mirror of
https://github.com/bitwarden/browser
synced 2025-12-10 05:13:29 +00:00
c70a5aa024
* Use account service to track accounts and active account * Remove state service active account Observables. * Add email verified to account service * Do not store account info on logged out accounts * Add account activity tracking to account service * Use last account activity from account service * migrate or replicate account service data * Add `AccountActivityService` that handles storing account last active data * Move active and next active user to account service * Remove authenticated accounts from state object * Fold account activity into account service * Fix builds * Fix desktop app switch * Fix logging out non active user * Expand helper to handle new authenticated accounts location * Prefer view observable to tons of async pipes * Fix `npm run test:types` * Correct user activity sorting test * Be more precise about log out messaging * Fix dev compare errors All stored values are serializable, the next step wasn't necessary and was erroring on some types that lack `toString`. * If the account in unlocked on load of lock component, navigate away from lock screen * Handle no users case for auth service statuses * Specify account to switch to * Filter active account out of inactive accounts * Prefer constructor init * Improve comparator * Use helper methods internally * Fixup component tests * Clarify name * Ensure accounts object has only valid userIds * Capitalize const values * Prefer descriptive, single-responsibility guards * Update libs/common/src/state-migrations/migrate.ts Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * Fix merge * Add user Id validation activity for undefined was being set, which was resulting in requests for the auth status of `"undefined"` (string) userId, due to key enumeration. These changes stop that at both locations, as well as account add for good measure. --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
196 lines
7.5 KiB
TypeScript
196 lines
7.5 KiB
TypeScript
import { combineLatest, firstValueFrom, switchMap } from "rxjs";
|
|
|
|
import { SearchService } from "../../abstractions/search.service";
|
|
import { VaultTimeoutSettingsService } from "../../abstractions/vault-timeout/vault-timeout-settings.service";
|
|
import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "../../abstractions/vault-timeout/vault-timeout.service";
|
|
import { AccountService } from "../../auth/abstractions/account.service";
|
|
import { AuthService } from "../../auth/abstractions/auth.service";
|
|
import { InternalMasterPasswordServiceAbstraction } from "../../auth/abstractions/master-password.service.abstraction";
|
|
import { AuthenticationStatus } from "../../auth/enums/authentication-status";
|
|
import { ClientType } from "../../enums";
|
|
import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
|
|
import { CryptoService } from "../../platform/abstractions/crypto.service";
|
|
import { MessagingService } from "../../platform/abstractions/messaging.service";
|
|
import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
|
|
import { StateService } from "../../platform/abstractions/state.service";
|
|
import { StateEventRunnerService } from "../../platform/state";
|
|
import { UserId } from "../../types/guid";
|
|
import { CipherService } from "../../vault/abstractions/cipher.service";
|
|
import { CollectionService } from "../../vault/abstractions/collection.service";
|
|
import { FolderService } from "../../vault/abstractions/folder/folder.service.abstraction";
|
|
|
|
export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
|
|
private inited = false;
|
|
|
|
constructor(
|
|
private accountService: AccountService,
|
|
private masterPasswordService: InternalMasterPasswordServiceAbstraction,
|
|
private cipherService: CipherService,
|
|
private folderService: FolderService,
|
|
private collectionService: CollectionService,
|
|
private cryptoService: CryptoService,
|
|
protected platformUtilsService: PlatformUtilsService,
|
|
private messagingService: MessagingService,
|
|
private searchService: SearchService,
|
|
private stateService: StateService,
|
|
private authService: AuthService,
|
|
private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
|
|
private stateEventRunnerService: StateEventRunnerService,
|
|
private lockedCallback: (userId?: string) => Promise<void> = null,
|
|
private loggedOutCallback: (expired: boolean, userId?: string) => Promise<void> = null,
|
|
) {}
|
|
|
|
async init(checkOnInterval: boolean) {
|
|
if (this.inited) {
|
|
return;
|
|
}
|
|
// TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3483)
|
|
await this.migrateKeyForNeverLockIfNeeded();
|
|
|
|
this.inited = true;
|
|
if (checkOnInterval) {
|
|
this.startCheck();
|
|
}
|
|
}
|
|
|
|
startCheck() {
|
|
// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
|
|
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
|
this.checkVaultTimeout();
|
|
setInterval(() => this.checkVaultTimeout(), 10 * 1000); // check every 10 seconds
|
|
}
|
|
|
|
async checkVaultTimeout(): Promise<void> {
|
|
// Get whether or not the view is open a single time so it can be compared for each user
|
|
const isViewOpen = await this.platformUtilsService.isViewOpen();
|
|
|
|
await firstValueFrom(
|
|
combineLatest([
|
|
this.accountService.activeAccount$,
|
|
this.accountService.accountActivity$,
|
|
]).pipe(
|
|
switchMap(async ([activeAccount, accountActivity]) => {
|
|
const activeUserId = activeAccount?.id;
|
|
for (const userIdString in accountActivity) {
|
|
const userId = userIdString as UserId;
|
|
if (
|
|
userId != null &&
|
|
(await this.shouldLock(userId, accountActivity[userId], activeUserId, isViewOpen))
|
|
) {
|
|
await this.executeTimeoutAction(userId);
|
|
}
|
|
}
|
|
}),
|
|
),
|
|
);
|
|
}
|
|
|
|
async lock(userId?: string): Promise<void> {
|
|
const authed = await this.stateService.getIsAuthenticated({ userId: userId });
|
|
if (!authed) {
|
|
return;
|
|
}
|
|
|
|
const availableActions = await firstValueFrom(
|
|
this.vaultTimeoutSettingsService.availableVaultTimeoutActions$(userId),
|
|
);
|
|
const supportsLock = availableActions.includes(VaultTimeoutAction.Lock);
|
|
if (!supportsLock) {
|
|
await this.logOut(userId);
|
|
}
|
|
|
|
const currentUserId = (await firstValueFrom(this.accountService.activeAccount$)).id;
|
|
|
|
if (userId == null || userId === currentUserId) {
|
|
await this.searchService.clearIndex();
|
|
await this.folderService.clearCache();
|
|
await this.collectionService.clearActiveUserCache();
|
|
}
|
|
|
|
await this.masterPasswordService.clearMasterKey((userId ?? currentUserId) as UserId);
|
|
|
|
await this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
|
|
await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
|
|
|
|
await this.cipherService.clearCache(userId);
|
|
|
|
await this.stateEventRunnerService.handleEvent("lock", (userId ?? currentUserId) as UserId);
|
|
|
|
// FIXME: We should send the userId of the user that was locked, in the case of this method being passed
|
|
// undefined then it should give back the currentUserId. Better yet, this method shouldn't take
|
|
// an undefined userId at all. All receivers need to be checked for how they handle getting undefined.
|
|
this.messagingService.send("locked", { userId: userId });
|
|
|
|
if (this.lockedCallback != null) {
|
|
await this.lockedCallback(userId);
|
|
}
|
|
}
|
|
|
|
async logOut(userId?: string): Promise<void> {
|
|
if (this.loggedOutCallback != null) {
|
|
await this.loggedOutCallback(false, userId);
|
|
}
|
|
}
|
|
|
|
private async shouldLock(
|
|
userId: string,
|
|
lastActive: Date,
|
|
activeUserId: string,
|
|
isViewOpen: boolean,
|
|
): Promise<boolean> {
|
|
if (isViewOpen && userId === activeUserId) {
|
|
// We know a view is open and this is the currently active user
|
|
// which means they are likely looking at their vault
|
|
// and they should not lock.
|
|
return false;
|
|
}
|
|
|
|
const authStatus = await this.authService.getAuthStatus(userId);
|
|
if (
|
|
authStatus === AuthenticationStatus.Locked ||
|
|
authStatus === AuthenticationStatus.LoggedOut
|
|
) {
|
|
return false;
|
|
}
|
|
|
|
const vaultTimeout = await this.vaultTimeoutSettingsService.getVaultTimeout(userId);
|
|
if (vaultTimeout == null || vaultTimeout < 0) {
|
|
return false;
|
|
}
|
|
|
|
if (lastActive == null) {
|
|
return false;
|
|
}
|
|
|
|
const vaultTimeoutSeconds = vaultTimeout * 60;
|
|
const diffSeconds = (new Date().getTime() - lastActive.getTime()) / 1000;
|
|
return diffSeconds >= vaultTimeoutSeconds;
|
|
}
|
|
|
|
private async executeTimeoutAction(userId: string): Promise<void> {
|
|
const timeoutAction = await firstValueFrom(
|
|
this.vaultTimeoutSettingsService.vaultTimeoutAction$(userId),
|
|
);
|
|
timeoutAction === VaultTimeoutAction.LogOut
|
|
? await this.logOut(userId)
|
|
: await this.lock(userId);
|
|
}
|
|
|
|
private async migrateKeyForNeverLockIfNeeded(): Promise<void> {
|
|
// Web can't set vault timeout to never
|
|
if (this.platformUtilsService.getClientType() == ClientType.Web) {
|
|
return;
|
|
}
|
|
const accounts = await firstValueFrom(this.stateService.accounts$);
|
|
for (const userId in accounts) {
|
|
if (userId != null) {
|
|
await this.cryptoService.migrateAutoKeyIfNeeded(userId);
|
|
// Legacy users should be logged out since we're not on the web vault and can't migrate.
|
|
if (await this.cryptoService.isLegacyUser(null, userId)) {
|
|
await this.logOut(userId);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|