[SSO] Merge feature/sso into master (#139)

* [SSO] Reset Master Password (#134)

* Initial commit of reset master password (sso)

* Updated line length error

* Updated import line again

* Added trailing comma

* restored reference data for RegisterRequest

* Updated tracking boolean name // added success route update based on passed boolean

* Added new API // reverted Register // deleted reset // added change pw and sso

* Changed redirect URI to protected to override in sub-class

* Updated api to setPassword // Updated request model name // Updated change password refs // Updated formatting

* Encoded necessary parts of authorize url // Added default catch error message

* Refactored methods inside change password base component // removed unnecesary query param for sso

* [lint] Fixed error (#137)

* Cleaned lint error

* Fixed sso lint error
This commit is contained in:
Vincent Salucci 2020-08-01 08:42:24 -05:00 committed by GitHub
parent 261a20031f
commit f301b92dc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 295 additions and 1 deletions

View File

@ -42,6 +42,7 @@ import { PreloginRequest } from '../models/request/preloginRequest';
import { RegisterRequest } from '../models/request/registerRequest';
import { SeatRequest } from '../models/request/seatRequest';
import { SelectionReadOnlyRequest } from '../models/request/selectionReadOnlyRequest';
import { SetPasswordRequest } from '../models/request/setPasswordRequest';
import { StorageRequest } from '../models/request/storageRequest';
import { TaxInfoUpdateRequest } from '../models/request/taxInfoUpdateRequest';
import { TokenRequest } from '../models/request/tokenRequest';
@ -125,6 +126,7 @@ export abstract class ApiService {
postEmailToken: (request: EmailTokenRequest) => Promise<any>;
postEmail: (request: EmailRequest) => Promise<any>;
postPassword: (request: PasswordRequest) => Promise<any>;
setPassword: (request: SetPasswordRequest) => Promise<any>;
postSecurityStamp: (request: PasswordVerificationRequest) => Promise<any>;
deleteAccount: (request: PasswordVerificationRequest) => Promise<any>;
getAccountRevisionDate: () => Promise<number>;

View File

@ -0,0 +1,157 @@
import {
OnInit,
} from '@angular/core';
import {
Router,
} from '@angular/router';
import { ApiService } from '../../abstractions/api.service';
import { CipherService } from '../../abstractions/cipher.service';
import { CryptoService } from '../../abstractions/crypto.service';
import { FolderService } from '../../abstractions/folder.service';
import { I18nService } from '../../abstractions/i18n.service';
import { MessagingService } from '../../abstractions/messaging.service';
import { PasswordGenerationService } from '../../abstractions/passwordGeneration.service';
import { PlatformUtilsService } from '../../abstractions/platformUtils.service';
import { PolicyService } from '../../abstractions/policy.service';
import { SyncService } from '../../abstractions/sync.service';
import { UserService } from '../../abstractions/user.service';
import { CipherString } from '../../models/domain/cipherString';
import { MasterPasswordPolicyOptions } from '../../models/domain/masterPasswordPolicyOptions';
import { SymmetricCryptoKey } from '../../models/domain/symmetricCryptoKey';
export class ChangePasswordComponent implements OnInit {
newMasterPassword: string;
confirmNewMasterPassword: string;
formPromise: Promise<any>;
masterPasswordScore: number;
enforcedPolicyOptions: MasterPasswordPolicyOptions;
private masterPasswordStrengthTimeout: any;
private email: string;
constructor(protected apiService: ApiService, protected i18nService: I18nService,
protected cryptoService: CryptoService, protected messagingService: MessagingService,
protected userService: UserService, protected passwordGenerationService: PasswordGenerationService,
protected platformUtilsService: PlatformUtilsService, protected folderService: FolderService,
protected cipherService: CipherService, protected syncService: SyncService,
protected policyService: PolicyService, protected router: Router) { }
async ngOnInit() {
this.email = await this.userService.getEmail();
this.enforcedPolicyOptions = await this.policyService.getMasterPasswordPolicyOptions();
}
getPasswordScoreAlertDisplay() {
if (this.enforcedPolicyOptions == null) {
return '';
}
let str: string;
switch (this.enforcedPolicyOptions.minComplexity) {
case 4:
str = this.i18nService.t('strong');
break;
case 3:
str = this.i18nService.t('good');
break;
default:
str = this.i18nService.t('weak');
break;
}
return str + ' (' + this.enforcedPolicyOptions.minComplexity + ')';
}
async submit() {
const hasEncKey = await this.cryptoService.hasEncKey();
if (!hasEncKey) {
this.platformUtilsService.showToast('error', null, this.i18nService.t('updateKey'));
return;
}
if (this.newMasterPassword == null || this.newMasterPassword === '') {
this.platformUtilsService.showToast('error', this.i18nService.t('errorOccurred'),
this.i18nService.t('masterPassRequired'));
return;
}
if (this.newMasterPassword.length < 8) {
this.platformUtilsService.showToast('error', this.i18nService.t('errorOccurred'),
this.i18nService.t('masterPassLength'));
return;
}
if (this.newMasterPassword !== this.confirmNewMasterPassword) {
this.platformUtilsService.showToast('error', this.i18nService.t('errorOccurred'),
this.i18nService.t('masterPassDoesntMatch'));
return;
}
const strengthResult = this.passwordGenerationService.passwordStrength(this.newMasterPassword,
this.getPasswordStrengthUserInput());
if (this.enforcedPolicyOptions != null &&
!this.policyService.evaluateMasterPassword(
strengthResult.score,
this.newMasterPassword,
this.enforcedPolicyOptions)) {
this.platformUtilsService.showToast('error', this.i18nService.t('errorOccurred'),
this.i18nService.t('masterPasswordPolicyRequirementsNotMet'));
return;
}
if (strengthResult != null && strengthResult.score < 3) {
const result = await this.platformUtilsService.showDialog(this.i18nService.t('weakMasterPasswordDesc'),
this.i18nService.t('weakMasterPassword'), this.i18nService.t('yes'), this.i18nService.t('no'),
'warning');
if (!result) {
return;
}
}
if (!await this.setupSubmitActions()) {
return;
}
const email = await this.userService.getEmail();
const kdf = await this.userService.getKdf();
const kdfIterations = await this.userService.getKdfIterations();
const newKey = await this.cryptoService.makeKey(this.newMasterPassword, email.trim().toLowerCase(),
kdf, kdfIterations);
const newMasterPasswordHash = await this.cryptoService.hashPassword(this.newMasterPassword, newKey);
const newEncKey = await this.cryptoService.remakeEncKey(newKey);
await this.performSubmitActions(newMasterPasswordHash, newKey, newEncKey);
}
async setupSubmitActions(): Promise<boolean> {
// Override in sub-class
// Can be used for additional validation and/or other processes the should occur before changing passwords
return true;
}
async performSubmitActions(newMasterPasswordHash: string, newKey: SymmetricCryptoKey,
newEncKey: [SymmetricCryptoKey, CipherString]) {
// Override in sub-class
}
updatePasswordStrength() {
if (this.masterPasswordStrengthTimeout != null) {
clearTimeout(this.masterPasswordStrengthTimeout);
}
this.masterPasswordStrengthTimeout = setTimeout(() => {
const strengthResult = this.passwordGenerationService.passwordStrength(this.newMasterPassword,
this.getPasswordStrengthUserInput());
this.masterPasswordScore = strengthResult == null ? null : strengthResult.score;
}, 300);
}
private getPasswordStrengthUserInput() {
let userInput: string[] = [];
const atPosition = this.email.indexOf('@');
if (atPosition > -1) {
userInput = userInput.concat(this.email.substr(0, atPosition).trim().toLowerCase().split(/[^A-Za-z0-9]/));
}
return userInput;
}
}

View File

@ -0,0 +1,125 @@
import {
ActivatedRoute,
Router,
} from '@angular/router';
import { ApiService } from '../../abstractions/api.service';
import { AuthService } from '../../abstractions/auth.service';
import { CryptoFunctionService } from '../../abstractions/cryptoFunction.service';
import { I18nService } from '../../abstractions/i18n.service';
import { PasswordGenerationService } from '../../abstractions/passwordGeneration.service';
import { PlatformUtilsService } from '../../abstractions/platformUtils.service';
import { StateService } from '../../abstractions/state.service';
import { StorageService } from '../../abstractions/storage.service';
import { ConstantsService } from '../../services/constants.service';
import { Utils } from '../../misc/utils';
import { AuthResult } from '../../models/domain/authResult';
export class SsoComponent {
identifier: string;
loggingIn = false;
formPromise: Promise<AuthResult>;
onSuccessfulLogin: () => Promise<any>;
onSuccessfulLoginNavigate: () => Promise<any>;
onSuccessfulLoginTwoFactorNavigate: () => Promise<any>;
onSuccessfulLoginChangePasswordNavigate: () => Promise<any>;
protected twoFactorRoute = '2fa';
protected successRoute = 'lock';
protected changePasswordRoute = 'change-password';
protected redirectUri: string;
constructor(protected authService: AuthService, protected router: Router,
protected i18nService: I18nService, protected route: ActivatedRoute,
protected storageService: StorageService, protected stateService: StateService,
protected platformUtilsService: PlatformUtilsService, protected apiService: ApiService,
protected cryptoFunctionService: CryptoFunctionService,
protected passwordGenerationService: PasswordGenerationService) { }
async ngOnInit() {
const queryParamsSub = this.route.queryParams.subscribe(async (qParams) => {
if (qParams.code != null && qParams.state != null) {
const codeVerifier = await this.storageService.get<string>(ConstantsService.ssoCodeVerifierKey);
const state = await this.storageService.get<string>(ConstantsService.ssoStateKey);
await this.storageService.remove(ConstantsService.ssoCodeVerifierKey);
await this.storageService.remove(ConstantsService.ssoStateKey);
if (qParams.code != null && codeVerifier != null && state != null && state === qParams.state) {
await this.logIn(qParams.code, codeVerifier);
}
}
if (queryParamsSub != null) {
queryParamsSub.unsubscribe();
}
});
}
async submit() {
const passwordOptions: any = {
type: 'password',
length: 64,
uppercase: true,
lowercase: true,
numbers: true,
special: false,
};
const state = await this.passwordGenerationService.generatePassword(passwordOptions);
const codeVerifier = await this.passwordGenerationService.generatePassword(passwordOptions);
const codeVerifierHash = await this.cryptoFunctionService.hash(codeVerifier, 'sha256');
const codeChallenge = Utils.fromBufferToUrlB64(codeVerifierHash);
await this.storageService.save(ConstantsService.ssoCodeVerifierKey, codeVerifier);
await this.storageService.save(ConstantsService.ssoStateKey, state);
const authorizeUrl = this.apiService.identityBaseUrl + '/connect/authorize?' +
'client_id=web&redirect_uri=' + encodeURIComponent(this.redirectUri) + '&' +
'response_type=code&scope=api offline_access&' +
'state=' + state + '&code_challenge=' + codeChallenge + '&' +
'code_challenge_method=S256&response_mode=query&' +
'domain_hint=' + encodeURIComponent(this.identifier);
this.platformUtilsService.launchUri(authorizeUrl, { sameWindow: true });
}
private async logIn(code: string, codeVerifier: string) {
this.loggingIn = true;
try {
this.formPromise = this.authService.logInSso(code, codeVerifier, this.redirectUri);
const response = await this.formPromise;
if (response.twoFactor) {
this.platformUtilsService.eventTrack('SSO Logged In To Two-step');
if (this.onSuccessfulLoginTwoFactorNavigate != null) {
this.onSuccessfulLoginTwoFactorNavigate();
} else {
this.router.navigate([this.twoFactorRoute], {
queryParams: {
resetMasterPassword: response.resetMasterPassword,
},
});
}
} else if (response.resetMasterPassword) {
this.platformUtilsService.eventTrack('SSO - routing to complete registration');
if (this.onSuccessfulLoginChangePasswordNavigate != null) {
this.onSuccessfulLoginChangePasswordNavigate();
} else {
this.router.navigate([this.changePasswordRoute]);
}
} else {
const disableFavicon = await this.storageService.get<boolean>(ConstantsService.disableFaviconKey);
await this.stateService.save(ConstantsService.disableFaviconKey, !!disableFavicon);
if (this.onSuccessfulLogin != null) {
this.onSuccessfulLogin();
}
this.platformUtilsService.eventTrack('SSO Logged In');
if (this.onSuccessfulLoginNavigate != null) {
this.onSuccessfulLoginNavigate();
} else {
this.router.navigate([this.successRoute]);
}
}
} catch { }
this.loggingIn = false;
}
}

View File

@ -37,6 +37,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
twoFactorEmail: string = null;
formPromise: Promise<any>;
emailPromise: Promise<any>;
resetMasterPassword: boolean = false;
onSuccessfulLogin: () => Promise<any>;
onSuccessfulLoginNavigate: () => Promise<any>;
@ -59,7 +60,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
}
if (this.authService.authingWithSso()) {
this.successRoute = 'lock';
this.successRoute = this.resetMasterPassword ? 'reset-master-password' : 'lock';
}
if (this.initU2f && this.win != null && this.u2fSupported) {

View File

@ -0,0 +1,4 @@
export class SetPasswordRequest {
newMasterPasswordHash: string;
key: string;
}

View File

@ -46,6 +46,7 @@ import { PreloginRequest } from '../models/request/preloginRequest';
import { RegisterRequest } from '../models/request/registerRequest';
import { SeatRequest } from '../models/request/seatRequest';
import { SelectionReadOnlyRequest } from '../models/request/selectionReadOnlyRequest';
import { SetPasswordRequest } from '../models/request/setPasswordRequest';
import { StorageRequest } from '../models/request/storageRequest';
import { TaxInfoUpdateRequest } from '../models/request/taxInfoUpdateRequest';
import { TokenRequest } from '../models/request/tokenRequest';
@ -254,6 +255,10 @@ export class ApiService implements ApiServiceAbstraction {
return this.send('POST', '/accounts/password', request, true, false);
}
setPassword(request: SetPasswordRequest): Promise<any> {
return this.send('POST', '/accounts/set-password', request, true, false);
}
postSecurityStamp(request: PasswordVerificationRequest): Promise<any> {
return this.send('POST', '/accounts/security-stamp', request, true, false);
}