Auth/PM-5263 - TokenService State provider migration bug fix to avoid persisting tokens in local storage (#8413)

* PM-5263 - Update token svc state provider migration to avoid persisting secrets that shouldn't exist in local storage to state provider local storage using new migration helper type. * PM-5263 - TokenSvc migration - tests TODO * write tests for migration * fix tests --------- Co-authored-by: Jake Fink <jfink@bitwarden.com>
2024-12-22 16:29:09 +01:00 · 2024-03-25 16:26:27 -04:00 · 2024-03-25 16:26:27 -04:00 · 899172722a
commit 899172722a
parent 0957b54d03
2 changed files with 109 additions and 55 deletions
--- a/libs/common/src/state-migrations/migrations/38-migrate-token-svc-to-state-provider.spec.ts
+++ b/libs/common/src/state-migrations/migrations/38-migrate-token-svc-to-state-provider.spec.ts
@ -124,6 +124,7 @@ describe("TokenServiceStateProviderMigrator", () => {
      sut = new TokenServiceStateProviderMigrator(37, 38);
    });

+    describe("Session storage", () => {
      it("should remove state service data from all accounts that have it", async () => {
        await sut.migrate(helper);

@ -175,14 +176,55 @@ describe("TokenServiceStateProviderMigrator", () => {
        expect(helper.setToUser).not.toHaveBeenCalledWith("user2", ACCESS_TOKEN_DISK, any());
        expect(helper.setToUser).not.toHaveBeenCalledWith("user2", REFRESH_TOKEN_DISK, any());
        expect(helper.setToUser).not.toHaveBeenCalledWith("user2", API_KEY_CLIENT_ID_DISK, any());
-      expect(helper.setToUser).not.toHaveBeenCalledWith("user2", API_KEY_CLIENT_SECRET_DISK, any());
+        expect(helper.setToUser).not.toHaveBeenCalledWith(
+          "user2",
+          API_KEY_CLIENT_SECRET_DISK,
+          any(),
+        );

        // Expect that we didn't migrate anything to user 3

        expect(helper.setToUser).not.toHaveBeenCalledWith("user3", ACCESS_TOKEN_DISK, any());
        expect(helper.setToUser).not.toHaveBeenCalledWith("user3", REFRESH_TOKEN_DISK, any());
        expect(helper.setToUser).not.toHaveBeenCalledWith("user3", API_KEY_CLIENT_ID_DISK, any());
-      expect(helper.setToUser).not.toHaveBeenCalledWith("user3", API_KEY_CLIENT_SECRET_DISK, any());
+        expect(helper.setToUser).not.toHaveBeenCalledWith(
+          "user3",
+          API_KEY_CLIENT_SECRET_DISK,
+          any(),
+        );
+      });
+    });
+    describe("Local storage", () => {
+      beforeEach(() => {
+        helper = mockMigrationHelper(preMigrationJson(), 37, "web-disk-local");
+      });
+      it("should remove state service data from all accounts that have it", async () => {
+        await sut.migrate(helper);
+
+        expect(helper.set).toHaveBeenCalledWith("user1", {
+          tokens: {
+            otherStuff: "overStuff2",
+          },
+          profile: {
+            email: "user1Email",
+            otherStuff: "overStuff3",
+          },
+          keys: {
+            otherStuff: "overStuff4",
+          },
+          otherStuff: "otherStuff5",
+        });
+
+        expect(helper.set).toHaveBeenCalledTimes(2);
+        expect(helper.set).not.toHaveBeenCalledWith("user2", any());
+        expect(helper.set).not.toHaveBeenCalledWith("user3", any());
+      });
+
+      it("should not migrate any data to local storage", async () => {
+        await sut.migrate(helper);
+
+        expect(helper.setToUser).not.toHaveBeenCalled();
+      });
    });
  });

--- a/libs/common/src/state-migrations/migrations/38-migrate-token-svc-to-state-provider.ts
+++ b/libs/common/src/state-migrations/migrations/38-migrate-token-svc-to-state-provider.ts
@ -84,7 +84,10 @@ export class TokenServiceStateProviderMigrator extends Migrator<37, 38> {

      if (existingAccessToken != null) {
        // Only migrate data that exists
+        if (helper.type !== "web-disk-local") {
+          // only migrate access token to session storage - never local.
          await helper.setToUser(userId, ACCESS_TOKEN_DISK, existingAccessToken);
+        }
        delete account.tokens.accessToken;
        updatedAccount = true;
      }
@ -93,7 +96,10 @@ export class TokenServiceStateProviderMigrator extends Migrator<37, 38> {
      const existingRefreshToken = account?.tokens?.refreshToken;

      if (existingRefreshToken != null) {
+        if (helper.type !== "web-disk-local") {
+          // only migrate refresh token to session storage - never local.
          await helper.setToUser(userId, REFRESH_TOKEN_DISK, existingRefreshToken);
+        }
        delete account.tokens.refreshToken;
        updatedAccount = true;
      }
@ -102,7 +108,10 @@ export class TokenServiceStateProviderMigrator extends Migrator<37, 38> {
      const existingApiKeyClientId = account?.profile?.apiKeyClientId;

      if (existingApiKeyClientId != null) {
+        if (helper.type !== "web-disk-local") {
+          // only migrate client id to session storage - never local.
          await helper.setToUser(userId, API_KEY_CLIENT_ID_DISK, existingApiKeyClientId);
+        }
        delete account.profile.apiKeyClientId;
        updatedAccount = true;
      }
@ -110,7 +119,10 @@ export class TokenServiceStateProviderMigrator extends Migrator<37, 38> {
      // Migrate API key client secret
      const existingApiKeyClientSecret = account?.keys?.apiKeyClientSecret;
      if (existingApiKeyClientSecret != null) {
+        if (helper.type !== "web-disk-local") {
+          // only migrate client secret to session storage - never local.
          await helper.setToUser(userId, API_KEY_CLIENT_SECRET_DISK, existingApiKeyClientSecret);
+        }
        delete account.keys.apiKeyClientSecret;
        updatedAccount = true;
      }