2022-02-01 00:51:32 +01:00
|
|
|
import { ApiService } from "../../abstractions/api.service";
|
2023-04-17 16:35:37 +02:00
|
|
|
import { PolicyService } from "../../admin-console/abstractions/policy/policy.service.abstraction";
|
|
|
|
import { MasterPasswordPolicyOptions } from "../../admin-console/models/domain/master-password-policy-options";
|
[AC-1266] Enums filename conventions (#5140)
* refactor: update clientType enum
* refactor: update deviceType filename
* refactor: update encryptedExportType filename
* refactor: update encryptionType filename
* refactor: update eventType filename
* refactor: update fieldType filename
* refactor: update fileUploadType filename
* refactor: update hashPurpose filename
* refactor: update htmlStorageLocation filename
* refactor: update kdfType filename
* refactor: update keySuffixOptions filename
* refactor: update linkedIdType filename
* refactor: update logLevelType filename
* refactor: update nativeMessagingVersion filename
* refactor: update notificationType filename
* refactor: update productType filename
* refactor: update secureNoteType filename
* refactor: update stateVersion filename
* refactor: update storageLocation filename
* refactor: update themeType filename
* refactor: update uriMatchType filename
* fix: update kdfType classes missed in initial pass, refs AC-1266
* fix: missing import update for device-type
* refactor: add barrel file for enums and update pathed import statements, refs AC-1266
* fix: incorrect import statements for web, refs AC-1266
* fix: missed import statement updates (browser), refs AC-1266
* fix: missed import statement changes (cli), refs AC-1266
* fix: missed import statement changes (desktop), refs AC-1266
* fix: prettier, refs AC-1266
* refactor: (libs) update relative paths to use barrel file, refs AC-1266
* fix: missed find/replace import statements for SecureNoteType, refs AC-1266
* refactor: apply .enum suffix to enums folder and modify leftover relative paths, refs AC-1266
* fix: find/replace errors for native-messaging-version, refs AC-1266
2023-04-05 05:42:21 +02:00
|
|
|
import { HashPurpose } from "../../enums";
|
2023-06-06 22:34:53 +02:00
|
|
|
import { AppIdService } from "../../platform/abstractions/app-id.service";
|
|
|
|
import { CryptoService } from "../../platform/abstractions/crypto.service";
|
|
|
|
import { LogService } from "../../platform/abstractions/log.service";
|
|
|
|
import { MessagingService } from "../../platform/abstractions/messaging.service";
|
|
|
|
import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
|
|
|
|
import { StateService } from "../../platform/abstractions/state.service";
|
|
|
|
import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
|
2023-04-17 16:35:37 +02:00
|
|
|
import { PasswordGenerationServiceAbstraction } from "../../tools/generator/password";
|
2023-02-06 22:53:37 +01:00
|
|
|
import { AuthService } from "../abstractions/auth.service";
|
|
|
|
import { TokenService } from "../abstractions/token.service";
|
|
|
|
import { TwoFactorService } from "../abstractions/two-factor.service";
|
|
|
|
import { AuthResult } from "../models/domain/auth-result";
|
2023-04-17 16:35:37 +02:00
|
|
|
import { ForceResetPasswordReason } from "../models/domain/force-reset-password-reason";
|
2023-02-06 22:53:37 +01:00
|
|
|
import { PasswordLogInCredentials } from "../models/domain/log-in-credentials";
|
|
|
|
import { PasswordTokenRequest } from "../models/request/identity-token/password-token.request";
|
|
|
|
import { TokenTwoFactorRequest } from "../models/request/identity-token/token-two-factor.request";
|
2023-04-17 16:35:37 +02:00
|
|
|
import { IdentityCaptchaResponse } from "../models/response/identity-captcha.response";
|
|
|
|
import { IdentityTokenResponse } from "../models/response/identity-token.response";
|
|
|
|
import { IdentityTwoFactorResponse } from "../models/response/identity-two-factor.response";
|
2022-02-01 00:51:32 +01:00
|
|
|
|
2023-02-06 22:53:37 +01:00
|
|
|
import { LogInStrategy } from "./login.strategy";
|
2022-02-01 00:51:32 +01:00
|
|
|
|
|
|
|
export class PasswordLogInStrategy extends LogInStrategy {
|
|
|
|
get email() {
|
|
|
|
return this.tokenRequest.email;
|
|
|
|
}
|
|
|
|
|
|
|
|
get masterPasswordHash() {
|
|
|
|
return this.tokenRequest.masterPasswordHash;
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenRequest: PasswordTokenRequest;
|
|
|
|
|
|
|
|
private localHashedPassword: string;
|
|
|
|
private key: SymmetricCryptoKey;
|
|
|
|
|
2023-04-17 16:35:37 +02:00
|
|
|
/**
|
|
|
|
* Options to track if the user needs to update their password due to a password that does not meet an organization's
|
|
|
|
* master password policy.
|
|
|
|
*/
|
|
|
|
private forcePasswordResetReason: ForceResetPasswordReason = ForceResetPasswordReason.None;
|
|
|
|
|
2022-02-01 00:51:32 +01:00
|
|
|
constructor(
|
|
|
|
cryptoService: CryptoService,
|
|
|
|
apiService: ApiService,
|
|
|
|
tokenService: TokenService,
|
|
|
|
appIdService: AppIdService,
|
|
|
|
platformUtilsService: PlatformUtilsService,
|
|
|
|
messagingService: MessagingService,
|
|
|
|
logService: LogService,
|
2023-04-17 16:35:37 +02:00
|
|
|
protected stateService: StateService,
|
2022-02-01 00:51:32 +01:00
|
|
|
twoFactorService: TwoFactorService,
|
2023-04-17 16:35:37 +02:00
|
|
|
private passwordGenerationService: PasswordGenerationServiceAbstraction,
|
|
|
|
private policyService: PolicyService,
|
2022-02-01 00:51:32 +01:00
|
|
|
private authService: AuthService
|
|
|
|
) {
|
|
|
|
super(
|
|
|
|
cryptoService,
|
|
|
|
apiService,
|
|
|
|
tokenService,
|
|
|
|
appIdService,
|
|
|
|
platformUtilsService,
|
|
|
|
messagingService,
|
|
|
|
logService,
|
|
|
|
stateService,
|
|
|
|
twoFactorService
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2022-12-28 15:12:11 +01:00
|
|
|
async setUserKey() {
|
2022-02-01 00:51:32 +01:00
|
|
|
await this.cryptoService.setKey(this.key);
|
|
|
|
await this.cryptoService.setKeyHash(this.localHashedPassword);
|
|
|
|
}
|
|
|
|
|
2022-03-03 02:47:57 +01:00
|
|
|
async logInTwoFactor(
|
2022-10-18 19:01:42 +02:00
|
|
|
twoFactor: TokenTwoFactorRequest,
|
2022-03-03 02:47:57 +01:00
|
|
|
captchaResponse: string
|
|
|
|
): Promise<AuthResult> {
|
|
|
|
this.tokenRequest.captchaResponse = captchaResponse ?? this.captchaBypassToken;
|
2023-04-17 16:35:37 +02:00
|
|
|
const result = await super.logInTwoFactor(twoFactor);
|
|
|
|
|
|
|
|
// 2FA was successful, save the force update password options with the state service if defined
|
|
|
|
if (
|
|
|
|
!result.requiresTwoFactor &&
|
|
|
|
!result.requiresCaptcha &&
|
|
|
|
this.forcePasswordResetReason != ForceResetPasswordReason.None
|
|
|
|
) {
|
|
|
|
await this.stateService.setForcePasswordResetReason(this.forcePasswordResetReason);
|
|
|
|
result.forcePasswordReset = this.forcePasswordResetReason;
|
|
|
|
}
|
|
|
|
|
|
|
|
return result;
|
2022-03-03 02:47:57 +01:00
|
|
|
}
|
|
|
|
|
2022-02-01 00:51:32 +01:00
|
|
|
async logIn(credentials: PasswordLogInCredentials) {
|
|
|
|
const { email, masterPassword, captchaToken, twoFactor } = credentials;
|
|
|
|
|
|
|
|
this.key = await this.authService.makePreloginKey(masterPassword, email);
|
|
|
|
|
|
|
|
// Hash the password early (before authentication) so we don't persist it in memory in plaintext
|
|
|
|
this.localHashedPassword = await this.cryptoService.hashPassword(
|
|
|
|
masterPassword,
|
|
|
|
this.key,
|
|
|
|
HashPurpose.LocalAuthorization
|
|
|
|
);
|
|
|
|
const hashedPassword = await this.cryptoService.hashPassword(masterPassword, this.key);
|
|
|
|
|
|
|
|
this.tokenRequest = new PasswordTokenRequest(
|
|
|
|
email,
|
|
|
|
hashedPassword,
|
|
|
|
captchaToken,
|
|
|
|
await this.buildTwoFactor(twoFactor),
|
|
|
|
await this.buildDeviceRequest()
|
|
|
|
);
|
|
|
|
|
2023-04-17 16:35:37 +02:00
|
|
|
const [authResult, identityResponse] = await this.startLogIn();
|
|
|
|
const masterPasswordPolicyOptions =
|
|
|
|
this.getMasterPasswordPolicyOptionsFromResponse(identityResponse);
|
|
|
|
|
|
|
|
// The identity result can contain master password policies for the user's organizations
|
|
|
|
if (masterPasswordPolicyOptions?.enforceOnLogin) {
|
|
|
|
// If there is a policy active, evaluate the supplied password before its no longer in memory
|
|
|
|
const meetsRequirements = this.evaluateMasterPassword(
|
|
|
|
credentials,
|
|
|
|
masterPasswordPolicyOptions
|
|
|
|
);
|
|
|
|
|
|
|
|
if (!meetsRequirements) {
|
|
|
|
if (authResult.requiresCaptcha || authResult.requiresTwoFactor) {
|
|
|
|
// Save the flag to this strategy for later use as the master password is about to pass out of scope
|
|
|
|
this.forcePasswordResetReason = ForceResetPasswordReason.WeakMasterPassword;
|
|
|
|
} else {
|
|
|
|
// Authentication was successful, save the force update password options with the state service
|
|
|
|
await this.stateService.setForcePasswordResetReason(
|
|
|
|
ForceResetPasswordReason.WeakMasterPassword
|
|
|
|
);
|
|
|
|
authResult.forcePasswordReset = ForceResetPasswordReason.WeakMasterPassword;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return authResult;
|
|
|
|
}
|
|
|
|
|
|
|
|
private getMasterPasswordPolicyOptionsFromResponse(
|
|
|
|
response: IdentityTokenResponse | IdentityTwoFactorResponse | IdentityCaptchaResponse
|
|
|
|
): MasterPasswordPolicyOptions {
|
|
|
|
if (response == null || response instanceof IdentityCaptchaResponse) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
return MasterPasswordPolicyOptions.fromResponse(response.masterPasswordPolicy);
|
|
|
|
}
|
|
|
|
|
|
|
|
private evaluateMasterPassword(
|
|
|
|
{ masterPassword, email }: PasswordLogInCredentials,
|
|
|
|
options: MasterPasswordPolicyOptions
|
|
|
|
): boolean {
|
|
|
|
const passwordStrength = this.passwordGenerationService.passwordStrength(
|
|
|
|
masterPassword,
|
|
|
|
email
|
|
|
|
)?.score;
|
|
|
|
|
|
|
|
return this.policyService.evaluateMasterPassword(passwordStrength, masterPassword, options);
|
2022-02-01 00:51:32 +01:00
|
|
|
}
|
|
|
|
}
|