mirror of
https://github.com/bitwarden/browser
synced 2025-12-11 22:03:36 +00:00
acbff6953c
* PM-8113 - Deprecate TwoFactorComponentRefactor feature flag in favor of UnauthenticatedExtensionUIRefresh flag * PM-8113 - Rename all existing 2FA components as V1. * PM-8113 - TwoFactorAuthComp - Add comment explaining that tagged unused import is used a dialog. * PM-8113 - 2FA Auth Comp - deprecate captcha * PM-8113 - LoginStrategySvc - add todo for deprecation of captcha response * PM-8113 - TwoFactorAuth tests - remove captcha * PM-8113 - TwoFactorAuthComp HTML - remove captcha * PM-8113 - Web Two Factor Auth - update deps * PM-8113 - Move all new two-factor-auth components into libs/auth instead of libs/angular/src/auth * PM-8113 - Add new child-components folder to help differentiate between top level page component and child components * PM-8113 - Add todo for browser TwoFactorAuthEmailComponent * PM-8113 - TwoFactorAuth - progress on consolidation * PM-8113 - TwoFactorAuth - add TODO to ensure I don't miss web on success logic * PM-8113 - TwoFactorAuth - Deprecate browser implementation of two-factor-auth and move all logic into single component - WIP * PM-8113 - Bring across 2FA session timeout to new 2FA orchestrator comp * PM-8113 - Export TwoFactorAuth from libs/auth * PM-8113 - Fix 2FA Auth Comp tests by adding new service deps. * PM-8113 - Fix TwoFactorAuthExpiredComp imports + TwoFactorAuthComponent imports on other clients. * PM-8113 - 2FA Auth Comp - Progress on removing onSuccessfulLogin callback * PM-8113 - 2FA Auth - update deps to private as inheritance will no longer be used. * PM-8113 - TwoFactorAuthComp - Refactor init a bit. * PM-8113 - TwoFactorAuthComp - More naming refactors * PM-8113 - TwoFactorAuth - (1) more refactoring (2) removed onSuccessfulLoginNavigate (3) after successful login we always loginEmailService.clearValues() * PM-8113 - TwoFactorAuthComp Tests - clean up tests for removed callbacks. * PM-8113 - TwoFactorAuthComponent - refactor default success route handling * PM-8113 - TwoFactorAuthComp - More refactoring * PM-8113 - TwoFactorAuthComp - more refactors * PM-8113 - TwoFactorAuth - Remove unused service dep * PM-8113 - TwoFactorAuthComp - Refactor out unused button action text and move checks for continue button visibility into component * PM-8113 - TwoFactorAuthComponent - Add type for providerData * PM-8113 - TwoFactorAuthComponent - Add todo * PM-8113 - TwoFactorAuthComponent - Add client type * PM-8113 - TwoFactorAuth - implement browser specific SSO + 2FA logic * PM-8113 - TwoFactorService Abstraction - refactor to use proper functions + mark methods as abstract properly + add null return to getProviders * PM-8113 - Refactor 2FA Guard logic out of ngOnInit and into own tested guard. Updated all routes. * PM-8113 - TwoFactorAuthComponent - WIP on webauthn init. * PM-8113 - TwoFactorAuthComponent - pull webauthn fallback response handling into primary init with checks based on client for if it should be processed. * PM-8113 - TwoFactorAuthComponent - move linux popup width extension logic into ExtensionTwoFactorAuthComponentService * PM-8113 - WebTwoFactorAuthComponentService - add explicit override for web's determineLegacyKeyMigrationAction method. * PM-8113 - Implement new TwoFactorAuthComponentService .openPopoutIfApprovedForEmail2fa to replace extension specific init logic. * PM-8113 - TwoFactorAuthComponent - misc cleanup * PM-8113 - TwoFactorAuthComponent - more clean up * PM-8113 - TwoFactorAuthComponent - WIP on removing TDE callbacks * PM-8113 - TwoFactorAuthComponent - finish refactoring out all callbacks * PM-8113 - TwoFactorAuthComponent - remove now unused method * PM-8113 - TwoFactorAuthComponent - refactor routes. * PM-8113 - TwoFactorAuthComponent - add TODO * PM-8113 - TwoFactorAuthComp - isTrustedDeviceEncEnabled - add undefined check for optional window close. + Add todo * PM-8113 - TwoFactorAuthComponent tests - updated to pass * PM-8113 - (1) Consolidate TwoFactorAuthEmail component into new service architecture (2) Move openPopoutIfApprovedForEmail2fa to new TwoFactorAuthEmailComponentService * PM-8113 - Refactor libs/auth/2fa into barrel files. * PM-8113 - Move TwoFactorAuthEmail content to own folder. * PM-8113 - Move 2FA Duo to own comp folder. * PM-8113 - ExtensionTwoFactorAuthEmailComponentService - Add comment * PM-8113 - TwoFactorAuthEmailComponentService - add docs * PM-8113 - TwoFactorAuthDuoComponentService - define top level abstraction and each clients implementation of the duo2faResultListener * PM-8113 - TwoFactorAuthDuoCompService - add client specific handling for launchDuoFrameless * PM-8113 - Delete no longer used client specific two factor auth duo components. * PM-8113 - Register TwoFactorAuthDuoComponentService implementation in each client. * PM-8113 - TwoFactorAuthComp - add destroy ref to fix warnings. * PM-8113 - Remove accidentally checked in dev change * PM-8113 - TwoFactorAuthComp - (1) Add loading state (2) Add missing CheckboxModule import * PM-8113 - TwoFactorAuthDuoComponent - update takeUntilDestroyed to pass in destroy context as you can't use takeUntilDestroyed in ngOnInit without it. * PM-8113 - TwoFactorAuthWebAuthnComponent - remove no longer necessary webauthn new tab check as webauthn seems to work without it * PM-8113 - TwoFactorAuthWebAuthnComp - refactor names and add todo * PM-8113 - (1) Move WebAuthn 2FA comp to own folder (2) build out client service for new tab logic * PM-8113 - Register TwoFactorAuthWebAuthnComponentServices * PM-8113 - Tweak TwoFactorAuthWebAuthnComponentService and add to TwoFactorAuthWebAuthnComponent * PM-8113 - WebTwoFactorAuthDuoComponentService - fix type issue * PM-8113 - ExtensionTwoFactorAuthDuoComponentService - attempt to fix type issue. * PM-8113 - Remove ts-strict-ignore * PM-8113 - TwoFactorAuthWebAuthnComponent - satisfy strict typescript reqs. * PM-8113 - TwoFactorAuthComponent - some progress on strict TS conversion * PM-8113 - TwoFactorAuthComp - fixed all strict typescript issues. * PM-8113 - TwoFactorAuthComp - remove no longer necessary webauthn code * PM-8113 - ExtensionTwoFactorAuthComponentService - handleSso2faFlowSuccess - add more context * PM-8113 - TwoFactorAuthComp - TDE should use same success handler method * PM-8113 - Fix SSO + 2FA result handling by closing proper popout window * PM-8113 - Add todo * PM-8113 - Webauthn 2FA - As webauthn popout doesn't persist SSO state, have to genercize success logic (which should be a good thing but requires confirmation testing). * PM-8113 - Per main changes, remove deprecated I18nPipe from 2fa comps that use it. * PM-8113 - Remove more incorrect i18nPipes * PM-8113 - TwoFactorAuth + Webauthn - Refactor logic * PM-8113 - TwoFactorAuth - build submitting loading logic * PM-8113 - TwoFactorAuth - remove loading as submitting. * PM-8113 - TwoFactorAuth - update to latest authN session timeout logic * PM-8113 - AuthPopoutWindow - Add new single action popout for email 2FA so we can close it programmatically * PM-8113 - Update ExtensionTwoFactorAuthComponentService to close email 2FA single action popouts. * PM-8113 - Fix build after merge conflict issue * PM-8113 - 2FA - Duo & Email comps - strict typescript adherence. * PM-8113 - TwoFactorAuth - Clean up unused stuff and get tests passing * PM-8113 - Clean up used service method + TODO as I've confirmed it works for other flows. * PM-8113 - TODO: test all comp services * PM-8113 - TwoFactorAuthComponent Tests - fix tests by removing mock of removed method. * PM-8113 - Revert changes to login strategies to avoid scope creep for the sake of typescript strictness. * PM-8113 - ExtensionTwoFactorAuthComponentService tests * PM-8113 - Test ExtensionTwoFactorAuthDuoComponentService * PM-8113 - ExtensionTwoFactorAuthEmailComponentService - add tests * PM-8113 - Test ExtensionTwoFactorAuthWebAuthnComponentService * PM-8113 - Add 2fa icons (icons need tweaking still) * PM-8113 - TwoFactorAuthComponent - add setAnonLayoutDataByTwoFactorProviderType and handle email case as POC * PM-8113 - TwoFactorEmailComp - work on converting to new design * PM-8113 - Update icons with proper svg with scaling via viewbox * PM-8113 - Update icons to use proper classes * PM-8113 - 2FA Auth Comp - Progress on implementing design changes * PM-8113 - TwoFactorOptionsComponent - add todos * PM-8113 - 2fa Email Comp - add style changes per discussion with design * PM-8113 - TwoFactorAuthComponent - use2faRecoveryCode - build out method per discussion with design * PM-8113 - TwoFactorAuthComp - fix comp tests * PM-8113 - TwoFactorAuthComp - progress on adding 2fa provider page icons and subtitles * PM-8113 - Browser Translations - update duoTwoFactorRequiredPageSubtitle to match design discussion * PM-8113 - TwoFactorAuthComp - more work on getting page title / icons working * PM-8113 - Add todo * PM-8113 - TwoFactorAuthDuoComponent Html - remove text that was moved to page subtitle. * PM-8113 - 2FA Auth Comp - Duo icon works * PM-8113 - (1) Add Yubico logo icon (2) Rename Yubikey icon to security key icon * PM-8113 - TwoFactorAuthComp - remove icon from launch duo button per figma * PM-8113 - Mark old two-factor-options component as v1. * PM-8113 - Web - TwoFactorOptionsComponentV1 - Fix import * PM-8113 - Fix more imports * PM-8113 - Adjust translations based on meeting with Design * PM-8113 - TwoFactorOptionsComponent - deprecate recovery code functionality * PM-8113 - TwoFactorOptionsComponent - remove icon disable logic and unused imports * PM-8113 - 2FA Options Comp rewritten to match figma * PM-8113 - TwoFactorOptions - (1) Sort providers like setup screen (2) Add responsive scaling * PM-8113 - Webauthn 2FA - WIP on updating connectors to latest style * PM-8113 - Webauthn connector - clean up commented out code and restore block style * PM-8113 - TwoFactorAuthWebAuthn - Add loading state for iframe until webauthn ready * PM-8113 - Webauthn Iframe - update translation per figma * PM-8113 - TwoFactorAuthComp - per figma, put webauthn after checkbox. * PM-8113 - WebAuthn Fallback connector - UI refreshed * PM-8113 - Two Factor Options - Implement wrapping * PM-8113 - TwoFactorAuthAuthenticator - Remove text per figma * PM-8113 - TwoFactorAuthYubikey - Clean up design per figma * PM-8113 - Refactor all 2FA flows to use either reactive forms or programmatic submission so we get the benefit of onSubmit form validation like we have elsewhere. * PM-8113 - 2FA Auth Comp - for form validated 2FA methods, add enter support. * PM-8113 - TwoFactorAuthComp - Add loginSuccessHandlerService * PM-8113 - DesktopTwoFactorAuthDuoComponentService - add tests * PM-8113 - WebTwoFactorAuthDuoComponentService test file - WIP on tests * PM-8113 - WebTwoFactorAuthDuoComponentService - test listenForDuo2faResult * PM-8113 - TwoFactorAuthComp - (1) remove unused deps (2) get tests passing * PM-8113 - Add required to inputs * PM-8113 - TwoFactorAuth - Save off 2FA providers map so we can only show the select another 2FA method if the user actually has more than 1 configured 2FA method. * PM-8113 - Webauthn iframe styling must be adjusted per client so adjust desktop and browser extension * PM-8113 - TwoFactorAuthComp - Integrate latest ssoLoginService changes * PM-8113 - Desktop & Browser routing modules - add new page title per figma * PM-8113 - WebAuthn - added optional awaiting security key interaction button state to improve UX. * PM-8113 - TwoFactorAuthComp - refactor to avoid reactive race condition with retrieval of active user id. * PM-8113 - ExtensionTwoFactorAuthEmailComponentService - force close the popup since it has stopped closing when the popup opens. * PM-8113 - TwoFactorAuth - refactor enter key press to exempt non-applicable flows from enter key handling * PM-8113 - Refactor ExtensionTwoFactorAuthComponentService methods to solve issues with submission * PM-8113 - TwoFactorAuth - fix programmatic submit of form * PM-8113 - Fix ExtensionTwoFactorAuthComponentService tests * PM-8113 - Extension - Webauthn iframe - remove -10px margin * PM-8113 - Extension Routing module - 2FA screens need back button * PM-8113 - Get Duo working in extension * PM-8113 - TwoFactorOptions - tweak styling of row styling to better work for extension * PM-8113 - TwoFactorWebauthnComp - new tab button styling per figma * PM-8113 - 2FA Comp - Update logic for hiding / showing the remember me checkbox * PM-8113 - TwoFactorAuthWebAuthnComp - new tab flow - fix remember me * PM-8113 - Per PR feedback, add TODO for better provider and module structure for auth component client logic services. * PM-8113 - TwoFactorAuth - add missing TDE offboarding logic. * PM-8113 - TwoFactorAuthComponent tests - fix tests * PM-8113 - 2FA Auth Comp HTML - per PR feedback, remove unnecessary margin bottom * PM-8113 - 2FA Comp - per PR feedback, remove inSsoFlow as it isn't used. * PM-8113 - TwoFactorOptionsComp - Clean up no longer needed emitters. * PM-8113 - TwoFactorOptions - per PR feedback, clean up any usage * PM-8113 - TwoFactorAuthComp - per PR feedback, rename method from selectOtherTwofactorMethod to selectOtherTwoFactorMethod * PM-8113 - Per PR feedback, fix translations misspelling * PM-8113 - TwoFactorAuthSecurityKeyIcon - fix hardcoded value * PM-8113 - TwoFactorAuthSecurityKeyIcon - fix extra " * PM-8113 - TwoFactorAuthDuo - Per PR feedback, remove empty template. * PM-8113 - LooseComponentsModule - re-add accidentally removed component * PM-8113 - TwoFactorAuthWebAuthnIcon - per PR feedback, fix hardcoded stroke value. * PM-8113 - Desktop AppRoutingModule - per PR feedback, remove unnecessary AnonLayoutWrapperComponent component property. * PM-8113 - Update apps/browser/src/auth/services/extension-two-factor-auth-duo-component.service.spec.ts to fix misspelling Co-authored-by: rr-bw <102181210+rr-bw@users.noreply.github.com> * PM-8113 - TwoFactorAuthComp - Per PR feedback, add trim to token value * PM-8113 - TwoFactorService - add typescript strict * PM-8113 - TwoFactorService - per PR feedback, add jsdocs * PM-8113 - Per PR feedback, fix misspelling * PM-8113 - Webauthn fallback - per PR feedback fix stroke * PM-8113 - Update apps/web/src/connectors/webauthn-fallback.html Co-authored-by: rr-bw <102181210+rr-bw@users.noreply.github.com> * PM-8113 - Update libs/auth/src/angular/icons/two-factor-auth/two-factor-auth-webauthn.icon.ts Co-authored-by: rr-bw <102181210+rr-bw@users.noreply.github.com> --------- Co-authored-by: rr-bw <102181210+rr-bw@users.noreply.github.com>
516 lines
19 KiB
TypeScript
516 lines
19 KiB
TypeScript
// FIXME: Update this file to be type safe and remove this and next line
|
|
// @ts-strict-ignore
|
|
import { Directive, Inject, OnInit, OnDestroy } from "@angular/core";
|
|
import { takeUntilDestroyed } from "@angular/core/rxjs-interop";
|
|
import { ActivatedRoute, NavigationExtras, Router } from "@angular/router";
|
|
import { firstValueFrom } from "rxjs";
|
|
import { first } from "rxjs/operators";
|
|
|
|
// eslint-disable-next-line no-restricted-imports
|
|
import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
|
|
import {
|
|
LoginStrategyServiceAbstraction,
|
|
LoginEmailServiceAbstraction,
|
|
TrustedDeviceUserDecryptionOption,
|
|
UserDecryptionOptions,
|
|
UserDecryptionOptionsServiceAbstraction,
|
|
} from "@bitwarden/auth/common";
|
|
import { ApiService } from "@bitwarden/common/abstractions/api.service";
|
|
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
|
|
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
|
|
import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction";
|
|
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
|
|
import { AuthenticationType } from "@bitwarden/common/auth/enums/authentication-type";
|
|
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
|
|
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
|
|
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
|
|
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
|
|
import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
|
|
import { TwoFactorProviders } from "@bitwarden/common/auth/services/two-factor.service";
|
|
import { WebAuthnIFrame } from "@bitwarden/common/auth/webauthn-iframe";
|
|
import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
|
|
import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
|
|
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
|
|
import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
|
|
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
|
|
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
|
|
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
|
|
import { ToastService } from "@bitwarden/components";
|
|
|
|
import { CaptchaProtectedComponent } from "./captcha-protected.component";
|
|
|
|
@Directive()
|
|
export class TwoFactorComponentV1 extends CaptchaProtectedComponent implements OnInit, OnDestroy {
|
|
token = "";
|
|
remember = false;
|
|
webAuthnReady = false;
|
|
webAuthnNewTab = false;
|
|
providers = TwoFactorProviders;
|
|
providerType = TwoFactorProviderType;
|
|
selectedProviderType: TwoFactorProviderType = TwoFactorProviderType.Authenticator;
|
|
webAuthnSupported = false;
|
|
webAuthn: WebAuthnIFrame = null;
|
|
title = "";
|
|
twoFactorEmail: string = null;
|
|
formPromise: Promise<any>;
|
|
emailPromise: Promise<any>;
|
|
orgIdentifier: string = null;
|
|
|
|
duoFramelessUrl: string = null;
|
|
duoResultListenerInitialized = false;
|
|
|
|
onSuccessfulLogin: () => Promise<void>;
|
|
onSuccessfulLoginNavigate: () => Promise<void>;
|
|
|
|
onSuccessfulLoginTde: () => Promise<void>;
|
|
onSuccessfulLoginTdeNavigate: () => Promise<void>;
|
|
|
|
protected loginRoute = "login";
|
|
|
|
protected trustedDeviceEncRoute = "login-initiated";
|
|
protected changePasswordRoute = "set-password";
|
|
protected forcePasswordResetRoute = "update-temp-password";
|
|
protected successRoute = "vault";
|
|
protected twoFactorTimeoutRoute = "authentication-timeout";
|
|
|
|
get isDuoProvider(): boolean {
|
|
return (
|
|
this.selectedProviderType === TwoFactorProviderType.Duo ||
|
|
this.selectedProviderType === TwoFactorProviderType.OrganizationDuo
|
|
);
|
|
}
|
|
|
|
constructor(
|
|
protected loginStrategyService: LoginStrategyServiceAbstraction,
|
|
protected router: Router,
|
|
protected i18nService: I18nService,
|
|
protected apiService: ApiService,
|
|
protected platformUtilsService: PlatformUtilsService,
|
|
@Inject(WINDOW) protected win: Window,
|
|
protected environmentService: EnvironmentService,
|
|
protected stateService: StateService,
|
|
protected route: ActivatedRoute,
|
|
protected logService: LogService,
|
|
protected twoFactorService: TwoFactorService,
|
|
protected appIdService: AppIdService,
|
|
protected loginEmailService: LoginEmailServiceAbstraction,
|
|
protected userDecryptionOptionsService: UserDecryptionOptionsServiceAbstraction,
|
|
protected ssoLoginService: SsoLoginServiceAbstraction,
|
|
protected configService: ConfigService,
|
|
protected masterPasswordService: InternalMasterPasswordServiceAbstraction,
|
|
protected accountService: AccountService,
|
|
protected toastService: ToastService,
|
|
) {
|
|
super(environmentService, i18nService, platformUtilsService, toastService);
|
|
|
|
this.webAuthnSupported = this.platformUtilsService.supportsWebAuthn(win);
|
|
|
|
// Add subscription to authenticationSessionTimeout$ and navigate to twoFactorTimeoutRoute if expired
|
|
this.loginStrategyService.authenticationSessionTimeout$
|
|
.pipe(takeUntilDestroyed())
|
|
.subscribe(async (expired) => {
|
|
if (!expired) {
|
|
return;
|
|
}
|
|
|
|
try {
|
|
await this.router.navigate([this.twoFactorTimeoutRoute]);
|
|
} catch (err) {
|
|
this.logService.error(`Failed to navigate to ${this.twoFactorTimeoutRoute} route`, err);
|
|
}
|
|
});
|
|
}
|
|
|
|
async ngOnInit() {
|
|
if (!(await this.authing()) || (await this.twoFactorService.getProviders()) == null) {
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.router.navigate([this.loginRoute]);
|
|
return;
|
|
}
|
|
|
|
this.route.queryParams.pipe(first()).subscribe((qParams) => {
|
|
if (qParams.identifier != null) {
|
|
this.orgIdentifier = qParams.identifier;
|
|
}
|
|
});
|
|
|
|
if (await this.needsLock()) {
|
|
this.successRoute = "lock";
|
|
}
|
|
|
|
if (this.win != null && this.webAuthnSupported) {
|
|
const env = await firstValueFrom(this.environmentService.environment$);
|
|
const webVaultUrl = env.getWebVaultUrl();
|
|
this.webAuthn = new WebAuthnIFrame(
|
|
this.win,
|
|
webVaultUrl,
|
|
this.webAuthnNewTab,
|
|
this.platformUtilsService,
|
|
this.i18nService,
|
|
(token: string) => {
|
|
this.token = token;
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.submit();
|
|
},
|
|
(error: string) => {
|
|
this.toastService.showToast({
|
|
variant: "error",
|
|
title: this.i18nService.t("errorOccurred"),
|
|
message: this.i18nService.t("webauthnCancelOrTimeout"),
|
|
});
|
|
},
|
|
(info: string) => {
|
|
if (info === "ready") {
|
|
this.webAuthnReady = true;
|
|
}
|
|
},
|
|
);
|
|
}
|
|
|
|
this.selectedProviderType = await this.twoFactorService.getDefaultProvider(
|
|
this.webAuthnSupported,
|
|
);
|
|
await this.init();
|
|
}
|
|
|
|
ngOnDestroy(): void {
|
|
this.cleanupWebAuthn();
|
|
this.webAuthn = null;
|
|
}
|
|
|
|
async init() {
|
|
if (this.selectedProviderType == null) {
|
|
this.title = this.i18nService.t("loginUnavailable");
|
|
return;
|
|
}
|
|
|
|
this.cleanupWebAuthn();
|
|
this.title = (TwoFactorProviders as any)[this.selectedProviderType].name;
|
|
const providerData = await this.twoFactorService.getProviders().then((providers) => {
|
|
return providers.get(this.selectedProviderType);
|
|
});
|
|
switch (this.selectedProviderType) {
|
|
case TwoFactorProviderType.WebAuthn:
|
|
if (!this.webAuthnNewTab) {
|
|
setTimeout(async () => {
|
|
await this.authWebAuthn();
|
|
}, 500);
|
|
}
|
|
break;
|
|
case TwoFactorProviderType.Duo:
|
|
case TwoFactorProviderType.OrganizationDuo:
|
|
// Setup listener for duo-redirect.ts connector to send back the code
|
|
if (!this.duoResultListenerInitialized) {
|
|
// setup client specific duo result listener
|
|
this.setupDuoResultListener();
|
|
this.duoResultListenerInitialized = true;
|
|
}
|
|
// flow must be launched by user so they can choose to remember the device or not.
|
|
this.duoFramelessUrl = providerData.AuthUrl;
|
|
break;
|
|
case TwoFactorProviderType.Email:
|
|
this.twoFactorEmail = providerData.Email;
|
|
if ((await this.twoFactorService.getProviders()).size > 1) {
|
|
await this.sendEmail(false);
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
async submit() {
|
|
await this.setupCaptcha();
|
|
|
|
if (this.token == null || this.token === "") {
|
|
this.toastService.showToast({
|
|
variant: "error",
|
|
title: this.i18nService.t("errorOccurred"),
|
|
message: this.i18nService.t("verificationCodeRequired"),
|
|
});
|
|
return;
|
|
}
|
|
|
|
if (this.selectedProviderType === TwoFactorProviderType.WebAuthn) {
|
|
if (this.webAuthn != null) {
|
|
this.webAuthn.stop();
|
|
} else {
|
|
return;
|
|
}
|
|
} else if (
|
|
this.selectedProviderType === TwoFactorProviderType.Email ||
|
|
this.selectedProviderType === TwoFactorProviderType.Authenticator
|
|
) {
|
|
this.token = this.token.replace(" ", "").trim();
|
|
}
|
|
|
|
await this.doSubmit();
|
|
if (this.selectedProviderType === TwoFactorProviderType.WebAuthn && this.webAuthn != null) {
|
|
this.webAuthn.start();
|
|
}
|
|
}
|
|
|
|
async doSubmit() {
|
|
this.formPromise = this.loginStrategyService.logInTwoFactor(
|
|
new TokenTwoFactorRequest(this.selectedProviderType, this.token, this.remember),
|
|
this.captchaToken,
|
|
);
|
|
const authResult: AuthResult = await this.formPromise;
|
|
|
|
await this.handleLoginResponse(authResult);
|
|
}
|
|
|
|
protected handleMigrateEncryptionKey(result: AuthResult): boolean {
|
|
if (!result.requiresEncryptionKeyMigration) {
|
|
return false;
|
|
}
|
|
|
|
this.toastService.showToast({
|
|
variant: "error",
|
|
title: this.i18nService.t("errorOccured"),
|
|
message: this.i18nService.t("encryptionKeyMigrationRequired"),
|
|
});
|
|
return true;
|
|
}
|
|
|
|
// Each client will have own implementation
|
|
protected setupDuoResultListener(): void {}
|
|
|
|
private async handleLoginResponse(authResult: AuthResult) {
|
|
if (this.handleCaptchaRequired(authResult)) {
|
|
return;
|
|
} else if (this.handleMigrateEncryptionKey(authResult)) {
|
|
return;
|
|
}
|
|
|
|
// Save off the OrgSsoIdentifier for use in the TDE flows
|
|
// - TDE login decryption options component
|
|
// - Browser SSO on extension open
|
|
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
|
|
await this.ssoLoginService.setActiveUserOrganizationSsoIdentifier(this.orgIdentifier, userId);
|
|
this.loginEmailService.clearValues();
|
|
|
|
// note: this flow affects both TDE & standard users
|
|
if (this.isForcePasswordResetRequired(authResult)) {
|
|
return await this.handleForcePasswordReset(this.orgIdentifier);
|
|
}
|
|
|
|
const userDecryptionOpts = await firstValueFrom(
|
|
this.userDecryptionOptionsService.userDecryptionOptions$,
|
|
);
|
|
|
|
const tdeEnabled = await this.isTrustedDeviceEncEnabled(userDecryptionOpts.trustedDeviceOption);
|
|
|
|
if (tdeEnabled) {
|
|
return await this.handleTrustedDeviceEncryptionEnabled(
|
|
authResult,
|
|
this.orgIdentifier,
|
|
userDecryptionOpts,
|
|
);
|
|
}
|
|
|
|
// User must set password if they don't have one and they aren't using either TDE or key connector.
|
|
const requireSetPassword =
|
|
!userDecryptionOpts.hasMasterPassword && userDecryptionOpts.keyConnectorOption === undefined;
|
|
|
|
if (requireSetPassword || authResult.resetMasterPassword) {
|
|
// Change implies going no password -> password in this case
|
|
return await this.handleChangePasswordRequired(this.orgIdentifier);
|
|
}
|
|
|
|
return await this.handleSuccessfulLogin();
|
|
}
|
|
|
|
private async isTrustedDeviceEncEnabled(
|
|
trustedDeviceOption: TrustedDeviceUserDecryptionOption,
|
|
): Promise<boolean> {
|
|
const ssoTo2faFlowActive = this.route.snapshot.queryParamMap.get("sso") === "true";
|
|
|
|
return ssoTo2faFlowActive && trustedDeviceOption !== undefined;
|
|
}
|
|
|
|
private async handleTrustedDeviceEncryptionEnabled(
|
|
authResult: AuthResult,
|
|
orgIdentifier: string,
|
|
userDecryptionOpts: UserDecryptionOptions,
|
|
): Promise<void> {
|
|
// If user doesn't have a MP, but has reset password permission, they must set a MP
|
|
if (
|
|
!userDecryptionOpts.hasMasterPassword &&
|
|
userDecryptionOpts.trustedDeviceOption.hasManageResetPasswordPermission
|
|
) {
|
|
// Set flag so that auth guard can redirect to set password screen after decryption (trusted or untrusted device)
|
|
// Note: we cannot directly navigate to the set password screen in this scenario as we are in a pre-decryption state, and
|
|
// if you try to set a new MP before decrypting, you will invalidate the user's data by making a new user key.
|
|
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
|
|
await this.masterPasswordService.setForceSetPasswordReason(
|
|
ForceSetPasswordReason.TdeUserWithoutPasswordHasPasswordResetPermission,
|
|
userId,
|
|
);
|
|
}
|
|
|
|
if (this.onSuccessfulLoginTde != null) {
|
|
// Note: awaiting this will currently cause a hang on desktop & browser as they will wait for a full sync to complete
|
|
// before navigating to the success route.
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.onSuccessfulLoginTde();
|
|
}
|
|
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.navigateViaCallbackOrRoute(
|
|
this.onSuccessfulLoginTdeNavigate,
|
|
// Navigate to TDE page (if user was on trusted device and TDE has decrypted
|
|
// their user key, the login-initiated guard will redirect them to the vault)
|
|
[this.trustedDeviceEncRoute],
|
|
);
|
|
}
|
|
|
|
private async handleChangePasswordRequired(orgIdentifier: string) {
|
|
await this.router.navigate([this.changePasswordRoute], {
|
|
queryParams: {
|
|
identifier: orgIdentifier,
|
|
},
|
|
});
|
|
}
|
|
|
|
/**
|
|
* Determines if a user needs to reset their password based on certain conditions.
|
|
* Users can be forced to reset their password via an admin or org policy disallowing weak passwords.
|
|
* Note: this is different from the SSO component login flow as a user can
|
|
* login with MP and then have to pass 2FA to finish login and we can actually
|
|
* evaluate if they have a weak password at that time.
|
|
*
|
|
* @param {AuthResult} authResult - The authentication result.
|
|
* @returns {boolean} Returns true if a password reset is required, false otherwise.
|
|
*/
|
|
private isForcePasswordResetRequired(authResult: AuthResult): boolean {
|
|
const forceResetReasons = [
|
|
ForceSetPasswordReason.AdminForcePasswordReset,
|
|
ForceSetPasswordReason.WeakMasterPassword,
|
|
];
|
|
|
|
return forceResetReasons.includes(authResult.forcePasswordReset);
|
|
}
|
|
|
|
private async handleForcePasswordReset(orgIdentifier: string) {
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.router.navigate([this.forcePasswordResetRoute], {
|
|
queryParams: {
|
|
identifier: orgIdentifier,
|
|
},
|
|
});
|
|
}
|
|
|
|
private async handleSuccessfulLogin() {
|
|
if (this.onSuccessfulLogin != null) {
|
|
// Note: awaiting this will currently cause a hang on desktop & browser as they will wait for a full sync to complete
|
|
// before navigating to the success route.
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.onSuccessfulLogin();
|
|
}
|
|
await this.navigateViaCallbackOrRoute(this.onSuccessfulLoginNavigate, [this.successRoute]);
|
|
}
|
|
|
|
private async navigateViaCallbackOrRoute(
|
|
callback: () => Promise<unknown>,
|
|
commands: unknown[],
|
|
extras?: NavigationExtras,
|
|
): Promise<void> {
|
|
if (callback) {
|
|
await callback();
|
|
} else {
|
|
await this.router.navigate(commands, extras);
|
|
}
|
|
}
|
|
|
|
async sendEmail(doToast: boolean) {
|
|
if (this.selectedProviderType !== TwoFactorProviderType.Email) {
|
|
return;
|
|
}
|
|
|
|
if (this.emailPromise != null) {
|
|
return;
|
|
}
|
|
|
|
if ((await this.loginStrategyService.getEmail()) == null) {
|
|
this.toastService.showToast({
|
|
variant: "error",
|
|
title: this.i18nService.t("errorOccurred"),
|
|
message: this.i18nService.t("sessionTimeout"),
|
|
});
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const request = new TwoFactorEmailRequest();
|
|
request.email = await this.loginStrategyService.getEmail();
|
|
request.masterPasswordHash = await this.loginStrategyService.getMasterPasswordHash();
|
|
request.ssoEmail2FaSessionToken =
|
|
await this.loginStrategyService.getSsoEmail2FaSessionToken();
|
|
request.deviceIdentifier = await this.appIdService.getAppId();
|
|
request.authRequestAccessCode = await this.loginStrategyService.getAccessCode();
|
|
request.authRequestId = await this.loginStrategyService.getAuthRequestId();
|
|
this.emailPromise = this.apiService.postTwoFactorEmail(request);
|
|
await this.emailPromise;
|
|
if (doToast) {
|
|
this.toastService.showToast({
|
|
variant: "success",
|
|
title: null,
|
|
message: this.i18nService.t("verificationCodeEmailSent", this.twoFactorEmail),
|
|
});
|
|
}
|
|
} catch (e) {
|
|
this.logService.error(e);
|
|
}
|
|
|
|
this.emailPromise = null;
|
|
}
|
|
|
|
async authWebAuthn() {
|
|
const providerData = await this.twoFactorService.getProviders().then((providers) => {
|
|
return providers.get(this.selectedProviderType);
|
|
});
|
|
|
|
if (!this.webAuthnSupported || this.webAuthn == null) {
|
|
return;
|
|
}
|
|
|
|
this.webAuthn.init(providerData);
|
|
}
|
|
|
|
private cleanupWebAuthn() {
|
|
if (this.webAuthn != null) {
|
|
this.webAuthn.stop();
|
|
this.webAuthn.cleanup();
|
|
}
|
|
}
|
|
|
|
private async authing(): Promise<boolean> {
|
|
return (await firstValueFrom(this.loginStrategyService.currentAuthType$)) !== null;
|
|
}
|
|
|
|
private async needsLock(): Promise<boolean> {
|
|
const authType = await firstValueFrom(this.loginStrategyService.currentAuthType$);
|
|
return authType == AuthenticationType.Sso || authType == AuthenticationType.UserApiKey;
|
|
}
|
|
|
|
async launchDuoFrameless() {
|
|
if (this.duoFramelessUrl === null) {
|
|
this.toastService.showToast({
|
|
variant: "error",
|
|
title: null,
|
|
message: this.i18nService.t("duoHealthCheckResultsInNullAuthUrlError"),
|
|
});
|
|
return;
|
|
}
|
|
|
|
this.platformUtilsService.launchUri(this.duoFramelessUrl);
|
|
}
|
|
}
|