Refactor secure storage implementation to use native bindings and migrate from keytar. Update .gitignore for Rust artifacts, adjust package.json for new build scripts, and modify workflows for native module compilation. Enhance state versioning to support migration of credentials from keytar to desktop_core.

* [deps]: Update minimatch to v10 [SECURITY]

* Remove erroneous failing dependencies

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sven <svernyi@bitwarden.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,26 +9,3 @@
 ## 📸 Screenshots
 
 <!-- Required for any UI changes; delete if not applicable. Use fixed width images for better display. -->
-
-## ⏰ Reminders before review
-
-- Contributor guidelines followed
-- All formatters and local linters executed and passed
-- Written new unit and / or integration tests where applicable
-- Used internationalization (i18n) for all UI strings
-- CI builds passed
-- Communicated to DevOps any deployment requirements
-- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
-
-## 🦮 Reviewer guidelines
-
-<!-- Suggested interactions but feel free to use (or not) as you desire! -->
-
-- 👍 (`:+1:`) or similar for great changes
-- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
-- ❓ (`:question:`) for questions
-- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
-- 🎨 (`:art:`) for suggestions / improvements
-- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
-- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
-- ⛏ (`:pick:`) for minor or nitpick changes

.github/workflows/build.yml

@@ -23,7 +23,7 @@ jobs:
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -51,42 +51,36 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Set up system dependencies
         run: |
-          npm install -g node-gyp
-          node-gyp install "$(node -v)"
-
-      - name: Keytar
-        run: |
-          keytarVersion=$(cat package.json | jq -r '.dependencies.keytar')
-          keytarTar="keytar-v$keytarVersion-napi-v3-linux-x64.tar"
-
-          keytarTarGz="$keytarTar.gz"
-          keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz"
-
-          mkdir -p ./keytar/linux
-          wget "$keytarUrl" -O "./keytar/linux/$keytarTarGz"
-          tar -xvf "./keytar/linux/$keytarTarGz" -C ./keytar/linux
+          sudo apt-get update
+          sudo apt-get -y install libdbus-1-dev libsecret-1-dev pkg-config
 
       - name: Install
         run: npm install
 
+      - name: Build native module
+        run: npm run build:native:release
+
       - name: Package CLI
         run: npm run dist:cli:lin
 
       - name: Zip
-        run: zip -j "dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" "dist-cli/linux/bwdc" "keytar/linux/build/Release/keytar.node"
+        run: zip -j "dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" "dist-cli/linux/bwdc" "node_modules/dc-native/dc_native.linux-x64-gnu.node"
 
       - name: Version Test
         run: |
@@ -129,42 +123,31 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
-        run: |
-          npm install -g node-gyp
-          node-gyp install "$(node -v)"
-
-      - name: Keytar
-        run: |
-          keytarVersion=$(cat package.json | jq -r '.dependencies.keytar')
-          keytarTar="keytar-v$keytarVersion-napi-v3-darwin-x64.tar"
-
-          keytarTarGz="$keytarTar.gz"
-          keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz"
-
-          mkdir -p ./keytar/macos
-          wget "$keytarUrl" -O "./keytar/macos/$keytarTarGz"
-          tar -xvf "./keytar/macos/$keytarTarGz" -C ./keytar/macos
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Install
         run: npm install
 
+      - name: Build native module
+        run: npm run build:native:release
+
       - name: Package CLI
         run: npm run dist:cli:mac
 
       - name: Zip
-        run: zip -j "dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" "dist-cli/macos/bwdc" "keytar/macos/build/Release/keytar.node"
+        run: zip -j "dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" "dist-cli/macos/bwdc" "node_modules/dc-native/dc_native.darwin-x64.node"
 
       - name: Version Test
         run: |
@@ -200,7 +183,7 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -209,42 +192,29 @@ jobs:
           choco install checksum --no-progress
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
-        run: |
-          npm install -g node-gyp
-          node-gyp install $(node -v)
-
-      - name: Keytar
-        shell: pwsh
-        run: |
-          $keytarVersion = (Get-Content -Raw -Path ./package.json | ConvertFrom-Json).dependencies.keytar
-          $keytarTar = "keytar-v${keytarVersion}-napi-v3-{0}-x64.tar"
-          $keytarTarGz = "${keytarTar}.gz"
-          $keytarUrl = "https://github.com/atom/node-keytar/releases/download/v${keytarVersion}/${keytarTarGz}"
-
-          New-Item -ItemType directory -Path ./keytar/windows | Out-Null
-
-          Invoke-RestMethod -Uri $($keytarUrl -f "win32") -OutFile "./keytar/windows/$($keytarTarGz -f "win32")"
-
-          7z e "./keytar/windows/$($keytarTarGz -f "win32")" -o"./keytar/windows"
-
-          7z e "./keytar/windows/$($keytarTar -f "win32")" -o"./keytar/windows"
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: x86_64-pc-windows-msvc
 
       - name: Install
         run: npm install
 
+      - name: Build native module
+        run: npm run build:native:release
+
       - name: Package CLI
         run: npm run dist:cli:win
 
       - name: Zip
         shell: cmd
-        run: 7z a .\dist-cli\bwdc-windows-%_PACKAGE_VERSION%.zip .\dist-cli\windows\bwdc.exe .\keytar\windows\keytar.node
+        run: 7z a .\dist-cli\bwdc-windows-%_PACKAGE_VERSION%.zip .\dist-cli\windows\bwdc.exe .\node_modules\dc-native\dc_native.win32-x64-msvc.node
 
       - name: Version Test
         shell: pwsh
@@ -279,21 +249,21 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
-        run: |
-          npm install -g node-gyp
-          node-gyp install $(node -v)
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: x86_64-pc-windows-msvc
 
       - name: Print environment
         run: |
@@ -379,26 +349,24 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
-        run: |
-          npm install -g node-gyp
-          node-gyp install "$(node -v)"
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Set up environment
         run: |
           sudo apt-get update
-          sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev
+          sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev libdbus-1-dev
           sudo apt-get -y install rpm
 
       - name: NPM Install
@@ -439,21 +407,19 @@ jobs:
       HUSKY: 0
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
 
-      - name: Update NPM
-        run: |
-          npm install -g node-gyp
-          node-gyp install "$(node -v)"
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Print environment
         run: |

.github/workflows/integration-test.yml

@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -52,7 +52,7 @@ jobs:
           echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -129,7 +129,7 @@ jobs:
 
       - name: Report test results
         id: report
-        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
+        uses: dorny/test-reporter@b082adf0eced0765477756c2a610396589b8c637 # v2.5.0
         # This will skip the job if it's a pull request from a fork, because that won't have permission to upload test results.
         # PRs from the repository and all other events are OK.
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository) && !cancelled()
@@ -143,4 +143,6 @@ jobs:
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 
       - name: Upload results to codecov.io
-        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        with:
+          report_type: test_results

.github/workflows/lint.yml

@@ -0,0 +1,46 @@
+name: Lint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+
+  lint:
+    name: Run linter
+    if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get Node version
+        id: retrieve-node-version
+        run: |
+          NODE_NVMRC=$(cat .nvmrc)
+          NODE_VERSION=${NODE_NVMRC/v/''}
+          echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Node
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+          node-version: ${{ steps.retrieve-node-version.outputs.node_version }}
+
+      - name: Install Node dependencies
+        run: npm ci
+
+      - name: Run ESLint and Prettier
+        run: npm run lint

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -34,7 +34,7 @@ jobs:
           echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
@@ -53,7 +53,7 @@ jobs:
         run: npm run test --coverage
 
       - name: Report test results
-        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
+        uses: dorny/test-reporter@b082adf0eced0765477756c2a610396589b8c637 # v2.5.0
         # This will skip the job if it's a pull request from a fork, because that won't have permission to upload test results.
         # PRs from the repository and all other events are OK.
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository) && !cancelled()
@@ -67,4 +67,6 @@ jobs:
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 
       - name: Upload results to codecov.io
-        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        with:
+          report_type: test_results

.github/workflows/version-bump.yml

@@ -50,7 +50,7 @@ jobs:
           permission-contents: write
 
       - name: Checkout Branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.app-token.outputs.token }}
           persist-credentials: true

.gitignore

@@ -32,6 +32,10 @@ build
 build-cli
 .angular/cache
 
+# Rust build artifacts
+native/target
+native/*.node
+
 # Testing
 coverage*
 junit.xml*

.nvmrc

@@ -1 +1 @@
-v20
+v22

angular.json

@@ -18,15 +18,17 @@
       "prefix": "app",
       "architect": {
         "build": {
-          "builder": "@angular-devkit/build-angular:browser",
+          "builder": "@angular/build:application",
           "options": {
-            "outputPath": "dist",
+            "outputPath": {
+              "base": "dist"
+            },
             "index": "src/index.html",
-            "main": "src/main.ts",
             "tsConfig": "tsconfig.json",
             "assets": [],
             "styles": [],
-            "scripts": []
+            "scripts": [],
+            "browser": "src/main.ts"
           }
         }
       }

docs/google-workspace.md

@@ -1,300 +0,0 @@
-# Google Workspace Directory Integration
-
-This document provides technical documentation for the Google Workspace (formerly G Suite) directory integration in Bitwarden Directory Connector.
-
-## Overview
-
-The Google Workspace integration synchronizes users and groups from Google Workspace to Bitwarden organizations using the Google Admin SDK Directory API. The service uses a service account with domain-wide delegation to authenticate and access directory data.
-
-## Architecture
-
-### Service Location
-
-- **Implementation**: `src/services/directory-services/gsuite-directory.service.ts`
-- **Configuration Model**: `src/models/gsuiteConfiguration.ts`
-- **Integration Tests**: `src/services/directory-services/gsuite-directory.service.integration.spec.ts`
-
-### Authentication Flow
-
-The Google Workspace integration uses **OAuth 2.0 with Service Accounts** and domain-wide delegation:
-
-1. A service account is created in Google Cloud Console
-2. The service account is granted domain-wide delegation authority
-3. The service account is authorized for specific OAuth scopes in Google Workspace Admin Console
-4. The Directory Connector uses the service account's private key to generate JWT tokens
-5. JWT tokens are exchanged for access tokens to call the Admin SDK APIs
-
-### Required OAuth Scopes
-
-The service account must be granted the following OAuth 2.0 scopes:
-
-```
-https://www.googleapis.com/auth/admin.directory.user.readonly
-https://www.googleapis.com/auth/admin.directory.group.readonly
-https://www.googleapis.com/auth/admin.directory.group.member.readonly
-```
-
-## Configuration
-
-### Required Fields
-
-| Field         | Description                                                                             |
-| ------------- | --------------------------------------------------------------------------------------- |
-| `clientEmail` | Service account email address (e.g., `service-account@project.iam.gserviceaccount.com`) |
-| `privateKey`  | Service account private key in PEM format                                               |
-| `adminUser`   | Admin user email to impersonate for domain-wide delegation                              |
-| `domain`      | Primary domain of the Google Workspace organization                                     |
-
-### Optional Fields
-
-| Field      | Description                                                |
-| ---------- | ---------------------------------------------------------- |
-| `customer` | Customer ID for multi-domain organizations (rarely needed) |
-
-### Example Configuration
-
-```typescript
-{
-  clientEmail: "directory-connector@my-project.iam.gserviceaccount.com",
-  privateKey: "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
-  adminUser: "admin@example.com",
-  domain: "example.com",
-  customer: "" // Usually not required
-}
-```
-
-## Setup Instructions
-
-### 1. Create a Service Account
-
-1. Go to [Google Cloud Console](https://console.cloud.google.com)
-2. Create or select a project
-3. Navigate to **IAM & Admin** > **Service Accounts**
-4. Click **Create Service Account**
-5. Enter a name and description
-6. Click **Create and Continue**
-7. Skip granting roles (not needed for this use case)
-8. Click **Done**
-
-### 2. Generate Service Account Key
-
-1. Click on the newly created service account
-2. Navigate to the **Keys** tab
-3. Click **Add Key** > **Create new key**
-4. Select **JSON** format
-5. Click **Create** and download the key file
-6. Extract `client_email` and `private_key` from the JSON file
-
-### 3. Enable Domain-Wide Delegation
-
-1. In the service account details, click **Show Advanced Settings**
-2. Under **Domain-wide delegation**, click **Enable Google Workspace Domain-wide Delegation**
-3. Note the **Client ID** (numeric ID)
-
-### 4. Authorize the Service Account in Google Workspace
-
-1. Go to [Google Workspace Admin Console](https://admin.google.com)
-2. Navigate to **Security** > **API Controls** > **Domain-wide Delegation**
-3. Click **Add new**
-4. Enter the **Client ID** from step 3
-5. Enter the following OAuth scopes (comma-separated):
-   ```
-   https://www.googleapis.com/auth/admin.directory.user.readonly,
-   https://www.googleapis.com/auth/admin.directory.group.readonly,
-   https://www.googleapis.com/auth/admin.directory.group.member.readonly
-   ```
-6. Click **Authorize**
-
-### 5. Configure Directory Connector
-
-Use the extracted values to configure the Directory Connector:
-
-- **Client Email**: From `client_email` in the JSON key file
-- **Private Key**: From `private_key` in the JSON key file (keep the `\n` line breaks)
-- **Admin User**: Email of a super admin user in your Google Workspace domain
-- **Domain**: Your primary Google Workspace domain
-
-## Sync Behavior
-
-### User Synchronization
-
-The service synchronizes the following user attributes:
-
-| Google Workspace Field    | Bitwarden Field             | Notes                                     |
-| ------------------------- | --------------------------- | ----------------------------------------- |
-| `id`                      | `referenceId`, `externalId` | User's unique Google ID                   |
-| `primaryEmail`            | `email`                     | Normalized to lowercase                   |
-| `suspended` OR `archived` | `disabled`                  | User is disabled if suspended or archived |
-| Deleted status            | `deleted`                   | Set to true for deleted users             |
-
-**Special Behavior:**
-
-- The service queries both **active users** and **deleted users** separately
-- Suspended and archived users are included but marked as disabled
-- Deleted users are included with the `deleted` flag set to true
-
-### Group Synchronization
-
-The service synchronizes the following group attributes:
-
-| Google Workspace Field  | Bitwarden Field             | Notes                    |
-| ----------------------- | --------------------------- | ------------------------ |
-| `id`                    | `referenceId`, `externalId` | Group's unique Google ID |
-| `name`                  | `name`                      | Group display name       |
-| Members (type=USER)     | `userMemberExternalIds`     | Individual user members  |
-| Members (type=GROUP)    | `groupMemberReferenceIds`   | Nested group members     |
-| Members (type=CUSTOMER) | `userMemberExternalIds`     | All domain users         |
-
-**Member Types:**
-
-- **USER**: Individual user accounts (only ACTIVE status users are synced)
-- **GROUP**: Nested groups (allows group hierarchy)
-- **CUSTOMER**: Special member type that includes all users in the domain
-
-### Filtering
-
-#### User Filter Examples
-
-```
-exclude:testuser1@bwrox.dev | testuser1@bwrox.dev                   # Exclude multiple users
-|orgUnitPath='/Integration testing'                                 # Users in Integration testing Organizational unit (OU)
-exclude:testuser1@bwrox.dev | orgUnitPath='/Integration testing'    # Combined filter: get users in OU excluding provided user
-|email:testuser*                                                    # Users with email starting with "testuser"
-```
-
-#### Group Filter Examples
-
-An important note for group filters is that it implicitly only syncs users that are in groups. For example, in the case of
-the integration test data, `admin@bwrox.dev` is not a member of any group. Therefore, the first example filter below will
-also implicitly exclude `admin@bwrox.dev`, who is not in any group. This is important because when it is paired with an
-empty user filter, this query may semantically be understood as "sync everyone not in Integration Test Group A," while in
-practice it means "Only sync members of groups not in integration Test Groups A."
-
-```
-exclude:Integration Test Group A                                    # Get all users in groups excluding the provided group.
-```
-
-### User AND Group Filter Examples
-
-```
-
-```
-
-**Filter Syntax:**
-
-- Prefix with `|` for custom filters
-- Use `:` for pattern matching (supports `*` wildcard)
-- Combine multiple conditions with spaces (AND logic)
-
-### Pagination
-
-The service automatically handles pagination for all API calls:
-
-- Users API (active and deleted)
-- Groups API
-- Group Members API
-
-Each API call processes all pages using the `nextPageToken` mechanism until no more results are available.
-
-## Error Handling
-
-### Common Errors
-
-| Error                  | Cause                                 | Resolution                                                 |
-| ---------------------- | ------------------------------------- | ---------------------------------------------------------- |
-| "dirConfigIncomplete"  | Missing required configuration fields | Verify all required fields are provided                    |
-| "authenticationFailed" | Invalid credentials or unauthorized   | Check service account key and domain-wide delegation setup |
-| API returns 401/403    | Missing OAuth scopes                  | Verify scopes are authorized in Admin Console              |
-| API returns 404        | Invalid domain or customer ID         | Check domain configuration                                 |
-
-### Security Considerations
-
-The service implements the following security measures:
-
-1. **Credential sanitization**: Error messages do not expose private keys or sensitive credentials
-2. **Secure authentication**: Uses OAuth 2.0 with JWT tokens, not API keys
-3. **Read-only access**: Only requires read-only scopes for directory data
-4. **No credential logging**: Service account credentials are not logged
-
-## Testing
-
-### Integration Tests
-
-Integration tests are located in `src/services/directory-services/gsuite-directory.service.integration.spec.ts`.
-
-**Test Coverage:**
-
-- Basic sync (users and groups)
-- Sync with filters
-- Users-only sync
-- Groups-only sync
-- User filtering scenarios
-- Group filtering scenarios
-- Disabled users handling
-- Group membership scenarios
-- Error handling
-
-**Running Integration Tests:**
-
-Integration tests require live Google Workspace credentials:
-
-1. Create a `.env` file in the `utils/` folder with:
-   ```
-   GOOGLE_ADMIN_USER=admin@example.com
-   GOOGLE_CLIENT_EMAIL=service-account@project.iam.gserviceaccount.com
-   GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
-   GOOGLE_DOMAIN=example.com
-   ```
-2. Run tests:
-
-   ```bash
-   # Run all integration tests (includes LDAP, Google Workspace, etc.)
-   npm run test:integration
-
-   # Run only Google Workspace integration tests
-   npx jest gsuite-directory.service.integration.spec.ts
-   ```
-
-**Test Data:**
-
-The integration tests expect specific test data in Google Workspace:
-
-- **Users**: 5 test users in organizational unit `/Integration testing`
-  - testuser1@bwrox.dev (in Group A)
-  - testuser2@bwrox.dev (in Groups A & B)
-  - testuser3@bwrox.dev (in Group B)
-  - testuser4@bwrox.dev (no groups)
-  - testuser5@bwrox.dev (disabled)
-
-- **Groups**: 2 test groups with name pattern `Integration*`
-  - Integration Test Group A
-  - Integration Test Group B
-
-## API Reference
-
-### Google Admin SDK APIs Used
-
-- **Users API**: `admin.users.list()`
-  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/list)
-
-- **Groups API**: `admin.groups.list()`
-  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list)
-
-- **Members API**: `admin.members.list()`
-  - [Documentation](https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list)
-
-### Rate Limits
-
-Google Workspace Directory API rate limits:
-
-- Default: 2,400 queries per minute per user, per Google Cloud Project
-
-The service does not implement rate limiting logic; it relies on API error responses.
-
-## Resources
-
-- [Google Admin SDK Directory API Guide](https://developers.google.com/admin-sdk/directory/v1/guides)
-- [Service Account Authentication](https://developers.google.com/identity/protocols/oauth2/service-account)
-- [Domain-wide Delegation](https://support.google.com/a/answer/162106)
-- [Google Workspace Admin Console](https://admin.google.com)
-- [Bitwarden Directory Connector Documentation](https://bitwarden.com/help/directory-sync/)

electron-builder.json

@@ -11,6 +11,7 @@
     "app": "build"
   },
   "afterSign": "scripts/notarize.js",
+  "asarUnpack": ["node_modules/dc-native/*.node"],
   "mac": {
     "artifactName": "Bitwarden-Connector-${version}-mac.${ext}",
     "category": "public.app-category.productivity",

eslint.config.mjs

@@ -23,6 +23,7 @@ export default [
       "eslint.config.mjs",
       "scripts/**/*.js",
       "**/node_modules/**",
+      "native/**",
     ],
   },
 

jslib/angular/src/components/toastr.component.ts

@@ -1,75 +1,77 @@
-import { animate, state, style, transition, trigger } from "@angular/animations";
 import { CommonModule } from "@angular/common";
 import { Component, ModuleWithProviders, NgModule } from "@angular/core";
-import {
-  DefaultNoComponentGlobalConfig,
-  GlobalConfig,
-  Toast as BaseToast,
-  ToastPackage,
-  ToastrService,
-  TOAST_CONFIG,
-} from "ngx-toastr";
+import { DefaultNoComponentGlobalConfig, GlobalConfig, Toast, TOAST_CONFIG } from "ngx-toastr";
 
 @Component({
   selector: "[toast-component2]",
   template: `
-    <button
-      *ngIf="options.closeButton"
-      (click)="remove()"
-      type="button"
-      class="toast-close-button"
-      aria-label="Close"
-    >
-      <span aria-hidden="true">&times;</span>
-    </button>
+    @if (options().closeButton) {
+      <button (click)="remove()" type="button" class="toast-close-button" aria-label="Close">
+        <span aria-hidden="true">&times;</span>
+      </button>
+    }
     <div class="icon">
       <i></i>
     </div>
     <div>
-      <div *ngIf="title" [class]="options.titleClass" [attr.aria-label]="title">
-        {{ title }} <ng-container *ngIf="duplicatesCount">[{{ duplicatesCount + 1 }}]</ng-container>
-      </div>
-      <div
-        *ngIf="message && options.enableHtml"
-        role="alertdialog"
-        aria-live="polite"
-        [class]="options.messageClass"
-        [innerHTML]="message"
-      ></div>
-      <div
-        *ngIf="message && !options.enableHtml"
-        role="alertdialog"
-        aria-live="polite"
-        [class]="options.messageClass"
-        [attr.aria-label]="message"
-      >
-        {{ message }}
-      </div>
-    </div>
-    <div *ngIf="options.progressBar">
-      <div class="toast-progress" [style.width]="width + '%'"></div>
+      @if (title()) {
+        <div [class]="options().titleClass" [attr.aria-label]="title()">
+          {{ title() }}
+          @if (duplicatesCount) {
+            [{{ duplicatesCount + 1 }}]
+          }
+        </div>
+      }
+      @if (message() && options().enableHtml) {
+        <div
+          role="alertdialog"
+          aria-live="polite"
+          [class]="options().messageClass"
+          [innerHTML]="message()"
+        ></div>
+      }
+      @if (message() && !options().enableHtml) {
+        <div
+          role="alertdialog"
+          aria-live="polite"
+          [class]="options().messageClass"
+          [attr.aria-label]="message()"
+        >
+          {{ message() }}
+        </div>
+      }
     </div>
+    @if (options().progressBar) {
+      <div>
+        <div class="toast-progress" [style.width]="width + '%'"></div>
+      </div>
+    }
+  `,
+  styles: `
+    :host {
+      &.toast-in {
+        animation: toast-animation var(--animation-duration) var(--animation-easing);
+      }
+
+      &.toast-out {
+        animation: toast-animation var(--animation-duration) var(--animation-easing) reverse
+          forwards;
+      }
+    }
+
+    @keyframes toast-animation {
+      from {
+        opacity: 0;
+      }
+      to {
+        opacity: 1;
+      }
+    }
   `,
-  animations: [
-    trigger("flyInOut", [
-      state("inactive", style({ opacity: 0 })),
-      state("active", style({ opacity: 1 })),
-      state("removed", style({ opacity: 0 })),
-      transition("inactive => active", animate("{{ easeTime }}ms {{ easing }}")),
-      transition("active => removed", animate("{{ easeTime }}ms {{ easing }}")),
-    ]),
-  ],
   preserveWhitespaces: false,
   standalone: false,
 })
-export class BitwardenToast extends BaseToast {
-  constructor(
-    protected toastrService: ToastrService,
-    public toastPackage: ToastPackage,
-  ) {
-    super(toastrService, toastPackage);
-  }
-}
+export class BitwardenToast extends Toast {}
 
 export const BitwardenToastGlobalConfig: GlobalConfig = {
   ...DefaultNoComponentGlobalConfig,

jslib/common/spec/domain/encString.spec.ts

@@ -1,195 +0,0 @@
-import { Substitute, Arg } from "@fluffy-spoon/substitute";
-
-import { CryptoService } from "@/jslib/common/src/abstractions/crypto.service";
-import { EncryptionType } from "@/jslib/common/src/enums/encryptionType";
-import { EncString } from "@/jslib/common/src/models/domain/encString";
-import { SymmetricCryptoKey } from "@/jslib/common/src/models/domain/symmetricCryptoKey";
-import { ContainerService } from "@/jslib/common/src/services/container.service";
-
-describe("EncString", () => {
-  afterEach(() => {
-    (window as any).bitwardenContainerService = undefined;
-  });
-
-  describe("Rsa2048_OaepSha256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.Rsa2048_OaepSha256_B64, "data");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "3.data",
-        encryptionType: 3,
-      });
-    });
-
-    describe("parse existing", () => {
-      it("valid", () => {
-        const encString = new EncString("3.data");
-
-        expect(encString).toEqual({
-          data: "data",
-          encryptedString: "3.data",
-          encryptionType: 3,
-        });
-      });
-
-      it("invalid", () => {
-        const encString = new EncString("3.data|test");
-
-        expect(encString).toEqual({
-          encryptedString: "3.data|test",
-          encryptionType: 3,
-        });
-      });
-    });
-
-    describe("decrypt", () => {
-      const encString = new EncString(EncryptionType.Rsa2048_OaepSha256_B64, "data");
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-      cryptoService.decryptToUtf8(encString, Arg.any()).resolves("decrypted");
-
-      beforeEach(() => {
-        (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-      });
-
-      it("decrypts correctly", async () => {
-        const decrypted = await encString.decrypt(null);
-
-        expect(decrypted).toBe("decrypted");
-      });
-
-      it("result should be cached", async () => {
-        const decrypted = await encString.decrypt(null);
-        cryptoService.received(1).decryptToUtf8(Arg.any(), Arg.any());
-
-        expect(decrypted).toBe("decrypted");
-      });
-    });
-  });
-
-  describe("AesCbc256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.AesCbc256_B64, "data", "iv");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "0.iv|data",
-        encryptionType: 0,
-        iv: "iv",
-      });
-    });
-
-    describe("parse existing", () => {
-      it("valid", () => {
-        const encString = new EncString("0.iv|data");
-
-        expect(encString).toEqual({
-          data: "data",
-          encryptedString: "0.iv|data",
-          encryptionType: 0,
-          iv: "iv",
-        });
-      });
-
-      it("invalid", () => {
-        const encString = new EncString("0.iv|data|mac");
-
-        expect(encString).toEqual({
-          encryptedString: "0.iv|data|mac",
-          encryptionType: 0,
-        });
-      });
-    });
-  });
-
-  describe("AesCbc256_HmacSha256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.AesCbc256_HmacSha256_B64, "data", "iv", "mac");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "2.iv|data|mac",
-        encryptionType: 2,
-        iv: "iv",
-        mac: "mac",
-      });
-    });
-
-    it("valid", () => {
-      const encString = new EncString("2.iv|data|mac");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "2.iv|data|mac",
-        encryptionType: 2,
-        iv: "iv",
-        mac: "mac",
-      });
-    });
-
-    it("invalid", () => {
-      const encString = new EncString("2.iv|data");
-
-      expect(encString).toEqual({
-        encryptedString: "2.iv|data",
-        encryptionType: 2,
-      });
-    });
-  });
-
-  it("Exit early if null", () => {
-    const encString = new EncString(null);
-
-    expect(encString).toEqual({
-      encryptedString: null,
-    });
-  });
-
-  describe("decrypt", () => {
-    it("throws exception when bitwarden container not initialized", async () => {
-      const encString = new EncString(null);
-
-      expect.assertions(1);
-      try {
-        await encString.decrypt(null);
-      } catch (e) {
-        expect(e.message).toEqual("global bitwardenContainerService not initialized.");
-      }
-    });
-
-    it("handles value it can't decrypt", async () => {
-      const encString = new EncString(null);
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-      cryptoService.decryptToUtf8(encString, Arg.any()).throws("error");
-
-      (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-
-      const decrypted = await encString.decrypt(null);
-
-      expect(decrypted).toBe("[error: cannot decrypt]");
-
-      expect(encString).toEqual({
-        decryptedValue: "[error: cannot decrypt]",
-        encryptedString: null,
-      });
-    });
-
-    it("passes along key", async () => {
-      const encString = new EncString(null);
-      const key = Substitute.for<SymmetricCryptoKey>();
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-
-      (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-
-      await encString.decrypt(null, key);
-
-      cryptoService.received().decryptToUtf8(encString, key);
-    });
-  });
-});

jslib/common/spec/domain/symmetricCryptoKey.spec.ts

@@ -9,7 +9,7 @@ describe("SymmetricCryptoKey", () => {
       new SymmetricCryptoKey(null);
     };
 
-    expect(t).toThrowError("Must provide key");
+    expect(t).toThrow("Must provide key");
   });
 
   describe("guesses encKey from key length", () => {
@@ -63,7 +63,7 @@ describe("SymmetricCryptoKey", () => {
         new SymmetricCryptoKey(makeStaticByteArray(30));
       };
 
-      expect(t).toThrowError("Unable to determine encType.");
+      expect(t).toThrow("Unable to determine encType.");
     });
   });
 });

jslib/common/spec/services/stateMigration.service.ts

@@ -1,84 +0,0 @@
-import { Arg, Substitute, SubstituteOf } from "@fluffy-spoon/substitute";
-
-import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
-import { StateVersion } from "@/jslib/common/src/enums/stateVersion";
-import { StateFactory } from "@/jslib/common/src/factories/stateFactory";
-import { Account } from "@/jslib/common/src/models/domain/account";
-import { GlobalState } from "@/jslib/common/src/models/domain/globalState";
-import { StateMigrationService } from "@/jslib/common/src/services/stateMigration.service";
-
-const userId = "USER_ID";
-
-describe("State Migration Service", () => {
-  let storageService: SubstituteOf<StorageService>;
-  let secureStorageService: SubstituteOf<StorageService>;
-  let stateFactory: SubstituteOf<StateFactory>;
-
-  let stateMigrationService: StateMigrationService;
-
-  beforeEach(() => {
-    storageService = Substitute.for<StorageService>();
-    secureStorageService = Substitute.for<StorageService>();
-    stateFactory = Substitute.for<StateFactory>();
-
-    stateMigrationService = new StateMigrationService(
-      storageService,
-      secureStorageService,
-      stateFactory,
-    );
-  });
-
-  describe("StateVersion 3 to 4 migration", async () => {
-    beforeEach(() => {
-      const globalVersion3: Partial<GlobalState> = {
-        stateVersion: StateVersion.Three,
-      };
-
-      storageService.get("global", Arg.any()).resolves(globalVersion3);
-      storageService.get("authenticatedAccounts", Arg.any()).resolves([userId]);
-    });
-
-    it("clears everBeenUnlocked", async () => {
-      const accountVersion3: Account = {
-        profile: {
-          apiKeyClientId: null,
-          convertAccountToKeyConnector: null,
-          email: "EMAIL",
-          emailVerified: true,
-          everBeenUnlocked: true,
-          hasPremiumPersonally: false,
-          kdfIterations: 100000,
-          kdfType: 0,
-          keyHash: "KEY_HASH",
-          lastSync: "LAST_SYNC",
-          userId: userId,
-          usesKeyConnector: false,
-          forcePasswordReset: false,
-        },
-      };
-
-      const expectedAccountVersion4: Account = {
-        profile: {
-          ...accountVersion3.profile,
-        },
-      };
-      delete expectedAccountVersion4.profile.everBeenUnlocked;
-
-      storageService.get(userId, Arg.any()).resolves(accountVersion3);
-
-      await stateMigrationService.migrate();
-
-      storageService.received(1).save(userId, expectedAccountVersion4, Arg.any());
-    });
-
-    it("updates StateVersion number", async () => {
-      await stateMigrationService.migrate();
-
-      storageService.received(1).save(
-        "global",
-        Arg.is((globals: GlobalState) => globals.stateVersion === StateVersion.Four),
-        Arg.any(),
-      );
-    });
-  });
-});

jslib/common/spec/utils.ts

@@ -1,7 +1,3 @@
-import { Substitute, Arg } from "@fluffy-spoon/substitute";
-
-import { EncString } from "@/jslib/common/src/models/domain/encString";
-
 function newGuid() {
   return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
     const r = (Math.random() * 16) | 0;
@@ -21,13 +17,6 @@ export function BuildTestObject<T, K extends keyof T = keyof T>(
   return Object.assign(constructor === null ? {} : new constructor(), def) as T;
 }
 
-export function mockEnc(s: string): EncString {
-  const mock = Substitute.for<EncString>();
-  mock.decrypt(Arg.any(), Arg.any()).resolves(s);
-
-  return mock;
-}
-
 export function makeStaticByteArray(length: number, start = 0) {
   const arr = new Uint8Array(length);
   for (let i = 0; i < length; i++) {

jslib/common/src/enums/stateVersion.ts

@@ -3,5 +3,6 @@ export enum StateVersion {
   Two = 2, // Move to a typed State object
   Three = 3, // Fix migration of users' premium status
   Four = 4, // Fix 'Never Lock' option by removing stale data
-  Latest = Four,
+  Five = 5, // Migrate Windows keychain credentials from keytar (UTF-8) to desktop_core (UTF-16)
+  Latest = Five,
 }

jslib/electron/src/services/electronRendererSecureStorage.service.ts

@@ -5,7 +5,7 @@ import { StorageOptions } from "@/jslib/common/src/models/domain/storageOptions"
 
 export class ElectronRendererSecureStorageService implements StorageService {
   async get<T>(key: string, options?: StorageOptions): Promise<T> {
-    const val = ipcRenderer.sendSync("keytar", {
+    const val = ipcRenderer.sendSync("nativeSecureStorage", {
       action: "getPassword",
       key: key,
       keySuffix: options?.keySuffix ?? "",
@@ -14,7 +14,7 @@ export class ElectronRendererSecureStorageService implements StorageService {
   }
 
   async has(key: string, options?: StorageOptions): Promise<boolean> {
-    const val = ipcRenderer.sendSync("keytar", {
+    const val = ipcRenderer.sendSync("nativeSecureStorage", {
       action: "hasPassword",
       key: key,
       keySuffix: options?.keySuffix ?? "",
@@ -23,7 +23,7 @@ export class ElectronRendererSecureStorageService implements StorageService {
   }
 
   async save(key: string, obj: any, options?: StorageOptions): Promise<any> {
-    ipcRenderer.sendSync("keytar", {
+    ipcRenderer.sendSync("nativeSecureStorage", {
       action: "setPassword",
       key: key,
       keySuffix: options?.keySuffix ?? "",
@@ -33,7 +33,7 @@ export class ElectronRendererSecureStorageService implements StorageService {
   }
 
   async remove(key: string, options?: StorageOptions): Promise<any> {
-    ipcRenderer.sendSync("keytar", {
+    ipcRenderer.sendSync("nativeSecureStorage", {
       action: "deletePassword",
       key: key,
       keySuffix: options?.keySuffix ?? "",

jslib/electron/src/window.main.ts

@@ -127,6 +127,13 @@ export class WindowMain {
       },
     });
 
+    // Enable SharedArrayBuffer. See https://developer.chrome.com/blog/enabling-shared-array-buffer/#cross-origin-isolation
+    this.win.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+      details.responseHeaders["Cross-Origin-Opener-Policy"] = ["same-origin"];
+      details.responseHeaders["Cross-Origin-Embedder-Policy"] = ["require-corp"];
+      callback({ responseHeaders: details.responseHeaders });
+    });
+
     if (this.windowStates[mainWindowSizeKey].isMaximized) {
       this.win.maximize();
     }

native/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "dc_native"
+version = "0.1.0"
+edition = "2021"
+description = "Native keychain bindings for Bitwarden Directory Connector"
+license = "GPL-3.0"
+
+[lib]
+crate-type = ["cdylib"]
+name = "dc_native"
+
+[dependencies]
+anyhow = "=1.0.100"
+desktop_core = { git = "https://github.com/bitwarden/clients", rev = "00cf24972d944638bbd1adc00a0ae3eeabb6eb9a", package = "desktop_core" }
+napi = { version = "=3.3.0", features = ["async"] }
+napi-derive = "=3.2.5"
+
+[target.'cfg(windows)'.dependencies]
+scopeguard = "=1.2.0"
+widestring = "=1.2.0"
+windows = { version = "=0.61.1", features = [
+    "Win32_Foundation",
+    "Win32_Security_Credentials",
+] }
+
+[build-dependencies]
+napi-build = "=2.2.3"

native/build.rs

@@ -0,0 +1,5 @@
+extern crate napi_build;
+
+fn main() {
+    napi_build::setup();
+}

native/index.d.ts

@@ -0,0 +1,34 @@
+export declare namespace passwords {
+  /** The error message returned when a password is not found during retrieval or deletion. */
+  export const PASSWORD_NOT_FOUND: string;
+
+  /**
+   * Fetch the stored password from the keychain.
+   * Throws an Error with message PASSWORD_NOT_FOUND if the password does not exist.
+   */
+  export function getPassword(service: string, account: string): Promise<string>;
+
+  /**
+   * Save the password to the keychain. Adds an entry if none exists, otherwise updates it.
+   */
+  export function setPassword(service: string, account: string, password: string): Promise<void>;
+
+  /**
+   * Delete the stored password from the keychain.
+   * Throws an Error with message PASSWORD_NOT_FOUND if the password does not exist.
+   */
+  export function deletePassword(service: string, account: string): Promise<void>;
+
+  /**
+   * Check if OS secure storage is available.
+   */
+  export function isAvailable(): Promise<boolean>;
+
+  /**
+   * Migrate a credential previously stored by keytar (UTF-8 blob on Windows) to the UTF-16
+   * format used by desktop_core. No-ops on non-Windows platforms.
+   *
+   * Returns true if a migration was performed, false otherwise.
+   */
+  export function migrateKeytarPassword(service: string, account: string): Promise<boolean>;
+}

native/index.js

@@ -0,0 +1,67 @@
+const { existsSync } = require("fs");
+const { join } = require("path");
+
+const { platform, arch } = process;
+
+let nativeBinding = null;
+let loadError = null;
+
+function loadFirstAvailable(localFiles) {
+  for (const localFile of localFiles) {
+    const filePath = join(__dirname, localFile);
+    if (existsSync(filePath)) {
+      return require(filePath);
+    }
+  }
+  throw new Error(`Could not find dc-native binary. Run 'npm run build:native' to compile it.`);
+}
+
+switch (platform) {
+  case "win32":
+    switch (arch) {
+      case "x64":
+        nativeBinding = loadFirstAvailable(["dc_native.win32-x64-msvc.node"]);
+        break;
+      case "arm64":
+        nativeBinding = loadFirstAvailable(["dc_native.win32-arm64-msvc.node"]);
+        break;
+      default:
+        throw new Error(`Unsupported architecture on Windows: ${arch}`);
+    }
+    break;
+  case "darwin":
+    switch (arch) {
+      case "x64":
+        nativeBinding = loadFirstAvailable(["dc_native.darwin-x64.node"]);
+        break;
+      case "arm64":
+        nativeBinding = loadFirstAvailable(["dc_native.darwin-arm64.node"]);
+        break;
+      default:
+        throw new Error(`Unsupported architecture on macOS: ${arch}`);
+    }
+    break;
+  case "linux":
+    switch (arch) {
+      case "x64":
+        nativeBinding = loadFirstAvailable(["dc_native.linux-x64-gnu.node"]);
+        break;
+      case "arm64":
+        nativeBinding = loadFirstAvailable(["dc_native.linux-arm64-gnu.node"]);
+        break;
+      default:
+        throw new Error(`Unsupported architecture on Linux: ${arch}`);
+    }
+    break;
+  default:
+    throw new Error(`Unsupported platform: ${platform}, architecture: ${arch}`);
+}
+
+if (!nativeBinding) {
+  if (loadError) {
+    throw loadError;
+  }
+  throw new Error(`Failed to load dc-native binding`);
+}
+
+module.exports = nativeBinding;

native/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "dc-native",
+  "version": "1.0.0",
+  "description": "Native keychain bindings for Bitwarden Directory Connector",
+  "main": "index.js",
+  "types": "index.d.ts",
+  "license": "GPL-3.0",
+  "scripts": {
+    "build": "napi build --platform",
+    "build:release": "napi build --platform --release"
+  },
+  "devDependencies": {
+    "@napi-rs/cli": "^3.0.0"
+  }
+}

native/src/lib.rs

@@ -0,0 +1,70 @@
+#[macro_use]
+extern crate napi_derive;
+
+#[napi]
+pub mod passwords {
+    /// The error message returned when a password is not found during retrieval or deletion.
+    #[napi]
+    pub const PASSWORD_NOT_FOUND: &str = desktop_core::password::PASSWORD_NOT_FOUND;
+
+    /// Fetch the stored password from the keychain.
+    /// Throws an Error with message PASSWORD_NOT_FOUND if the password does not exist.
+    #[napi]
+    pub async fn get_password(service: String, account: String) -> napi::Result<String> {
+        desktop_core::password::get_password(&service, &account)
+            .await
+            .map_err(|e| napi::Error::from_reason(e.to_string()))
+    }
+
+    /// Save the password to the keychain. Adds an entry if none exists, otherwise updates it.
+    #[napi]
+    pub async fn set_password(
+        service: String,
+        account: String,
+        password: String,
+    ) -> napi::Result<()> {
+        desktop_core::password::set_password(&service, &account, &password)
+            .await
+            .map_err(|e| napi::Error::from_reason(e.to_string()))
+    }
+
+    /// Delete the stored password from the keychain.
+    /// Throws an Error with message PASSWORD_NOT_FOUND if the password does not exist.
+    #[napi]
+    pub async fn delete_password(service: String, account: String) -> napi::Result<()> {
+        desktop_core::password::delete_password(&service, &account)
+            .await
+            .map_err(|e| napi::Error::from_reason(e.to_string()))
+    }
+
+    /// Check if OS secure storage is available.
+    #[napi]
+    pub async fn is_available() -> napi::Result<bool> {
+        desktop_core::password::is_available()
+            .await
+            .map_err(|e| napi::Error::from_reason(e.to_string()))
+    }
+
+    /// Migrate a credential that was stored by keytar (UTF-8 blob) to the new UTF-16 format
+    /// used by desktop_core on Windows. No-ops on non-Windows platforms.
+    ///
+    /// Returns true if a migration was performed, false if the credential was already in the
+    /// correct format or does not exist.
+    #[napi]
+    pub async fn migrate_keytar_password(service: String, account: String) -> napi::Result<bool> {
+        #[cfg(windows)]
+        {
+            crate::migration::migrate_keytar_password(&service, &account)
+                .await
+                .map_err(|e| napi::Error::from_reason(e.to_string()))
+        }
+        #[cfg(not(windows))]
+        {
+            let _ = (service, account);
+            Ok(false)
+        }
+    }
+}
+
+#[cfg(windows)]
+mod migration;

native/src/migration.rs

@@ -0,0 +1,67 @@
+/// Windows-only: migrates credentials stored by keytar (UTF-8 blob via CredWriteA) to the
+/// UTF-16 format expected by desktop_core (CredWriteW).
+///
+/// Keytar used CredWriteA on Windows, which stored the credential blob as raw UTF-8 bytes.
+/// desktop_core uses CredWriteW with a UTF-16 encoded blob. Reading old keytar credentials
+/// through desktop_core's get_password produces garbled output because the UTF-8 bytes are
+/// reinterpreted as UTF-16.
+///
+/// This function detects the old format by checking whether the raw blob bytes are valid UTF-8
+/// without null bytes (UTF-16 LE encoding of ASCII always contains null bytes). If so, it
+/// re-saves the credential using desktop_core's set_password (UTF-16 encoding).
+use anyhow::{anyhow, Result};
+use widestring::U16CString;
+use windows::{
+    core::PCWSTR,
+    Win32::Security::Credentials::{CredFree, CredReadW, CRED_TYPE_GENERIC},
+};
+
+pub async fn migrate_keytar_password(service: &str, account: &str) -> Result<bool> {
+    let target = format!("{}/{}", service, account);
+    let target_wide = U16CString::from_str(&target)?;
+
+    let mut credential = std::ptr::null_mut();
+    let result = unsafe {
+        CredReadW(
+            PCWSTR(target_wide.as_ptr()),
+            CRED_TYPE_GENERIC,
+            None,
+            &mut credential,
+        )
+    };
+
+    scopeguard::defer! {{
+        unsafe { CredFree(credential as *mut _) };
+    }};
+
+    if result.is_err() {
+        // Credential does not exist; nothing to migrate.
+        return Ok(false);
+    }
+
+    let blob_bytes: Vec<u8> = unsafe {
+        let blob_ptr = (*credential).CredentialBlob;
+        let blob_size = (*credential).CredentialBlobSize as usize;
+        if blob_ptr.is_null() || blob_size == 0 {
+            return Ok(false);
+        }
+        std::slice::from_raw_parts(blob_ptr, blob_size).to_vec()
+    };
+
+    // UTF-16 LE encoding of ASCII always contains null bytes (e.g. 'A' → 0x41 0x00).
+    // Keytar stored raw UTF-8 bytes which will never contain null bytes for valid JSON.
+    // If the blob is valid UTF-8 and contains no null bytes, it was written by keytar.
+    let blob_is_utf8 = std::str::from_utf8(&blob_bytes)
+        .map(|s| !s.contains('\0'))
+        .unwrap_or(false);
+
+    if !blob_is_utf8 {
+        // Already UTF-16 or unrecognised format; no migration needed.
+        return Ok(false);
+    }
+
+    let utf8_value = String::from_utf8(blob_bytes).map_err(|e| anyhow!(e))?;
+    desktop_core::password::set_password(service, account, &utf8_value).await?;
+
+    Ok(true)
+}

package.json

@@ -2,7 +2,7 @@
   "name": "@bitwarden/directory-connector",
   "productName": "Bitwarden Directory Connector",
   "description": "Sync your user directory to your Bitwarden organization.",
-  "version": "2025.12.0",
+  "version": "2026.2.0",
   "keywords": [
     "bitwarden",
     "password",
@@ -26,15 +26,16 @@
     "symlink:win": "rm -rf ./jslib && cmd /c mklink /J .\\jslib ..\\jslib",
     "symlink:mac": "npm run symlink:lin",
     "symlink:lin": "rm -rf ./jslib && ln -s ../jslib ./jslib",
-    "rebuild": "electron-rebuild",
-    "reset": "rimraf --glob ./node_modules/keytar/* && npm install",
+    "build:native": "cd native && npm install && npm run build",
+    "build:native:release": "cd native && npm install && npm run build:release",
+    "rebuild": "npm run build:native:release",
     "lint": "eslint . && prettier --check .",
     "lint:fix": "eslint . --fix",
     "build": "concurrently -n Main,Rend -c yellow,cyan \"npm run build:main\" \"npm run build:renderer\"",
     "build:main": "webpack --config webpack.main.cjs",
     "build:renderer": "webpack --config webpack.renderer.cjs",
     "build:renderer:watch": "webpack --config webpack.renderer.cjs --watch",
-    "build:dist": "npm run reset && npm run rebuild && npm run build",
+    "build:dist": "npm run rebuild && npm run build",
     "build:cli": "webpack --config webpack.cli.cjs",
     "build:cli:watch": "webpack --config webpack.cli.cjs --watch",
     "build:cli:prod": "cross-env NODE_ENV=production webpack --config webpack.cli.cjs",
@@ -73,17 +74,15 @@
     "test:types": "npx tsc --noEmit"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "20.3.3",
-    "@angular-eslint/eslint-plugin-template": "20.7.0",
-    "@angular-eslint/template-parser": "20.7.0",
-    "@angular/compiler-cli": "20.3.15",
+    "@angular-eslint/eslint-plugin-template": "21.1.0",
+    "@angular-eslint/template-parser": "21.1.0",
+    "@angular/build": "21.1.2",
+    "@angular/compiler-cli": "21.1.1",
     "@electron/notarize": "2.5.0",
-    "@electron/rebuild": "4.0.1",
-    "@fluffy-spoon/substitute": "1.208.0",
     "@microsoft/microsoft-graph-types": "2.43.1",
-    "@ngtools/webpack": "20.3.3",
+    "@ngtools/webpack": "21.1.2",
     "@types/inquirer": "8.2.10",
-    "@types/jest": "29.5.14",
+    "@types/jest": "30.0.0",
     "@types/lowdb": "1.0.15",
     "@types/node": "22.19.2",
     "@types/node-fetch": "2.6.12",
@@ -91,10 +90,11 @@
     "@types/proper-lockfile": "4.1.4",
     "@types/semver": "7.7.1",
     "@types/tldjs": "2.3.4",
-    "@typescript-eslint/eslint-plugin": "8.50.0",
-    "@typescript-eslint/parser": "8.50.0",
+    "@typescript-eslint/eslint-plugin": "8.54.0",
+    "@typescript-eslint/parser": "8.54.0",
     "@yao-pkg/pkg": "5.16.1",
-    "clean-webpack-plugin": "4.0.0",
+    "babel-loader": "10.0.0",
+    "jest-environment-jsdom": "30.2.0",
     "concurrently": "9.2.0",
     "copy-webpack-plugin": "13.0.0",
     "cross-env": "7.0.3",
@@ -105,28 +105,27 @@
     "electron-log": "5.4.1",
     "electron-reload": "2.0.0-alpha.1",
     "electron-store": "8.2.0",
-    "electron-updater": "6.6.2",
+    "electron-updater": "6.7.3",
     "eslint": "9.39.1",
     "eslint-config-prettier": "10.1.5",
     "eslint-import-resolver-typescript": "4.4.4",
     "eslint-plugin-import": "2.32.0",
     "eslint-plugin-rxjs-angular-x": "0.1.0",
-    "eslint-plugin-rxjs-x": "0.8.3",
+    "eslint-plugin-rxjs-x": "0.9.1",
     "form-data": "4.0.4",
-    "glob": "13.0.0",
+    "glob": "13.0.6",
     "html-loader": "5.1.0",
     "html-webpack-plugin": "5.6.3",
     "husky": "9.1.7",
-    "jest": "29.7.0",
+    "jest": "30.2.0",
     "jest-junit": "16.0.0",
     "jest-mock-extended": "4.0.0",
-    "jest-preset-angular": "14.6.0",
+    "jest-preset-angular": "16.0.0",
     "lint-staged": "16.2.6",
-    "mini-css-extract-plugin": "2.9.2",
-    "minimatch": "5.1.2",
+    "mini-css-extract-plugin": "2.10.0",
     "node-forge": "1.3.2",
     "node-loader": "2.1.0",
-    "prettier": "3.7.4",
+    "prettier": "3.8.1",
     "rimraf": "6.1.0",
     "rxjs": "7.8.2",
     "sass": "1.97.1",
@@ -134,25 +133,25 @@
     "ts-jest": "29.4.1",
     "ts-loader": "9.5.2",
     "tsconfig-paths-webpack-plugin": "4.2.0",
-    "type-fest": "5.3.0",
+    "type-fest": "5.4.2",
     "typescript": "5.9.3",
-    "webpack": "5.104.1",
+    "webpack": "5.105.1",
     "webpack-cli": "6.0.1",
     "webpack-merge": "6.0.1",
     "webpack-node-externals": "3.0.0",
-    "zone.js": "0.15.1"
+    "zone.js": "0.16.0"
   },
   "dependencies": {
-    "@angular/animations": "20.3.15",
-    "@angular/cdk": "20.2.14",
-    "@angular/cli": "20.3.3",
-    "@angular/common": "20.3.15",
-    "@angular/compiler": "20.3.15",
-    "@angular/core": "20.3.15",
-    "@angular/forms": "20.3.15",
-    "@angular/platform-browser": "20.3.15",
-    "@angular/platform-browser-dynamic": "20.3.15",
-    "@angular/router": "20.3.15",
+    "@angular/animations": "21.1.1",
+    "@angular/cdk": "21.1.1",
+    "@angular/cli": "21.1.2",
+    "@angular/common": "21.1.1",
+    "@angular/compiler": "21.1.1",
+    "@angular/core": "21.1.1",
+    "@angular/forms": "21.1.1",
+    "@angular/platform-browser": "21.1.1",
+    "@angular/platform-browser-dynamic": "21.1.1",
+    "@angular/router": "21.1.1",
     "@microsoft/microsoft-graph-client": "3.0.7",
     "big-integer": "1.6.52",
     "bootstrap": "5.3.7",
@@ -163,20 +162,20 @@
     "googleapis": "149.0.0",
     "https-proxy-agent": "7.0.6",
     "inquirer": "8.2.6",
-    "keytar": "7.9.0",
-    "ldapts": "8.0.1",
+    "dc-native": "file:./native",
+    "ldapts": "8.1.3",
     "lowdb": "1.0.0",
-    "ngx-toastr": "19.1.0",
+    "ngx-toastr": "20.0.4",
     "node-fetch": "2.7.0",
     "parse5": "8.0.0",
     "proper-lockfile": "4.1.2",
     "rxjs": "7.8.2",
     "tldjs": "2.3.1",
     "uuid": "11.1.0",
-    "zone.js": "0.15.1"
+    "zone.js": "0.16.0"
   },
   "engines": {
-    "node": "~20",
+    "node": "~22",
     "npm": "~10"
   },
   "lint-staged": {

src/app/main.ts

@@ -1,4 +1,4 @@
-import { enableProdMode } from "@angular/core";
+import { enableProdMode, provideZoneChangeDetection } from "@angular/core";
 import { platformBrowserDynamic } from "@angular/platform-browser-dynamic";
 
 import { isDev } from "@/jslib/electron/src/utils";
@@ -11,4 +11,7 @@ if (!isDev()) {
   enableProdMode();
 }
 
-platformBrowserDynamic().bootstrapModule(AppModule, { preserveWhitespaces: true });
+platformBrowserDynamic().bootstrapModule(AppModule, {
+  applicationProviders: [provideZoneChangeDetection()],
+  preserveWhitespaces: true,
+});

src/app/tabs/dashboard.component.html

@@ -3,17 +3,25 @@
   <div class="card-body">
     <p>
       {{ "lastGroupSync" | i18n }}:
-      <span *ngIf="!lastGroupSync">-</span>
+      @if (!lastGroupSync) {
+        <span>-</span>
+      }
       {{ lastGroupSync | date: "medium" }}
       <br />
       {{ "lastUserSync" | i18n }}:
-      <span *ngIf="!lastUserSync">-</span>
+      @if (!lastUserSync) {
+        <span>-</span>
+      }
       {{ lastUserSync | date: "medium" }}
     </p>
     <p>
       {{ "syncStatus" | i18n }}:
-      <strong *ngIf="syncRunning" class="text-success">{{ "running" | i18n }}</strong>
-      <strong *ngIf="!syncRunning" class="text-danger">{{ "stopped" | i18n }}</strong>
+      @if (syncRunning) {
+        <strong class="text-success">{{ "running" | i18n }}</strong>
+      }
+      @if (!syncRunning) {
+        <strong class="text-danger">{{ "stopped" | i18n }}</strong>
+      }
     </p>
     <form #startForm [appApiAction]="startPromise" class="d-inline">
       <button
@@ -60,57 +68,85 @@
       />
       <label class="form-check-label" for="simSinceLast">{{ "testLastSync" | i18n }}</label>
     </div>
-    <ng-container *ngIf="!simForm.loading && (simUsers || simGroups)">
+    @if (!simForm.loading && (simUsers || simGroups)) {
       <hr />
       <div class="row">
         <div class="col-lg">
           <h4>{{ "users" | i18n }}</h4>
-          <ul class="bwi-ul testing-list" *ngIf="simEnabledUsers && simEnabledUsers.length">
-            <li *ngFor="let u of simEnabledUsers" title="{{ u.referenceId }}">
-              <i class="bwi bwi-li bwi-user"></i>
-              {{ u.displayName }}
-            </li>
-          </ul>
-          <p *ngIf="!simEnabledUsers || !simEnabledUsers.length">
-            {{ "noUsers" | i18n }}
-          </p>
+          @if (simEnabledUsers && simEnabledUsers.length) {
+            <ul class="bwi-ul testing-list">
+              @for (u of simEnabledUsers; track u) {
+                <li title="{{ u.referenceId }}">
+                  <i class="bwi bwi-li bwi-user"></i>
+                  {{ u.displayName }}
+                </li>
+              }
+            </ul>
+          }
+          @if (!simEnabledUsers || !simEnabledUsers.length) {
+            <p>
+              {{ "noUsers" | i18n }}
+            </p>
+          }
           <h4>{{ "disabledUsers" | i18n }}</h4>
-          <ul class="bwi-ul testing-list" *ngIf="simDisabledUsers && simDisabledUsers.length">
-            <li *ngFor="let u of simDisabledUsers" title="{{ u.referenceId }}">
-              <i class="bwi bwi-li bwi-user"></i>
-              {{ u.displayName }}
-            </li>
-          </ul>
-          <p *ngIf="!simDisabledUsers || !simDisabledUsers.length">
-            {{ "noUsers" | i18n }}
-          </p>
+          @if (simDisabledUsers && simDisabledUsers.length) {
+            <ul class="bwi-ul testing-list">
+              @for (u of simDisabledUsers; track u) {
+                <li title="{{ u.referenceId }}">
+                  <i class="bwi bwi-li bwi-user"></i>
+                  {{ u.displayName }}
+                </li>
+              }
+            </ul>
+          }
+          @if (!simDisabledUsers || !simDisabledUsers.length) {
+            <p>
+              {{ "noUsers" | i18n }}
+            </p>
+          }
           <h4>{{ "deletedUsers" | i18n }}</h4>
-          <ul class="bwi-ul testing-list" *ngIf="simDeletedUsers && simDeletedUsers.length">
-            <li *ngFor="let u of simDeletedUsers" title="{{ u.referenceId }}">
-              <i class="bwi bwi-li bwi-user"></i>
-              {{ u.displayName }}
-            </li>
-          </ul>
-          <p *ngIf="!simDeletedUsers || !simDeletedUsers.length">
-            {{ "noUsers" | i18n }}
-          </p>
+          @if (simDeletedUsers && simDeletedUsers.length) {
+            <ul class="bwi-ul testing-list">
+              @for (u of simDeletedUsers; track u) {
+                <li title="{{ u.referenceId }}">
+                  <i class="bwi bwi-li bwi-user"></i>
+                  {{ u.displayName }}
+                </li>
+              }
+            </ul>
+          }
+          @if (!simDeletedUsers || !simDeletedUsers.length) {
+            <p>
+              {{ "noUsers" | i18n }}
+            </p>
+          }
         </div>
         <div class="col-lg">
           <h4>{{ "groups" | i18n }}</h4>
-          <ul class="bwi-ul testing-list" *ngIf="simGroups && simGroups.length">
-            <li *ngFor="let g of simGroups" title="{{ g.referenceId }}">
-              <i class="bwi bwi-li bwi-sitemap"></i>
-              {{ g.displayName }}
-              <ul class="small" *ngIf="g.users && g.users.length">
-                <li *ngFor="let u of g.users" title="{{ u.referenceId }}">
-                  {{ u.displayName }}
+          @if (simGroups && simGroups.length) {
+            <ul class="bwi-ul testing-list">
+              @for (g of simGroups; track g) {
+                <li title="{{ g.referenceId }}">
+                  <i class="bwi bwi-li bwi-sitemap"></i>
+                  {{ g.displayName }}
+                  @if (g.users && g.users.length) {
+                    <ul class="small">
+                      @for (u of g.users; track u) {
+                        <li title="{{ u.referenceId }}">
+                          {{ u.displayName }}
+                        </li>
+                      }
+                    </ul>
+                  }
                 </li>
-              </ul>
-            </li>
-          </ul>
-          <p *ngIf="!simGroups || !simGroups.length">{{ "noGroups" | i18n }}</p>
+              }
+            </ul>
+          }
+          @if (!simGroups || !simGroups.length) {
+            <p>{{ "noGroups" | i18n }}</p>
+          }
         </div>
       </div>
-    </ng-container>
+    }
   </div>
 </div>

src/app/tabs/settings.component.html

@@ -6,9 +6,11 @@
         <div class="mb-3">
           <label for="directory" class="form-label">{{ "type" | i18n }}</label>
           <select class="form-select" id="directory" name="Directory" [(ngModel)]="directory">
-            <option *ngFor="let o of directoryOptions" [ngValue]="o.value">
-              {{ o.name }}
-            </option>
+            @for (o of directoryOptions; track o) {
+              <option [ngValue]="o.value">
+                {{ o.name }}
+              </option>
+            }
           </select>
         </div>
         <div [hidden]="directory != directoryType.Ldap">
@@ -51,20 +53,22 @@
               <label class="form-check-label" for="ad">{{ "ldapAd" | i18n }}</label>
             </div>
           </div>
-          <div class="mb-3" *ngIf="!ldap.ad">
-            <div class="form-check">
-              <input
-                class="form-check-input"
-                type="checkbox"
-                id="pagedSearch"
-                [(ngModel)]="ldap.pagedSearch"
-                name="PagedSearch"
-              />
-              <label class="form-check-label" for="pagedSearch">{{
-                "ldapPagedResults" | i18n
-              }}</label>
+          @if (!ldap.ad) {
+            <div class="mb-3">
+              <div class="form-check">
+                <input
+                  class="form-check-input"
+                  type="checkbox"
+                  id="pagedSearch"
+                  [(ngModel)]="ldap.pagedSearch"
+                  name="PagedSearch"
+                />
+                <label class="form-check-label" for="pagedSearch">{{
+                  "ldapPagedResults" | i18n
+                }}</label>
+              </div>
             </div>
-          </div>
+          }
           <div class="mb-3">
             <div class="form-check">
               <input
@@ -79,116 +83,122 @@
               }}</label>
             </div>
           </div>
-          <div class="ms-4" *ngIf="ldap.ssl">
-            <div class="mb-3">
-              <div class="form-check">
-                <input
-                  class="form-check-input"
-                  type="radio"
-                  [value]="false"
-                  id="ssl"
-                  [(ngModel)]="ldap.startTls"
-                  name="SSL"
-                />
-                <label class="form-check-label" for="ssl">{{ "ldapSsl" | i18n }}</label>
+          @if (ldap.ssl) {
+            <div class="ms-4">
+              <div class="mb-3">
+                <div class="form-check">
+                  <input
+                    class="form-check-input"
+                    type="radio"
+                    [value]="false"
+                    id="ssl"
+                    [(ngModel)]="ldap.startTls"
+                    name="SSL"
+                  />
+                  <label class="form-check-label" for="ssl">{{ "ldapSsl" | i18n }}</label>
+                </div>
+                <div class="form-check">
+                  <input
+                    class="form-check-input"
+                    type="radio"
+                    [value]="true"
+                    id="startTls"
+                    [(ngModel)]="ldap.startTls"
+                    name="StartTLS"
+                  />
+                  <label class="form-check-label" for="startTls">{{ "ldapTls" | i18n }}</label>
+                </div>
               </div>
-              <div class="form-check">
-                <input
-                  class="form-check-input"
-                  type="radio"
-                  [value]="true"
-                  id="startTls"
-                  [(ngModel)]="ldap.startTls"
-                  name="StartTLS"
-                />
-                <label class="form-check-label" for="startTls">{{ "ldapTls" | i18n }}</label>
+              @if (ldap.startTls) {
+                <div class="ms-4">
+                  <p>{{ "ldapTlsUntrustedDesc" | i18n }}</p>
+                  <div class="mb-3">
+                    <label for="tlsCaPath" class="form-label">{{ "ldapTlsCa" | i18n }}</label>
+                    <input
+                      type="file"
+                      class="form-control mb-2"
+                      id="tlsCaPath_file"
+                      (change)="setSslPath('tlsCaPath')"
+                    />
+                    <input
+                      type="text"
+                      class="form-control"
+                      id="tlsCaPath"
+                      name="TLSCaPath"
+                      [(ngModel)]="ldap.tlsCaPath"
+                    />
+                  </div>
+                </div>
+              }
+              @if (!ldap.startTls) {
+                <div class="ms-4">
+                  <p>{{ "ldapSslUntrustedDesc" | i18n }}</p>
+                  <div class="mb-3">
+                    <label for="sslCertPath" class="form-label">{{ "ldapSslCert" | i18n }}</label>
+                    <input
+                      type="file"
+                      class="form-control mb-2"
+                      id="sslCertPath_file"
+                      (change)="setSslPath('sslCertPath')"
+                    />
+                    <input
+                      type="text"
+                      class="form-control"
+                      id="sslCertPath"
+                      name="SSLCertPath"
+                      [(ngModel)]="ldap.sslCertPath"
+                    />
+                  </div>
+                  <div class="mb-3">
+                    <label for="sslKeyPath" class="form-label">{{ "ldapSslKey" | i18n }}</label>
+                    <input
+                      type="file"
+                      class="form-control mb-2"
+                      id="sslKeyPath_file"
+                      (change)="setSslPath('sslKeyPath')"
+                    />
+                    <input
+                      type="text"
+                      class="form-control"
+                      id="sslKeyPath"
+                      name="SSLKeyPath"
+                      [(ngModel)]="ldap.sslKeyPath"
+                    />
+                  </div>
+                  <div class="mb-3">
+                    <label for="sslCaPath" class="form-label">{{ "ldapSslCa" | i18n }}</label>
+                    <input
+                      type="file"
+                      class="form-control mb-2"
+                      id="sslCaPath_file"
+                      (change)="setSslPath('sslCaPath')"
+                    />
+                    <input
+                      type="text"
+                      class="form-control"
+                      id="sslCaPath"
+                      name="SSLCaPath"
+                      [(ngModel)]="ldap.sslCaPath"
+                    />
+                  </div>
+                </div>
+              }
+              <div class="mb-3">
+                <div class="form-check">
+                  <input
+                    class="form-check-input"
+                    type="checkbox"
+                    id="certDoNotVerify"
+                    [(ngModel)]="ldap.sslAllowUnauthorized"
+                    name="CertDoNoVerify"
+                  />
+                  <label class="form-check-label" for="certDoNotVerify">{{
+                    "ldapCertDoNotVerify" | i18n
+                  }}</label>
+                </div>
               </div>
             </div>
-            <div class="ms-4" *ngIf="ldap.startTls">
-              <p>{{ "ldapTlsUntrustedDesc" | i18n }}</p>
-              <div class="mb-3">
-                <label for="tlsCaPath" class="form-label">{{ "ldapTlsCa" | i18n }}</label>
-                <input
-                  type="file"
-                  class="form-control mb-2"
-                  id="tlsCaPath_file"
-                  (change)="setSslPath('tlsCaPath')"
-                />
-                <input
-                  type="text"
-                  class="form-control"
-                  id="tlsCaPath"
-                  name="TLSCaPath"
-                  [(ngModel)]="ldap.tlsCaPath"
-                />
-              </div>
-            </div>
-            <div class="ms-4" *ngIf="!ldap.startTls">
-              <p>{{ "ldapSslUntrustedDesc" | i18n }}</p>
-              <div class="mb-3">
-                <label for="sslCertPath" class="form-label">{{ "ldapSslCert" | i18n }}</label>
-                <input
-                  type="file"
-                  class="form-control mb-2"
-                  id="sslCertPath_file"
-                  (change)="setSslPath('sslCertPath')"
-                />
-                <input
-                  type="text"
-                  class="form-control"
-                  id="sslCertPath"
-                  name="SSLCertPath"
-                  [(ngModel)]="ldap.sslCertPath"
-                />
-              </div>
-              <div class="mb-3">
-                <label for="sslKeyPath" class="form-label">{{ "ldapSslKey" | i18n }}</label>
-                <input
-                  type="file"
-                  class="form-control mb-2"
-                  id="sslKeyPath_file"
-                  (change)="setSslPath('sslKeyPath')"
-                />
-                <input
-                  type="text"
-                  class="form-control"
-                  id="sslKeyPath"
-                  name="SSLKeyPath"
-                  [(ngModel)]="ldap.sslKeyPath"
-                />
-              </div>
-              <div class="mb-3">
-                <label for="sslCaPath" class="form-label">{{ "ldapSslCa" | i18n }}</label>
-                <input
-                  type="file"
-                  class="form-control mb-2"
-                  id="sslCaPath_file"
-                  (change)="setSslPath('sslCaPath')"
-                />
-                <input
-                  type="text"
-                  class="form-control"
-                  id="sslCaPath"
-                  name="SSLCaPath"
-                  [(ngModel)]="ldap.sslCaPath"
-                />
-              </div>
-            </div>
-            <div class="mb-3">
-              <div class="form-check">
-                <input
-                  class="form-check-input"
-                  type="checkbox"
-                  id="certDoNotVerify"
-                  [(ngModel)]="ldap.sslAllowUnauthorized"
-                  name="CertDoNoVerify"
-                />
-                <label class="form-check-label" for="certDoNotVerify">{{
-                  "ldapCertDoNotVerify" | i18n
-                }}</label>
-              </div>
-            </div>
-          </div>
+          }
           <div class="mb-3" [hidden]="true">
             <div class="form-check">
               <input
@@ -211,10 +221,12 @@
                 name="Username"
                 [(ngModel)]="ldap.username"
               />
-              <div class="form-text" *ngIf="ldap.ad">{{ "ex" | i18n }} company\admin</div>
-              <div class="form-text" *ngIf="!ldap.ad">
-                {{ "ex" | i18n }} cn=admin,dc=company,dc=com
-              </div>
+              @if (ldap.ad) {
+                <div class="form-text">{{ "ex" | i18n }} company\admin</div>
+              }
+              @if (!ldap.ad) {
+                <div class="form-text">{{ "ex" | i18n }} cn=admin,dc=company,dc=com</div>
+              }
             </div>
             <div class="mb-3">
               <label for="password" class="form-label">{{ "password" | i18n }}</label>
@@ -604,18 +616,24 @@
               name="UserFilter"
               [(ngModel)]="sync.userFilter"
             ></textarea>
-            <div class="form-text" *ngIf="directory === directoryType.Ldap">
-              {{ "ex" | i18n }} (&amp;(givenName=John)(|(l=Dallas)(l=Austin)))
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.EntraID">
-              {{ "ex" | i18n }} exclude:joe&#64;company.com
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.Okta">
-              {{ "ex" | i18n }} exclude:joe&#64;company.com | profile.firstName eq "John"
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.GSuite">
-              {{ "ex" | i18n }} exclude:joe&#64;company.com | orgUnitPath=/Engineering
-            </div>
+            @if (directory === directoryType.Ldap) {
+              <div class="form-text">
+                {{ "ex" | i18n }} (&amp;(givenName=John)(|(l=Dallas)(l=Austin)))
+              </div>
+            }
+            @if (directory === directoryType.EntraID) {
+              <div class="form-text">{{ "ex" | i18n }} exclude:joe&#64;company.com</div>
+            }
+            @if (directory === directoryType.Okta) {
+              <div class="form-text">
+                {{ "ex" | i18n }} exclude:joe&#64;company.com | profile.firstName eq "John"
+              </div>
+            }
+            @if (directory === directoryType.GSuite) {
+              <div class="form-text">
+                {{ "ex" | i18n }} exclude:joe&#64;company.com | orgUnitPath=/Engineering
+              </div>
+            }
           </div>
           <div class="mb-3" [hidden]="directory != directoryType.Ldap">
             <label for="userPath" class="form-label">{{ "userPath" | i18n }}</label>
@@ -681,18 +699,20 @@
               name="GroupFilter"
               [(ngModel)]="sync.groupFilter"
             ></textarea>
-            <div class="form-text" *ngIf="directory === directoryType.Ldap">
-              {{ "ex" | i18n }} (&amp;(objectClass=group)(!(cn=Sales*))(!(cn=IT*)))
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.EntraID">
-              {{ "ex" | i18n }} include:Sales,IT
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.Okta">
-              {{ "ex" | i18n }} include:Sales,IT | type eq "APP_GROUP"
-            </div>
-            <div class="form-text" *ngIf="directory === directoryType.GSuite">
-              {{ "ex" | i18n }} include:Sales,IT
-            </div>
+            @if (directory === directoryType.Ldap) {
+              <div class="form-text">
+                {{ "ex" | i18n }} (&amp;(objectClass=group)(!(cn=Sales*))(!(cn=IT*)))
+              </div>
+            }
+            @if (directory === directoryType.EntraID) {
+              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT</div>
+            }
+            @if (directory === directoryType.Okta) {
+              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT | type eq "APP_GROUP"</div>
+            }
+            @if (directory === directoryType.GSuite) {
+              <div class="form-text">{{ "ex" | i18n }} include:Sales,IT</div>
+            }
           </div>
           <div class="mb-3" [hidden]="directory != directoryType.Ldap">
             <label for="groupPath" class="form-label">{{ "groupPath" | i18n }}</label>
@@ -703,8 +723,12 @@
               name="GroupPath"
               [(ngModel)]="sync.groupPath"
             />
-            <div class="form-text" *ngIf="!ldap.ad">{{ "ex" | i18n }} CN=Groups</div>
-            <div class="form-text" *ngIf="ldap.ad">{{ "ex" | i18n }} CN=Users</div>
+            @if (!ldap.ad) {
+              <div class="form-text">{{ "ex" | i18n }} CN=Groups</div>
+            }
+            @if (ldap.ad) {
+              <div class="form-text">{{ "ex" | i18n }} CN=Users</div>
+            }
           </div>
           <div [hidden]="directory != directoryType.Ldap || ldap.ad">
             <div class="mb-3">

src/bwdc.ts

@@ -24,8 +24,8 @@ import { AuthService } from "./services/auth.service";
 import { BatchRequestBuilder } from "./services/batch-request-builder";
 import { DefaultDirectoryFactoryService } from "./services/directory-factory.service";
 import { I18nService } from "./services/i18n.service";
-import { KeytarSecureStorageService } from "./services/keytarSecureStorage.service";
 import { LowdbStorageService } from "./services/lowdbStorage.service";
+import { NativeSecureStorageService } from "./services/nativeSecureStorage.service";
 import { SingleRequestBuilder } from "./services/single-request-builder";
 import { StateService } from "./services/state.service";
 import { StateMigrationService } from "./services/stateMigration.service";
@@ -100,7 +100,7 @@ export class Main {
     );
     this.secureStorageService = plaintextSecrets
       ? this.storageService
-      : new KeytarSecureStorageService(applicationName);
+      : new NativeSecureStorageService(applicationName);
 
     this.stateMigrationService = new StateMigrationService(
       this.storageService,

src/main/credential-storage-listener.ts

@@ -1,11 +1,11 @@
+import { passwords } from "dc-native";
 import { ipcMain } from "electron";
-import { deletePassword, getPassword, setPassword } from "keytar";
 
 export class DCCredentialStorageListener {
   constructor(private serviceName: string) {}
 
   init() {
-    ipcMain.on("keytar", async (event: any, message: any) => {
+    ipcMain.on("nativeSecureStorage", async (event: any, message: any) => {
       try {
         let serviceName = this.serviceName;
         message.keySuffix = "_" + (message.keySuffix ?? "");
@@ -16,14 +16,14 @@ export class DCCredentialStorageListener {
         let val: string | boolean = null;
         if (message.action && message.key) {
           if (message.action === "getPassword") {
-            val = await getPassword(serviceName, message.key);
+            val = await passwords.getPassword(serviceName, message.key);
           } else if (message.action === "hasPassword") {
-            const result = await getPassword(serviceName, message.key);
+            const result = await passwords.getPassword(serviceName, message.key);
             val = result != null;
           } else if (message.action === "setPassword" && message.value) {
-            await setPassword(serviceName, message.key, message.value);
+            await passwords.setPassword(serviceName, message.key, message.value);
           } else if (message.action === "deletePassword") {
-            await deletePassword(serviceName, message.key);
+            await passwords.deletePassword(serviceName, message.key);
           }
         }
         event.returnValue = val;

src/scss/bootstrap.scss

@@ -28,4 +28,4 @@ $danger: map_get($theme-colors, "danger");
 $secondary: map_get($theme-colors, "secondary");
 $secondary-alt: map_get($theme-colors, "secondary-alt");
 
-@import "~bootstrap/scss/bootstrap.scss";
+@import "bootstrap/scss/bootstrap.scss";

src/scss/environment.scss

@@ -1,4 +1,4 @@
-@import "~bootstrap/scss/_variables.scss";
+@import "bootstrap/scss/_variables.scss";
 
 html.os_windows {
   body {

src/scss/misc.scss

@@ -1,4 +1,4 @@
-@import "~bootstrap/scss/_variables.scss";
+@import "bootstrap/scss/_variables.scss";
 
 body {
   padding: 10px 0 20px 0;

src/scss/plugins.scss

@@ -1,6 +1,6 @@
-@import "~ngx-toastr/toastr";
+@import "ngx-toastr/toastr";
 
-@import "~bootstrap/scss/_variables.scss";
+@import "bootstrap/scss/_variables.scss";
 
 .toast-container {
   .toast-close-button {

src/services/authService.spec.ts

@@ -1,7 +1,8 @@
-import { Arg, Substitute, SubstituteOf } from "@fluffy-spoon/substitute";
+import { mock } from "jest-mock-extended";
 
 import { ApiService } from "@/jslib/common/src/abstractions/api.service";
 import { AppIdService } from "@/jslib/common/src/abstractions/appId.service";
+import { MessagingService } from "@/jslib/common/src/abstractions/messaging.service";
 import { PlatformUtilsService } from "@/jslib/common/src/abstractions/platformUtils.service";
 import { Utils } from "@/jslib/common/src/misc/utils";
 import {
@@ -11,7 +12,6 @@ import {
 } from "@/jslib/common/src/models/domain/account";
 import { IdentityTokenResponse } from "@/jslib/common/src/models/response/identityTokenResponse";
 
-import { MessagingService } from "../../jslib/common/src/abstractions/messaging.service";
 import { Account, DirectoryConfigurations, DirectorySettings } from "../models/account";
 
 import { AuthService } from "./auth.service";
@@ -35,22 +35,22 @@ export function identityTokenResponseFactory() {
 }
 
 describe("AuthService", () => {
-  let apiService: SubstituteOf<ApiService>;
-  let appIdService: SubstituteOf<AppIdService>;
-  let platformUtilsService: SubstituteOf<PlatformUtilsService>;
-  let messagingService: SubstituteOf<MessagingService>;
-  let stateService: SubstituteOf<StateService>;
+  let apiService: jest.Mocked<ApiService>;
+  let appIdService: jest.Mocked<AppIdService>;
+  let platformUtilsService: jest.Mocked<PlatformUtilsService>;
+  let messagingService: jest.Mocked<MessagingService>;
+  let stateService: jest.Mocked<StateService>;
 
   let authService: AuthService;
 
   beforeEach(async () => {
-    apiService = Substitute.for();
-    appIdService = Substitute.for();
-    platformUtilsService = Substitute.for();
-    stateService = Substitute.for();
-    messagingService = Substitute.for();
+    apiService = mock<ApiService>();
+    appIdService = mock<AppIdService>();
+    platformUtilsService = mock<PlatformUtilsService>();
+    stateService = mock<StateService>();
+    messagingService = mock<MessagingService>();
 
-    appIdService.getAppId().resolves(deviceId);
+    appIdService.getAppId.mockResolvedValue(deviceId);
 
     authService = new AuthService(
       apiService,
@@ -62,11 +62,12 @@ describe("AuthService", () => {
   });
 
   it("sets the local environment after a successful login", async () => {
-    apiService.postIdentityToken(Arg.any()).resolves(identityTokenResponseFactory());
+    apiService.postIdentityToken.mockResolvedValue(identityTokenResponseFactory());
 
     await authService.logIn({ clientId, clientSecret });
 
-    stateService.received(1).addAccount(
+    expect(stateService.addAccount).toHaveBeenCalledTimes(1);
+    expect(stateService.addAccount).toHaveBeenCalledWith(
       new Account({
         profile: {
           ...new AccountProfile(),

src/services/directory-services/gsuite-directory.service.integration.spec.ts

@@ -50,221 +50,36 @@ describe("gsuiteDirectoryService", () => {
     directoryService = new GSuiteDirectoryService(logService, i18nService, stateService);
   });
 
-  describe("basic sync fetching users and groups", () => {
-    it("syncs without using filters (includes test data)", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+  it("syncs without using filters (includes test data)", async () => {
+    const directoryConfig = getGSuiteConfiguration();
+    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: true,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
-      expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
+    const syncConfig = getSyncConfiguration({
+      groups: true,
+      users: true,
     });
+    stateService.getSync.mockResolvedValue(syncConfig);
 
-    it("syncs using user and group filters (exact match for test data)", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+    const result = await directoryService.getEntries(true, true);
 
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-        groupFilter: INTEGRATION_GROUP_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result).toEqual([groupFixtures, userFixtures]);
-    });
-
-    it("syncs only users when groups sync is disabled", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        groups: false,
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result[0]).toBeUndefined();
-      expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
-    });
-
-    it("syncs only groups when users sync is disabled", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: false,
-        groupFilter: INTEGRATION_GROUP_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
-      expect(result[1]).toEqual([]);
-    });
+    expect(result[0]).toEqual(expect.arrayContaining(groupFixtures));
+    expect(result[1]).toEqual(expect.arrayContaining(userFixtures));
   });
 
-  describe("users", () => {
-    it("includes disabled users in sync results", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+  it("syncs using user and group filters (exact match for test data)", async () => {
+    const directoryConfig = getGSuiteConfiguration();
+    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
-      const syncConfig = getSyncConfiguration({
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      const disabledUser = userFixtures.find((u) => u.email === "testuser5@bwrox.dev");
-      expect(result[1]).toContainEqual(disabledUser);
-      expect(disabledUser.disabled).toBe(true);
+    const syncConfig = getSyncConfiguration({
+      groups: true,
+      users: true,
+      userFilter: INTEGRATION_USER_FILTER,
+      groupFilter: INTEGRATION_GROUP_FILTER,
     });
+    stateService.getSync.mockResolvedValue(syncConfig);
 
-    it("filters users by org unit path", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
+    const result = await directoryService.getEntries(true, true);
 
-      const syncConfig = getSyncConfiguration({
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result[1]).toEqual(userFixtures);
-      expect(result[1].length).toBe(5);
-    });
-
-    it("filters users by email pattern", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        users: true,
-        userFilter: "|email:testuser1*",
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      const testuser1 = userFixtures.find((u) => u.email === "testuser1@bwrox.dev");
-      expect(result[1]).toContainEqual(testuser1);
-      expect(result[1].length).toBeGreaterThanOrEqual(1);
-    });
-  });
-
-  describe("groups", () => {
-    it("filters groups by name pattern", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-        groupFilter: INTEGRATION_GROUP_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      expect(result[0]).toEqual(groupFixtures);
-      expect(result[0].length).toBe(2);
-    });
-
-    it("includes group members correctly", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-        groupFilter: INTEGRATION_GROUP_FILTER,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      const groupA = result[0].find((g) => g.name === "Integration Test Group A");
-      expect(groupA).toBeDefined();
-      expect(groupA.userMemberExternalIds.size).toBe(2);
-      expect(groupA.userMemberExternalIds.has("111605910541641314041")).toBe(true);
-      expect(groupA.userMemberExternalIds.has("111147009830456099026")).toBe(true);
-
-      const groupB = result[0].find((g) => g.name === "Integration Test Group B");
-      expect(groupB).toBeDefined();
-      expect(groupB.userMemberExternalIds.size).toBe(2);
-      expect(groupB.userMemberExternalIds.has("111147009830456099026")).toBe(true);
-      expect(groupB.userMemberExternalIds.has("100150970267699397306")).toBe(true);
-    });
-
-    it("handles groups with no members", async () => {
-      const directoryConfig = getGSuiteConfiguration();
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        groups: true,
-        users: true,
-        userFilter: INTEGRATION_USER_FILTER,
-        groupFilter: "|name:Integration*",
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      const result = await directoryService.getEntries(true, true);
-
-      // All test groups should have members, but ensure the code handles empty groups
-      expect(result[0]).toBeDefined();
-      expect(Array.isArray(result[0])).toBe(true);
-    });
-  });
-
-  describe("error handling", () => {
-    it("throws error when directory configuration is incomplete", async () => {
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(
-        getGSuiteConfiguration({
-          clientEmail: "",
-        }),
-      );
-
-      const syncConfig = getSyncConfiguration({
-        users: true,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      await expect(directoryService.getEntries(true, true)).rejects.toThrow();
-    });
-
-    it("throws error when authentication fails with invalid credentials", async () => {
-      const directoryConfig = getGSuiteConfiguration({
-        privateKey: "-----BEGIN PRIVATE KEY-----\nINVALID_KEY\n-----END PRIVATE KEY-----\n",
-      });
-      stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
-
-      const syncConfig = getSyncConfiguration({
-        users: true,
-      });
-      stateService.getSync.mockResolvedValue(syncConfig);
-
-      await expect(directoryService.getEntries(true, true)).rejects.toThrow();
-    });
+    expect(result).toEqual([groupFixtures, userFixtures]);
   });
 });

src/services/directory-services/gsuite-directory.service.ts

@@ -14,22 +14,6 @@ import { BaseDirectoryService } from "../baseDirectory.service";
 
 import { IDirectoryService } from "./directory.service";
 
-/**
- * Google Workspace (formerly G Suite) Directory Service
- *
- * This service integrates with Google Workspace to synchronize users and groups
- * to Bitwarden organizations using the Google Admin SDK Directory API.
- *
- * @remarks
- * Authentication is performed using a service account with domain-wide delegation.
- * The service account must be granted the following OAuth 2.0 scopes:
- * - https://www.googleapis.com/auth/admin.directory.user.readonly
- * - https://www.googleapis.com/auth/admin.directory.group.readonly
- * - https://www.googleapis.com/auth/admin.directory.group.member.readonly
- *
- * @see {@link https://developers.google.com/admin-sdk/directory/v1/guides | Google Admin SDK Directory API}
- * @see {@link https://support.google.com/a/answer/162106 | Domain-wide delegation of authority}
- */
 export class GSuiteDirectoryService extends BaseDirectoryService implements IDirectoryService {
   private client: JWT;
   private service: admin_directory_v1.Admin;
@@ -46,29 +30,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     this.service = google.admin("directory_v1");
   }
 
-  /**
-   * Retrieves users and groups from Google Workspace directory
-   * @returns A tuple containing [groups, users] arrays
-   *
-   * @remarks
-   * This function:
-   * 1. Validates the directory type matches GSuite
-   * 2. Loads directory and sync configuration
-   * 3. Authenticates with Google Workspace using service account credentials
-   * 4. Retrieves users (if enabled in sync config)
-   * 5. Retrieves groups and their members (if enabled in sync config)
-   * 6. Applies any user/group filters specified in sync configuration
-   *
-   * User and group filters follow Google Workspace Directory API query syntax:
-   * - Use `|` prefix for custom filters (e.g., "|orgUnitPath='/Engineering'")
-   * - Multiple conditions can be combined with AND/OR operators
-   *
-   * @example
-   * ```typescript
-   * const [groups, users] = await service.getEntries(true, false);
-   * console.log(`Synced ${users.length} users and ${groups.length} groups`);
-   * ```
-   */
   async getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
     const type = await this.stateService.getDirectoryType();
     if (type !== DirectoryType.GSuite) {
@@ -104,26 +65,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return [groups, users];
   }
 
-  /**
-   * Retrieves all users from Google Workspace directory
-   *
-   * @returns Array of UserEntry objects representing users in the directory
-   *
-   * @remarks
-   * This method performs two separate queries:
-   * 1. Active users (including suspended and archived)
-   * 2. Deleted users (marked with deleted flag)
-   *
-   * The method handles pagination automatically, fetching all pages of results.
-   * Users are filtered based on the userFilter specified in sync configuration.
-   *
-   * User properties mapped:
-   * - referenceId: User's unique Google ID
-   * - externalId: User's unique Google ID (same as referenceId)
-   * - email: User's primary email address (lowercase)
-   * - disabled: True if user is suspended or archived
-   * - deleted: True if user is deleted from the directory
-   */
   private async getUsers(): Promise<UserEntry[]> {
     const entries: UserEntry[] = [];
     const query = this.createDirectoryQuery(this.syncConfig.userFilter);
@@ -191,13 +132,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entries;
   }
 
-  /**
-   * Transforms a Google Workspace user object into a UserEntry
-   *
-   * @param user - Google Workspace user object from the API
-   * @param deleted - Whether this user is from the deleted users list
-   * @returns UserEntry object or null if user data is invalid
-   */
   private buildUser(user: admin_directory_v1.Schema$User, deleted: boolean) {
     if ((user.emails == null || user.emails === "") && !deleted) {
       return null;
@@ -212,17 +146,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entry;
   }
 
-  /**
-   * Retrieves all groups from Google Workspace directory
-   *
-   * @param setFilter - Tuple of [isWhitelist, Set<string>] for filtering groups
-   * @param users - Array of UserEntry objects to reference when processing members
-   * @returns Array of GroupEntry objects representing groups in the directory
-   *
-   * @remarks
-   * For each group, the method also retrieves all group members by calling the
-   * members API. Groups are filtered based on the groupFilter in sync configuration.
-   */
   private async getGroups(
     setFilter: [boolean, Set<string>],
     users: UserEntry[],
@@ -262,19 +185,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entries;
   }
 
-  /**
-   * Transforms a Google Workspace group object into a GroupEntry with members
-   *
-   * @param group - Google Workspace group object from the API
-   * @param users - Array of UserEntry objects for reference
-   * @returns GroupEntry object with all members populated
-   *
-   * @remarks
-   * This method retrieves all members of the group, handling three member types:
-   * - USER: Individual user members (only active status users are included)
-   * - GROUP: Nested group members
-   * - CUSTOMER: Special type that includes all users in the domain
-   */
   private async buildGroup(group: admin_directory_v1.Schema$Group, users: UserEntry[]) {
     let nextPageToken: string = null;
 
@@ -320,26 +230,6 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     return entry;
   }
 
-  /**
-   * Authenticates with Google Workspace using service account credentials
-   *
-   * @throws Error if required configuration fields are missing or authentication fails
-   *
-   * @remarks
-   * Authentication uses a JWT with the following required fields:
-   * - clientEmail: Service account email address
-   * - privateKey: Service account private key (PEM format)
-   * - subject: Admin user email to impersonate (for domain-wide delegation)
-   *
-   * The service account must be configured with domain-wide delegation and granted
-   * the required OAuth scopes in the Google Workspace Admin Console.
-   *
-   * Optional configuration:
-   * - domain: Filters results to a specific domain
-   * - customer: Customer ID for multi-domain organizations
-   *
-   * @see {@link https://developers.google.com/identity/protocols/oauth2/service-account | Service account authentication}
-   */
   private async auth() {
     if (
       this.dirConfig.clientEmail == null ||

src/services/directory-services/ldap-directory.service.ts

@@ -68,10 +68,12 @@ export class LdapDirectoryService implements IDirectoryService {
         }
         groups = await this.getGroups(groupForce);
       }
-    } finally {
+    } catch (e) {
       await this.client.unbind();
+      throw e;
     }
 
+    await this.client.unbind();
     return [groups, users];
   }
 
@@ -453,8 +455,9 @@ export class LdapDirectoryService implements IDirectoryService {
 
     try {
       await this.client.bind(user, pass);
-    } catch {
+    } catch (error) {
       await this.client.unbind();
+      throw error;
     }
   }
 

src/services/keytarSecureStorage.service.ts

@@ -1,31 +0,0 @@
-import { deletePassword, getPassword, setPassword } from "keytar";
-
-import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
-
-export class KeytarSecureStorageService implements StorageService {
-  constructor(private serviceName: string) {}
-
-  get<T>(key: string): Promise<T> {
-    return getPassword(this.serviceName, key).then((val) => {
-      return JSON.parse(val) as T;
-    });
-  }
-
-  async has(key: string): Promise<boolean> {
-    return (await this.get(key)) != null;
-  }
-
-  save(key: string, obj: any): Promise<any> {
-    // keytar throws if you try to save a falsy value: https://github.com/atom/node-keytar/issues/86
-    // handle this by removing the key instead
-    if (!obj) {
-      return this.remove(key);
-    }
-
-    return setPassword(this.serviceName, key, JSON.stringify(obj));
-  }
-
-  remove(key: string): Promise<any> {
-    return deletePassword(this.serviceName, key);
-  }
-}

src/services/nativeSecureStorage.service.ts

@@ -0,0 +1,28 @@
+import { passwords } from "dc-native";
+
+import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
+
+export class NativeSecureStorageService implements StorageService {
+  constructor(private serviceName: string) {}
+
+  get<T>(key: string): Promise<T> {
+    return passwords.getPassword(this.serviceName, key).then((val) => {
+      return JSON.parse(val) as T;
+    });
+  }
+
+  async has(key: string): Promise<boolean> {
+    return (await this.get(key)) != null;
+  }
+
+  save(key: string, obj: any): Promise<any> {
+    if (!obj) {
+      return this.remove(key);
+    }
+    return passwords.setPassword(this.serviceName, key, JSON.stringify(obj));
+  }
+
+  remove(key: string): Promise<any> {
+    return passwords.deletePassword(this.serviceName, key);
+  }
+}

src/services/stateMigration.service.ts

@@ -1,3 +1,5 @@
+import { passwords } from "dc-native";
+
 import { StateVersion } from "@/jslib/common/src/enums/stateVersion";
 import { StateMigrationService as BaseStateMigrationService } from "@/jslib/common/src/services/stateMigration.service";
 
@@ -61,6 +63,13 @@ export class StateMigrationService extends BaseStateMigrationService {
           break;
         case StateVersion.Two:
           await this.migrateStateFrom2To3();
+          break;
+        case StateVersion.Three:
+          await this.migrateStateFrom3To4();
+          break;
+        case StateVersion.Four:
+          await this.migrateStateFrom4To5();
+          break;
       }
       currentStateVersion += 1;
     }
@@ -168,6 +177,50 @@ export class StateMigrationService extends BaseStateMigrationService {
       }
     }
   }
+  /**
+   * Migrates Windows credential store entries previously written by keytar (UTF-8 blob) to
+   * the UTF-16 format expected by desktop_core. No-ops on non-Windows platforms.
+   *
+   * This migration is needed because keytar used CredWriteA (storing blobs as raw UTF-8 bytes)
+   * while desktop_core uses CredWriteW (storing blobs as UTF-16). Reading old keytar credentials
+   * through desktop_core produces garbled output without this migration.
+   */
+  protected async migrateStateFrom3To4(useSecureStorageForSecrets = true): Promise<void> {
+    if (useSecureStorageForSecrets && process.platform === "win32") {
+      const serviceName = "Bitwarden Directory Connector";
+      const authenticatedUserIds = await this.get<string[]>(StateKeys.authenticatedAccounts);
+
+      if (authenticatedUserIds?.length) {
+        const credentialKeys = [
+          SecureStorageKeys.ldap,
+          SecureStorageKeys.gsuite,
+          SecureStorageKeys.azure,
+          SecureStorageKeys.entra,
+          SecureStorageKeys.okta,
+          SecureStorageKeys.oneLogin,
+        ];
+
+        await Promise.all(
+          authenticatedUserIds.flatMap((userId) =>
+            credentialKeys.map((key) =>
+              passwords.migrateKeytarPassword(serviceName, `${userId}_${key}`),
+            ),
+          ),
+        );
+      }
+    }
+
+    const globals = await this.getGlobals();
+    globals.stateVersion = StateVersion.Four;
+    await this.set(StateKeys.global, globals);
+  }
+
+  protected async migrateStateFrom4To5(): Promise<void> {
+    const globals = await this.getGlobals();
+    globals.stateVersion = StateVersion.Five;
+    await this.set(StateKeys.global, globals);
+  }
+
   protected async migrateStateFrom2To3(useSecureStorageForSecrets = true): Promise<void> {
     if (useSecureStorageForSecrets) {
       const authenticatedUserIds = await this.get<string[]>(StateKeys.authenticatedAccounts);

test.setup.ts

@@ -1,7 +1,7 @@
 import { webcrypto } from "crypto";
+import { TextEncoder, TextDecoder } from "util";
 
-import "jest-preset-angular/setup-jest";
-
+Object.assign(globalThis, { TextEncoder, TextDecoder });
 Object.defineProperty(window, "CSS", { value: null });
 Object.defineProperty(window, "getComputedStyle", {
   value: () => {

tsconfig.json

@@ -5,7 +5,7 @@
   },
   "compilerOptions": {
     "pretty": true,
-    "moduleResolution": "node",
+    "moduleResolution": "bundler",
     "noImplicitAny": true,
     "target": "ES2016",
     "module": "ES2020",

webpack.cli.cjs

@@ -1,6 +1,5 @@
 const path = require("path");
 
-const { CleanWebpackPlugin } = require("clean-webpack-plugin");
 const CopyWebpackPlugin = require("copy-webpack-plugin");
 const TsconfigPathsPlugin = require("tsconfig-paths-webpack-plugin");
 const webpack = require("webpack");
@@ -24,7 +23,6 @@ const moduleRules = [
 ];
 
 const plugins = [
-  new CleanWebpackPlugin(),
   new CopyWebpackPlugin({
     patterns: [{ from: "./src/locales", to: "locales" }],
   }),
@@ -64,6 +62,7 @@ const config = {
   output: {
     filename: "[name].js",
     path: path.resolve(__dirname, "build-cli"),
+    clean: true,
   },
   module: { rules: moduleRules },
   plugins: plugins,

webpack.main.cjs

@@ -1,7 +1,6 @@
 const path = require("path");
 const { merge } = require("webpack-merge");
 const CopyWebpackPlugin = require("copy-webpack-plugin");
-const { CleanWebpackPlugin } = require("clean-webpack-plugin");
 const nodeExternals = require("webpack-node-externals");
 const TsconfigPathsPlugin = require("tsconfig-paths-webpack-plugin");
 
@@ -23,6 +22,7 @@ const common = {
   output: {
     filename: "[name].js",
     path: path.resolve(__dirname, "build"),
+    clean: true,
   },
 };
 
@@ -48,7 +48,6 @@ const main = {
     ],
   },
   plugins: [
-    new CleanWebpackPlugin(),
     new CopyWebpackPlugin({
       patterns: [
         "./package.json",
@@ -59,7 +58,7 @@ const main = {
   ],
   externals: {
     "electron-reload": "commonjs2 electron-reload",
-    keytar: "commonjs2 keytar",
+    "dc-native": "commonjs2 dc-native",
   },
 };
 

webpack.renderer.cjs

@@ -55,6 +55,9 @@ const renderer = {
   node: {
     __dirname: false,
   },
+  externals: {
+    "dc-native": "commonjs2 dc-native",
+  },
   entry: {
     "app/main": "./src/app/main.ts",
   },