mirror of
https://github.com/bitwarden/clients.git
synced 2026-06-19 21:02:50 +08:00
07c2c2af20
* [EC-1070] Introduce flag for enforcing master password policy on login * [EC-1070] Update master password policy form Add the ability to toggle enforceOnLogin flag in web * [EC-1070] Add API method to retrieve all policies for the current user * [EC-1070] Refactor forcePasswordReset in state service to support more options - Use an options class to provide a reason and optional organization id - Use the OnDiskMemory storage location so the option persists between the same auth session * [AC-1070] Retrieve single master password policy from identity token response Additionally, store the policy in the login strategy for future use * [EC-1070] Introduce master password evaluation in the password login strategy - If a master password policy is returned from the identity result, evaluate the password. - If the password does not meet the requirements, save the forcePasswordReset options - Add support for 2FA by storing the results of the password evaluation on the login strategy instance - Add unit tests to password login strategy * [AC-1070] Modify admin password reset component to support update master password on login - Modify the warning message to depend on the reason - Use the forcePasswordResetOptions in the update temp password component * [EC-1070] Require current master password when updating weak mp on login - Inject user verification service to verify the user - Conditionally show the current master password field only when updating a weak mp. Admin reset does not require the current master password. * [EC-1070] Implement password policy check during vault unlock Checking the master password during unlock is the only applicable place to enforce the master password policy check for SSO users. * [EC-1070] CLI - Add ability to load MP policies on login Inject policyApi and organization services into the login command * [EC-1070] CLI - Refactor update temp password logic to support updating weak passwords - Introduce new shared method for collecting a valid and confirmed master password from the CLI and generating a new encryption key - Add separate methods for updating temp passwords and weak passwords. - Utilize those methods during login flow if not using an API key * [EC-1070] Add route guard to force password reset when required * [AC-1070] Use master password policy from verify password response in lock component * [EC-1070] Update labels in update password component * [AC-1070] Fix policy service tests * [AC-1070] CLI - Force sync before any password reset flow Move up the call to sync the vault before attempting to collect a new master password. Ensures the master password policies are available. * [AC-1070] Remove unused getAllPolicies method from policy api service * [AC-1070] Fix missing enforceOnLogin copy in policy service * [AC-1070] Include current master password on desktop/browser update password page templates * [AC-1070] Check for forced password reset on account switch in Desktop * [AC-1070] Rename WeakMasterPasswordOnLogin to WeakMasterPassword * [AC-1070] Update AuthServiceInitOptions * [AC-1070] Add None force reset password reason * [AC-1070] Remove redundant ForcePasswordResetOptions class and replace with ForcePasswordResetReason enum * [AC-1070] Rename ForceResetPasswordReason file * [AC-1070] Simplify conditional * [AC-1070] Refactor logic that saves password reset flag * [AC-1070] Remove redundant constructors * [AC-1070] Remove unnecessary state service call * [AC-1070] Update master password policy component - Use typed reactive form - Use CL form components - Remove bootstrap - Update error component to support min/max - Use Utils.minimumPasswordLength value for min value form validation * [AC-1070] Cleanup leftover html comment * [AC-1070] Remove overridden default values from MasterPasswordPolicyResponse * [AC-1070] Hide current master password input in browser for admin password reset * [AC-1070] Remove clientside user verification * [AC-1070] Update temp password web component to use CL - Use CL for form inputs in the Web component template - Remove most of the bootstrap classes in the Web component template - Use userVerificationService to build the password request - Remove redundant current master password null check * [AC-1070] Replace repeated user inputs email parsing helpers - Update passwordStrength() method to accept an optional email argument that will be parsed into separate user inputs for use with zxcvbn - Remove all other repeated getUserInput helper methods that parsed user emails and use the new passwordStrength signature * [AC-1070] Fix broken login command after forcePasswordReset enum refactor * [AC-1070] Reduce side effects in base login strategy - Remove masterPasswordPolicy property from base login.strategy.ts - Include an IdentityResponse in base startLogin() in addition to AuthResult - Use the new IdentityResponse to parse the master password policy info only in the PasswordLoginStrategy * [AC-1070] Cleanup password login strategy tests * [AC-1070] Remove unused field * [AC-1070] Strongly type postAccountVerifyPassword API service method - Remove redundant verify master password response - Use MasterPasswordPolicyResponse instead * [AC-1070] Use ForceResetPassword.None during account switch check * [AC-1070] Fix check for forcePasswordReset reason after addition of None * [AC-1070] Redirect a user home if on the update temp password page without a reason * [AC-1070] Use bit-select and bit-option * [AC-1070] Reduce explicit form control definitions for readability * [AC-1070] Import SelectModule in Shared web module * [AC-1070] Add check for missing 'at' symbol * [AC-1070] Remove redundant unpacking and null coalescing * [AC-1070] Update passwordStrength signature and add jsdocs * [AC-1070] Remove variable abbreviation * [AC-1070] Restore Id attributes on form inputs * [AC-1070] Clarify input value min/max error messages * [AC-1070] Add input min/max value example to storybook * [AC-1070] Add missing spinner to update temp password form * [AC-1070] Add missing ids to form elements * [AC-1070] Remove duplicate force sync and update comment * [AC-1070] Switch backticks to quotation marks --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
290 lines
9.4 KiB
TypeScript
290 lines
9.4 KiB
TypeScript
import { Directive, OnDestroy, OnInit } from "@angular/core";
|
|
import { ActivatedRoute, Router } from "@angular/router";
|
|
import * as DuoWebSDK from "duo_web_sdk";
|
|
import { first } from "rxjs/operators";
|
|
|
|
import { ApiService } from "@bitwarden/common/abstractions/api.service";
|
|
import { AppIdService } from "@bitwarden/common/abstractions/appId.service";
|
|
import { EnvironmentService } from "@bitwarden/common/abstractions/environment.service";
|
|
import { I18nService } from "@bitwarden/common/abstractions/i18n.service";
|
|
import { LogService } from "@bitwarden/common/abstractions/log.service";
|
|
import { PlatformUtilsService } from "@bitwarden/common/abstractions/platformUtils.service";
|
|
import { StateService } from "@bitwarden/common/abstractions/state.service";
|
|
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
|
|
import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
|
|
import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
|
|
import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
|
|
import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
|
|
import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
|
|
import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
|
|
import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
|
|
import { TwoFactorProviders } from "@bitwarden/common/auth/services/two-factor.service";
|
|
import { WebAuthnIFrame } from "@bitwarden/common/auth/webauthn-iframe";
|
|
|
|
import { CaptchaProtectedComponent } from "./captcha-protected.component";
|
|
|
|
@Directive()
|
|
export class TwoFactorComponent extends CaptchaProtectedComponent implements OnInit, OnDestroy {
|
|
token = "";
|
|
remember = false;
|
|
webAuthnReady = false;
|
|
webAuthnNewTab = false;
|
|
providers = TwoFactorProviders;
|
|
providerType = TwoFactorProviderType;
|
|
selectedProviderType: TwoFactorProviderType = TwoFactorProviderType.Authenticator;
|
|
webAuthnSupported = false;
|
|
webAuthn: WebAuthnIFrame = null;
|
|
title = "";
|
|
twoFactorEmail: string = null;
|
|
formPromise: Promise<any>;
|
|
emailPromise: Promise<any>;
|
|
identifier: string = null;
|
|
onSuccessfulLogin: () => Promise<any>;
|
|
onSuccessfulLoginNavigate: () => Promise<any>;
|
|
|
|
protected loginRoute = "login";
|
|
protected successRoute = "vault";
|
|
|
|
constructor(
|
|
protected authService: AuthService,
|
|
protected router: Router,
|
|
protected i18nService: I18nService,
|
|
protected apiService: ApiService,
|
|
protected platformUtilsService: PlatformUtilsService,
|
|
protected win: Window,
|
|
protected environmentService: EnvironmentService,
|
|
protected stateService: StateService,
|
|
protected route: ActivatedRoute,
|
|
protected logService: LogService,
|
|
protected twoFactorService: TwoFactorService,
|
|
protected appIdService: AppIdService,
|
|
protected loginService: LoginService
|
|
) {
|
|
super(environmentService, i18nService, platformUtilsService);
|
|
this.webAuthnSupported = this.platformUtilsService.supportsWebAuthn(win);
|
|
}
|
|
|
|
async ngOnInit() {
|
|
if (!this.authing || this.twoFactorService.getProviders() == null) {
|
|
this.router.navigate([this.loginRoute]);
|
|
return;
|
|
}
|
|
|
|
this.route.queryParams.pipe(first()).subscribe((qParams) => {
|
|
if (qParams.identifier != null) {
|
|
this.identifier = qParams.identifier;
|
|
}
|
|
});
|
|
|
|
if (this.needsLock) {
|
|
this.successRoute = "lock";
|
|
}
|
|
|
|
if (this.win != null && this.webAuthnSupported) {
|
|
const webVaultUrl = this.environmentService.getWebVaultUrl();
|
|
this.webAuthn = new WebAuthnIFrame(
|
|
this.win,
|
|
webVaultUrl,
|
|
this.webAuthnNewTab,
|
|
this.platformUtilsService,
|
|
this.i18nService,
|
|
(token: string) => {
|
|
this.token = token;
|
|
this.submit();
|
|
},
|
|
(error: string) => {
|
|
this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), error);
|
|
},
|
|
(info: string) => {
|
|
if (info === "ready") {
|
|
this.webAuthnReady = true;
|
|
}
|
|
}
|
|
);
|
|
}
|
|
|
|
this.selectedProviderType = this.twoFactorService.getDefaultProvider(this.webAuthnSupported);
|
|
await this.init();
|
|
}
|
|
|
|
ngOnDestroy(): void {
|
|
this.cleanupWebAuthn();
|
|
this.webAuthn = null;
|
|
}
|
|
|
|
async init() {
|
|
if (this.selectedProviderType == null) {
|
|
this.title = this.i18nService.t("loginUnavailable");
|
|
return;
|
|
}
|
|
|
|
this.cleanupWebAuthn();
|
|
this.title = (TwoFactorProviders as any)[this.selectedProviderType].name;
|
|
const providerData = this.twoFactorService.getProviders().get(this.selectedProviderType);
|
|
switch (this.selectedProviderType) {
|
|
case TwoFactorProviderType.WebAuthn:
|
|
if (!this.webAuthnNewTab) {
|
|
setTimeout(() => {
|
|
this.authWebAuthn();
|
|
}, 500);
|
|
}
|
|
break;
|
|
case TwoFactorProviderType.Duo:
|
|
case TwoFactorProviderType.OrganizationDuo:
|
|
setTimeout(() => {
|
|
DuoWebSDK.init({
|
|
iframe: undefined,
|
|
host: providerData.Host,
|
|
sig_request: providerData.Signature,
|
|
submit_callback: async (f: HTMLFormElement) => {
|
|
const sig = f.querySelector('input[name="sig_response"]') as HTMLInputElement;
|
|
if (sig != null) {
|
|
this.token = sig.value;
|
|
await this.submit();
|
|
}
|
|
},
|
|
});
|
|
}, 0);
|
|
break;
|
|
case TwoFactorProviderType.Email:
|
|
this.twoFactorEmail = providerData.Email;
|
|
if (this.twoFactorService.getProviders().size > 1) {
|
|
await this.sendEmail(false);
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
async submit() {
|
|
await this.setupCaptcha();
|
|
|
|
if (this.token == null || this.token === "") {
|
|
this.platformUtilsService.showToast(
|
|
"error",
|
|
this.i18nService.t("errorOccurred"),
|
|
this.i18nService.t("verificationCodeRequired")
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (this.selectedProviderType === TwoFactorProviderType.WebAuthn) {
|
|
if (this.webAuthn != null) {
|
|
this.webAuthn.stop();
|
|
} else {
|
|
return;
|
|
}
|
|
} else if (
|
|
this.selectedProviderType === TwoFactorProviderType.Email ||
|
|
this.selectedProviderType === TwoFactorProviderType.Authenticator
|
|
) {
|
|
this.token = this.token.replace(" ", "").trim();
|
|
}
|
|
|
|
try {
|
|
await this.doSubmit();
|
|
} catch {
|
|
if (this.selectedProviderType === TwoFactorProviderType.WebAuthn && this.webAuthn != null) {
|
|
this.webAuthn.start();
|
|
}
|
|
}
|
|
}
|
|
|
|
async doSubmit() {
|
|
this.formPromise = this.authService.logInTwoFactor(
|
|
new TokenTwoFactorRequest(this.selectedProviderType, this.token, this.remember),
|
|
this.captchaToken
|
|
);
|
|
const response: AuthResult = await this.formPromise;
|
|
const disableFavicon = await this.stateService.getDisableFavicon();
|
|
await this.stateService.setDisableFavicon(!!disableFavicon);
|
|
if (this.handleCaptchaRequired(response)) {
|
|
return;
|
|
}
|
|
if (this.onSuccessfulLogin != null) {
|
|
this.loginService.clearValues();
|
|
this.onSuccessfulLogin();
|
|
}
|
|
if (response.resetMasterPassword) {
|
|
this.successRoute = "set-password";
|
|
}
|
|
if (response.forcePasswordReset !== ForceResetPasswordReason.None) {
|
|
this.successRoute = "update-temp-password";
|
|
}
|
|
if (this.onSuccessfulLoginNavigate != null) {
|
|
this.loginService.clearValues();
|
|
this.onSuccessfulLoginNavigate();
|
|
} else {
|
|
this.loginService.clearValues();
|
|
this.router.navigate([this.successRoute], {
|
|
queryParams: {
|
|
identifier: this.identifier,
|
|
},
|
|
});
|
|
}
|
|
}
|
|
|
|
async sendEmail(doToast: boolean) {
|
|
if (this.selectedProviderType !== TwoFactorProviderType.Email) {
|
|
return;
|
|
}
|
|
|
|
if (this.emailPromise != null) {
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const request = new TwoFactorEmailRequest();
|
|
request.email = this.authService.email;
|
|
request.masterPasswordHash = this.authService.masterPasswordHash;
|
|
request.deviceIdentifier = await this.appIdService.getAppId();
|
|
request.authRequestAccessCode = this.authService.accessCode;
|
|
request.authRequestId = this.authService.authRequestId;
|
|
this.emailPromise = this.apiService.postTwoFactorEmail(request);
|
|
await this.emailPromise;
|
|
if (doToast) {
|
|
this.platformUtilsService.showToast(
|
|
"success",
|
|
null,
|
|
this.i18nService.t("verificationCodeEmailSent", this.twoFactorEmail)
|
|
);
|
|
}
|
|
} catch (e) {
|
|
this.logService.error(e);
|
|
}
|
|
|
|
this.emailPromise = null;
|
|
}
|
|
|
|
authWebAuthn() {
|
|
const providerData = this.twoFactorService.getProviders().get(this.selectedProviderType);
|
|
|
|
if (!this.webAuthnSupported || this.webAuthn == null) {
|
|
return;
|
|
}
|
|
|
|
this.webAuthn.init(providerData);
|
|
}
|
|
|
|
private cleanupWebAuthn() {
|
|
if (this.webAuthn != null) {
|
|
this.webAuthn.stop();
|
|
this.webAuthn.cleanup();
|
|
}
|
|
}
|
|
|
|
get authing(): boolean {
|
|
return (
|
|
this.authService.authingWithPassword() ||
|
|
this.authService.authingWithSso() ||
|
|
this.authService.authingWithUserApiKey() ||
|
|
this.authService.authingWithPasswordless()
|
|
);
|
|
}
|
|
|
|
get needsLock(): boolean {
|
|
return this.authService.authingWithSso() || this.authService.authingWithUserApiKey();
|
|
}
|
|
}
|