reverted user verification for passkeys (#9734)
This commit is contained in:
parent
cbb2fa9442
commit
8bd2118d77
|
@ -12,7 +12,7 @@ import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authenticatio
|
|||
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
|
||||
|
||||
/**
|
||||
* This guard verifies the user's authetication status.
|
||||
* This guard verifies the user's authentication status.
|
||||
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
|
||||
*/
|
||||
export const fido2AuthGuard: CanActivateFn = async (
|
||||
|
@ -27,8 +27,10 @@ export const fido2AuthGuard: CanActivateFn = async (
|
|||
|
||||
if (authStatus === AuthenticationStatus.Locked) {
|
||||
// Appending fromLock=true to the query params to indicate that the user is being redirected from the lock screen, this is used for user verification.
|
||||
const previousUrl = `${state.url}&fromLock=true`;
|
||||
routerService.setPreviousUrl(previousUrl);
|
||||
// TODO: Revert to use previousUrl once user verification for passkeys is approved for production.
|
||||
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||
// const previousUrl = `${state.url}&fromLock=true`;
|
||||
routerService.setPreviousUrl(state.url);
|
||||
return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
|
||||
}
|
||||
|
||||
|
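Review bot: The hunk leaves the superseded assignment as commented-out code, `// const previousUrl = \`${state.url}&fromLock=true\`;`, directly under a TODO that already links the PR holding that line, so the commented code preserves nothing the link does not and will drift from the real implementation. I would drop it and make the TODO say what the revert costs: the removed comment said `fromLock=true` was "used for user verification", and after this change the lock redirect stores `state.url` alone, so the popout receives no signal that it was reopened after an unlock. Suggested replacement for the two comment lines: `// TODO(PM-4577, https://github.com/bitwarden/clients/pull/8746): fromLock is no longer appended, so the FIDO2 popout cannot distinguish a post-unlock return; restore once passkey user verification is approved for production.` The guard's body continues outside the hunk.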
|
|
@ -27,6 +27,7 @@ import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view
|
|||
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
||||
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
|
||||
import { DialogService } from "@bitwarden/components";
|
||||
import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
|
||||
import { ZonedMessageListenerService } from "../../../../platform/browser/zoned-message-listener.service";
|
||||
import {
|
||||
|
@ -59,7 +60,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
protected data$: Observable<ViewData>;
|
||||
protected sessionId?: string;
|
||||
protected senderTabId?: string;
|
||||
protected fromLock?: boolean;
|
||||
protected ciphers?: CipherView[] = [];
|
||||
protected displayedCiphers?: CipherView[] = [];
|
||||
protected loading = false;
|
||||
|
@ -78,6 +78,7 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
private logService: LogService,
|
||||
private dialogService: DialogService,
|
||||
private browserMessagingApi: ZonedMessageListenerService,
|
||||
private passwordRepromptService: PasswordRepromptService,
|
||||
private fido2UserVerificationService: Fido2UserVerificationService,
|
||||
) {}
|
||||
|
||||
|
@ -90,7 +91,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
sessionId: queryParamMap.get("sessionId"),
|
||||
senderTabId: queryParamMap.get("senderTabId"),
|
||||
senderUrl: queryParamMap.get("senderUrl"),
|
||||
fromLock: queryParamMap.get("fromLock"),
|
||||
})),
|
||||
);
|
||||
|
||||
|
@ -103,7 +103,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
this.sessionId = queryParams.sessionId;
|
||||
this.senderTabId = queryParams.senderTabId;
|
||||
this.url = queryParams.senderUrl;
|
||||
this.fromLock = queryParams.fromLock === "true";
|
||||
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
|
||||
if (
|
||||
message.type === "NewSessionCreatedRequest" &&
|
||||
|
@ -213,11 +212,9 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
protected async submit() {
|
||||
const data = this.message$.value;
|
||||
if (data?.type === "PickCredentialRequest") {
|
||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
||||
data.userVerification,
|
||||
this.cipher,
|
||||
this.fromLock,
|
||||
);
|
||||
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
|
@ -238,11 +235,9 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
}
|
||||
}
|
||||
|
||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
||||
data.userVerification,
|
||||
this.cipher,
|
||||
this.fromLock,
|
||||
);
|
||||
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
|
@ -259,21 +254,16 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
const data = this.message$.value;
|
||||
if (data?.type === "ConfirmNewCredentialRequest") {
|
||||
const name = data.credentialName || data.rpId;
|
||||
const userVerified = await this.fido2UserVerificationService.handleUserVerification(
|
||||
data.userVerification,
|
||||
this.cipher,
|
||||
this.fromLock,
|
||||
);
|
||||
|
||||
if (!data.userVerification || userVerified) {
|
||||
// TODO: Revert to check for user verification once user verification for passkeys is approved for production.
|
||||
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||
await this.createNewCipher(name);
|
||||
}
|
||||
|
||||
// We are bypassing user verification pending approval.
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
cipherId: this.cipher?.id,
|
||||
type: "ConfirmNewCredentialResponse",
|
||||
userVerified,
|
||||
userVerified: data.userVerification,
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -322,7 +312,6 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
uilocation: "popout",
|
||||
senderTabId: this.senderTabId,
|
||||
sessionId: this.sessionId,
|
||||
fromLock: this.fromLock,
|
||||
userVerification: data.userVerification,
|
||||
singleActionPopout: `${VaultPopoutType.fido2Popout}_${this.sessionId}`,
|
||||
},
|
||||
|
@ -393,6 +382,20 @@ export class Fido2Component implements OnInit, OnDestroy {
|
|||
}
|
||||
}
|
||||
|
||||
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
|
||||
private async handleUserVerification(
|
||||
userVerificationRequested: boolean,
|
||||
cipher: CipherView,
|
||||
): Promise<boolean> {
|
||||
const masterPasswordRepromptRequired = cipher && cipher.reprompt !== 0;
|
||||
|
||||
if (masterPasswordRepromptRequired) {
|
||||
return await this.passwordRepromptService.showPasswordPrompt();
|
||||
}
|
||||
|
||||
return userVerificationRequested;
|
||||
}
|
||||
|
||||
private send(msg: BrowserFido2Message) {
|
||||
BrowserFido2UserInterfaceSession.sendMessage({
|
||||
sessionId: this.sessionId,
|
||||
|
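Review bot: `handleUserVerification`, added at the end of the section, returns `userVerificationRequested` unchanged whenever the cipher has no master-password reprompt, so when a relying party asks for UV and no prompt is shown the helper reports `true` and `submit()` forwards that as `userVerified` in the response; `confirm()` does the same by sending `userVerified: data.userVerification`. The commit says this bypass is intentional, but the helper's name and `Promise<boolean>` signature read as if a check took place, and the only inline warning is the single "bypassing" comment in `confirm()`. I would state it where the value is produced: `// Interim (PM-4577): no user verification is performed here. Returns the RP's requested flag unchanged, so a userVerified=true response can be sent without verifying the user; the cipher's master-password reprompt is the only gate applied.` The injected `fido2UserVerificationService` also has no remaining caller in the visible hunks and could be removed from the constructor if the rest of the file does not use it.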
|
|
@ -170,17 +170,14 @@ export class AddEditComponent extends BaseAddEditComponent {
|
|||
|
||||
async submit(): Promise<boolean> {
|
||||
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||
const { isFido2Session, sessionId, userVerification, fromLock } = fido2SessionData;
|
||||
const { isFido2Session, sessionId, userVerification } = fido2SessionData;
|
||||
const inFido2PopoutWindow = BrowserPopupUtils.inPopout(window) && isFido2Session;
|
||||
|
||||
// TODO: Revert to use fido2 user verification service once user verification for passkeys is approved for production.
|
||||
// PM-4577 - https://github.com/bitwarden/clients/pull/8746
|
||||
if (
|
||||
inFido2PopoutWindow &&
|
||||
userVerification &&
|
||||
!(await this.fido2UserVerificationService.handleUserVerification(
|
||||
userVerification,
|
||||
this.cipher,
|
||||
fromLock,
|
||||
))
|
||||
!(await this.handleFido2UserVerification(sessionId, userVerification))
|
||||
) {
|
||||
return false;
|
||||
}
|
||||
|
@ -389,4 +386,13 @@ export class AddEditComponent extends BaseAddEditComponent {
|
|||
this.load().catch((error) => this.logService.error(error));
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: Remove and use fido2 user verification service once user verification for passkeys is approved for production.
|
||||
private async handleFido2UserVerification(
|
||||
sessionId: string,
|
||||
userVerification: boolean,
|
||||
): Promise<boolean> {
|
||||
// We are bypassing user verification pending approval for production.
|
||||
return true;
|
||||
}
|
||||
}
|
||||
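Review bot: `handleFido2UserVerification` ignores both of its parameters and returns `true` unconditionally, which makes the `inFido2PopoutWindow && userVerification && !(await ...)` guard in `submit()` dead: its `return false` can no longer be reached from this check. Unlike the interim helper in `Fido2Component`, this stub does not fall back to the cipher's master-password reprompt, so saving a credential from the FIDO2 popout is not gated here even when `reprompt` is set, unless the base component applies it elsewhere, which the hunk does not show. If the stub is meant to be a pure placeholder, say so and mark the unused arguments: `// Interim (PM-4577): placeholder that performs no verification and ignores its arguments.` with the parameters renamed to `_sessionId: string` and `_userVerification: boolean`. `submit()` continues beyond the hunk.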
|
|