Commit Graph

1965 Commits

Author SHA1 Message Date
Nick Krantz
30ab005da5
[PM-19168] Remove Archive Feature Flag (#19829)
* remove archive feature flag

* fix dependency within services module
2026-03-30 10:23:38 -05:00
Jared McCannon
2c011fcf69
[PM-30614] - Fix double event log in browser ext popup (#19657)
* Moved the task scheduler registration to the init method to ensure we're not re-registering it. Also made a no-op upload service for when the extension is popped out so we don't push events from both threads.
2026-03-30 09:33:54 -05:00
Addison Beck
02fe70eaeb
refactor(scheduling): extract @bitwarden/scheduling Nx leaf library (#19771) 2026-03-27 11:23:22 +00:00
Nick Krantz
ad7864084f
[PM-24476] At Risk Password setting (#19557)
* add setting to toggle the visibility of at-risk password settings

* add comments surrounding why/when notification setting is applicable
2026-03-26 08:58:43 -07:00
Brandon Treston
473929f0d8
remove feature flagged logic (#19718) 2026-03-25 14:09:55 -04:00
Jared Snider
8c35c781a8
Auth/PM-33353 - Password Login - refine prefetching of password prelogin data (#19510)
* PM-33353 - LoginStrategyService tests - add test to capture the bad behavior.

* PM-33353 - Extract Password Prelogin API logic to own service out of API service.

* PM-33353 - Rename prelogin request / response models to have password prefix for clarity

* PM-33353 - Build PasswordPrelogin domain service and domain model + tests

* PM-33353 - PasswordPrelogin - add barrel file

* PM-33353 - PasswordPreloginData - fromResponse - add validateKdfConfigForPrelogin so domain model is always valid.

* PM-33353 - Register PasswordPreloginApiService and PasswordPreloginService.

* PM-33353 - LoginComponent - wire up PasswordPreloginService

* PM-33353 - LoginStrategy updates - (1) Remove all password prelogin code from top level strategy service (2) Inject new PasswordPreloginService for use in the PasswordLoginStrategy.

* PM-33353 - Update Password Prelogin tests to use defaults

* PM-33353 - PasswordPreloginData model tests - update to use mins

* PM-33353 - Fix login strategy tests + get TS strict warnings fixed

* PM-33353 - Remove login component tests

* PM-33353 - Fix CLI

* PM-33353 - Password Login Strategy - add additional tests + fix misc issues + re-organized tests.

* PM-33353 - LoginComp - local AI review feedback - clean up prefetchPasswordPreloginData

* PM-33353 - Remove PM23801_PrefetchPasswordPrelogin feature flag

* PM-33353 - DefaultPasswordPreloginService - getPreloginData$ - fix shareReplay error bug state.

* PM-33353  - login-strategy.state.spec.ts - Remove incorrect todo and fix ts strict issues

* PM-33353 - Per PR feedback, Update PasswordPreloginService to add a cache clear mechanism to just tightly bound the service's memory to the lifetime of the key making process
2026-03-24 17:11:08 -04:00
Thomas Rittson
577bfbb231
Update all event import statements and remove re-exporting files (#19545)
Final import statement update after moving files to DIRT ownership
2026-03-24 16:00:39 -04:00
Jonathan Prusik
a966e75576
[PM-27368] Injected Autofill experiences should respect the user's "show animations" setting (#19622)
* toggle autofill animation based on user setting

* toggle inline-menu animation based on user setting

* toggle notification animation based on user setting

* review feedback changes

* add tests

* reformat comments
2026-03-24 15:48:17 -04:00
Jared Snider
ebd896f91a
Auth/PM-33261 - Multi-client Password Management (new for desktop & extension) (#19289)
* PM-32413 - Add hasPassword guard for future use.

* PM-32413 - Web - PasswordSettingsComp - add TODO for using new guard.

* PM-32413 - ChangePasswordComp - Add output emitter for when a password has been changed successfully.

* PM-32413 - Add feature flag

* PM-32413 - Desktop - implement change password component in a dialog.

* PM-32413 - Add change password to extension

* PM-32413 - Fix translations

* PM-32413 - Desktop - menu - add clean up todo

* PM-32413 - Feature flags - reset hardcoded true values

* PM-32413 - Add clean up todos

* PM-32413 - Extension Routing module - add hasPassword guard

* PM-32413 - add todo

* PM-32413 - Desktop / Extension - use  InputPasswordFlow.ChangePassword instead of  InputPasswordFlow.ChangePasswordWithOptionalUserKeyRotation

* PM-32413 - Finish last AI review items

* PM-32413 - Per PR feedback, update change-password-dialog title translation to one that we don't plan on removing.

* PM-32413 - Per PR feedback, update menu item id

* PM-32413 - Per local claud review - modify has-password to use UrlTree pattern.

* PM-32413 - ChangePassword comp - add  this.passwordChanged.emit(); in newly flagged code branch
2026-03-23 16:47:50 -04:00
Kyle Denney
87a636c9fc
[PM-30101] subscription discounts in web checkout (#19599)
* [PM-30101] subscription discounts in web checkout

fixing expired code

* fix missing parens

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* fix typechecking

* missing tests

* fix test

* design feedback

only show discount badges in cart summary in checkout flows

* pr feedback

---------

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
2026-03-23 13:16:33 -05:00
Jordan Aasen
d20e33c431
handle and parse errors messages for server errors in the browser (#19667) 2026-03-20 16:42:22 -07:00
Maciej Zieniuk
1b63466144
prevent the KM state used in SDK from caching and rxjs observable becoming hot observable (#19685) 2026-03-20 23:46:03 +01:00
Daniel James Smith
257b32aa7d
[PM-29480] Add dialog to cookie acquisition (#19655)
* feat: add full middleware pipeline support

* Retrieve cookies from storage and attach cookies using Electron session

* Register middleware to act on fetch redirect to acquire cookie for SSO

* Add missing tests

* fix: acquireCookies call

* fix: cookies not getting set

* feat: add vaultUrl to server communication config

* feat: adapt to receiving vaultUrl in acquireCookies

* fix: remove localhost connector override

* Fix requests can't be re-used

* Add small delay to ensure cookies are saved before retrying requests

* Fix vaultUrl being set twice

* Add mock clone method

* Fix sso-cookie.main tests

* Remove old FIXME

* Re-use request and fix test

* Add missing coverage checking that needsBootsrap is called

* In case the hostname can't be extracted, the response is returned

* Only check the responseType instead of also checking statuscodes for redirects

* Bump the sdk-version

* Prepend https:// if necessary before launching the connector url

* Add dialog to cookie acquisition

* Fix tests

* Add handling the user choosing cancel, which will now cancel the cookie acquisition

* Do not retry if needsBootstrap returns false

* Fix tests that hadn't been updated seen https:// was appended

* Move the sso cookie feature fully into desktop

* Move prompt to acquire cookie into ServerCommunicationConfigPlatformApiService and ensures that concurrent calls are dedupes during the callback await and when the dialog is open but no option has been chosen yet

* Fix broken import on sso-cookie.main.spec

* Update test suite, due to moving the dialog into the ServerCommunicationConfigPlatformApiService

* Fix import, that I missed from the move

* feat: move subscription into init function

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2026-03-20 15:34:50 +00:00
Daniel James Smith
3c4d466f25
[PM-27125] Add cookies to fetch requests (#19588)
* feat: add full middleware pipeline support

* Retrieve cookies from storage and attach cookies using Electron session

* Register middleware to act on fetch redirect to acquire cookie for SSO

* Add missing tests

* fix: acquireCookies call

* fix: cookies not getting set

* feat: add vaultUrl to server communication config

* feat: adapt to receiving vaultUrl in acquireCookies

* fix: remove localhost connector override

* Fix requests can't be re-used

* Add small delay to ensure cookies are saved before retrying requests

* Fix vaultUrl being set twice

* Add mock clone method

* Fix sso-cookie.main tests

* Remove old FIXME

* Re-use request and fix test

* Add missing coverage checking that needsBootsrap is called

* In case the hostname can't be extracted, the response is returned

* Only check the responseType instead of also checking statuscodes for redirects

* Bump the sdk-version

* Prepend https:// if necessary before launching the connector url

* Do not retry if needsBootstrap returns false

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2026-03-20 10:19:21 +01:00
Bernd Schoolmann
5b4e8c10f0
[PM-33345] Bump typescript to 5.9 (#19461)
* Bump typescript to 5.9

* Fix km types

* Fix auth types

* Fix remaining types

* Fix spec files eslint

* Fix eslint

* Prettier

* Make SendHashedPassword Uint8Array<ArrayBuffer>

* Update rul tester

* Fix tests

* Fix tests
2026-03-19 23:13:06 +01:00
John Harrington
4c9965a75f
[PM-33232] Update UX implemented in PM-33219 to resolve VULN-458 (#19514)
* send AuthType in request payload and allow empty email field

* re-introduce validation enforcing non-empty email field
2026-03-19 13:36:32 -07:00
rr-bw
411156aeaa
refactor(input-password-flows): [Auth/PM-27086] Use new KM Data Types in InputPasswordComponent flows - Change Password (#18507)
Updates the `ChangePasswordService` (`changePassword()` and `changePasswordForAccountRecovery()`) to use the new KM data types :
- `MasterPasswordAuthenticationData`
- `MasterPasswordUnlockData`

This allows us to move away from the deprecated `makeMasterKey()` method (which takes email as salt) as we seek to eventually separate the email from the salt.

Also moves current password validation into the default and web change password services.

Behind feature flag: `pm-27086-update-authentication-apis-for-input-password`
2026-03-19 10:40:14 -07:00
Jordan Aasen
c117c20755
Revert "handle and parse errors messages for server errors in the browser (#19566)" (#19662)
This reverts commit 7318376528.
2026-03-19 10:01:38 -07:00
Maciej Zieniuk
17ddfd2e20
remove pm-28813-data-recovery-tool feature flag (#19635) 2026-03-19 16:45:46 +01:00
Leslie Tilton
bfb47cc9da
Add TrendWidget Feature Work (#19639)
* [PM-27772] Add TrendWidget component with Chart.js implementation (#19078)

Add reusable TrendWidget component with Chart.js line chart for displaying risk trends over time in Access Intelligence.

- Configurable datetime/linear x-axis scales
- Theme-aware colors from design system (brand-700/400, gray-200/600)
- Full i18n support (10 new translation keys)
- Loading spinner and error state handling
- Proper Chart.js lifecycle management

* [PM-28530] Implement period selector UI component (#19162)

* feat(dirt): define TimePeriod type for risk-over-time period selector

Add const object type for 5 time periods (month, 3mo, 6mo, 12mo, all)
following ADR-0025 no-enum pattern. Includes PeriodOption interface
and PERIOD_OPTIONS config for rendering.

[PM-28530]

* feat(dirt): create PeriodSelectorComponent using bit-menu

Custom trigger button with bit-menu dropdown for risk-over-time
time period selection. No clear button, neutral styling matching
Figma design. Check icon marks current selection.

[PM-28530]

* feat(dirt): add barrel export for period selector

[PM-28530]

* feat(dirt): add i18n strings for period selector options

Add translation keys for time period labels: pastMonth, last3Months,
last6Months, last12Months, and timePeriod placeholder.

[PM-28530]

* feat(dirt): add Storybook stories for PeriodSelectorComponent

Stories for default state, pre-selected 3 months, and disabled state.

[PM-28530]

* test(dirt): add unit tests for PeriodSelectorComponent

Tests cover default state, period options with pre-translated labels,
selection changes, and selected label reactivity.

[PM-28530]

* feat(dirt): integrate PeriodSelector into TrendWidget component

Replace placeholder with dirt-period-selector dropdown. Add TimePeriod
to TrendWidgetTimespan mapping layer to bridge the two type systems.
Remove standalone Storybook story and disabled input per review feedback
— component now lives inside TrendWidget, not standalone.

[PM-28530]

* refactor(dirt): replace model() with signal() + output() for PeriodSelector

Switch from Angular's model() API to the signal() + output() pattern
used throughout the Access Intelligence module. This matches the
existing convention in TrendWidget (selectedTimespan/timespanChanged),
app-table-row-scrollable (checkboxChange/selectAllChange), and
review-applications-view (onToggleSelection/onToggleAll).

Changes:
- Replace model<TimePeriod>() with signal<TimePeriod>() for internal state
- Add explicit selectedPeriodChange output for parent notification
- Manual .emit() in selectPeriod() to match module convention
- Update test to verify output emission via subscribe spy

No functional change — both patterns emit selectedPeriodChange events.
The template binding (selectedPeriodChange)="..." is unchanged.

* refactor(dirt): update labels to match Figma and unify type system

Update period selector labels per Figma design:
- "Last 3 months" → "Past 3 months" (past3Months)
- "Last 6 months" → "Past 6 months" (past6Months)
- "Last 12 months" → "Past year" (pastYear)
- "All" → "All time" (allTime, new key — pre-existing "all" key untouched)

Rename TimePeriod const keys to match labels:
- Last3Months → Past3Months
- Last6Months → Past6Months
- Last12Months → PastYear
- All → AllTime
Wire values unchanged ("month", "3mo", "6mo", "12mo", "all") to
preserve server API compatibility.

Remove TrendWidgetTimespan entirely — TrendWidget now uses TimePeriod
directly for signals, outputs, and data model. Eliminates the temporary
mapping layer (timePeriodMap + onPeriodSelectorChange). Period selector
wires directly to onTimespanChange().

[PM-28530]

* [PM-28533] Add view selector to TrendWidget component (#19163)

Adds the view selector button group to the TrendWidget component. Hooks up to existing signal and emits events when the view mode is changed. In future development, the parent component of TrendWidget will need to handle these events to fetch updated chart data from the API.

View options are:

Applications
Passwords
Members

* Fix TimePeriod type errors in TrendWidget stories (#19239)

Replace invalid "past-month" string literals with TimePeriod.PastMonth
constant to match the TimePeriod type definition. The TimePeriod const
object uses "month" as the value for PastMonth, not "past-month".

* [PM-32056] Add feature flag for access intelligence trend chart (#19164)

* feat(dirt): add feature flag for access intelligence trend chart

Register the `pm-26961-access-intelligence-trend-chart` feature flag
to gate the upcoming TrendChart widget in the Activity tab. Default
is FALSE (disabled). PM-32057 will consume this flag when wiring up
the widget component.

[PM-32056]

* feat(dirt): read trend chart feature flag in activity component

Inject ConfigService into AllActivityComponent and read the
AccessIntelligenceTrendChart flag on init. This prepares the
component for the TrendChart widget to be conditionally rendered.

[PM-32056]

* feat(dirt): add conditional wrapper for trend chart widget

Add an @if block gated by the AccessIntelligenceTrendChart feature
flag in the Activity tab template. The TrendChart widget will be
placed inside this block when wired up.

[PM-32056]

* reset package files to main

* install chartjs using node v22

* add chartjs to dirt team deps (#19244)

* [PM-32055] Download TrendWidget chart to PNG and CSV (#19245)

This PR adds a download button to the TrendWidget component that supports downloading the "Risk over time" chart data as a PNG or in CSV format.

Logic to dynamically add a chart title and x/y axis labels is included. This required creating a service that recreates a copy of the chart with title and axis labels applied, in an off screen canvas element, and then exporting to blob for file download. This logic is owned by the ChartExportService.

* Fix readonly variables. Update chart variable to use signal

* Fix any type in test file

---------

Co-authored-by: Brad <44413459+lastbestdev@users.noreply.github.com>
Co-authored-by: Alex <55413326+AlexRubik@users.noreply.github.com>
Co-authored-by: Brad Deibert <bdeibert@bitwarden.com>
2026-03-18 16:04:04 -05:00
Jordan Aasen
7318376528
handle and parse errors messages for server errors in the browser (#19566) 2026-03-18 10:26:25 -07:00
Addison Beck
662e4c7740
feat(platform): extract vaultUrl from /api/config response (#19469)
* feat(platform): extract vaultUrl from /api/config response

Updates DefaultConfigService to extract the vault URL from the server's
/api/config response and populate it in the ServerCommunicationConfig that
gets passed to the SDK.

The vaultUrl field is extracted from response.environment.vault using
optional chaining to safely handle cases where the environment field may
be undefined. This follows the TypeScript camelCase naming convention and
integrates with the SDK's vault_url parameter added in the previous SDK
commits.

This enables the SDK to receive an explicit vault URL for SSO cookie
acquisition redirects, which fixes two critical issues:
1. Port preservation: Prevents localhost:8000 being stripped to localhost
   in local development environments
2. Multi-subdomain routing: Ensures redirects use vault.bitwarden.com
   instead of api.bitwarden.com when the cookie domain differs from the
   vault hostname

The TypeScript interface definition will be added in the next commit to
complete type safety.

Refs: PM-33352

* fix(platform): add vaultUrl parameter to noop acquireCookies

Updates the NoopServerCommunicationConfigPlatformApiService implementation
to match the SDK's ServerCommunicationConfigPlatformApi trait interface
change from SDK PR #832.

The SDK's acquire_cookies() method now requires both hostname and
vault_url parameters. This commit adds the vaultUrl parameter to the
noop implementation's method signature to maintain TypeScript type
compatibility.

The noop service remains a no-op - it continues to return undefined
but now accepts the additional parameter that the SDK interface expects.
This prevents TypeScript compilation errors when the clients repo updates
to SDK version 0.2.0-main.580 or later.

Refs: PM-33352

* feat: update sdk

* fix: add missing vault_url to tests

* review: guard ssoCookieVendor on vaultUrl

Passing undefined for vaultUrl into the SDK's Rust
SsoCookieVendorConfig struct causes a panic at the WASM
boundary. Extract vaultUrl into a local variable and add a
null guard so that configs missing a vault URL fall back to
{ bootstrap: { type: "direct" } } instead of reaching the
SDK with an incomplete struct.

Update the existing ssoCookieVendor test to assert vaultUrl
in the expected output, and add a new case verifying the
direct fallback when environment is absent.

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
2026-03-18 12:54:30 -04:00
Todd Martin
9744785a31
fix(environment): Handle unordered environment update events on logout
* Introduce check on user environment state

* Add additional check.

* Updated test comments.

* Added comment to explain change.
2026-03-17 22:05:11 -04:00
Justin Baur
5acb7c8503
[PM-19659] Add server-notifications README (#16203)
* Add `server-notifications` README

* Apply suggestions from code review

Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>

* Formatting

* Docs update from feedback

* Update libs/common/src/platform/server-notifications/README.md

Co-authored-by: Derek Nance <dnance@bitwarden.com>

* Add and Fix links

---------

Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Co-authored-by: Derek Nance <dnance@bitwarden.com>
2026-03-17 20:03:28 -04:00
Dave
4ff3395754
[PM-29796] Parameter validation with pattern match (#19500)
* feat(accept-organization-component) [PM-29796]: Validate Id expected shape.

* feat(utils) [PM-29796]: Remove invalidUrlParams.

* feat(utils) [PM-29796]: Re-add URL pattern matching detection with updated naming and comments.

* feat(accept-organization) [PM-29796]: Update component handling for id validation.

* feat(utils) [PM-29796]: Improve pattern-matching on utils.

* comment(accept-organization) [PM-29796]: Add comments on handling pattern.

* comment(accept-organization) [PM-29796]: Comments around authedHandler handling.

* refactor(utils) [PM-29796]: One entry per line with trailing comments for Prettier.

* refactor(accept-organization) [PM-29796]: Abstract handleInvalidInvite to its own method.

* docs(utils) [PM-29796]: Add/ungroup comments on declared match patterns.

* test(utils) [PM-29796]: Update tests and comments.

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
2026-03-17 17:50:35 -04:00
Leslie Tilton
54f690df44
[PM-33797] AIV2: Standardize Models and Services: Models and Feature flag (#19612)
* feat(access-intelligence): add V2 data model family, feature flag, and encryption service abstraction

* fix(access-intelligence): remove premature services export from barrel
2026-03-17 16:50:23 -05:00
Jackson Engstrom
56ef1dd3f4
[PM-32180] Change when premium upgrade happens (#19593)
* adds premium-upsell service

* adds and updates tests

* changes name and type in test file

* fixes strict ts

* Update libs/angular/src/vault/services/premium-upsell.service.spec.ts

fix import

Co-authored-by: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>

* change initial value and fix import order

---------

Co-authored-by: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com>
2026-03-17 14:11:04 -07:00
Andreas Coroiu
300b920457
[PM-32248] [PM-32233] [PM-32235] Block links from opening in electron window (#19317)
* feat: block window creation from main web renderer

* feat: redirect safe urls to external browser

* [PM-32235] Block unsafe open external call with arbitrary web vault url argument (#19322)

* feat: add safe shell class with openExternal impl

* feat: add lint rule to avoid directy openExternal usage

* feat: replace all unsafe usages

* feat: allow multiple allow-lists

* feat: update usages

* chore: remove static version of function

* fix: additional usages

* fix: tests

* fix: construct arguments

* fix: lint

* feat: block insecure weburls
2026-03-17 15:42:20 +01:00
Bernd Schoolmann
e97450abba
chore: bump sdk-internal to 0.2.0-main.608 (#19587)
* chore: bump @bitwarden/sdk-internal to 0.2.0-main.608

* [PM-30584] Move key-connector migration to sdk (#19360)

* Move key-connector migration to sdk

* Remove unused import

* Fix DI

* Fix dependencies on cli

* Fix types

* Fix import order

* fix tests

* Remove unused import

* Rename feature flag
2026-03-17 08:24:44 -05:00
Daniel James Smith
255a4ae4e5
Let tldts check for invalid characters within URI/hostname (#19415)
Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2026-03-17 14:09:31 +01:00
Jordan Aasen
adfee0dc0e
pass null in cipher service (#19538) 2026-03-16 09:37:22 -07:00
Nik Gilmore
34fad756de
[PM-33374] Fix getAllDecrypted when using the SDK (#19503)
* Bump SDK version

* Change SDK call to CiphersClient::list() to CiphersClient::get_all()

* Update mocks in tests to use ciphersService.get_all
2026-03-13 14:59:36 -07:00
John Harrington
a0e8c2d209
introduce feature flag pm-31885-send-controls (#19356) 2026-03-13 14:49:17 -07:00
Jason Ng
55d0595184
[PM-29250] remove browser premium spotlight flag. update spec files (#19364) 2026-03-13 14:56:40 -04:00
Patrick-Pimentel-Bitwarden
d4b4c8a164
fix(register): [PM-27085] Account Register Uses New Data Types (#18470)
* fix(register): [PM-27085] Account Register Uses New Data Types - Initial changes.

* test(register): [PM-27085] Account Register Uses New Data Types - Fixed tests.

* test(register): [PM-27085] Account Register Uses New Data Types - Updated tests.

* feat(register): [PM-27085] Account Register Uses New Data Types - Added feature flag.

* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unnecessary part of the payload.

* fix(register): [PM-27085] Account Register Uses New Data Types - Changed the feature flag to be gated with the other password input changes.

* fix(register): [PM-27085] Account Register Uses New Data Types - Added protection for feature flagged state.

* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unnecessary comment.

* fix(register): [PM-27085] Account Register Uses New Data Types - Addressed feedback.

* fix(register): [PM-27085] Account Register Uses New Data Types - Fixed tests and added comment.

* fix(register): [PM-27085] Account Register Uses New Data Types - Fixed another test.

* fix(register): [PM-27085] Account Register Uses New Data Types - And last test fix.

* fix(register): [PM-27085] Account Register Uses New Data Types - Removed unneeded code.

* fix(register): [PM-27085] Account Register Uses New Data Types - Updated comments and fixed code from feedback.

* fix(register): [PM-27085] Account Register Uses New Data Types - Updated comments again with small styling fix.

* fix(register): [PM-27085] Account Register Uses New Data Types - Switched to snapshot testing and explicit checks for unlock and authentication data for feature flag on. Also addressed pr comments.

* test(register): [PM-27085] Account Register Uses New Data Types - Made explicit checks for critical pieces of data in tests.

* fix(feature-flag): [PM-27085] Account Register Uses New Data Types - Added in feedback from comments. Default registration tests have snapshots now and web registration has more dry code.
2026-03-13 14:04:49 -04:00
Bernd Schoolmann
363f6445e3
[PM-31115] Support ephemeral pin envelope state in SDK (#19491)
* Support ephemeral pin envelope state in SDK

* Fix tests

* chore: bump @bitwarden/sdk-internal to 0.2.0-main.597

* Eslint

* Prettier
2026-03-13 16:11:47 +01:00
Jared
44ef7c1f54
[PM-31475] Remove decline event log for org data ownership policy (#19450)
* feat(event): add support for self-revocation event type and corresponding localization messages

* fix(tests): update transfer rejection logging test to ensure no event is logged when a user rejects a transfer

* feat(event-logs): add OrganizationUser_SelfRevoked event type and logging
2026-03-12 12:33:37 -04:00
Jared
3548a358cf
Refactor VaultTimeoutAction from enum to const object for improved type safety and flexibility (#19499) 2026-03-12 11:43:16 -04:00
Daniel James Smith
46bb683d7b
[PM-29232] Add cookie acquisition (#19392)
* Add cookie acquisition to ServerCommunicationConfigService

* Fix DI for ServerCommunicationConfigPlatformApiService

* Rename param for acquireCookie from hostname to url

---------

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2026-03-11 16:52:44 +01:00
Ike
c8c66a8bf1
[PM-32424] Send Access Enumeration protection (#19422)
* feat: remove reference to otp_invalid response since it is not used anymore

* remove usage of otpInvalid in CLI receive command

* fix: remove vestigial error types.

* chore: update sdk

* chore: fix failing test

---------

Co-authored-by: John Harrington <84741727+harr1424@users.noreply.github.com>
2026-03-11 11:37:07 -04:00
Daniel James Smith
5707b0064c
[PM-32915] Angular updates to TwoFactorIconComponent (#19306)
* Make TwoFactorIconComponent standalone

* Angular updates to TwoFactorIconComponent

- Migrate TwoFactorProviderType from enum to const (ADR25)
- Migrate Inputs to Signals
- Make provider a required input
- Use new Control Flow syntax
- Use OnPush change detection
- Memoize function for legacy providers (providers with png image)
- Add documentation
- Remove @ts-strict-ignore
- Fix type in TwoFactorSetupDuoComponent as it would default to number because of the migration of TwoFactorProviderType (enum to const). Now it can be overridden with any value of TwoFactorProviderType

* Add type guard for TwoFactorProviderType and fix CLI

* PM-32915 - Update TwoFactorProviderType to mark U2f as deprecated in favor of WebAuthn

* PM-32915 - TwoFactorIconComp - refactor to eliminate legacy providers and just use new, already available duo and yubikey SVG icons.

* PM-32915 - Add TODOs for cleaning up mfaType usages.

* PM-32915 - Remove unncessary ng-container

---------

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
2026-03-11 15:28:01 +00:00
Andreas Coroiu
35d25b7f8e
[PM-24047] Make popout windows respect vault timeout when unfocused (#19019)
* PM-24047: Make popout windows respect vault timeout when unfocused

Replace the heartbeat message-passing mechanism for popup detection
with direct browser API queries (getContexts on MV3, getExtensionViews
on MV2/Safari) that can distinguish focused from unfocused popout
windows. Unfocused popout windows no longer prevent vault timeout.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* PM-24047: Add isAnyViewFocused(), revert isPopupOpen() to simple popup detection

Addresses PR review feedback by separating focus-aware logic from the
isPopupOpen() semantics, which other callers depend on for simple
popup detection:

- BrowserApi.isPopupOpen(): reverted to return views.length > 0 for
  popup-type views only (original behavior)
- BrowserApi.isAnyViewFocused(): new method that checks popup views
  (always focused), sidebar tab views (always focused), and popout
  tab views (focused only if document.hasFocus() is true)
- BrowserPlatformUtilsService.isPopupOpen(): simplified MV3 path
  uses getContexts({ contextTypes: ['POPUP'] })
- BrowserPlatformUtilsService.isAnyViewFocused(): new method with
  MV3 (POPUP/SIDE_PANEL/focused TAB) and MV2/Safari paths
- PlatformUtilsService: adds isAnyViewFocused() to the interface
- Web/Desktop/CLI stubs return false (no popout windows)
- VaultTimeoutService now calls isAnyViewFocused() instead of
  isPopupOpen() so unfocused popouts don't block vault timeout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Move MV3/MV2 routing into BrowserApi

isPopupOpen() and isAnyViewFocused() now use feature detection for
chrome.runtime.getContexts to select the right API internally,
rather than having the routing in BrowserPlatformUtilsService.
This means BrowserApi is the single owner of view-detection logic,
and the service methods are simple one-line delegations.

Using typeof getContexts === "function" rather than isManifestVersion()
handles Safari naturally: if Safari doesn't support getContexts it
falls back to getExtensionViews, without needing an explicit isSafari()
exclusion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Scope MV3/MV2 routing refactor to isAnyViewFocused only

isPopupOpen() keeps its existing pattern (MV3/MV2 routing in the
service, simple getExtensionViews in BrowserApi) to avoid touching
unrelated code. Only isAnyViewFocused() has its routing moved into
BrowserApi via feature detection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Restore isPopupOpen to main branch implementation

isPopupOpen() and its tests are restored exactly to the main branch
version (heartbeat-based approach). Only isAnyViewFocused is new code.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Refactor isPopupOpen() to use getContexts/getViews instead of heartbeat

Replaces the message-passing heartbeat approach with the same
chrome.runtime.getContexts() (MV3) / chrome.extension.getViews() (MV2/Safari)
introspection pattern used by isAnyViewFocused(). This eliminates the need
for a heartbeat listener in the popup and makes both methods consistent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Simplify isAnyViewFocused() using Array.some()

Collapse the two separate POPUP/SIDE_PANEL checks into a single .some()
call, and replace the synchronous MV2/Safari tab view loop with .some().
The async TAB/popout window check stays as a for loop.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: improve tabs loop readability somewhat

* PM-24047: Fix MV3 popout focus check using wrong uilocation filter

The TAB context filter was checking for `uilocation=sidebar` instead of
`uilocation=popout`. In MV3, sidebars are SIDE_PANEL contexts (already
handled above), so this filter never matched, causing focused popout
windows to be silently ignored and the vault to timeout while a user was
actively viewing one.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* PM-24047: Rename isViewOpen to isViewFocused for semantic accuracy

The variable and parameter previously named isViewOpen reflected
the old "is any view open?" semantics. After the refactor to
isAnyViewFocused(), the naming is updated to match the actual
behavior: checking whether a view is focused, not merely open.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-11 14:10:32 +01:00
Maciej Zieniuk
0465bb2fb1
[PM-31112] Local user data key state declaration (#19471)
* client managed state

* sdk upgrade

* bad cherry-pick
2026-03-11 11:19:38 +01:00
Thomas Avery
c842f76539
[PM-27297] Remove ConsolidatedSessionTimeoutComponent feature flag (#18616)
* Remove flag

* Remove legacy components

* Update unit tests

* update messages json
2026-03-10 13:09:35 -05:00
Daniel James Smith
bffc14b594
[PM-31198] Remove the hostname from serverCommunicationConfig as the cookieDomain can be used (#19445)
* Remove the hostname from serverCommunicationConfig as the cookieDomain can be used

* Fix types issue

---------

Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com>
2026-03-10 09:12:01 -05:00
Thomas Rittson
7943da240c
[PM-28488] Move event logging code to DIRT folders (#19336)
* Add re-exports from old locations to maintain backward compatibility
2026-03-10 14:58:06 +01:00
Oscar Hinton
b373e9c1ff
[PM-28754] [PM-28755] Cleanup desktop ui milestone 1 & 2 (#19081)
Removes feature flags for milestone 1 and 2 for desktop ui migration.
2026-03-10 12:02:23 +01:00
Bernd Schoolmann
b8206503b5
[PM-31049] Enable unlock via SDK (#18907)
* Add unlock service

* Move methods

* Prettier

* Fix type errors

* Prettier

* Fix test

* Fix module order

* Attempt to fix tests

* Use unlock service for unlocking

* Featureflag logic

* Add support for setting client managed state

* Add support for biometric unlock

* Add biometric unlock via SDK

* Prettier

* Cleanup CODEOWNERS

* Fix init with client managed state

* Backport biometric unlock and legacy master-key logic

* Add tests for biometrics

* Prettier

* Add biometric unlock to abstract unlock service

* Fix build

* tmp

* Fix tests

* Fix types

* Fix build

* Prettier

* Cleanup

* Fix import order

* Fix tests

* Eslint

* Fix tests

* Prettier

* Load feature flags before crypto init

* Prettier

* Clean up SDK config

* Prettier

* Fix eslint

* Prettier

* Update libs/key-management-ui/src/lock/components/master-password-lock/master-password-lock.component.ts

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

---------

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2026-03-10 11:47:04 +01:00
Bernd Schoolmann
a412a47be7
Fix left-over ts5.9/ts7 incompatibility (#19388) 2026-03-10 06:26:17 -04:00
Jared
ecbab67b8b
Enhance MasterPassword policy handling in tests and service (#19350)
* Add tests to verify behavior when organizations do not use policies and when users are exempt as owners.
* Update service logic to correctly handle policy retrieval based on user type and organization settings.
2026-03-09 11:52:23 -04:00