Merge 04de618350 into d32365fbba

apps/cli/src/auth/commands/login.command.ts

@@ -13,6 +13,7 @@ import {
   SsoLoginCredentials,
   SsoUrlService,
   UserApiLoginCredentials,
+  UserDecryptionOptionsServiceAbstraction,
 } from "@bitwarden/auth/common";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
@@ -82,6 +83,7 @@ export class LoginCommand {
     protected ssoUrlService: SsoUrlService,
     protected i18nService: I18nService,
     protected masterPasswordService: MasterPasswordServiceAbstraction,
+    protected userDecryptionOptionsService: UserDecryptionOptionsServiceAbstraction,
     protected encryptedMigrator: EncryptedMigrator,
   ) {}
 
@@ -328,7 +330,11 @@ export class LoginCommand {
         return Response.error("Login failed.");
       }
 
-      if (response.resetMasterPassword) {
+      const userDecryptionOptions = await firstValueFrom(
+        this.userDecryptionOptionsService.userDecryptionOptionsById$(response.userId),
+      );
+
+      if (!userDecryptionOptions.hasMasterPassword) {
         return Response.error(
           "In order to log in with SSO from the CLI, you must first log in" +
             " through the web vault to set your master password.",

apps/cli/src/program.ts

@@ -195,6 +195,7 @@ export class Program extends BaseProgram {
             this.serviceContainer.ssoUrlService,
             this.serviceContainer.i18nService,
             this.serviceContainer.masterPasswordService,
+            this.serviceContainer.userDecryptionOptionsService,
             this.serviceContainer.encryptedMigrator,
           );
           const response = await command.run(email, password, options);

libs/auth/src/angular/sso/sso.component.ts

@@ -478,7 +478,7 @@ export class SsoComponent implements OnInit {
         !userDecryptionOpts.hasMasterPassword &&
         userDecryptionOpts.keyConnectorOption === undefined;
 
-      if (requireSetPassword || authResult.resetMasterPassword) {
+      if (requireSetPassword) {
         // Change implies going no password -> password in this case
         return await this.handleChangePasswordRequired(orgSsoIdentifier);
       }

libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts

@@ -487,7 +487,7 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
       !userDecryptionOpts.hasMasterPassword && userDecryptionOpts.keyConnectorOption === undefined;
 
     // New users without a master password must set a master password before advancing.
-    if (requireSetPassword || authResult.resetMasterPassword) {
+    if (requireSetPassword) {
       // Change implies going no password -> password in this case
       return await this.handleChangePasswordRequired(this.orgSsoIdentifier);
     }

libs/auth/src/common/login-strategies/login.strategy.spec.ts

@@ -101,7 +101,6 @@ export function identityTokenResponseFactory(
     KdfIterations: kdfIterations,
     Key: encryptedUserKey,
     PrivateKey: privateKey,
-    ResetMasterPassword: false,
     access_token: accessToken,
     expires_in: 3600,
     refresh_token: refreshToken,
@@ -301,7 +300,6 @@ describe("LoginStrategy", () => {
     it("builds AuthResult", async () => {
       const tokenResponse = identityTokenResponseFactory();
       tokenResponse.forcePasswordReset = true;
-      tokenResponse.resetMasterPassword = true;
 
       apiService.postIdentityToken.mockResolvedValue(tokenResponse);
 
@@ -310,7 +308,6 @@ describe("LoginStrategy", () => {
       const expected = new AuthResult();
       expected.masterPassword = "password";
       expected.userId = userId;
-      expected.resetMasterPassword = true;
       expected.twoFactorProviders = null;
       expect(result).toEqual(expected);
     });
@@ -326,7 +323,6 @@ describe("LoginStrategy", () => {
       const expected = new AuthResult();
       expected.masterPassword = "password";
       expected.userId = userId;
-      expected.resetMasterPassword = false;
       expected.twoFactorProviders = null;
       expect(result).toEqual(expected);
 

libs/auth/src/common/login-strategies/login.strategy.ts

@@ -249,8 +249,6 @@ export abstract class LoginStrategy {
     const userId = await this.saveAccountInformation(response);
     result.userId = userId;
 
-    result.resetMasterPassword = response.resetMasterPassword;
-
     if (response.twoFactorToken != null) {
       // note: we can read email from access token b/c it was saved in saveAccountInformation
       const userEmail = await this.tokenService.getEmail();

libs/auth/src/common/login-strategies/password-login.strategy.spec.ts

@@ -390,7 +390,6 @@ describe("PasswordLoginStrategy", () => {
         newDeviceOtp: deviceVerificationOtp,
       }),
     );
-    expect(result.resetMasterPassword).toBe(false);
     expect(result.userId).toBe(userId);
   });
 });

libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts

@@ -212,7 +212,6 @@ describe("WebAuthnLoginStrategy", () => {
 
     expect(authResult).toBeInstanceOf(AuthResult);
     expect(authResult).toMatchObject({
-      resetMasterPassword: false,
       twoFactorProviders: null,
       requiresTwoFactor: false,
     });

libs/auth/src/common/services/login-strategies/login-strategy.service.spec.ts

@@ -491,7 +491,6 @@ describe("LoginStrategyService", () => {
         KdfParallelism: 1,
         Key: "KEY",
         PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
         access_token: "ACCESS_TOKEN",
         expires_in: 3600,
         refresh_token: "REFRESH_TOKEN",
@@ -559,7 +558,6 @@ describe("LoginStrategyService", () => {
         KdfParallelism: 1,
         Key: "KEY",
         PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
         access_token: "ACCESS_TOKEN",
         expires_in: 3600,
         refresh_token: "REFRESH_TOKEN",
@@ -625,7 +623,6 @@ describe("LoginStrategyService", () => {
         KdfIterations: PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN - 1,
         Key: "KEY",
         PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
         access_token: "ACCESS_TOKEN",
         expires_in: 3600,
         refresh_token: "REFRESH_TOKEN",
@@ -689,7 +686,6 @@ describe("LoginStrategyService", () => {
         KdfParallelism: 1,
         Key: "KEY",
         PrivateKey: "PRIVATE_KEY",
-        ResetMasterPassword: false,
         access_token: "ACCESS_TOKEN",
         expires_in: 3600,
         refresh_token: "REFRESH_TOKEN",

libs/common/src/auth/models/domain/auth-result.ts

@@ -5,14 +5,6 @@ import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";
 
 export class AuthResult {
   userId: UserId;
-  // TODO: PM-3287 - Remove this after 3 releases of backwards compatibility. - Target release 2023.12 for removal
-  /**
-   * @deprecated
-   * Replace with using UserDecryptionOptions to determine if the user does
-   * not have a master password and is not using Key Connector.
-   * */
-  resetMasterPassword = false;
-
   twoFactorProviders: Partial<Record<TwoFactorProviderType, Record<string, string>>> = null;
   ssoEmail2FaSessionToken?: string;
   email: string;

libs/common/src/auth/models/response/identity-token.response.ts

@@ -18,7 +18,6 @@ export class IdentityTokenResponse extends BaseResponse {
   tokenType: string;
 
   // Decryption Information
-  resetMasterPassword: boolean;
   privateKey: string; // userKeyEncryptedPrivateKey
   key?: EncString; // masterKeyEncryptedUserKey
   twoFactorToken: string;
@@ -52,7 +51,6 @@ export class IdentityTokenResponse extends BaseResponse {
       this.refreshToken = refreshToken;
     }
 
-    this.resetMasterPassword = this.getResponseProperty("ResetMasterPassword");
     this.privateKey = this.getResponseProperty("PrivateKey");
     const key = this.getResponseProperty("Key");
     if (key) {