[EC-598] feat: inform user when no credentials are found

apps/browser/src/fido2/popup/fido2/fido2.component.html

@@ -46,6 +46,14 @@
         </div>
       </div>
     </ng-container>
+    <ng-container *ngIf="data.type == 'InformCredentialNotFoundRequest'">
+      You do not have a matching login for this site.
+      <div class="box list">
+        <div class="box-content">
+          <app-cipher-row *ngFor="let cipher of ciphers" [cipher]="cipher"></app-cipher-row>
+        </div>
+      </div>
+    </ng-container>
     <button type="button" class="btn btn-outline-secondary" (click)="abort(true)">
       Use browser built-in
     </button>

apps/browser/src/services/fido2/browser-fido2-user-interface.service.ts

@@ -10,13 +10,13 @@ import {
   takeUntil,
 } from "rxjs";
 
-import { Utils } from "@bitwarden/common/misc/utils";
 import { UserRequestedFallbackAbortReason } from "@bitwarden/common/fido2/abstractions/fido2-client.service.abstraction";
 import {
   Fido2UserInterfaceService as Fido2UserInterfaceServiceAbstraction,
   Fido2UserInterfaceSession,
   NewCredentialParams,
 } from "@bitwarden/common/fido2/abstractions/fido2-user-interface.service.abstraction";
+import { Utils } from "@bitwarden/common/misc/utils";
 
 import { BrowserApi } from "../../browser/browserApi";
 import { PopupUtilsService } from "../../popup/services/popup-utils.service";
@@ -79,6 +79,9 @@ export type BrowserFido2Message = { sessionId: string } & (
       type: "InformExcludedCredentialRequest";
       existingCipherIds: string[];
     }
+  | {
+      type: "InformCredentialNotFoundRequest";
+    }
   | {
       type: "AbortRequest";
     }
@@ -240,6 +243,16 @@ export class BrowserFido2UserInterfaceSession implements Fido2UserInterfaceSessi
     await this.receive("AbortResponse");
   }
 
+  async informCredentialNotFound(): Promise<void> {
+    const data: BrowserFido2Message = {
+      type: "InformCredentialNotFoundRequest",
+      sessionId: this.sessionId,
+    };
+
+    await this.send(data);
+    await this.receive("AbortResponse");
+  }
+
   async close() {
     await this.send({ type: "CloseRequest", sessionId: this.sessionId });
     this.closed = true;

libs/common/src/fido2/abstractions/fido2-user-interface.service.abstraction.ts

@@ -25,5 +25,6 @@ export abstract class Fido2UserInterfaceSession {
     existingCipherIds: string[],
     abortController?: AbortController
   ) => Promise<void>;
+  informCredentialNotFound: (abortController?: AbortController) => Promise<void>;
   close: () => void;
 }

libs/common/src/fido2/services/fido2-authenticator.service.spec.ts

@@ -218,7 +218,7 @@ describe("FidoAuthenticatorService", () => {
       });
 
       /** Devation: Organization ciphers are not checked against excluded credentials, even if the user has access to them. */
-      it.only("should not inform user of duplication when the excluded credential belongs to an organization", async () => {
+      it("should not inform user of duplication when the excluded credential belongs to an organization", async () => {
         userInterfaceSession.informExcludedCredential.mockResolvedValue();
         excludedCipherView.organizationId = "someOrganizationId";
 
@@ -597,24 +597,35 @@ describe("FidoAuthenticatorService", () => {
         });
       });
 
-      /** Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation. */
-      it("should throw error if no credential exists", async () => {
+      /**
+       * Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
+       * Deviation: We do not throw error but instead inform the user and allow the user to fallback to browser implementation.
+       **/
+      it("should inform user if no credential exists", async () => {
         cipherService.getAllDecrypted.mockResolvedValue([]);
+        userInterfaceSession.informCredentialNotFound.mockResolvedValue();
 
-        const result = async () => await authenticator.getAssertion(params);
+        try {
+          await authenticator.getAssertion(params);
+          // eslint-disable-next-line no-empty
+        } catch {}
 
-        await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
+        expect(userInterfaceSession.informCredentialNotFound).toHaveBeenCalled();
       });
 
-      it("should throw error if credential exists but rpId does not match", async () => {
+      it("should inform user if credential exists but rpId does not match", async () => {
         const cipher = await createCipherView({ type: CipherType.Login });
         cipher.login.fido2Key.nonDiscoverableId = credentialId;
         cipher.login.fido2Key.rpId = "mismatch-rpid";
         cipherService.getAllDecrypted.mockResolvedValue([cipher]);
+        userInterfaceSession.informCredentialNotFound.mockResolvedValue();
 
-        const result = async () => await authenticator.getAssertion(params);
+        try {
+          await authenticator.getAssertion(params);
+          // eslint-disable-next-line no-empty
+        } catch {}
 
-        await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
+        expect(userInterfaceSession.informCredentialNotFound).toHaveBeenCalled();
       });
     });
 

libs/common/src/fido2/services/fido2-authenticator.service.ts

@@ -191,6 +191,7 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
       }
 
       if (cipherOptions.length === 0) {
+        await userInterfaceSession.informCredentialNotFound();
         throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
       }