mockUser2Id,
+        name: "name",
+        email: "email",
+      });
+
+      // Assert
+
+      expect(subscription).not.toBeFalsy();
+
+      expect((userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet).toHaveBeenCalledTimes(
+        2,
+      );
+
+      expect(
+        (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet,
+      ).toHaveBeenNthCalledWith(1, mockUserId);
+      expect(
+        (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet,
+      ).toHaveBeenNthCalledWith(2, mockUser2Id);
+
+      subscription.unsubscribe();
+    });
+
+    it("does not call setUserKeyInMemoryIfAutoUserKeySet if there is not an active user", () => {
+      // Arrange
+      accountService.activeAccountSubject.next(null);
+
+      (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet = jest.fn();
+
+      // Act
+
+      const subscription = userKeyInitService.listenForActiveUserChangesToSetUserKey();
+
+      // Assert
+
+      expect(subscription).not.toBeFalsy();
+
+      expect(
+        (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet,
+      ).not.toHaveBeenCalledWith(mockUserId);
+    });
+  });
+
+  describe("setUserKeyInMemoryIfAutoUserKeySet", () => {
+    it("does nothing if the userId is null", async () => {
+      // Act
+      await (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet(null);
+
+      // Assert
+      expect(cryptoService.getUserKeyFromStorage).not.toHaveBeenCalled();
+      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+    });
+
+    it("does nothing if the autoUserKey is null", async () => {
+      // Arrange
+      const userId = mockUserId;
+
+      cryptoService.getUserKeyFromStorage.mockResolvedValue(null);
+
+      // Act
+      await (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet(userId);
+
+      // Assert
+      expect(cryptoService.getUserKeyFromStorage).toHaveBeenCalledWith(
+        KeySuffixOptions.Auto,
+        userId,
+      );
+      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+    });
+
+    it("sets the user key in memory if the autoUserKey is not null", async () => {
+      // Arrange
+      const userId = mockUserId;
+
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      const mockAutoUserKey: UserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+
+      cryptoService.getUserKeyFromStorage.mockResolvedValue(mockAutoUserKey);
+
+      // Act
+      await (userKeyInitService as any).setUserKeyInMemoryIfAutoUserKeySet(userId);
+
+      // Assert
+      expect(cryptoService.getUserKeyFromStorage).toHaveBeenCalledWith(
+        KeySuffixOptions.Auto,
+        userId,
+      );
+      expect(cryptoService.setUserKey).toHaveBeenCalledWith(mockAutoUserKey, userId);
+    });
+  });
+});

libs/common/src/platform/services/user-key-init.service.ts

@@ -0,0 +1,57 @@
+import { EMPTY, Subscription, catchError, filter, from, switchMap } from "rxjs";
+
+import { AccountService } from "../../auth/abstractions/account.service";
+import { UserId } from "../../types/guid";
+import { CryptoService } from "../abstractions/crypto.service";
+import { LogService } from "../abstractions/log.service";
+import { KeySuffixOptions } from "../enums";
+
+// TODO: this is a half measure improvement which allows us to reduce some side effects today (cryptoService.getUserKey setting user key in memory if auto key exists)
+// but ideally, in the future, we would be able to put this logic into the cryptoService
+// after the vault timeout settings service is transitioned to state provider so that
+// the getUserKey logic can simply go to the correct location based on the vault timeout settings
+// similar to the TokenService (it would either go to secure storage for the auto user key or memory for the user key)
+
+export class UserKeyInitService {
+  constructor(
+    private accountService: AccountService,
+    private cryptoService: CryptoService,
+    private logService: LogService,
+  ) {}
+
+  // Note: must listen for changes to support account switching
+  listenForActiveUserChangesToSetUserKey(): Subscription {
+    return this.accountService.activeAccount$
+      .pipe(
+        filter((activeAccount) => activeAccount != null),
+        switchMap((activeAccount) =>
+          from(this.setUserKeyInMemoryIfAutoUserKeySet(activeAccount?.id)).pipe(
+            catchError((err: unknown) => {
+              this.logService.warning(
+                `setUserKeyInMemoryIfAutoUserKeySet failed with error: ${err}`,
+              );
+              // Returning EMPTY to protect observable chain from cancellation in case of error
+              return EMPTY;
+            }),
+          ),
+        ),
+      )
+      .subscribe();
+  }
+
+  private async setUserKeyInMemoryIfAutoUserKeySet(userId: UserId) {
+    if (userId == null) {
+      return;
+    }
+
+    const autoUserKey = await this.cryptoService.getUserKeyFromStorage(
+      KeySuffixOptions.Auto,
+      userId,
+    );
+    if (autoUserKey == null) {
+      return;
+    }
+
+    await this.cryptoService.setUserKey(autoUserKey, userId);
+  }
+}