wip

.github/workflows/build.yml

@@ -23,7 +23,7 @@ jobs:
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -51,12 +51,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -129,12 +129,12 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -200,7 +200,7 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -209,7 +209,7 @@ jobs:
           choco install checksum --no-progress
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -279,12 +279,12 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -379,12 +379,12 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -439,12 +439,12 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'

.github/workflows/integration-test.yml

@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -52,7 +52,7 @@ jobs:
           echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -129,7 +129,7 @@ jobs:
 
       - name: Report test results
         id: report
-        uses: dorny/test-reporter@b082adf0eced0765477756c2a610396589b8c637 # v2.5.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
         # This will skip the job if it's a pull request from a fork, because that won't have permission to upload test results.
         # PRs from the repository and all other events are OK.
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository) && !cancelled()
@@ -143,6 +143,4 @@ jobs:
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 
       - name: Upload results to codecov.io
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        with:
-          report_type: test_results
+        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -34,7 +34,7 @@ jobs:
           echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -53,7 +53,7 @@ jobs:
         run: npm run test --coverage
 
       - name: Report test results
-        uses: dorny/test-reporter@b082adf0eced0765477756c2a610396589b8c637 # v2.5.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
         # This will skip the job if it's a pull request from a fork, because that won't have permission to upload test results.
         # PRs from the repository and all other events are OK.
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository) && !cancelled()
@@ -67,6 +67,4 @@ jobs:
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 
       - name: Upload results to codecov.io
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        with:
-          report_type: test_results
+        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1

.github/workflows/version-bump.yml

@@ -50,7 +50,7 @@ jobs:
           permission-contents: write
 
       - name: Checkout Branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.app-token.outputs.token }}
           persist-credentials: true

angular.json

@@ -18,17 +18,15 @@
       "prefix": "app",
       "architect": {
         "build": {
-          "builder": "@angular/build:application",
+          "builder": "@angular-devkit/build-angular:browser",
           "options": {
-            "outputPath": {
-              "base": "dist"
-            },
+            "outputPath": "dist",
             "index": "src/index.html",
+            "main": "src/main.ts",
             "tsConfig": "tsconfig.json",
             "assets": [],
             "styles": [],
-            "scripts": [],
-            "browser": "src/main.ts"
+            "scripts": []
           }
         }
       }

docs/google-workspace.md

@@ -0,0 +1,300 @@
+# Google Workspace Directory Integration
+
+This document provides technical documentation for the Google Workspace (formerly G Suite) directory integration in Bitwarden Directory Connector.
+
+## Overview
+
+The Google Workspace integration synchronizes users and groups from Google Workspace to Bitwarden organizations using the Google Admin SDK Directory API. The service uses a service account with domain-wide delegation to authenticate and access directory data.
+
+## Architecture
+
+### Service Location
+
+- **Implementation**: `src/services/directory-services/gsuite-directory.service.ts`
+- **Configuration Model**: `src/models/gsuiteConfiguration.ts`
+- **Integration Tests**: `src/services/directory-services/gsuite-directory.service.integration.spec.ts`
+
+### Authentication Flow
+
+The Google Workspace integration uses **OAuth 2.0 with Service Accounts** and domain-wide delegation:
+
+1. A service account is created in Google Cloud Console
+2. The service account is granted domain-wide delegation authority
+3. The service account is authorized for specific OAuth scopes in Google Workspace Admin Console
+4. The Directory Connector uses the service account's private key to generate JWT tokens
+5. JWT tokens are exchanged for access tokens to call the Admin SDK APIs
+
+### Required OAuth Scopes
+
+The service account must be granted the following OAuth 2.0 scopes:
+
+```
+https://www.googleapis.com/auth/admin.directory.user.readonly
+https://www.googleapis.com/auth/admin.directory.group.readonly
+https://www.googleapis.com/auth/admin.directory.group.member.readonly
+```
+
+## Configuration
+
+### Required Fields
+
+| Field         | Description                                                                             |
+| ------------- | --------------------------------------------------------------------------------------- |
+| `clientEmail` | Service account email address (e.g., `service-account@project.iam.gserviceaccount.com`) |
+| `privateKey`  | Service account private key in PEM format                                               |
+| `adminUser`   | Admin user email to impersonate for domain-wide delegation                              |
+| `domain`      | Primary domain of the Google Workspace organization                                     |
+
+### Optional Fields
+
+| Field      | Description                                                |
+| ---------- | ---------------------------------------------------------- |
+| `customer` | Customer ID for multi-domain organizations (rarely needed) |
+
+### Example Configuration
+
+```typescript
+{
+  clientEmail: "directory-connector@my-project.iam.gserviceaccount.com",
+  privateKey: "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+  adminUser: "admin@example.com",
+  domain: "example.com",
+  customer: "" // Usually not required
+}
+```
+
+## Setup Instructions
+
+### 1. Create a Service Account
+
+1. Go to [Google Cloud Console](https://console.cloud.google.com)
+2. Create or select a project
+3. Navigate to **IAM & Admin** > **Service Accounts**
+4. Click **Create Service Account**
+5. Enter a name and description
+6. Click **Create and Continue**
+7. Skip granting roles (not needed for this use case)
+8. Click **Done**
+
+### 2. Generate Service Account Key
+
+1. Click on the newly created service account
+2. Navigate to the **Keys** tab
+3. Click **Add Key** > **Create new key**
+4. Select **JSON** format
+5. Click **Create** and download the key file
+6. Extract `client_email` and `private_key` from the JSON file
+
+### 3. Enable Domain-Wide Delegation
+
+1. In the service account details, click **Show Advanced Settings**
+2. Under **Domain-wide delegation**, click **Enable Google Workspace Domain-wide Delegation**
+3. Note the **Client ID** (numeric ID)
+
+### 4. Authorize the Service Account in Google Workspace
+
+1. Go to [Google Workspace Admin Console](https://admin.google.com)
+2. Navigate to **Security** > **API Controls** > **Domain-wide Delegation**
+3. Click **Add new**
+4. Enter the **Client ID** from step 3
+5. Enter the following OAuth scopes (comma-separated):
+   ```
+   https://www.googleapis.com/auth/admin.directory.user.readonly,
+   https://www.googleapis.com/auth/admin.directory.group.readonly,
+   https://www.googleapis.com/auth/admin.directory.group.member.readonly
+   ```
+6. Click **Authorize**
+
+### 5. Configure Directory Connector
+
+Use the extracted values to configure the Directory Connector:
+
+- **Client Email**: From `client_email` in the JSON key file
+- **Private Key**: From `private_key` in the JSON key file (keep the `\n` line breaks)
+- **Admin User**: Email of a super admin user in your Google Workspace domain
+- **Domain**: Your primary Google Workspace domain
+
+## Sync Behavior
+
+### User Synchronization
+
+The service synchronizes the following user attributes:
+
+| Google Workspace Field    | Bitwarden Field             | Notes                                     |
+| ------------------------- | --------------------------- | ----------------------------------------- |
+| `id`                      | `referenceId`, `externalId` | User's unique Google ID                   |
+| `primaryEmail`            | `email`                     | Normalized to lowercase                   |
+| `suspended` OR `archived` | `disabled`                  | User is disabled if suspended or archived |
+| Deleted status            | `deleted`                   | Set to true for deleted users             |
+
+**Special Behavior:**
+
+- The service queries both **active users** and **deleted users** separately
+- Suspended and archived users are included but marked as disabled
+- Deleted users are included with the `deleted` flag set to true
+
+### Group Synchronization
+
+The service synchronizes the following group attributes:
+
+| Google Workspace Field  | Bitwarden Field             | Notes                    |
+| ----------------------- | --------------------------- | ------------------------ |
+| `id`                    | `referenceId`, `externalId` | Group's unique Google ID |
+| `name`                  | `name`                      | Group display name       |
+| Members (type=USER)     | `userMemberExternalIds`     | Individual user members  |
+| Members (type=GROUP)    | `groupMemberReferenceIds`   | Nested group members     |
+| Members (type=CUSTOMER) | `userMemberExternalIds`     | All domain users         |
+
+**Member Types:**
+
+- **USER**: Individual user accounts (only ACTIVE status users are synced)
+- **GROUP**: Nested groups (allows group hierarchy)
+- **CUSTOMER**: Special member type that includes all users in the domain
+
+### Filtering
+
+#### User Filter Examples
+
+```
+exclude:testuser1@bwrox.dev | testuser1@bwrox.dev                   # Exclude multiple users
+|orgUnitPath='/Integration testing'                                 # Users in Integration testing Organizational unit (OU)
+exclude:testuser1@bwrox.dev | orgUnitPath='/Integration testing'    # Combined filter: get users in OU excluding provided user
+|email:testuser*                                                    # Users with email starting with "testuser"
+```
+
+#### Group Filter Examples
+
+An important note for group filters is that it implicitly only syncs users that are in groups. For example, in the case of
+the integration test data, `admin@bwrox.dev` is not a member of any group. Therefore, the first example filter below will
+also implicitly exclude `admin@bwrox.dev`, who is not in any group. This is important because when it is paired with an
+empty user filter, this query may semantically be understood as "sync everyone not in Integration Test Group A," while in
+practice it means "Only sync members of groups not in integration Test Groups A."
+
+```
+exclude:Integration Test Group A                                    # Get all users in groups excluding the provided group.
+```
+
+### User AND Group Filter Examples
+
+```
+
+```
+
+**Filter Syntax:**
+
+- Prefix with `|` for custom filters
+- Use `:` for pattern matching (supports `*` wildcard)
+- Combine multiple conditions with spaces (AND logic)
+
+### Pagination
+
+The service automatically handles pagination for all API calls:
+
+- Users API (active and deleted)
+- Groups API
+- Group Members API
+
+Each API call processes all pages using the `nextPageToken` mechanism until no more results are available.
+
+## Error Handling
+
+### Common Errors
+
+| Error                  | Cause                                 | Resolution                                                 |
+| ---------------------- | ------------------------------------- | ---------------------------------------------------------- |
+| "dirConfigIncomplete"  | Missing required configuration fields | Verify all required fields are provided                    |
+| "authenticationFailed" | Invalid credentials or unauthorized   | Check service account key and domain-wide delegation setup |
+| API returns 401/403    | Missing OAuth scopes                  | Verify scopes are authorized in Admin Console              |
+| API returns 404        | Invalid domain or customer ID         | Check domain configuration                                 |
+
+### Security Considerations
+
+The service implements the following security measures:
+
+1. **Credential sanitization**: Error messages do not expose private keys or sensitive credentials
+2. **Secure authentication**: Uses OAuth 2.0 with JWT tokens, not API keys
+3. **Read-only access**: Only requires read-only scopes for directory data
+4. **No credential logging**: Service account credentials are not logged
+
+## Testing
+
+### Integration Tests
+
+Integration tests are located in `src/services/directory-services/gsuite-directory.service.integration.spec.ts`.
+
+**Test Coverage:**
+
+- Basic sync (users and groups)
+- Sync with filters
+- Users-only sync
+- Groups-only sync
+- User filtering scenarios
+- Group filtering scenarios
+- Disabled users handling
+- Group membership scenarios
+- Error handling
+
+**Running Integration Tests:**
+
+Integration tests require live Google Workspace credentials:
+
+1. Create a `.env` file in the `utils/` folder with:
+   ```
+   GOOGLE_ADMIN_USER=admin@example.com
+   GOOGLE_CLIENT_EMAIL=service-account@project.iam.gserviceaccount.com
+   GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
+   GOOGLE_DOMAIN=example.com
+   ```
+2. Run tests:
+
+   ```bash
+   # Run all integration tests (includes LDAP, Google Workspace, etc.)
+   npm run test:integration
+
+   # Run only Google Workspace integration tests
+   npx jest gsuite-directory.service.integration.spec.ts
+   ```
+
+**Test Data:**
+
+The integration tests expect specific test data in Google Workspace:
+
+- **Users**: 5 test users in organizational unit `/Integration testing`
+  - testuser1@bwrox.dev (in Group A)
+  - testuser2@bwrox.dev (in Groups A & B)
+  - testuser3@bwrox.dev (in Group B)
+  - testuser4@bwrox.dev (no groups)
+  - testuser5@bwrox.dev (disabled)
+
+- **Groups**: 2 test groups with name pattern `Integration*`
+  - Integration Test Group A
+  - Integration Test Group B
+
+## API Reference
+
+### Google Admin SDK APIs Used
+
+- **Users API**: `admin.users.list()`
+  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/list)
+
+- **Groups API**: `admin.groups.list()`
+  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list)
+
+- **Members API**: `admin.members.list()`
+  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list)
+
+### Rate Limits
+
+Google Workspace Directory API rate limits:
+
+- Default: 2,400 queries per minute per user, per Google Cloud Project
+
+The service does not implement rate limiting logic; it relies on API error responses.
+
+## Resources
+
+- [Google Admin SDK Directory API Guide](https://developers.google.com/admin-sdk/directory/v1/guides)
+- [Service Account Authentication](https://developers.google.com/identity/protocols/oauth2/service-account)
+- [Domain-wide Delegation](https://support.google.com/a/answer/162106)
+- [Google Workspace Admin Console](https://admin.google.com)
+- [Bitwarden Directory Connector Documentation](https://bitwarden.com/help/directory-sync/)

jslib/angular/src/components/toastr.component.ts

@@ -1,77 +1,75 @@
+import { animate, state, style, transition, trigger } from "@angular/animations";
 import { CommonModule } from "@angular/common";
 import { Component, ModuleWithProviders, NgModule } from "@angular/core";
-import { DefaultNoComponentGlobalConfig, GlobalConfig, Toast, TOAST_CONFIG } from "ngx-toastr";
+import {
+  DefaultNoComponentGlobalConfig,
+  GlobalConfig,
+  Toast as BaseToast,
+  ToastPackage,
+  ToastrService,
+  TOAST_CONFIG,
+} from "ngx-toastr";
 
 @Component({
   selector: "[toast-component2]",
   template: `
-    @if (options().closeButton) {
-      <button (click)="remove()" type="button" class="toast-close-button" aria-label="Close">
-        <span aria-hidden="true">&times;</span>
-      </button>
-    }
+    <button
+      *ngIf="options.closeButton"
+      (click)="remove()"
+      type="button"
+      class="toast-close-button"
+      aria-label="Close"
+    >
+      <span aria-hidden="true">&times;</span>
+    </button>
     <div class="icon">
       <i></i>
     </div>
     <div>
-      @if (title()) {
-        <div [class]="options().titleClass" [attr.aria-label]="title()">
-          {{ title() }}
-          @if (duplicatesCount) {
-            [{{ duplicatesCount + 1 }}]
-          }
-        </div>
-      }
-      @if (message() && options().enableHtml) {
-        <div
-          role="alertdialog"
-          aria-live="polite"
-          [class]="options().messageClass"
-          [innerHTML]="message()"
-        ></div>
-      }
-      @if (message() && !options().enableHtml) {
-        <div
-          role="alertdialog"
-          aria-live="polite"
-          [class]="options().messageClass"
-          [attr.aria-label]="message()"
-        >
-          {{ message() }}
-        </div>
-      }
-    </div>
-    @if (options().progressBar) {
-      <div>
-        <div class="toast-progress" [style.width]="width + '%'"></div>
+      <div *ngIf="title" [class]="options.titleClass" [attr.aria-label]="title">
+        {{ title }} <ng-container *ngIf="duplicatesCount">[{{ duplicatesCount + 1 }}]</ng-container>
       </div>
-    }
-  `,
-  styles: `
-    :host {
-      &.toast-in {
-        animation: toast-animation var(--animation-duration) var(--animation-easing);
-      }
-
-      &.toast-out {
-        animation: toast-animation var(--animation-duration) var(--animation-easing) reverse
-          forwards;
-      }
-    }
-
-    @keyframes toast-animation {
-      from {
-        opacity: 0;
-      }
-      to {
-        opacity: 1;
-      }
-    }
+      <div
+        *ngIf="message && options.enableHtml"
+        role="alertdialog"
+        aria-live="polite"
+        [class]="options.messageClass"
+        [innerHTML]="message"
+      ></div>
+      <div
+        *ngIf="message && !options.enableHtml"
+        role="alertdialog"
+        aria-live="polite"
+        [class]="options.messageClass"
+        [attr.aria-label]="message"
+      >
+        {{ message }}
+      </div>
+    </div>
+    <div *ngIf="options.progressBar">
+      <div class="toast-progress" [style.width]="width + '%'"></div>
+    </div>
   `,
+  animations: [
+    trigger("flyInOut", [
+      state("inactive", style({ opacity: 0 })),
+      state("active", style({ opacity: 1 })),
+      state("removed", style({ opacity: 0 })),
+      transition("inactive => active", animate("{{ easeTime }}ms {{ easing }}")),
+      transition("active => removed", animate("{{ easeTime }}ms {{ easing }}")),
+    ]),
+  ],
   preserveWhitespaces: false,
   standalone: false,
 })
-export class BitwardenToast extends Toast {}
+export class BitwardenToast extends BaseToast {
+  constructor(
+    protected toastrService: ToastrService,
+    public toastPackage: ToastPackage,
+  ) {
+    super(toastrService, toastPackage);
+  }
+}
 
 export const BitwardenToastGlobalConfig: GlobalConfig = {
   ...DefaultNoComponentGlobalConfig,

jslib/common/spec/domain/symmetricCryptoKey.spec.ts

@@ -9,7 +9,7 @@ describe("SymmetricCryptoKey", () => {
       new SymmetricCryptoKey(null);
     };
 
-    expect(t).toThrow("Must provide key");
+    expect(t).toThrowError("Must provide key");
   });
 
   describe("guesses encKey from key length", () => {
@@ -63,7 +63,7 @@ describe("SymmetricCryptoKey", () => {
         new SymmetricCryptoKey(makeStaticByteArray(30));
       };
 
-      expect(t).toThrow("Unable to determine encType.");
+      expect(t).toThrowError("Unable to determine encType.");
     });
   });
 });

jslib/electron/src/window.main.ts

@@ -127,13 +127,6 @@ export class WindowMain {
       },
     });
 
-    // Enable SharedArrayBuffer. See https://developer.chrome.com/blog/enabling-shared-array-buffer/#cross-origin-isolation
-    this.win.webContents.session.webRequest.onHeadersReceived((details, callback) => {
-      details.responseHeaders["Cross-Origin-Opener-Policy"] = ["same-origin"];
-      details.responseHeaders["Cross-Origin-Embedder-Policy"] = ["require-corp"];
-      callback({ responseHeaders: details.responseHeaders });
-    });
-
     if (this.windowStates[mainWindowSizeKey].isMaximized) {
       this.win.maximize();
     }

package.json

@@ -2,7 +2,7 @@
   "name": "@bitwarden/directory-connector",
   "productName": "Bitwarden Directory Connector",
   "description": "Sync your user directory to your Bitwarden organization.",
-  "version": "2026.1.0",
+  "version": "2025.12.0",
   "keywords": [
     "bitwarden",
     "password",
@@ -73,17 +73,17 @@
     "test:types": "npx tsc --noEmit"
   },
   "devDependencies": {
-    "@angular-eslint/eslint-plugin-template": "21.1.0",
-    "@angular-eslint/template-parser": "21.1.0",
-    "@angular/build": "21.0.5",
-    "@angular/compiler-cli": "21.1.1",
+    "@angular-devkit/build-angular": "20.3.3",
+    "@angular-eslint/eslint-plugin-template": "20.7.0",
+    "@angular-eslint/template-parser": "20.7.0",
+    "@angular/compiler-cli": "20.3.15",
     "@electron/notarize": "2.5.0",
     "@electron/rebuild": "4.0.1",
     "@fluffy-spoon/substitute": "1.208.0",
     "@microsoft/microsoft-graph-types": "2.43.1",
-    "@ngtools/webpack": "21.0.5",
+    "@ngtools/webpack": "20.3.3",
     "@types/inquirer": "8.2.10",
-    "@types/jest": "30.0.0",
+    "@types/jest": "29.5.14",
     "@types/lowdb": "1.0.15",
     "@types/node": "22.19.2",
     "@types/node-fetch": "2.6.12",
@@ -94,9 +94,7 @@
     "@typescript-eslint/eslint-plugin": "8.50.0",
     "@typescript-eslint/parser": "8.50.0",
     "@yao-pkg/pkg": "5.16.1",
-    "babel-loader": "9.2.1",
     "clean-webpack-plugin": "4.0.0",
-    "jest-environment-jsdom": "30.2.0",
     "concurrently": "9.2.0",
     "copy-webpack-plugin": "13.0.0",
     "cross-env": "7.0.3",
@@ -107,7 +105,7 @@
     "electron-log": "5.4.1",
     "electron-reload": "2.0.0-alpha.1",
     "electron-store": "8.2.0",
-    "electron-updater": "6.7.3",
+    "electron-updater": "6.6.2",
     "eslint": "9.39.1",
     "eslint-config-prettier": "10.1.5",
     "eslint-import-resolver-typescript": "4.4.4",
@@ -119,16 +117,16 @@
     "html-loader": "5.1.0",
     "html-webpack-plugin": "5.6.3",
     "husky": "9.1.7",
-    "jest": "30.2.0",
+    "jest": "29.7.0",
     "jest-junit": "16.0.0",
     "jest-mock-extended": "4.0.0",
-    "jest-preset-angular": "16.0.0",
+    "jest-preset-angular": "14.6.0",
     "lint-staged": "16.2.6",
-    "mini-css-extract-plugin": "2.10.0",
+    "mini-css-extract-plugin": "2.9.2",
     "minimatch": "5.1.2",
     "node-forge": "1.3.2",
     "node-loader": "2.1.0",
-    "prettier": "3.8.1",
+    "prettier": "3.7.4",
     "rimraf": "6.1.0",
     "rxjs": "7.8.2",
     "sass": "1.97.1",
@@ -136,25 +134,25 @@
     "ts-jest": "29.4.1",
     "ts-loader": "9.5.2",
     "tsconfig-paths-webpack-plugin": "4.2.0",
-    "type-fest": "5.4.2",
+    "type-fest": "5.3.0",
     "typescript": "5.9.3",
     "webpack": "5.104.1",
     "webpack-cli": "6.0.1",
     "webpack-merge": "6.0.1",
     "webpack-node-externals": "3.0.0",
-    "zone.js": "0.16.0"
+    "zone.js": "0.15.1"
   },
   "dependencies": {
-    "@angular/animations": "21.1.1",
-    "@angular/cdk": "21.1.1",
-    "@angular/cli": "21.0.5",
-    "@angular/common": "21.1.1",
-    "@angular/compiler": "21.1.1",
-    "@angular/core": "21.1.1",
-    "@angular/forms": "21.1.1",
-    "@angular/platform-browser": "21.1.1",
-    "@angular/platform-browser-dynamic": "21.1.1",
-    "@angular/router": "21.1.1",
+    "@angular/animations": "20.3.15",
+    "@angular/cdk": "20.2.14",
+    "@angular/cli": "20.3.3",
+    "@angular/common": "20.3.15",
+    "@angular/compiler": "20.3.15",
+    "@angular/core": "20.3.15",
+    "@angular/forms": "20.3.15",
+    "@angular/platform-browser": "20.3.15",
+    "@angular/platform-browser-dynamic": "20.3.15",
+    "@angular/router": "20.3.15",
     "@microsoft/microsoft-graph-client": "3.0.7",
     "big-integer": "1.6.52",
     "bootstrap": "5.3.7",
@@ -166,16 +164,16 @@
     "https-proxy-agent": "7.0.6",
     "inquirer": "8.2.6",
     "keytar": "7.9.0",
-    "ldapts": "8.1.3",
+    "ldapts": "8.0.1",
     "lowdb": "1.0.0",
-    "ngx-toastr": "20.0.4",
+    "ngx-toastr": "19.1.0",
     "node-fetch": "2.7.0",
     "parse5": "8.0.0",
     "proper-lockfile": "4.1.2",
     "rxjs": "7.8.2",
     "tldjs": "2.3.1",
     "uuid": "11.1.0",
-    "zone.js": "0.16.0"
+    "zone.js": "0.15.1"
   },
   "engines": {
     "node": "~20",

src/app/main.ts

@@ -1,4 +1,4 @@
-import { enableProdMode, provideZoneChangeDetection } from "@angular/core";
+import { enableProdMode } from "@angular/core";
 import { platformBrowserDynamic } from "@angular/platform-browser-dynamic";
 
 import { isDev } from "@/jslib/electron/src/utils";
@@ -11,7 +11,4 @@ if (!isDev()) {
   enableProdMode();
 }
 
-platformBrowserDynamic().bootstrapModule(AppModule, {
-  applicationProviders: [provideZoneChangeDetection()],
-  preserveWhitespaces: true,
-});
+platformBrowserDynamic().bootstrapModule(AppModule, { preserveWhitespaces: true });

src/app/tabs/dashboard.component.html

@@ -3,25 +3,17 @@
   <div class="card-body">
     <p>
       {{ "lastGroupSync" | i18n }}:
-      @if (!lastGroupSync) {
-        <span>-</span>
-      }
+      <span *ngIf="!lastGroupSync">-</span>
       {{ lastGroupSync | date: "medium" }}
       <br />
       {{ "lastUserSync" | i18n }}:
-      @if (!lastUserSync) {
-        <span>-</span>
-      }
+      <span *ngIf="!lastUserSync">-</span>
       {{ lastUserSync | date: "medium" }}
     </p>
     <p>
       {{ "syncStatus" | i18n }}:
-      @if (syncRunning) {
-        <strong class="text-success">{{ "running" | i18n }}</strong>
-      }
-      @if (!syncRunning) {
-        <strong class="text-danger">{{ "stopped" | i18n }}</strong>
-      }
+      <strong *ngIf="syncRunning" class="text-success">{{ "running" | i18n }}</strong>
+      <strong *ngIf="!syncRunning" class="text-danger">{{ "stopped" | i18n }}</strong>
     </p>
     <form #startForm [appApiAction]="startPromise" class="d-inline">
       <button
@@ -68,85 +60,57 @@
       />
       <label class="form-check-label" for="simSinceLast">{{ "testLastSync" | i18n }}</label>
     </div>
-    @if (!simForm.loading && (simUsers || simGroups)) {
+    <ng-container *ngIf="!simForm.loading && (simUsers || simGroups)">
       <hr />
       <div class="row">
         <div class="col-lg">
           <h4>{{ "users" | i18n }}</h4>
-          @if (simEnabledUsers && simEnabledUsers.length) {
-            <ul class="bwi-ul testing-list">
-              @for (u of simEnabledUsers; track u) {
-                <li title="{{ u.referenceId }}">
-                  <i class="bwi bwi-li bwi-user"></i>
-                  {{ u.displayName }}
-                </li>
-              }
-            </ul>
-          }
-          @if (!simEnabledUsers || !simEnabledUsers.length) {
-            <p>
-              {{ "noUsers" | i18n }}
-            </p>
-          }
+          <ul class="bwi-ul testing-list" *ngIf="simEnabledUsers && simEnabledUsers.length">
+            <li *ngFor="let u of simEnabledUsers" title="{{ u.referenceId }}">
+              <i class="bwi bwi-li bwi-user"></i>
+              {{ u.displayName }}
+            </li>
+          </ul>
+          <p *ngIf="!simEnabledUsers || !simEnabledUsers.length">
+            {{ "noUsers" | i18n }}
+          </p>
           <h4>{{ "disabledUsers" | i18n }}</h4>
-          @if (simDisabledUsers && simDisabledUsers.length) {
-            <ul class="bwi-ul testing-list">
-              @for (u of simDisabledUsers; track u) {
-                <li title="{{ u.referenceId }}">
-                  <i class="bwi bwi-li bwi-user"></i>
-                  {{ u.displayName }}
-                </li>
-              }
-            </ul>
-          }
-          @if (!simDisabledUsers || !simDisabledUsers.length) {
-            <p>
-              {{ "noUsers" | i18n }}
-            </p>
-          }
+          <ul class="bwi-ul testing-list" *ngIf="simDisabledUsers && simDisabledUsers.length">
+            <li *ngFor="let u of simDisabledUsers" title="{{ u.referenceId }}">
+              <i class="bwi bwi-li bwi-user"></i>
+              {{ u.displayName }}
+            </li>
+          </ul>
+          <p *ngIf="!simDisabledUsers || !simDisabledUsers.length">
+            {{ "noUsers" | i18n }}
+          </p>
           <h4>{{ "deletedUsers" | i18n }}</h4>
-          @if (simDeletedUsers && simDeletedUsers.length) {
-            <ul class="bwi-ul testing-list">
-              @for (u of simDeletedUsers; track u) {
-                <li title="{{ u.referenceId }}">
-                  <i class="bwi bwi-li bwi-user"></i>
-                  {{ u.displayName }}
-                </li>
-              }
-            </ul>
-          }
-          @if (!simDeletedUsers || !simDeletedUsers.length) {
-            <p>
-              {{ "noUsers" | i18n }}
-            </p>
-          }
+          <ul class="bwi-ul testing-list" *ngIf="simDeletedUsers && simDeletedUsers.length">
+            <li *ngFor="let u of simDeletedUsers" title="{{ u.referenceId }}">
+              <i class="bwi bwi-li bwi-user"></i>
+              {{ u.displayName }}
+            </li>
+          </ul>
+          <p *ngIf="!simDeletedUsers || !simDeletedUsers.length">
+            {{ "noUsers" | i18n }}
+          </p>
         </div>
         <div class="col-lg">
           <h4>{{ "groups" | i18n }}</h4>
-          @if (simGroups && simGroups.length) {
-            <ul class="bwi-ul testing-list">
-              @for (g of simGroups; track g) {
-                <li title="{{ g.referenceId }}">
-                  <i class="bwi bwi-li bwi-sitemap"></i>
-                  {{ g.displayName }}
-                  @if (g.users && g.users.length) {
-                    <ul class="small">
-                      @for (u of g.users; track u) {
-                        <li title="{{ u.referenceId }}">
-                          {{ u.displayName }}
-                        </li>
-                      }
-                    </ul>
-                  }
+          <ul class="bwi-ul testing-list" *ngIf="simGroups && simGroups.length">
+            <li *ngFor="let g of simGroups" title="{{ g.referenceId }}">
+              <i class="bwi bwi-li bwi-sitemap"></i>
+              {{ g.displayName }}
+              <ul class="small" *ngIf="g.users && g.users.length">
+                <li *ngFor="let u of g.users" title="{{ u.referenceId }}">
+                  {{ u.displayName }}
                 </li>
-              }
-            </ul>
-          }
-          @if (!simGroups || !simGroups.length) {
-            <p>{{ "noGroups" | i18n }}</p>
-          }
+              </ul>
+            </li>
+          </ul>
+          <p *ngIf="!simGroups || !simGroups.length">{{ "noGroups" | i18n }}</p>
         </div>
       </div>
-    }
+    </ng-container>
   </div>
 </div>

src/app/tabs/settings.component.html

@@ -6,11 +6,9 @@
         <div class="mb-3">
           <label for="directory" class="form-label">{{ "type" | i18n }}</label>
           <select class="form-select" id="directory" name="Directory" [(ngModel)]="directory">
-            @for (o of directoryOptions; track o) {
-              <option [ngValue]="o.value">
-                {{ o.name }}
-              </option>
-            }
+            <option *ngFor="let o of directoryOptions" [ngValue]="o.value">
+              {{ o.name }}
+            </option>
           </select>
         </div>
         <div [hidden]="directory != directoryType.Ldap">
@@ -53,22 +51,20 @@
               <label class="form-check-label" for="ad">{{ "ldapAd" | i18n }}</label>
             </div>
           </div>
-          @if (!ldap.ad) {
-            <div class="mb-3">
-              <div class="form-check">
-                <input
-                  class="form-check-input"
-                  type="checkbox"
-                  id="pagedSearch"
-                  [(ngModel)]="ldap.pagedSearch"
-                  name="PagedSearch"
-                />
-                <label class="form-check-label" for="pagedSearch">{{
-                  "ldapPagedResults" | i18n
-                }}</label>
-              </div>
+          <div class="mb-3" *ngIf="!ldap.ad">
+            <div class="form-check">
+              <input
+                class="form-check-input"
+                type="checkbox"
+                id="pagedSearch"
+                [(ngModel)]="ldap.pagedSearch"
+                name="PagedSearch"
+              />
+              <label class="form-check-label" for="pagedSearch">{{
+                "ldapPagedResults" | i18n
+              }}</label>
             </div>
-          }
+          </div>
           <div class="mb-3">
             <div class="form-check">
               <input
@@ -83,122 +79,116 @@
               }}</label>
             </div>
           </div>
-          @if (ldap.ssl) {
-            <div class="ms-4">
-              <div class="mb-3">
-                <div class="form-check">
-                  <input
-                    class="form-check-input"
-                    type="radio"
-                    [value]="false"
-                    id="ssl"
-                    [(ngModel)]="ldap.startTls"
-                    name="SSL"
-                  />
-                  <label class="form-check-label" for="ssl">{{ "ldapSsl" | i18n }}</label>
-                </div>
-                <div class="form-check">
-                  <input
-                    class="form-check-input"
-                    type="radio"
-                    [value]="true"
-                    id="startTls"
-                    [(ngModel)]="ldap.startTls"
-                    name="StartTLS"
-                  />
-                  <label class="form-check-label" for="startTls">{{ "ldapTls" | i18n }}</label>
-                </div>
+          <div class="ms-4" *ngIf="ldap.ssl">
+            <div class="mb-3">
+              <div class="form-check">
+                <input
+                  class="form-check-input"
+                  type="radio"
+                  [value]="false"
+                  id="ssl"
+                  [(ngModel)]="ldap.startTls"
+                  name="SSL"
+                />
+                <label class="form-check-label" for="ssl">{{ "ldapSsl" | i18n }}</label>
               </div>
-              @if (ldap.startTls) {
-                <div class="ms-4">
-                  <p>{{ "ldapTlsUntrustedDesc" | i18n }}</p>
-                  <div class="mb-3">
-                    <label for="tlsCaPath" class="form-label">{{ "ldapTlsCa" | i18n }}</label>
-                    <input
-                      type="file"
-                      class="form-control mb-2"
-                      id="tlsCaPath_file"
-                      (change)="setSslPath('tlsCaPath')"
-                    />
-                    <input
-                      type="text"
-                      class="form-control"
-                      id="tlsCaPath"
-                      name="TLSCaPath"
-                      [(ngModel)]="ldap.tlsCaPath"
-                    />
-                  </div>
-                </div>
-              }
-              @if (!ldap.startTls) {
-                <div class="ms-4">
-                  <p>{{ "ldapSslUntrustedDesc" | i18n }}</p>
-                  <div class="mb-3">
-                    <label for="sslCertPath" class="form-label">{{ "ldapSslCert" | i18n }}</label>
-                    <input
-                      type="file"
-                      class="form-control mb-2"
-                      id="sslCertPath_file"
-                      (change)="setSslPath('sslCertPath')"
-                    />
-                    <input
-                      type="text"
-                      class="form-control"
-                      id="sslCertPath"
-                      name="SSLCertPath"
-                      [(ngModel)]="ldap.sslCertPath"
-                    />
-                  </div>
-                  <div class="mb-3">
-                    <label for="sslKeyPath" class="form-label">{{ "ldapSslKey" | i18n }}</label>
-                    <input
-                      type="file"
-                      class="form-control mb-2"
-                      id="sslKeyPath_file"
-                      (change)="setSslPath('sslKeyPath')"
-                    />
-                    <input
-                      type="text"
-                      class="form-control"
-                      id="sslKeyPath"
-                      name="SSLKeyPath"
-                      [(ngModel)]="ldap.sslKeyPath"
-                    />
-                  </div>
-                  <div class="mb-3">
-                    <label for="sslCaPath" class="form-label">{{ "ldapSslCa" | i18n }}</label>
-                    <input
-                      type="file"
-                      class="form-control mb-2"
-                      id="sslCaPath_file"
-                      (change)="setSslPath('sslCaPath')"
-                    />
-                    <input
-                      type="text"
-                      class="form-control"
-                      id="sslCaPath"
-                      name="SSLCaPath"
-                      [(ngModel)]="ldap.sslCaPath"
-                    />
-                  </div>
-                </div>
-              }
-              <div class="mb-3">
-                <div class="form-check">
-                  <input
-                    class="form-check-input"
-                    type="checkbox"
-                    id="certDoNotVerify"
-                    [(ngModel)]="ldap.sslAllowUnauthorized"
-                    name="CertDoNoVerify"
-                  />
-                  <label class="form-check-label" for="certDoNotVerify">{{
-                    "ldapCertDoNotVerify" | i18n
-                  }}</label>
-                </div>
+              <div class="form-check">
+                <input
+                  class="form-check-input"
+                  type="radio"
+                  [value]="true"
+                  id="startTls"
+                  [(ngModel)]="ldap.startTls"
+                  name="StartTLS"
+                />
+                <label class="form-check-label" for="startTls">{{ "ldapTls" | i18n }}</label>
               </div>
             </div>
-          }
+            <div class="ms-4" *ngIf="ldap.startTls">
+              <p>{{ "ldapTlsUntrustedDesc" | i18n }}</p>
+              <div class="mb-3">
+                <label for="tlsCaPath" class="form-label">{{ "ldapTlsCa" | i18n }}</label>
+                <input
+                  type="file"
+                  class="form-control mb-2"
+                  id="tlsCaPath_file"
+                  (change)="setSslPath('tlsCaPath')"
+                />
+                <input
+                  type="text"
+                  class="form-control"
+                  id="tlsCaPath"
+                  name="TLSCaPath"
+                  [(ngModel)]="ldap.tlsCaPath"
+                />
+              </div>
+            </div>
+            <div class="ms-4" *ngIf="!ldap.startTls">
+              <p>{{ "ldapSslUntrustedDesc" | i18n }}</p>
+              <div class="mb-3">
+                <label for="sslCertPath" class="form-label">{{ "ldapSslCert" | i18n }}</label>
+                <input
+                  type="file"
+                  class="form-control mb-2"
+                  id="sslCertPath_file"
+                  (change)="setSslPath('sslCertPath')"
+                />
+                <input
+                  type="text"
+                  class="form-control"
+                  id="sslCertPath"
+                  name="SSLCertPath"
+                  [(ngModel)]="ldap.sslCertPath"
+                />
+              </div>
+              <div class="mb-3">
+                <label for="sslKeyPath" class="form-label">{{ "ldapSslKey" | i18n }}</label>
+                <input
+                  type="file"
+                  class="form-control mb-2"
+                  id="sslKeyPath_file"
+                  (change)="setSslPath('sslKeyPath')"
+                />
+                <input
+                  type="text"
+                  class="form-control"
+                  id="sslKeyPath"
+                  name="SSLKeyPath"
+                  [(ngModel)]="ldap.sslKeyPath"
+                />
+              </div>
+              <div class="mb-3">
+                <label for="sslCaPath" class="form-label">{{ "ldapSslCa" | i18n }}</label>
+                <input
+                  type="file"
+                  class="form-control mb-2"
+                  id="sslCaPath_file"
+                  (change)="setSslPath('sslCaPath')"
+                />
+                <input
+                  type="text"
+                  class="form-control"
+                  id="sslCaPath"
+                  name="SSLCaPath"
+                  [(ngModel)]="ldap.sslCaPath"
+                />
+              </div>
+            </div>
+            <div class="mb-3">
+              <div class="form-check">
+                <input
+                  class="form-check-input"
+                  type="checkbox"
+                  id="certDoNotVerify"
+                  [(ngModel)]="ldap.sslAllowUnauthorized"
+                  name="CertDoNoVerify"
+                />
+                <label class="form-check-label" for="certDoNotVerify">{{
+                  "ldapCertDoNotVerify" | i18n
+                }}</label>
+              </div>
+            </div>
+          </div>
           <div class="mb-3" [hidden]="true">
             <div class="form-check">
               <input
@@ -221,12 +211,10 @@
                 name="Username"
                 [(ngModel)]="ldap.username"
               />
-              @if (ldap.ad) {
-                <div class="form-text">{{ "ex" | i18n }} company\admin</div>
-              }
-              @if (!ldap.ad) {
-                <div class="form-text">{{ "ex" | i18n }} cn=admin,dc=company,dc=com</div>
-              }
+              <div class="form-text" *ngIf="ldap.ad">{{ "ex" | i18n }} company\admin</div>
+              <div class="form-text" *ngIf="!ldap.ad">
+                {{ "ex" | i18n }} cn=admin,dc=company,dc=com
+              </div>
             </div>
             <div class="mb-3">
               <label for="password" class="form-label">{{ "password" | i18n }}</label>
@@ -616,24 +604,18 @@
               name="UserFilter"
               [(ngModel)]="sync.userFilter"
             ></textarea>
-            @if (directory === directoryType.Ldap) {
-              <div class="form-text">
-                {{ "ex" | i18n }} (&amp;(givenName=John)(|(l=Dallas)(l=Austin)))
-              </div>
-            }
-            @if (directory === directoryType.EntraID) {
-              <div class="form-text">{{ "ex" | i18n }} exclude:joe&#64;company.com</div>
-            }
-            @if (directory === directoryType.Okta) {
-              <div class="form-text">
-                {{ "ex" | i18n }} exclude:joe&#64;company.com | profile.firstName eq "John"
-              </div>
-            }
-            @if (directory === directoryType.GSuite) {
-              <div class="form-text">
-                {{ "ex" | i18n }} exclude:joe&#64;company.com | orgUnitPath=/Engineering
-              </div>
-            }
+            <div class="form-text" *ngIf="directory === directoryType.Ldap">
+              {{ "ex" | i18n }} (&amp;(givenName=John)(|(l=Dallas)(l=Austin)))
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.EntraID">
+              {{ "ex" | i18n }} exclude:joe&#64;company.com
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.Okta">
+              {{ "ex" | i18n }} exclude:joe&#64;company.com | profile.firstName eq "John"
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.GSuite">
+              {{ "ex" | i18n }} exclude:joe&#64;company.com | orgUnitPath=/Engineering
+            </div>
           </div>
           <div class="mb-3" [hidden]="directory != directoryType.Ldap">
             <label for="userPath" class="form-label">{{ "userPath" | i18n }}</label>
@@ -699,20 +681,18 @@
               name="GroupFilter"
               [(ngModel)]="sync.groupFilter"
             ></textarea>
-            @if (directory === directoryType.Ldap) {
-              <div class="form-text">
-                {{ "ex" | i18n }} (&amp;(objectClass=group)(!(cn=Sales*))(!(cn=IT*)))
-              </div>
-            }
-            @if (directory === directoryType.EntraID) {
-              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT</div>
-            }
-            @if (directory === directoryType.Okta) {
-              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT | type eq "APP_GROUP"</div>
-            }
-            @if (directory === directoryType.GSuite) {
-              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT</div>
-            }
+            <div class="form-text" *ngIf="directory === directoryType.Ldap">
+              {{ "ex" | i18n }} (&amp;(objectClass=group)(!(cn=Sales*))(!(cn=IT*)))
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.EntraID">
+              {{ "ex" | i18n }} include:Sales,IT
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.Okta">
+              {{ "ex" | i18n }} include:Sales,IT | type eq "APP_GROUP"
+            </div>
+            <div class="form-text" *ngIf="directory === directoryType.GSuite">
+              {{ "ex" | i18n }} include:Sales,IT
+            </div>
           </div>
           <div class="mb-3" [hidden]="directory != directoryType.Ldap">
             <label for="groupPath" class="form-label">{{ "groupPath" | i18n }}</label>
@@ -723,12 +703,8 @@
               name="GroupPath"
               [(ngModel)]="sync.groupPath"
             />
-            @if (!ldap.ad) {
-              <div class="form-text">{{ "ex" | i18n }} CN=Groups</div>
-            }
-            @if (ldap.ad) {
-              <div class="form-text">{{ "ex" | i18n }} CN=Users</div>
-            }
+            <div class="form-text" *ngIf="!ldap.ad">{{ "ex" | i18n }} CN=Groups</div>
+            <div class="form-text" *ngIf="ldap.ad">{{ "ex" | i18n }} CN=Users</div>
           </div>
           <div [hidden]="directory != directoryType.Ldap || ldap.ad">
             <div class="mb-3">

src/scss/bootstrap.scss

@@ -28,4 +28,4 @@ $danger: map_get($theme-colors, "danger");
 $secondary: map_get($theme-colors, "secondary");
 $secondary-alt: map_get($theme-colors, "secondary-alt");
 
-@import "bootstrap/scss/bootstrap.scss";
+@import "~bootstrap/scss/bootstrap.scss";

src/scss/environment.scss

@@ -1,4 +1,4 @@
-@import "bootstrap/scss/_variables.scss";
+@import "~bootstrap/scss/_variables.scss";
 
 html.os_windows {
   body {

src/scss/misc.scss

@@ -1,4 +1,4 @@
-@import "bootstrap/scss/_variables.scss";
+@import "~bootstrap/scss/_variables.scss";
 
 body {
   padding: 10px 0 20px 0;

src/scss/plugins.scss

@@ -1,6 +1,6 @@
-@import "ngx-toastr/toastr";
+@import "~ngx-toastr/toastr";
 
-@import "bootstrap/scss/_variables.scss";
+@import "~bootstrap/scss/_variables.scss";
 
 .toast-container {
   .toast-close-button {

src/services/directory-services/gsuite-directory.service.integration.spec.ts

@@ -50,36 +50,221 @@ describe("gsuiteDirectoryService", () => {
     directoryService = new GSuiteDirectoryService(logService, i18nService, stateService);
   });
 
-  it("syncs without using filters (includes test data)", async () => {
-    const directoryConfig = getGSuiteConfiguration();
-    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+  describe("basic sync fetching users and groups", () => {
+    it("syncs without using filters (includes test data)", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-    const syncConfig = getSyncConfiguration({
-      groups: true,
-      users: true,
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: true,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
+      expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
     });
-    stateService.getSync.mockResolvedValue(syncConfig);
 
-    const result = await directoryService.getEntries(true, true);
+    it("syncs using user and group filters (exact match for test data)", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-    expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
-    expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+        groupFilter: INTEGRATION_GROUP_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result).toEqual([groupFixtures, userFixtures]);
+    });
+
+    it("syncs only users when groups sync is disabled", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        groups: false,
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result[0]).toBeUndefined();
+      expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
+    });
+
+    it("syncs only groups when users sync is disabled", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: false,
+        groupFilter: INTEGRATION_GROUP_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
+      expect(result[1]).toEqual([]);
+    });
   });
 
-  it("syncs using user and group filters (exact match for test data)", async () => {
-    const directoryConfig = getGSuiteConfiguration();
-    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+  describe("users", () => {
+    it("includes disabled users in sync results", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-    const syncConfig = getSyncConfiguration({
-      groups: true,
-      users: true,
-      userFilter: INTEGRATION_USER_FILTER,
-      groupFilter: INTEGRATION_GROUP_FILTER,
+      const syncConfig = getSyncConfiguration({
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      const disabledUser = userFixtures.find((u) => u.email === "testuser5@bwrox.dev");
+      expect(result[1]).toContainEqual(disabledUser);
+      expect(disabledUser.disabled).toBe(true);
     });
-    stateService.getSync.mockResolvedValue(syncConfig);
 
-    const result = await directoryService.getEntries(true, true);
+    it("filters users by org unit path", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-    expect(result).toEqual([groupFixtures, userFixtures]);
+      const syncConfig = getSyncConfiguration({
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result[1]).toEqual(userFixtures);
+      expect(result[1].length).toBe(5);
+    });
+
+    it("filters users by email pattern", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        users: true,
+        userFilter: "|email:testuser1*",
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      const testuser1 = userFixtures.find((u) => u.email === "testuser1@bwrox.dev");
+      expect(result[1]).toContainEqual(testuser1);
+      expect(result[1].length).toBeGreaterThanOrEqual(1);
+    });
+  });
+
+  describe("groups", () => {
+    it("filters groups by name pattern", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+        groupFilter: INTEGRATION_GROUP_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      expect(result[0]).toEqual(groupFixtures);
+      expect(result[0].length).toBe(2);
+    });
+
+    it("includes group members correctly", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+        groupFilter: INTEGRATION_GROUP_FILTER,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      const groupA = result[0].find((g) => g.name === "Integration Test Group A");
+      expect(groupA).toBeDefined();
+      expect(groupA.userMemberExternalIds.size).toBe(2);
+      expect(groupA.userMemberExternalIds.has("111605910541641314041")).toBe(true);
+      expect(groupA.userMemberExternalIds.has("111147009830456099026")).toBe(true);
+
+      const groupB = result[0].find((g) => g.name === "Integration Test Group B");
+      expect(groupB).toBeDefined();
+      expect(groupB.userMemberExternalIds.size).toBe(2);
+      expect(groupB.userMemberExternalIds.has("111147009830456099026")).toBe(true);
+      expect(groupB.userMemberExternalIds.has("100150970267699397306")).toBe(true);
+    });
+
+    it("handles groups with no members", async () => {
+      const directoryConfig = getGSuiteConfiguration();
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        groups: true,
+        users: true,
+        userFilter: INTEGRATION_USER_FILTER,
+        groupFilter: "|name:Integration*",
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      const result = await directoryService.getEntries(true, true);
+
+      // All test groups should have members, but ensure the code handles empty groups
+      expect(result[0]).toBeDefined();
+      expect(Array.isArray(result[0])).toBe(true);
+    });
+  });
+
+  describe("error handling", () => {
+    it("throws error when directory configuration is incomplete", async () => {
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(
+        getGSuiteConfiguration({
+          clientEmail: "",
+        }),
+      );
+
+      const syncConfig = getSyncConfiguration({
+        users: true,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      await expect(directoryService.getEntries(true, true)).rejects.toThrow();
+    });
+
+    it("throws error when authentication fails with invalid credentials", async () => {
+      const directoryConfig = getGSuiteConfiguration({
+        privateKey: "-----BEGIN PRIVATE KEY-----\nINVALID_KEY\n-----END PRIVATE KEY-----\n",
+      });
+      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+
+      const syncConfig = getSyncConfiguration({
+        users: true,
+      });
+      stateService.getSync.mockResolvedValue(syncConfig);
+
+      await expect(directoryService.getEntries(true, true)).rejects.toThrow();
+    });
   });
 });

src/services/directory-services/gsuite-directory.service.ts

@@ -14,6 +14,22 @@ import { BaseDirectoryService } from "../baseDirectory.service";
 
 import { IDirectoryService } from "./directory.service";
 
+/**
+ * Google Workspace (formerly G Suite) Directory Service
+ *
+ * This service integrates with Google Workspace to synchronize users and groups
+ * to Bitwarden organizations using the Google Admin SDK Directory API.
+ *
+ * @remarks
+ * Authentication is performed using a service account with domain-wide delegation.
+ * The service account must be granted the following OAuth 2.0 scopes:
+ * - https://www.googleapis.com/auth/admin.directory.user.readonly
+ * - https://www.googleapis.com/auth/admin.directory.group.readonly
+ * - https://www.googleapis.com/auth/admin.directory.group.member.readonly
+ *
+ * @see {@link https://developers.google.com/admin-sdk/directory/v1/guides | Google Admin SDK Directory API}
+ * @see {@link https://support.google.com/a/answer/162106 | Domain-wide delegation of authority}
+ */
 export class GSuiteDirectoryService extends BaseDirectoryService implements IDirectoryService {
   private client: JWT;
   private service: admin_directory_v1.Admin;
@@ -30,6 +46,29 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     this.service = google.admin("directory_v1");
   }
 
+  /**
+   * Retrieves users and groups from Google Workspace directory
+   * @returns A tuple containing [groups, users] arrays
+   *
+   * @remarks
+   * This function:
+   * 1. Validates the directory type matches GSuite
+   * 2. Loads directory and sync configuration
+   * 3. Authenticates with Google Workspace using service account credentials
+   * 4. Retrieves users (if enabled in sync config)
+   * 5. Retrieves groups and their members (if enabled in sync config)
+   * 6. Applies any user/group filters specified in sync configuration
+   *
+   * User and group filters follow Google Workspace Directory API query syntax:
+   * - Use `|` prefix for custom filters (e.g., "|orgUnitPath='/Engineering'")
+   * - Multiple conditions can be combined with AND/OR operators
+   *
+   * @example
+   * ```typescript
+   * const [groups, users] = await service.getEntries(true, false);
+   * console.log(`Synced ${users.length} users and ${groups.length} groups`);
+   * ```
+   */
   async getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
     const type = await this.stateService.getDirectoryType();
     if (type !== DirectoryType.GSuite) {
@@ -65,6 +104,26 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return [groups, users];
   }
 
+  /**
+   * Retrieves all users from Google Workspace directory
+   *
+   * @returns Array of UserEntry objects representing users in the directory
+   *
+   * @remarks
+   * This method performs two separate queries:
+   * 1. Active users (including suspended and archived)
+   * 2. Deleted users (marked with deleted flag)
+   *
+   * The method handles pagination automatically, fetching all pages of results.
+   * Users are filtered based on the userFilter specified in sync configuration.
+   *
+   * User properties mapped:
+   * - referenceId: User's unique Google ID
+   * - externalId: User's unique Google ID (same as referenceId)
+   * - email: User's primary email address (lowercase)
+   * - disabled: True if user is suspended or archived
+   * - deleted: True if user is deleted from the directory
+   */
   private async getUsers(): Promise<UserEntry[]> {
     const entries: UserEntry[] = [];
     const query = this.createDirectoryQuery(this.syncConfig.userFilter);
@@ -132,6 +191,13 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entries;
   }
 
+  /**
+   * Transforms a Google Workspace user object into a UserEntry
+   *
+   * @param user - Google Workspace user object from the API
+   * @param deleted - Whether this user is from the deleted users list
+   * @returns UserEntry object or null if user data is invalid
+   */
   private buildUser(user: admin_directory_v1.Schema$User, deleted: boolean) {
     if ((user.emails == null || user.emails === "") && !deleted) {
       return null;
@@ -146,6 +212,17 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entry;
   }
 
+  /**
+   * Retrieves all groups from Google Workspace directory
+   *
+   * @param setFilter - Tuple of [isWhitelist, Set<string>] for filtering groups
+   * @param users - Array of UserEntry objects to reference when processing members
+   * @returns Array of GroupEntry objects representing groups in the directory
+   *
+   * @remarks
+   * For each group, the method also retrieves all group members by calling the
+   * members API. Groups are filtered based on the groupFilter in sync configuration.
+   */
   private async getGroups(
     setFilter: [boolean, Set<string>],
     users: UserEntry[],
@@ -185,6 +262,19 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entries;
   }
 
+  /**
+   * Transforms a Google Workspace group object into a GroupEntry with members
+   *
+   * @param group - Google Workspace group object from the API
+   * @param users - Array of UserEntry objects for reference
+   * @returns GroupEntry object with all members populated
+   *
+   * @remarks
+   * This method retrieves all members of the group, handling three member types:
+   * - USER: Individual user members (only active status users are included)
+   * - GROUP: Nested group members
+   * - CUSTOMER: Special type that includes all users in the domain
+   */
   private async buildGroup(group: admin_directory_v1.Schema$Group, users: UserEntry[]) {
     let nextPageToken: string = null;
 
@@ -230,6 +320,26 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entry;
   }
 
+  /**
+   * Authenticates with Google Workspace using service account credentials
+   *
+   * @throws Error if required configuration fields are missing or authentication fails
+   *
+   * @remarks
+   * Authentication uses a JWT with the following required fields:
+   * - clientEmail: Service account email address
+   * - privateKey: Service account private key (PEM format)
+   * - subject: Admin user email to impersonate (for domain-wide delegation)
+   *
+   * The service account must be configured with domain-wide delegation and granted
+   * the required OAuth scopes in the Google Workspace Admin Console.
+   *
+   * Optional configuration:
+   * - domain: Filters results to a specific domain
+   * - customer: Customer ID for multi-domain organizations
+   *
+   * @see {@link https://developers.google.com/identity/protocols/oauth2/service-account | Service account authentication}
+   */
   private async auth() {
     if (
       this.dirConfig.clientEmail == null ||

src/services/sync.service.spec.ts

@@ -6,8 +6,6 @@ import { MessagingService } from "@/jslib/common/src/abstractions/messaging.serv
 import { OrganizationImportRequest } from "@/jslib/common/src/models/request/organizationImportRequest";
 import { ApiService } from "@/jslib/common/src/services/api.service";
 
-import { GroupEntry } from "@/src/models/groupEntry";
-
 import { getSyncConfiguration } from "../../utils/openldap/config-fixtures";
 import { DirectoryFactoryService } from "../abstractions/directory-factory.service";
 import { DirectoryType } from "../enums/directoryType";
@@ -136,198 +134,4 @@ describe("SyncService", () => {
 
     expect(apiService.postPublicImportDirectory).not.toHaveBeenCalled();
   });
-
-  describe("nested and circular group handling", () => {
-    function createGroup(
-      name: string,
-      userExternalIds: string[] = [],
-      groupMemberReferenceIds: string[] = [],
-    ) {
-      return GroupEntry.fromJSON({
-        name,
-        referenceId: name,
-        externalId: name,
-        userMemberExternalIds: userExternalIds,
-        groupMemberReferenceIds: groupMemberReferenceIds,
-        users: [],
-      });
-    }
-
-    it("should handle simple circular reference (A ↔ B) without stack overflow", async () => {
-      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
-      const groupB = createGroup("GroupB", ["userB"], ["GroupA"]);
-      const circularGroups = [groupA, groupB];
-
-      const mockDirectoryService = mock<LdapDirectoryService>();
-      mockDirectoryService.getEntries.mockResolvedValue([circularGroups, []]);
-      directoryFactory.createService.mockReturnValue(mockDirectoryService);
-
-      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
-      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
-      stateService.getLastSyncHash.mockResolvedValue("unique hash");
-      singleRequestBuilder.buildRequest.mockReturnValue([
-        { members: [], groups: [], overwriteExisting: true, largeImport: false },
-      ]);
-
-      const [groups] = await syncService.sync(true, true);
-
-      // Both groups should have both users after flattening
-      expect(groups[0].userMemberExternalIds).toContain("userA");
-      expect(groups[0].userMemberExternalIds).toContain("userB");
-      expect(groups[1].userMemberExternalIds).toContain("userA");
-      expect(groups[1].userMemberExternalIds).toContain("userB");
-    });
-
-    it("should handle longer circular chain (A → B → C → A) without stack overflow", async () => {
-      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
-      const groupB = createGroup("GroupB", ["userB"], ["GroupC"]);
-      const groupC = createGroup("GroupC", ["userC"], ["GroupA"]);
-      const circularGroups = [groupA, groupB, groupC];
-
-      const mockDirectoryService = mock<LdapDirectoryService>();
-      mockDirectoryService.getEntries.mockResolvedValue([circularGroups, []]);
-      directoryFactory.createService.mockReturnValue(mockDirectoryService);
-
-      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
-      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
-      stateService.getLastSyncHash.mockResolvedValue("unique hash");
-      singleRequestBuilder.buildRequest.mockReturnValue([
-        { members: [], groups: [], overwriteExisting: true, largeImport: false },
-      ]);
-
-      const [groups] = await syncService.sync(true, true);
-
-      // All groups should have all users after flattening
-      for (const group of groups) {
-        expect(group.userMemberExternalIds).toContain("userA");
-        expect(group.userMemberExternalIds).toContain("userB");
-        expect(group.userMemberExternalIds).toContain("userC");
-      }
-    });
-
-    it("should handle diamond structure (A → [B, C] → D)", async () => {
-      const groupA = createGroup("GroupA", ["userA"], ["GroupB", "GroupC"]);
-      const groupB = createGroup("GroupB", ["userB"], ["GroupD"]);
-      const groupC = createGroup("GroupC", ["userC"], ["GroupD"]);
-      const groupD = createGroup("GroupD", ["userD"], []);
-      const diamondGroups = [groupA, groupB, groupC, groupD];
-
-      const mockDirectoryService = mock<LdapDirectoryService>();
-      mockDirectoryService.getEntries.mockResolvedValue([diamondGroups, []]);
-      directoryFactory.createService.mockReturnValue(mockDirectoryService);
-
-      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
-      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
-      stateService.getLastSyncHash.mockResolvedValue("unique hash");
-      singleRequestBuilder.buildRequest.mockReturnValue([
-        { members: [], groups: [], overwriteExisting: true, largeImport: false },
-      ]);
-
-      const [groups] = await syncService.sync(true, true);
-
-      const [a, b, c, d] = groups;
-
-      // A should have all users (through B and C, both containing D)
-      expect(a.userMemberExternalIds).toContain("userA");
-      expect(a.userMemberExternalIds).toContain("userB");
-      expect(a.userMemberExternalIds).toContain("userC");
-      expect(a.userMemberExternalIds).toContain("userD");
-
-      // B should have its own user plus D's user
-      expect(b.userMemberExternalIds).toContain("userB");
-      expect(b.userMemberExternalIds).toContain("userD");
-
-      // C should have its own user plus D's user
-      expect(c.userMemberExternalIds).toContain("userC");
-      expect(c.userMemberExternalIds).toContain("userD");
-
-      // D should only have its own user
-      expect(d.userMemberExternalIds).toContain("userD");
-      expect(d.userMemberExternalIds.size).toBe(1);
-    });
-
-    it("should handle deep nesting with circular reference at leaf", async () => {
-      // Structure: A → B → C → D → B (cycle back to B)
-      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
-      const groupB = createGroup("GroupB", ["userB"], ["GroupC"]);
-      const groupC = createGroup("GroupC", ["userC"], ["GroupD"]);
-      const groupD = createGroup("GroupD", ["userD"], ["GroupB"]); // cycles back to B
-      const deepGroups = [groupA, groupB, groupC, groupD];
-
-      const mockDirectoryService = mock<LdapDirectoryService>();
-      mockDirectoryService.getEntries.mockResolvedValue([deepGroups, []]);
-      directoryFactory.createService.mockReturnValue(mockDirectoryService);
-
-      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
-      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
-      stateService.getLastSyncHash.mockResolvedValue("unique hash");
-      singleRequestBuilder.buildRequest.mockReturnValue([
-        { members: [], groups: [], overwriteExisting: true, largeImport: false },
-      ]);
-
-      const [groups] = await syncService.sync(true, true);
-
-      const [a, b, c, d] = groups;
-
-      // A should have all users
-      expect(a.userMemberExternalIds.size).toBe(4);
-
-      // B, C, D form a cycle, so they should all have each other's users
-      expect(b.userMemberExternalIds).toContain("userB");
-      expect(b.userMemberExternalIds).toContain("userC");
-      expect(b.userMemberExternalIds).toContain("userD");
-
-      expect(c.userMemberExternalIds).toContain("userB");
-      expect(c.userMemberExternalIds).toContain("userC");
-      expect(c.userMemberExternalIds).toContain("userD");
-
-      expect(d.userMemberExternalIds).toContain("userB");
-      expect(d.userMemberExternalIds).toContain("userC");
-      expect(d.userMemberExternalIds).toContain("userD");
-    });
-
-    it("should handle complex structure with multiple cycles and shared members", async () => {
-      // Structure:
-      // A → [B, C]
-      // B → [D, E]
-      // C → [E, F]
-      // D → A (cycle)
-      // E → C (cycle)
-      // F → (leaf)
-      const groupA = createGroup("GroupA", ["userA"], ["GroupB", "GroupC"]);
-      const groupB = createGroup("GroupB", ["userB"], ["GroupD", "GroupE"]);
-      const groupC = createGroup("GroupC", ["userC"], ["GroupE", "GroupF"]);
-      const groupD = createGroup("GroupD", ["userD"], ["GroupA"]); // cycle to A
-      const groupE = createGroup("GroupE", ["userE"], ["GroupC"]); // cycle to C
-      const groupF = createGroup("GroupF", ["userF"], []);
-      const complexGroups = [groupA, groupB, groupC, groupD, groupE, groupF];
-
-      const mockDirectoryService = mock<LdapDirectoryService>();
-      mockDirectoryService.getEntries.mockResolvedValue([complexGroups, []]);
-      directoryFactory.createService.mockReturnValue(mockDirectoryService);
-
-      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
-      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
-      stateService.getLastSyncHash.mockResolvedValue("unique hash");
-      singleRequestBuilder.buildRequest.mockReturnValue([
-        { members: [], groups: [], overwriteExisting: true, largeImport: false },
-      ]);
-
-      // Should complete without stack overflow
-      const [groups] = await syncService.sync(true, true);
-
-      expect(groups).toHaveLength(6);
-
-      // Verify A gets users from its descendants
-      const a = groups.find((g) => g.name === "GroupA");
-      expect(a.userMemberExternalIds).toContain("userA");
-      expect(a.userMemberExternalIds).toContain("userB");
-      expect(a.userMemberExternalIds).toContain("userC");
-
-      // F should only have its own user (it's a leaf)
-      const f = groups.find((g) => g.name === "GroupF");
-      expect(f.userMemberExternalIds).toContain("userF");
-      expect(f.userMemberExternalIds.size).toBe(1);
-    });
-  });
 });

src/services/sync.service.ts

@@ -196,27 +196,14 @@ export class SyncService {
     return users == null ? null : users.filter((u) => u.email?.length <= 256);
   }
 
-  private flattenUsersToGroups(
-    levelGroups: GroupEntry[],
-    allGroups: GroupEntry[],
-    visitedGroups?: Set<string>,
-  ): Set<string> {
+  private flattenUsersToGroups(levelGroups: GroupEntry[], allGroups: GroupEntry[]): Set<string> {
     let allUsers = new Set<string>();
     if (allGroups == null) {
       return allUsers;
     }
-
     for (const group of levelGroups) {
-      const visited = visitedGroups ?? new Set<string>();
-
-      if (visited.has(group.referenceId)) {
-        continue;
-      }
-
-      visited.add(group.referenceId);
-
       const childGroups = allGroups.filter((g) => group.groupMemberReferenceIds.has(g.referenceId));
-      const childUsers = this.flattenUsersToGroups(childGroups, allGroups, visited);
+      const childUsers = this.flattenUsersToGroups(childGroups, allGroups);
       childUsers.forEach((id) => group.userMemberExternalIds.add(id));
       allUsers = new Set([...allUsers, ...group.userMemberExternalIds]);
     }

test.setup.ts

@@ -1,7 +1,7 @@
 import { webcrypto } from "crypto";
-import { TextEncoder, TextDecoder } from "util";
 
-Object.assign(globalThis, { TextEncoder, TextDecoder });
+import "jest-preset-angular/setup-jest";
+
 Object.defineProperty(window, "CSS", { value: null });
 Object.defineProperty(window, "getComputedStyle", {
   value: () => {

tsconfig.json

@@ -5,7 +5,7 @@
   },
   "compilerOptions": {
     "pretty": true,
-    "moduleResolution": "bundler",
+    "moduleResolution": "node",
     "noImplicitAny": true,
     "target": "ES2016",
     "module": "ES2020",

utils/openldap/example-ldifs/directory-circular-groups.ldif

@@ -1,308 +0,0 @@
-version: 1
-
-dn: dc=bitwarden,dc=com
-dc: bitwarden
-objectClass: dcObject
-objectClass: organization
-o: Bitwarden
-
-# Organizational Units
-dn: ou=Human Resources,dc=bitwarden,dc=com
-changetype: add
-ou: Human Resources
-objectClass: top
-objectClass: organizationalUnit
-
-dn: ou=Engineering,dc=bitwarden,dc=com
-changetype: add
-ou: Engineering
-objectClass: top
-objectClass: organizationalUnit
-
-dn: ou=Marketing,dc=bitwarden,dc=com
-changetype: add
-ou: Marketing
-objectClass: top
-objectClass: organizationalUnit
-
-# Users - Human Resources
-dn: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Roland Dyke
-sn: Dyke
-description: This is Roland Dyke's description
-facsimileTelephoneNumber: +1 804 674-5794
-l: San Francisco
-ou: Human Resources
-postalAddress: Human Resources$San Francisco
-telephoneNumber: +1 804 831-5121
-title: Supreme Human Resources Writer
-userPassword: Password1
-uid: DykeR
-givenName: Roland
-mail: DykeR@220af87272f04218bb8dd81d50fb19f5.bitwarden.com
-carLicense: 4CMGOJ
-departmentNumber: 2838
-employeeType: Contract
-homePhone: +1 804 936-4965
-initials: R. D.
-mobile: +1 804 592-3734
-pager: +1 804 285-2962
-roomNumber: 9890
-
-dn: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Teirtza Kara
-sn: Kara
-description: This is Teirtza Kara's description
-facsimileTelephoneNumber: +1 206 759-2040
-l: San Francisco
-ou: Human Resources
-postalAddress: Human Resources$San Francisco
-telephoneNumber: +1 206 562-1407
-title: Junior Human Resources President
-userPassword: Password1
-uid: KaraT
-givenName: Teirtza
-mail: KaraT@c2afe8b3509f4a20b2b784841685bd74.bitwarden.com
-carLicense: O9GAN2
-departmentNumber: 3880
-employeeType: Employee
-homePhone: +1 206 154-4842
-initials: T. K.
-mobile: +1 206 860-1835
-pager: +1 206 684-1438
-roomNumber: 9079
-
-# Users - Engineering
-dn: cn=Alice Chen,ou=Engineering,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Alice Chen
-sn: Chen
-description: Senior DevOps Engineer
-l: Seattle
-ou: Engineering
-telephoneNumber: +1 206 555-0101
-title: Senior DevOps Engineer
-userPassword: Password1
-uid: ChenA
-givenName: Alice
-mail: ChenA@bitwarden.com
-employeeType: Employee
-
-dn: cn=Bob Martinez,ou=Engineering,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Bob Martinez
-sn: Martinez
-description: Platform Engineer
-l: Austin
-ou: Engineering
-telephoneNumber: +1 512 555-0102
-title: Platform Engineer
-userPassword: Password1
-uid: MartinezB
-givenName: Bob
-mail: MartinezB@bitwarden.com
-employeeType: Employee
-
-dn: cn=Carol Williams,ou=Engineering,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Carol Williams
-sn: Williams
-description: QA Lead
-l: Denver
-ou: Engineering
-telephoneNumber: +1 303 555-0103
-title: QA Lead
-userPassword: Password1
-uid: WilliamsC
-givenName: Carol
-mail: WilliamsC@bitwarden.com
-employeeType: Employee
-
-dn: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: David Kim
-sn: Kim
-description: QA Engineer
-l: Portland
-ou: Engineering
-telephoneNumber: +1 503 555-0104
-title: QA Engineer
-userPassword: Password1
-uid: KimD
-givenName: David
-mail: KimD@bitwarden.com
-employeeType: Contractor
-
-# Users - Marketing
-dn: cn=Eva Johnson,ou=Marketing,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Eva Johnson
-sn: Johnson
-description: Marketing Director
-l: New York
-ou: Marketing
-telephoneNumber: +1 212 555-0105
-title: Marketing Director
-userPassword: Password1
-uid: JohnsonE
-givenName: Eva
-mail: JohnsonE@bitwarden.com
-employeeType: Employee
-
-dn: cn=Frank Lee,ou=Marketing,dc=bitwarden,dc=com
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-cn: Frank Lee
-sn: Lee
-description: Content Strategist
-l: Chicago
-ou: Marketing
-telephoneNumber: +1 312 555-0106
-title: Content Strategist
-userPassword: Password1
-uid: LeeF
-givenName: Frank
-mail: LeeF@bitwarden.com
-employeeType: Employee
-
-# ============================================================
-# GROUP HIERARCHY
-# ============================================================
-# Structure (arrows show "contains" relationship):
-#
-#   AllStaff
-#     ├── Engineering ◄────────────────┐ (CYCLE from Platform)
-#     │     ├── DevOps                 │
-#     │     │     └── Platform ────────┘
-#     │     └── QA
-#     ├── Marketing
-#     └── HR
-#
-#   Contractors ─── DevOps (diamond: second path to Platform)
-#
-#   TestNestA ◄──► TestNestB (simple bidirectional cycle)
-#
-# ============================================================
-
-# Leaf group - Platform team (CYCLES BACK to Engineering)
-dn: cn=Platform,dc=bitwarden,dc=com
-changetype: add
-cn: Platform
-member: cn=Bob Martinez,ou=Engineering,dc=bitwarden,dc=com
-member: cn=Engineering,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# DevOps group - contains Platform subgroup
-dn: cn=DevOps,dc=bitwarden,dc=com
-changetype: add
-cn: DevOps
-member: cn=Alice Chen,ou=Engineering,dc=bitwarden,dc=com
-member: cn=Platform,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# QA group
-dn: cn=QA,dc=bitwarden,dc=com
-changetype: add
-cn: QA
-member: cn=Carol Williams,ou=Engineering,dc=bitwarden,dc=com
-member: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# Engineering group - contains DevOps and QA subgroups
-dn: cn=Engineering,dc=bitwarden,dc=com
-changetype: add
-cn: Engineering
-member: cn=DevOps,dc=bitwarden,dc=com
-member: cn=QA,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# Marketing group
-dn: cn=Marketing,dc=bitwarden,dc=com
-changetype: add
-cn: Marketing
-member: cn=Eva Johnson,ou=Marketing,dc=bitwarden,dc=com
-member: cn=Frank Lee,ou=Marketing,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# HR group
-dn: cn=HR,dc=bitwarden,dc=com
-changetype: add
-cn: HR
-member: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
-member: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# AllStaff - top-level group containing all departments
-dn: cn=AllStaff,dc=bitwarden,dc=com
-changetype: add
-cn: AllStaff
-member: cn=Engineering,dc=bitwarden,dc=com
-member: cn=Marketing,dc=bitwarden,dc=com
-member: cn=HR,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# Contractors group - creates diamond pattern (second path to Platform via DevOps)
-dn: cn=Contractors,dc=bitwarden,dc=com
-changetype: add
-cn: Contractors
-member: cn=DevOps,dc=bitwarden,dc=com
-member: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-# Simple bidirectional cycle test groups (preserved from original)
-dn: cn=TestNestA,dc=bitwarden,dc=com
-changetype: add
-cn: TestNestA
-member: cn=TestNestB,dc=bitwarden,dc=com
-member: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top
-
-dn: cn=TestNestB,dc=bitwarden,dc=com
-changetype: add
-cn: TestNestB
-member: cn=TestNestA,dc=bitwarden,dc=com
-member: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
-objectclass: groupOfNames
-objectclass: top