From cf6ed0d8a643d9729c5d350718c44521e2df26e9 Mon Sep 17 00:00:00 2001
From: Jake Fink <jfink@bitwarden.com>
Date: Thu, 30 Nov 2023 16:09:52 -0500
Subject: [PATCH] shallow copy credentials in strategies that store them
 (#7047)

- add warnings about dead objects in firefox
---
 .../src/auth/login-strategies/auth-request-login.strategy.ts  | 4 +++-
 .../src/auth/login-strategies/webauthn-login.strategy.ts      | 4 +++-
 libs/common/src/auth/services/auth.service.ts                 | 2 ++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libs/common/src/auth/login-strategies/auth-request-login.strategy.ts b/libs/common/src/auth/login-strategies/auth-request-login.strategy.ts
index abc6050df9..06aa750d8e 100644
--- a/libs/common/src/auth/login-strategies/auth-request-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/auth-request-login.strategy.ts
@@ -58,7 +58,9 @@ export class AuthRequestLoginStrategy extends LoginStrategy {
   }
 
   override async logIn(credentials: AuthRequestLoginCredentials) {
-    this.authRequestCredentials = credentials;
+    // NOTE: To avoid DeadObject references on Firefox, do not set the credentials object directly
+    // Use deep copy in future if objects are added that were created in popup
+    this.authRequestCredentials = { ...credentials };
 
     this.tokenRequest = new PasswordTokenRequest(
       credentials.email,
diff --git a/libs/common/src/auth/login-strategies/webauthn-login.strategy.ts b/libs/common/src/auth/login-strategies/webauthn-login.strategy.ts
index c3ae998113..dc8a05b5f9 100644
--- a/libs/common/src/auth/login-strategies/webauthn-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/webauthn-login.strategy.ts
@@ -61,7 +61,9 @@ export class WebAuthnLoginStrategy extends LoginStrategy {
   }
 
   async logIn(credentials: WebAuthnLoginCredentials) {
-    this.credentials = credentials;
+    // NOTE: To avoid DeadObject references on Firefox, do not set the credentials object directly
+    // Use deep copy in future if objects are added that were created in popup
+    this.credentials = { ...credentials };
 
     this.tokenRequest = new WebAuthnLoginTokenRequest(
       credentials.token,
diff --git a/libs/common/src/auth/services/auth.service.ts b/libs/common/src/auth/services/auth.service.ts
index f4771e1c8a..6f269af8e1 100644
--- a/libs/common/src/auth/services/auth.service.ts
+++ b/libs/common/src/auth/services/auth.service.ts
@@ -208,6 +208,8 @@ export class AuthService implements AuthServiceAbstraction {
         break;
     }
 
+    // Note: Do not set the credentials object directly on the strategy. They are
+    // created in the popup and can cause DeadObject references on Firefox.
     const result = await strategy.logIn(credentials as any);
 
     if (result?.requiresTwoFactor) {