* feat(accept-emergency) [PM-33437]: Add guid boundary detection to component.
* refactor(accept-emergency) [PM-33437]: Re-group and re-name id validation for readability.
* adds changePasswordUrl as the href target
* passes changePasswordUrl to subcomponent
* updates href logic
* allows changePasswordUrl to be null without error
* changes banner from a link to just text if there is no http(s) uri
* removes change me link under the password field if there is no http(s) uri
* update vulnerable password copy
* changes backend services calls to only when at risk password link needs to be shown
* Show more descriptive error on expired tokens
* Separate org invitation acceptance from others
* Adjust variable names
* Account for additional invitation-accept error
* feat: add full middleware pipeline support
* Retrieve cookies from storage and attach cookies using Electron session
* Register middleware to act on fetch redirect to acquire cookie for SSO
* Add missing tests
* fix: acquireCookies call
* fix: cookies not getting set
* feat: add vaultUrl to server communication config
* feat: adapt to receiving vaultUrl in acquireCookies
* fix: remove localhost connector override
* Fix requests can't be re-used
* Add small delay to ensure cookies are saved before retrying requests
* Fix vaultUrl being set twice
* Add mock clone method
* Fix sso-cookie.main tests
* Remove old FIXME
* Re-use request and fix test
* Add missing coverage checking that needsBootsrap is called
* In case the hostname can't be extracted, the response is returned
* Only check the responseType instead of also checking statuscodes for redirects
* Bump the sdk-version
* Prepend https:// if necessary before launching the connector url
* Do not retry if needsBootstrap returns false
---------
Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
Updates the `ChangePasswordService` (`changePassword()` and `changePasswordForAccountRecovery()`) to use the new KM data types :
- `MasterPasswordAuthenticationData`
- `MasterPasswordUnlockData`
This allows us to move away from the deprecated `makeMasterKey()` method (which takes email as salt) as we seek to eventually separate the email from the salt.
Also moves current password validation into the default and web change password services.
Behind feature flag: `pm-27086-update-authentication-apis-for-input-password`
* Refactor user self-revocation message in event service and update localization string. The message now provides a clearer context for the action taken by the user.
* Update user self-revocation message in event service and add corresponding localization string. The new message enhances clarity regarding the user's action of declining organization ownership transfer.
* Update user self-revocation message to include user ID placeholder for improved clarity in localization. This change enhances the context of the user's action when self-revoking from an organization.
* Fix bug causing ciphers not to load under certain circumstances.
* Don't set admin flag for non-admin cipher attachment operations
* Use the same flag for getCipherAdmin as for calling Admin API
* Set 'edit' flag on admin
* [PM-27772] Add TrendWidget component with Chart.js implementation (#19078)
Add reusable TrendWidget component with Chart.js line chart for displaying risk trends over time in Access Intelligence.
- Configurable datetime/linear x-axis scales
- Theme-aware colors from design system (brand-700/400, gray-200/600)
- Full i18n support (10 new translation keys)
- Loading spinner and error state handling
- Proper Chart.js lifecycle management
* [PM-28530] Implement period selector UI component (#19162)
* feat(dirt): define TimePeriod type for risk-over-time period selector
Add const object type for 5 time periods (month, 3mo, 6mo, 12mo, all)
following ADR-0025 no-enum pattern. Includes PeriodOption interface
and PERIOD_OPTIONS config for rendering.
[PM-28530]
* feat(dirt): create PeriodSelectorComponent using bit-menu
Custom trigger button with bit-menu dropdown for risk-over-time
time period selection. No clear button, neutral styling matching
Figma design. Check icon marks current selection.
[PM-28530]
* feat(dirt): add barrel export for period selector
[PM-28530]
* feat(dirt): add i18n strings for period selector options
Add translation keys for time period labels: pastMonth, last3Months,
last6Months, last12Months, and timePeriod placeholder.
[PM-28530]
* feat(dirt): add Storybook stories for PeriodSelectorComponent
Stories for default state, pre-selected 3 months, and disabled state.
[PM-28530]
* test(dirt): add unit tests for PeriodSelectorComponent
Tests cover default state, period options with pre-translated labels,
selection changes, and selected label reactivity.
[PM-28530]
* feat(dirt): integrate PeriodSelector into TrendWidget component
Replace placeholder with dirt-period-selector dropdown. Add TimePeriod
to TrendWidgetTimespan mapping layer to bridge the two type systems.
Remove standalone Storybook story and disabled input per review feedback
— component now lives inside TrendWidget, not standalone.
[PM-28530]
* refactor(dirt): replace model() with signal() + output() for PeriodSelector
Switch from Angular's model() API to the signal() + output() pattern
used throughout the Access Intelligence module. This matches the
existing convention in TrendWidget (selectedTimespan/timespanChanged),
app-table-row-scrollable (checkboxChange/selectAllChange), and
review-applications-view (onToggleSelection/onToggleAll).
Changes:
- Replace model<TimePeriod>() with signal<TimePeriod>() for internal state
- Add explicit selectedPeriodChange output for parent notification
- Manual .emit() in selectPeriod() to match module convention
- Update test to verify output emission via subscribe spy
No functional change — both patterns emit selectedPeriodChange events.
The template binding (selectedPeriodChange)="..." is unchanged.
* refactor(dirt): update labels to match Figma and unify type system
Update period selector labels per Figma design:
- "Last 3 months" → "Past 3 months" (past3Months)
- "Last 6 months" → "Past 6 months" (past6Months)
- "Last 12 months" → "Past year" (pastYear)
- "All" → "All time" (allTime, new key — pre-existing "all" key untouched)
Rename TimePeriod const keys to match labels:
- Last3Months → Past3Months
- Last6Months → Past6Months
- Last12Months → PastYear
- All → AllTime
Wire values unchanged ("month", "3mo", "6mo", "12mo", "all") to
preserve server API compatibility.
Remove TrendWidgetTimespan entirely — TrendWidget now uses TimePeriod
directly for signals, outputs, and data model. Eliminates the temporary
mapping layer (timePeriodMap + onPeriodSelectorChange). Period selector
wires directly to onTimespanChange().
[PM-28530]
* [PM-28533] Add view selector to TrendWidget component (#19163)
Adds the view selector button group to the TrendWidget component. Hooks up to existing signal and emits events when the view mode is changed. In future development, the parent component of TrendWidget will need to handle these events to fetch updated chart data from the API.
View options are:
Applications
Passwords
Members
* Fix TimePeriod type errors in TrendWidget stories (#19239)
Replace invalid "past-month" string literals with TimePeriod.PastMonth
constant to match the TimePeriod type definition. The TimePeriod const
object uses "month" as the value for PastMonth, not "past-month".
* [PM-32056] Add feature flag for access intelligence trend chart (#19164)
* feat(dirt): add feature flag for access intelligence trend chart
Register the `pm-26961-access-intelligence-trend-chart` feature flag
to gate the upcoming TrendChart widget in the Activity tab. Default
is FALSE (disabled). PM-32057 will consume this flag when wiring up
the widget component.
[PM-32056]
* feat(dirt): read trend chart feature flag in activity component
Inject ConfigService into AllActivityComponent and read the
AccessIntelligenceTrendChart flag on init. This prepares the
component for the TrendChart widget to be conditionally rendered.
[PM-32056]
* feat(dirt): add conditional wrapper for trend chart widget
Add an @if block gated by the AccessIntelligenceTrendChart feature
flag in the Activity tab template. The TrendChart widget will be
placed inside this block when wired up.
[PM-32056]
* reset package files to main
* install chartjs using node v22
* add chartjs to dirt team deps (#19244)
* [PM-32055] Download TrendWidget chart to PNG and CSV (#19245)
This PR adds a download button to the TrendWidget component that supports downloading the "Risk over time" chart data as a PNG or in CSV format.
Logic to dynamically add a chart title and x/y axis labels is included. This required creating a service that recreates a copy of the chart with title and axis labels applied, in an off screen canvas element, and then exporting to blob for file download. This logic is owned by the ChartExportService.
* Fix readonly variables. Update chart variable to use signal
* Fix any type in test file
---------
Co-authored-by: Brad <44413459+lastbestdev@users.noreply.github.com>
Co-authored-by: Alex <55413326+AlexRubik@users.noreply.github.com>
Co-authored-by: Brad Deibert <bdeibert@bitwarden.com>
* feat(accept-organization-component) [PM-29796]: Validate Id expected shape.
* feat(utils) [PM-29796]: Remove invalidUrlParams.
* feat(utils) [PM-29796]: Re-add URL pattern matching detection with updated naming and comments.
* feat(accept-organization) [PM-29796]: Update component handling for id validation.
* feat(utils) [PM-29796]: Improve pattern-matching on utils.
* comment(accept-organization) [PM-29796]: Add comments on handling pattern.
* comment(accept-organization) [PM-29796]: Comments around authedHandler handling.
* refactor(utils) [PM-29796]: One entry per line with trailing comments for Prettier.
* refactor(accept-organization) [PM-29796]: Abstract handleInvalidInvite to its own method.
* docs(utils) [PM-29796]: Add/ungroup comments on declared match patterns.
* test(utils) [PM-29796]: Update tests and comments.
---------
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
* adds premium-upsell service
* adds and updates tests
* changes name and type in test file
* fixes strict ts
* Update libs/angular/src/vault/services/premium-upsell.service.spec.ts
fix import
Co-authored-by: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
* change initial value and fix import order
---------
Co-authored-by: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
* PM-33168 - EmergencyAccess - Add / Edit dialog - add missing validation service call to show errors as toasts
* PM-33168 - Per PR feedback, remove catch and let bitSubmit handle logging and showing error.
* PM-32487 - EmergencyAccessAddEditComponent - clean up unused service
Updates import statements in tools-related files to use direct imports
instead of re-exported paths. This prepares for removal of re-exporting
files in a follow-up PR.
Part of PM-33381
Updates import statements in vault-related files to use direct imports
instead of re-exported paths. This prepares for removal of re-exporting
files in a follow-up PR.
Part of PM-33381
* fix(register): [PM-27085] Account Register Uses New Data Types - Initial changes.
* test(register): [PM-27085] Account Register Uses New Data Types - Fixed tests.
* test(register): [PM-27085] Account Register Uses New Data Types - Updated tests.
* feat(register): [PM-27085] Account Register Uses New Data Types - Added feature flag.
* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unnecessary part of the payload.
* fix(register): [PM-27085] Account Register Uses New Data Types - Changed the feature flag to be gated with the other password input changes.
* fix(register): [PM-27085] Account Register Uses New Data Types - Added protection for feature flagged state.
* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unnecessary comment.
* fix(register): [PM-27085] Account Register Uses New Data Types - Addressed feedback.
* fix(register): [PM-27085] Account Register Uses New Data Types - Fixed tests and added comment.
* fix(register): [PM-27085] Account Register Uses New Data Types - Fixed another test.
* fix(register): [PM-27085] Account Register Uses New Data Types - And last test fix.
* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unneeded code.
* fix(register): [PM-27085] Account Register Uses New Data Types - Updated comments and fixed code from feedback.
* fix(register): [PM-27085] Account Register Uses New Data Types - Updated comments again with small styling fix.
* fix(register): [PM-27085] Account Register Uses New Data Types - Switched to snapshot testing and explicit checks for unlock and authentication data for feature flag on. Also addressed pr comments.
* test(register): [PM-27085] Account Register Uses New Data Types - Made explicit checks for critical pieces of data in tests.
* fix(feature-flag): [PM-27085] Account Register Uses New Data Types - Added in feedback from comments. Default registration tests have snapshots now and web registration has more dry code.
* [CL-1033] Migrate remaining CTAs to new icon API
Migrates buttons and links in settings and secrets manager components to use the new icon API.
* Revert unrelated .vscode/settings.json change
Removes angular.enable-strict-mode-prompt setting that was accidentally included from the source branch.
* Apply suggestion from @claude[bot]
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
* feat(event): add support for self-revocation event type and corresponding localization messages
* fix(tests): update transfer rejection logging test to ensure no event is logged when a user rejects a transfer
* feat(event-logs): add OrganizationUser_SelfRevoked event type and logging
* Handle corrupted encrypted project names gracefully
- Add decryptionError flag to ProjectView, ProjectListView, and SecretProjectView
- Wrap all project name decryption in try-catch blocks across services
- Use DECRYPT_ERROR constant instead of hardcoded strings
- Display corrupted names as clickable warning text in projects list
- Show warning badges for corrupted project names in secrets list
- Add i18n keys for error tooltips
- Add keyboard accessibility (role, tabindex, enter/space handlers)
* fixing tests
* fixing jittery loading
* refactor decline and leave to be a link button rather than a secondary button
* update supporting text for transfer dialog
* add aria-label for learn more link
* feat: remove reference to otp_invalid response since it is not used anymore
* remove usage of otpInvalid in CLI receive command
* fix: remove vestigial error types.
* chore: update sdk
* chore: fix failing test
---------
Co-authored-by: John Harrington <84741727+harr1424@users.noreply.github.com>
* Make TwoFactorIconComponent standalone
* Angular updates to TwoFactorIconComponent
- Migrate TwoFactorProviderType from enum to const (ADR25)
- Migrate Inputs to Signals
- Make provider a required input
- Use new Control Flow syntax
- Use OnPush change detection
- Memoize function for legacy providers (providers with png image)
- Add documentation
- Remove @ts-strict-ignore
- Fix type in TwoFactorSetupDuoComponent as it would default to number because of the migration of TwoFactorProviderType (enum to const). Now it can be overridden with any value of TwoFactorProviderType
* Add type guard for TwoFactorProviderType and fix CLI
* PM-32915 - Update TwoFactorProviderType to mark U2f as deprecated in favor of WebAuthn
* PM-32915 - TwoFactorIconComp - refactor to eliminate legacy providers and just use new, already available duo and yubikey SVG icons.
* PM-32915 - Add TODOs for cleaning up mfaType usages.
* PM-32915 - Remove unncessary ng-container
---------
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
* PM-24047: Make popout windows respect vault timeout when unfocused
Replace the heartbeat message-passing mechanism for popup detection
with direct browser API queries (getContexts on MV3, getExtensionViews
on MV2/Safari) that can distinguish focused from unfocused popout
windows. Unfocused popout windows no longer prevent vault timeout.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* PM-24047: Add isAnyViewFocused(), revert isPopupOpen() to simple popup detection
Addresses PR review feedback by separating focus-aware logic from the
isPopupOpen() semantics, which other callers depend on for simple
popup detection:
- BrowserApi.isPopupOpen(): reverted to return views.length > 0 for
popup-type views only (original behavior)
- BrowserApi.isAnyViewFocused(): new method that checks popup views
(always focused), sidebar tab views (always focused), and popout
tab views (focused only if document.hasFocus() is true)
- BrowserPlatformUtilsService.isPopupOpen(): simplified MV3 path
uses getContexts({ contextTypes: ['POPUP'] })
- BrowserPlatformUtilsService.isAnyViewFocused(): new method with
MV3 (POPUP/SIDE_PANEL/focused TAB) and MV2/Safari paths
- PlatformUtilsService: adds isAnyViewFocused() to the interface
- Web/Desktop/CLI stubs return false (no popout windows)
- VaultTimeoutService now calls isAnyViewFocused() instead of
isPopupOpen() so unfocused popouts don't block vault timeout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Move MV3/MV2 routing into BrowserApi
isPopupOpen() and isAnyViewFocused() now use feature detection for
chrome.runtime.getContexts to select the right API internally,
rather than having the routing in BrowserPlatformUtilsService.
This means BrowserApi is the single owner of view-detection logic,
and the service methods are simple one-line delegations.
Using typeof getContexts === "function" rather than isManifestVersion()
handles Safari naturally: if Safari doesn't support getContexts it
falls back to getExtensionViews, without needing an explicit isSafari()
exclusion.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Scope MV3/MV2 routing refactor to isAnyViewFocused only
isPopupOpen() keeps its existing pattern (MV3/MV2 routing in the
service, simple getExtensionViews in BrowserApi) to avoid touching
unrelated code. Only isAnyViewFocused() has its routing moved into
BrowserApi via feature detection.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Restore isPopupOpen to main branch implementation
isPopupOpen() and its tests are restored exactly to the main branch
version (heartbeat-based approach). Only isAnyViewFocused is new code.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Refactor isPopupOpen() to use getContexts/getViews instead of heartbeat
Replaces the message-passing heartbeat approach with the same
chrome.runtime.getContexts() (MV3) / chrome.extension.getViews() (MV2/Safari)
introspection pattern used by isAnyViewFocused(). This eliminates the need
for a heartbeat listener in the popup and makes both methods consistent.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Simplify isAnyViewFocused() using Array.some()
Collapse the two separate POPUP/SIDE_PANEL checks into a single .some()
call, and replace the synchronous MV2/Safari tab view loop with .some().
The async TAB/popout window check stays as a for loop.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: improve tabs loop readability somewhat
* PM-24047: Fix MV3 popout focus check using wrong uilocation filter
The TAB context filter was checking for `uilocation=sidebar` instead of
`uilocation=popout`. In MV3, sidebars are SIDE_PANEL contexts (already
handled above), so this filter never matched, causing focused popout
windows to be silently ignored and the vault to timeout while a user was
actively viewing one.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* PM-24047: Rename isViewOpen to isViewFocused for semantic accuracy
The variable and parameter previously named isViewOpen reflected
the old "is any view open?" semantics. After the refactor to
isAnyViewFocused(), the naming is updated to match the actual
behavior: checking whether a view is focused, not merely open.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: add bit-header component to component library
Add new bit-header component to libs/components with:
- Header component with left, center, and right content projection
- Storybook stories for documentation
- Export from component library index
* refactor: update web header to use bit-header component
- Refactor web-header to use new bit-header component from libs/components
- Extract account menu to separate component
- Update header module to import HeaderComponent
* delete web-header stories
---------
Co-authored-by: Will Martin <wmartin@Wills-MBP.attlocal.net>
* feat(billing): add taxId to upgrade organization request type
* feat(billing): implement tax ID validation for organization upgrades
* feat(billing): conditionally display tax ID field in upgrade form
* test(billing): add tax ID validation tests for organization upgrades
* fix(billing): PR feedback update
* fix(billing): remove tax id requirement for non-US billing
* test(billing): update tests for non-US billing address
* refactor: Adjust icon placement in org-switcher and nav-group components
* Move icons from 'end' to 'start' slot in org-switcher component for better alignment.
* Add conditional rendering for content in the 'start' slot of nav-group component.
* feat: Add warning icon support to navigation components
* Introduce `warningIcon` and `warningIconLabel` inputs in nav-base component for customizable warning icons.
* Update org-switcher and nav-group components to utilize the new warning icon functionality.
* Implement conditional rendering of warning icons in nav-item component for better user feedback.
* Enhance org-switcher component by replacing warning icon logic with a dedicated bit-icon element for better accessibility. Also, import IconModule to support the new icon usage.
* Refactor navigation components to remove deprecated warning icon properties and enhance structure. Updated org-switcher to utilize a dedicated bit-icon for accessibility improvements.
* Enhance org-switcher component by adding a margin utility class for improved layout consistency. Clean up nav-group component by removing deprecated slot logic for better maintainability.