Fix circular groups

* [deps]: Update ngx-toastr to v20

* Adjust to toastr v20

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sven <svernyi@bitwarden.com>

jslib/angular/src/components/toastr.component.ts

@@ -1,19 +1,11 @@
-import { animate, state, style, transition, trigger } from "@angular/animations";
 import { CommonModule } from "@angular/common";
 import { Component, ModuleWithProviders, NgModule } from "@angular/core";
-import {
-  DefaultNoComponentGlobalConfig,
-  GlobalConfig,
-  Toast as BaseToast,
-  ToastPackage,
-  ToastrService,
-  TOAST_CONFIG,
-} from "ngx-toastr";
+import { DefaultNoComponentGlobalConfig, GlobalConfig, Toast, TOAST_CONFIG } from "ngx-toastr";
 
 @Component({
   selector: "[toast-component2]",
   template: `
-    @if (options.closeButton) {
+    @if (options().closeButton) {
       <button (click)="remove()" type="button" class="toast-close-button" aria-label="Close">
         <span aria-hidden="true">&times;</span>
       </button>
@@ -22,59 +14,64 @@ import {
       <i></i>
     </div>
     <div>
-      @if (title) {
-        <div [class]="options.titleClass" [attr.aria-label]="title">
-          {{ title }}
+      @if (title()) {
+        <div [class]="options().titleClass" [attr.aria-label]="title()">
+          {{ title() }}
           @if (duplicatesCount) {
             [{{ duplicatesCount + 1 }}]
           }
         </div>
       }
-      @if (message && options.enableHtml) {
+      @if (message() && options().enableHtml) {
         <div
           role="alertdialog"
           aria-live="polite"
-          [class]="options.messageClass"
-          [innerHTML]="message"
+          [class]="options().messageClass"
+          [innerHTML]="message()"
         ></div>
       }
-      @if (message && !options.enableHtml) {
+      @if (message() && !options().enableHtml) {
         <div
           role="alertdialog"
           aria-live="polite"
-          [class]="options.messageClass"
-          [attr.aria-label]="message"
+          [class]="options().messageClass"
+          [attr.aria-label]="message()"
         >
-          {{ message }}
+          {{ message() }}
         </div>
       }
     </div>
-    @if (options.progressBar) {
+    @if (options().progressBar) {
       <div>
         <div class="toast-progress" [style.width]="width + '%'"></div>
       </div>
     }
   `,
-  animations: [
-    trigger("flyInOut", [
-      state("inactive", style({ opacity: 0 })),
-      state("active", style({ opacity: 1 })),
-      state("removed", style({ opacity: 0 })),
-      transition("inactive => active", animate("{{ easeTime }}ms {{ easing }}")),
-      transition("active => removed", animate("{{ easeTime }}ms {{ easing }}")),
-    ]),
-  ],
+  styles: `
+    :host {
+      &.toast-in {
+        animation: toast-animation var(--animation-duration) var(--animation-easing);
+      }
+
+      &.toast-out {
+        animation: toast-animation var(--animation-duration) var(--animation-easing) reverse
+          forwards;
+      }
+    }
+
+    @keyframes toast-animation {
+      from {
+        opacity: 0;
+      }
+      to {
+        opacity: 1;
+      }
+    }
+  `,
   preserveWhitespaces: false,
   standalone: false,
 })
-export class BitwardenToast extends BaseToast {
-  constructor(
-    protected toastrService: ToastrService,
-    public toastPackage: ToastPackage,
-  ) {
-    super(toastrService, toastPackage);
-  }
-}
+export class BitwardenToast extends Toast {}
 
 export const BitwardenToastGlobalConfig: GlobalConfig = {
   ...DefaultNoComponentGlobalConfig,

jslib/common/src/enums/stateVersion.ts

@@ -3,6 +3,5 @@ export enum StateVersion {
   Two = 2, // Move to a typed State object
   Three = 3, // Fix migration of users' premium status
   Four = 4, // Fix 'Never Lock' option by removing stale data
-  Five = 5, // New state service implementation
-  Latest = Five,
+  Latest = Four,
 }

jslib/electron/src/window.main.ts

@@ -127,6 +127,13 @@ export class WindowMain {
       },
     });
 
+    // Enable SharedArrayBuffer. See https://developer.chrome.com/blog/enabling-shared-array-buffer/#cross-origin-isolation
+    this.win.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+      details.responseHeaders["Cross-Origin-Opener-Policy"] = ["same-origin"];
+      details.responseHeaders["Cross-Origin-Embedder-Policy"] = ["require-corp"];
+      callback({ responseHeaders: details.responseHeaders });
+    });
+
     if (this.windowStates[mainWindowSizeKey].isMaximized) {
       this.win.maximize();
     }

package.json

@@ -76,7 +76,7 @@
     "@angular-eslint/eslint-plugin-template": "21.1.0",
     "@angular-eslint/template-parser": "21.1.0",
     "@angular/build": "21.0.5",
-    "@angular/compiler-cli": "21.0.8",
+    "@angular/compiler-cli": "21.1.1",
     "@electron/notarize": "2.5.0",
     "@electron/rebuild": "4.0.1",
     "@fluffy-spoon/substitute": "1.208.0",
@@ -124,11 +124,11 @@
     "jest-mock-extended": "4.0.0",
     "jest-preset-angular": "16.0.0",
     "lint-staged": "16.2.6",
-    "mini-css-extract-plugin": "2.9.2",
+    "mini-css-extract-plugin": "2.10.0",
     "minimatch": "5.1.2",
     "node-forge": "1.3.2",
     "node-loader": "2.1.0",
-    "prettier": "3.7.4",
+    "prettier": "3.8.1",
     "rimraf": "6.1.0",
     "rxjs": "7.8.2",
     "sass": "1.97.1",
@@ -136,25 +136,25 @@
     "ts-jest": "29.4.1",
     "ts-loader": "9.5.2",
     "tsconfig-paths-webpack-plugin": "4.2.0",
-    "type-fest": "5.3.0",
+    "type-fest": "5.4.2",
     "typescript": "5.9.3",
     "webpack": "5.104.1",
     "webpack-cli": "6.0.1",
     "webpack-merge": "6.0.1",
     "webpack-node-externals": "3.0.0",
-    "zone.js": "0.15.1"
+    "zone.js": "0.16.0"
   },
   "dependencies": {
-    "@angular/animations": "21.0.8",
-    "@angular/cdk": "21.0.6",
+    "@angular/animations": "21.1.1",
+    "@angular/cdk": "21.1.1",
     "@angular/cli": "21.0.5",
-    "@angular/common": "21.0.8",
-    "@angular/compiler": "21.0.8",
-    "@angular/core": "21.0.8",
-    "@angular/forms": "21.0.8",
-    "@angular/platform-browser": "21.0.8",
-    "@angular/platform-browser-dynamic": "21.0.8",
-    "@angular/router": "21.0.8",
+    "@angular/common": "21.1.1",
+    "@angular/compiler": "21.1.1",
+    "@angular/core": "21.1.1",
+    "@angular/forms": "21.1.1",
+    "@angular/platform-browser": "21.1.1",
+    "@angular/platform-browser-dynamic": "21.1.1",
+    "@angular/router": "21.1.1",
     "@microsoft/microsoft-graph-client": "3.0.7",
     "big-integer": "1.6.52",
     "bootstrap": "5.3.7",
@@ -168,14 +168,14 @@
     "keytar": "7.9.0",
     "ldapts": "8.1.3",
     "lowdb": "1.0.0",
-    "ngx-toastr": "19.1.0",
+    "ngx-toastr": "20.0.4",
     "node-fetch": "2.7.0",
     "parse5": "8.0.0",
     "proper-lockfile": "4.1.2",
     "rxjs": "7.8.2",
     "tldjs": "2.3.1",
     "uuid": "11.1.0",
-    "zone.js": "0.15.1"
+    "zone.js": "0.16.0"
   },
   "engines": {
     "node": "~20",

src/abstractions/state-vNext.service.ts

@@ -1,54 +0,0 @@
-import { StorageOptions } from "@/jslib/common/src/models/domain/storageOptions";
-
-import { DirectoryType } from "@/src/enums/directoryType";
-import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
-import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
-import { LdapConfiguration } from "@/src/models/ldapConfiguration";
-import { OktaConfiguration } from "@/src/models/oktaConfiguration";
-import { OneLoginConfiguration } from "@/src/models/oneLoginConfiguration";
-import { SyncConfiguration } from "@/src/models/syncConfiguration";
-
-export abstract class StateServiceVNext {
-  getDirectory: <IConfiguration>(type: DirectoryType) => Promise<IConfiguration>;
-  setDirectory: (
-    type: DirectoryType,
-    config:
-      | LdapConfiguration
-      | GSuiteConfiguration
-      | EntraIdConfiguration
-      | OktaConfiguration
-      | OneLoginConfiguration,
-  ) => Promise<any>;
-  getLdapConfiguration: (options?: StorageOptions) => Promise<LdapConfiguration>;
-  setLdapConfiguration: (value: LdapConfiguration, options?: StorageOptions) => Promise<void>;
-  getGsuiteConfiguration: (options?: StorageOptions) => Promise<GSuiteConfiguration>;
-  setGsuiteConfiguration: (value: GSuiteConfiguration, options?: StorageOptions) => Promise<void>;
-  getEntraConfiguration: (options?: StorageOptions) => Promise<EntraIdConfiguration>;
-  setEntraConfiguration: (value: EntraIdConfiguration, options?: StorageOptions) => Promise<void>;
-  getOktaConfiguration: (options?: StorageOptions) => Promise<OktaConfiguration>;
-  setOktaConfiguration: (value: OktaConfiguration, options?: StorageOptions) => Promise<void>;
-  getOneLoginConfiguration: (options?: StorageOptions) => Promise<OneLoginConfiguration>;
-  setOneLoginConfiguration: (
-    value: OneLoginConfiguration,
-    options?: StorageOptions,
-  ) => Promise<void>;
-  getOrganizationId: (options?: StorageOptions) => Promise<string>;
-  setOrganizationId: (value: string, options?: StorageOptions) => Promise<void>;
-  getSync: (options?: StorageOptions) => Promise<SyncConfiguration>;
-  setSync: (value: SyncConfiguration, options?: StorageOptions) => Promise<void>;
-  getDirectoryType: (options?: StorageOptions) => Promise<DirectoryType>;
-  setDirectoryType: (value: DirectoryType, options?: StorageOptions) => Promise<void>;
-  getUserDelta: (options?: StorageOptions) => Promise<string>;
-  setUserDelta: (value: string, options?: StorageOptions) => Promise<void>;
-  getLastUserSync: (options?: StorageOptions) => Promise<Date>;
-  setLastUserSync: (value: Date, options?: StorageOptions) => Promise<void>;
-  getLastGroupSync: (options?: StorageOptions) => Promise<Date>;
-  setLastGroupSync: (value: Date, options?: StorageOptions) => Promise<void>;
-  getGroupDelta: (options?: StorageOptions) => Promise<string>;
-  setGroupDelta: (value: string, options?: StorageOptions) => Promise<void>;
-  getLastSyncHash: (options?: StorageOptions) => Promise<string>;
-  setLastSyncHash: (value: string, options?: StorageOptions) => Promise<void>;
-  getSyncingDir: (options?: StorageOptions) => Promise<boolean>;
-  setSyncingDir: (value: boolean, options?: StorageOptions) => Promise<void>;
-  clearSyncSettings: (syncHashToo: boolean) => Promise<void>;
-}

src/app/services/services.module.ts

@@ -31,14 +31,12 @@ import { DefaultDirectoryFactoryService } from "@/src/services/directory-factory
 import { SingleRequestBuilder } from "@/src/services/single-request-builder";
 
 import { AuthService as AuthServiceAbstraction } from "../../abstractions/auth.service";
-import { StateServiceVNext } from "../../abstractions/state-vNext.service";
 import { StateService as StateServiceAbstraction } from "../../abstractions/state.service";
 import { Account } from "../../models/account";
 import { AuthService } from "../../services/auth.service";
 import { I18nService } from "../../services/i18n.service";
-import { StateServiceVNextImplementation } from "../../services/state-service/state-vNext.service";
-import { StateService } from "../../services/state-service/state.service";
-import { StateMigrationService } from "../../services/state-service/stateMigration.service";
+import { StateService } from "../../services/state.service";
+import { StateMigrationService } from "../../services/stateMigration.service";
 import { SyncService } from "../../services/sync.service";
 
 import { AuthGuardService } from "./auth-guard.service";
@@ -224,29 +222,6 @@ export function initFactory(
         StateMigrationServiceAbstraction,
       ],
     }),
-    // Use new StateServiceVNext with flat key-value structure (new interface)
-    safeProvider({
-      provide: StateServiceVNext,
-      useFactory: (
-        storageService: StorageServiceAbstraction,
-        secureStorageService: StorageServiceAbstraction,
-        logService: LogServiceAbstraction,
-        stateMigrationService: StateMigrationServiceAbstraction,
-      ) =>
-        new StateServiceVNextImplementation(
-          storageService,
-          secureStorageService,
-          logService,
-          stateMigrationService,
-          true,
-        ),
-      deps: [
-        StorageServiceAbstraction,
-        SECURE_STORAGE,
-        LogServiceAbstraction,
-        StateMigrationServiceAbstraction,
-      ],
-    }),
     safeProvider({
       provide: SingleRequestBuilder,
       deps: [],
@@ -258,12 +233,7 @@ export function initFactory(
     safeProvider({
       provide: DirectoryFactoryService,
       useClass: DefaultDirectoryFactoryService,
-      deps: [
-        LogServiceAbstraction,
-        I18nServiceAbstraction,
-        StateServiceAbstraction,
-        StateServiceVNext,
-      ],
+      deps: [LogServiceAbstraction, I18nServiceAbstraction, StateServiceAbstraction],
     }),
   ] satisfies SafeProvider[],
 })

src/bwdc.ts

@@ -18,7 +18,6 @@ import { NodeApiService } from "@/jslib/node/src/services/nodeApi.service";
 import { NodeCryptoFunctionService } from "@/jslib/node/src/services/nodeCryptoFunction.service";
 
 import { DirectoryFactoryService } from "./abstractions/directory-factory.service";
-import { StateServiceVNext } from "./abstractions/state-vNext.service";
 import { Account } from "./models/account";
 import { Program } from "./program";
 import { AuthService } from "./services/auth.service";
@@ -28,9 +27,8 @@ import { I18nService } from "./services/i18n.service";
 import { KeytarSecureStorageService } from "./services/keytarSecureStorage.service";
 import { LowdbStorageService } from "./services/lowdbStorage.service";
 import { SingleRequestBuilder } from "./services/single-request-builder";
-import { StateServiceVNextImplementation } from "./services/state-service/state-vNext.service";
-import { StateService } from "./services/state-service/state.service";
-import { StateMigrationService } from "./services/state-service/stateMigration.service";
+import { StateService } from "./services/state.service";
+import { StateMigrationService } from "./services/stateMigration.service";
 import { SyncService } from "./services/sync.service";
 
 // eslint-disable-next-line
@@ -55,7 +53,6 @@ export class Main {
   cryptoFunctionService: NodeCryptoFunctionService;
   authService: AuthService;
   syncService: SyncService;
-  stateServiceVNext: StateServiceVNext;
   stateService: StateService;
   stateMigrationService: StateMigrationService;
   directoryFactoryService: DirectoryFactoryService;
@@ -119,14 +116,6 @@ export class Main {
       process.env.BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS !== "true",
       new StateFactory(GlobalState, Account),
     );
-    // Use new StateServiceVNext with flat key-value structure
-    this.stateServiceVNext = new StateServiceVNextImplementation(
-      this.storageService,
-      this.secureStorageService,
-      this.logService,
-      this.stateMigrationService,
-      process.env.BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS !== "true",
-    );
 
     this.cryptoService = new CryptoService(
       this.cryptoFunctionService,
@@ -168,7 +157,6 @@ export class Main {
       this.logService,
       this.i18nService,
       this.stateService,
-      this.stateServiceVNext,
     );
 
     this.batchRequestBuilder = new BatchRequestBuilder();

src/main.ts

@@ -11,14 +11,12 @@ import { TrayMain } from "@/jslib/electron/src/tray.main";
 import { UpdaterMain } from "@/jslib/electron/src/updater.main";
 import { WindowMain } from "@/jslib/electron/src/window.main";
 
-import { StateServiceVNext } from "./abstractions/state-vNext.service";
 import { DCCredentialStorageListener } from "./main/credential-storage-listener";
 import { MenuMain } from "./main/menu.main";
 import { MessagingMain } from "./main/messaging.main";
 import { Account } from "./models/account";
 import { I18nService } from "./services/i18n.service";
-import { StateServiceVNextImplementation } from "./services/state-service/state-vNext.service";
-import { StateService } from "./services/state-service/state.service";
+import { StateService } from "./services/state.service";
 
 export class Main {
   logService: ElectronLogService;
@@ -26,7 +24,6 @@ export class Main {
   storageService: ElectronStorageService;
   messagingService: ElectronMainMessagingService;
   credentialStorageListener: DCCredentialStorageListener;
-  stateServiceVNext: StateServiceVNext;
   stateService: StateService;
 
   windowMain: WindowMain;
@@ -69,14 +66,6 @@ export class Main {
       true,
       new StateFactory(GlobalState, Account),
     );
-    // Use new StateServiceVNext with flat key-value structure
-    this.stateServiceVNext = new StateServiceVNextImplementation(
-      this.storageService,
-      null,
-      this.logService,
-      null,
-      true,
-    );
 
     this.windowMain = new WindowMain(
       this.stateService,

src/models/state.model.ts

@@ -1,108 +0,0 @@
-// ===================================================================
-// vNext Storage Keys (Flat key-value structure)
-// ===================================================================
-
-export const StorageKeysVNext = {
-  stateVersion: "stateVersion",
-  directoryType: "directoryType",
-  organizationId: "organizationId",
-  directory_ldap: "directory_ldap",
-  directory_gsuite: "directory_gsuite",
-  directory_entra: "directory_entra",
-  directory_okta: "directory_okta",
-  directory_onelogin: "directory_onelogin",
-  sync: "sync",
-  syncingDir: "syncingDir",
-};
-
-export const SecureStorageKeysVNext: { [key: string]: any } = {
-  ldap: "secret_ldap",
-  gsuite: "secret_gsuite",
-  // Azure Active Directory was renamed to Entra ID, but we've kept the old property name
-  // to be backwards compatible with existing configurations.
-  azure: "secret_azure",
-  entra: "secret_entra",
-  okta: "secret_okta",
-  oneLogin: "secret_oneLogin",
-  userDelta: "userDeltaToken",
-  groupDelta: "groupDeltaToken",
-  lastUserSync: "lastUserSync",
-  lastGroupSync: "lastGroupSync",
-  lastSyncHash: "lastSyncHash",
-};
-
-// ===================================================================
-// Legacy Storage Keys (Account-based hierarchy)
-// ===================================================================
-
-export const SecureStorageKeysLegacy = {
-  ldap: "ldapPassword",
-  gsuite: "gsuitePrivateKey",
-  // Azure Active Directory was renamed to Entra ID, but we've kept the old property name
-  // to be backwards compatible with existing configurations.
-  azure: "azureKey",
-  entra: "entraKey",
-  okta: "oktaToken",
-  oneLogin: "oneLoginClientSecret",
-  userDelta: "userDeltaToken",
-  groupDelta: "groupDeltaToken",
-  lastUserSync: "lastUserSync",
-  lastGroupSync: "lastGroupSync",
-  lastSyncHash: "lastSyncHash",
-};
-
-export const TempKeys = {
-  tempAccountSettings: "tempAccountSettings",
-  tempDirectoryConfigs: "tempDirectoryConfigs",
-  tempDirectorySettings: "tempDirectorySettings",
-};
-
-// ===================================================================
-// Migration Storage Keys
-// ===================================================================
-
-export const SecureStorageKeysMigration: { [key: string]: any } = {
-  ldap: "ldapPassword",
-  gsuite: "gsuitePrivateKey",
-  azure: "azureKey",
-  entra: "entraIdKey",
-  okta: "oktaToken",
-  oneLogin: "oneLoginClientSecret",
-  directoryConfigPrefix: "directoryConfig_",
-  sync: "syncConfig",
-  directoryType: "directoryType",
-  organizationId: "organizationId",
-};
-
-export const MigrationKeys: { [key: string]: any } = {
-  entityId: "entityId",
-  directoryType: "directoryType",
-  organizationId: "organizationId",
-  lastUserSync: "lastUserSync",
-  lastGroupSync: "lastGroupSync",
-  lastSyncHash: "lastSyncHash",
-  syncingDir: "syncingDir",
-  syncConfig: "syncConfig",
-  userDelta: "userDeltaToken",
-  groupDelta: "groupDeltaToken",
-  tempDirectoryConfigs: "tempDirectoryConfigs",
-  tempDirectorySettings: "tempDirectorySettings",
-};
-
-export const MigrationStateKeys = {
-  global: "global",
-  authenticatedAccounts: "authenticatedAccounts",
-};
-
-export const MigrationClientKeys: { [key: string]: any } = {
-  clientIdOld: "clientId",
-  clientId: "apikey_clientId",
-  clientSecretOld: "clientSecret",
-  clientSecret: "apikey_clientSecret",
-};
-
-// ===================================================================
-// Shared Constants
-// ===================================================================
-
-export const StoredSecurely = "[STORED SECURELY]";

src/services/authService.spec.ts

@@ -15,7 +15,7 @@ import { MessagingService } from "../../jslib/common/src/abstractions/messaging.
 import { Account, DirectoryConfigurations, DirectorySettings } from "../models/account";
 
 import { AuthService } from "./auth.service";
-import { StateService } from "./state-service/state.service";
+import { StateService } from "./state.service";
 
 const clientId = "organization.CLIENT_ID";
 const clientSecret = "CLIENT_SECRET";

src/services/directory-factory.service.ts

@@ -2,7 +2,6 @@ import { I18nService } from "@/jslib/common/src/abstractions/i18n.service";
 import { LogService } from "@/jslib/common/src/abstractions/log.service";
 
 import { DirectoryFactoryService } from "../abstractions/directory-factory.service";
-import { StateServiceVNext } from "../abstractions/state-vNext.service";
 import { StateService } from "../abstractions/state.service";
 import { DirectoryType } from "../enums/directoryType";
 
@@ -17,18 +16,12 @@ export class DefaultDirectoryFactoryService implements DirectoryFactoryService {
     private logService: LogService,
     private i18nService: I18nService,
     private stateService: StateService,
-    private stateServiceVNext: StateServiceVNext,
   ) {}
 
   createService(directoryType: DirectoryType) {
     switch (directoryType) {
       case DirectoryType.GSuite:
-        return new GSuiteDirectoryService(
-          this.logService,
-          this.i18nService,
-          this.stateService,
-          this.stateServiceVNext,
-        );
+        return new GSuiteDirectoryService(this.logService, this.i18nService, this.stateService);
       case DirectoryType.EntraID:
         return new EntraIdDirectoryService(this.logService, this.i18nService, this.stateService);
       case DirectoryType.Ldap:

src/services/directory-services/gsuite-directory.service.integration.spec.ts

@@ -1,8 +1,6 @@
 import { config as dotenvConfig } from "dotenv";
 import { mock, MockProxy } from "jest-mock-extended";
 
-import { StateServiceVNext } from "@/src/abstractions/state-vNext.service";
-
 import { I18nService } from "../../../jslib/common/src/abstractions/i18n.service";
 import { LogService } from "../../../jslib/common/src/abstractions/log.service";
 import {
@@ -12,7 +10,7 @@ import {
 import { groupFixtures } from "../../../utils/google-workspace/group-fixtures";
 import { userFixtures } from "../../../utils/google-workspace/user-fixtures";
 import { DirectoryType } from "../../enums/directoryType";
-import { StateService } from "../state-service/state.service";
+import { StateService } from "../state.service";
 
 import { GSuiteDirectoryService } from "./gsuite-directory.service";
 
@@ -37,7 +35,6 @@ describe("gsuiteDirectoryService", () => {
   let logService: MockProxy<LogService>;
   let i18nService: MockProxy<I18nService>;
   let stateService: MockProxy<StateService>;
-  let stateServiceVNext: MockProxy<StateServiceVNext>;
 
   let directoryService: GSuiteDirectoryService;
 
@@ -45,31 +42,23 @@ describe("gsuiteDirectoryService", () => {
     logService = mock();
     i18nService = mock();
     stateService = mock();
-    stateServiceVNext = mock();
 
-    stateServiceVNext.getDirectoryType.mockResolvedValue(DirectoryType.GSuite);
+    stateService.getDirectoryType.mockResolvedValue(DirectoryType.GSuite);
     stateService.getLastUserSync.mockResolvedValue(null); // do not filter results by last modified date
     i18nService.t.mockImplementation((id) => id); // passthrough implementation for any error  messages
 
-    directoryService = new GSuiteDirectoryService(
-      logService,
-      i18nService,
-      stateService,
-      stateServiceVNext,
-    );
+    directoryService = new GSuiteDirectoryService(logService, i18nService, stateService);
   });
 
   it("syncs without using filters (includes test data)", async () => {
     const directoryConfig = getGSuiteConfiguration();
-    stateServiceVNext.getDirectory
-      .calledWith(DirectoryType.GSuite)
-      .mockResolvedValue(directoryConfig);
+    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
     const syncConfig = getSyncConfiguration({
       groups: true,
       users: true,
     });
-    stateServiceVNext.getSync.mockResolvedValue(syncConfig);
+    stateService.getSync.mockResolvedValue(syncConfig);
 
     const result = await directoryService.getEntries(true, true);
 
@@ -79,9 +68,7 @@ describe("gsuiteDirectoryService", () => {
 
   it("syncs using user and group filters (exact match for test data)", async () => {
     const directoryConfig = getGSuiteConfiguration();
-    stateServiceVNext.getDirectory
-      .calledWith(DirectoryType.GSuite)
-      .mockResolvedValue(directoryConfig);
+    stateService.getDirectory.calledWith(DirectoryType.GSuite).mockResolvedValue(directoryConfig);
 
     const syncConfig = getSyncConfiguration({
       groups: true,
@@ -89,7 +76,7 @@ describe("gsuiteDirectoryService", () => {
       userFilter: INTEGRATION_USER_FILTER,
       groupFilter: INTEGRATION_GROUP_FILTER,
     });
-    stateServiceVNext.getSync.mockResolvedValue(syncConfig);
+    stateService.getSync.mockResolvedValue(syncConfig);
 
     const result = await directoryService.getEntries(true, true);
 

src/services/directory-services/gsuite-directory.service.ts

@@ -4,8 +4,6 @@ import { admin_directory_v1, google } from "googleapis";
 import { I18nService } from "@/jslib/common/src/abstractions/i18n.service";
 import { LogService } from "@/jslib/common/src/abstractions/log.service";
 
-import { StateServiceVNext } from "@/src/abstractions/state-vNext.service";
-
 import { StateService } from "../../abstractions/state.service";
 import { DirectoryType } from "../../enums/directoryType";
 import { GroupEntry } from "../../models/groupEntry";
@@ -27,26 +25,25 @@ export class GSuiteDirectoryService extends BaseDirectoryService implements IDir
     private logService: LogService,
     private i18nService: I18nService,
     private stateService: StateService,
-    private stateServiceVNext: StateServiceVNext,
   ) {
     super();
     this.service = google.admin("directory_v1");
   }
 
   async getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
-    const type = await this.stateServiceVNext.getDirectoryType();
+    const type = await this.stateService.getDirectoryType();
     if (type !== DirectoryType.GSuite) {
       return;
     }
 
-    this.dirConfig = await this.stateServiceVNext.getDirectory<GSuiteConfiguration>(
+    this.dirConfig = await this.stateService.getDirectory<GSuiteConfiguration>(
       DirectoryType.GSuite,
     );
     if (this.dirConfig == null) {
       return;
     }
 
-    this.syncConfig = await this.stateServiceVNext.getSync();
+    this.syncConfig = await this.stateService.getSync();
     if (this.syncConfig == null) {
       return;
     }

src/services/directory-services/ldap-directory.service.integration.spec.ts

@@ -9,7 +9,7 @@ import {
 import { groupFixtures } from "../../../utils/openldap/group-fixtures";
 import { userFixtures } from "../../../utils/openldap/user-fixtures";
 import { DirectoryType } from "../../enums/directoryType";
-import { StateService } from "../state-service/state.service";
+import { StateService } from "../state.service";
 
 import { LdapDirectoryService } from "./ldap-directory.service";
 

src/services/state-service/state-vNext.service.spec.ts

@@ -1,488 +0,0 @@
-import { mock, MockProxy } from "jest-mock-extended";
-
-import { LogService } from "@/jslib/common/src/abstractions/log.service";
-import { StateMigrationService } from "@/jslib/common/src/abstractions/stateMigration.service";
-import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
-
-import { DirectoryType } from "@/src/enums/directoryType";
-import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
-import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
-import { LdapConfiguration } from "@/src/models/ldapConfiguration";
-import { OktaConfiguration } from "@/src/models/oktaConfiguration";
-import { OneLoginConfiguration } from "@/src/models/oneLoginConfiguration";
-import { StorageKeysVNext as StorageKeys, StoredSecurely } from "@/src/models/state.model";
-import { SyncConfiguration } from "@/src/models/syncConfiguration";
-
-import { StateServiceVNextImplementation } from "./state-vNext.service";
-
-describe("StateServiceVNextImplementation", () => {
-  let storageService: MockProxy<StorageService>;
-  let secureStorageService: MockProxy<StorageService>;
-  let logService: MockProxy<LogService>;
-  let stateMigrationService: MockProxy<StateMigrationService>;
-  let stateService: StateServiceVNextImplementation;
-
-  beforeEach(() => {
-    storageService = mock<StorageService>();
-    secureStorageService = mock<StorageService>();
-    logService = mock<LogService>();
-    stateMigrationService = mock<StateMigrationService>();
-
-    stateService = new StateServiceVNextImplementation(
-      storageService,
-      secureStorageService,
-      logService,
-      stateMigrationService,
-      true, // useSecureStorageForSecrets
-    );
-  });
-
-  describe("init", () => {
-    it("should run migration if needed", async () => {
-      stateMigrationService.needsMigration.mockResolvedValue(true);
-
-      await stateService.init();
-
-      expect(stateMigrationService.needsMigration).toHaveBeenCalled();
-      expect(stateMigrationService.migrate).toHaveBeenCalled();
-    });
-
-    it("should not run migration if not needed", async () => {
-      stateMigrationService.needsMigration.mockResolvedValue(false);
-
-      await stateService.init();
-
-      expect(stateMigrationService.needsMigration).toHaveBeenCalled();
-      expect(stateMigrationService.migrate).not.toHaveBeenCalled();
-    });
-  });
-
-  describe("clean", () => {
-    it("should clear all directory settings and configurations", async () => {
-      await stateService.clean();
-
-      // Verify all directory types are cleared
-      expect(storageService.save).toHaveBeenCalledWith(StorageKeys.directoryType, null);
-      expect(storageService.save).toHaveBeenCalledWith(StorageKeys.organizationId, null);
-      expect(storageService.save).toHaveBeenCalledWith(StorageKeys.sync, null);
-    });
-  });
-
-  describe("Directory Type", () => {
-    it("should store and retrieve directory type", async () => {
-      storageService.get.mockResolvedValue(DirectoryType.Ldap);
-
-      await stateService.setDirectoryType(DirectoryType.Ldap);
-      const result = await stateService.getDirectoryType();
-
-      expect(storageService.save).toHaveBeenCalledWith(
-        StorageKeys.directoryType,
-        DirectoryType.Ldap,
-      );
-      expect(result).toBe(DirectoryType.Ldap);
-    });
-
-    it("should return null when directory type is not set", async () => {
-      storageService.get.mockResolvedValue(null);
-
-      const result = await stateService.getDirectoryType();
-
-      expect(result).toBeNull();
-    });
-  });
-
-  describe("Organization Id", () => {
-    it("should store and retrieve organization ID", async () => {
-      const orgId = "test-org-123";
-
-      storageService.get.mockResolvedValue(orgId);
-
-      await stateService.setOrganizationId(orgId);
-      const result = await stateService.getOrganizationId();
-
-      expect(storageService.save).toHaveBeenCalledWith(StorageKeys.organizationId, orgId);
-      expect(result).toBe(orgId);
-    });
-  });
-
-  describe("LDAP Configuration", () => {
-    it("should store and retrieve LDAP configuration with secrets in secure storage", async () => {
-      const config: LdapConfiguration = {
-        ssl: true,
-        startTls: false,
-        tlsCaPath: null,
-        sslAllowUnauthorized: false,
-        sslCertPath: null,
-        sslKeyPath: null,
-        sslCaPath: null,
-        hostname: "ldap.example.com",
-        port: 636,
-        domain: null,
-        rootPath: null,
-        ad: true,
-        username: "admin",
-        password: "secret-password",
-        currentUser: false,
-        pagedSearch: true,
-      };
-
-      secureStorageService.get.mockResolvedValue("secret-password");
-      storageService.get.mockResolvedValue({
-        ...config,
-        password: StoredSecurely,
-      });
-
-      await stateService.setDirectory(DirectoryType.Ldap, config);
-      const result = await stateService.getDirectory<LdapConfiguration>(DirectoryType.Ldap);
-
-      // Verify password is stored in secure storage
-      expect(secureStorageService.save).toHaveBeenCalled();
-
-      // Verify configuration is stored
-      expect(storageService.save).toHaveBeenCalled();
-
-      // Verify retrieved config has real password from secure storage
-      expect(result?.password).toBe("secret-password");
-    });
-
-    it("should return null when LDAP configuration is not set", async () => {
-      storageService.get.mockResolvedValue(null);
-
-      const result = await stateService.getLdapConfiguration();
-
-      expect(result).toBeNull();
-    });
-
-    it("should handle null password in LDAP configuration", async () => {
-      const config: LdapConfiguration = {
-        ssl: true,
-        startTls: false,
-        tlsCaPath: null,
-        sslAllowUnauthorized: false,
-        sslCertPath: null,
-        sslKeyPath: null,
-        sslCaPath: null,
-        hostname: "ldap.example.com",
-        port: 636,
-        domain: null,
-        rootPath: null,
-        ad: true,
-        username: "admin",
-        password: null,
-        currentUser: false,
-        pagedSearch: true,
-      };
-
-      await stateService.setDirectory(DirectoryType.Ldap, config);
-
-      // Null passwords should call remove on the secure storage secret key
-      expect(secureStorageService.remove).toHaveBeenCalled();
-    });
-  });
-
-  describe("GSuite Configuration", () => {
-    it("should store and retrieve GSuite configuration with privateKey in secure storage", async () => {
-      const config: GSuiteConfiguration = {
-        domain: "example.com",
-        clientEmail: "service@example.com",
-        adminUser: "admin@example.com",
-        privateKey: "private-key-content",
-        customer: "customer-id",
-      };
-
-      secureStorageService.get.mockResolvedValue("private-key-content");
-      storageService.get.mockResolvedValue({
-        ...config,
-        privateKey: StoredSecurely,
-      });
-
-      await stateService.setDirectory(DirectoryType.GSuite, config);
-      const result = await stateService.getDirectory<GSuiteConfiguration>(DirectoryType.GSuite);
-
-      expect(secureStorageService.save).toHaveBeenCalled();
-      expect(result?.privateKey).toBe("private-key-content");
-    });
-
-    it("should handle null privateKey in GSuite configuration", async () => {
-      const config: GSuiteConfiguration = {
-        domain: "example.com",
-        clientEmail: "service@example.com",
-        adminUser: "admin@example.com",
-        privateKey: null,
-        customer: "customer-id",
-      };
-
-      await stateService.setDirectory(DirectoryType.GSuite, config);
-
-      // Null privateKey should call remove on the secure storage secret key
-      expect(secureStorageService.remove).toHaveBeenCalled();
-    });
-  });
-
-  describe("Entra ID Configuration", () => {
-    it("should store and retrieve Entra ID configuration with key in secure storage", async () => {
-      const config: EntraIdConfiguration = {
-        identityAuthority: "https://login.microsoftonline.com",
-        tenant: "tenant-id",
-        applicationId: "app-id",
-        key: "secret-key",
-      };
-
-      secureStorageService.get.mockResolvedValue("secret-key");
-      storageService.get.mockResolvedValue({
-        ...config,
-        key: StoredSecurely,
-      });
-
-      await stateService.setDirectory(DirectoryType.EntraID, config);
-      const result = await stateService.getDirectory<EntraIdConfiguration>(DirectoryType.EntraID);
-
-      expect(secureStorageService.save).toHaveBeenCalled();
-      expect(result?.key).toBe("secret-key");
-    });
-
-    it("should maintain backwards compatibility with Azure key storage", async () => {
-      const config: EntraIdConfiguration = {
-        identityAuthority: "https://login.microsoftonline.com",
-        tenant: "tenant-id",
-        applicationId: "app-id",
-        key: StoredSecurely,
-      };
-
-      storageService.get.mockResolvedValue(config);
-      secureStorageService.get.mockResolvedValueOnce(null); // entra key not found
-      secureStorageService.get.mockResolvedValueOnce("azure-secret-key"); // fallback to azure key
-
-      const result = await stateService.getDirectory<EntraIdConfiguration>(DirectoryType.EntraID);
-
-      expect(secureStorageService.get).toHaveBeenCalled();
-      expect(result?.key).toBe("azure-secret-key");
-    });
-  });
-
-  describe("Okta Configuration", () => {
-    it("should store and retrieve Okta configuration with token in secure storage", async () => {
-      const config: OktaConfiguration = {
-        orgUrl: "https://example.okta.com",
-        token: "okta-token",
-      };
-
-      secureStorageService.get.mockResolvedValue("okta-token");
-      storageService.get.mockResolvedValue({
-        ...config,
-        token: StoredSecurely,
-      });
-
-      await stateService.setDirectory(DirectoryType.Okta, config);
-      const result = await stateService.getDirectory<OktaConfiguration>(DirectoryType.Okta);
-
-      expect(secureStorageService.save).toHaveBeenCalled();
-      expect(result?.token).toBe("okta-token");
-    });
-  });
-
-  describe("OneLogin Configuration", () => {
-    it("should store and retrieve OneLogin configuration with clientSecret in secure storage", async () => {
-      const config: OneLoginConfiguration = {
-        region: "us",
-        clientId: "client-id",
-        clientSecret: "client-secret",
-      };
-
-      secureStorageService.get.mockResolvedValue("client-secret");
-      storageService.get.mockResolvedValue({
-        ...config,
-        clientSecret: StoredSecurely,
-      });
-
-      await stateService.setDirectory(DirectoryType.OneLogin, config);
-      const result = await stateService.getDirectory<OneLoginConfiguration>(DirectoryType.OneLogin);
-
-      expect(secureStorageService.save).toHaveBeenCalled();
-      expect(result?.clientSecret).toBe("client-secret");
-    });
-  });
-
-  describe("Sync Configuration", () => {
-    it("should store and retrieve sync configuration", async () => {
-      const syncConfig: SyncConfiguration = {
-        users: true,
-        groups: true,
-        interval: 5,
-        userFilter: null,
-        groupFilter: null,
-        removeDisabled: true,
-        overwriteExisting: false,
-        largeImport: false,
-        groupObjectClass: null,
-        userObjectClass: null,
-        groupPath: null,
-        userPath: null,
-        groupNameAttribute: null,
-        userEmailAttribute: null,
-        memberAttribute: "member",
-        creationDateAttribute: "whenCreated",
-        revisionDateAttribute: "whenChanged",
-        useEmailPrefixSuffix: false,
-        emailPrefixAttribute: null,
-        emailSuffix: null,
-      };
-
-      storageService.get.mockResolvedValue(syncConfig);
-
-      await stateService.setSync(syncConfig);
-      const result = await stateService.getSync();
-
-      expect(storageService.save).toHaveBeenCalledWith(StorageKeys.sync, syncConfig);
-      expect(result).toEqual(syncConfig);
-    });
-  });
-
-  describe("Sync Settings", () => {
-    it("should clear sync settings when clearSyncSettings is called", async () => {
-      await stateService.clearSyncSettings(false);
-
-      // Should set delta and sync values to null
-      expect(storageService.save).toHaveBeenCalled();
-    });
-
-    it("should clear lastSyncHash when hashToo is true", async () => {
-      await stateService.clearSyncSettings(true);
-
-      // Should set all values including lastSyncHash to null
-      expect(storageService.save).toHaveBeenCalled();
-    });
-
-    it("should not clear lastSyncHash when hashToo is false", async () => {
-      await stateService.clearSyncSettings(false);
-
-      // Should set delta and sync values but not lastSyncHash
-      expect(storageService.save).toHaveBeenCalled();
-    });
-  });
-
-  describe("Last Sync Hash", () => {
-    it("should store and retrieve last sync hash", async () => {
-      const hash = "hash";
-
-      storageService.get.mockResolvedValue(hash);
-
-      await stateService.setLastSyncHash(hash);
-      const result = await stateService.getLastSyncHash();
-
-      expect(storageService.save).toHaveBeenCalled();
-      expect(result).toBe(hash);
-    });
-  });
-
-  describe("Delta Tokens", () => {
-    it("should store and retrieve user delta token", async () => {
-      const token = "user-delta-token";
-
-      storageService.get.mockResolvedValue(token);
-
-      await stateService.setUserDelta(token);
-      const result = await stateService.getUserDelta();
-
-      expect(storageService.save).toHaveBeenCalled();
-      expect(result).toBe(token);
-    });
-
-    it("should store and retrieve group delta token", async () => {
-      const token = "group-delta-token";
-
-      storageService.get.mockResolvedValue(token);
-
-      await stateService.setGroupDelta(token);
-      const result = await stateService.getGroupDelta();
-
-      expect(storageService.save).toHaveBeenCalled();
-      expect(result).toBe(token);
-    });
-  });
-
-  describe("Last Sync Timestamps", () => {
-    it("should store and retrieve last user sync timestamp", async () => {
-      const timestamp = new Date("2024-01-01T00:00:00Z");
-
-      storageService.get.mockResolvedValue(timestamp.toISOString());
-
-      await stateService.setLastUserSync(timestamp);
-      const result = await stateService.getLastUserSync();
-
-      expect(storageService.save).toHaveBeenCalled();
-      expect(result?.toISOString()).toBe(timestamp.toISOString());
-    });
-
-    it("should store and retrieve last group sync timestamp", async () => {
-      const timestamp = new Date("2024-01-01T00:00:00Z");
-
-      storageService.get.mockResolvedValue(timestamp.toISOString());
-
-      await stateService.setLastGroupSync(timestamp);
-      const result = await stateService.getLastGroupSync();
-
-      expect(storageService.save).toHaveBeenCalled();
-      expect(result?.toISOString()).toBe(timestamp.toISOString());
-    });
-
-    it("should return null when last user sync timestamp is not set", async () => {
-      storageService.get.mockResolvedValue(null);
-
-      const result = await stateService.getLastUserSync();
-
-      expect(result).toBeNull();
-    });
-
-    it("should return null when last group sync timestamp is not set", async () => {
-      storageService.get.mockResolvedValue(null);
-
-      const result = await stateService.getLastGroupSync();
-
-      expect(result).toBeNull();
-    });
-  });
-
-  describe("Secure Storage Flag", () => {
-    it("should not separate secrets when useSecureStorageForSecrets is false", async () => {
-      const insecureStateService = new StateServiceVNextImplementation(
-        storageService,
-        secureStorageService,
-        logService,
-        stateMigrationService,
-        false, // useSecureStorageForSecrets = false
-      );
-
-      const config: LdapConfiguration = {
-        ssl: true,
-        startTls: false,
-        tlsCaPath: null,
-        sslAllowUnauthorized: false,
-        sslCertPath: null,
-        sslKeyPath: null,
-        sslCaPath: null,
-        hostname: "ldap.example.com",
-        port: 636,
-        domain: null,
-        rootPath: null,
-        ad: true,
-        username: "admin",
-        password: "secret-password",
-        currentUser: false,
-        pagedSearch: true,
-      };
-
-      storageService.get.mockResolvedValue(config);
-
-      // When useSecureStorageForSecrets is false, setDirectory doesn't process secrets
-      await insecureStateService.setDirectory(DirectoryType.Ldap, config);
-
-      // Retrieve config - should return password as-is from storage (not from secure storage)
-      const result = await insecureStateService.getDirectory<LdapConfiguration>(DirectoryType.Ldap);
-
-      // Password should be retrieved directly from storage, not secure storage
-      expect(result?.password).toBe("secret-password");
-      expect(secureStorageService.get).not.toHaveBeenCalled();
-    });
-  });
-});

src/services/state-service/state-vNext.service.ts

@@ -1,409 +0,0 @@
-import { LogService } from "@/jslib/common/src/abstractions/log.service";
-import { StateMigrationService } from "@/jslib/common/src/abstractions/stateMigration.service";
-import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
-import { EnvironmentUrls } from "@/jslib/common/src/models/domain/environmentUrls";
-import { StorageOptions } from "@/jslib/common/src/models/domain/storageOptions";
-
-import { StateServiceVNext as StateServiceVNextAbstraction } from "@/src/abstractions/state-vNext.service";
-import { DirectoryType } from "@/src/enums/directoryType";
-import { IConfiguration } from "@/src/models/IConfiguration";
-import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
-import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
-import { LdapConfiguration } from "@/src/models/ldapConfiguration";
-import { OktaConfiguration } from "@/src/models/oktaConfiguration";
-import { OneLoginConfiguration } from "@/src/models/oneLoginConfiguration";
-import {
-  SecureStorageKeysVNext as SecureStorageKeys,
-  StorageKeysVNext as StorageKeys,
-  StoredSecurely,
-} from "@/src/models/state.model";
-import { SyncConfiguration } from "@/src/models/syncConfiguration";
-
-export class StateServiceVNextImplementation implements StateServiceVNextAbstraction {
-  constructor(
-    protected storageService: StorageService,
-    protected secureStorageService: StorageService,
-    protected logService: LogService,
-    protected stateMigrationService: StateMigrationService,
-    private useSecureStorageForSecrets = true,
-  ) {}
-
-  async init(): Promise<void> {
-    if (await this.stateMigrationService.needsMigration()) {
-      await this.stateMigrationService.migrate();
-    }
-  }
-
-  async clean(options?: StorageOptions): Promise<void> {
-    // Clear all directory settings and configurations
-    // but preserve version and environment settings
-    await this.setDirectoryType(null);
-    await this.setOrganizationId(null);
-    await this.setSync(null);
-    await this.setLdapConfiguration(null);
-    await this.setGsuiteConfiguration(null);
-    await this.setEntraConfiguration(null);
-    await this.setOktaConfiguration(null);
-    await this.setOneLoginConfiguration(null);
-    await this.clearSyncSettings(true);
-  }
-
-  // ===================================================================
-  // Directory Configuration Methods
-  // ===================================================================
-
-  async getDirectory<T extends IConfiguration>(type: DirectoryType): Promise<T> {
-    const config = await this.getConfiguration(type);
-    if (config == null) {
-      return config as T;
-    }
-
-    if (this.useSecureStorageForSecrets) {
-      // Create a copy to avoid modifying the cached config
-      const configWithSecrets = Object.assign({}, config);
-
-      switch (type) {
-        case DirectoryType.Ldap:
-          (configWithSecrets as any).password = await this.getLdapSecret();
-          break;
-        case DirectoryType.EntraID:
-          (configWithSecrets as any).key = await this.getEntraSecret();
-          break;
-        case DirectoryType.Okta:
-          (configWithSecrets as any).token = await this.getOktaSecret();
-          break;
-        case DirectoryType.GSuite:
-          (configWithSecrets as any).privateKey = await this.getGsuiteSecret();
-          break;
-        case DirectoryType.OneLogin:
-          (configWithSecrets as any).clientSecret = await this.getOneLoginSecret();
-          break;
-      }
-
-      return configWithSecrets as T;
-    }
-
-    return config as T;
-  }
-
-  async setDirectory(
-    type: DirectoryType,
-    config:
-      | LdapConfiguration
-      | GSuiteConfiguration
-      | EntraIdConfiguration
-      | OktaConfiguration
-      | OneLoginConfiguration,
-  ): Promise<any> {
-    if (this.useSecureStorageForSecrets) {
-      switch (type) {
-        case DirectoryType.Ldap: {
-          const ldapConfig = config as LdapConfiguration;
-          await this.setLdapSecret(ldapConfig.password);
-          ldapConfig.password = StoredSecurely;
-          await this.setLdapConfiguration(ldapConfig);
-          break;
-        }
-        case DirectoryType.EntraID: {
-          const entraConfig = config as EntraIdConfiguration;
-          await this.setEntraSecret(entraConfig.key);
-          entraConfig.key = StoredSecurely;
-          await this.setEntraConfiguration(entraConfig);
-          break;
-        }
-        case DirectoryType.Okta: {
-          const oktaConfig = config as OktaConfiguration;
-          await this.setOktaSecret(oktaConfig.token);
-          oktaConfig.token = StoredSecurely;
-          await this.setOktaConfiguration(oktaConfig);
-          break;
-        }
-        case DirectoryType.GSuite: {
-          const gsuiteConfig = config as GSuiteConfiguration;
-          if (gsuiteConfig.privateKey == null) {
-            await this.setGsuiteSecret(null);
-          } else {
-            const normalizedPrivateKey = gsuiteConfig.privateKey.replace(/\\n/g, "\n");
-            await this.setGsuiteSecret(normalizedPrivateKey);
-            gsuiteConfig.privateKey = StoredSecurely;
-          }
-          await this.setGsuiteConfiguration(gsuiteConfig);
-          break;
-        }
-        case DirectoryType.OneLogin: {
-          const oneLoginConfig = config as OneLoginConfiguration;
-          await this.setOneLoginSecret(oneLoginConfig.clientSecret);
-          oneLoginConfig.clientSecret = StoredSecurely;
-          await this.setOneLoginConfiguration(oneLoginConfig);
-          break;
-        }
-      }
-    }
-  }
-
-  async getConfiguration(type: DirectoryType): Promise<IConfiguration> {
-    switch (type) {
-      case DirectoryType.Ldap:
-        return await this.getLdapConfiguration();
-      case DirectoryType.GSuite:
-        return await this.getGsuiteConfiguration();
-      case DirectoryType.EntraID:
-        return await this.getEntraConfiguration();
-      case DirectoryType.Okta:
-        return await this.getOktaConfiguration();
-      case DirectoryType.OneLogin:
-        return await this.getOneLoginConfiguration();
-    }
-  }
-
-  // ===================================================================
-  // Secret Storage Methods (Secure Storage)
-  // ===================================================================
-
-  private async getLdapSecret(): Promise<string> {
-    return await this.secureStorageService.get<string>(SecureStorageKeys.ldap);
-  }
-
-  private async setLdapSecret(value: string): Promise<void> {
-    if (value == null) {
-      await this.secureStorageService.remove(SecureStorageKeys.ldap);
-    } else {
-      await this.secureStorageService.save(SecureStorageKeys.ldap, value);
-    }
-  }
-
-  private async getGsuiteSecret(): Promise<string> {
-    return await this.secureStorageService.get<string>(SecureStorageKeys.gsuite);
-  }
-
-  private async setGsuiteSecret(value: string): Promise<void> {
-    if (value == null) {
-      await this.secureStorageService.remove(SecureStorageKeys.gsuite);
-    } else {
-      await this.secureStorageService.save(SecureStorageKeys.gsuite, value);
-    }
-  }
-
-  private async getEntraSecret(): Promise<string> {
-    // Try new key first, fall back to old azure key for backwards compatibility
-    const entraKey = await this.secureStorageService.get<string>(SecureStorageKeys.entra);
-    if (entraKey != null) {
-      return entraKey;
-    }
-    return await this.secureStorageService.get<string>(SecureStorageKeys.azure);
-  }
-
-  private async setEntraSecret(value: string): Promise<void> {
-    if (value == null) {
-      await this.secureStorageService.remove(SecureStorageKeys.entra);
-      await this.secureStorageService.remove(SecureStorageKeys.azure);
-    } else {
-      await this.secureStorageService.save(SecureStorageKeys.entra, value);
-    }
-  }
-
-  private async getOktaSecret(): Promise<string> {
-    return await this.secureStorageService.get<string>(SecureStorageKeys.okta);
-  }
-
-  private async setOktaSecret(value: string): Promise<void> {
-    if (value == null) {
-      await this.secureStorageService.remove(SecureStorageKeys.okta);
-    } else {
-      await this.secureStorageService.save(SecureStorageKeys.okta, value);
-    }
-  }
-
-  private async getOneLoginSecret(): Promise<string> {
-    return await this.secureStorageService.get<string>(SecureStorageKeys.oneLogin);
-  }
-
-  private async setOneLoginSecret(value: string): Promise<void> {
-    if (value == null) {
-      await this.secureStorageService.remove(SecureStorageKeys.oneLogin);
-    } else {
-      await this.secureStorageService.save(SecureStorageKeys.oneLogin, value);
-    }
-  }
-
-  // ===================================================================
-  // Directory-Specific Configuration Methods
-  // ===================================================================
-
-  async getLdapConfiguration(options?: StorageOptions): Promise<LdapConfiguration> {
-    return await this.storageService.get<LdapConfiguration>(StorageKeys.directory_ldap);
-  }
-
-  async setLdapConfiguration(value: LdapConfiguration, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(StorageKeys.directory_ldap, value);
-  }
-
-  async getGsuiteConfiguration(options?: StorageOptions): Promise<GSuiteConfiguration> {
-    return await this.storageService.get<GSuiteConfiguration>(StorageKeys.directory_gsuite);
-  }
-
-  async setGsuiteConfiguration(
-    value: GSuiteConfiguration,
-    options?: StorageOptions,
-  ): Promise<void> {
-    await this.storageService.save(StorageKeys.directory_gsuite, value);
-  }
-
-  async getEntraConfiguration(options?: StorageOptions): Promise<EntraIdConfiguration> {
-    return await this.storageService.get<EntraIdConfiguration>(StorageKeys.directory_entra);
-  }
-
-  async setEntraConfiguration(
-    value: EntraIdConfiguration,
-    options?: StorageOptions,
-  ): Promise<void> {
-    await this.storageService.save(StorageKeys.directory_entra, value);
-  }
-
-  async getOktaConfiguration(options?: StorageOptions): Promise<OktaConfiguration> {
-    return await this.storageService.get<OktaConfiguration>(StorageKeys.directory_okta);
-  }
-
-  async setOktaConfiguration(value: OktaConfiguration, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(StorageKeys.directory_okta, value);
-  }
-
-  async getOneLoginConfiguration(options?: StorageOptions): Promise<OneLoginConfiguration> {
-    return await this.storageService.get<OneLoginConfiguration>(StorageKeys.directory_onelogin);
-  }
-
-  async setOneLoginConfiguration(
-    value: OneLoginConfiguration,
-    options?: StorageOptions,
-  ): Promise<void> {
-    await this.storageService.save(StorageKeys.directory_onelogin, value);
-  }
-
-  // ===================================================================
-  // Directory Settings Methods
-  // ===================================================================
-
-  async getOrganizationId(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>(StorageKeys.organizationId);
-  }
-
-  async setOrganizationId(value: string, options?: StorageOptions): Promise<void> {
-    const currentId = await this.getOrganizationId();
-    if (currentId !== value) {
-      await this.clearSyncSettings();
-    }
-    await this.storageService.save(StorageKeys.organizationId, value);
-  }
-
-  async getSync(options?: StorageOptions): Promise<SyncConfiguration> {
-    return await this.storageService.get<SyncConfiguration>(StorageKeys.sync);
-  }
-
-  async setSync(value: SyncConfiguration, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(StorageKeys.sync, value);
-  }
-
-  async getDirectoryType(options?: StorageOptions): Promise<DirectoryType> {
-    return await this.storageService.get<DirectoryType>(StorageKeys.directoryType);
-  }
-
-  async setDirectoryType(value: DirectoryType, options?: StorageOptions): Promise<void> {
-    const currentType = await this.getDirectoryType();
-    if (value !== currentType) {
-      await this.clearSyncSettings();
-    }
-    await this.storageService.save(StorageKeys.directoryType, value);
-  }
-
-  async getLastUserSync(options?: StorageOptions): Promise<Date> {
-    const dateString = await this.storageService.get<string>(SecureStorageKeys.lastUserSync);
-    return dateString ? new Date(dateString) : null;
-  }
-
-  async setLastUserSync(value: Date, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(SecureStorageKeys.lastUserSync, value);
-  }
-
-  async getLastGroupSync(options?: StorageOptions): Promise<Date> {
-    const dateString = await this.storageService.get<string>(SecureStorageKeys.lastGroupSync);
-    return dateString ? new Date(dateString) : null;
-  }
-
-  async setLastGroupSync(value: Date, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(SecureStorageKeys.lastGroupSync, value);
-  }
-
-  async getLastSyncHash(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>(SecureStorageKeys.lastSyncHash);
-  }
-
-  async setLastSyncHash(value: string, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(SecureStorageKeys.lastSyncHash, value);
-  }
-
-  async getSyncingDir(options?: StorageOptions): Promise<boolean> {
-    return await this.storageService.get<boolean>(StorageKeys.syncingDir);
-  }
-
-  async setSyncingDir(value: boolean, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(StorageKeys.syncingDir, value);
-  }
-
-  async getUserDelta(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>(SecureStorageKeys.userDelta);
-  }
-
-  async setUserDelta(value: string, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(SecureStorageKeys.userDelta, value);
-  }
-
-  async getGroupDelta(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>(SecureStorageKeys.groupDelta);
-  }
-
-  async setGroupDelta(value: string, options?: StorageOptions): Promise<void> {
-    await this.storageService.save(SecureStorageKeys.groupDelta, value);
-  }
-
-  async clearSyncSettings(hashToo = false): Promise<void> {
-    await this.setUserDelta(null);
-    await this.setGroupDelta(null);
-    await this.setLastGroupSync(null);
-    await this.setLastUserSync(null);
-    if (hashToo) {
-      await this.setLastSyncHash(null);
-    }
-  }
-
-  // ===================================================================
-  // Environment URLs (inherited from base, simplified implementation)
-  // ===================================================================
-
-  async getEnvironmentUrls(options?: StorageOptions): Promise<EnvironmentUrls> {
-    return await this.storageService.get<EnvironmentUrls>("environmentUrls");
-  }
-
-  async setEnvironmentUrls(value: EnvironmentUrls): Promise<void> {
-    await this.storageService.save("environmentUrls", value);
-  }
-
-  // ===================================================================
-  // Additional State Methods
-  // ===================================================================
-
-  async getLocale(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>("locale");
-  }
-
-  async setLocale(value: string, options?: StorageOptions): Promise<void> {
-    await this.storageService.save("locale", value);
-  }
-
-  async getInstalledVersion(options?: StorageOptions): Promise<string> {
-    return await this.storageService.get<string>("installedVersion");
-  }
-
-  async setInstalledVersion(value: string, options?: StorageOptions): Promise<void> {
-    await this.storageService.save("installedVersion", value);
-  }
-}

src/services/state.service.ts

@@ -16,13 +16,32 @@ import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
 import { LdapConfiguration } from "@/src/models/ldapConfiguration";
 import { OktaConfiguration } from "@/src/models/oktaConfiguration";
 import { OneLoginConfiguration } from "@/src/models/oneLoginConfiguration";
-import {
-  SecureStorageKeysLegacy as SecureStorageKeys,
-  StoredSecurely,
-  TempKeys as keys,
-} from "@/src/models/state.model";
 import { SyncConfiguration } from "@/src/models/syncConfiguration";
 
+const SecureStorageKeys = {
+  ldap: "ldapPassword",
+  gsuite: "gsuitePrivateKey",
+  // Azure Active Directory was renamed to Entra ID, but we've kept the old property name
+  // to be backwards compatible with existing configurations.
+  azure: "azureKey",
+  entra: "entraKey",
+  okta: "oktaToken",
+  oneLogin: "oneLoginClientSecret",
+  userDelta: "userDeltaToken",
+  groupDelta: "groupDeltaToken",
+  lastUserSync: "lastUserSync",
+  lastGroupSync: "lastGroupSync",
+  lastSyncHash: "lastSyncHash",
+};
+
+const keys = {
+  tempAccountSettings: "tempAccountSettings",
+  tempDirectoryConfigs: "tempDirectoryConfigs",
+  tempDirectorySettings: "tempDirectorySettings",
+};
+
+const StoredSecurely = "[STORED SECURELY]";
+
 export class StateService
   extends BaseStateService<GlobalState, Account>
   implements StateServiceAbstraction

src/services/stateMigration.service.ts

@@ -8,14 +8,48 @@ import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
 import { LdapConfiguration } from "@/src/models/ldapConfiguration";
 import { OktaConfiguration } from "@/src/models/oktaConfiguration";
 import { OneLoginConfiguration } from "@/src/models/oneLoginConfiguration";
-import {
-  MigrationClientKeys as ClientKeys,
-  MigrationKeys as Keys,
-  MigrationStateKeys as StateKeys,
-  SecureStorageKeysMigration as SecureStorageKeys,
-} from "@/src/models/state.model";
 import { SyncConfiguration } from "@/src/models/syncConfiguration";
 
+const SecureStorageKeys: { [key: string]: any } = {
+  ldap: "ldapPassword",
+  gsuite: "gsuitePrivateKey",
+  azure: "azureKey",
+  entra: "entraIdKey",
+  okta: "oktaToken",
+  oneLogin: "oneLoginClientSecret",
+  directoryConfigPrefix: "directoryConfig_",
+  sync: "syncConfig",
+  directoryType: "directoryType",
+  organizationId: "organizationId",
+};
+
+const Keys: { [key: string]: any } = {
+  entityId: "entityId",
+  directoryType: "directoryType",
+  organizationId: "organizationId",
+  lastUserSync: "lastUserSync",
+  lastGroupSync: "lastGroupSync",
+  lastSyncHash: "lastSyncHash",
+  syncingDir: "syncingDir",
+  syncConfig: "syncConfig",
+  userDelta: "userDeltaToken",
+  groupDelta: "groupDeltaToken",
+  tempDirectoryConfigs: "tempDirectoryConfigs",
+  tempDirectorySettings: "tempDirectorySettings",
+};
+
+const StateKeys = {
+  global: "global",
+  authenticatedAccounts: "authenticatedAccounts",
+};
+
+const ClientKeys: { [key: string]: any } = {
+  clientIdOld: "clientId",
+  clientId: "apikey_clientId",
+  clientSecretOld: "clientSecret",
+  clientSecret: "apikey_clientSecret",
+};
+
 export class StateMigrationService extends BaseStateMigrationService {
   async migrate(): Promise<void> {
     let currentStateVersion = await this.getCurrentStateVersion();
@@ -27,13 +61,6 @@ export class StateMigrationService extends BaseStateMigrationService {
           break;
         case StateVersion.Two:
           await this.migrateStateFrom2To3();
-          break;
-        case StateVersion.Three:
-          await this.migrateStateFrom3To4();
-          break;
-        case StateVersion.Four:
-          await this.migrateStateFrom4To5();
-          break;
       }
       currentStateVersion += 1;
     }
@@ -171,124 +198,4 @@ export class StateMigrationService extends BaseStateMigrationService {
     globals.stateVersion = StateVersion.Three;
     await this.set(StateKeys.global, globals);
   }
-
-  /**
-   * Migrate from State v4 (Account-based hierarchy) to v5 (flat key-value structure)
-   *
-   * This is a clean break from the Account-based structure. Data is extracted from
-   * the account and saved into flat keys for simpler access.
-   *
-   * Old structure: authenticatedAccounts -> userId -> account.directorySettings/directoryConfigurations
-   * New structure: flat keys like "directoryType", "organizationId", "directory_ldap", etc.
-   *
-   * Secrets migrate from: {userId}_{secretKey} -> secret_{secretKey}
-   */
-  protected async migrateStateFrom4To5(useSecureStorageForSecrets = true): Promise<void> {
-    // Get the authenticated user IDs from v3 structure
-    const authenticatedUserIds = await this.get<string[]>(StateKeys.authenticatedAccounts);
-
-    if (
-      !authenticatedUserIds ||
-      !Array.isArray(authenticatedUserIds) ||
-      authenticatedUserIds.length === 0
-    ) {
-      // No accounts to migrate, just update version
-      const globals = await this.getGlobals();
-      globals.stateVersion = StateVersion.Five;
-      await this.set(StateKeys.global, globals);
-      return;
-    }
-
-    // DC is single-user, so we take the first (and likely only) account
-    const userId = authenticatedUserIds[0];
-    const account = await this.get<Account>(userId);
-
-    if (!account) {
-      // No account data found, just update version
-      const globals = await this.getGlobals();
-      globals.stateVersion = StateVersion.Five;
-      await this.set(StateKeys.global, globals);
-      return;
-    }
-
-    // Migrate directory configurations to flat structure
-    if (account.directoryConfigurations) {
-      if (account.directoryConfigurations.ldap) {
-        await this.set("directory_ldap", account.directoryConfigurations.ldap);
-      }
-      if (account.directoryConfigurations.gsuite) {
-        await this.set("directory_gsuite", account.directoryConfigurations.gsuite);
-      }
-      if (account.directoryConfigurations.entra) {
-        await this.set("directory_entra", account.directoryConfigurations.entra);
-      } else if (account.directoryConfigurations.azure) {
-        // Backwards compatibility: migrate azure to entra
-        await this.set("directory_entra", account.directoryConfigurations.azure);
-      }
-      if (account.directoryConfigurations.okta) {
-        await this.set("directory_okta", account.directoryConfigurations.okta);
-      }
-      if (account.directoryConfigurations.oneLogin) {
-        await this.set("directory_onelogin", account.directoryConfigurations.oneLogin);
-      }
-    }
-
-    // Migrate directory settings to flat structure
-    if (account.directorySettings) {
-      if (account.directorySettings.organizationId) {
-        await this.set("organizationId", account.directorySettings.organizationId);
-      }
-      if (account.directorySettings.directoryType != null) {
-        await this.set("directoryType", account.directorySettings.directoryType);
-      }
-      if (account.directorySettings.sync) {
-        await this.set("sync", account.directorySettings.sync);
-      }
-      if (account.directorySettings.lastUserSync) {
-        await this.set("lastUserSync", account.directorySettings.lastUserSync);
-      }
-      if (account.directorySettings.lastGroupSync) {
-        await this.set("lastGroupSync", account.directorySettings.lastGroupSync);
-      }
-      if (account.directorySettings.lastSyncHash) {
-        await this.set("lastSyncHash", account.directorySettings.lastSyncHash);
-      }
-      if (account.directorySettings.userDelta) {
-        await this.set("userDelta", account.directorySettings.userDelta);
-      }
-      if (account.directorySettings.groupDelta) {
-        await this.set("groupDelta", account.directorySettings.groupDelta);
-      }
-      if (account.directorySettings.syncingDir != null) {
-        await this.set("syncingDir", account.directorySettings.syncingDir);
-      }
-    }
-
-    // Migrate secrets from {userId}_* to secret_* pattern
-    if (useSecureStorageForSecrets) {
-      const oldSecretKeys = [
-        { old: `${userId}_${SecureStorageKeys.ldap}`, new: "secret_ldap" },
-        { old: `${userId}_${SecureStorageKeys.gsuite}`, new: "secret_gsuite" },
-        { old: `${userId}_${SecureStorageKeys.azure}`, new: "secret_azure" },
-        { old: `${userId}_${SecureStorageKeys.entra}`, new: "secret_entra" },
-        { old: `${userId}_${SecureStorageKeys.okta}`, new: "secret_okta" },
-        { old: `${userId}_${SecureStorageKeys.oneLogin}`, new: "secret_onelogin" },
-      ];
-
-      for (const { old: oldKey, new: newKey } of oldSecretKeys) {
-        if (await this.secureStorageService.has(oldKey)) {
-          const value = await this.secureStorageService.get(oldKey);
-          if (value) {
-            await this.secureStorageService.save(newKey, value);
-          }
-          // @TODO Keep old key for now - will remove in future release
-          // await this.secureStorageService.remove(oldKey);
-        }
-      }
-    }
-
-    const globals = await this.getGlobals();
-    globals.stateVersion = StateVersion.Five;
-    await this.set(StateKeys.global, globals);
-  }
 }

src/services/sync.service.integration.spec.ts

@@ -14,7 +14,7 @@ import { DirectoryType } from "../enums/directoryType";
 import { BatchRequestBuilder } from "./batch-request-builder";
 import { LdapDirectoryService } from "./directory-services/ldap-directory.service";
 import { SingleRequestBuilder } from "./single-request-builder";
-import { StateService } from "./state-service/state.service";
+import { StateService } from "./state.service";
 import { SyncService } from "./sync.service";
 import * as constants from "./sync.service";
 

src/services/sync.service.spec.ts

@@ -6,6 +6,8 @@ import { MessagingService } from "@/jslib/common/src/abstractions/messaging.serv
 import { OrganizationImportRequest } from "@/jslib/common/src/models/request/organizationImportRequest";
 import { ApiService } from "@/jslib/common/src/services/api.service";
 
+import { GroupEntry } from "@/src/models/groupEntry";
+
 import { getSyncConfiguration } from "../../utils/openldap/config-fixtures";
 import { DirectoryFactoryService } from "../abstractions/directory-factory.service";
 import { DirectoryType } from "../enums/directoryType";
@@ -14,7 +16,7 @@ import { BatchRequestBuilder } from "./batch-request-builder";
 import { LdapDirectoryService } from "./directory-services/ldap-directory.service";
 import { I18nService } from "./i18n.service";
 import { SingleRequestBuilder } from "./single-request-builder";
-import { StateService } from "./state-service/state.service";
+import { StateService } from "./state.service";
 import { SyncService } from "./sync.service";
 import * as constants from "./sync.service";
 
@@ -134,4 +136,198 @@ describe("SyncService", () => {
 
     expect(apiService.postPublicImportDirectory).not.toHaveBeenCalled();
   });
+
+  describe("nested and circular group handling", () => {
+    function createGroup(
+      name: string,
+      userExternalIds: string[] = [],
+      groupMemberReferenceIds: string[] = [],
+    ) {
+      return GroupEntry.fromJSON({
+        name,
+        referenceId: name,
+        externalId: name,
+        userMemberExternalIds: userExternalIds,
+        groupMemberReferenceIds: groupMemberReferenceIds,
+        users: [],
+      });
+    }
+
+    it("should handle simple circular reference (A ↔ B) without stack overflow", async () => {
+      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
+      const groupB = createGroup("GroupB", ["userB"], ["GroupA"]);
+      const circularGroups = [groupA, groupB];
+
+      const mockDirectoryService = mock<LdapDirectoryService>();
+      mockDirectoryService.getEntries.mockResolvedValue([circularGroups, []]);
+      directoryFactory.createService.mockReturnValue(mockDirectoryService);
+
+      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
+      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
+      stateService.getLastSyncHash.mockResolvedValue("unique hash");
+      singleRequestBuilder.buildRequest.mockReturnValue([
+        { members: [], groups: [], overwriteExisting: true, largeImport: false },
+      ]);
+
+      const [groups] = await syncService.sync(true, true);
+
+      // Both groups should have both users after flattening
+      expect(groups[0].userMemberExternalIds).toContain("userA");
+      expect(groups[0].userMemberExternalIds).toContain("userB");
+      expect(groups[1].userMemberExternalIds).toContain("userA");
+      expect(groups[1].userMemberExternalIds).toContain("userB");
+    });
+
+    it("should handle longer circular chain (A → B → C → A) without stack overflow", async () => {
+      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
+      const groupB = createGroup("GroupB", ["userB"], ["GroupC"]);
+      const groupC = createGroup("GroupC", ["userC"], ["GroupA"]);
+      const circularGroups = [groupA, groupB, groupC];
+
+      const mockDirectoryService = mock<LdapDirectoryService>();
+      mockDirectoryService.getEntries.mockResolvedValue([circularGroups, []]);
+      directoryFactory.createService.mockReturnValue(mockDirectoryService);
+
+      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
+      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
+      stateService.getLastSyncHash.mockResolvedValue("unique hash");
+      singleRequestBuilder.buildRequest.mockReturnValue([
+        { members: [], groups: [], overwriteExisting: true, largeImport: false },
+      ]);
+
+      const [groups] = await syncService.sync(true, true);
+
+      // All groups should have all users after flattening
+      for (const group of groups) {
+        expect(group.userMemberExternalIds).toContain("userA");
+        expect(group.userMemberExternalIds).toContain("userB");
+        expect(group.userMemberExternalIds).toContain("userC");
+      }
+    });
+
+    it("should handle diamond structure (A → [B, C] → D)", async () => {
+      const groupA = createGroup("GroupA", ["userA"], ["GroupB", "GroupC"]);
+      const groupB = createGroup("GroupB", ["userB"], ["GroupD"]);
+      const groupC = createGroup("GroupC", ["userC"], ["GroupD"]);
+      const groupD = createGroup("GroupD", ["userD"], []);
+      const diamondGroups = [groupA, groupB, groupC, groupD];
+
+      const mockDirectoryService = mock<LdapDirectoryService>();
+      mockDirectoryService.getEntries.mockResolvedValue([diamondGroups, []]);
+      directoryFactory.createService.mockReturnValue(mockDirectoryService);
+
+      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
+      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
+      stateService.getLastSyncHash.mockResolvedValue("unique hash");
+      singleRequestBuilder.buildRequest.mockReturnValue([
+        { members: [], groups: [], overwriteExisting: true, largeImport: false },
+      ]);
+
+      const [groups] = await syncService.sync(true, true);
+
+      const [a, b, c, d] = groups;
+
+      // A should have all users (through B and C, both containing D)
+      expect(a.userMemberExternalIds).toContain("userA");
+      expect(a.userMemberExternalIds).toContain("userB");
+      expect(a.userMemberExternalIds).toContain("userC");
+      expect(a.userMemberExternalIds).toContain("userD");
+
+      // B should have its own user plus D's user
+      expect(b.userMemberExternalIds).toContain("userB");
+      expect(b.userMemberExternalIds).toContain("userD");
+
+      // C should have its own user plus D's user
+      expect(c.userMemberExternalIds).toContain("userC");
+      expect(c.userMemberExternalIds).toContain("userD");
+
+      // D should only have its own user
+      expect(d.userMemberExternalIds).toContain("userD");
+      expect(d.userMemberExternalIds.size).toBe(1);
+    });
+
+    it("should handle deep nesting with circular reference at leaf", async () => {
+      // Structure: A → B → C → D → B (cycle back to B)
+      const groupA = createGroup("GroupA", ["userA"], ["GroupB"]);
+      const groupB = createGroup("GroupB", ["userB"], ["GroupC"]);
+      const groupC = createGroup("GroupC", ["userC"], ["GroupD"]);
+      const groupD = createGroup("GroupD", ["userD"], ["GroupB"]); // cycles back to B
+      const deepGroups = [groupA, groupB, groupC, groupD];
+
+      const mockDirectoryService = mock<LdapDirectoryService>();
+      mockDirectoryService.getEntries.mockResolvedValue([deepGroups, []]);
+      directoryFactory.createService.mockReturnValue(mockDirectoryService);
+
+      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
+      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
+      stateService.getLastSyncHash.mockResolvedValue("unique hash");
+      singleRequestBuilder.buildRequest.mockReturnValue([
+        { members: [], groups: [], overwriteExisting: true, largeImport: false },
+      ]);
+
+      const [groups] = await syncService.sync(true, true);
+
+      const [a, b, c, d] = groups;
+
+      // A should have all users
+      expect(a.userMemberExternalIds.size).toBe(4);
+
+      // B, C, D form a cycle, so they should all have each other's users
+      expect(b.userMemberExternalIds).toContain("userB");
+      expect(b.userMemberExternalIds).toContain("userC");
+      expect(b.userMemberExternalIds).toContain("userD");
+
+      expect(c.userMemberExternalIds).toContain("userB");
+      expect(c.userMemberExternalIds).toContain("userC");
+      expect(c.userMemberExternalIds).toContain("userD");
+
+      expect(d.userMemberExternalIds).toContain("userB");
+      expect(d.userMemberExternalIds).toContain("userC");
+      expect(d.userMemberExternalIds).toContain("userD");
+    });
+
+    it("should handle complex structure with multiple cycles and shared members", async () => {
+      // Structure:
+      // A → [B, C]
+      // B → [D, E]
+      // C → [E, F]
+      // D → A (cycle)
+      // E → C (cycle)
+      // F → (leaf)
+      const groupA = createGroup("GroupA", ["userA"], ["GroupB", "GroupC"]);
+      const groupB = createGroup("GroupB", ["userB"], ["GroupD", "GroupE"]);
+      const groupC = createGroup("GroupC", ["userC"], ["GroupE", "GroupF"]);
+      const groupD = createGroup("GroupD", ["userD"], ["GroupA"]); // cycle to A
+      const groupE = createGroup("GroupE", ["userE"], ["GroupC"]); // cycle to C
+      const groupF = createGroup("GroupF", ["userF"], []);
+      const complexGroups = [groupA, groupB, groupC, groupD, groupE, groupF];
+
+      const mockDirectoryService = mock<LdapDirectoryService>();
+      mockDirectoryService.getEntries.mockResolvedValue([complexGroups, []]);
+      directoryFactory.createService.mockReturnValue(mockDirectoryService);
+
+      stateService.getSync.mockResolvedValue(getSyncConfiguration({ groups: true, users: true }));
+      cryptoFunctionService.hash.mockResolvedValue(new ArrayBuffer(1));
+      stateService.getLastSyncHash.mockResolvedValue("unique hash");
+      singleRequestBuilder.buildRequest.mockReturnValue([
+        { members: [], groups: [], overwriteExisting: true, largeImport: false },
+      ]);
+
+      // Should complete without stack overflow
+      const [groups] = await syncService.sync(true, true);
+
+      expect(groups).toHaveLength(6);
+
+      // Verify A gets users from its descendants
+      const a = groups.find((g) => g.name === "GroupA");
+      expect(a.userMemberExternalIds).toContain("userA");
+      expect(a.userMemberExternalIds).toContain("userB");
+      expect(a.userMemberExternalIds).toContain("userC");
+
+      // F should only have its own user (it's a leaf)
+      const f = groups.find((g) => g.name === "GroupF");
+      expect(f.userMemberExternalIds).toContain("userF");
+      expect(f.userMemberExternalIds.size).toBe(1);
+    });
+  });
 });

src/services/sync.service.ts

@@ -196,14 +196,27 @@ export class SyncService {
     return users == null ? null : users.filter((u) => u.email?.length <= 256);
   }
 
-  private flattenUsersToGroups(levelGroups: GroupEntry[], allGroups: GroupEntry[]): Set<string> {
+  private flattenUsersToGroups(
+    levelGroups: GroupEntry[],
+    allGroups: GroupEntry[],
+    visitedGroups?: Set<string>,
+  ): Set<string> {
     let allUsers = new Set<string>();
     if (allGroups == null) {
       return allUsers;
     }
+
     for (const group of levelGroups) {
+      const visited = visitedGroups ?? new Set<string>();
+
+      if (visited.has(group.referenceId)) {
+        continue;
+      }
+
+      visited.add(group.referenceId);
+
       const childGroups = allGroups.filter((g) => group.groupMemberReferenceIds.has(g.referenceId));
-      const childUsers = this.flattenUsersToGroups(childGroups, allGroups);
+      const childUsers = this.flattenUsersToGroups(childGroups, allGroups, visited);
       childUsers.forEach((id) => group.userMemberExternalIds.add(id));
       allUsers = new Set([...allUsers, ...group.userMemberExternalIds]);
     }

utils/openldap/example-ldifs/directory-circular-groups.ldif

@@ -0,0 +1,308 @@
+version: 1
+
+dn: dc=bitwarden,dc=com
+dc: bitwarden
+objectClass: dcObject
+objectClass: organization
+o: Bitwarden
+
+# Organizational Units
+dn: ou=Human Resources,dc=bitwarden,dc=com
+changetype: add
+ou: Human Resources
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=Engineering,dc=bitwarden,dc=com
+changetype: add
+ou: Engineering
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=Marketing,dc=bitwarden,dc=com
+changetype: add
+ou: Marketing
+objectClass: top
+objectClass: organizationalUnit
+
+# Users - Human Resources
+dn: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Roland Dyke
+sn: Dyke
+description: This is Roland Dyke's description
+facsimileTelephoneNumber: +1 804 674-5794
+l: San Francisco
+ou: Human Resources
+postalAddress: Human Resources$San Francisco
+telephoneNumber: +1 804 831-5121
+title: Supreme Human Resources Writer
+userPassword: Password1
+uid: DykeR
+givenName: Roland
+mail: DykeR@220af87272f04218bb8dd81d50fb19f5.bitwarden.com
+carLicense: 4CMGOJ
+departmentNumber: 2838
+employeeType: Contract
+homePhone: +1 804 936-4965
+initials: R. D.
+mobile: +1 804 592-3734
+pager: +1 804 285-2962
+roomNumber: 9890
+
+dn: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Teirtza Kara
+sn: Kara
+description: This is Teirtza Kara's description
+facsimileTelephoneNumber: +1 206 759-2040
+l: San Francisco
+ou: Human Resources
+postalAddress: Human Resources$San Francisco
+telephoneNumber: +1 206 562-1407
+title: Junior Human Resources President
+userPassword: Password1
+uid: KaraT
+givenName: Teirtza
+mail: KaraT@c2afe8b3509f4a20b2b784841685bd74.bitwarden.com
+carLicense: O9GAN2
+departmentNumber: 3880
+employeeType: Employee
+homePhone: +1 206 154-4842
+initials: T. K.
+mobile: +1 206 860-1835
+pager: +1 206 684-1438
+roomNumber: 9079
+
+# Users - Engineering
+dn: cn=Alice Chen,ou=Engineering,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Alice Chen
+sn: Chen
+description: Senior DevOps Engineer
+l: Seattle
+ou: Engineering
+telephoneNumber: +1 206 555-0101
+title: Senior DevOps Engineer
+userPassword: Password1
+uid: ChenA
+givenName: Alice
+mail: ChenA@bitwarden.com
+employeeType: Employee
+
+dn: cn=Bob Martinez,ou=Engineering,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Bob Martinez
+sn: Martinez
+description: Platform Engineer
+l: Austin
+ou: Engineering
+telephoneNumber: +1 512 555-0102
+title: Platform Engineer
+userPassword: Password1
+uid: MartinezB
+givenName: Bob
+mail: MartinezB@bitwarden.com
+employeeType: Employee
+
+dn: cn=Carol Williams,ou=Engineering,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Carol Williams
+sn: Williams
+description: QA Lead
+l: Denver
+ou: Engineering
+telephoneNumber: +1 303 555-0103
+title: QA Lead
+userPassword: Password1
+uid: WilliamsC
+givenName: Carol
+mail: WilliamsC@bitwarden.com
+employeeType: Employee
+
+dn: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: David Kim
+sn: Kim
+description: QA Engineer
+l: Portland
+ou: Engineering
+telephoneNumber: +1 503 555-0104
+title: QA Engineer
+userPassword: Password1
+uid: KimD
+givenName: David
+mail: KimD@bitwarden.com
+employeeType: Contractor
+
+# Users - Marketing
+dn: cn=Eva Johnson,ou=Marketing,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Eva Johnson
+sn: Johnson
+description: Marketing Director
+l: New York
+ou: Marketing
+telephoneNumber: +1 212 555-0105
+title: Marketing Director
+userPassword: Password1
+uid: JohnsonE
+givenName: Eva
+mail: JohnsonE@bitwarden.com
+employeeType: Employee
+
+dn: cn=Frank Lee,ou=Marketing,dc=bitwarden,dc=com
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Frank Lee
+sn: Lee
+description: Content Strategist
+l: Chicago
+ou: Marketing
+telephoneNumber: +1 312 555-0106
+title: Content Strategist
+userPassword: Password1
+uid: LeeF
+givenName: Frank
+mail: LeeF@bitwarden.com
+employeeType: Employee
+
+# ============================================================
+# GROUP HIERARCHY
+# ============================================================
+# Structure (arrows show "contains" relationship):
+#
+#   AllStaff
+#     ├── Engineering ◄────────────────┐ (CYCLE from Platform)
+#     │     ├── DevOps                 │
+#     │     │     └── Platform ────────┘
+#     │     └── QA
+#     ├── Marketing
+#     └── HR
+#
+#   Contractors ─── DevOps (diamond: second path to Platform)
+#
+#   TestNestA ◄──► TestNestB (simple bidirectional cycle)
+#
+# ============================================================
+
+# Leaf group - Platform team (CYCLES BACK to Engineering)
+dn: cn=Platform,dc=bitwarden,dc=com
+changetype: add
+cn: Platform
+member: cn=Bob Martinez,ou=Engineering,dc=bitwarden,dc=com
+member: cn=Engineering,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# DevOps group - contains Platform subgroup
+dn: cn=DevOps,dc=bitwarden,dc=com
+changetype: add
+cn: DevOps
+member: cn=Alice Chen,ou=Engineering,dc=bitwarden,dc=com
+member: cn=Platform,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# QA group
+dn: cn=QA,dc=bitwarden,dc=com
+changetype: add
+cn: QA
+member: cn=Carol Williams,ou=Engineering,dc=bitwarden,dc=com
+member: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# Engineering group - contains DevOps and QA subgroups
+dn: cn=Engineering,dc=bitwarden,dc=com
+changetype: add
+cn: Engineering
+member: cn=DevOps,dc=bitwarden,dc=com
+member: cn=QA,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# Marketing group
+dn: cn=Marketing,dc=bitwarden,dc=com
+changetype: add
+cn: Marketing
+member: cn=Eva Johnson,ou=Marketing,dc=bitwarden,dc=com
+member: cn=Frank Lee,ou=Marketing,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# HR group
+dn: cn=HR,dc=bitwarden,dc=com
+changetype: add
+cn: HR
+member: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
+member: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# AllStaff - top-level group containing all departments
+dn: cn=AllStaff,dc=bitwarden,dc=com
+changetype: add
+cn: AllStaff
+member: cn=Engineering,dc=bitwarden,dc=com
+member: cn=Marketing,dc=bitwarden,dc=com
+member: cn=HR,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# Contractors group - creates diamond pattern (second path to Platform via DevOps)
+dn: cn=Contractors,dc=bitwarden,dc=com
+changetype: add
+cn: Contractors
+member: cn=DevOps,dc=bitwarden,dc=com
+member: cn=David Kim,ou=Engineering,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+# Simple bidirectional cycle test groups (preserved from original)
+dn: cn=TestNestA,dc=bitwarden,dc=com
+changetype: add
+cn: TestNestA
+member: cn=TestNestB,dc=bitwarden,dc=com
+member: cn=Roland Dyke,ou=Human Resources,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top
+
+dn: cn=TestNestB,dc=bitwarden,dc=com
+changetype: add
+cn: TestNestB
+member: cn=TestNestA,dc=bitwarden,dc=com
+member: cn=Teirtza Kara,ou=Human Resources,dc=bitwarden,dc=com
+objectclass: groupOfNames
+objectclass: top