bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-15 07:43:35 +00:00
Code Issues Releases Wiki Activity
Files
b486fcc689bb6eedf61a1949887a66568f9b1b50
browser/libs/angular/src/auth/guards/tde-decryption-required.guard.ts
Bernd Schoolmann b486fcc689 [Pm-13097] Rename cryptoservice to keyservice and move it to km ownership (#11358) 
* Rename cryptoservice to keyservice

* Rename cryptoservice to keyservice

* Move key service to key management ownership

* Remove accidentally added file

* Fix cli build

* Fix browser build

* Run prettier

* Fix builds

* Fix cli build

* Fix tests

* Fix incorrect renames

* Rename webauthn-login-crypto-service

* Fix build errors due to merge conflicts

* Fix linting
2024-10-24 19:41:30 +02:00

54 lines
2.2 KiB
TypeScript
Raw Blame History

import { inject } from "@angular/core";
import {
ActivatedRouteSnapshot,
Router,
RouterStateSnapshot,
CanActivateFn,
} from "@angular/router";
import { firstValueFrom } from "rxjs";
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
import { DeviceTrustServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
import { KeyService } from "@bitwarden/key-management";
/**
* Only allow access to this route if the vault is locked and has never been decrypted.
* Otherwise redirect to root.
*
* TODO: This should return Observable<boolean | UrlTree> once we can get rid of all the promises
*/
export function tdeDecryptionRequiredGuard(): CanActivateFn {
return async (_: ActivatedRouteSnapshot, state: RouterStateSnapshot) => {
const authService = inject(AuthService);
const keyService = inject(KeyService);
const deviceTrustService = inject(DeviceTrustServiceAbstraction);
const logService = inject(LogService);
const router = inject(Router);
const authStatus = await authService.getAuthStatus();
const tdeEnabled = await firstValueFrom(deviceTrustService.supportsDeviceTrust$);
const everHadUserKey = await firstValueFrom(keyService.everHadUserKey$);
// We need to determine if we should bypass the decryption options and send the user to the vault.
// The ONLY time that we want to send a user to the decryption options is when:
// 1. The user's auth status is Locked, AND
// 2. TDE is enabled, AND
// 3. The user has never had a user key in state since last logout.
// The inverse of this is when we should send the user to the vault.
if (authStatus !== AuthenticationStatus.Locked || !tdeEnabled || everHadUserKey) {
return router.createUrlTree(["/"]);
}
logService.info(
"Sending user to TDE decryption options. AuthStatus is %s. TDE support is %s. Ever had user key is %s.",
AuthenticationStatus[authStatus],
tdeEnabled,
everHadUserKey,
);
return true;
};
}
Reference in New Issue View Git Blame Copy Permalink