reverted user verification for passkeys (#9734)

This commit is contained in:
SmithThe4th 2024-06-20 10:35:45 -04:00 committed by GitHub
parent cbb2fa9442
commit 8bd2118d77
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 45 additions and 34 deletions

View File

@ -12,7 +12,7 @@ import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authenticatio
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service"; import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
/** /**
* This guard verifies the user's authetication status. * This guard verifies the user's authentication status.
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed. * If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
*/ */
export const fido2AuthGuard: CanActivateFn = async ( export const fido2AuthGuard: CanActivateFn = async (
@ -27,8 +27,10 @@ export const fido2AuthGuard: CanActivateFn = async (
if (authStatus === AuthenticationStatus.Locked) { if (authStatus === AuthenticationStatus.Locked) {
// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification. // Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
const previousUrl = `${state.url}&fromLock=true`; // TODO: Revert to use previousUrl once user verification for passkeys is approved for production.
routerService.setPreviousUrl(previousUrl); // PM-4577 - https://github.com/bitwarden/clients/pull/8746
// const previousUrl = `${state.url}&fromLock=true`;
routerService.setPreviousUrl(state.url);
return router.createUrlTree(["/lock"], { queryParams: route.queryParams }); return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
} }

View File

@ -27,6 +27,7 @@ import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view
import { LoginView } from "@bitwarden/common/vault/models/view/login.view"; import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view"; import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
import { DialogService } from "@bitwarden/components"; import { DialogService } from "@bitwarden/components";
import { PasswordRepromptService } from "@bitwarden/vault";
import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service"; import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
import { import {
@ -59,7 +60,6 @@ export class Fido2Component implements OnInit, OnDestroy {
protected data$: Observable<ViewData>; protected data$: Observable<ViewData>;
protected sessionId?: string; protected sessionId?: string;
protected senderTabId?: string; protected senderTabId?: string;
protected fromLock?: boolean;
protected ciphers?: CipherView[] = []; protected ciphers?: CipherView[] = [];
protected displayedCiphers?: CipherView[] = []; protected displayedCiphers?: CipherView[] = [];
protected loading = false; protected loading = false;
@ -78,6 +78,7 @@ export class Fido2Component implements OnInit, OnDestroy {
private logService: LogService, private logService: LogService,
private dialogService: DialogService, private dialogService: DialogService,
private browserMessagingApi: ZonedMessageListenerService, private browserMessagingApi: ZonedMessageListenerService,
private passwordRepromptService: PasswordRepromptService,
private fido2UserVerificationService: Fido2UserVerificationService, private fido2UserVerificationService: Fido2UserVerificationService,
) {} ) {}
@ -90,7 +91,6 @@ export class Fido2Component implements OnInit, OnDestroy {
sessionId: queryParamMap.get("sessionId"), sessionId: queryParamMap.get("sessionId"),
senderTabId: queryParamMap.get("senderTabId"), senderTabId: queryParamMap.get("senderTabId"),
senderUrl: queryParamMap.get("senderUrl"), senderUrl: queryParamMap.get("senderUrl"),
fromLock: queryParamMap.get("fromLock"),
})), })),
); );
@ -103,7 +103,6 @@ export class Fido2Component implements OnInit, OnDestroy {
this.sessionId = queryParams.sessionId; this.sessionId = queryParams.sessionId;
this.senderTabId = queryParams.senderTabId; this.senderTabId = queryParams.senderTabId;
this.url = queryParams.senderUrl; this.url = queryParams.senderUrl;
this.fromLock = queryParams.fromLock === "true";
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session. // For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
if ( if (
message.type === "NewSessionCreatedRequest" && message.type === "NewSessionCreatedRequest" &&
@ -213,11 +212,9 @@ export class Fido2Component implements OnInit, OnDestroy {
protected async submit() { protected async submit() {
const data = this.message$.value; const data = this.message$.value;
if (data?.type === "PickCredentialRequest") { if (data?.type === "PickCredentialRequest") {
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher, const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
this.fromLock,
);
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
@ -238,11 +235,9 @@ export class Fido2Component implements OnInit, OnDestroy {
} }
} }
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher, const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
this.fromLock,
);
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
@ -259,21 +254,16 @@ export class Fido2Component implements OnInit, OnDestroy {
const data = this.message$.value; const data = this.message$.value;
if (data?.type === "ConfirmNewCredentialRequest") { if (data?.type === "ConfirmNewCredentialRequest") {
const name = data.credentialName || data.rpId; const name = data.credentialName || data.rpId;
const userVerified = await this.fido2UserVerificationService.handleUserVerification( // TODO: Revert to check for user verification once user verification for passkeys is approved for production.
data.userVerification, // PM-4577 - https://github.com/bitwarden/clients/pull/8746
this.cipher,
this.fromLock,
);
if (!data.userVerification || userVerified) {
await this.createNewCipher(name); await this.createNewCipher(name);
}
// We are bypassing user verification pending approval.
this.send({ this.send({
sessionId: this.sessionId, sessionId: this.sessionId,
cipherId: this.cipher?.id, cipherId: this.cipher?.id,
type: "ConfirmNewCredentialResponse", type: "ConfirmNewCredentialResponse",
userVerified, userVerified: data.userVerification,
}); });
} }
@ -322,7 +312,6 @@ export class Fido2Component implements OnInit, OnDestroy {
uilocation: "popout", uilocation: "popout",
senderTabId: this.senderTabId, senderTabId: this.senderTabId,
sessionId: this.sessionId, sessionId: this.sessionId,
fromLock: this.fromLock,
userVerification: data.userVerification, userVerification: data.userVerification,
singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`, singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
}, },
@ -393,6 +382,20 @@ export class Fido2Component implements OnInit, OnDestroy {
} }
} }
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
private async handleUserVerification(
userVerificationRequested: boolean,
cipher: CipherView,
): Promise<boolean> {
const masterPasswordRepromptRequired = cipher && cipher.reprompt !== 0;
if (masterPasswordRepromptRequired) {
return await this.passwordRepromptService.showPasswordPrompt();
}
return userVerificationRequested;
}
private send(msg: BrowserFido2Message) { private send(msg: BrowserFido2Message) {
BrowserFido2UserInterfaceSession.sendMessage({ BrowserFido2UserInterfaceSession.sendMessage({
sessionId: this.sessionId, sessionId: this.sessionId,

View File

@ -170,17 +170,14 @@ export class AddEditComponent extends BaseAddEditComponent {
async submit(): Promise<boolean> { async submit(): Promise<boolean> {
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$); const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
const { isFido2Session, sessionId, userVerification, fromLock } = fido2SessionData; const { isFido2Session, sessionId, userVerification } = fido2SessionData;
const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session; const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
if ( if (
inFido2PopoutWindow && inFido2PopoutWindow &&
userVerification && !(await this.handleFido2UserVerification(sessionId, userVerification))
!(await this.fido2UserVerificationService.handleUserVerification(
userVerification,
this.cipher,
fromLock,
))
) { ) {
return false; return false;
} }
@ -389,4 +386,13 @@ export class AddEditComponent extends BaseAddEditComponent {
this.load().catch((error) => this.logService.error(error)); this.load().catch((error) => this.logService.error(error));
} }
} }
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
private async handleFido2UserVerification(
sessionId: string,
userVerification: boolean,
): Promise<boolean> {
// We are bypassing user verification pending approval for production.
return true;
}
} }