Wrap connector calls in try to handle offline key connector

.github/workflows/version-bump.yml

@@ -27,13 +27,13 @@ jobs:
           ref: version_bump_${{ github.event.inputs.version_number }}
 
       - name: Bump Version - package.json
-        uses: bitwarden/gh-actions/version-bump@03ad9a873c39cdc95dd8d77dbbda67f84db43945
+        uses: bitwarden/gh-actions/version-bump@0c263b3963211ccaf5804313c3b3a0bcc52d4b19
         with:
           version: ${{ github.event.inputs.version_number }}
           file_path: "./package.json"
 
       - name: Bump Version - package-lock.json
-        uses: bitwarden/gh-actions/version-bump@03ad9a873c39cdc95dd8d77dbbda67f84db43945
+        uses: bitwarden/gh-actions/version-bump@0c263b3963211ccaf5804313c3b3a0bcc52d4b19
         with:
           version: ${{ github.event.inputs.version_number }}
           file_path: "./package-lock.json"

.prettierignore

@@ -7,6 +7,7 @@ jslib
 # External libraries / auto synced locales
 src/locales
 src/404/*.min.css
+src/scripts/u2f.js
 
 # Github Workflows
-.github/workflows
+.github/workflows

bitwarden_license/src/app/organizations/manage/sso.component.html

@@ -67,7 +67,7 @@
           target="_blank"
           rel="noopener"
           appA11yTitle="{{ 'learnMore' | i18n }}"
-          href="https://bitwarden.com/help/about-key-connector/"
+          href="https://bitwarden.com/help/article/about-key-connector/"
         >
           <i class="fa fa-question-circle-o" aria-hidden="true"></i>
         </a>

bitwarden_license/src/app/providers/manage/user-add-edit.component.html

@@ -52,7 +52,7 @@
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
-            href="https://bitwarden.com/help/user-types-access-control/#user-types"
+            href="https://bitwarden.com/help/article/user-types-access-control/#user-types"
           >
             <i class="fa fa-question-circle-o" aria-hidden="true"></i>
           </a>

package-lock.json

@@ -1,11 +1,11 @@
 {
-  "name": "@bitwarden/web-vault",
+  "name": "bitwarden-web",
   "version": "2.25.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
-      "name": "@bitwarden/web-vault",
+      "name": "bitwarden-web",
       "version": "2.25.1",
       "hasInstallScript": true,
       "license": "GPL-3.0",

package.json

@@ -1,5 +1,5 @@
 {
-  "name": "@bitwarden/web-vault",
+  "name": "bitwarden-web",
   "version": "2.25.1",
   "license": "GPL-3.0",
   "repository": "https://github.com/bitwarden/web",

src/app/accounts/recover-two-factor.component.html

@@ -7,7 +7,7 @@
           <p>
             {{ "recoverAccountTwoStepDesc" | i18n }}
             <a
-              href="https://bitwarden.com/help/lost-two-step-device/"
+              href="https://help.bitwarden.com/article/lost-two-step-device/"
               target="_blank"
               rel="noopener"
               >{{ "learnMore" | i18n }}</a

src/app/app.component.ts

@@ -153,7 +153,7 @@ export class AppComponent implements OnDestroy, OnInit {
             );
             if (emailVerificationConfirmed) {
               this.platformUtilsService.launchUri(
-                "https://bitwarden.com/help/create-bitwarden-account/"
+                "https://bitwarden.com/help/article/create-bitwarden-account/"
               );
             }
             break;
@@ -164,6 +164,7 @@ export class AppComponent implements OnDestroy, OnInit {
             this.setFullWidth();
             break;
           case "convertAccountToKeyConnector":
+            this.keyConnectorService.setConvertAccountRequired(true);
             this.router.navigate(["/remove-password"]);
             break;
           default:

src/app/organizations/manage/bulk/bulk-confirm.component.html

@@ -29,7 +29,7 @@
           <p>
             {{ "fingerprintEnsureIntegrityVerify" | i18n }}
             <a
-              href="https://bitwarden.com/help/fingerprint-phrase/"
+              href="https://help.bitwarden.com/article/fingerprint-phrase/"
               target="_blank"
               rel="noopener"
             >

src/app/organizations/manage/group-add-edit.component.html

@@ -56,7 +56,7 @@
               target="_blank"
               rel="noopener"
               appA11yTitle="{{ 'learnMore' | i18n }}"
-              href="https://bitwarden.com/help/user-types-access-control/#access-control"
+              href="https://bitwarden.com/help/article/user-types-access-control/#access-control"
             >
               <i class="fa fa-question-circle-o" aria-hidden="true"></i>
             </a>

src/app/organizations/manage/user-add-edit.component.html

@@ -52,7 +52,7 @@
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
-            href="https://bitwarden.com/help/user-types-access-control/#user-types"
+            href="https://bitwarden.com/help/article/user-types-access-control/#user-types"
           >
             <i class="fa fa-question-circle-o" aria-hidden="true"></i>
           </a>
@@ -277,7 +277,7 @@
               target="_blank"
               rel="noopener"
               appA11yTitle="{{ 'learnMore' | i18n }}"
-              href="https://bitwarden.com/help/user-types-access-control/#access-control"
+              href="https://bitwarden.com/help/article/user-types-access-control/#access-control"
             >
               <i class="fa fa-question-circle-o" aria-hidden="true"></i>
             </a>

src/app/organizations/manage/user-confirm.component.html

@@ -19,7 +19,7 @@
         <p>
           {{ "fingerprintEnsureIntegrityVerify" | i18n }}
           <a
-            href="https://bitwarden.com/help/fingerprint-phrase/"
+            href="https://help.bitwarden.com/article/fingerprint-phrase/"
             target="_blank"
             rel="noopener"
           >

src/app/organizations/settings/download-license.component.html

@@ -13,7 +13,7 @@
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
-            href="https://bitwarden.com/help/licensing-on-premise/#organization-account-sharing"
+            href="https://help.bitwarden.com/article/licensing-on-premise/#organization-account-sharing"
           >
             <i class="fa fa-question-circle-o" aria-hidden="true"></i>
           </a>

src/app/send/access.component.html

@@ -9,7 +9,7 @@
     <div class="col-8" *ngIf="hideEmail">
       <app-callout type="warning" title="{{ 'warning' | i18n }}">
         {{ "viewSendHiddenEmailWarning" | i18n }}
-        <a href="https://bitwarden.com/help/receive-send/" target="_blank">{{
+        <a href="https://bitwarden.com/help/article/receive-send/" target="_blank">{{
           "learnMore" | i18n
         }}</a
         >.

src/app/services/services.module.ts

@@ -4,6 +4,7 @@ import { ToastrModule } from "ngx-toastr";
 import { BroadcasterMessagingService } from "../../services/broadcasterMessaging.service";
 import { HtmlStorageService } from "../../services/htmlStorage.service";
 import { I18nService } from "../../services/i18n.service";
+import { KeyConnectorService } from "../../services/keyConnector.service";
 import { MemoryStorageService } from "../../services/memoryStorage.service";
 import { PasswordRepromptService } from "../../services/passwordReprompt.service";
 import { StateService } from "../../services/state.service";
@@ -40,6 +41,7 @@ import { EventService as EventLoggingServiceAbstraction } from "jslib-common/abs
 import { FolderService as FolderServiceAbstraction } from "jslib-common/abstractions/folder.service";
 import { I18nService as I18nServiceAbstraction } from "jslib-common/abstractions/i18n.service";
 import { ImportService as ImportServiceAbstraction } from "jslib-common/abstractions/import.service";
+import { KeyConnectorService as KeyConnectorServiceAbstraction } from "jslib-common/abstractions/keyConnector.service";
 import { LogService } from "jslib-common/abstractions/log.service";
 import { MessagingService as MessagingServiceAbstraction } from "jslib-common/abstractions/messaging.service";
 import { NotificationsService as NotificationsServiceAbstraction } from "jslib-common/abstractions/notifications.service";
@@ -52,10 +54,6 @@ import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "jslib-com
 
 import { ThemeType } from "jslib-common/enums/themeType";
 
-import { AccountFactory } from "jslib-common/models/domain/account";
-
-import { Account } from "../../models/account";
-
 export function initFactory(
   window: Window,
   storageService: StorageServiceAbstraction,
@@ -182,19 +180,7 @@ export function initFactory(
     },
     {
       provide: StateServiceAbstraction,
-      useFactory: (
-        storageService: StorageServiceAbstraction,
-        secureStorageService: StorageServiceAbstraction,
-        logService: LogService,
-        stateMigrationService: StateMigrationServiceAbstraction
-      ) =>
-        new StateService(
-          storageService,
-          secureStorageService,
-          logService,
-          stateMigrationService,
-          new AccountFactory(Account)
-        ),
+      useClass: StateService,
       deps: [
         StorageServiceAbstraction,
         "SECURE_STORAGE",
@@ -206,6 +192,10 @@ export function initFactory(
       provide: PasswordRepromptServiceAbstraction,
       useClass: PasswordRepromptService,
     },
+    {
+      provide: KeyConnectorServiceAbstraction,
+      useClass: KeyConnectorService,
+    },
   ],
 })
 export class ServicesModule {}

src/app/settings/change-kdf.component.html

@@ -39,7 +39,7 @@
         <label for="kdfIterations">{{ "kdfIterations" | i18n }}</label>
         <a
           class="ml-auto"
-          href="https://bitwarden.com/help/what-encryption-is-used/#pbkdf2"
+          href="https://bitwarden.com/help/article/what-encryption-is-used/#pbkdf2"
           target="_blank"
           rel="noopener"
           appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/settings/change-password.component.html

@@ -74,7 +74,7 @@
         {{ "rotateAccountEncKey" | i18n }}
       </label>
       <a
-        href="https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
+        href="https://bitwarden.com/help/article/account-encryption-key/#rotate-your-encryption-key"
         target="_blank"
         rel="noopener"
         appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/settings/change-password.component.ts

@@ -87,7 +87,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
         );
         if (learnMore) {
           this.platformUtilsService.launchUri(
-            "https://bitwarden.com/help/attachments/#fixing-old-attachments"
+            "https://help.bitwarden.com/article/attachments/#fixing-old-attachments"
           );
         }
         this.rotateEncKey = false;

src/app/settings/emergency-access-add-edit.component.html

@@ -51,7 +51,7 @@
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
-            href="https://bitwarden.com/help/emergency-access/#user-access"
+            href="https://bitwarden.com/help/article/emergency-access/#user-access"
           >
             <i class="fa fa-question-circle-o" aria-hidden="true"></i>
           </a>

src/app/settings/emergency-access-confirm.component.html

@@ -19,7 +19,7 @@
         <p>
           {{ "fingerprintEnsureIntegrityVerify" | i18n }}
           <a
-            href="https://bitwarden.com/help/fingerprint-phrase/"
+            href="https://help.bitwarden.com/article/fingerprint-phrase/"
             target="_blank"
             rel="noopener"
           >

src/app/settings/emergency-access.component.html

@@ -3,7 +3,7 @@
 </div>
 <p>
   {{ "emergencyAccessDesc" | i18n }}
-  <a href="https://bitwarden.com/help/emergency-access/" target="_blank" rel="noopener">
+  <a href="https://bitwarden.com/help/article/emergency-access/" target="_blank" rel="noopener">
     {{ "learnMore" | i18n }}.
   </a>
 </p>

src/app/settings/options.component.html

@@ -52,7 +52,7 @@
           <label for="locale">{{ "language" | i18n }}</label>
           <a
             class="ml-auto"
-            href="https://bitwarden.com/help/localization/"
+            href="https://help.bitwarden.com/article/localization/"
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
@@ -80,7 +80,7 @@
         {{ "disableIcons" | i18n }}
       </label>
       <a
-        href="https://bitwarden.com/help/website-icons/"
+        href="https://help.bitwarden.com/article/website-icons/"
         target="_blank"
         rel="noopener"
         appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/settings/profile.component.html

@@ -51,7 +51,7 @@
       <p *ngIf="fingerprint">
         {{ "yourAccountsFingerprint" | i18n }}:
         <a
-          href="https://bitwarden.com/help/fingerprint-phrase/"
+          href="https://help.bitwarden.com/article/fingerprint-phrase/"
           target="_blank"
           rel="noopener"
           appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/settings/update-key.component.html

@@ -22,7 +22,7 @@
         <p>
           {{ "updateEncryptionKeyShortDesc" | i18n }} {{ "updateEncryptionKeyDesc" | i18n }}
           <a
-            href="https://bitwarden.com/help/account-encryption-key/#rotate-your-encryption-key"
+            href="https://help.bitwarden.com/article/update-encryption-key/"
             target="_blank"
             rel="noopener"
             >{{ "learnMore" | i18n }}</a

src/app/tools/import.component.html

@@ -29,8 +29,8 @@
   <app-callout type="info" title="{{ getFormatInstructionTitle() }}" *ngIf="format">
     <ng-container *ngIf="format === 'bitwardencsv' || format === 'bitwardenjson'">
       See detailed instructions on our help site at
-      <a target="_blank" rel="noopener" href="https://bitwarden.com/help/export-your-data/">
-        https://bitwarden.com/help/export-your-data/</a
+      <a target="_blank" rel="noopener" href="https://help.bitwarden.com/article/export-your-data/">
+        https://help.bitwarden.com/article/export-your-data/</a
       >
     </ng-container>
     <ng-container *ngIf="format === 'lastpasscsv'">
@@ -38,9 +38,9 @@
       <a
         target="_blank"
         rel="noopener"
-        href="https://bitwarden.com/help/import-from-lastpass/"
+        href="https://help.bitwarden.com/article/import-from-lastpass/"
       >
-        https://bitwarden.com/help/import-from-lastpass/</a
+        https://help.bitwarden.com/article/import-from-lastpass/</a
       >
     </ng-container>
     <ng-container *ngIf="format === 'keepassxcsv'">
@@ -93,9 +93,9 @@
       <a
         target="_blank"
         rel="noopener"
-        href="https://bitwarden.com/help/import-from-chrome/"
+        href="https://help.bitwarden.com/article/import-from-chrome/"
       >
-        https://bitwarden.com/help/import-from-chrome/</a
+        https://help.bitwarden.com/article/import-from-chrome/</a
       >
     </ng-container>
     <ng-container *ngIf="format === 'firefoxcsv'">
@@ -103,9 +103,9 @@
       <a
         target="_blank"
         rel="noopener"
-        href="https://bitwarden.com/help/import-from-firefox/"
+        href="https://bitwarden.com/help/article/import-from-firefox/"
       >
-        https://bitwarden.com/help/import-from-firefox/</a
+        https://bitwarden.com/help/article/import-from-firefox/</a
       >.
     </ng-container>
     <ng-container *ngIf="format === 'safaricsv'">
@@ -113,9 +113,9 @@
       <a
         target="_blank"
         rel="noopener"
-        href="https://bitwarden.com/help/import-from-safari/"
+        href="https://bitwarden.com/help/article/import-from-safari/"
       >
-        https://bitwarden.com/help/import-from-safari/</a
+        https://bitwarden.com/help/article/import-from-safari/</a
       >.
     </ng-container>
     <ng-container
@@ -127,9 +127,9 @@
       <a
         target="_blank"
         rel="noopener"
-        href="https://bitwarden.com/help/import-from-1password/"
+        href="https://help.bitwarden.com/article/import-from-1password/"
       >
-        https://bitwarden.com/help/import-from-1password/</a
+        https://help.bitwarden.com/article/import-from-1password/</a
       >.
     </ng-container>
     <ng-container *ngIf="format === 'passworddragonxml'">

src/app/vault/add-edit-custom-fields.component.html

@@ -11,7 +11,7 @@
           <label for="fieldName{{ i }}">{{ "name" | i18n }}</label>
           <a
             class="ml-auto"
-            href="https://bitwarden.com/help/custom-fields/"
+            href="https://help.bitwarden.com/article/custom-fields/"
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/vault/add-edit.component.html

@@ -288,7 +288,7 @@
                   </label>
                   <a
                     class="ml-auto"
-                    href="https://bitwarden.com/help/uri-match-detection/"
+                    href="https://help.bitwarden.com/article/uri-match-detection/"
                     target="_blank"
                     rel="noopener"
                     appA11yTitle="{{ 'learnMore' | i18n }}"
@@ -587,7 +587,6 @@
                 id="idEmail"
                 class="form-control"
                 type="text"
-                inputmode="email"
                 name="Identity.Email"
                 [(ngModel)]="cipher.identity.email"
                 appInputVerbatim
@@ -600,7 +599,6 @@
                 id="idPhone"
                 class="form-control"
                 type="text"
-                inputmode="tel"
                 name="Identity.Phone"
                 [(ngModel)]="cipher.identity.phone"
                 [disabled]="cipher.isDeleted || viewOnly"
@@ -790,7 +788,7 @@
               target="_blank"
               rel="noopener"
               appA11yTitle="{{ 'learnMore' | i18n }}"
-              href="https://bitwarden.com/help/managing-items/#protect-individual-items"
+              href="https://bitwarden.com/help/article/managing-items/#protect-individual-items"
             >
               <i class="fa fa-question-circle-o" aria-hidden="true"></i>
             </a>

src/app/vault/attachments.component.html

@@ -38,7 +38,7 @@
                   <a href="#" appStopClick (click)="download(a)">{{ a.fileName }}</a>
                   <div *ngIf="showFixOldAttachments(a)" class="ml-2">
                     <a
-                      href="https://bitwarden.com/help/attachments/#fixing-old-attachments"
+                      href="https://help.bitwarden.com/article/attachments/#fixing-old-attachments"
                       target="_blank"
                       rel="noopener"
                     >

src/app/vault/groupings.component.html

@@ -3,7 +3,7 @@
     {{ "filters" | i18n }}
     <a
       class="ml-auto"
-      href="https://bitwarden.com/help/searching-vault/"
+      href="https://help.bitwarden.com/article/searching-vault/"
       target="_blank"
       rel="noopener"
       appA11yTitle="{{ 'learnMore' | i18n }}"

src/app/vault/vault.component.html

@@ -100,7 +100,7 @@
           {{ "organizations" | i18n }}
           <a
             class="ml-auto"
-            href="https://bitwarden.com/help/about-organizations/"
+            href="https://help.bitwarden.com/article/what-is-an-organization/"
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"
@@ -128,7 +128,7 @@
           {{ "providers" | i18n }}
           <a
             class="ml-auto"
-            href="https://bitwarden.com/help/providers/"
+            href="https://bitwarden.com/help/article/about-providers/"
             target="_blank"
             rel="noopener"
             appA11yTitle="{{ 'learnMore' | i18n }}"

src/connectors/cme.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta
+      name="viewport"
+      content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"
+    />
+    <title>Bitwarden CME Connector</title>
+  </head>
+  <body></body>
+</html>

src/connectors/cme.ts

@@ -0,0 +1,135 @@
+import { KeyConnectorUserKeyResponse } from "jslib-common/models/response/keyConnectorUserKeyResponse";
+import { b64Decode, getQsParam } from "./common";
+
+document.addEventListener("DOMContentLoaded", () => {
+  init();
+});
+
+let parentUrl: string = null;
+let parentOrigin: string = null;
+let sentSuccess = false;
+
+async function init() {
+  await start();
+  onMessage();
+}
+
+async function start() {
+  sentSuccess = false;
+
+  const data = getQsParam("data");
+  if (!data) {
+    error("No data.");
+    return;
+  }
+
+  parentUrl = getQsParam("parent");
+  if (!parentUrl) {
+    error("No parent.");
+    return;
+  } else {
+    parentUrl = decodeURIComponent(parentUrl);
+    parentOrigin = new URL(parentUrl).origin;
+  }
+
+  let decodedData: any;
+  try {
+    decodedData = JSON.parse(b64Decode(data));
+  } catch (e) {
+    error("Cannot parse data.");
+    return;
+  }
+
+  const keyConnectorUrl = new URL(decodedData.url);
+  const bearerAccessToken = decodedData.token;
+  const operation = decodedData.operation;
+  const key = decodedData.key;
+
+  if (keyConnectorUrl.hostname === "vault.bitwarden.com") {
+    error("Invalid hostname.");
+  }
+
+  if (operation === "get") {
+    const getRequest = new Request(keyConnectorUrl.href + "user-keys", {
+      cache: "no-store",
+      method: "GET",
+      headers: new Headers({
+        Accept: "application/json",
+        Authorization: "Bearer " + bearerAccessToken,
+      }),
+    });
+    getRequest.headers.set("Cache-Control", "no-store");
+    getRequest.headers.set("Pragma", "no-cache");
+
+    try {
+      const response = await fetch(getRequest);
+      if (response.status !== 200) {
+        throw new Error();
+      }
+      success(new KeyConnectorUserKeyResponse(await response.json()));
+    } catch {
+      error("Error getting key");
+      return;
+    }
+  } else if (operation === "post") {
+    const postRequest = new Request(keyConnectorUrl.href + "user-keys", {
+      cache: "no-store",
+      method: "POST",
+      headers: new Headers({
+        Accept: "application/json",
+        Authorization: "Bearer " + bearerAccessToken,
+        "Content-Type": "application/json; charset=utf-8",
+      }),
+      body: JSON.stringify({ key: key }),
+    });
+
+    try {
+      const response = await fetch(postRequest);
+      if (response.status !== 200) {
+        throw new Error();
+      }
+    } catch {
+      error("Error posting key");
+      return;
+    }
+    success(null);
+  } else {
+    // TODO: put operation
+    error("Unsupported operation.");
+  }
+}
+
+function onMessage() {
+  window.addEventListener(
+    "message",
+    (event) => {
+      if (!event.origin || event.origin === "" || event.origin !== parentOrigin) {
+        return;
+      }
+
+      if (event.data === "start") {
+        start();
+      }
+    },
+    false
+  );
+}
+
+function error(message: string) {
+  parent.postMessage("error|" + message, parentUrl);
+}
+
+function success(response: KeyConnectorUserKeyResponse) {
+  if (sentSuccess) {
+    return;
+  }
+  parent.postMessage(
+    "success|" + (response != null && response.key != null ? response.key : ""),
+    parentUrl
+  );
+  sentSuccess = true;
+}
+
+function info(message: string | object) {
+  parent.postMessage("info|" + JSON.stringify(message), parentUrl);
+}

src/connectors/u2f.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Bitwarden U2F Connector</title>
+  </head>
+
+  <body></body>
+</html>

src/connectors/u2f.js

@@ -0,0 +1,150 @@
+import * as u2f from "u2f";
+
+document.addEventListener("DOMContentLoaded", function (event) {
+  init();
+});
+
+var parentUrl = null,
+  parentOrigin = null,
+  version = null,
+  stop = false,
+  sentSuccess = false;
+
+function init() {
+  start();
+  onMessage();
+  info("ready");
+}
+
+function start() {
+  sentSuccess = false;
+
+  if (!u2f.isSupported) {
+    error("U2F is not supported in this browser.");
+    return;
+  }
+
+  var data = getQsParam("data");
+  if (!data) {
+    error("No data.");
+    return;
+  }
+
+  parentUrl = getQsParam("parent");
+  if (!parentUrl) {
+    error("No parent.");
+    return;
+  } else {
+    var link = document.createElement("a");
+    link.href = parentUrl;
+    parentOrigin = link.origin;
+  }
+
+  var versionQs = getQsParam("v");
+  if (!versionQs) {
+    error("No version.");
+    return;
+  }
+
+  try {
+    version = parseInt(versionQs);
+    var jsonString = b64Decode(data);
+    var json = JSON.parse(jsonString);
+  } catch (e) {
+    error("Cannot parse data.");
+    return;
+  }
+
+  if (!json.appId || !json.challenge || !json.keys || !json.keys.length) {
+    error("Invalid data parameters.");
+    return;
+  }
+
+  stop = false;
+  initU2f(json);
+}
+
+function initU2f(obj) {
+  if (stop) {
+    return;
+  }
+
+  u2f.sign(
+    obj.appId,
+    obj.challenge,
+    obj.keys,
+    function (data) {
+      if (data.errorCode) {
+        if (data.errorCode !== 5) {
+          error("U2F Error: " + data.errorCode);
+          setTimeout(function () {
+            initU2f(obj);
+          }, 1000);
+        } else {
+          initU2f(obj);
+        }
+
+        return;
+      }
+
+      success(data);
+    },
+    10
+  );
+}
+
+function onMessage() {
+  window.addEventListener(
+    "message",
+    function (event) {
+      if (!event.origin || event.origin === "" || event.origin !== parentOrigin) {
+        return;
+      }
+
+      if (event.data === "stop") {
+        stop = true;
+      } else if (event.data === "start" && stop) {
+        start();
+      }
+    },
+    false
+  );
+}
+
+function error(message) {
+  parent.postMessage("error|" + message, parentUrl);
+}
+
+function success(data) {
+  if (sentSuccess) {
+    return;
+  }
+
+  var dataString = JSON.stringify(data);
+  parent.postMessage("success|" + dataString, parentUrl);
+  sentSuccess = true;
+}
+
+function info(message) {
+  parent.postMessage("info|" + message, parentUrl);
+}
+
+function getQsParam(name) {
+  var url = window.location.href;
+  name = name.replace(/[\[\]]/g, "\\$&");
+  var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
+    results = regex.exec(url);
+  if (!results) return null;
+  if (!results[2]) return "";
+  return decodeURIComponent(results[2].replace(/\+/g, " "));
+}
+
+function b64Decode(str) {
+  return decodeURIComponent(
+    Array.prototype.map
+      .call(atob(str), function (c) {
+        return "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2);
+      })
+      .join("")
+  );
+}

src/locales/be/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/bn/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/el/messages.json

@@ -3445,7 +3445,7 @@
     "message": "Αποσύνδεση SSO"
   },
   "unlinkSsoConfirmation": {
-    "message": "Είστε βέβαιοι ότι θέλετε να αποσυνδέσετε το SSO για αυτόν τον οργανισμό;"
+    "message": "Are you sure you want to unlink SSO for this organization?"
   },
   "linkSso": {
     "message": "Σύνδεσμος SSO"

src/locales/en/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/fil/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/fr/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Ne plus me demander de vérifier de phrase d'empreinte",
+    "message": "Ne plus me demander de saisir la phrase d'empreinte",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/hi/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/hu/messages.json

@@ -3156,7 +3156,7 @@
     "message": "A széfben régi mellékletek vannak, amelyeket javítani kell a fiók titkosító kulcsának fordítása előtt."
   },
   "yourAccountsFingerprint": {
-    "message": "Fók ujjnyomat kifejezés",
+    "message": "Fók ujjlenyomat kifejezés",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "fingerprintEnsureIntegrityVerify": {

src/locales/ja/messages.json

@@ -167,7 +167,7 @@
     "message": "真偽値"
   },
   "cfTypeLinked": {
-    "message": "リンク済",
+    "message": "Linked",
     "description": "This describes a field that is 'linked' (related) to another field."
   },
   "remove": {

src/locales/ka/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/nl/messages.json

@@ -1344,7 +1344,7 @@
     "message": "Volg deze stappen voor het instellen van tweestapsaanmelding met e-mail:"
   },
   "twoFactorEmailEnterEmail": {
-    "message": "Voer het e-mailadres in waar je de verificatiecodes op wilt ontvangen"
+    "message": "Voer de e-mailadres in waar je de verificatiecodes wilt ontvangen"
   },
   "twoFactorEmailEnterCode": {
     "message": "Voer de 6-cijferige verificatiecode uit de e-mail in"

src/locales/nn/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/pl/messages.json

@@ -2078,7 +2078,7 @@
     "message": "Samodzielnie hostowane środowisko (opcjonalnie)"
   },
   "usersGetPremium": {
-    "message": "Użytkownicy uzyskują dostęp do kont Premium"
+    "message": "Użytkownicy uzyskują dostęp do funkcji Premium"
   },
   "controlAccessWithGroups": {
     "message": "Kontroluj dostęp z użyciem grup użytkowników"
@@ -2660,7 +2660,7 @@
     "message": "Wyślij ponownie zaproszenie"
   },
   "resendEmail": {
-    "message": "Wyślij ponownie wiadomość"
+    "message": "Wyślij e-mail ponownie"
   },
   "hasBeenReinvited": {
     "message": "Użytkownik $USER$ został ponownie zaproszony.",
@@ -4501,10 +4501,10 @@
     "message": "Zrealizuj swój darmowy Bitwarden Families, aby zapewnić bezpieczeństwo swoich danych nawet wtedy, gdy nie jesteś w pracy."
   },
   "sponsoredFamiliesInclude": {
-    "message": "Plan Bitwarden dla rodzin zawiera"
+    "message": "Plan Bitwarden Families zawiera"
   },
   "sponsoredFamiliesPremiumAccess": {
-    "message": "Konto Premium dla maksymalnie 6 użytkowników"
+    "message": "Dostęp premium dla maksymalnie 6 użytkowników"
   },
   "sponsoredFamiliesSharedCollections": {
     "message": "Udostępnione kolekcje dla sekretów rodziny"
@@ -4570,7 +4570,7 @@
     }
   },
   "resendEmailLabel": {
-    "message": "Wyślij ponownie wiadomość o sponsoringu do użytkownika $NAME$",
+    "message": "Wyślij ponownie wiadomość e-mail o sponsoringu do $NAME$",
     "placeholders": {
       "name": {
         "content": "$1",
@@ -4594,10 +4594,10 @@
     "message": "Po usunięciu sponsorowania, będziesz odpowiedzialny za tę subskrypcję i powiązane faktury. Czy na pewno chcesz kontynuować?"
   },
   "sponsorshipCreated": {
-    "message": "Sponsoring został utworzony"
+    "message": "Utworzono sponsorowanie"
   },
   "revoke": {
-    "message": "Unieważnij"
+    "message": "Odwołaj"
   },
   "emailSent": {
     "message": "Wiadomość została wysłana"
@@ -4606,7 +4606,7 @@
     "message": "Po usunięciu sponsorowania, będziesz odpowiedzialny za tę subskrypcję i powiązane faktury. Czy na pewno chcesz kontynuować?"
   },
   "removeSponsorshipSuccess": {
-    "message": "Sponsoring został usunięty"
+    "message": "Sponsoring usunięty"
   },
   "ssoKeyConnectorUnavailable": {
     "message": "Nie można nawiązać połączenia z serwerem Key Connector. Spróbuj ponownie później."
@@ -4732,7 +4732,7 @@
     "message": "Nie można nawiązać połączenia z serwerem Key Connector. Sprawdź adres URL."
   },
   "sponsorshipTokenHasExpired": {
-    "message": "Oferta sponsoringu wygasła."
+    "message": "Oferta sponsorowania wygasła."
   },
   "freeWithSponsorship": {
     "message": "DARMOWA ze sponsorowaniem"

src/locales/ru/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Никогда не запрашивать проверку отпечатков фраз для приглашенных пользователей (не рекомендуется)",
+    "message": "Больше не запрашивать верификацию фразы отпечатка",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/si/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/sl/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/sr/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/locales/sv/messages.json

@@ -1803,7 +1803,7 @@
     "message": "Uppdaterade licens"
   },
   "manageSubscription": {
-    "message": "Hantera prenumeration"
+    "message": "Hantera abonnemang"
   },
   "storage": {
     "message": "Lagring"
@@ -1947,7 +1947,7 @@
     "message": "Företagsnamn"
   },
   "chooseYourPlan": {
-    "message": "Välj din plan"
+    "message": "Välj abonnemang"
   },
   "users": {
     "message": "Användare"
@@ -2876,7 +2876,7 @@
     "message": "Företag"
   },
   "bankAccountTypeIndividual": {
-    "message": "Individual (Personal)"
+    "message": "Person"
   },
   "enterInstallationId": {
     "message": "Ange ditt installations-id"
@@ -3017,7 +3017,7 @@
     "message": "Alla krypterade exporter som du har sparat kommer också bli ogiltiga."
   },
   "subscription": {
-    "message": "Prenumeration"
+    "message": "Abonnemang"
   },
   "loading": {
     "message": "Laddar"
@@ -3097,7 +3097,7 @@
     "message": "Organisationen är inaktiverad."
   },
   "licenseIsExpired": {
-    "message": "License is expired."
+    "message": "Licensen har löpt ut."
   },
   "updatedUsers": {
     "message": "Uppdaterade användare"
@@ -3287,7 +3287,7 @@
     "message": "Standardtyp"
   },
   "userPreference": {
-    "message": "Användarpreferens"
+    "message": "Användarens val"
   },
   "vaultTimeoutAction": {
     "message": "Åtgärd när valvets tidsgräns överskrids"
@@ -3495,15 +3495,15 @@
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "createdSend": {
-    "message": "Created Send",
+    "message": "Skapade försändelse",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "editedSend": {
-    "message": "Edited Send",
+    "message": "Redigerade försändelse",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "deletedSend": {
-    "message": "Deleted Send",
+    "message": "Raderade försändelse",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "deleteSend": {
@@ -3522,14 +3522,14 @@
     "message": "Raderingsdatum"
   },
   "deletionDateDesc": {
-    "message": "The Send will be permanently deleted on the specified date and time.",
+    "message": "Försändelsen kommer att raderas permanent på angivet datum och tid.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "expirationDate": {
     "message": "Utgångsdatum"
   },
   "expirationDateDesc": {
-    "message": "If set, access to this Send will expire on the specified date and time.",
+    "message": "Om angivet kommer åtkomst till denna försändelse upphöra på angivet datum och tid.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "maxAccessCount": {
@@ -3543,22 +3543,22 @@
     "message": "Nuvarande antal åtkomster"
   },
   "sendPasswordDesc": {
-    "message": "Optionally require a password for users to access this Send.",
+    "message": "Kräv ett lösenord från användare innan de kommer åt denna försändelse.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "sendNotesDesc": {
-    "message": "Private notes about this Send.",
+    "message": "Egna anteckningar om denna försändelse.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "disabled": {
     "message": "Inaktiverad"
   },
   "sendLink": {
-    "message": "Send link",
+    "message": "Försändelselänk",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "copySendLink": {
-    "message": "Copy Send Link",
+    "message": "Kopiera försändelselänk",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "removePassword": {
@@ -3574,11 +3574,11 @@
     "message": "Dölj min e-postadress för mottagare."
   },
   "disableThisSend": {
-    "message": "Disable this Send so that no one can access it.",
+    "message": "Inaktivera denna försändelse så att ingen kan komma åt den.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "allSends": {
-    "message": "All Sends"
+    "message": "Alla försändelser"
   },
   "maxAccessCountReached": {
     "message": "Det maximala antalet åtkomster har uppnåtts"
@@ -3590,11 +3590,11 @@
     "message": "Utgången"
   },
   "searchSends": {
-    "message": "Search Sends",
+    "message": "Sök försändelser",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "sendProtectedPassword": {
-    "message": "This Send is protected with a password. Please type the password below to continue.",
+    "message": "Denna försändelse är skyddad med ett lösenord. Vänligen skriv in lösenordet nedan för att fortsätta.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "sendProtectedPasswordDontKnow": {
@@ -3613,11 +3613,11 @@
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "missingSendFile": {
-    "message": "The file associated with this Send could not be found.",
+    "message": "Den här försändelsens associerade fil kunde inte hittas.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "noSendsInList": {
-    "message": "There are no Sends to list.",
+    "message": "Det finns inga försändelser att visa.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "emergencyAccess": {
@@ -3778,14 +3778,14 @@
     "message": "Inaktivera Send"
   },
   "disableSendPolicyDesc": {
-    "message": "Låt inte användare skapa eller redigera en Bitwarden Send. Det är fortfarande tillåtet att radera en befintlig sändning.",
+    "message": "Tillåt inte användare att skapa eller redigera försändelser. Att radera existerande försändelser kommer fortfarande vara tillåtet.",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "disableSendExemption": {
     "message": "Användare som kan hantera organisationens policyer är berörs inte av den här policyn."
   },
   "sendDisabled": {
-    "message": "Send disabled",
+    "message": "Försändelser inaktiverade",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
   },
   "sendDisabledWarning": {
@@ -4004,7 +4004,7 @@
     "message": "Klicka på knappen nedan för att verifiera din 2FA."
   },
   "webAuthnAuthenticate": {
-    "message": "Autentisera WebAuthn"
+    "message": "Autentisera WebAutn"
   },
   "webAuthnNotSupported": {
     "message": "WebAuthn stöds inte i denna webbläsare."

src/locales/vi/messages.json

@@ -3164,7 +3164,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "dontAskFingerprintAgain": {
-    "message": "Never prompt to verify fingerprint phrases for invited users (Not recommended)",
+    "message": "Don't ask to verify fingerprint phrase again",
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their public key with another user, for the purposes of sharing."
   },
   "free": {

src/scripts/u2f.js

@@ -0,0 +1,779 @@
+//Copyright 2014-2015 Google Inc. All rights reserved.
+
+//Use of this source code is governed by a BSD-style
+//license that can be found in the LICENSE file or at
+//https://developers.google.com/open-source/licenses/bsd
+
+// ref: https://github.com/google/u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js
+
+/**
+ * @fileoverview The U2F api.
+ */
+'use strict';
+
+/**
+ * Modification:
+ * Wrap implementation so that we can exit if window.u2f is already supplied by the browser (see below).
+ */
+(function (root) {
+    /**
+     * Modification:
+     * Only continue load this library if window.u2f is not already supplied by the browser.
+     */
+    var isFirefox = navigator.userAgent.indexOf('Firefox') !== -1 || navigator.userAgent.indexOf('Gecko/') !== -1;
+    var browserImplementsU2f = !!((typeof root.u2f !== 'undefined') && root.u2f.register);
+
+    if (isFirefox && browserImplementsU2f) {
+        root.u2f.isSupported = true;
+        return;
+    }
+
+    /**
+     * Namespace for the U2F api.
+     * @type {Object}
+     */
+    var u2f = root.u2f || {};
+
+    /**
+     * Modification:
+     * Check if browser supports U2F API before this wrapper was added.
+     */
+    u2f.isSupported = !!(((typeof u2f !== 'undefined') && u2f.register) || ((typeof chrome !== 'undefined') && chrome.runtime));
+
+    /**
+     * FIDO U2F Javascript API Version
+     * @number
+     */
+    var js_api_version;
+
+    /**
+     * The U2F extension id
+     * @const {string}
+     */
+    // The Chrome packaged app extension ID.
+    // Uncomment this if you want to deploy a server instance that uses
+    // the package Chrome app and does not require installing the U2F Chrome extension.
+    u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
+    // The U2F Chrome extension ID.
+    // Uncomment this if you want to deploy a server instance that uses
+    // the U2F Chrome extension to authenticate.
+    // u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
+
+
+    /**
+     * Message types for messsages to/from the extension
+     * @const
+     * @enum {string}
+     */
+    u2f.MessageTypes = {
+        'U2F_REGISTER_REQUEST': 'u2f_register_request',
+        'U2F_REGISTER_RESPONSE': 'u2f_register_response',
+        'U2F_SIGN_REQUEST': 'u2f_sign_request',
+        'U2F_SIGN_RESPONSE': 'u2f_sign_response',
+        'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
+        'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
+    };
+
+
+    /**
+     * Response status codes
+     * @const
+     * @enum {number}
+     */
+    u2f.ErrorCodes = {
+        'OK': 0,
+        'OTHER_ERROR': 1,
+        'BAD_REQUEST': 2,
+        'CONFIGURATION_UNSUPPORTED': 3,
+        'DEVICE_INELIGIBLE': 4,
+        'TIMEOUT': 5
+    };
+
+
+    /**
+     * A message for registration requests
+     * @typedef {{
+     *   type: u2f.MessageTypes,
+     *   appId: ?string,
+     *   timeoutSeconds: ?number,
+     *   requestId: ?number
+     * }}
+     */
+    u2f.U2fRequest;
+
+
+    /**
+     * A message for registration responses
+     * @typedef {{
+     *   type: u2f.MessageTypes,
+     *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
+     *   requestId: ?number
+     * }}
+     */
+    u2f.U2fResponse;
+
+
+    /**
+     * An error object for responses
+     * @typedef {{
+     *   errorCode: u2f.ErrorCodes,
+     *   errorMessage: ?string
+     * }}
+     */
+    u2f.Error;
+
+    /**
+     * Data object for a single sign request.
+     * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
+     */
+    u2f.Transport;
+
+
+    /**
+     * Data object for a single sign request.
+     * @typedef {Array<u2f.Transport>}
+     */
+    u2f.Transports;
+
+    /**
+     * Data object for a single sign request.
+     * @typedef {{
+     *   version: string,
+     *   challenge: string,
+     *   keyHandle: string,
+     *   appId: string
+     * }}
+     */
+    u2f.SignRequest;
+
+
+    /**
+     * Data object for a sign response.
+     * @typedef {{
+     *   keyHandle: string,
+     *   signatureData: string,
+     *   clientData: string
+     * }}
+     */
+    u2f.SignResponse;
+
+
+    /**
+     * Data object for a registration request.
+     * @typedef {{
+     *   version: string,
+     *   challenge: string
+     * }}
+     */
+    u2f.RegisterRequest;
+
+
+    /**
+     * Data object for a registration response.
+     * @typedef {{
+     *   version: string,
+     *   keyHandle: string,
+     *   transports: Transports,
+     *   appId: string
+     * }}
+     */
+    u2f.RegisterResponse;
+
+
+    /**
+     * Data object for a registered key.
+     * @typedef {{
+     *   version: string,
+     *   keyHandle: string,
+     *   transports: ?Transports,
+     *   appId: ?string
+     * }}
+     */
+    u2f.RegisteredKey;
+
+
+    /**
+     * Data object for a get API register response.
+     * @typedef {{
+     *   js_api_version: number
+     * }}
+     */
+    u2f.GetJsApiVersionResponse;
+
+
+    //Low level MessagePort API support
+
+    /**
+     * Sets up a MessagePort to the U2F extension using the
+     * available mechanisms.
+     * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+     */
+    u2f.getMessagePort = function (callback) {
+        if (typeof chrome != 'undefined' && chrome.runtime) {
+            // The actual message here does not matter, but we need to get a reply
+            // for the callback to run. Thus, send an empty signature request
+            // in order to get a failure response.
+            var msg = {
+                type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+                signRequests: []
+            };
+            chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function () {
+                if (!chrome.runtime.lastError) {
+                    // We are on a whitelisted origin and can talk directly
+                    // with the extension.
+                    u2f.getChromeRuntimePort_(callback);
+                } else {
+                    // chrome.runtime was available, but we couldn't message
+                    // the extension directly, use iframe
+                    u2f.getIframePort_(callback);
+                }
+            });
+        } else if (u2f.isAndroidChrome_()) {
+            u2f.getAuthenticatorPort_(callback);
+        } else if (u2f.isIosChrome_()) {
+            u2f.getIosPort_(callback);
+        } else {
+            // chrome.runtime was not available at all, which is normal
+            // when this origin doesn't have access to any extensions.
+            u2f.getIframePort_(callback);
+        }
+    };
+
+    /**
+     * Detect chrome running on android based on the browser's useragent.
+     * @private
+     */
+    u2f.isAndroidChrome_ = function () {
+        var userAgent = navigator.userAgent;
+        return userAgent.indexOf('Chrome') != -1 &&
+            userAgent.indexOf('Android') != -1;
+    };
+
+    /**
+     * Detect chrome running on iOS based on the browser's platform.
+     * @private
+     */
+    u2f.isIosChrome_ = function () {
+        return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1;
+    };
+
+    /**
+     * Connects directly to the extension via chrome.runtime.connect.
+     * @param {function(u2f.WrappedChromeRuntimePort_)} callback
+     * @private
+     */
+    u2f.getChromeRuntimePort_ = function (callback) {
+        var port = chrome.runtime.connect(u2f.EXTENSION_ID,
+            { 'includeTlsChannelId': true });
+        setTimeout(function () {
+            callback(new u2f.WrappedChromeRuntimePort_(port));
+        }, 0);
+    };
+
+    /**
+     * Return a 'port' abstraction to the Authenticator app.
+     * @param {function(u2f.WrappedAuthenticatorPort_)} callback
+     * @private
+     */
+    u2f.getAuthenticatorPort_ = function (callback) {
+        setTimeout(function () {
+            callback(new u2f.WrappedAuthenticatorPort_());
+        }, 0);
+    };
+
+    /**
+     * Return a 'port' abstraction to the iOS client app.
+     * @param {function(u2f.WrappedIosPort_)} callback
+     * @private
+     */
+    u2f.getIosPort_ = function (callback) {
+        setTimeout(function () {
+            callback(new u2f.WrappedIosPort_());
+        }, 0);
+    };
+
+    /**
+     * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
+     * @param {Port} port
+     * @constructor
+     * @private
+     */
+    u2f.WrappedChromeRuntimePort_ = function (port) {
+        this.port_ = port;
+    };
+
+    /**
+     * Format and return a sign request compliant with the JS API version supported by the extension.
+     * @param {Array<u2f.SignRequest>} signRequests
+     * @param {number} timeoutSeconds
+     * @param {number} reqId
+     * @return {Object}
+     */
+    u2f.formatSignRequest_ =
+        function (appId, challenge, registeredKeys, timeoutSeconds, reqId) {
+            if (js_api_version === undefined || js_api_version < 1.1) {
+                // Adapt request to the 1.0 JS API
+                var signRequests = [];
+                for (var i = 0; i < registeredKeys.length; i++) {
+                    signRequests[i] = {
+                        version: registeredKeys[i].version,
+                        challenge: challenge,
+                        keyHandle: registeredKeys[i].keyHandle,
+                        appId: appId
+                    };
+                }
+                return {
+                    type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+                    signRequests: signRequests,
+                    timeoutSeconds: timeoutSeconds,
+                    requestId: reqId
+                };
+            }
+            // JS 1.1 API
+            return {
+                type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+                appId: appId,
+                challenge: challenge,
+                registeredKeys: registeredKeys,
+                timeoutSeconds: timeoutSeconds,
+                requestId: reqId
+            };
+        };
+
+    /**
+     * Format and return a register request compliant with the JS API version supported by the extension..
+     * @param {Array<u2f.SignRequest>} signRequests
+     * @param {Array<u2f.RegisterRequest>} signRequests
+     * @param {number} timeoutSeconds
+     * @param {number} reqId
+     * @return {Object}
+     */
+    u2f.formatRegisterRequest_ =
+        function (appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
+            if (js_api_version === undefined || js_api_version < 1.1) {
+                // Adapt request to the 1.0 JS API
+                for (var i = 0; i < registerRequests.length; i++) {
+                    registerRequests[i].appId = appId;
+                }
+                var signRequests = [];
+                for (var i = 0; i < registeredKeys.length; i++) {
+                    signRequests[i] = {
+                        version: registeredKeys[i].version,
+                        challenge: registerRequests[0],
+                        keyHandle: registeredKeys[i].keyHandle,
+                        appId: appId
+                    };
+                }
+                return {
+                    type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+                    signRequests: signRequests,
+                    registerRequests: registerRequests,
+                    timeoutSeconds: timeoutSeconds,
+                    requestId: reqId
+                };
+            }
+            // JS 1.1 API
+            return {
+                type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+                appId: appId,
+                registerRequests: registerRequests,
+                registeredKeys: registeredKeys,
+                timeoutSeconds: timeoutSeconds,
+                requestId: reqId
+            };
+        };
+
+
+    /**
+     * Posts a message on the underlying channel.
+     * @param {Object} message
+     */
+    u2f.WrappedChromeRuntimePort_.prototype.postMessage = function (message) {
+        this.port_.postMessage(message);
+    };
+
+
+    /**
+     * Emulates the HTML 5 addEventListener interface. Works only for the
+     * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
+     * @param {string} eventName
+     * @param {function({data: Object})} handler
+     */
+    u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
+        function (eventName, handler) {
+            var name = eventName.toLowerCase();
+            if (name == 'message' || name == 'onmessage') {
+                this.port_.onMessage.addListener(function (message) {
+                    // Emulate a minimal MessageEvent object
+                    handler({ 'data': message });
+                });
+            } else {
+                console.error('WrappedChromeRuntimePort only supports onMessage');
+            }
+        };
+
+    /**
+     * Wrap the Authenticator app with a MessagePort interface.
+     * @constructor
+     * @private
+     */
+    u2f.WrappedAuthenticatorPort_ = function () {
+        this.requestId_ = -1;
+        this.requestObject_ = null;
+    }
+
+    /**
+     * Launch the Authenticator intent.
+     * @param {Object} message
+     */
+    u2f.WrappedAuthenticatorPort_.prototype.postMessage = function (message) {
+        var intentUrl =
+            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
+            ';S.request=' + encodeURIComponent(JSON.stringify(message)) +
+            ';end';
+        document.location = intentUrl;
+    };
+
+    /**
+     * Tells what type of port this is.
+     * @return {String} port type
+     */
+    u2f.WrappedAuthenticatorPort_.prototype.getPortType = function () {
+        return "WrappedAuthenticatorPort_";
+    };
+
+
+    /**
+     * Emulates the HTML 5 addEventListener interface.
+     * @param {string} eventName
+     * @param {function({data: Object})} handler
+     */
+    u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function (eventName, handler) {
+        var name = eventName.toLowerCase();
+        if (name == 'message') {
+            var self = this;
+            /* Register a callback to that executes when
+             * chrome injects the response. */
+            window.addEventListener(
+                'message', self.onRequestUpdate_.bind(self, handler), false);
+        } else {
+            console.error('WrappedAuthenticatorPort only supports message');
+        }
+    };
+
+    /**
+     * Callback invoked  when a response is received from the Authenticator.
+     * @param function({data: Object}) callback
+     * @param {Object} message message Object
+     */
+    u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
+        function (callback, message) {
+            var messageObject = JSON.parse(message.data);
+            var intentUrl = messageObject['intentURL'];
+
+            var errorCode = messageObject['errorCode'];
+            var responseObject = null;
+            if (messageObject.hasOwnProperty('data')) {
+                responseObject = /** @type {Object} */ (
+                    JSON.parse(messageObject['data']));
+            }
+
+            callback({ 'data': responseObject });
+        };
+
+    /**
+     * Base URL for intents to Authenticator.
+     * @const
+     * @private
+     */
+    u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
+        'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
+
+    /**
+     * Wrap the iOS client app with a MessagePort interface.
+     * @constructor
+     * @private
+     */
+    u2f.WrappedIosPort_ = function () { };
+
+    /**
+     * Launch the iOS client app request
+     * @param {Object} message
+     */
+    u2f.WrappedIosPort_.prototype.postMessage = function (message) {
+        var str = JSON.stringify(message);
+        var url = "u2f://auth?" + encodeURI(str);
+        location.replace(url);
+    };
+
+    /**
+     * Tells what type of port this is.
+     * @return {String} port type
+     */
+    u2f.WrappedIosPort_.prototype.getPortType = function () {
+        return "WrappedIosPort_";
+    };
+
+    /**
+     * Emulates the HTML 5 addEventListener interface.
+     * @param {string} eventName
+     * @param {function({data: Object})} handler
+     */
+    u2f.WrappedIosPort_.prototype.addEventListener = function (eventName, handler) {
+        var name = eventName.toLowerCase();
+        if (name !== 'message') {
+            console.error('WrappedIosPort only supports message');
+        }
+    };
+
+    /**
+     * Sets up an embedded trampoline iframe, sourced from the extension.
+     * @param {function(MessagePort)} callback
+     * @private
+     */
+    u2f.getIframePort_ = function (callback) {
+        // Create the iframe
+        var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
+        var iframe = document.createElement('iframe');
+        iframe.src = iframeOrigin + '/u2f-comms.html';
+        iframe.setAttribute('style', 'display:none');
+        document.body.appendChild(iframe);
+
+        var channel = new MessageChannel();
+        var ready = function (message) {
+            if (message.data == 'ready') {
+                channel.port1.removeEventListener('message', ready);
+                callback(channel.port1);
+            } else {
+                console.error('First event on iframe port was not "ready"');
+            }
+        };
+        channel.port1.addEventListener('message', ready);
+        channel.port1.start();
+
+        iframe.addEventListener('load', function () {
+            // Deliver the port to the iframe and initialize
+            iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
+        });
+    };
+
+
+    //High-level JS API
+
+    /**
+     * Default extension response timeout in seconds.
+     * @const
+     */
+    u2f.EXTENSION_TIMEOUT_SEC = 30;
+
+    /**
+     * A singleton instance for a MessagePort to the extension.
+     * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
+     * @private
+     */
+    u2f.port_ = null;
+
+    /**
+     * Callbacks waiting for a port
+     * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
+     * @private
+     */
+    u2f.waitingForPort_ = [];
+
+    /**
+     * A counter for requestIds.
+     * @type {number}
+     * @private
+     */
+    u2f.reqCounter_ = 0;
+
+    /**
+     * A map from requestIds to client callbacks
+     * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
+     *                       |function((u2f.Error|u2f.SignResponse)))>}
+     * @private
+     */
+    u2f.callbackMap_ = {};
+
+    /**
+     * Creates or retrieves the MessagePort singleton to use.
+     * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+     * @private
+     */
+    u2f.getPortSingleton_ = function (callback) {
+        if (u2f.port_) {
+            callback(u2f.port_);
+        } else {
+            if (u2f.waitingForPort_.length == 0) {
+                u2f.getMessagePort(function (port) {
+                    u2f.port_ = port;
+                    u2f.port_.addEventListener('message',
+            /** @type {function(Event)} */(u2f.responseHandler_));
+
+                    // Careful, here be async callbacks. Maybe.
+                    while (u2f.waitingForPort_.length)
+                        u2f.waitingForPort_.shift()(u2f.port_);
+                });
+            }
+            u2f.waitingForPort_.push(callback);
+        }
+    };
+
+    /**
+     * Handles response messages from the extension.
+     * @param {MessageEvent.<u2f.Response>} message
+     * @private
+     */
+    u2f.responseHandler_ = function (message) {
+        var response = message.data;
+        var reqId = response['requestId'];
+        if (!reqId || !u2f.callbackMap_[reqId]) {
+            console.error('Unknown or missing requestId in response.');
+            return;
+        }
+        var cb = u2f.callbackMap_[reqId];
+        delete u2f.callbackMap_[reqId];
+        cb(response['responseData']);
+    };
+
+    /**
+     * Dispatches an array of sign requests to available U2F tokens.
+     * If the JS API version supported by the extension is unknown, it first sends a
+     * message to the extension to find out the supported API version and then it sends
+     * the sign request.
+     * @param {string=} appId
+     * @param {string=} challenge
+     * @param {Array<u2f.RegisteredKey>} registeredKeys
+     * @param {function((u2f.Error|u2f.SignResponse))} callback
+     * @param {number=} opt_timeoutSeconds
+     */
+    u2f.sign = function (appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+        if (js_api_version === undefined) {
+            // Send a message to get the extension to JS API version, then send the actual sign request.
+            u2f.getApiVersion(
+                function (response) {
+                    js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
+                    console.log("Extension JS API Version: ", js_api_version);
+                    u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+                });
+        } else {
+            // We know the JS API version. Send the actual sign request in the supported API version.
+            u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+        }
+    };
+
+    /**
+     * Dispatches an array of sign requests to available U2F tokens.
+     * @param {string=} appId
+     * @param {string=} challenge
+     * @param {Array<u2f.RegisteredKey>} registeredKeys
+     * @param {function((u2f.Error|u2f.SignResponse))} callback
+     * @param {number=} opt_timeoutSeconds
+     */
+    u2f.sendSignRequest = function (appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+        u2f.getPortSingleton_(function (port) {
+            var reqId = ++u2f.reqCounter_;
+            u2f.callbackMap_[reqId] = callback;
+            var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+                opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+            var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
+            port.postMessage(req);
+        });
+    };
+
+    /**
+     * Dispatches register requests to available U2F tokens. An array of sign
+     * requests identifies already registered tokens.
+     * If the JS API version supported by the extension is unknown, it first sends a
+     * message to the extension to find out the supported API version and then it sends
+     * the register request.
+     * @param {string=} appId
+     * @param {Array<u2f.RegisterRequest>} registerRequests
+     * @param {Array<u2f.RegisteredKey>} registeredKeys
+     * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+     * @param {number=} opt_timeoutSeconds
+     */
+    u2f.register = function (appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+        if (js_api_version === undefined) {
+            // Send a message to get the extension to JS API version, then send the actual register request.
+            u2f.getApiVersion(
+                function (response) {
+                    js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
+                    console.log("Extension JS API Version: ", js_api_version);
+                    u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+                        callback, opt_timeoutSeconds);
+                });
+        } else {
+            // We know the JS API version. Send the actual register request in the supported API version.
+            u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+                callback, opt_timeoutSeconds);
+        }
+    };
+
+    /**
+     * Dispatches register requests to available U2F tokens. An array of sign
+     * requests identifies already registered tokens.
+     * @param {string=} appId
+     * @param {Array<u2f.RegisterRequest>} registerRequests
+     * @param {Array<u2f.RegisteredKey>} registeredKeys
+     * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+     * @param {number=} opt_timeoutSeconds
+     */
+    u2f.sendRegisterRequest = function (appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+        u2f.getPortSingleton_(function (port) {
+            var reqId = ++u2f.reqCounter_;
+            u2f.callbackMap_[reqId] = callback;
+            var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+                opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+            var req = u2f.formatRegisterRequest_(
+                appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
+            port.postMessage(req);
+        });
+    };
+
+
+    /**
+     * Dispatches a message to the extension to find out the supported
+     * JS API version.
+     * If the user is on a mobile phone and is thus using Google Authenticator instead
+     * of the Chrome extension, don't send the request and simply return 0.
+     * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
+     * @param {number=} opt_timeoutSeconds
+     */
+    u2f.getApiVersion = function (callback, opt_timeoutSeconds) {
+        u2f.getPortSingleton_(function (port) {
+            // If we are using Android Google Authenticator or iOS client app,
+            // do not fire an intent to ask which JS API version to use.
+            if (port.getPortType) {
+                var apiVersion;
+                switch (port.getPortType()) {
+                    case 'WrappedIosPort_':
+                    case 'WrappedAuthenticatorPort_':
+                        apiVersion = 1.1;
+                        break;
+
+                    default:
+                        apiVersion = 0;
+                        break;
+                }
+                callback({ 'js_api_version': apiVersion });
+                return;
+            }
+            var reqId = ++u2f.reqCounter_;
+            u2f.callbackMap_[reqId] = callback;
+            var req = {
+                type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
+                timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
+                    opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
+                requestId: reqId
+            };
+            port.postMessage(req);
+        });
+    };
+
+    /**
+     * Modification:
+     * Assign u2f back to window (root) scope.
+     */
+    root.u2f = u2f;
+}(this));

src/scss/plugins.scss

@@ -30,6 +30,12 @@
   width: 100%;
 }
 
+#cme_iframe {
+  border: none;
+  height: 0;
+  width: 0;
+}
+
 .list-group-2fa {
   .logo-2fa {
     min-width: 100px;

src/services/keyConnector.service.ts

@@ -0,0 +1,105 @@
+import { Injectable } from "@angular/core";
+
+import { ApiService } from "jslib-common/abstractions/api.service";
+import { CryptoService } from "jslib-common/abstractions/crypto.service";
+import { CryptoFunctionService } from "jslib-common/abstractions/cryptoFunction.service";
+import { EnvironmentService } from "jslib-common/abstractions/environment.service";
+import { LogService } from "jslib-common/abstractions/log.service";
+import { OrganizationService } from "jslib-common/abstractions/organization.service";
+import { PlatformUtilsService } from "jslib-common/abstractions/platformUtils.service";
+import { StateService } from "jslib-common/abstractions/state.service";
+import { TokenService } from "jslib-common/abstractions/token.service";
+
+import { CMEIFrame } from "jslib-common/misc/cme_iframe";
+import { KeyConnectorUserKeyRequest } from "jslib-common/models/request/keyConnectorUserKeyRequest";
+import { KeyConnectorUserKeyResponse } from "jslib-common/models/response/keyConnectorUserKeyResponse";
+
+import { KeyConnectorService as BaseKeyConnectorService } from "jslib-common/services/keyConnector.service";
+
+@Injectable()
+export class KeyConnectorService extends BaseKeyConnectorService {
+  constructor(
+    stateService: StateService,
+    cryptoFunctionService: CryptoFunctionService,
+    cryptoService: CryptoService,
+    apiService: ApiService,
+    tokenService: TokenService,
+    logService: LogService,
+    organizationService: OrganizationService,
+    private environmentService: EnvironmentService,
+    private platformUtilsService: PlatformUtilsService
+  ) {
+    super(
+      stateService,
+      cryptoFunctionService,
+      cryptoService,
+      apiService,
+      tokenService,
+      logService,
+      organizationService
+    );
+  }
+
+  protected async getUserKeyFromKeyConnector(url: string): Promise<KeyConnectorUserKeyResponse> {
+    if (this.platformUtilsService.isSelfHost()) {
+      return super.getUserKeyFromKeyConnector(url);
+    }
+
+    const frame = this.createIframe();
+    frame.frame.initGet(await this.apiService.getActiveBearerToken(), url);
+
+    return frame.promise.then((key: string) => new KeyConnectorUserKeyResponse({ Key: key }));
+  }
+
+  protected async postUserKeyToKeyConnector(
+    url: string,
+    request: KeyConnectorUserKeyRequest
+  ): Promise<void> {
+    if (this.platformUtilsService.isSelfHost()) {
+      return super.postUserKeyToKeyConnector(url, request);
+    }
+
+    const frame = this.createIframe();
+    frame.frame.initPost(await this.apiService.getActiveBearerToken(), url, request.key);
+
+    // tslint:disable-next-line
+    return frame.promise.then(() => {});
+  }
+
+  private createIframe(): { frame: CMEIFrame; promise: Promise<string> } {
+    const el = this.createIframeElement();
+
+    const webVaultUrl = this.environmentService.getWebVaultUrl();
+
+    let iframe: CMEIFrame;
+
+    const promise: Promise<string> = new Promise(async (resolve) => {
+      iframe = new CMEIFrame(
+        window,
+        webVaultUrl,
+        resolve,
+        (error: string) => {
+          this.platformUtilsService.showToast("error", null, error);
+        },
+        (info: string) => {
+          this.logService.info(info);
+        }
+      );
+    });
+
+    promise.finally(() => el.remove());
+
+    return {
+      frame: iframe,
+      promise: promise,
+    };
+  }
+
+  private createIframeElement() {
+    const el = document.createElement("iframe");
+    el.id = "cme_iframe";
+    document.body.appendChild(el);
+
+    return el;
+  }
+}

tsconfig.json

@@ -1,6 +1,13 @@
 {
-  "extends": "./jslib/shared/tsconfig",
   "compilerOptions": {
+    "moduleResolution": "node",
+    "noImplicitAny": true,
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "module": "commonjs",
+    "target": "es2015",
+    "lib": ["es5", "es6", "dom"],
+    "sourceMap": true,
     "baseUrl": ".",
     "paths": {
       "tldjs": ["jslib/common/src/misc/tldjs.noop"],

webpack.config.js

@@ -31,7 +31,7 @@ const moduleRules = [
     test: /.(ttf|otf|eot|svg|woff(2)?)(\?[a-z0-9]+)?$/,
     exclude: /loading(|-white).svg/,
     generator: {
-      filename: "fonts/[name][ext]",
+      filename: "fonts/[name].[ext]",
     },
     type: "asset/resource",
   },
@@ -39,7 +39,7 @@ const moduleRules = [
     test: /\.(jpe?g|png|gif|svg|webp|avif)$/i,
     exclude: /.*(fontawesome-webfont)\.svg/,
     generator: {
-      filename: "images/[name][ext]",
+      filename: "images/[name].[ext]",
     },
     type: "asset/resource",
   },
@@ -77,6 +77,11 @@ const plugins = [
     filename: "duo-connector.html",
     chunks: ["connectors/duo"],
   }),
+  new HtmlWebpackPlugin({
+    template: "./src/connectors/u2f.html",
+    filename: "u2f-connector.html",
+    chunks: ["connectors/u2f"],
+  }),
   new HtmlWebpackPlugin({
     template: "./src/connectors/webauthn.html",
     filename: "webauthn-connector.html",
@@ -107,6 +112,11 @@ const plugins = [
     filename: "captcha-mobile-connector.html",
     chunks: ["connectors/captcha"],
   }),
+  new HtmlWebpackPlugin({
+    template: "./src/connectors/cme.html",
+    filename: "cme-connector.html",
+    chunks: ["connectors/cme"],
+  }),
   new CopyWebpackPlugin({
     patterns: [
       { from: "./src/.nojekyll" },
@@ -118,6 +128,7 @@ const plugins = [
       { from: "./src/404", to: "404" },
       { from: "./src/images", to: "images" },
       { from: "./src/locales", to: "locales" },
+      { from: "./src/scripts", to: "scripts" },
       { from: "./node_modules/qrious/dist/qrious.min.js", to: "scripts" },
       { from: "./node_modules/braintree-web-drop-in/dist/browser/dropin.js", to: "scripts" },
       {
@@ -209,13 +220,18 @@ const webpackConfig = {
   entry: {
     "app/polyfills": "./src/app/polyfills.ts",
     "app/main": "./src/app/main.ts",
+    "connectors/u2f": "./src/connectors/u2f.js",
     "connectors/webauthn": "./src/connectors/webauthn.ts",
     "connectors/webauthn-fallback": "./src/connectors/webauthn-fallback.ts",
     "connectors/duo": "./src/connectors/duo.ts",
     "connectors/sso": "./src/connectors/sso.ts",
     "connectors/captcha": "./src/connectors/captcha.ts",
+    "connectors/cme": "./src/connectors/cme.ts",
     theme_head: "./src/theme.js",
   },
+  externals: {
+    u2f: "u2f",
+  },
   optimization: {
     splitChunks: {
       cacheGroups: {