mirror of
https://github.com/bitwarden/browser.git
synced 2024-11-21 11:35:34 +01:00
Observable auth statuses (#8537)
* Observable has token * Allow access to user key state observable * Create observable auth status * Fix DI
This commit is contained in:
parent
c3c895230f
commit
136226b6be
@ -24,6 +24,7 @@ import {
|
||||
} from "../../../platform/background/service-factories/state-service.factory";
|
||||
|
||||
import { AccountServiceInitOptions, accountServiceFactory } from "./account-service.factory";
|
||||
import { TokenServiceInitOptions, tokenServiceFactory } from "./token-service.factory";
|
||||
|
||||
type AuthServiceFactoryOptions = FactoryOptions;
|
||||
|
||||
@ -32,7 +33,8 @@ export type AuthServiceInitOptions = AuthServiceFactoryOptions &
|
||||
MessagingServiceInitOptions &
|
||||
CryptoServiceInitOptions &
|
||||
ApiServiceInitOptions &
|
||||
StateServiceInitOptions;
|
||||
StateServiceInitOptions &
|
||||
TokenServiceInitOptions;
|
||||
|
||||
export function authServiceFactory(
|
||||
cache: { authService?: AbstractAuthService } & CachedServices,
|
||||
@ -49,6 +51,7 @@ export function authServiceFactory(
|
||||
await cryptoServiceFactory(cache, opts),
|
||||
await apiServiceFactory(cache, opts),
|
||||
await stateServiceFactory(cache, opts),
|
||||
await tokenServiceFactory(cache, opts),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
@ -579,6 +579,7 @@ export default class MainBackground {
|
||||
this.cryptoService,
|
||||
this.apiService,
|
||||
this.stateService,
|
||||
this.tokenService,
|
||||
);
|
||||
|
||||
this.billingAccountProfileStateService = new DefaultBillingAccountProfileStateService(
|
||||
|
@ -503,6 +503,7 @@ export class Main {
|
||||
this.cryptoService,
|
||||
this.apiService,
|
||||
this.stateService,
|
||||
this.tokenService,
|
||||
);
|
||||
|
||||
this.configApiService = new ConfigApiService(this.apiService, this.tokenService);
|
||||
|
@ -349,6 +349,7 @@ const safeProviders: SafeProvider[] = [
|
||||
CryptoServiceAbstraction,
|
||||
ApiServiceAbstraction,
|
||||
StateServiceAbstraction,
|
||||
TokenService,
|
||||
],
|
||||
}),
|
||||
safeProvider({
|
||||
|
@ -1,10 +1,17 @@
|
||||
import { Observable } from "rxjs";
|
||||
|
||||
import { UserId } from "../../types/guid";
|
||||
import { AuthenticationStatus } from "../enums/authentication-status";
|
||||
|
||||
export abstract class AuthService {
|
||||
/** Authentication status for the active user */
|
||||
abstract activeAccountStatus$: Observable<AuthenticationStatus>;
|
||||
/**
|
||||
* Returns an observable authentication status for the given user id.
|
||||
* @note userId is a required parameter, null values will always return `AuthenticationStatus.LoggedOut`
|
||||
* @param userId The user id to check for an access token.
|
||||
*/
|
||||
abstract authStatusFor$(userId: UserId): Observable<AuthenticationStatus>;
|
||||
/** @deprecated use {@link activeAccountStatus$} instead */
|
||||
abstract getAuthStatus: (userId?: string) => Promise<AuthenticationStatus>;
|
||||
abstract logOut: (callback: () => void) => void;
|
||||
|
@ -1,8 +1,15 @@
|
||||
import { Observable } from "rxjs";
|
||||
|
||||
import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
|
||||
import { UserId } from "../../types/guid";
|
||||
import { DecodedAccessToken } from "../services/token.service";
|
||||
|
||||
export abstract class TokenService {
|
||||
/**
|
||||
* Returns an observable that emits a boolean indicating whether the user has an access token.
|
||||
* @param userId The user id to check for an access token.
|
||||
*/
|
||||
abstract hasAccessToken$(userId: UserId): Observable<boolean>;
|
||||
/**
|
||||
* Sets the access token, refresh token, API Key Client ID, and API Key Client Secret in memory or disk
|
||||
* based on the given vaultTimeoutAction and vaultTimeout and the derived access token user id.
|
||||
|
@ -1,13 +1,21 @@
|
||||
import { MockProxy, mock } from "jest-mock-extended";
|
||||
import { firstValueFrom } from "rxjs";
|
||||
import { firstValueFrom, of } from "rxjs";
|
||||
|
||||
import { FakeAccountService, mockAccountServiceWith } from "../../../spec";
|
||||
import {
|
||||
FakeAccountService,
|
||||
makeStaticByteArray,
|
||||
mockAccountServiceWith,
|
||||
trackEmissions,
|
||||
} from "../../../spec";
|
||||
import { ApiService } from "../../abstractions/api.service";
|
||||
import { CryptoService } from "../../platform/abstractions/crypto.service";
|
||||
import { MessagingService } from "../../platform/abstractions/messaging.service";
|
||||
import { StateService } from "../../platform/abstractions/state.service";
|
||||
import { Utils } from "../../platform/misc/utils";
|
||||
import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
|
||||
import { UserId } from "../../types/guid";
|
||||
import { UserKey } from "../../types/key";
|
||||
import { TokenService } from "../abstractions/token.service";
|
||||
import { AuthenticationStatus } from "../enums/authentication-status";
|
||||
|
||||
import { AuthService } from "./auth.service";
|
||||
@ -20,15 +28,18 @@ describe("AuthService", () => {
|
||||
let cryptoService: MockProxy<CryptoService>;
|
||||
let apiService: MockProxy<ApiService>;
|
||||
let stateService: MockProxy<StateService>;
|
||||
let tokenService: MockProxy<TokenService>;
|
||||
|
||||
const userId = Utils.newGuid() as UserId;
|
||||
const userKey = new SymmetricCryptoKey(makeStaticByteArray(32) as Uint8Array) as UserKey;
|
||||
|
||||
beforeEach(() => {
|
||||
accountService = mockAccountServiceWith(userId);
|
||||
messagingService = mock<MessagingService>();
|
||||
cryptoService = mock<CryptoService>();
|
||||
apiService = mock<ApiService>();
|
||||
stateService = mock<StateService>();
|
||||
messagingService = mock();
|
||||
cryptoService = mock();
|
||||
apiService = mock();
|
||||
stateService = mock();
|
||||
tokenService = mock();
|
||||
|
||||
sut = new AuthService(
|
||||
accountService,
|
||||
@ -36,26 +47,115 @@ describe("AuthService", () => {
|
||||
cryptoService,
|
||||
apiService,
|
||||
stateService,
|
||||
tokenService,
|
||||
);
|
||||
});
|
||||
|
||||
describe("activeAccountStatus$", () => {
|
||||
test.each([
|
||||
AuthenticationStatus.LoggedOut,
|
||||
AuthenticationStatus.Locked,
|
||||
AuthenticationStatus.Unlocked,
|
||||
])(
|
||||
`should emit %p when activeAccount$ emits an account with %p auth status`,
|
||||
async (status) => {
|
||||
accountService.activeAccountSubject.next({
|
||||
id: userId,
|
||||
email: "email",
|
||||
name: "name",
|
||||
status,
|
||||
});
|
||||
const accountInfo = {
|
||||
status: AuthenticationStatus.Unlocked,
|
||||
id: userId,
|
||||
email: "email",
|
||||
name: "name",
|
||||
};
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(status);
|
||||
},
|
||||
);
|
||||
beforeEach(() => {
|
||||
accountService.activeAccountSubject.next(accountInfo);
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(undefined));
|
||||
});
|
||||
|
||||
it("emits LoggedOut when there is no active account", async () => {
|
||||
accountService.activeAccountSubject.next(undefined);
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(
|
||||
AuthenticationStatus.LoggedOut,
|
||||
);
|
||||
});
|
||||
|
||||
it("emits LoggedOut when there is no access token", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(false));
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(
|
||||
AuthenticationStatus.LoggedOut,
|
||||
);
|
||||
});
|
||||
|
||||
it("emits LoggedOut when there is no access token but has a user key", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(false));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(userKey));
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(
|
||||
AuthenticationStatus.LoggedOut,
|
||||
);
|
||||
});
|
||||
|
||||
it("emits Locked when there is an access token and no user key", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(undefined));
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(AuthenticationStatus.Locked);
|
||||
});
|
||||
|
||||
it("emits Unlocked when there is an access token and user key", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(userKey));
|
||||
|
||||
expect(await firstValueFrom(sut.activeAccountStatus$)).toEqual(AuthenticationStatus.Unlocked);
|
||||
});
|
||||
|
||||
it("follows the current active user", async () => {
|
||||
const accountInfo2 = {
|
||||
status: AuthenticationStatus.Unlocked,
|
||||
id: Utils.newGuid() as UserId,
|
||||
email: "email2",
|
||||
name: "name2",
|
||||
};
|
||||
|
||||
const emissions = trackEmissions(sut.activeAccountStatus$);
|
||||
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(userKey));
|
||||
accountService.activeAccountSubject.next(accountInfo2);
|
||||
|
||||
expect(emissions).toEqual([AuthenticationStatus.Locked, AuthenticationStatus.Unlocked]);
|
||||
});
|
||||
});
|
||||
|
||||
describe("authStatusFor$", () => {
|
||||
beforeEach(() => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(undefined));
|
||||
});
|
||||
|
||||
it("emits LoggedOut when userId is null", async () => {
|
||||
expect(await firstValueFrom(sut.authStatusFor$(null))).toEqual(
|
||||
AuthenticationStatus.LoggedOut,
|
||||
);
|
||||
});
|
||||
|
||||
it("emits LoggedOut when there is no access token", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(false));
|
||||
|
||||
expect(await firstValueFrom(sut.authStatusFor$(userId))).toEqual(
|
||||
AuthenticationStatus.LoggedOut,
|
||||
);
|
||||
});
|
||||
|
||||
it("emits Locked when there is an access token and no user key", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(undefined));
|
||||
|
||||
expect(await firstValueFrom(sut.authStatusFor$(userId))).toEqual(AuthenticationStatus.Locked);
|
||||
});
|
||||
|
||||
it("emits Unlocked when there is an access token and user key", async () => {
|
||||
tokenService.hasAccessToken$.mockReturnValue(of(true));
|
||||
cryptoService.getInMemoryUserKeyFor$.mockReturnValue(of(userKey));
|
||||
|
||||
expect(await firstValueFrom(sut.authStatusFor$(userId))).toEqual(
|
||||
AuthenticationStatus.Unlocked,
|
||||
);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
@ -1,12 +1,22 @@
|
||||
import { Observable, distinctUntilChanged, map, shareReplay } from "rxjs";
|
||||
import {
|
||||
Observable,
|
||||
combineLatest,
|
||||
distinctUntilChanged,
|
||||
map,
|
||||
of,
|
||||
shareReplay,
|
||||
switchMap,
|
||||
} from "rxjs";
|
||||
|
||||
import { ApiService } from "../../abstractions/api.service";
|
||||
import { CryptoService } from "../../platform/abstractions/crypto.service";
|
||||
import { MessagingService } from "../../platform/abstractions/messaging.service";
|
||||
import { StateService } from "../../platform/abstractions/state.service";
|
||||
import { KeySuffixOptions } from "../../platform/enums";
|
||||
import { UserId } from "../../types/guid";
|
||||
import { AccountService } from "../abstractions/account.service";
|
||||
import { AuthService as AuthServiceAbstraction } from "../abstractions/auth.service";
|
||||
import { TokenService } from "../abstractions/token.service";
|
||||
import { AuthenticationStatus } from "../enums/authentication-status";
|
||||
|
||||
export class AuthService implements AuthServiceAbstraction {
|
||||
@ -18,9 +28,36 @@ export class AuthService implements AuthServiceAbstraction {
|
||||
protected cryptoService: CryptoService,
|
||||
protected apiService: ApiService,
|
||||
protected stateService: StateService,
|
||||
private tokenService: TokenService,
|
||||
) {
|
||||
this.activeAccountStatus$ = this.accountService.activeAccount$.pipe(
|
||||
map((account) => account.status),
|
||||
map((account) => account?.id),
|
||||
switchMap((userId) => {
|
||||
return this.authStatusFor$(userId);
|
||||
}),
|
||||
);
|
||||
}
|
||||
|
||||
authStatusFor$(userId: UserId): Observable<AuthenticationStatus> {
|
||||
if (userId == null) {
|
||||
return of(AuthenticationStatus.LoggedOut);
|
||||
}
|
||||
|
||||
return combineLatest([
|
||||
this.cryptoService.getInMemoryUserKeyFor$(userId),
|
||||
this.tokenService.hasAccessToken$(userId),
|
||||
]).pipe(
|
||||
map(([userKey, hasAccessToken]) => {
|
||||
if (!hasAccessToken) {
|
||||
return AuthenticationStatus.LoggedOut;
|
||||
}
|
||||
|
||||
if (!userKey) {
|
||||
return AuthenticationStatus.Locked;
|
||||
}
|
||||
|
||||
return AuthenticationStatus.Unlocked;
|
||||
}),
|
||||
distinctUntilChanged(),
|
||||
shareReplay({ bufferSize: 1, refCount: false }),
|
||||
);
|
||||
|
@ -1,4 +1,5 @@
|
||||
import { MockProxy, mock } from "jest-mock-extended";
|
||||
import { firstValueFrom } from "rxjs";
|
||||
|
||||
import { FakeSingleUserStateProvider, FakeGlobalStateProvider } from "../../../spec";
|
||||
import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
|
||||
@ -104,6 +105,61 @@ describe("TokenService", () => {
|
||||
const accessTokenKeyPartialSecureStorageKey = `_accessTokenKey`;
|
||||
const accessTokenKeySecureStorageKey = `${userIdFromAccessToken}${accessTokenKeyPartialSecureStorageKey}`;
|
||||
|
||||
describe("hasAccessToken$", () => {
|
||||
it("returns true when an access token exists in memory", async () => {
|
||||
// Arrange
|
||||
singleUserStateProvider
|
||||
.getFake(userIdFromAccessToken, ACCESS_TOKEN_MEMORY)
|
||||
.stateSubject.next([userIdFromAccessToken, accessTokenJwt]);
|
||||
|
||||
// Act
|
||||
const result = await firstValueFrom(tokenService.hasAccessToken$(userIdFromAccessToken));
|
||||
|
||||
// Assert
|
||||
expect(result).toEqual(true);
|
||||
});
|
||||
|
||||
it("returns true when an access token exists in disk", async () => {
|
||||
// Arrange
|
||||
singleUserStateProvider
|
||||
.getFake(userIdFromAccessToken, ACCESS_TOKEN_MEMORY)
|
||||
.stateSubject.next([userIdFromAccessToken, undefined]);
|
||||
|
||||
singleUserStateProvider
|
||||
.getFake(userIdFromAccessToken, ACCESS_TOKEN_DISK)
|
||||
.stateSubject.next([userIdFromAccessToken, accessTokenJwt]);
|
||||
|
||||
// Act
|
||||
const result = await firstValueFrom(tokenService.hasAccessToken$(userIdFromAccessToken));
|
||||
|
||||
// Assert
|
||||
expect(result).toEqual(true);
|
||||
});
|
||||
|
||||
it("returns true when an access token exists in secure storage", async () => {
|
||||
// Arrange
|
||||
singleUserStateProvider
|
||||
.getFake(userIdFromAccessToken, ACCESS_TOKEN_DISK)
|
||||
.stateSubject.next([userIdFromAccessToken, "encryptedAccessToken"]);
|
||||
|
||||
secureStorageService.get.mockResolvedValue(accessTokenKeyB64);
|
||||
|
||||
// Act
|
||||
const result = await firstValueFrom(tokenService.hasAccessToken$(userIdFromAccessToken));
|
||||
|
||||
// Assert
|
||||
expect(result).toEqual(true);
|
||||
});
|
||||
|
||||
it("should return false if no access token exists in memory, disk, or secure storage", async () => {
|
||||
// Act
|
||||
const result = await firstValueFrom(tokenService.hasAccessToken$(userIdFromAccessToken));
|
||||
|
||||
// Assert
|
||||
expect(result).toEqual(false);
|
||||
});
|
||||
});
|
||||
|
||||
describe("setAccessToken", () => {
|
||||
it("should throw an error if the access token is null", async () => {
|
||||
// Act
|
||||
|
@ -1,4 +1,4 @@
|
||||
import { firstValueFrom } from "rxjs";
|
||||
import { Observable, combineLatest, firstValueFrom, map } from "rxjs";
|
||||
import { Opaque } from "type-fest";
|
||||
|
||||
import { decodeJwtTokenToJson } from "@bitwarden/auth/common";
|
||||
@ -135,6 +135,15 @@ export class TokenService implements TokenServiceAbstraction {
|
||||
this.initializeState();
|
||||
}
|
||||
|
||||
hasAccessToken$(userId: UserId): Observable<boolean> {
|
||||
// FIXME Once once vault timeout action is observable, we can use it to determine storage location
|
||||
// and avoid the need to check both disk and memory.
|
||||
return combineLatest([
|
||||
this.singleUserStateProvider.get(userId, ACCESS_TOKEN_DISK).state$,
|
||||
this.singleUserStateProvider.get(userId, ACCESS_TOKEN_MEMORY).state$,
|
||||
]).pipe(map(([disk, memory]) => Boolean(disk || memory)));
|
||||
}
|
||||
|
||||
// pivoting to an approach where we create a symmetric key we store in secure storage
|
||||
// which is used to protect the data before persisting to disk.
|
||||
// We will also use the same symmetric key to decrypt the data when reading from disk.
|
||||
|
@ -13,6 +13,14 @@ import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
|
||||
|
||||
export abstract class CryptoService {
|
||||
abstract activeUserKey$: Observable<UserKey>;
|
||||
|
||||
/**
|
||||
* Returns the an observable key for the given user id.
|
||||
*
|
||||
* @note this observable represents only user keys stored in memory. A null value does not indicate that we cannot load a user key from storage.
|
||||
* @param userId The desired user
|
||||
*/
|
||||
abstract getInMemoryUserKeyFor$(userId: UserId): Observable<UserKey>;
|
||||
/**
|
||||
* Sets the provided user key and stores
|
||||
* any other necessary versions (such as auto, biometrics,
|
||||
|
@ -160,6 +160,10 @@ export class CryptoService implements CryptoServiceAbstraction {
|
||||
await this.setUserKey(key);
|
||||
}
|
||||
|
||||
getInMemoryUserKeyFor$(userId: UserId): Observable<UserKey> {
|
||||
return this.stateProvider.getUserState$(USER_KEY, userId);
|
||||
}
|
||||
|
||||
async getUserKey(userId?: UserId): Promise<UserKey> {
|
||||
let userKey = await firstValueFrom(this.stateProvider.getUserState$(USER_KEY, userId));
|
||||
if (userKey) {
|
||||
|
Loading…
Reference in New Issue
Block a user