mirror of
https://github.com/bitwarden/clients.git
synced 2026-02-11 03:15:16 +08:00
07c2c2af20
* [EC-1070] Introduce flag for enforcing master password policy on login * [EC-1070] Update master password policy form Add the ability to toggle enforceOnLogin flag in web * [EC-1070] Add API method to retrieve all policies for the current user * [EC-1070] Refactor forcePasswordReset in state service to support more options - Use an options class to provide a reason and optional organization id - Use the OnDiskMemory storage location so the option persists between the same auth session * [AC-1070] Retrieve single master password policy from identity token response Additionally, store the policy in the login strategy for future use * [EC-1070] Introduce master password evaluation in the password login strategy - If a master password policy is returned from the identity result, evaluate the password. - If the password does not meet the requirements, save the forcePasswordReset options - Add support for 2FA by storing the results of the password evaluation on the login strategy instance - Add unit tests to password login strategy * [AC-1070] Modify admin password reset component to support update master password on login - Modify the warning message to depend on the reason - Use the forcePasswordResetOptions in the update temp password component * [EC-1070] Require current master password when updating weak mp on login - Inject user verification service to verify the user - Conditionally show the current master password field only when updating a weak mp. Admin reset does not require the current master password. * [EC-1070] Implement password policy check during vault unlock Checking the master password during unlock is the only applicable place to enforce the master password policy check for SSO users. * [EC-1070] CLI - Add ability to load MP policies on login Inject policyApi and organization services into the login command * [EC-1070] CLI - Refactor update temp password logic to support updating weak passwords - Introduce new shared method for collecting a valid and confirmed master password from the CLI and generating a new encryption key - Add separate methods for updating temp passwords and weak passwords. - Utilize those methods during login flow if not using an API key * [EC-1070] Add route guard to force password reset when required * [AC-1070] Use master password policy from verify password response in lock component * [EC-1070] Update labels in update password component * [AC-1070] Fix policy service tests * [AC-1070] CLI - Force sync before any password reset flow Move up the call to sync the vault before attempting to collect a new master password. Ensures the master password policies are available. * [AC-1070] Remove unused getAllPolicies method from policy api service * [AC-1070] Fix missing enforceOnLogin copy in policy service * [AC-1070] Include current master password on desktop/browser update password page templates * [AC-1070] Check for forced password reset on account switch in Desktop * [AC-1070] Rename WeakMasterPasswordOnLogin to WeakMasterPassword * [AC-1070] Update AuthServiceInitOptions * [AC-1070] Add None force reset password reason * [AC-1070] Remove redundant ForcePasswordResetOptions class and replace with ForcePasswordResetReason enum * [AC-1070] Rename ForceResetPasswordReason file * [AC-1070] Simplify conditional * [AC-1070] Refactor logic that saves password reset flag * [AC-1070] Remove redundant constructors * [AC-1070] Remove unnecessary state service call * [AC-1070] Update master password policy component - Use typed reactive form - Use CL form components - Remove bootstrap - Update error component to support min/max - Use Utils.minimumPasswordLength value for min value form validation * [AC-1070] Cleanup leftover html comment * [AC-1070] Remove overridden default values from MasterPasswordPolicyResponse * [AC-1070] Hide current master password input in browser for admin password reset * [AC-1070] Remove clientside user verification * [AC-1070] Update temp password web component to use CL - Use CL for form inputs in the Web component template - Remove most of the bootstrap classes in the Web component template - Use userVerificationService to build the password request - Remove redundant current master password null check * [AC-1070] Replace repeated user inputs email parsing helpers - Update passwordStrength() method to accept an optional email argument that will be parsed into separate user inputs for use with zxcvbn - Remove all other repeated getUserInput helper methods that parsed user emails and use the new passwordStrength signature * [AC-1070] Fix broken login command after forcePasswordReset enum refactor * [AC-1070] Reduce side effects in base login strategy - Remove masterPasswordPolicy property from base login.strategy.ts - Include an IdentityResponse in base startLogin() in addition to AuthResult - Use the new IdentityResponse to parse the master password policy info only in the PasswordLoginStrategy * [AC-1070] Cleanup password login strategy tests * [AC-1070] Remove unused field * [AC-1070] Strongly type postAccountVerifyPassword API service method - Remove redundant verify master password response - Use MasterPasswordPolicyResponse instead * [AC-1070] Use ForceResetPassword.None during account switch check * [AC-1070] Fix check for forcePasswordReset reason after addition of None * [AC-1070] Redirect a user home if on the update temp password page without a reason * [AC-1070] Use bit-select and bit-option * [AC-1070] Reduce explicit form control definitions for readability * [AC-1070] Import SelectModule in Shared web module * [AC-1070] Add check for missing 'at' symbol * [AC-1070] Remove redundant unpacking and null coalescing * [AC-1070] Update passwordStrength signature and add jsdocs * [AC-1070] Remove variable abbreviation * [AC-1070] Restore Id attributes on form inputs * [AC-1070] Clarify input value min/max error messages * [AC-1070] Add input min/max value example to storybook * [AC-1070] Add missing spinner to update temp password form * [AC-1070] Add missing ids to form elements * [AC-1070] Remove duplicate force sync and update comment * [AC-1070] Switch backticks to quotation marks --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
213 lines
7.7 KiB
TypeScript
213 lines
7.7 KiB
TypeScript
import { Directive, OnDestroy, OnInit } from "@angular/core";
|
|
import { Router } from "@angular/router";
|
|
import { Subject, takeUntil } from "rxjs";
|
|
|
|
import { AnonymousHubService } from "@bitwarden/common/abstractions/anonymousHub.service";
|
|
import { ApiService } from "@bitwarden/common/abstractions/api.service";
|
|
import { AppIdService } from "@bitwarden/common/abstractions/appId.service";
|
|
import { CryptoService } from "@bitwarden/common/abstractions/crypto.service";
|
|
import { CryptoFunctionService } from "@bitwarden/common/abstractions/cryptoFunction.service";
|
|
import { EnvironmentService } from "@bitwarden/common/abstractions/environment.service";
|
|
import { I18nService } from "@bitwarden/common/abstractions/i18n.service";
|
|
import { LogService } from "@bitwarden/common/abstractions/log.service";
|
|
import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
|
|
import { StateService } from "@bitwarden/common/abstractions/state.service";
|
|
import { ValidationService } from "@bitwarden/common/abstractions/validation.service";
|
|
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
|
|
import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
|
|
import { AuthRequestType } from "@bitwarden/common/auth/enums/auth-request-type";
|
|
import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
|
|
import { PasswordlessLogInCredentials } from "@bitwarden/common/auth/models/domain/log-in-credentials";
|
|
import { PasswordlessCreateAuthRequest } from "@bitwarden/common/auth/models/request/passwordless-create-auth.request";
|
|
import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
|
|
import { Utils } from "@bitwarden/common/misc/utils";
|
|
import { SymmetricCryptoKey } from "@bitwarden/common/models/domain/symmetric-crypto-key";
|
|
import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
|
|
import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
|
|
|
|
import { CaptchaProtectedComponent } from "./captcha-protected.component";
|
|
|
|
@Directive()
|
|
export class LoginWithDeviceComponent
|
|
extends CaptchaProtectedComponent
|
|
implements OnInit, OnDestroy
|
|
{
|
|
private destroy$ = new Subject<void>();
|
|
email: string;
|
|
showResendNotification = false;
|
|
passwordlessRequest: PasswordlessCreateAuthRequest;
|
|
fingerprintPhrase: string;
|
|
onSuccessfulLoginTwoFactorNavigate: () => Promise<any>;
|
|
onSuccessfulLogin: () => Promise<any>;
|
|
onSuccessfulLoginNavigate: () => Promise<any>;
|
|
onSuccessfulLoginForceResetNavigate: () => Promise<any>;
|
|
|
|
protected twoFactorRoute = "2fa";
|
|
protected successRoute = "vault";
|
|
protected forcePasswordResetRoute = "update-temp-password";
|
|
private resendTimeout = 12000;
|
|
private authRequestKeyPair: [publicKey: ArrayBuffer, privateKey: ArrayBuffer];
|
|
|
|
constructor(
|
|
protected router: Router,
|
|
private cryptoService: CryptoService,
|
|
private cryptoFunctionService: CryptoFunctionService,
|
|
private appIdService: AppIdService,
|
|
private passwordGenerationService: PasswordGenerationServiceAbstraction,
|
|
private apiService: ApiService,
|
|
private authService: AuthService,
|
|
private logService: LogService,
|
|
environmentService: EnvironmentService,
|
|
i18nService: I18nService,
|
|
platformUtilsService: PlatformUtilsService,
|
|
private anonymousHubService: AnonymousHubService,
|
|
private validationService: ValidationService,
|
|
private stateService: StateService,
|
|
private loginService: LoginService
|
|
) {
|
|
super(environmentService, i18nService, platformUtilsService);
|
|
|
|
const navigation = this.router.getCurrentNavigation();
|
|
if (navigation) {
|
|
this.email = this.loginService.getEmail();
|
|
}
|
|
|
|
//gets signalR push notification
|
|
this.authService
|
|
.getPushNotifcationObs$()
|
|
.pipe(takeUntil(this.destroy$))
|
|
.subscribe((id) => {
|
|
this.confirmResponse(id);
|
|
});
|
|
}
|
|
|
|
async ngOnInit() {
|
|
if (!this.email) {
|
|
this.router.navigate(["/login"]);
|
|
return;
|
|
}
|
|
|
|
this.startPasswordlessLogin();
|
|
}
|
|
|
|
async startPasswordlessLogin() {
|
|
this.showResendNotification = false;
|
|
|
|
try {
|
|
await this.buildAuthRequest();
|
|
const reqResponse = await this.apiService.postAuthRequest(this.passwordlessRequest);
|
|
|
|
if (reqResponse.id) {
|
|
this.anonymousHubService.createHubConnection(reqResponse.id);
|
|
}
|
|
} catch (e) {
|
|
this.logService.error(e);
|
|
}
|
|
|
|
setTimeout(() => {
|
|
this.showResendNotification = true;
|
|
}, this.resendTimeout);
|
|
}
|
|
|
|
ngOnDestroy(): void {
|
|
this.destroy$.next();
|
|
this.destroy$.complete();
|
|
this.anonymousHubService.stopHubConnection();
|
|
}
|
|
|
|
private async confirmResponse(requestId: string) {
|
|
try {
|
|
const response = await this.apiService.getAuthResponse(
|
|
requestId,
|
|
this.passwordlessRequest.accessCode
|
|
);
|
|
|
|
if (!response.requestApproved) {
|
|
return;
|
|
}
|
|
|
|
const credentials = await this.buildLoginCredntials(requestId, response);
|
|
const loginResponse = await this.authService.logIn(credentials);
|
|
|
|
if (loginResponse.requiresTwoFactor) {
|
|
if (this.onSuccessfulLoginTwoFactorNavigate != null) {
|
|
this.onSuccessfulLoginTwoFactorNavigate();
|
|
} else {
|
|
this.router.navigate([this.twoFactorRoute]);
|
|
}
|
|
} else if (loginResponse.forcePasswordReset != ForceResetPasswordReason.None) {
|
|
if (this.onSuccessfulLoginForceResetNavigate != null) {
|
|
this.onSuccessfulLoginForceResetNavigate();
|
|
} else {
|
|
this.router.navigate([this.forcePasswordResetRoute]);
|
|
}
|
|
} else {
|
|
await this.setRememberEmailValues();
|
|
if (this.onSuccessfulLogin != null) {
|
|
this.onSuccessfulLogin();
|
|
}
|
|
if (this.onSuccessfulLoginNavigate != null) {
|
|
this.onSuccessfulLoginNavigate();
|
|
} else {
|
|
this.router.navigate([this.successRoute]);
|
|
}
|
|
}
|
|
} catch (error) {
|
|
if (error instanceof ErrorResponse) {
|
|
this.router.navigate(["/login"]);
|
|
this.validationService.showError(error);
|
|
return;
|
|
}
|
|
|
|
this.logService.error(error);
|
|
}
|
|
}
|
|
|
|
async setRememberEmailValues() {
|
|
const rememberEmail = this.loginService.getRememberEmail();
|
|
const rememberedEmail = this.loginService.getEmail();
|
|
await this.stateService.setRememberedEmail(rememberEmail ? rememberedEmail : null);
|
|
this.loginService.clearValues();
|
|
}
|
|
|
|
private async buildAuthRequest() {
|
|
this.authRequestKeyPair = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
|
|
const deviceIdentifier = await this.appIdService.getAppId();
|
|
const publicKey = Utils.fromBufferToB64(this.authRequestKeyPair[0]);
|
|
const accessCode = await this.passwordGenerationService.generatePassword({ length: 25 });
|
|
|
|
this.fingerprintPhrase = (
|
|
await this.cryptoService.getFingerprint(this.email, this.authRequestKeyPair[0])
|
|
).join("-");
|
|
|
|
this.passwordlessRequest = new PasswordlessCreateAuthRequest(
|
|
this.email,
|
|
deviceIdentifier,
|
|
publicKey,
|
|
AuthRequestType.AuthenticateAndUnlock,
|
|
accessCode
|
|
);
|
|
}
|
|
|
|
private async buildLoginCredntials(
|
|
requestId: string,
|
|
response: AuthRequestResponse
|
|
): Promise<PasswordlessLogInCredentials> {
|
|
const decKey = await this.cryptoService.rsaDecrypt(response.key, this.authRequestKeyPair[1]);
|
|
const decMasterPasswordHash = await this.cryptoService.rsaDecrypt(
|
|
response.masterPasswordHash,
|
|
this.authRequestKeyPair[1]
|
|
);
|
|
const key = new SymmetricCryptoKey(decKey);
|
|
const localHashedPassword = Utils.fromBufferToUtf8(decMasterPasswordHash);
|
|
|
|
return new PasswordlessLogInCredentials(
|
|
this.email,
|
|
this.passwordlessRequest.accessCode,
|
|
requestId,
|
|
key,
|
|
localHashedPassword
|
|
);
|
|
}
|
|
}
|