
[AC-1070] Enforce master password policy on login/unlock (#2410)

* [AC-1070] Add EnforceOnLogin property to MasterPasswordPolicyOptions

* [AC-1070] Add MasterPasswordPolicy property to Identity responses

* [AC-1070] Add policy service dependency to auth service

* [AC-1070] Introduce logic to evaluate master password after successful login

* [AC-1070] Add optional ForcePasswordResetReason to profile / state service

* [AC-1070] Save ForcePasswordResetReason to state when a weak master password is found during login

- Additionally, save the AdminForcePasswordReset reason if the identity result indicates an admin password reset is in effect.

* [AC-1070] Check for a saved ForcePasswordReset reason on TabsPage load and, if one is present, force-show the update password page

* [AC-1070] Make InitAsync virtual

Allow the UpdateTempPasswordPage to override the InitAsync method to check for a reset password reason in the state service

* [AC-1070] Modify UpdateTempPassword page appearance

- Load the force password reset reason from the state service
- Make warning text dynamic based on force password reason
- Conditionally show the Current master password field if updating a weak master password

* [AC-1070] Add update password method to Api service

* [AC-1070] Introduce logic to update both temp and regular passwords

- Check the Reason to use the appropriate request/endpoint when submitting.
- Verify the users current password locally using the user verification service.

* [AC-1070] Introduce VerifyMasterPasswordResponse

* [AC-1070] Add logic to evaluate master password on unlock

* [AC-1070] Add support 2FA login flow

Keep track of the reset password reason after a password login requires 2FA. During 2FA submission, check if there is a saved reason, and if so, force the user to update their password.

* [AC-1070] Formatting

* [AC-1070] Remove string key from service resolution

* [AC-1070] Change master password options to method variable to avoid class field

Add null check for password strength result and log an error as this is an unexpected flow

* [AC-1070] Remove usage of i18nService

* [AC-1070] Use AsyncCommand for SubmitCommand

* [AC-1070] Remove type from ShowToast call

* [AC-1070] Simplify UpdatePassword methods to accept string for the new encryption key

* [AC-1070] Use full text for key for the CurrentMasterPassword resource

* [AC-1070] Convert Reason to a private class field

* [AC-1070] Formatting changes

* [AC-1070] Simplify if statements in master password options policy service method

* [AC-1070] Use the saved force password reset reason after 2FA login

* [AC-1070] Use constant for ForceUpdatePassword message command

* [AC-1070] Move shared RequirePasswordChangeOnLogin method into PolicyService

* Revert "[AC-1070] Move shared RequirePasswordChangeOnLogin method into PolicyService"

This reverts commit e4feac130f.

* [AC-1070] Add check for null password strength response

* [AC-1070] Fix broken show password icon

* [AC-1070] Add show password icon for current master password
Shane Melton
2023-04-17 07:35:50 -07:00
committed by GitHub
parent a72f267558
commit b108b4e71d
23 changed files with 379 additions and 33 deletions


@@ -52,6 +52,7 @@ namespace Bit.Core.Models.Domain
EmailVerified = copy.EmailVerified;
HasPremiumPersonally = copy.HasPremiumPersonally;
AvatarColor = copy.AvatarColor;
ForcePasswordResetReason = copy.ForcePasswordResetReason;
}
public string UserId;
@@ -66,6 +67,7 @@ namespace Bit.Core.Models.Domain
public int? KdfParallelism;
public bool? EmailVerified;
public bool? HasPremiumPersonally;
public ForcePasswordResetReason? ForcePasswordResetReason;
}
public class AccountTokens
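Review bot: The new `public ForcePasswordResetReason? ForcePasswordResetReason;` field in the second hunk has no comment saying when it is set or cleared, yet it is the value that decides whether the update-password page is forced on the next TabsPage load. A doc comment above it such as `/// Pending master-password reset, set at login or unlock; null when no change is required.` would make that contract visible to the next reader. The copy constructor in the first hunk and the enclosing class both begin outside the hunk. Where the field is reset after a successful password update is not visible here and is worth confirming, since a value that is never cleared would re-prompt the user on every launch.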


@@ -0,0 +1,16 @@
namespace Bit.Core.Models.Domain
{
public enum ForcePasswordResetReason
{
/// <summary>
/// Occurs when an organization admin forces a user to reset their password.
/// </summary>
AdminForcePasswordReset,
/// <summary>
/// Occurs when a user logs in with a master password that does not meet an organization's master password
/// policy that is enforced on login.
/// </summary>
WeakMasterPasswordOnLogin
}
}
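Review bot: The enum members have implicit values even though the commit description says the reason is persisted through the state service, so inserting or reordering a member later would silently remap a stored reason — an admin-forced reset could be read back as a weak-password reset, which changes which fields the update page shows. Pin the values explicitly, `AdminForcePasswordReset = 0,` and `WeakMasterPasswordOnLogin = 1`, or serialize the enum by name; which of the two matters depends on how the state service serializes enums, which is not visible here.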


@@ -8,6 +8,7 @@
public bool RequireLower { get; set; }
public bool RequireNumbers { get; set; }
public bool RequireSpecial { get; set; }
public bool EnforceOnLogin { get; set; }
public bool InEffect()
{
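Review bot: `EnforceOnLogin` sits next to the character-requirement options but changes when the policy is applied rather than what it requires, and nothing on the property documents that difference. A summary like `/// When true, the policy is also evaluated at login and unlock; a master password that fails it forces a password change.` would keep the two kinds of option apart. `InEffect()` starts on the last line of the hunk and continues outside it, so whether it should treat `EnforceOnLogin` on its own as making the policy in effect cannot be judged here; presumably it should not, since the flag means nothing without at least one requirement set.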


@@ -0,0 +1,10 @@
namespace Bit.Core.Models.Request
{
public class PasswordRequest
{
public string MasterPasswordHash { get; set; }
public string NewMasterPasswordHash { get; set; }
public string MasterPasswordHint { get; set; }
public string Key { get; set; }
}
}
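Review bot: `PasswordRequest` carries two password-derived values and a key with no indication of which representation each property holds, so a future caller could put a raw password, or the local-only verification hash, into `MasterPasswordHash`. Add a class summary stating that `MasterPasswordHash` and `NewMasterPasswordHash` are the hashes sent to the server for authentication, never the cleartext password, and that `Key` is the user's encryption key re-encrypted under the new master key; the commit description says the request is built after local verification, but the exact hash variant is not visible here, so confirm against the caller before wording it. Marking the class `sealed` would also match a plain request DTO.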


@@ -1,4 +1,6 @@
using Bit.Core.Enums;
using System.Collections.Generic;
using Bit.Core.Enums;
using Bit.Core.Models.Domain;
using Newtonsoft.Json;
namespace Bit.Core.Models.Response
@@ -24,6 +26,7 @@ namespace Bit.Core.Models.Response
public int? KdfParallelism { get; set; }
public bool ForcePasswordReset { get; set; }
public string KeyConnectorUrl { get; set; }
public MasterPasswordPolicyOptions MasterPasswordPolicy { get; set; }
[JsonIgnore]
public KdfConfig KdfConfig => new KdfConfig(Kdf, KdfIterations, KdfMemory, KdfParallelism);
}
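Review bot: `MasterPasswordPolicy`, added after `KeyConnectorUrl` in the second hunk, is a reference-typed property that will deserialize to null whenever the server omits it (presumably for users with no enforced policy), but nothing on the type says so and the login code that now reads it must null-check before calling `InEffect()`. Document it with `/// Master password policy to evaluate after login; null when the user is not subject to one.`; the same applies to the identical property added to `IdentityTwoFactorResponse` and `VerifyMasterPasswordResponse` in the later sections. The reordering of the using directives in the first hunk looks fine (`System` first), assuming `System.Collections.Generic` is actually used in this file, which is not visible here.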


@@ -1,5 +1,6 @@
using System.Collections.Generic;
using Bit.Core.Enums;
using Bit.Core.Models.Domain;
using Newtonsoft.Json;
namespace Bit.Core.Models.Response
@@ -8,6 +9,7 @@ namespace Bit.Core.Models.Response
{
public List<TwoFactorProviderType> TwoFactorProviders { get; set; }
public Dictionary<TwoFactorProviderType, Dictionary<string, object>> TwoFactorProviders2 { get; set; }
public MasterPasswordPolicyOptions MasterPasswordPolicy { get; set; }
[JsonProperty("CaptchaBypassToken")]
public string CaptchaToken { get; set; }
}


@@ -0,0 +1,9 @@
using Bit.Core.Models.Domain;
namespace Bit.Core.Models.Response
{
public class VerifyMasterPasswordResponse
{
public MasterPasswordPolicyOptions MasterPasswordPolicy { get; set; }
}
}