reverted user verification for passkeys (#9734)
parent
cbb2fa9442
commit
8bd2118d77
|
@ -12,7 +12,7 @@ import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authenticatio
|
||||||
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
|
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This guard verifies the user's authetication status.
|
* This guard verifies the user's authentication status.
|
||||||
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
|
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
|
||||||
*/
|
*/
|
||||||
export const fido2AuthGuard: CanActivateFn = async (
|
export const fido2AuthGuard: CanActivateFn = async (
|
||||||
|
@ -27,8 +27,10 @@ export const fido2AuthGuard: CanActivateFn = async (
|
||||||
|
|
||||||
if (authStatus === AuthenticationStatus.Locked) {
|
if (authStatus === AuthenticationStatus.Locked) {
|
||||||
// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
|
// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
|
||||||
const previousUrl = `${state.url}&fromLock=true`;
|
// TODO: Revert to use previousUrl once user verification for passkeys is approved for production.
|
||||||
routerService.setPreviousUrl(previousUrl);
|
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||||
|
// const previousUrl = `${state.url}&fromLock=true`;
|
||||||
|
routerService.setPreviousUrl(state.url);
|
||||||
return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
|
return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
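Review bot: The comment kept on the new side of the second hunk, `// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.`, no longer describes the code beneath it, because the line that appended the parameter is now commented out and `routerService.setPreviousUrl(state.url)` stores the URL unchanged. I would reword it to `// fromLock=true is intentionally not appended while passkey user verification is disabled (PM-4577); the unmodified state.url is saved.` so a reader does not assume the lock-screen redirect still carries the flag. The body of fido2AuthGuard begins before this hunk.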
|
@ -27,6 +27,7 @@ import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view
|
||||||
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
||||||
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
|
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
|
||||||
import { DialogService } from "@bitwarden/components";
|
import { DialogService } from "@bitwarden/components";
|
||||||
|
import { PasswordRepromptService } from "@bitwarden/vault";
|
||||||
|
|
||||||
import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
|
import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
|
||||||
import {
|
import {
|
||||||
|
@ -59,7 +60,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
protected data$: Observable<ViewData>;
|
protected data$: Observable<ViewData>;
|
||||||
protected sessionId?: string;
|
protected sessionId?: string;
|
||||||
protected senderTabId?: string;
|
protected senderTabId?: string;
|
||||||
protected fromLock?: boolean;
|
|
||||||
protected ciphers?: CipherView[] = [];
|
protected ciphers?: CipherView[] = [];
|
||||||
protected displayedCiphers?: CipherView[] = [];
|
protected displayedCiphers?: CipherView[] = [];
|
||||||
protected loading = false;
|
protected loading = false;
|
||||||
|
@ -78,6 +78,7 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
private logService: LogService,
|
private logService: LogService,
|
||||||
private dialogService: DialogService,
|
private dialogService: DialogService,
|
||||||
private browserMessagingApi: ZonedMessageListenerService,
|
private browserMessagingApi: ZonedMessageListenerService,
|
||||||
|
private passwordRepromptService: PasswordRepromptService,
|
||||||
private fido2UserVerificationService: Fido2UserVerificationService,
|
private fido2UserVerificationService: Fido2UserVerificationService,
|
||||||
) {}
|
) {}
|
||||||
|
|
||||||
|
@ -90,7 +91,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
sessionId: queryParamMap.get("sessionId"),
|
sessionId: queryParamMap.get("sessionId"),
|
||||||
senderTabId: queryParamMap.get("senderTabId"),
|
senderTabId: queryParamMap.get("senderTabId"),
|
||||||
senderUrl: queryParamMap.get("senderUrl"),
|
senderUrl: queryParamMap.get("senderUrl"),
|
||||||
fromLock: queryParamMap.get("fromLock"),
|
|
||||||
})),
|
})),
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -103,7 +103,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
this.sessionId = queryParams.sessionId;
|
this.sessionId = queryParams.sessionId;
|
||||||
this.senderTabId = queryParams.senderTabId;
|
this.senderTabId = queryParams.senderTabId;
|
||||||
this.url = queryParams.senderUrl;
|
this.url = queryParams.senderUrl;
|
||||||
this.fromLock = queryParams.fromLock === "true";
|
|
||||||
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
|
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
|
||||||
if (
|
if (
|
||||||
message.type === "NewSessionCreatedRequest" &&
|
message.type === "NewSessionCreatedRequest" &&
|
||||||
|
@ -213,11 +212,9 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
protected async submit() {
|
protected async submit() {
|
||||||
const data = this.message$.value;
|
const data = this.message$.value;
|
||||||
if (data?.type === "PickCredentialRequest") {
|
if (data?.type === "PickCredentialRequest") {
|
||||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||||
data.userVerification,
|
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||||
this.cipher,
|
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||||
this.fromLock,
|
|
||||||
);
|
|
||||||
|
|
||||||
this.send({
|
this.send({
|
||||||
sessionId: this.sessionId,
|
sessionId: this.sessionId,
|
||||||
|
@ -238,11 +235,9 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||||
data.userVerification,
|
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||||
this.cipher,
|
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||||
this.fromLock,
|
|
||||||
);
|
|
||||||
|
|
||||||
this.send({
|
this.send({
|
||||||
sessionId: this.sessionId,
|
sessionId: this.sessionId,
|
||||||
|
@ -259,21 +254,16 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
const data = this.message$.value;
|
const data = this.message$.value;
|
||||||
if (data?.type === "ConfirmNewCredentialRequest") {
|
if (data?.type === "ConfirmNewCredentialRequest") {
|
||||||
const name = data.credentialName || data.rpId;
|
const name = data.credentialName || data.rpId;
|
||||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
// TODO: Revert to check for user verification once user verification for passkeys is approved for production.
|
||||||
data.userVerification,
|
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||||
this.cipher,
|
|
||||||
this.fromLock,
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!data.userVerification || userVerified) {
|
|
||||||
await this.createNewCipher(name);
|
await this.createNewCipher(name);
|
||||||
}
|
|
||||||
|
|
||||||
|
// We are bypassing user verification pending approval.
|
||||||
this.send({
|
this.send({
|
||||||
sessionId: this.sessionId,
|
sessionId: this.sessionId,
|
||||||
cipherId: this.cipher?.id,
|
cipherId: this.cipher?.id,
|
||||||
type: "ConfirmNewCredentialResponse",
|
type: "ConfirmNewCredentialResponse",
|
||||||
userVerified,
|
userVerified: data.userVerification,
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -322,7 +312,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
uilocation: "popout",
|
uilocation: "popout",
|
||||||
senderTabId: this.senderTabId,
|
senderTabId: this.senderTabId,
|
||||||
sessionId: this.sessionId,
|
sessionId: this.sessionId,
|
||||||
fromLock: this.fromLock,
|
|
||||||
userVerification: data.userVerification,
|
userVerification: data.userVerification,
|
||||||
singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
|
singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
|
||||||
},
|
},
|
||||||
|
@ -393,6 +382,20 @@ export class Fido2Component implements OnInit, OnDestroy {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
|
||||||
|
private async handleUserVerification(
|
||||||
|
userVerificationRequested: boolean,
|
||||||
|
cipher: CipherView,
|
||||||
|
): Promise<boolean> {
|
||||||
|
const masterPasswordRepromptRequired = cipher && cipher.reprompt !== 0;
|
||||||
|
|
||||||
|
if (masterPasswordRepromptRequired) {
|
||||||
|
return await this.passwordRepromptService.showPasswordPrompt();
|
||||||
|
}
|
||||||
|
|
||||||
|
return userVerificationRequested;
|
||||||
|
}
|
||||||
|
|
||||||
private send(msg: BrowserFido2Message) {
|
private send(msg: BrowserFido2Message) {
|
||||||
BrowserFido2UserInterfaceSession.sendMessage({
|
BrowserFido2UserInterfaceSession.sendMessage({
|
||||||
sessionId: this.sessionId,
|
sessionId: this.sessionId,
|
||||||
|
|
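Review bot: The new `handleUserVerification` in the last hunk returns `userVerificationRequested` unchanged whenever no master-password reprompt applies, so the value sent as `userVerified` from both `submit` hunks asserts that verification took place when only the request flag was echoed; the TODO above the method says it will be reverted but not that its result is a placeholder. A TSDoc on the method should state that explicitly, along the lines of: the returned boolean is the relying party's requested flag, not evidence of a completed verification, except on the branch where `showPasswordPrompt()` ran, and the ConfirmNewCredentialRequest path that sends `userVerified: data.userVerification` carries the same caveat. The `cipher.reprompt !== 0` literal would read better as the reprompt enum's no-reprompt member if the file has it in scope. Fido2Component continues outside this hunk.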
|
@ -170,17 +170,14 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||||
|
|
||||||
async submit(): Promise<boolean> {
|
async submit(): Promise<boolean> {
|
||||||
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||||
const { isFido2Session, sessionId, userVerification, fromLock } = fido2SessionData;
|
const { isFido2Session, sessionId, userVerification } = fido2SessionData;
|
||||||
const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
|
const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
|
||||||
|
|
||||||
|
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||||
|
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||||
if (
|
if (
|
||||||
inFido2PopoutWindow &&
|
inFido2PopoutWindow &&
|
||||||
userVerification &&
|
!(await this.handleFido2UserVerification(sessionId, userVerification))
|
||||||
!(await this.fido2UserVerificationService.handleUserVerification(
|
|
||||||
userVerification,
|
|
||||||
this.cipher,
|
|
||||||
fromLock,
|
|
||||||
))
|
|
||||||
) {
|
) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -389,4 +386,13 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||||
this.load().catch((error) => this.logService.error(error));
|
this.load().catch((error) => this.logService.error(error));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
|
||||||
|
private async handleFido2UserVerification(
|
||||||
|
sessionId: string,
|
||||||
|
userVerification: boolean,
|
||||||
|
): Promise<boolean> {
|
||||||
|
// We are bypassing user verification pending approval for production.
|
||||||
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
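Review bot: The new `handleFido2UserVerification` in the last hunk always returns `true` and reads neither `sessionId` nor `userVerification`, so the `return false` branch in `submit` is unreachable and both parameters are unused, which a `noUnusedParameters` build would reject. If the signature is kept so the later revert is a drop-in, say so on the method, e.g. `/** Placeholder until PM-4577 lands: always reports success; parameters are retained for signature compatibility and intentionally unused. */`, so the dead branch in `submit` is understood as deliberate rather than a missed check. The rest of AddEditComponent.submit lies outside the hunk.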