* add welcome prompt when extension is not installed
* add feature flag
* move prompt logic to internal service and add day prompt
* rename dialog component
* remove feature flag hardcode and add documentation
* use i18n for image alt
* move state into service
* be more explicit when the account or creation date is not available
* remove spaces
* fix types caused by introducing a numeric feature flag type
* add `typeof` for feature flag typing
* place back button fixed at bottom right
* fix type errors
* add the new button logic to org reports also
* fix: restore keyboard focus for reports back button in CDK overlay
The CDK Overlay renders outside the cdkTrapFocus boundary, making the
floating "Back to reports" button unreachable via Tab. Add a focus bridge
element that intercepts Tab and programmatically redirects focus to the
overlay button, with a return handler to cycle focus back into the page.
* add back functionality to OTP auth flow
* respond to review comments
* hoist email value to parent component
---------
Co-authored-by: Alex Dragovich <46065570+itsadrago@users.noreply.github.com>
* add notification handler for auto confirm
* add missing state check
* fix test
* isolate angular specific code from shared lib code
* clean up
* use autoconfirm method
* add event logging for auto confirm
* update copy
Adds urlOriginsMatch to @bitwarden/platform, which compares two URLs by
scheme, host, and port. Uses `protocol + "//" + host` rather than
`URL.origin` because non-special schemes (e.g. chrome-extension://)
return the opaque string "null" from .origin, making equality comparison
unreliable. URLs without a host (file:, data:) are explicitly rejected
to prevent hostless schemes from comparing equal.
Refactors senderIsInternal to delegate to urlOriginsMatch and to derive
the extension URL via BrowserApi.getRuntimeURL("") rather than inline
chrome/browser API detection. Adds full test coverage for
senderIsInternal.
The previous string-based comparison used startsWith after stripping
trailing slashes, which was safe in senderIsInternal where inputs are
tightly constrained. As a general utility accepting arbitrary URLs,
startsWith can produce false positives (e.g. "https://example.com"
matching "https://example.com.evil.com"). Structural host comparison
is the correct contract for unrestricted input.
* shows all/filtered ciphers in allItems instead of the ones that haven't been bubbled up into autofill or favorites
* removes remainingCiphers$ remnants
* updates loading$ observable logic
* updates loading$ test
* refactor: Remove direct self-hosted org creation from OrganizationPlansComponent
* tests: Add comprehensive test suite for OrganizationPlansComponent
When "Owners and admins can manage all collections and items" is OFF, Password Manager
reports incorrectly filter out items from collections where the user has "Can view",
"Can view except passwords", or "Can edit except passwords" access.
The root cause is that all five PM report components filter ciphers using
`(!this.organization && !edit) || !viewPassword`. Since PM reports run without an
organization context (this.organization is undefined), this condition excludes any
item where edit=false or viewPassword=false. These permission checks are unnecessary
for PM reports because:
1. Personal vault items always have edit=true and viewPassword=true, so the checks
never applied to them.
2. Organization items should appear in reports regardless of permission level — the
user has collection access, and edit restrictions should only affect the item
dialog, not report visibility.
3. Admin Console reports (which work correctly) skip this filtering because
this.organization is always set, making the condition always false.
This also explains why "Can edit except passwords" items only appeared in the
Unsecured Websites report — it was the only report that didn't check !viewPassword.
Removed the edit/viewPassword filter conditions from all five PM report components:
- exposed-passwords-report
- weak-passwords-report
- reused-passwords-report
- inactive-two-factor-report
- unsecured-websites-report
* stabilize table column widths with fixed layout (PM-31163)
Add layout="fixed" and explicit width classes to report tables to prevent
column widths from shifting during virtual scroll.
Files changed:
- weak-passwords-report.component.html
- reused-passwords-report.component.html
- exposed-passwords-report.component.html
- inactive-two-factor-report.component.html
- unsecured-websites-report.component.html
* use auto width for name column to fix width calculation (PM-31163)
Remove tw-w-1/2 from name column headers. With layout="fixed", the
explicit percentages didn't sum to 100%, causing inconsistent column widths.
Before: | 48px | 50% | 25% | 25% | = 48px + 100% (overflow)
After: | 48px | auto | 25% | 25% | = columns sum correctly
Name column now uses auto to fill remaining space.
* render headers in Admin Console to fix column widths (PM-31163)
Admin Console reports had a very wide icon column because no headers were
rendered. Without headers, table-layout: fixed uses data row content to
determine column widths, causing inconsistent sizing.
Root cause:
Three reports had their entire <ng-container header> block inside
@if (!isAdminConsoleActive), so when isAdminConsoleActive=true (Admin
Console), no headers were rendered at all.
Before (broken):
@if (!isAdminConsoleActive) {
<ng-container header> <!-- Entire header skipped in Admin Console -->
<th>Icon</th>
<th>Name</th>
<th>Owner</th>
</ng-container>
}
After (fixed):
<ng-container header> <!-- Always render headers -->
<th>Icon</th>
<th>Name</th>
@if (!isAdminConsoleActive) {
<th>Owner</th> <!-- Only Owner is conditional -->
}
</ng-container>
This matches the pattern already used by weak-passwords-report and
exposed-passwords-report, which were working correctly.
Files changed:
- unsecured-websites-report.component.html
- reused-passwords-report.component.html
- inactive-two-factor-report.component.html
Result:
- Admin Console now renders headers with correct column widths
- Icon column is 48px (tw-w-12) as expected
- Owner column properly hidden in Admin Console view
* truncate long item names to prevent column overflow
- you can hover cursor for tooltip to see full name
* [PM-27782] Update Access Intelligence loading state text
Simplify the loading progress messages shown during Access Intelligence
report generation to be more user-friendly and concise.
Changes:
- Add new i18n keys with simplified text
- Update ProgressStepConfig to use new keys
Progress message updates:
- "Fetching member data..." → "Reviewing member data..."
- "Analyzing password health..." → "Analyzing passwords..."
- "Calculating risk scores..." → "Calculating risks..."
- "Generating report data..." → "Generating reports..."
- "Saving report..." → "Compiling insights..."
- "Compiling insights..." → "Done!"
* delete old messages
* remove all "this might take a few minutes"
Updates the SetInitialPasswordService TDE + Permission user flow to use the new KM data types:
- `MasterPasswordAuthenticationData`
- `MasterPasswordUnlockData`
This allows us to move away from the deprecated `makeMasterKey()` method (which takes email as salt) as we seek to eventually separate the email from the salt.
The new `setInitialPasswordTdeUserWithPermission()` method essentially takes the existing deprecated `setInitialPassword()` method and:
- Removes logic that is specific to a `JIT_PROVISIONED_MP_ORG_USER` case. This way the method only handles `TDE_ORG_USER_RESET_PASSWORD_PERMISSION_REQUIRES_MP` cases.
- Updates the logic to use `MasterPasswordAuthenticationData` and `MasterPasswordUnlockData`
Behind feature flag: `pm-27086-update-authentication-apis-for-input-password`
