From c2829cd71b835f9be56e97e5ba8637c5f8490a9a Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Fri, 23 Aug 2024 10:51:42 -0700
Subject: [PATCH] Remove password hint responses from API (#10523)

* Log reloading behavior

* Remove hints from responses.

changing password implies updating the hint, but no longer displays the old one. This is a security risk for shoulder surfing and breaks the escrow model we have where it is only shared via email when requested.

* Update change password hint label
---
 apps/desktop/src/main/window.main.ts                        | 2 ++
 apps/web/src/app/auth/settings/account/profile.component.ts | 5 +----
 .../src/app/auth/settings/change-password.component.html    | 2 +-
 apps/web/src/app/auth/settings/change-password.component.ts | 6 ++++--
 apps/web/src/locales/en/messages.json                       | 3 +++
 .../src/auth/models/request/update-profile.request.ts       | 4 +---
 libs/common/src/models/response/profile.response.ts         | 2 --
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/apps/desktop/src/main/window.main.ts b/apps/desktop/src/main/window.main.ts
index deb370201f..029a0527c6 100644
--- a/apps/desktop/src/main/window.main.ts
+++ b/apps/desktop/src/main/window.main.ts
@@ -51,6 +51,7 @@ export class WindowMain {
     // Perform a hard reload of the render process by crashing it. This is suboptimal but ensures that all memory gets
     // cleared, as the process itself will be completely garbage collected.
     ipcMain.on("reload-process", async () => {
+      this.logService.info("Reloading render process");
       // User might have changed theme, ensure the window is updated.
       this.win.setBackgroundColor(await this.getBackgroundColor());
 
@@ -65,6 +66,7 @@ export class WindowMain {
       // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
       // eslint-disable-next-line @typescript-eslint/no-floating-promises
       this.session.clearCache();
+      this.logService.info("Render process reloaded");
     });
 
     return new Promise<void>((resolve, reject) => {
diff --git a/apps/web/src/app/auth/settings/account/profile.component.ts b/apps/web/src/app/auth/settings/account/profile.component.ts
index fa111c9fa6..a960adfe5d 100644
--- a/apps/web/src/app/auth/settings/account/profile.component.ts
+++ b/apps/web/src/app/auth/settings/account/profile.component.ts
@@ -62,10 +62,7 @@ export class ProfileComponent implements OnInit, OnDestroy {
   }
 
   submit = async () => {
-    const request = new UpdateProfileRequest(
-      this.formGroup.get("name").value,
-      this.profile.masterPasswordHint,
-    );
+    const request = new UpdateProfileRequest(this.formGroup.get("name").value);
     await this.apiService.putProfile(request);
     this.platformUtilsService.showToast("success", null, this.i18nService.t("accountUpdated"));
   };
diff --git a/apps/web/src/app/auth/settings/change-password.component.html b/apps/web/src/app/auth/settings/change-password.component.html
index 7c3c22b3d7..b5c8677405 100644
--- a/apps/web/src/app/auth/settings/change-password.component.html
+++ b/apps/web/src/app/auth/settings/change-password.component.html
@@ -111,7 +111,7 @@
     </div>
   </div>
   <div class="form-group">
-    <label for="masterPasswordHint">{{ "masterPassHintLabel" | i18n }}</label>
+    <label for="masterPasswordHint">{{ "newMasterPassHint" | i18n }}</label>
     <input
       id="masterPasswordHint"
       class="form-control"
diff --git a/apps/web/src/app/auth/settings/change-password.component.ts b/apps/web/src/app/auth/settings/change-password.component.ts
index e6290a60fb..5279c05032 100644
--- a/apps/web/src/app/auth/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@@ -83,7 +83,6 @@ export class ChangePasswordComponent
       this.router.navigate(["/settings/security/two-factor"]);
     }
 
-    this.masterPasswordHint = (await this.apiService.getProfile()).masterPasswordHint;
     await super.ngOnInit();
 
     this.characterMinimumMessage = this.i18nService.t("characterMinimum", this.minimumLength);
@@ -138,7 +137,10 @@ export class ChangePasswordComponent
   }
 
   async submit() {
-    if (this.masterPasswordHint != null && this.masterPasswordHint == this.masterPassword) {
+    if (
+      this.masterPasswordHint != null &&
+      this.masterPasswordHint.toLowerCase() === this.masterPassword.toLowerCase()
+    ) {
       this.platformUtilsService.showToast(
         "error",
         this.i18nService.t("errorOccurred"),
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index a445e09901..40e4789923 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -905,6 +905,9 @@
   "masterPassHint": {
     "message": "Master password hint (optional)"
   },
+  "newMasterPassHint": {
+    "message": "New master password hint (optional)"
+  },
   "masterPassHintLabel": {
     "message": "Master password hint"
   },
diff --git a/libs/common/src/auth/models/request/update-profile.request.ts b/libs/common/src/auth/models/request/update-profile.request.ts
index 14ed554dc9..01ec51076f 100644
--- a/libs/common/src/auth/models/request/update-profile.request.ts
+++ b/libs/common/src/auth/models/request/update-profile.request.ts
@@ -1,10 +1,8 @@
 export class UpdateProfileRequest {
   name: string;
-  masterPasswordHint: string;
   culture = "en-US"; // deprecated
 
-  constructor(name: string, masterPasswordHint: string) {
+  constructor(name: string) {
     this.name = name;
-    this.masterPasswordHint = masterPasswordHint ? masterPasswordHint : null;
   }
 }
diff --git a/libs/common/src/models/response/profile.response.ts b/libs/common/src/models/response/profile.response.ts
index 3d5fde9ac4..6b6555fc56 100644
--- a/libs/common/src/models/response/profile.response.ts
+++ b/libs/common/src/models/response/profile.response.ts
@@ -10,7 +10,6 @@ export class ProfileResponse extends BaseResponse {
   name: string;
   email: string;
   emailVerified: boolean;
-  masterPasswordHint: string;
   premiumPersonally: boolean;
   premiumFromOrganization: boolean;
   culture: string;
@@ -32,7 +31,6 @@ export class ProfileResponse extends BaseResponse {
     this.name = this.getResponseProperty("Name");
     this.email = this.getResponseProperty("Email");
     this.emailVerified = this.getResponseProperty("EmailVerified");
-    this.masterPasswordHint = this.getResponseProperty("MasterPasswordHint");
     this.premiumPersonally = this.getResponseProperty("Premium");
     this.premiumFromOrganization = this.getResponseProperty("PremiumFromOrganization");
     this.culture = this.getResponseProperty("Culture");