Updated decryptUserKeyWithMasterKey to requireUserId

2024-10-15 12:28:27 -04:00 · 2024-10-15 12:28:27 -04:00 · 37772ddd1c
parent 15e5a6d747
commit 37772ddd1c
16 changed files with 32 additions and 16 deletions
--- a/apps/web/src/app/auth/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@ -194,7 +194,7 @@ export class ChangePasswordComponent
      HashPurpose.LocalAuthorization,
    );

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
    if (userKey == null) {
      this.toastService.showToast({
        variant: "error",
--- a/libs/angular/src/auth/components/lock.component.ts
+++ b/libs/angular/src/auth/components/lock.component.ts
@ -268,6 +268,7 @@ export class LockComponent implements OnInit, OnDestroy {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      response.masterKey,
+      userId,
    );
    await this.setUserKeyAndContinue(userKey, userId, true);
  }
--- a/libs/angular/src/auth/guards/auth.guard.ts
+++ b/libs/angular/src/auth/guards/auth.guard.ts
@ -28,6 +28,7 @@ export const authGuard: CanActivateFn = async (
  const masterPasswordService = inject(MasterPasswordServiceAbstraction);

  const authStatus = await authService.getAuthStatus();
+  x;

  if (authStatus === AuthenticationStatus.LoggedOut) {
    messagingService.send("authBlocked", { url: routerState.url });
--- a/libs/auth/src/angular/lock/lock.component.ts
+++ b/libs/auth/src/angular/lock/lock.component.ts
@ -481,6 +481,7 @@ export class LockV2Component implements OnInit, OnDestroy {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      masterPasswordVerificationResponse.masterKey,
+      this.activeAccount.id,
    );
    await this.setUserKeyAndContinue(userKey, true);
  }
--- a/libs/auth/src/common/login-strategies/auth-request-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/auth-request-login.strategy.ts
@ -114,7 +114,10 @@ export class AuthRequestLoginStrategy extends LoginStrategy {
  private async trySetUserKeyWithMasterKey(userId: UserId): Promise<void> {
    const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
    if (masterKey) {
-      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+        masterKey,
+        userId,
+      );
      await this.cryptoService.setUserKey(userKey, userId);
    }
  }
--- a/libs/auth/src/common/login-strategies/password-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/password-login.strategy.ts
@ -186,7 +186,10 @@ export class PasswordLoginStrategy extends LoginStrategy {

    const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
    if (masterKey) {
-      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+      const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+        masterKey,
+        userId,
+      );
      await this.cryptoService.setUserKey(userKey, userId);
    }
  }
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts
@ -499,7 +499,7 @@ describe("SsoLoginStrategy", () => {

      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        masterKey,
-        undefined,
+        userId,
        undefined,
      );
      expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey, userId);
@ -555,7 +555,7 @@ describe("SsoLoginStrategy", () => {

      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        masterKey,
-        undefined,
+        userId,
        undefined,
      );
      expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey, userId);
--- a/libs/auth/src/common/login-strategies/sso-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/sso-login.strategy.ts
@ -338,7 +338,7 @@ export class SsoLoginStrategy extends LoginStrategy {
      return;
    }

-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);
    await this.cryptoService.setUserKey(userKey, userId);
  }

--- a/libs/auth/src/common/login-strategies/user-api-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/user-api-login.strategy.spec.ts
@ -216,7 +216,7 @@ describe("UserApiLoginStrategy", () => {

    expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
      masterKey,
-      undefined,
+      userId,
      undefined,
    );
    expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey, userId);
--- a/libs/auth/src/common/login-strategies/user-api-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/user-api-login.strategy.ts
@ -69,7 +69,10 @@ export class UserApiLoginStrategy extends LoginStrategy {
    if (response.apiUseKeyConnector) {
      const masterKey = await firstValueFrom(this.masterPasswordService.masterKey$(userId));
      if (masterKey) {
-        const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+        const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+          masterKey,
+          userId,
+        );
        await this.cryptoService.setUserKey(userKey, userId);
      }
    }
--- a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
@ -200,7 +200,7 @@ describe("AuthRequestService", () => {
      );
      expect(masterPasswordService.mock.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(
        mockDecryptedMasterKey,
-        undefined,
+        mockUserId,
        undefined,
      );
      expect(cryptoService.setUserKey).toHaveBeenCalledWith(mockDecryptedUserKey, mockUserId);
--- a/libs/auth/src/common/services/auth-request/auth-request.service.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.ts
@ -150,7 +150,7 @@ export class AuthRequestService implements AuthRequestServiceAbstraction {
    );

    // Decrypt and set user key in state
-    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
+    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey, userId);

    // Set masterKey + masterKeyHash in state after decryption (in case decryption fails)
    await this.masterPasswordService.setMasterKey(masterKey, userId);
--- a/libs/auth/src/common/services/pin/pin.service.implementation.ts
+++ b/libs/auth/src/common/services/pin/pin.service.implementation.ts
@ -418,6 +418,7 @@ export class PinService implements PinServiceAbstraction {

    const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
      masterKey,
+      userId,
      encUserKey ? new EncString(encUserKey) : undefined,
    );

--- a/libs/common/src/auth/abstractions/master-password.service.abstraction.ts
+++ b/libs/common/src/auth/abstractions/master-password.service.abstraction.ts
@ -33,16 +33,16 @@ export abstract class MasterPasswordServiceAbstraction {
  /**
   * Decrypts the user key with the provided master key
   * @param masterKey The user's master key
+   *    * @param userId The desired user
   * @param userKey The user's encrypted symmetric key
-   * @param userId The desired user
   * @throws If either the MasterKey or UserKey are not resolved, or if the UserKey encryption type
   *         is neither AesCbc256_B64 nor AesCbc256_HmacSha256_B64
   * @returns The user key
   */
  abstract decryptUserKeyWithMasterKey: (
    masterKey: MasterKey,
+    userId: string,
    userKey?: EncString,
-    userId?: string,
  ) => Promise<UserKey>;
 }

--- a/libs/common/src/auth/services/master-password/fake-master-password.service.ts
+++ b/libs/common/src/auth/services/master-password/fake-master-password.service.ts
@ -64,9 +64,9 @@ export class FakeMasterPasswordService implements InternalMasterPasswordServiceA

  decryptUserKeyWithMasterKey(
    masterKey: MasterKey,
+    userId: string,
    userKey?: EncString,
-    userId?: string,
  ): Promise<UserKey> {
-    return this.mock.decryptUserKeyWithMasterKey(masterKey, userKey, userId);
+    return this.mock.decryptUserKeyWithMasterKey(masterKey, userId, userKey);
  }
 }
--- a/libs/common/src/auth/services/master-password/master-password.service.ts
+++ b/libs/common/src/auth/services/master-password/master-password.service.ts
@ -1,5 +1,7 @@
 import { firstValueFrom, map, Observable } from "rxjs";

+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+
 import { EncryptService } from "../../../platform/abstractions/encrypt.service";
 import { KeyGenerationService } from "../../../platform/abstractions/key-generation.service";
 import { StateService } from "../../../platform/abstractions/state.service";
@ -55,6 +57,7 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
    private stateService: StateService,
    private keyGenerationService: KeyGenerationService,
    private encryptService: EncryptService,
+    private logService: LogService,
  ) {}

  masterKey$(userId: UserId): Observable<MasterKey> {
@ -149,10 +152,9 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr

  async decryptUserKeyWithMasterKey(
    masterKey: MasterKey,
+    userId: UserId,
    userKey?: EncString,
-    userId?: UserId,
  ): Promise<UserKey> {
-    userId ??= await firstValueFrom(this.stateProvider.activeUserId$);
    userKey ??= await this.getMasterKeyEncryptedUserKey(userId);
    masterKey ??= await firstValueFrom(this.masterKey$(userId));

@ -185,6 +187,7 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
    }

    if (decUserKey == null) {
+      this.logService.warning("Failed to decrypt user key with master key.");
      return null;
    }