bitwarden-browser/libs/common/src/auth/login-strategies/sso-login.strategy.ts

import { ApiService } from "../../abstractions/api.service";
import { AppIdService } from "../../platform/abstractions/app-id.service";
import { CryptoService } from "../../platform/abstractions/crypto.service";
import { LogService } from "../../platform/abstractions/log.service";
import { MessagingService } from "../../platform/abstractions/messaging.service";
import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
import { StateService } from "../../platform/abstractions/state.service";
import { KeyConnectorService } from "../abstractions/key-connector.service";
import { TokenService } from "../abstractions/token.service";
import { TwoFactorService } from "../abstractions/two-factor.service";
import { SsoLogInCredentials } from "../models/domain/log-in-credentials";
import { SsoTokenRequest } from "../models/request/identity-token/sso-token.request";
import { IdentityTokenResponse } from "../models/response/identity-token.response";

import { LogInStrategy } from "./login.strategy";

export class SsoLogInStrategy extends LogInStrategy {
  tokenRequest: SsoTokenRequest;
  orgId: string;

  // A session token server side to serve as an authentication factor for the user
  // in order to send email OTPs to the user's configured 2FA email address
  // as we don't have a master password hash or other verifiable secret when using SSO.
  ssoEmail2FaSessionToken?: string;
  email?: string; // email not preserved through SSO process so get from server

  constructor(
    cryptoService: CryptoService,
    apiService: ApiService,
    tokenService: TokenService,
    appIdService: AppIdService,
    platformUtilsService: PlatformUtilsService,
    messagingService: MessagingService,
    logService: LogService,
    stateService: StateService,
    twoFactorService: TwoFactorService,
    private keyConnectorService: KeyConnectorService
  ) {
    super(
      cryptoService,
      apiService,
      tokenService,
      appIdService,
      platformUtilsService,
      messagingService,
      logService,
      stateService,
      twoFactorService
    );
  }

  async setUserKey(tokenResponse: IdentityTokenResponse) {
    const newSsoUser = tokenResponse.key == null;

    if (tokenResponse.keyConnectorUrl != null) {
      if (!newSsoUser) {
        await this.keyConnectorService.getAndSetKey(tokenResponse.keyConnectorUrl);
      } else {
        await this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);
      }
    }
  }

  async logIn(credentials: SsoLogInCredentials) {
    this.orgId = credentials.orgId;
    this.tokenRequest = new SsoTokenRequest(
      credentials.code,
      credentials.codeVerifier,
      credentials.redirectUrl,
      await this.buildTwoFactor(credentials.twoFactor),
      await this.buildDeviceRequest()
    );

    const [ssoAuthResult] = await this.startLogIn();

    this.email = ssoAuthResult.email;
    this.ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;

    return ssoAuthResult;
  }
}
[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00			`import { ApiService } from "../../abstractions/api.service";`
Platform/pm 19/platform team file moves (#5460) * Rename service-factory folder * Move cryptographic service factories * Move crypto models * Move crypto services * Move domain base class * Platform code owners * Move desktop log services * Move log files * Establish component library ownership * Move background listeners * Move background background * Move localization to Platform * Move browser alarms to Platform * Move browser state to Platform * Move CLI state to Platform * Move Desktop native concerns to Platform * Move flag and misc to Platform * Lint fixes * Move electron state to platform * Move web state to Platform * Move lib state to Platform * Fix broken tests * Rename interface to idiomatic TS * `npm run prettier` :robot: * Resolve review feedback * Set platform as owners of web core and shared * Expand moved services * Fix test types --------- Co-authored-by: Hinton <hinton@users.noreply.github.com> 2023-06-06 22:34:53 +02:00			`import { AppIdService } from "../../platform/abstractions/app-id.service";`
			`import { CryptoService } from "../../platform/abstractions/crypto.service";`
			`import { LogService } from "../../platform/abstractions/log.service";`
			`import { MessagingService } from "../../platform/abstractions/messaging.service";`
			`import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";`
			`import { StateService } from "../../platform/abstractions/state.service";`
Auth/ps 2298 reorg auth (#4564) * Move auth service factories to Auth team * Move authentication componenets to Auth team * Move auth guard services to Auth team * Move Duo content script to Auth team * Move auth CLI commands to Auth team * Move Desktop Account components to Auth Team * Move Desktop guards to Auth team * Move two-factor provider images to Auth team * Move web Accounts components to Auth Team * Move web settings components to Auth Team * Move web two factor images to Auth Team * Fix missed import changes for Auth Team * Fix Linting errors * Fix missed CLI imports * Fix missed Desktop imports * Revert images move * Fix missed imports in Web * Move angular lib components to Auth Team * Move angular auth guards to Auth team * Move strategy specs to Auth team * Update .eslintignore for new paths * Move lib common abstractions to Auth team * Move services to Auth team * Move common lib enums to Auth team * Move webauthn iframe to Auth team * Move lib common domain models to Auth team * Move common lib requests to Auth team * Move response models to Auth team * Clean up whitelist * Move bit web components to Auth team * Move SSO and SCIM files to Auth team * Revert move SCIM to Auth team SCIM belongs to Admin Console team * Move captcha to Auth team * Move key connector to Auth team * Move emergency access to auth team * Delete extra file * linter fixes * Move kdf config to auth team * Fix whitelist * Fix duo autoformat * Complete two factor provider request move * Fix whitelist names * Fix login capitalization * Revert hint dependency reordering * Revert hint dependency reordering * Revert hint component This components is being picked up as a move between clients * Move web hint component to Auth team * Move new files to auth team * Fix desktop build * Fix browser build 2023-02-06 22:53:37 +01:00			`import { KeyConnectorService } from "../abstractions/key-connector.service";`
			`import { TokenService } from "../abstractions/token.service";`
			`import { TwoFactorService } from "../abstractions/two-factor.service";`
			`import { SsoLogInCredentials } from "../models/domain/log-in-credentials";`
			`import { SsoTokenRequest } from "../models/request/identity-token/sso-token.request";`
			`import { IdentityTokenResponse } from "../models/response/identity-token.response";`
[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00
Auth/ps 2298 reorg auth (#4564) * Move auth service factories to Auth team * Move authentication componenets to Auth team * Move auth guard services to Auth team * Move Duo content script to Auth team * Move auth CLI commands to Auth team * Move Desktop Account components to Auth Team * Move Desktop guards to Auth team * Move two-factor provider images to Auth team * Move web Accounts components to Auth Team * Move web settings components to Auth Team * Move web two factor images to Auth Team * Fix missed import changes for Auth Team * Fix Linting errors * Fix missed CLI imports * Fix missed Desktop imports * Revert images move * Fix missed imports in Web * Move angular lib components to Auth Team * Move angular auth guards to Auth team * Move strategy specs to Auth team * Update .eslintignore for new paths * Move lib common abstractions to Auth team * Move services to Auth team * Move common lib enums to Auth team * Move webauthn iframe to Auth team * Move lib common domain models to Auth team * Move common lib requests to Auth team * Move response models to Auth team * Clean up whitelist * Move bit web components to Auth team * Move SSO and SCIM files to Auth team * Revert move SCIM to Auth team SCIM belongs to Admin Console team * Move captcha to Auth team * Move key connector to Auth team * Move emergency access to auth team * Delete extra file * linter fixes * Move kdf config to auth team * Fix whitelist * Fix duo autoformat * Complete two factor provider request move * Fix whitelist names * Fix login capitalization * Revert hint dependency reordering * Revert hint dependency reordering * Revert hint component This components is being picked up as a move between clients * Move web hint component to Auth team * Move new files to auth team * Fix desktop build * Fix browser build 2023-02-06 22:53:37 +01:00			`import { LogInStrategy } from "./login.strategy";`
Add eslint (#610) 2022-02-22 15:39:11 +01:00
[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00			`export class SsoLogInStrategy extends LogInStrategy {`
			`tokenRequest: SsoTokenRequest;`
			`orgId: string;`

Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#5280) * PM-1196- First draft of solution for solving SSO login with email 2FA not working; this is a working solution but we need to leverage it to build a better solution with a different server generated token vs a OTP. * PM-1196 - Swap from OTP to SSO Email 2FA session token. Working now, but going to revisit whether or not email should come down from the server. Need to clean up the commented out items if we decide email stays encrypted in the session token. * PM-1196 - Email needs to come down from server after SSO in order to flow through to the 2FA comp and be sent to the server * PM-1196 - For email 2FA, if the email is no longer available due to the auth service 2 min expiration clearing the auth state, then we need to show a message explaining that (same message as when a OTP is submitted after expiration) vs actually sending the request without an email and getting a validation error from the server * PM-1196 - (1) Make optional properties optional (2) Update tests to pass (3) Add new test for Email 2FA having additional auth result information * PM-1196 - Remove unnecessary optional chaining operator b/c I go my wires crossed on how it works and the login strategy is not going to be null or undefined... 2023-05-04 20:57:11 +02:00			`// A session token server side to serve as an authentication factor for the user`
			`// in order to send email OTPs to the user's configured 2FA email address`
			`// as we don't have a master password hash or other verifiable secret when using SSO.`
			`ssoEmail2FaSessionToken?: string;`
			`email?: string; // email not preserved through SSO process so get from server`

[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00			`constructor(`
			`cryptoService: CryptoService,`
			`apiService: ApiService,`
			`tokenService: TokenService,`
			`appIdService: AppIdService,`
			`platformUtilsService: PlatformUtilsService,`
			`messagingService: MessagingService,`
			`logService: LogService,`
			`stateService: StateService,`
			`twoFactorService: TwoFactorService,`
			`private keyConnectorService: KeyConnectorService`
			`) {`
			`super(`
			`cryptoService,`
			`apiService,`
			`tokenService,`
			`appIdService,`
			`platformUtilsService,`
			`messagingService,`
			`logService,`
			`stateService,`
			`twoFactorService`
			`);`
			`}`

[EC-836] Trying to confirm 2018 user account to organization returns 404 (#4214) * Fix migration logic to create keypair for old account * Rename onSuccessfulLogin to reflect usage * Rewrite loginStrategy spec with jest-mock-ex * Rewrite tests with jest-mock-extended * Assert call order * Fix linting 2022-12-28 15:12:11 +01:00			`async setUserKey(tokenResponse: IdentityTokenResponse) {`
[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00			`const newSsoUser = tokenResponse.key == null;`

			`if (tokenResponse.keyConnectorUrl != null) {`
			`if (!newSsoUser) {`
			`await this.keyConnectorService.getAndSetKey(tokenResponse.keyConnectorUrl);`
			`} else {`
			`await this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);`
			`}`
			`}`
			`}`

			`async logIn(credentials: SsoLogInCredentials) {`
			`this.orgId = credentials.orgId;`
			`this.tokenRequest = new SsoTokenRequest(`
			`credentials.code,`
			`credentials.codeVerifier,`
			`credentials.redirectUrl,`
			`await this.buildTwoFactor(credentials.twoFactor),`
			`await this.buildDeviceRequest()`
			`);`

Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#5280) * PM-1196- First draft of solution for solving SSO login with email 2FA not working; this is a working solution but we need to leverage it to build a better solution with a different server generated token vs a OTP. * PM-1196 - Swap from OTP to SSO Email 2FA session token. Working now, but going to revisit whether or not email should come down from the server. Need to clean up the commented out items if we decide email stays encrypted in the session token. * PM-1196 - Email needs to come down from server after SSO in order to flow through to the 2FA comp and be sent to the server * PM-1196 - For email 2FA, if the email is no longer available due to the auth service 2 min expiration clearing the auth state, then we need to show a message explaining that (same message as when a OTP is submitted after expiration) vs actually sending the request without an email and getting a validation error from the server * PM-1196 - (1) Make optional properties optional (2) Update tests to pass (3) Add new test for Email 2FA having additional auth result information * PM-1196 - Remove unnecessary optional chaining operator b/c I go my wires crossed on how it works and the login strategy is not going to be null or undefined... 2023-05-04 20:57:11 +02:00			`const [ssoAuthResult] = await this.startLogIn();`

			`this.email = ssoAuthResult.email;`
			`this.ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;`

			`return ssoAuthResult;`
[Tech debt] Refactor authService and remove LogInHelper (#588) * Use different strategy classes for different types of login * General refactor and cleanup of auth logic * Create subclasses for different types of login credentials * Create subclasses for different types of tokenRequests * Create TwoFactorService, move code out of authService * refactor base CLI commands to use new interface 2022-02-01 00:51:32 +01:00			`}`
			`}`