Commit Graph

2421 Commits

Author SHA1 Message Date
Maciej Zieniuk
bbea11388a
[PM-26057] Enforce session timeout policy (#17424)
* enforce session timeout policy

* better angular validation

* lint fix

* missing switch break

* fallback when timeout not supported with highest available timeout

* failing unit tests

* incorrect policy message

* vault timeout type adjustments

* fallback to "on browser refresh" for browser, when policy is set to "on system locked", but not available (Safari)

* docs, naming improvements

* fallback for current user session timeout to "on refresh", when policy is set to "on system locked", but not available.

* don't display policy message when the policy does not affect available timeout options

* 8 hours default when changing from non-numeric timeout to Custom.

* failing unit test

* missing locales, changing functions access to private, docs

* removal of redundant magic number

* missing await

* await once for available timeout options

* adjusted messaging

* unit test coverage

* vault timeout numeric module exports

* unit test coverage
2025-12-05 14:55:59 +01:00
bw-ghapp[bot]
e5fa527af1
Autosync the updated translations (#17825)
Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
2025-12-05 12:32:12 +01:00
Jonathan Prusik
cf806dcac4
do not trigger an update notification if the entered password matches a stored cipher with the same value and matching username (#17811) 2025-12-04 15:16:48 -05:00
Nick Krantz
dab1a37bfe
PM-24535 Web premium upgrade path for archive (#16854)
* add premium badge to web filter when the user does not have access to premium

* remove feature flag pass through in favor of showing/hiding archive vault observable

* refactor archive observable to be more generic

* add archive premium badge for the web

* show premium badge inline for archive filter

* show premium subscription ended message when user has archived ciphers

* fix missing refactor

* remove unneeded can archive check

* reference observable directly

* reduce the number of firstValueFroms by combining observables into a single stream

* fix failing tests

* add import to storybook

* update variable naming for premium filters

* pass event to `promptForPremium`

* remove check for organization

* fix footer variable reference

* refactor back to `hasArchiveFlagEnabled$` - more straightforward to the underlying logic

* update archive service test with new feature flag format
2025-12-03 14:19:26 -06:00
Jonathan Prusik
04d7744747
normalize lowercasing for cipher compared against lowercased input value (#17803) 2025-12-03 15:12:12 -05:00
Anders Åberg
28fbddb63f
fix(passkeys): [PM-28324] Add a guard that conditionally forces a popout depending on platform
* Add a guard that conditionally forces a popout depending on platform

* Test the routeguard

* Use mockImplementation instead.

* autoclose popout
2025-12-03 14:40:55 -05:00
Bernd Schoolmann
6e2203d6d4
[PM-18026] Implement forced, automatic KDF upgrades (#15937)
* Implement automatic kdf upgrades

* Fix kdf config not being updated

* Update legacy kdf state on master password unlock sync

* Fix cli build

* Fix

* Deduplicate prompts

* Fix dismiss time

* Fix default kdf setting

* Fix build

* Undo changes

* Fix test

* Fix prettier

* Fix test

* Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

* Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

* Only sync when there is at least one migration

* Relative imports

* Add tech debt comment

* Resolve inconsistent prefix

* Clean up

* Update docs

* Use default PBKDF2 iterations instead of custom threshold

* Undo type check

* Fix build

* Add comment

* Cleanup

* Cleanup

* Address component feedback

* Use isnullorwhitespace

* Fix tests

* Allow migration only on vault

* Fix tests

* Run prettier

* Fix tests

* Prevent await race condition

* Fix min and default values in kdf migration

* Run sync only when a migration was run

* Update libs/common/src/key-management/encrypted-migrator/default-encrypted-migrator.ts

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>

* Fix link not being blue

* Fix later button on browser

---------

Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2025-12-03 19:04:18 +01:00
Jonathan Prusik
422e527516
[PM-28289] Address false-positives of new login save prompts (#17783)
* add values to TotpFieldNames constant

* add totp field check to username field qualification

* handle checking empty string cases

* update tests

* require stored username for new cipher notification prompt

* drop ambiguous token keyword from authoritative TOTP field names constant

* adjust shouldAttemptNotification logic for add and change cases
2025-12-03 11:46:48 -05:00
Jeffrey Holland
cf416388d7
Fix stale data issue in new login popout (#17307)
* Fix stale data issue in new login popout

* Update the comments

* Address critical claude code bot suggestions

* Clean out all stale data from pop up

* Fix cached cipher issue

* Fix caching issue between tab and overlay flow

* Address claude comments
2025-12-03 09:46:40 +01:00
Todd Martin
57b6d8ba58
chore: [PM-28640] revert script injection change
* chore: revert script injection change

* Removed async

* Adjust tests.

* Revert fido2.background.ts changes.

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
2025-12-02 13:24:22 -05:00
Jonathan Prusik
f17890a26b
[PM-27798] Prevent inline menu from opening on the page outside of the viewport (#17664)
* cleanup

* prevent inline menu from opening on the page outside of the viewport

* update inline menu viewport check to include checks on all sides of the viewport

* use VisualViewport when available

* update tests
2025-12-02 11:31:35 -05:00
Stephon Brown
a9bf66e689
[PM-27600] Replace Hard-Coded Storage amount (#17393)
* feat(billing): add provided as a required property to premium response

* fix(billing): replace hard coded storage variables with retrieved plan

* tests(billing): add tests to pricing-summary service

* feat(billing): add optional property.

* fix(billing): update storage logic

* fix(billing): remove optional check

* fix(billing): remove optionality

* fix(billing): remove optionality

* fix(billing): refactored storage calculation logic

* feat(billing): add provided amounts to subscription-pricing-service

* fix(billing): update cloud premium component

* fix(billing): update desktop premium component

* fix(billing): update org plans component

* fix(billing) update stories and tests

* fix(billing): update messages

* fix(billing): replace storage sizes

* fix(billing): update messages

* fix(billing): update components

* fix(billing): update components for pricing and storage retrieval

* fix(billing): revert self-hosted change
2025-12-02 10:49:55 -05:00
Vicki League
37b233aad9
[CL-717] Fix autofill storybook config (#17757) 2025-12-01 17:20:40 -05:00
Jordan Aasen
99186e3651
[PM-28514] - fix item copy actions for totp. add specs (#17709)
* fix item copy actions for totp. add specs

* add test to satisfy claude
2025-12-01 13:52:59 -08:00
Vicki League
10424e227b
[CL-717][PM-27966] Update to Angular 20 and Storybook 9 (#17638) 2025-12-01 14:15:58 -05:00
Brandon Treston
b9d5724312
[PM-24011] Add handler for new policy sync push notification (#17465)
* add handler for new policy sync push notification

* fix story book build failure

* move logic into policy service, fix tests

* add account service

* add missing service to clie
2025-12-01 10:21:48 -05:00
bw-ghapp[bot]
9936330971
Autosync the updated translations (#17748)
Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
2025-12-01 12:07:13 +00:00
Github Actions
fc63c0c2cf Bumped client version(s) 2025-12-01 11:46:54 +00:00
Andreas Coroiu
2fd4a92cc5
[PM-28640] Fix passkeys not working on MV2 (#17701)
* fix: inject script contents directly

* fix: tests

* fix: tests

* fix: injection tests
2025-12-01 08:48:16 +01:00
bw-ghapp[bot]
15dcec72ad
Autosync the updated translations (#17712)
Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
2025-11-28 06:32:38 +01:00
Github Actions
09a6600b34 Bumped client version(s) 2025-11-27 14:03:16 +00:00
Bernd Schoolmann
eb4fd42153
[PM-28446] Log package types (#17496)
* User agent

* Update to use header

* Fix build on cli

* Replace unsandboxed with unknown

* Apply feedback

* Prevent sending null values
2025-11-27 00:22:59 +01:00
John Harrington
6f5491f7dc
PM-22143 Refactor TS enums to be const objects (Send specific enums) (#16399) 2025-11-26 15:08:59 -07:00
Jordan Aasen
598bb0b0d7
[PM-23384] - adjust copy for monthly price in Premium Upgrade dialog (#17668)
* adjust copy for month/annual price

* use i18n pipe

* remove annually key

* change per month to month
2025-11-26 20:34:58 +00:00
Nick Krantz
f27ce4342c
use default-trailing slot for attachments on the at-risk passwords page (#17203) 2025-11-25 19:53:20 -06:00
Nick Krantz
d444143a65
update translation key to use noun form of archive (#17500) 2025-11-25 16:33:13 -06:00
Jordan Aasen
94327b8caa
[PM-28817] - update copy for vault premium spotlight (#17667)
* update copy for vault premium spotlight

* remove unnecessary observable

* fix logic
2025-11-25 13:59:09 -08:00
Daniel Riera
3de3bee08f
[PM-27821]Add validation of extension origin for uses of window.postMessage (#17476)
* PM-27821 - Replace chrome.runtime.getURL() with BrowserApi.getRuntimeURL() for consistency
- Add extension origin validation for all window.postMessage calls
- Implement token-based authentication for inline menu communications
- Add message source validation (event.source === globalThis.parent)
- Add command presence validation (
- Update notification bar to validate message origins and commands
- Add extensionOrigin property to services using postMessage
- Generate session tokens for inline menu containers (32-char random)
- Validate tokens in message handlers to prevent unauthorized commands

* Add explicit token validation

* only set when receiving the trusted initNotificationBar message

* await windowmessageorigin before posting to parent

* fix tests

* the parent must include its origin in the message for notification bar race condition

* reduce if statements to one block and comment

* extract parentOrigin from the URL and set windoMessageOrigin accordingly

* consolidate if statements

* add bar.spec file

* fix merge conflict
2025-11-25 13:42:46 -05:00
Jordan Aasen
eae894123d
[PM-28376] - update copy for autofill confirmation dialog url list expand button (#17594)
* update copy for autofill confirmation dialog url list expand button

* fix tests
2025-11-25 10:33:21 -08:00
Nick Krantz
441783627b
[PM-26359] Archive Upgrade - Browser (#16904)
* add archive upgrade flow to more options menu

* add reprompt for archiving a cipher

* add premium badge for archive in settings

* update showArchive to only look at the feature flag

* add premium badge for browser settings

* add event to prompt for premium

* formatting

* update test
2025-11-25 11:28:34 -06:00
Dave
cf6569bfea
feat(user-decryption-options) [PM-26413]: Remove ActiveUserState from UserDecryptionOptionsService (#16894)
* feat(user-decryption-options) [PM-26413]: Update UserDecryptionOptionsService and tests to use UserId-only APIs.

* feat(user-decryption-options) [PM-26413]: Update InternalUserDecryptionOptionsService call sites to use UserId-only API.

* feat(user-decryption-options) [PM-26413] Update userDecryptionOptions$ call sites to use the UserId-only API.

* feat(user-decryption-options) [PM-26413]: Update additional call sites.

* feat(user-decryption-options) [PM-26413]: Update dependencies and an additional call site.

* feat(user-verification-service) [PM-26413]: Replace where allowed by unrestricted imports invocation of UserVerificationService.hasMasterPassword (deprecated) with UserDecryptionOptions.hasMasterPasswordById$. Additional work to complete as tech debt tracked in PM-27009.

* feat(user-decryption-options) [PM-26413]: Update for non-null strict adherence.

* feat(user-decryption-options) [PM-26413]: Update type safety and defensive returns.

* chore(user-decryption-options) [PM-26413]: Comment cleanup.

* feat(user-decryption-options) [PM-26413]: Update tests.

* feat(user-decryption-options) [PM-26413]: Standardize null-checking on active account id for new API consumption.

* feat(vault-timeout-settings-service) [PM-26413]: Add test cases to illustrate null active account from AccountService.

* fix(fido2-user-verification-service-spec) [PM-26413]: Update test harness to use FakeAccountService.

* fix(downstream-components) [PM-26413]: Prefer use of the getUserId operator in all authenticated contexts for user id provided to UserDecryptionOptionsService.

---------

Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
2025-11-25 11:23:22 -05:00
Ben Brooks
c04c1757ea
Revert "Lets shadow DOM check signal page update (#16114)" (commit 6129ca5366) (#17503)
Signed-off-by: Ben Brooks <bbrooks@bitwarden.com>
2025-11-25 08:06:03 -08:00
Bryan Cunningham
540da69daf
[CL-761] Enable strict template typechecking (#17334)
* enable strict template typechecking

* add callout component to module

* fixing popup action types

* fixing cipher item copy types

* fix archive cipher type

* fixing trash list items types

* fix remaining trash list item type errors

* use CipherViewLike as correct type

* change popup back directive to attribute selector

* allow undefined in popupBackAction handler

* Remove undefined from type

* fix error with firefox commercial build

---------

Co-authored-by: Vicki League <vleague@bitwarden.com>
2025-11-25 11:04:37 -05:00
Jordan Aasen
43fd99b002
[PM-24722][PM-27695] - add persistent callout in settings for non-premium users (#17246)
* add persistent callout in settings for non-premium users

* remove premium v2 component

* add spec

* remove premium-v2.component.html

* fix title

* fix typo

* conditionally render h2

* re-add premiumv2component. change class prop to observable

* change from bold to semibold

* remove unnecessary tw classes. use transform: booleanAttribute

* add spotlight specs

* code cleanup
2025-11-24 13:49:05 -08:00
blackwood
883ff8968e
Allows limited internal message posting when host experience content is controlled (#17313) 2025-11-24 14:08:11 -05:00
Leslie Tilton
5779df2417
Correct phishing blocker file structure (#17477) 2025-11-24 10:46:28 -06:00
Bernd Schoolmann
13940a74ae
Fix biometrics unlock when pin is enabled (#17528) 2025-11-22 11:53:45 +01:00
Daniel Riera
279632d65f
[PM-28516] Inline menu is not working in main (#17524)
* PM-28516 Validate iframe and stylesheet URLs against their own origins to handle cases where chrome assigns different extension ids in different contexts

* switch to regex to match existing match pattern

* updated regex to account for safari
2025-11-21 17:10:03 +00:00
Dave
daf7b7d2ce
fix(two-factor) [PM-21204]: Users without premium cannot disable premium 2FA (#17134)
* refactor(two-factor-service) [PM-21204]: Stub API methods in TwoFactorService (domain).

* refactor(two-factor-service) [PM-21204]: Build out stubs and add documentation.

* refactor(two-factor-service) [PM-21204]: Update TwoFactorApiService call sites to use TwoFactorService.

* refactor(two-factor) [PM-21204]: Remove deprecated and unused formPromise methods.

* refactor(two-factor) [PM-21204]: Move 2FA-supporting services into common/auth/two-factor feature namespace.

* refactor(two-factor) [PM-21204]: Update imports for service/init containers.

* feat(two-factor) [PM-21204]: Add a disabling flow for Premium 2FA when enabled on a non-Premium account.

* fix(two-factor-service) [PM-21204]: Fix type-safety of module constants.

* fix(multiple) [PM-21204]: Prettier.

* fix(user-verification-dialog) [PM-21204]: Remove bodyText configuration for this use.

* fix(user-verification-dialog) [PM-21204]: Improve the error message displayed to the user.
2025-11-21 10:35:34 -05:00
bw-ghapp[bot]
8077270ef8
Autosync the updated translations (#17529)
Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
2025-11-21 09:39:50 +01:00
Addison Beck
ba93526965
chore: create eslint rule to catch insecure page script injection (#17437)
* chore: create eslint rule to catch insecure page script injection

* chore: ignore existing lints

* review: tighten rule scope

* review: add tests
2025-11-20 19:45:49 -05:00
Jeffrey Holland
e23b2d0c98
Autofill/pm 25597 plex password generation (#16997)
* Correctly fill generated passwords and current password on plex.tv

* Correctly fill generated passwords and current password on plex.tv

* Leave existing forEach

* Add tests for changes
2025-11-20 16:31:05 +01:00
Nick Krantz
b00987180d
[PM-26688][PM-27710] Delay skeletons from showing + search (#17394)
* add custom operator for loading skeleton delays

* add `isCipherSearching$` observable to search service

* prevent vault skeleton from showing immediately

* add skeleton for search + delay to sends

* update fade-in-out component selector

* add fade-in-out component for generic use

* address memory leak by using defer to encapsulate `skeletonShownAt`

* add missing provider
2025-11-20 08:26:47 -06:00
Jonathan Prusik
7c4db701b9
[PM-27797] Prevent host page manipulation of inline menu popover attribute (#17400)
* turn off inline experience if host page aggressively competes for top of top-layer

* add alert message for top-layer hijack scenarios

* widen the backoff threshold

* refactor backoff logic to include popover attribute mutations

* improve getPageIsOpaque check

* do not attempt inline menu insertion if it has been disabled for security concerns

* fix typo

* cleanup

* add tests
2025-11-19 19:14:05 -05:00
Addison Beck
6d1c474fc5
fix: add world: MAIN to Firefox page script registration (#17466)
* chore: update @types/firefox-webext-browser

* fix: add world: MAIN to Firefox page script registration

* review: add world property to registration type
2025-11-19 20:13:41 +00:00
Addison Beck
e44ab1b411
fix: enable dynamic URLs for Chrome web accessible resources (#17429)
This commit adds use_dynamic_url: true to the extension's web_accessible_resources configuration. When enabled, Chrome generates random session-based GUIDs for extension resource URLs instead of using the predictable static extension ID. This enhances privacy by making extension resource URLs unpredictable and prevents third-party enumeration of installed extensions.

The feature is supported in Chrome 102+ and changes resource URLs from chrome-extension://[static-id]/resource to chrome-extension://[random-guid]/resource, with GUIDs regenerating each browser session while maintaining all existing extension functionality.

Addresses: https://bitwarden.atlassian.net/browse/PM-28344
2025-11-19 14:57:59 -05:00
Github Actions
64bfbf274a Bumped client version(s) 2025-11-19 00:18:10 +00:00
Jonathan Prusik
df03664827
[PM-27915] Add additional global styling collision defenses for pseudo-elements (#17340)
* add additional global styling collision defenses for pseudo-elements

* move internal stylesheet into closed shadow root
2025-11-18 14:49:12 -05:00
Will Martin
b952e6ea44
[PM-28071] add prod test domain for phishing detection (#17450) 2025-11-18 13:08:21 -05:00
bw-ghapp[bot]
bbb42d9b17
Autosync the updated translations (#17461)
Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
2025-11-18 18:36:24 +01:00