When SSO is required:
- Make the SSO button primary
- Add a tooltip to the disabled buttons
When SSO is not required:
- SSO button remains secondary
- No tooltip on the buttons
Feature Flags enabled: pm-22110-disable-alternate-login-methods
* Resolve the dollar amount issue
* Resolve the non addition of storage amount
* Resolve the estimate tax amount
* Fix the improper tax calculation
* resolve the duplicate code
* Added changes to apply the discount only for acceptingSponsorship = true
* PM-22663 WIP on auth route constants
* PM-22663 - Convert desktop & extension to use constants - first pass
* PM-22663 - Further clean up
* PM-22663 - catch more missed routes
* PM-22663 - add barrel files
* PM-22663 - Per PR feedback, add missing as const
* PM-22663 - Per PR feedback and TS docs, use same name for const enum like and derived type. Adjusted filenames to be singular.
* PM-22663 - Per PR feedback update desktop app routing module since auto rename didn't update it for whatever reason.
* Fix feature flag check for "pm-25855-chromium-importer-abe"
The old logic actually removed all chromium support when the flag was disabled. It should only remove those browsers if the flag is disabled and when on Windows.
* Extend tests
* Update comment
* Remove duplicate test
* Add test for when device cannot be detected and throws an error
* Add descriptive comment to feature flag test case assertions
* Better test assertion
---------
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
* Add tooltip to icon button to display label
* remove legacy cdr variable
* create overlay on focus or hover
* attach describedby ids
* fix type errors
* remove aria-describedby when not necessary
* fix failing tests
* implement Claude feedback
* fixing broken specs
* remove host attr binding
* Simplify directive aria logic
* Move id to static number
* do not render empty tooltip
* pass id to tooltip component
* remove pointer-events none to allow tooltip on normal buttons
* exclude some tooltip stories
* change describedby input name
* add story with tooltip on regular button
* enhanced tooltip docs
* set model directly
* change model to input
* Session timeout policy
* default "custom" is 8 hours, validation fixes
* ownership update
* default max allowed timeout is not selected
* adjusting defaults, fixing backwards compatibility, skip type confirmation dialog when switching between the never and on system lock
* unit test coverage
* wording update, custom hours, minutes jumping on errors
* wording update
* wrong session timeout action dropdown label
* show dialog as valid when opened first time, use @for loop, use controls instead of get
* dialog static opener
* easier to understand type value listener
* unit tests
* explicit maximum allowed timeout required error
* eslint revert
• ensure extension method can accept both `blob` type and `arrayBuffer` type
• replace usage of Swift's `url.absoluteString` with `url.path`
• explicitly discard promise returned by `downloadSafari()`
• confine `data` type to `string` since all code paths assign a `string` value
* new drawer functions for crit apps
* logic for triggering the drawer functions in components
* cleanup unused logic and rename "navigation" to "action"
- ... since the click is now triggering the drawer instead of navigating to another tab/page
* null check for reportData in drawer methods
* use criticalReportResults$ to avoid duplicating logic
* use criticalReportResults$ to avoid dupe logic
* remove unused code
* Add runtime type guards for decrypted JSON data
- Create risk-insights-type-guards.ts with validation functions
- Replace unsafe type assertions with runtime validation in encryption service
- Validate ApplicationHealthReportDetail, OrganizationReportSummary, and OrganizationReportApplication
- Add detailed error messages for validation failures
- Remove TODO comments for type guard implementation
Improves security by preventing malformed data from bypassing type safety and ensures data integrity for decrypted report structures.
* test file fix
* date validation
* add runtime type guards and validation failure tests
Issue 1: Missing Test Coverage for Type Guard Validation Failures
- Create comprehensive test suite with 17 tests covering all validation scenarios
- Test invalid structures, missing fields, wrong types, and edge cases
- Verify proper error messages and validation logic for all data types
Issue 2: Silent Failure on Validation Errors (Security Concern)
- Re-throw validation errors instead of silently returning empty/default data
- Add descriptive error messages indicating potential data corruption or tampering
- Ensure all validation failures are surfaced as security issues, not swallowed
Additional Fix: Date Validation Vulnerability
- Validate date strings before creating Date objects to prevent Invalid Date (NaN)
- Throw explicit errors for unparseable date strings
- Update error handling to catch and properly surface date validation failures
* add empty string validation and sanitize error messages
- Validate array elements are non-empty strings (atRiskCipherIds, cipherIds, newApplications)
- Sanitize validation error messages to prevent information disclosure
- Log detailed errors for debugging, re-throw generic messages
- Add tests for empty string validation and error message sanitization
* add comprehensive validation for scalar strings and numeric ranges
- Validate all scalar string fields are non-empty (applicationName, userName, email, cipherId, userGuid)
- Add numeric range validation (finite, non-negative) for all count fields
- Export type guard functions for testability and reusability
- Add 19 new tests covering edge cases (empty strings, NaN, Infinity, negative numbers)
* prevent prototype pollution and unexpected property injection in type guards
- Validate object prototype is Object.prototype (prevents __proto__ attacks)
- Check for dangerous own properties (constructor, prototype)
- Strict property enumeration - reject objects with unexpected properties
- Add comprehensive security tests (prototype pollution, unexpected props)
- Protects against data tampering and information leakage
* security: always sanitize error messages to prevent information disclosure
- Remove fragile pattern matching in error handlers
- Always throw generic error messages by default
- Log detailed errors for debugging, never expose to callers
- Future-proof against validation error message changes
- Prevents disclosure of internal data structure details
Applies to all decryption/validation methods in encryption service
* security: comprehensive hardening of type validation system
CRITICAL FIXES:
- Add __proto__ to prototype pollution checks (loop-based)
- Remove conditional error sanitization (always sanitize)
SECURITY ENHANCEMENTS:
- Add integer overflow protection (Number.isSafeInteger)
- Add DoS prevention (array/string length limits: 50K/1K)
- Strengthen all 4 type guards with 10-layer validation
LIMITS:
- Max string length: 1,000 characters
- Max array length: 50,000 elements
- Max safe integer: 2^53 - 1
DOCUMENTATION:
- Update code-review-methodology.md with patterns
- Update .cursorrules with security best practices
- Create comprehensive security audit document
All 57 tests passing. No linting errors.
Defense-in-depth complete - production ready.
* fix: consolidate security constants and add upper bound validation
CRITICAL FIXES:
- Consolidate MAX_STRING_LENGTH and MAX_ARRAY_LENGTH to file level (DRY)
- Add MAX_COUNT constant (10M) for upper bound validation
- Apply upper bound checks to all 12 count fields
BENEFITS:
- Single source of truth for security limits
- Prevents business logic issues from extreme values
- Easier maintenance and updates
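The commits above describe a layered runtime type guard for decrypted report JSON (plain-object and prototype-pollution checks, strict property enumeration, non-empty strings with a length cap, safe-integer counts with a range, date validation, and error messages that are logged in detail but re-thrown generically). The following is an added example written for this page, not Bitwarden's own code: the field names of `ApplicationHealthReportDetail`, the `parseReportDetails` boundary function and the logging callback are assumptions chosen for illustration, and the limits only mirror the numbers quoted in the commit notes.

```typescript
// Added example (not the project's code). Field names, function names and the
// log callback are assumptions; the limits mirror the values quoted in the commits.
const MAX_STRING_LENGTH = 1_000;
const MAX_ARRAY_LENGTH = 50_000;
const MAX_COUNT = 10_000_000;

export class ValidationError extends Error {}

// Hypothetical shape of one decrypted report entry.
export interface ApplicationHealthReportDetail {
  applicationName: string;
  passwordCount: number;
  atRiskPasswordCount: number;
  atRiskCipherIds: string[];
  reportDate: string;
}

type Guard = (v: unknown) => boolean;

// Layer 1: a plain object whose prototype is Object.prototype and that carries none of
// the properties used for prototype pollution. JSON.parse turns a "__proto__" key into an
// *own* property rather than changing the prototype, so the own-property loop is what
// catches that case.
export function isPlainObject(v: unknown): v is Record<string, unknown> {
  if (typeof v !== "object" || v === null || Array.isArray(v)) return false;
  if (Object.getPrototypeOf(v) !== Object.prototype) return false;
  for (const key of ["__proto__", "constructor", "prototype"]) {
    if (Object.prototype.hasOwnProperty.call(v, key)) return false;
  }
  return true;
}

export function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0 && v.length <= MAX_STRING_LENGTH;
}

// Counts must be safe integers in [0, MAX_COUNT]; isSafeInteger also rejects NaN/Infinity.
export function isCount(v: unknown): v is number {
  return typeof v === "number" && Number.isSafeInteger(v) && v >= 0 && v <= MAX_COUNT;
}

export function isNonEmptyStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.length <= MAX_ARRAY_LENGTH && v.every(isNonEmptyString);
}

// Reject anything Date would parse to NaN instead of letting "Invalid Date" flow downstream.
export function isDateString(v: unknown): v is string {
  return isNonEmptyString(v) && !Number.isNaN(new Date(v).getTime());
}

const DETAIL_FIELDS: Record<keyof ApplicationHealthReportDetail, Guard> = {
  applicationName: isNonEmptyString,
  passwordCount: isCount,
  atRiskPasswordCount: isCount,
  atRiskCipherIds: isNonEmptyStringArray,
  reportDate: isDateString,
};

// Strict enumeration: every expected field present and valid, and no field we did not expect.
export function isApplicationHealthReportDetail(v: unknown): v is ApplicationHealthReportDetail {
  if (!isPlainObject(v)) return false;
  const expected = Object.keys(DETAIL_FIELDS);
  const actual = Object.keys(v);
  if (actual.length !== expected.length) return false;
  if (actual.some((k) => !Object.prototype.hasOwnProperty.call(DETAIL_FIELDS, k))) return false;
  return expected.every((k) => DETAIL_FIELDS[k as keyof ApplicationHealthReportDetail](v[k]));
}

// The boundary right after decryption: parse, validate, and on any failure log the detail
// for operators but throw only a generic message so callers learn nothing about the
// internal structure. Failures are surfaced, never swallowed into an empty result.
export function parseReportDetails(
  decryptedJson: string,
  log: (detail: string) => void = (d) => console.error(d),
): ApplicationHealthReportDetail[] {
  const fail = (detail: string): never => {
    log(`risk-insights validation failed: ${detail}`);
    throw new ValidationError("Decrypted report data failed validation");
  };
  let parsed: unknown;
  try {
    parsed = JSON.parse(decryptedJson);
  } catch (e) {
    return fail(`JSON parse error: ${(e as Error).message}`);
  }
  if (!Array.isArray(parsed)) return fail(`expected array, got ${typeof parsed}`);
  if (parsed.length > MAX_ARRAY_LENGTH) return fail(`array length ${parsed.length} exceeds limit`);
  return parsed.map((item, i) =>
    isApplicationHealthReportDetail(item) ? item : fail(`item ${i} has invalid structure`),
  );
}
```

The guard rejects a `{"__proto__": {...}}` payload twice over (the own-property check and the unexpected-key check), which is deliberate: each layer is independent, so a future relaxation of one does not silently reopen the other. Callers only ever see the constant `ValidationError` message; the offending index and reason go to the log callback.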
* fix(billing): update and refactor observable logic
* tests(billing): add additional expects for dialog
* fix(billing): update for claude feedback
* tests(billing): update test conditions and comments
* add state definition for auto confirm
* typo
* refactor organization user service
* WIP create auto confirm service
* add POST method, finish implementation
* add missing userId param, jsdoc
* fix DI
* clean up, more DI fixes
* remove @Injectable from service, fix tests
* remove from libs/common, fix dir structure, add tests
* filter at risk passwords count to only critical apps
* PM-26929 assign tasks to those apps that are marked as critical
---------
Co-authored-by: voommen-livefront <voommen@livefront.com>