From 8bd2118d77dc696cf11d4d68e9f853405632b001 Mon Sep 17 00:00:00 2001
From: SmithThe4th
Date: Thu, 20 Jun 2024 10:35:45 -0400
Subject: [PATCH] reverted user verification for passkeys (#9734)
---
 .../src/auth/guards/fido2-auth.guard.ts | 8 +--
 .../popup/components/fido2/fido2.component.ts | 51 ++++++++++---------
 .../components/vault/add-edit.component.ts | 20 +++++---
 3 files changed, 45 insertions(+), 34 deletions(-)

diff --git a/apps/browser/src/auth/guards/fido2-auth.guard.ts b/apps/browser/src/auth/guards/fido2-auth.guard.ts
index 0c4e6268bf..7d7f1f5c4e 100644
--- a/apps/browser/src/auth/guards/fido2-auth.guard.ts
+++ b/apps/browser/src/auth/guards/fido2-auth.guard.ts
@@ -12,7 +12,7 @@ import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authenticatio
 import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
 
 /**
- * This guard verifies the user's authetication status.
+ * This guard verifies the user's authentication status.
 * If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
 */
 export const fido2AuthGuard: CanActivateFn = async (
@@ -27,8 +27,10 @@ export const fido2AuthGuard: CanActivateFn = async (
 
 if (authStatus === AuthenticationStatus.Locked) {
 // Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
- const previousUrl = `${state.url}&fromLock=true`;
- routerService.setPreviousUrl(previousUrl);
+ // TODO: Revert to use previousUrl once user verification for passkeys is approved for production.
+ // PM-4577 - https://github.com/bitwarden/clients/pull/8746
+ // const previousUrl = `${state.url}&fromLock=true`;
+ routerService.setPreviousUrl(state.url);
 return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
 }
 
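Review bot: The context comment kept directly above the changed line, `// Appending fromLock=true to the query params ... this is used for user verification.`, now describes something the guard no longer does, because `routerService.setPreviousUrl(state.url);` stores the URL unmodified. A reader will look for the append and not find it, so the comment should follow the code, for example `// Store the intended route unchanged; the fromLock marker is intentionally not appended while passkey user verification is disabled (PM-4577).`. The commented-out `// const previousUrl = ...` line is better dropped in favour of that comment, since the TODO already links the PR that holds the original. The body of fido2AuthGuard continues outside the hunk.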
diff --git a/apps/browser/src/vault/popup/components/fido2/fido2.component.ts b/apps/browser/src/vault/popup/components/fido2/fido2.component.ts
index 8d46cc6033..049dc30ef6 100644
--- a/apps/browser/src/vault/popup/components/fido2/fido2.component.ts
+++ b/apps/browser/src/vault/popup/components/fido2/fido2.component.ts
@@ -27,6 +27,7 @@ import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view
 import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
 import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
 import { DialogService } from "@bitwarden/components";
+import { PasswordRepromptService } from "@bitwarden/vault";
 
 import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
 import {
@@ -59,7 +60,6 @@ export class Fido2Component implements OnInit, OnDestroy {
 protected data$: Observable;
 protected sessionId?: string;
 protected senderTabId?: string;
- protected fromLock?: boolean;
 protected ciphers?: CipherView[] = [];
 protected displayedCiphers?: CipherView[] = [];
 protected loading = false;
@@ -78,6 +78,7 @@ export class Fido2Component implements OnInit, OnDestroy {
 private logService: LogService,
 private dialogService: DialogService,
 private browserMessagingApi: ZonedMessageListenerService,
+ private passwordRepromptService: PasswordRepromptService,
 private fido2UserVerificationService: Fido2UserVerificationService,
 ) {}
 
@@ -90,7 +91,6 @@ export class Fido2Component implements OnInit, OnDestroy {
 sessionId: queryParamMap.get("sessionId"),
 senderTabId: queryParamMap.get("senderTabId"),
 senderUrl: queryParamMap.get("senderUrl"),
- fromLock: queryParamMap.get("fromLock"),
 })),
 );
 
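Review bot: The constructor keeps injecting `fido2UserVerificationService` next to the new `passwordRepromptService`, yet every call on it that the patch shows (the three `handleUserVerification` sites later in this file) is replaced by the new private helper, so the field appears to be unused once this change lands. If nothing outside the shown hunks still reads it, the injection should be removed as well; if it is being kept on purpose for the revert, a comment on that line such as `// Retained for the PM-4577 revert; not used while passkey user verification is disabled.` would stop it being cleaned up as dead code in the meantime. The class extends past the hunk in both directions, so this is inferred from the visible call sites only.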
@@ -103,7 +103,6 @@ export class Fido2Component implements OnInit, OnDestroy {
 this.sessionId = queryParams.sessionId;
 this.senderTabId = queryParams.senderTabId;
 this.url = queryParams.senderUrl;
- this.fromLock = queryParams.fromLock === "true";
 // For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
 if (
 message.type === "NewSessionCreatedRequest" &&
@@ -213,11 +212,9 @@ export class Fido2Component implements OnInit, OnDestroy {
 protected async submit() {
 const data = this.message$.value;
 if (data?.type === "PickCredentialRequest") {
- const userVerified = await this.fido2UserVerificationService.handleUserVerification(
- data.userVerification,
- this.cipher,
- this.fromLock,
- );
+ // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
+ // PM-4577 - https://github.com/bitwarden/clients/pull/8746
+ const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
 
 this.send({
 sessionId: this.sessionId,
@@ -238,11 +235,9 @@ export class Fido2Component implements OnInit, OnDestroy {
 }
 }
 
- const userVerified = await this.fido2UserVerificationService.handleUserVerification(
- data.userVerification,
- this.cipher,
- this.fromLock,
- );
+ // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
+ // PM-4577 - https://github.com/bitwarden/clients/pull/8746
+ const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
 
 this.send({
 sessionId: this.sessionId,
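Review bot: `userVerified` is forwarded into `this.send({ ... })` unchanged, but with the new helper it is no longer the outcome of a verification: when the cipher has no master-password reprompt the helper returns `userVerificationRequested` as-is, so a `PickCredentialResponse` can carry `userVerified: true` without the user having been prompted. That is the bypass the TODO describes, but the send site should say so, because whatever consumes the flag downstream will read it as an attestation; a one-line comment above `this.send({` such as `// userVerified mirrors the request when no reprompt is set; it is not an attestation while PM-4577 is pending.` would do. The same point applies to the send in the `@@ -238` hunk and to `userVerified: data.userVerification` in the `@@ -259` hunk, where the request flag is echoed back directly. `submit` starts in the `@@ -213` hunk but continues beyond it.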
@@ -259,21 +254,16 @@ export class Fido2Component implements OnInit, OnDestroy {
 const data = this.message$.value;
 if (data?.type === "ConfirmNewCredentialRequest") {
 const name = data.credentialName || data.rpId;
- const userVerified = await this.fido2UserVerificationService.handleUserVerification(
- data.userVerification,
- this.cipher,
- this.fromLock,
- );
-
- if (!data.userVerification || userVerified) {
- await this.createNewCipher(name);
- }
+ // TODO: Revert to check for user verification once user verification for passkeys is approved for production.
+ // PM-4577 - https://github.com/bitwarden/clients/pull/8746
+ await this.createNewCipher(name);
+ // We are bypassing user verification pending approval.
 
 this.send({
 sessionId: this.sessionId,
 cipherId: this.cipher?.id,
 type: "ConfirmNewCredentialResponse",
- userVerified,
+ userVerified: data.userVerification,
 });
 }
 
@@ -322,7 +312,6 @@ export class Fido2Component implements OnInit, OnDestroy {
 uilocation: "popout",
 senderTabId: this.senderTabId,
 sessionId: this.sessionId,
- fromLock: this.fromLock,
 userVerification: data.userVerification,
 singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
 },
@@ -393,6 +382,20 @@ export class Fido2Component implements OnInit, OnDestroy {
 }
 }
 
+ // TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
+ private async handleUserVerification(
+ userVerificationRequested: boolean,
+ cipher: CipherView,
+ ): Promise {
+ const masterPasswordRepromptRequired = cipher && cipher.reprompt !== 0;
+
+ if (masterPasswordRepromptRequired) {
+ return await this.passwordRepromptService.showPasswordPrompt();
+ }
+
+ return userVerificationRequested;
+ }
+
 private send(msg: BrowserFido2Message) {
 BrowserFido2UserInterfaceSession.sendMessage({
 sessionId: this.sessionId,
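Review bot: In the `@@ -393` hunk, `handleUserVerification` declares `cipher: CipherView` but then guards with `cipher && cipher.reprompt !== 0`, while its callers pass `this.cipher`, which this same file dereferences as `this.cipher?.id`; under `strictNullChecks` the parameter type should match that reality, `cipher: CipherView | undefined,`, and the guard can stay as written. The helper also has no doc comment and its contract is easy to misread: it returns the master-password prompt result when reprompt is set and otherwise just echoes `userVerificationRequested`. A TSDoc stating exactly that — the value is a reprompt result, not a user-verification result, and is temporary per PM-4577 — would make the eventual revert safer. Finally, `return await this.passwordRepromptService.showPasswordPrompt();` inside an async method can be `return this.passwordRepromptService.showPasswordPrompt();` unless a try/catch is intended.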
diff --git a/apps/browser/src/vault/popup/components/vault/add-edit.component.ts b/apps/browser/src/vault/popup/components/vault/add-edit.component.ts
index 62f2737be2..bf7a6b07a5 100644
--- a/apps/browser/src/vault/popup/components/vault/add-edit.component.ts
+++ b/apps/browser/src/vault/popup/components/vault/add-edit.component.ts
@@ -170,17 +170,14 @@ export class AddEditComponent extends BaseAddEditComponent {
 
 async submit(): Promise {
 const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
- const { isFido2Session, sessionId, userVerification, fromLock } = fido2SessionData;
+ const { isFido2Session, sessionId, userVerification } = fido2SessionData;
 const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
 
+ // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
+ // PM-4577 - https://github.com/bitwarden/clients/pull/8746
 if (
 inFido2PopoutWindow &&
- userVerification &&
- !(await this.fido2UserVerificationService.handleUserVerification(
- userVerification,
- this.cipher,
- fromLock,
- ))
+ !(await this.handleFido2UserVerification(sessionId, userVerification))
 ) {
 return false;
 }
@@ -389,4 +386,13 @@ export class AddEditComponent extends BaseAddEditComponent {
 this.load().catch((error) => this.logService.error(error));
 }
 }
+
+ // TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
+ private async handleFido2UserVerification(
+ sessionId: string,
+ userVerification: boolean,
+ ): Promise {
+ // We are bypassing user verification pending approval for production.
+ return true;
+ }
 }
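Review bot: `handleFido2UserVerification` in the `@@ -389` hunk ignores both of its parameters and always resolves to `true`, so the guard in the `@@ -170` hunk, `!(await this.handleFido2UserVerification(sessionId, userVerification))`, can never be true and the `return false;` it protects is unreachable; with the old `userVerification &&` condition gone as well, the fido2 popout save path now has no verification gate at all, which is presumably the intent but is not stated at the call site. The unused `sessionId` and `userVerification` parameters and the `async` method without an `await` will both be flagged by the type-checked lint preset; prefixing the parameters with `_` and adding a TSDoc that says the method is a stub that always passes while PM-4577 is pending would make the dead guard read as deliberate rather than as a bug. The same one-line comment above the `if (` in `submit` would help, since the TODO there only explains why the service call was swapped, not that the new check is a no-op. `submit` continues past the end of its hunk.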