Merge branch 'master' into tde-key-model-migration

.github/workflows/brew-bump-cli.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "brew-bump-workflow-pat"

.github/workflows/brew-bump-desktop.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "brew-bump-workflow-pat"

.github/workflows/build-browser.yml

@@ -354,7 +354,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
@@ -416,7 +416,7 @@ jobs:
       - name: Retrieve secrets
         id: retrieve-secrets
         if: failure()
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "devops-alerts-slack-webhook-url"

.github/workflows/build-cli.yml

@@ -404,7 +404,7 @@ jobs:
       - name: Retrieve secrets
         id: retrieve-secrets
         if: failure()
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "devops-alerts-slack-webhook-url"

.github/workflows/build-desktop.yml

@@ -277,7 +277,7 @@ jobs:
           node-gyp install $(node -v)
 
       - name: Install AST
-        uses: bitwarden/gh-actions/install-ast@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/install-ast@37ffa14164a7308bc273829edfe75c97cd562375
 
       - name: Set up environmentF
         run: choco install checksum --no-progress
@@ -302,7 +302,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "code-signing-vault-url,
@@ -1190,7 +1190,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
@@ -1269,7 +1269,7 @@ jobs:
       - name: Retrieve secrets
         id: retrieve-secrets
         if: failure()
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "devops-alerts-slack-webhook-url"

.github/workflows/build-web.yml

@@ -235,7 +235,7 @@ jobs:
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@@ -243,7 +243,7 @@ jobs:
       - name: Setup DCT
         if: ${{ env.is_publish_branch == 'true' }}
         id: setup-dct
-        uses: bitwarden/gh-actions/setup-docker-trust@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/setup-docker-trust@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
           azure-keyvault-name: "bitwarden-ci"
@@ -291,7 +291,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
@@ -352,7 +352,7 @@ jobs:
       - name: Retrieve secrets
         id: retrieve-secrets
         if: failure()
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "devops-alerts-slack-webhook-url"

.github/workflows/crowdin-pull.yml

@@ -32,13 +32,13 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Download translations
-        uses: bitwarden/gh-actions/crowdin@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/crowdin@37ffa14164a7308bc273829edfe75c97cd562375
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/deploy-eu-prod-web.yml

@@ -0,0 +1,53 @@
+---
+name: Deploy Web to EU-PRD Cloud
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Branch name to deploy (examples: 'master', 'feature/sm')"
+        required: true
+        type: string
+        default: master
+
+jobs:
+  azure-deploy:
+    name: Deploy to Azure
+    runs-on: ubuntu-22.04
+    env:
+      _WEB_ARTIFACT: "web-*-cloud-euprd.zip"
+    steps:
+      - name: Login to Azure - EU Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
+        with:
+          creds: ${{ secrets.AZURE_KV_EU_PRD_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve Storage Account connection string
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
+        with:
+          keyvault: webvault-westeurope-prod
+          secrets: "sa-bitwarden-web-vault-dev-key-temp"
+
+      - name: Download latest cloud asset
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
+        with:
+          workflow: build-web.yml
+          path: apps/web
+          workflow_conclusion: success
+          branch: ${{ github.event.inputs.tag }}
+          artifacts: ${{ env._WEB_ARTIFACT }}
+
+      - name: Unzip build asset
+        working-directory: apps/web
+        run: unzip ${{ env._WEB_ARTIFACT }}
+
+      - name: Deploy to Azure Storage Account
+        working-directory: apps/web
+        run: |
+          az storage blob upload-batch --source "./build" \
+            --destination '$web' \
+            --account-name "bwwebvault1itgprod" \
+            --connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}" \
+            --overwrite \
+            --no-progress

.github/workflows/deploy-non-prod-web.yml

@@ -64,7 +64,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Download latest cloud asset
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: apps/web

.github/workflows/deploy-prod-web.yml

@@ -1,13 +0,0 @@
----
-name: Deploy Web - EU Prod - STUB
-
-on:
-  workflow_dispatch:
-
-jobs:
-  stub-job:
-    name: Stub Job
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Stub Step
-        run: exit 0

.github/workflows/release-browser.yml

@@ -41,7 +41,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/release-version-check@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: ts
@@ -103,7 +103,7 @@ jobs:
 
       - name: Download latest Release build artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-browser.yml
           workflow_conclusion: success
@@ -116,7 +116,7 @@ jobs:
 
       - name: Dry Run - Download latest master build artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-browser.yml
           workflow_conclusion: success

.github/workflows/release-cli.yml

@@ -57,7 +57,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/release-version-check@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: ts
@@ -78,7 +78,7 @@ jobs:
 
       - name: Download all Release artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli
@@ -87,7 +87,7 @@ jobs:
 
       - name: Dry Run - Download all artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli
@@ -150,7 +150,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "snapcraft-store-token"
@@ -162,7 +162,7 @@ jobs:
 
       - name: Download artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli
@@ -172,7 +172,7 @@ jobs:
 
       - name: Dry Run - Download artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli
@@ -204,7 +204,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "cli-choco-api-key"
@@ -220,7 +220,7 @@ jobs:
 
       - name: Download artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli/dist
@@ -230,7 +230,7 @@ jobs:
 
       - name: Dry Run - Download artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli/dist
@@ -263,14 +263,14 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "npm-api-key"
 
       - name: Download artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli/build
@@ -280,7 +280,7 @@ jobs:
 
       - name: Dry Run - Download artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-cli.yml
           path: apps/cli/build

.github/workflows/release-desktop-beta.yml

@@ -47,7 +47,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/release-version-check@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           release-type: 'Initial Release'
           project-type: ts
@@ -231,7 +231,7 @@ jobs:
           node-gyp install $(node -v)
 
       - name: Install AST
-        uses: bitwarden/gh-actions/install-ast@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/install-ast@37ffa14164a7308bc273829edfe75c97cd562375
 
       - name: Set up environment
         run: choco install checksum --no-progress
@@ -249,7 +249,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "code-signing-vault-url,
@@ -932,7 +932,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "aws-electron-access-id,

.github/workflows/release-desktop.yml

@@ -67,7 +67,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/release-version-check@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: ts
@@ -110,7 +110,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "aws-electron-access-id,
@@ -123,7 +123,7 @@ jobs:
 
       - name: Download all artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -132,7 +132,7 @@ jobs:
 
       - name: Dry Run - Download all artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -185,7 +185,7 @@ jobs:
           --endpoint-url https://${CF_ACCOUNT}.r2.cloudflarestorage.com
 
       - name: Get checksum files
-        uses: bitwarden/gh-actions/get-checksum@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-checksum@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           packages_dir: "apps/desktop/artifacts"
           file_path: "apps/desktop/artifacts/sha256-checksums.txt"
@@ -263,7 +263,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "snapcraft-store-token"
@@ -279,7 +279,7 @@ jobs:
 
       - name: Download Snap artifact
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -289,7 +289,7 @@ jobs:
 
       - name: Dry Run - Download Snap artifact
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -329,7 +329,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "cli-choco-api-key"
@@ -347,7 +347,7 @@ jobs:
 
       - name: Download choco artifact
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -357,7 +357,7 @@ jobs:
 
       - name: Dry Run - Download choco artifact
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-desktop.yml
           workflow_conclusion: success
@@ -368,5 +368,5 @@ jobs:
       - name: Push to Chocolatey
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         shell: pwsh
-        run: choco push
+        run: choco push --source=https://push.chocolatey.org/
         working-directory: apps/desktop/dist

.github/workflows/release-qa-web.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Download latest cloud asset
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: apps/web

.github/workflows/release-web.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/release-version-check@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: ts
@@ -70,7 +70,7 @@ jobs:
       ########## DockerHub ##########
       - name: Setup DCT
         id: setup-dct
-        uses: bitwarden/gh-actions/setup-docker-trust@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/setup-docker-trust@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
           azure-keyvault-name: "bitwarden-ci"
@@ -156,7 +156,7 @@ jobs:
 
       - name: Retrieve bot secrets
         id: retrieve-bot-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: bitwarden-ci
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@@ -170,7 +170,7 @@ jobs:
 
       - name: Download latest cloud asset
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: assets
@@ -180,7 +180,7 @@ jobs:
 
       - name: Dry Run - Download latest cloud asset
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: assets
@@ -253,7 +253,7 @@ jobs:
 
       - name: Download latest build artifacts
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: apps/web/artifacts
@@ -264,7 +264,7 @@ jobs:
 
       - name: Dry Run - Download latest build artifacts
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/download-artifacts@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           workflow: build-web.yml
           path: apps/web/artifacts

.github/workflows/staged-rollout-desktop.yml

@@ -26,7 +26,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "aws-electron-access-id,

.github/workflows/version-bump.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/get-keyvault-secrets@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
@@ -86,14 +86,14 @@ jobs:
 
       - name: Bump Browser Version - Manifest
         if: ${{ github.event.inputs.client == 'Browser' || github.event.inputs.client == 'All' }}
-        uses: bitwarden/gh-actions/version-bump@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/version-bump@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           version: ${{ github.event.inputs.version_number }}
           file_path: "apps/browser/src/manifest.json"
 
       - name: Bump Browser Version - Manifest v3
         if: ${{ github.event.inputs.client == 'Browser' || github.event.inputs.client == 'All' }}
-        uses: bitwarden/gh-actions/version-bump@72594be690a4e7bfa87b1402b2aedc75acdbff12
+        uses: bitwarden/gh-actions/version-bump@37ffa14164a7308bc273829edfe75c97cd562375
         with:
           version: ${{ github.event.inputs.version_number }}
           file_path: "apps/browser/src/manifest.v3.json"

.github/workflows/workflow-linter.yml

@@ -8,4 +8,4 @@ on:
 
 jobs:
   call-workflow:
-    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@72594be690a4e7bfa87b1402b2aedc75acdbff12
+    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@37ffa14164a7308bc273829edfe75c97cd562375

apps/browser/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitwarden/browser",
-  "version": "2023.5.0",
+  "version": "2023.5.1",
   "scripts": {
     "build": "webpack",
     "build:mv3": "cross-env MANIFEST_VERSION=3 webpack",

apps/browser/src/autofill/commands/autofill-tab-command.ts

@@ -46,6 +46,7 @@ export class AutofillTabCommand {
       onlyEmptyFields: false,
       onlyVisibleFields: false,
       fillNewPassword: true,
+      allowTotpAutofill: true,
     });
   }
 

apps/browser/src/autofill/services/abstractions/autofill.service.ts

@@ -21,6 +21,7 @@ export interface AutoFillOptions {
   fillNewPassword?: boolean;
   skipLastUsed?: boolean;
   allowUntrustedIframe?: boolean;
+  allowTotpAutofill?: boolean;
 }
 
 export interface FormData {

apps/browser/src/autofill/services/autofill-constants.ts

@@ -20,6 +20,17 @@ export class AutoFillConstants {
     "benutzer id",
   ];
 
+  static readonly TotpFieldNames: string[] = [
+    "totp",
+    "2fa",
+    "mfa",
+    "totpcode",
+    "2facode",
+    "mfacode",
+    "twofactor",
+    "twofactorcode",
+  ];
+
   static readonly PasswordFieldIgnoreList: string[] = [
     "onetimepassword",
     "captcha",

apps/browser/src/autofill/services/autofill.service.ts

@@ -32,6 +32,7 @@ export interface GenerateFillScriptOptions {
   onlyEmptyFields: boolean;
   onlyVisibleFields: boolean;
   fillNewPassword: boolean;
+  allowTotpAutofill: boolean;
   cipher: CipherView;
   tabUrl: string;
   defaultUriMatch: UriMatchType;
@@ -127,17 +128,19 @@ export default class AutofillService implements AutofillServiceInterface {
     const defaultUriMatch = (await this.stateService.getDefaultUriMatch()) ?? UriMatchType.Domain;
 
     let didAutofill = false;
-    options.pageDetails.forEach((pd) => {
+    await Promise.all(
+      options.pageDetails.map(async (pd) => {
         // make sure we're still on correct tab
         if (pd.tab.id !== tab.id || pd.tab.url !== tab.url) {
           return;
         }
 
-      const fillScript = this.generateFillScript(pd.details, {
+        const fillScript = await this.generateFillScript(pd.details, {
           skipUsernameOnlyFill: options.skipUsernameOnlyFill || false,
           onlyEmptyFields: options.onlyEmptyFields || false,
           onlyVisibleFields: options.onlyVisibleFields || false,
           fillNewPassword: options.fillNewPassword || false,
+          allowTotpAutofill: options.allowTotpAutofill || false,
           cipher: options.cipher,
           tabUrl: tab.url,
           defaultUriMatch: defaultUriMatch,
@@ -189,7 +192,8 @@ export default class AutofillService implements AutofillServiceInterface {
           }
           return null;
         });
-    });
+      })
+    );
 
     if (didAutofill) {
       this.eventCollectionService.collect(EventType.Cipher_ClientAutofilled, options.cipher.id);
@@ -244,6 +248,7 @@ export default class AutofillService implements AutofillServiceInterface {
       onlyVisibleFields: !fromCommand,
       fillNewPassword: fromCommand,
       allowUntrustedIframe: fromCommand,
+      allowTotpAutofill: fromCommand,
     });
 
     // Update last used index as autofill has succeed
@@ -280,10 +285,10 @@ export default class AutofillService implements AutofillServiceInterface {
     return tab;
   }
 
-  private generateFillScript(
+  private async generateFillScript(
     pageDetails: AutofillPageDetails,
     options: GenerateFillScriptOptions
-  ): AutofillScript {
+  ): Promise<AutofillScript> {
     if (!pageDetails || !options.cipher) {
       return null;
     }
@@ -333,7 +338,12 @@ export default class AutofillService implements AutofillServiceInterface {
 
     switch (options.cipher.type) {
       case CipherType.Login:
-        fillScript = this.generateLoginFillScript(fillScript, pageDetails, filledFields, options);
+        fillScript = await this.generateLoginFillScript(
+          fillScript,
+          pageDetails,
+          filledFields,
+          options
+        );
         break;
       case CipherType.Card:
         fillScript = this.generateCardFillScript(fillScript, pageDetails, filledFields, options);
@@ -353,20 +363,22 @@ export default class AutofillService implements AutofillServiceInterface {
     return fillScript;
   }
 
-  private generateLoginFillScript(
+  private async generateLoginFillScript(
     fillScript: AutofillScript,
     pageDetails: AutofillPageDetails,
     filledFields: { [id: string]: AutofillField },
     options: GenerateFillScriptOptions
-  ): AutofillScript {
+  ): Promise<AutofillScript> {
     if (!options.cipher.login) {
       return null;
     }
 
     const passwords: AutofillField[] = [];
     const usernames: AutofillField[] = [];
+    const totps: AutofillField[] = [];
     let pf: AutofillField = null;
     let username: AutofillField = null;
+    let totp: AutofillField = null;
     const login = options.cipher.login;
     fillScript.savedUrls =
       login?.uris?.filter((u) => u.match != UriMatchType.Never).map((u) => u.uri) ?? [];
@@ -420,6 +432,19 @@ export default class AutofillService implements AutofillServiceInterface {
             usernames.push(username);
           }
         }
+
+        if (options.allowTotpAutofill && login.totp) {
+          totp = this.findTotpField(pageDetails, pf, false, false, false);
+
+          if (!totp && !options.onlyVisibleFields) {
+            // not able to find any viewable totp fields. maybe there are some "hidden" ones?
+            totp = this.findTotpField(pageDetails, pf, true, true, true);
+          }
+
+          if (totp) {
+            totps.push(totp);
+          }
+        }
       });
     }
 
@@ -442,18 +467,42 @@ export default class AutofillService implements AutofillServiceInterface {
           usernames.push(username);
         }
       }
+
+      if (options.allowTotpAutofill && login.totp && pf.elementNumber > 0) {
+        totp = this.findTotpField(pageDetails, pf, false, false, true);
+
+        if (!totp && !options.onlyVisibleFields) {
+          // not able to find any viewable username fields. maybe there are some "hidden" ones?
+          totp = this.findTotpField(pageDetails, pf, true, true, true);
         }
 
-    if (!passwordFields.length && !options.skipUsernameOnlyFill) {
+        if (totp) {
+          totps.push(totp);
+        }
+      }
+    }
+
+    if (!passwordFields.length) {
       // No password fields on this page. Let's try to just fuzzy fill the username.
       pageDetails.fields.forEach((f) => {
         if (
+          !options.skipUsernameOnlyFill &&
           f.viewable &&
           (f.type === "text" || f.type === "email" || f.type === "tel") &&
           AutofillService.fieldIsFuzzyMatch(f, AutoFillConstants.UsernameFieldNames)
         ) {
           usernames.push(f);
         }
+
+        if (
+          options.allowTotpAutofill &&
+          f.viewable &&
+          (f.type === "text" || f.type === "number") &&
+          (AutofillService.fieldIsFuzzyMatch(f, AutoFillConstants.TotpFieldNames) ||
+            f.autoCompleteType === "one-time-code")
+        ) {
+          totps.push(f);
+        }
       });
     }
 
@@ -477,6 +526,20 @@ export default class AutofillService implements AutofillServiceInterface {
       AutofillService.fillByOpid(fillScript, p, login.password);
     });
 
+    if (options.allowTotpAutofill) {
+      await Promise.all(
+        totps.map(async (t) => {
+          if (Object.prototype.hasOwnProperty.call(filledFields, t.opid)) {
+            return;
+          }
+
+          filledFields[t.opid] = t;
+          const totpValue = await this.totpService.getCode(login.totp);
+          AutofillService.fillByOpid(fillScript, t, totpValue);
+        })
+      );
+    }
+
     fillScript = AutofillService.setFillScriptForFocus(filledFields, fillScript);
     return fillScript;
   }
@@ -1258,6 +1321,42 @@ export default class AutofillService implements AutofillServiceInterface {
     return usernameField;
   }
 
+  private findTotpField(
+    pageDetails: AutofillPageDetails,
+    passwordField: AutofillField,
+    canBeHidden: boolean,
+    canBeReadOnly: boolean,
+    withoutForm: boolean
+  ) {
+    let totpField: AutofillField = null;
+    for (let i = 0; i < pageDetails.fields.length; i++) {
+      const f = pageDetails.fields[i];
+      if (AutofillService.forCustomFieldsOnly(f)) {
+        continue;
+      }
+
+      if (
+        !f.disabled &&
+        (canBeReadOnly || !f.readonly) &&
+        (withoutForm || f.form === passwordField.form) &&
+        (canBeHidden || f.viewable) &&
+        (f.type === "text" || f.type === "number")
+      ) {
+        totpField = f;
+
+        if (
+          this.findMatchingFieldIndex(f, AutoFillConstants.TotpFieldNames) > -1 ||
+          f.autoCompleteType === "one-time-code"
+        ) {
+          // We found an exact match. No need to keep looking.
+          break;
+        }
+      }
+    }
+
+    return totpField;
+  }
+
   private findMatchingFieldIndex(field: AutofillField, names: string[]): number {
     for (let i = 0; i < names.length; i++) {
       if (names[i].indexOf("=") > -1) {
@@ -1267,6 +1366,12 @@ export default class AutofillService implements AutofillServiceInterface {
         if (this.fieldPropertyIsPrefixMatch(field, "htmlName", names[i], "name")) {
           return i;
         }
+        if (this.fieldPropertyIsPrefixMatch(field, "label-left", names[i], "label")) {
+          return i;
+        }
+        if (this.fieldPropertyIsPrefixMatch(field, "label-right", names[i], "label")) {
+          return i;
+        }
         if (this.fieldPropertyIsPrefixMatch(field, "label-tag", names[i], "label")) {
           return i;
         }
@@ -1284,6 +1389,12 @@ export default class AutofillService implements AutofillServiceInterface {
       if (this.fieldPropertyIsMatch(field, "htmlName", names[i])) {
         return i;
       }
+      if (this.fieldPropertyIsMatch(field, "label-left", names[i])) {
+        return i;
+      }
+      if (this.fieldPropertyIsMatch(field, "label-right", names[i])) {
+        return i;
+      }
       if (this.fieldPropertyIsMatch(field, "label-tag", names[i])) {
         return i;
       }

apps/browser/src/background/runtime.background.ts

@@ -224,6 +224,7 @@ export default class RuntimeBackground {
       cipher: this.main.loginToAutoFill,
       pageDetails: this.pageDetailsToAutoFill,
       fillNewPassword: true,
+      allowTotpAutofill: true,
     });
 
     if (totpCode != null) {

apps/browser/src/manifest.json

@@ -2,7 +2,7 @@
   "manifest_version": 2,
   "name": "__MSG_extName__",
   "short_name": "__MSG_appName__",
-  "version": "2023.5.0",
+  "version": "2023.5.1",
   "description": "__MSG_extDesc__",
   "default_locale": "en",
   "author": "Bitwarden Inc.",

apps/browser/src/manifest.v3.json

@@ -3,7 +3,7 @@
   "minimum_chrome_version": "102.0",
   "name": "__MSG_extName__",
   "short_name": "__MSG_appName__",
-  "version": "2023.5.0",
+  "version": "2023.5.1",
   "description": "__MSG_extDesc__",
   "default_locale": "en",
   "author": "Bitwarden Inc.",

apps/browser/src/vault/popup/components/vault/current-tab.component.ts

@@ -180,6 +180,7 @@ export class CurrentTabComponent implements OnInit, OnDestroy {
         pageDetails: this.pageDetails,
         doc: window.document,
         fillNewPassword: true,
+        allowTotpAutofill: true,
       });
       if (this.totpCode != null) {
         this.platformUtilsService.copyToClipboard(this.totpCode, { window: window });

apps/browser/src/vault/popup/components/vault/view.component.ts

@@ -288,6 +288,7 @@ export class ViewComponent extends BaseViewComponent {
         pageDetails: this.pageDetails,
         doc: window.document,
         fillNewPassword: true,
+        allowTotpAutofill: true,
       });
       if (this.totpCode != null) {
         this.platformUtilsService.copyToClipboard(this.totpCode, { window: window });

apps/cli/src/commands/serve.command.ts

@@ -245,6 +245,10 @@ export class ServeCommand {
     });
 
     router.post("/unlock", async (ctx, next) => {
+      // Do not allow guessing password location through serve command
+      delete ctx.request.query.passwordFile;
+      delete ctx.request.query.passwordEnv;
+
       const response = await this.unlockCommand.run(
         ctx.request.body.password == null ? null : (ctx.request.body.password as string),
         ctx.request.query

apps/desktop/src/locales/eo/messages.json

@@ -6,13 +6,13 @@
     "message": "Filtriloj"
   },
   "allItems": {
-    "message": "All items"
+    "message": "Ĉiuj Eroj"
   },
   "favorites": {
-    "message": "Favorites"
+    "message": "Plej ŝatataj"
   },
   "types": {
-    "message": "Types"
+    "message": "Tipoj"
   },
   "typeLogin": {
     "message": "Saluto"
@@ -21,7 +21,7 @@
     "message": "Karto"
   },
   "typeIdentity": {
-    "message": "Identity"
+    "message": "Idento"
   },
   "typeSecureNote": {
     "message": "Sekura noto"
@@ -30,10 +30,10 @@
     "message": "Dosierujoj"
   },
   "collections": {
-    "message": "Collections"
+    "message": "Kolektoj"
   },
   "searchVault": {
-    "message": "Search vault"
+    "message": "Traserĉu trezorejon"
   },
   "addItem": {
     "message": "Aldoni elementon"
@@ -45,10 +45,10 @@
     "message": "Kundividi"
   },
   "moveToOrganization": {
-    "message": "Move to organization"
+    "message": "Movu al organizo"
   },
   "movedItemToOrg": {
-    "message": "$ITEMNAME$ moved to $ORGNAME$",
+    "message": "$ITEMNAME$ moviĝis al $ORGNAME$",
     "placeholders": {
       "itemname": {
         "content": "$1",
@@ -61,7 +61,7 @@
     }
   },
   "moveToOrgDesc": {
-    "message": "Choose an organization that you wish to move this item to. Moving to an organization transfers ownership of the item to that organization. You will no longer be the direct owner of this item once it has been moved."
+    "message": "Elektu organizon kun kiu vi volas dividi ĉi tiun eron. Dividado transdonas posedon de la ero al la organizo. Vi ne plu estos la rekta posedanto de ĉi tiu ero post kiam ĝi estos dividita."
   },
   "attachments": {
     "message": "Aldonaĵoj"
@@ -104,10 +104,10 @@
     "message": "Retpoŝta adreso"
   },
   "verificationCodeTotp": {
-    "message": "Verification code (TOTP)"
+    "message": "Kontrola kodo (TOTP)"
   },
   "website": {
-    "message": "Website"
+    "message": "Retejo"
   },
   "notes": {
     "message": "Notoj"
@@ -116,10 +116,10 @@
     "message": "Propraj kampoj"
   },
   "launch": {
-    "message": "Launch"
+    "message": "Lanĉo"
   },
   "copyValue": {
-    "message": "Copy value",
+    "message": "Kopii valoron",
     "description": "Copy value to clipboard"
   },
   "minimizeOnCopyToClipboard": {

apps/desktop/src/locales/fi/messages.json

@@ -962,7 +962,7 @@
     "message": "Käynnistä automaattisesti kirjauduttaessa"
   },
   "openAtLoginDesc": {
-    "message": "Käynnistä sovellus automaattisesti kirjautumisen yhteydessä."
+    "message": "Käynnistä Bitwarden-sovellus automaattisesti kirjautumisen yhteydessä."
   },
   "alwaysShowDock": {
     "message": "Näytä aina Dockissa"

apps/web/config/euprd.json

@@ -1,8 +1,8 @@
 {
   "urls": {
     "icons": "https://icons.bitwarden.net",
-    "notifications": "https://notifications.bitwarden.net",
+    "notifications": "https://notifications.beta.bitwarden.net",
-    "scim": "https://scim.bitwarden.net"
+    "scim": "https://scim.beta.bitwarden.net"
   },
   "flags": {
     "secretsManager": true,

apps/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitwarden/web-vault",
-  "version": "2023.5.0",
+  "version": "2023.5.1",
   "scripts": {
     "build:oss": "webpack",
     "build:bit": "webpack -c ../../bitwarden_license/bit-web/webpack.config.js",

apps/web/src/app/admin-console/organizations/members/components/member-dialog/member-dialog.component.ts

@@ -35,6 +35,7 @@ import {
 } from "../../../shared/components/access-selector";
 
 import { commaSeparatedEmails } from "./validators/comma-separated-emails.validator";
+import { freeOrgSeatLimitReachedValidator } from "./validators/free-org-inv-limit-reached.validator";
 
 export enum MemberDialogTab {
   Role = 0,
@@ -46,6 +47,7 @@ export interface MemberDialogParams {
   name: string;
   organizationId: string;
   organizationUserId: string;
+  allOrganizationUserEmails: string[];
   usesKeyConnector: boolean;
   initialTab?: MemberDialogTab;
 }
@@ -79,7 +81,7 @@ export class MemberDialogComponent implements OnInit, OnDestroy {
   protected groupAccessItems: AccessItemView[] = [];
   protected tabIndex: MemberDialogTab;
   protected formGroup = this.formBuilder.group({
-    emails: ["", [Validators.required, commaSeparatedEmails]],
+    emails: ["", { updateOn: "blur" }],
     type: OrganizationUserType.User,
     externalId: this.formBuilder.control({ value: "", disabled: true }),
     accessAllCollections: false,
@@ -167,6 +169,20 @@ export class MemberDialogComponent implements OnInit, OnDestroy {
         this.canUseCustomPermissions = organization.useCustomPermissions;
         this.canUseSecretsManager = organization.useSecretsManager && flagEnabled("secretsManager");
 
+        const emailsControlValidators = [
+          Validators.required,
+          commaSeparatedEmails,
+          freeOrgSeatLimitReachedValidator(
+            this.organization,
+            this.params.allOrganizationUserEmails,
+            this.i18nService.t("subscriptionFreePlan", organization.seats)
+          ),
+        ];
+
+        const emailsControl = this.formGroup.get("emails");
+        emailsControl.setValidators(emailsControlValidators);
+        emailsControl.updateValueAndValidity();
+
         this.collectionAccessItems = [].concat(
           collections.map((c) => mapCollectionToAccessItemView(c))
         );

apps/web/src/app/admin-console/organizations/members/components/member-dialog/validators/free-org-inv-limit-reached.validator.spec.ts

@@ -0,0 +1,106 @@
+import { AbstractControl, FormControl, ValidationErrors } from "@angular/forms";
+
+import { OrganizationUserType } from "@bitwarden/common/admin-console/enums";
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { ProductType } from "@bitwarden/common/enums";
+
+import { freeOrgSeatLimitReachedValidator } from "./free-org-inv-limit-reached.validator";
+
+const orgFactory = (props: Partial<Organization> = {}) =>
+  Object.assign(
+    new Organization(),
+    {
+      id: "myOrgId",
+      enabled: true,
+      type: OrganizationUserType.Admin,
+    },
+    props
+  );
+
+describe("freeOrgSeatLimitReachedValidator", () => {
+  let organization: Organization;
+  let allOrganizationUserEmails: string[];
+  let validatorFn: (control: AbstractControl) => ValidationErrors | null;
+
+  beforeEach(() => {
+    allOrganizationUserEmails = ["user1@example.com"];
+  });
+
+  it("should return null when control value is empty", () => {
+    validatorFn = freeOrgSeatLimitReachedValidator(
+      organization,
+      allOrganizationUserEmails,
+      "You cannot invite more than 2 members without upgrading your plan."
+    );
+    const control = new FormControl("");
+
+    const result = validatorFn(control);
+
+    expect(result).toBeNull();
+  });
+
+  it("should return null when control value is null", () => {
+    validatorFn = freeOrgSeatLimitReachedValidator(
+      organization,
+      allOrganizationUserEmails,
+      "You cannot invite more than 2 members without upgrading your plan."
+    );
+    const control = new FormControl(null);
+
+    const result = validatorFn(control);
+
+    expect(result).toBeNull();
+  });
+
+  it("should return null when max seats are not exceeded on free plan", () => {
+    organization = orgFactory({
+      planProductType: ProductType.Free,
+      seats: 2,
+    });
+    validatorFn = freeOrgSeatLimitReachedValidator(
+      organization,
+      allOrganizationUserEmails,
+      "You cannot invite more than 2 members without upgrading your plan."
+    );
+    const control = new FormControl("user2@example.com");
+
+    const result = validatorFn(control);
+
+    expect(result).toBeNull();
+  });
+
+  it("should return validation error when max seats are exceeded on free plan", () => {
+    organization = orgFactory({
+      planProductType: ProductType.Free,
+      seats: 2,
+    });
+    const errorMessage = "You cannot invite more than 2 members without upgrading your plan.";
+    validatorFn = freeOrgSeatLimitReachedValidator(
+      organization,
+      allOrganizationUserEmails,
+      "You cannot invite more than 2 members without upgrading your plan."
+    );
+    const control = new FormControl("user2@example.com,user3@example.com");
+
+    const result = validatorFn(control);
+
+    expect(result).toStrictEqual({ freePlanLimitReached: { message: errorMessage } });
+  });
+
+  it("should return null when not on free plan", () => {
+    const control = new FormControl("user2@example.com,user3@example.com");
+    organization = orgFactory({
+      planProductType: ProductType.Enterprise,
+      seats: 100,
+    });
+    validatorFn = freeOrgSeatLimitReachedValidator(
+      organization,
+      allOrganizationUserEmails,
+      "You cannot invite more than 2 members without upgrading your plan."
+    );
+
+    const result = validatorFn(control);
+
+    expect(result).toBeNull();
+  });
+});

apps/web/src/app/admin-console/organizations/members/components/member-dialog/validators/free-org-inv-limit-reached.validator.ts

@@ -0,0 +1,36 @@
+import { AbstractControl, ValidationErrors, ValidatorFn } from "@angular/forms";
+
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { ProductType } from "@bitwarden/common/enums";
+
+/**
+ * Checks if the limit of free organization seats has been reached when adding new users
+ * @param organization An object representing the organization
+ * @param allOrganizationUserEmails An array of strings with existing user email addresses
+ * @param errorMessage A localized string to display if validation fails
+ * @returns A function that validates an `AbstractControl` and returns `ValidationErrors` or `null`
+ */
+export function freeOrgSeatLimitReachedValidator(
+  organization: Organization,
+  allOrganizationUserEmails: string[],
+  errorMessage: string
+): ValidatorFn {
+  return (control: AbstractControl): ValidationErrors | null => {
+    if (control.value === "" || !control.value) {
+      return null;
+    }
+
+    const newEmailsToAdd = control.value
+      .split(",")
+      .filter(
+        (newEmailToAdd: string) =>
+          newEmailToAdd &&
+          !allOrganizationUserEmails.some((existingEmail) => existingEmail === newEmailToAdd)
+      );
+
+    return organization.planProductType === ProductType.Free &&
+      allOrganizationUserEmails.length + newEmailsToAdd.length > organization.seats
+      ? { freePlanLimitReached: { message: errorMessage } }
+      : null;
+  };
+}

apps/web/src/app/admin-console/organizations/members/people.component.ts

@@ -396,6 +396,7 @@ export class PeopleComponent
         name: this.userNamePipe.transform(user),
         organizationId: this.organization.id,
         organizationUserId: user != null ? user.id : null,
+        allOrganizationUserEmails: this.allUsers?.map((user) => user.email) ?? [],
         usesKeyConnector: user?.usesKeyConnector,
         initialTab: initialTab,
       },

apps/web/src/app/core/init.service.ts

@@ -38,11 +38,15 @@ export class InitService {
 
   init() {
     return async () => {
+      // Workaround to ignore stateService.activeAccount until process.env.URLS are set
+      // TODO: Remove this when implementing ticket PM-2637
+      this.environmentService.initialized = false;
       await this.stateService.init();
 
       const urls = process.env.URLS as Urls;
       urls.base ??= this.win.location.origin;
       this.environmentService.setUrls(urls);
+      this.environmentService.initialized = true;
 
       setTimeout(() => this.notificationsService.init(), 3000);
       (this.vaultTimeoutService as VaultTimeoutService).init(true);

apps/web/src/app/vault/individual-vault/vault.component.ts

@@ -38,7 +38,6 @@ import { OrganizationService } from "@bitwarden/common/admin-console/abstraction
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
 import { DEFAULT_PBKDF2_ITERATIONS, EventType, KdfType } from "@bitwarden/common/enums";
-import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { ServiceUtils } from "@bitwarden/common/misc/serviceUtils";
 import { TreeNode } from "@bitwarden/common/models/domain/tree-node";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
@@ -857,19 +856,11 @@ export class VaultComponent implements OnInit, OnDestroy {
   }
 
   async isLowKdfIteration() {
-    const showLowKdfEnabled = await this.configService.getFeatureFlagBool(
-      FeatureFlag.DisplayLowKdfIterationWarningFlag
-    );
-
-    if (showLowKdfEnabled) {
     const kdfType = await this.stateService.getKdfType();
     const kdfOptions = await this.stateService.getKdfConfig();
     return kdfType === KdfType.PBKDF2_SHA256 && kdfOptions.iterations < DEFAULT_PBKDF2_ITERATIONS;
   }
 
-    return showLowKdfEnabled;
-  }
-
   protected async repromptCipher(ciphers: CipherView[]) {
     const notProtected = !ciphers.find((cipher) => cipher.reprompt !== CipherRepromptType.None);
 

apps/web/src/locales/da/messages.json

@@ -658,7 +658,7 @@
     "message": "Hovedadgangskoden er den adgangskode, du bruger, når du tilgår din boks. Det er meget vigtigt, at hovedadgangskoden ikke glemmes, da der ikke er nogen måde, hvorpå den kan genoprettes."
   },
   "masterPassImportant": {
-    "message": "Hovedadgangskoder kan ikke gendannes, hvis du glemmer dem!"
+    "message": "Hovedadgangskoden kan ikke gendannes, hvis den glemmes!"
   },
   "masterPassHintDesc": {
     "message": "Et hovedadgangskodetip kan bidrage til at komme i tanke om adgangskoden, hvis den glemmes."
@@ -5231,7 +5231,7 @@
     "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Connect login with SSO to your self-hosted decryption key server. Using this option, members won’t need to use their master passwords to decrypt vault data. The require SSO authentication and single organization policies are required to set up Key Connector decryption. Contact Bitwarden Support for set up assistance.'"
   },
   "memberDecryptionKeyConnectorDescLink": {
-    "message": "require SSO authentication and single organization policies",
+    "message": "kræver SSO-godkendelse samt enkeltorganisationspolitikker",
     "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Connect login with SSO to your self-hosted decryption key server. Using this option, members won’t need to use their master passwords to decrypt vault data. The require SSO authentication and single organization policies are required to set up Key Connector decryption. Contact Bitwarden Support for set up assistance.'"
   },
   "memberDecryptionKeyConnectorDescEnd": {

apps/web/src/locales/fi/messages.json

@@ -6553,7 +6553,7 @@
     "message": "Laskutuksen synkronoinnin ohje"
   },
   "licensePaidFeaturesHelp": {
-    "message": "Maksullisen lisenssin oiminaisuusopas"
+    "message": "Maksullisen lisenssin ominaisuusopas"
   },
   "selfHostGracePeriodHelp": {
     "message": "Kun tilauksesi päättyy, sinulla on 60 päivää aikaa päivittää organisaatiosi lisenssitiedosto ajan tasalle. Varoaika päättyy $GRACE_PERIOD_END_DATE$.",
@@ -6830,7 +6830,7 @@
     "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The master password reset policy with automatic enrollment will turn on when this option is used.'"
   },
   "notFound": {
-    "message": "$RESOURCE$ ei löytynyt",
+    "message": "Resurssia $RESOURCE$ ei löytynyt",
     "placeholders": {
       "resource": {
         "content": "$1",

apps/web/src/locales/fr/messages.json

@@ -574,7 +574,7 @@
     "message": "Êtes-vous sûr de vouloir écraser le mot de passe actuel ?"
   },
   "editedFolder": {
-    "message": "Dossier modifié"
+    "message": "Dossier enregistré"
   },
   "addedFolder": {
     "message": "Dossier ajouté"
@@ -634,7 +634,7 @@
     "message": "Commencer la Période d'Essai"
   },
   "logIn": {
-    "message": "S'identifier"
+    "message": "Se connecter"
   },
   "logInInitiated": {
     "message": "Connexion initiée"
@@ -676,7 +676,7 @@
     "message": "Paramètres"
   },
   "passwordHint": {
-    "message": "Indice du mot de passe"
+    "message": "Indice de mot de passe"
   },
   "enterEmailToGetHint": {
     "message": "Saisissez l'adresse électronique de votre compte pour recevoir l'indice de votre mot de passe principal."
@@ -6900,6 +6900,6 @@
     "message": "Aucun mot de passe principal"
   },
   "removeMembersWithoutMasterPasswordWarning": {
-    "message": "La suppression des membres qui n'ont pas de mot de passe principal sans leur en définir un, peut restreindre l'accès à leur compte dans soin intégralité."
+    "message": "La suppression des membres qui n'ont pas de mot de passe principal sans leur en définir un, peut restreindre l'accès à leur compte dans son intégralité."
   }
 }

apps/web/src/locales/it/messages.json

@@ -6849,7 +6849,7 @@
     "description": "A 'fingerprint phrase' is a unique word phrase (similar to a passphrase) that a user can use to authenticate their organization's public key with another user, for the purposes of sharing."
   },
   "deviceApprovals": {
-    "message": "Approvazioni dispositivi"
+    "message": "Approva dispositivi"
   },
   "deviceApprovalsDesc": {
     "message": "Approva le richieste di accesso qui sotto per consentire ai membri di completare l'accesso. Le richieste non approvate scadono dopo 1 settimana. Verifica le informazioni del membro prima di approvare."
@@ -6870,7 +6870,7 @@
     "message": "Approva richiesta"
   },
   "noDeviceRequests": {
-    "message": "Nessuna richiesta dispositivo"
+    "message": "Nessuna richiesta da approvare"
   },
   "noDeviceRequestsDesc": {
     "message": "Le richieste di approvazione dei dispositivi dei membri appariranno qui"

apps/web/src/locales/pt_PT/messages.json

@@ -1001,7 +1001,7 @@
     "message": "Confirmar a palavra-passe do ficheiro"
   },
   "accountRestrictedOptionDescription": {
-    "message": "Use your account encryption key, derived from your account's username and Master Password, to encrypt the export and restrict import to only the current Bitwarden account."
+    "message": "Utilize a chave de encriptação da sua conta, derivada do nome de utilizador e da palavra-passe mestra da sua conta, para encriptar a exportação e restringir a importação apenas à conta Bitwarden atual."
   },
   "passwordProtectedOptionDescription": {
     "message": "Defina uma palavra-passe do ficheiro para encriptar a exportação e importe-a para qualquer conta Bitwarden utilizando a palavra-passe de desencriptação."
@@ -1256,7 +1256,7 @@
     "message": "Dados importados com sucesso"
   },
   "importSuccessNumberOfItems": {
-    "message": "A total of $AMOUNT$ items were imported.",
+    "message": "Foi importado um total de $AMOUNT$ itens.",
     "placeholders": {
       "amount": {
         "content": "$1",
@@ -1919,7 +1919,7 @@
     }
   },
   "premiumPriceWithFamilyPlan": {
-    "message": "Go premium for just $PRICE$ /year, or get premium accounts for $FAMILYPLANUSERCOUNT$ users and unlimited family sharing with a ",
+    "message": "Adquira uma conta Premium por apenas $PRICE$ /ano, ou obtenha contas Premium para $FAMILYPLANUSERCOUNT$ utilizadores e partilha familiar ilimitada com um ",
     "placeholders": {
       "price": {
         "content": "$1",
@@ -1932,7 +1932,7 @@
     }
   },
   "bitwardenFamiliesPlan": {
-    "message": "Bitwarden Families plan."
+    "message": "plano Familiar do Bitwarden."
   },
   "addons": {
     "message": "Addons"
@@ -2029,7 +2029,7 @@
     "message": "Cancelar subscrição"
   },
   "subscriptionExpiration": {
-    "message": "Subscription expiration"
+    "message": "Validade da subscrição"
   },
   "subscriptionCanceled": {
     "message": "A subscrição foi cancelada."
@@ -2265,7 +2265,7 @@
     }
   },
   "planNameFamilies": {
-    "message": "Famílias"
+    "message": "Familiar"
   },
   "planDescFamilies": {
     "message": "Para uso pessoal, para partilhar com a família e amigos."
@@ -2472,7 +2472,7 @@
     "message": "Tem a certeza de que pretende eliminar este grupo?"
   },
   "deleteMultipleGroupsConfirmation": {
-    "message": "Are you sure you want to delete the following $QUANTITY$ group(s)?",
+    "message": "Tem a certeza de que pretende eliminar o(s) seguinte(s) $QUANTITY$ grupo(s)?",
     "placeholders": {
       "quantity": {
         "content": "$1",
@@ -2532,7 +2532,7 @@
     "message": "Editar membro"
   },
   "fieldOnTabRequiresAttention": {
-    "message": "A field on the '$TAB$' tab requires your attention.",
+    "message": "Um campo no separador '$TAB$' precisa da sua atenção.",
     "placeholders": {
       "tab": {
         "content": "$1",
@@ -2823,7 +2823,7 @@
     }
   },
   "deletedCollections": {
-    "message": "Deleted collections"
+    "message": "Coleções eliminadas"
   },
   "deletedCollectionId": {
     "message": "Coleção $ID$ eliminada.",
@@ -2871,7 +2871,7 @@
     }
   },
   "deletedManyGroups": {
-    "message": "Deleted $QUANTITY$ group(s).",
+    "message": "$QUANTITY$ grupo(s) eliminados.",
     "placeholders": {
       "quantity": {
         "content": "$1",
@@ -3363,7 +3363,7 @@
     }
   },
   "subscriptionFreePlan": {
-    "message": "You cannot invite more than $COUNT$ members without upgrading your plan.",
+    "message": "Não pode convidar mais do que $COUNT$ membros sem atualizar o seu plano.",
     "placeholders": {
       "count": {
         "content": "$1",
@@ -3372,7 +3372,7 @@
     }
   },
   "subscriptionFamiliesPlan": {
-    "message": "You cannot invite more than $COUNT$ members without upgrading your plan. Please contact Customer Support to upgrade.",
+    "message": "Não pode convidar mais do que $COUNT$ membros sem atualizar o seu plano. Contacte o Apoio ao cliente para atualizar.",
     "placeholders": {
       "count": {
         "content": "$1",
@@ -3381,7 +3381,7 @@
     }
   },
   "subscriptionSponsoredFamiliesPlan": {
-    "message": "Your subscription allows for a total of $COUNT$ members. Your plan is sponsored and billed to an external organization.",
+    "message": "A sua subscrição permite um total de $COUNT$ membros. O seu plano é patrocinado e faturado por uma organização externa.",
     "placeholders": {
       "count": {
         "content": "$1",
@@ -5443,7 +5443,7 @@
     "message": "Histórico de faturação"
   },
   "backToReports": {
-    "message": "Back to reports"
+    "message": "Voltar aos relatórios"
   },
   "organizationPicker": {
     "message": "Organization picker"
@@ -5503,7 +5503,7 @@
     "message": "Palavra aleatória"
   },
   "service": {
-    "message": "Service"
+    "message": "Serviço"
   },
   "unknownCipher": {
     "message": "Item desconhecido, poderá ser necessário pedir autorização para aceder a este item."
@@ -5961,7 +5961,7 @@
     "message": "A eliminação de contas de serviço é permanente e irreversível."
   },
   "deleteServiceAccountsConfirmMessage": {
-    "message": "Delete $COUNT$ service accounts",
+    "message": "Eliminar $COUNT$ contas de serviço",
     "placeholders": {
       "count": {
         "content": "$1",
@@ -5970,13 +5970,13 @@
     }
   },
   "deleteServiceAccountToast": {
-    "message": "Service account deleted"
+    "message": "Conta de serviço eliminada"
   },
   "deleteServiceAccountsToast": {
-    "message": "Service accounts deleted"
+    "message": "Contas de serviço eliminadas"
   },
   "searchServiceAccounts": {
-    "message": "Search service accounts",
+    "message": "Procurar contas de serviço",
     "description": "Placeholder text for searching service accounts."
   },
   "editServiceAccount": {
@@ -6071,7 +6071,7 @@
     }
   },
   "deleteProjectInputLabel": {
-    "message": "Type \"$CONFIRM$\" to continue",
+    "message": "Escreva \"$CONFIRM$\" para continuar",
     "description": "Users are prompted to type 'confirm' to delete a project",
     "placeholders": {
       "confirm": {
@@ -6081,7 +6081,7 @@
     }
   },
   "deleteProjectConfirmMessage": {
-    "message": "Delete $PROJECT$",
+    "message": "Eliminar $PROJECT$",
     "description": "Confirmation prompt to delete a specific project, where '$PROJECT$' is a placeholder for the name of the project.",
     "placeholders": {
       "project": {
@@ -6091,7 +6091,7 @@
     }
   },
   "deleteProjectsConfirmMessage": {
-    "message": "Delete $COUNT$ Projects",
+    "message": "Eliminar $COUNT$ projetos",
     "description": "Confirmation prompt to delete multiple projects, where '$COUNT$' is a placeholder for the number of projects to be deleted.",
     "placeholders": {
       "count": {
@@ -6113,22 +6113,22 @@
     "description": "Message to be displayed when there are no projects to display in the list."
   },
   "smConfirmationRequired": {
-    "message": "Confirmation required",
+    "message": "Confirmação necessária",
     "description": "Indicates that user confirmation is required for an action to proceed."
   },
   "bulkDeleteProjectsErrorMessage": {
-    "message": "The following projects could not be deleted:",
+    "message": "Os seguintes projetos não puderam ser eliminados:",
     "description": "Message to be displayed when there is an error during bulk project deletion."
   },
   "softDeleteSuccessToast": {
-    "message": "Secret sent to trash",
+    "message": "Segredo movido para o lixo",
     "description": "Notification to be displayed when a secret is successfully sent to the trash."
   },
   "hardDeleteSuccessToast": {
-    "message": "Secret permanently deleted"
+    "message": "Segredo eliminado permanentemente"
   },
   "accessTokens": {
-    "message": "Access tokens",
+    "message": "Tokens de acesso",
     "description": "Title for the section displaying access tokens."
   },
   "newAccessToken": {
@@ -6136,7 +6136,7 @@
     "description": "Button label for creating a new access token."
   },
   "expires": {
-    "message": "Expires",
+    "message": "Expira a",
     "description": "Label for the expiration date of an access token."
   },
   "canRead": {
@@ -6144,11 +6144,11 @@
     "description": "Label for the access level of an access token (Read only)."
   },
   "accessTokensNoItemsTitle": {
-    "message": "No access tokens to show",
+    "message": "Sem tokens de acesso para mostrar",
     "description": "Title to be displayed when there are no access tokens to display in the list."
   },
   "accessTokensNoItemsDesc": {
-    "message": "To get started, create an access token",
+    "message": "Para começar, crie um token de acesso",
     "description": "Message to be displayed when there are no access tokens to display in the list."
   },
   "downloadAccessToken": {
@@ -6156,7 +6156,7 @@
     "description": "Message to be displayed before closing an access token, reminding the user to download or copy it."
   },
   "expiresOnAccessToken": {
-    "message": "Expires on:",
+    "message": "Expira a:",
     "description": "Label for the expiration date of an access token."
   },
   "accessTokenCallOutTitle": {
@@ -6164,15 +6164,15 @@
     "description": "Notification to inform the user that access tokens are only displayed once and cannot be retrieved again."
   },
   "copyToken": {
-    "message": "Copy token",
+    "message": "Copiar token",
     "description": "Copies the generated access token to the user's clipboard."
   },
   "accessToken": {
-    "message": "Access token",
+    "message": "Token de acesso",
     "description": "A unique string that gives a client application (eg. CLI) access to a secret or set of secrets."
   },
   "accessTokenExpirationRequired": {
-    "message": "Expiration date required",
+    "message": "Data de validade necessária",
     "description": "Error message indicating that an expiration date for the access token must be set."
   },
   "accessTokenCreatedAndCopied": {
@@ -6226,7 +6226,7 @@
     }
   },
   "groupInfo": {
-    "message": "Group info"
+    "message": "Informações do grupo"
   },
   "editGroupMembersDesc": {
     "message": "Grant members access to the group's assigned collections."
@@ -6241,22 +6241,22 @@
     "message": "If checked, this will replace all other collection permissions."
   },
   "selectMembers": {
-    "message": "Select members"
+    "message": "Selecionar membros"
   },
   "selectCollections": {
-    "message": "Select collections"
+    "message": "Selecionar coleções"
   },
   "role": {
     "message": "Função"
   },
   "removeMember": {
-    "message": "Remove member"
+    "message": "Remover membro"
   },
   "collection": {
-    "message": "Collection"
+    "message": "Coleção"
   },
   "noCollection": {
-    "message": "No collection"
+    "message": "Sem coleções"
   },
   "canView": {
     "message": "Pode ver"
@@ -6271,7 +6271,7 @@
     "message": "Pode editar, excepto palavras-passe"
   },
   "noCollectionsAdded": {
-    "message": "No collections added"
+    "message": "Sem coleções adicionadas"
   },
   "noMembersAdded": {
     "message": "No members added"
@@ -6364,28 +6364,28 @@
     }
   },
   "domainStatusVerified": {
-    "message": "Verified"
+    "message": "Verificado"
   },
   "domainStatusUnverified": {
-    "message": "Unverified"
+    "message": "Não verificado"
   },
   "domainNameTh": {
-    "message": "Name"
+    "message": "Nome"
   },
   "domainStatusTh": {
-    "message": "Status"
+    "message": "Estado"
   },
   "lastChecked": {
     "message": "Last checked"
   },
   "editDomain": {
-    "message": "Edit domain"
+    "message": "Editar domínio"
   },
   "domainFormInvalid": {
     "message": "There are form errors that need your attention"
   },
   "addedDomain": {
-    "message": "Added domain $DOMAIN$",
+    "message": "Domínio $DOMAIN$ adicionado",
     "placeholders": {
       "DOMAIN": {
         "content": "$1",
@@ -6421,16 +6421,16 @@
     }
   },
   "membersColumnHeader": {
-    "message": "Member/Group"
+    "message": "Membro/Grupo"
   },
   "groupAndMemberColumnHeader": {
-    "message": "Member"
+    "message": "Membro"
   },
   "selectGroupsAndMembers": {
-    "message": "Select groups and members"
+    "message": "Selecionar grupos e membros"
   },
   "selectGroups": {
-    "message": "Select groups"
+    "message": "Selecionar grupos"
   },
   "userPermissionOverrideHelper": {
     "message": "Permissions set for a member will replace permissions set by that member's group"
@@ -6439,13 +6439,13 @@
     "message": "No members or groups added"
   },
   "deleted": {
-    "message": "Deleted"
+    "message": "Eliminado"
   },
   "memberStatusFilter": {
     "message": "Member status filter"
   },
   "inviteMember": {
-    "message": "Invite member"
+    "message": "Convidar membro"
   },
   "needsConfirmation": {
     "message": "Needs confirmation"
@@ -6496,10 +6496,10 @@
     }
   },
   "server": {
-    "message": "Server"
+    "message": "Servidor"
   },
   "exportData": {
-    "message": "Export data"
+    "message": "Exportar dados"
   },
   "exportingOrganizationSecretDataTitle": {
     "message": "Exporting Organization Secret Data"
@@ -6619,13 +6619,13 @@
     "message": "This user can access the Secrets Manager Beta"
   },
   "important": {
-    "message": "Important:"
+    "message": "Importante:"
   },
   "viewAll": {
-    "message": "View all"
+    "message": "Ver tudo"
   },
   "showingPortionOfTotal": {
-    "message": "Showing $PORTION$ of $TOTAL$",
+    "message": "A mostrar $PORTION$ de $TOTAL$",
     "placeholders": {
       "portion": {
         "content": "$1",
@@ -6638,16 +6638,16 @@
     }
   },
   "resolveTheErrorsBelowAndTryAgain": {
-    "message": "Resolve the errors below and try again."
+    "message": "Resolva os erros abaixo e tente novamente."
   },
   "description": {
-    "message": "Description"
+    "message": "Descrição"
   },
   "errorReadingImportFile": {
-    "message": "An error occurred when trying to read the import file"
+    "message": "Ocorreu um erro ao tentar ler o ficheiro de importação"
   },
   "accessedSecret": {
-    "message": "Accessed secret $SECRET_ID$.",
+    "message": "Segredo $SECRET_ID$ acedido.",
     "placeholders": {
       "secret_id": {
         "content": "$1",
@@ -6660,29 +6660,29 @@
     "description": "Software Development Kit"
   },
   "createSecret": {
-    "message": "Create a secret"
+    "message": "Criar um segredo"
   },
   "createProject": {
-    "message": "Create a project"
+    "message": "Criar um projeto"
   },
   "createServiceAccount": {
-    "message": "Create a service account"
+    "message": "Criar uma conta de serviço"
   },
   "downloadThe": {
-    "message": "Download the",
+    "message": "Descarregar o",
     "description": "Link to a downloadable resource. This will be used as part of a larger phrase. Example: Download the Secrets Manager CLI"
   },
   "smCLI": {
-    "message": "Secrets Manager CLI"
+    "message": "gestor de segredos CLI"
   },
   "importSecrets": {
-    "message": "Import secrets"
+    "message": "Importar segredos"
   },
   "getStarted": {
-    "message": "Get started"
+    "message": "Começar"
   },
   "complete": {
-    "message": "$COMPLETED$/$TOTAL$ Complete",
+    "message": "$COMPLETED$/$TOTAL$ concluídos",
     "placeholders": {
       "COMPLETED": {
         "content": "$1",
@@ -6695,25 +6695,25 @@
     }
   },
   "restoreSecret": {
-    "message": "Restore secret"
+    "message": "Restaurar segredo"
   },
   "restoreSecrets": {
-    "message": "Restore secrets"
+    "message": "Restaurar segredos"
   },
   "restoreSecretPrompt": {
-    "message": "Are you sure you want to restore this secret?"
+    "message": "Tem a certeza de que quer recuperar este segredo?"
   },
   "restoreSecretsPrompt": {
-    "message": "Are you sure you want to restore these secrets?"
+    "message": "Tem a certeza de que quer recuperar estes segredos?"
   },
   "secretRestoredSuccessToast": {
-    "message": "Secret restored"
+    "message": "Segredo restaurado"
   },
   "secretsRestoredSuccessToast": {
-    "message": "Secrets restored"
+    "message": "Segredos restaurados"
   },
   "selectionIsRequired": {
-    "message": "Selection is required."
+    "message": "É necessária uma seleção."
   },
   "secretsManagerSubscriptionDesc": {
     "message": "Turn on organization access to the Secrets Manager at no charge during the Beta program. Users can be granted access to the Beta in Members."
@@ -6740,25 +6740,25 @@
     "message": "This action will remove your access to the service account."
   },
   "removeAccess": {
-    "message": "Remove access"
+    "message": "Remover acesso"
   },
   "checkForBreaches": {
-    "message": "Check known data breaches for this password"
+    "message": "Verificar violações de dados conhecidas para esta palavra-passe"
   },
   "exposedMasterPassword": {
-    "message": "Exposed Master Password"
+    "message": "Palavra-passe mestra exposta"
   },
   "exposedMasterPasswordDesc": {
-    "message": "Password found in a data breach. Use a unique password to protect your account. Are you sure you want to use an exposed password?"
+    "message": "Palavra-passe encontrada numa violação de dados. Utilize uma palavra-passe única para proteger a sua conta. Tem a certeza de que pretende utilizar uma palavra-passe exposta?"
   },
   "weakAndExposedMasterPassword": {
-    "message": "Weak and Exposed Master Password"
+    "message": "Palavra-passe mestra fraca e exposta"
   },
   "weakAndBreachedMasterPasswordDesc": {
-    "message": "Weak password identified and found in a data breach. Use a strong and unique password to protect your account. Are you sure you want to use this password?"
+    "message": "Palavra-passe fraca identificada e encontrada numa violação de dados. Utilize uma palavra-passe forte e única para proteger a sua conta. Tem a certeza de que pretende utilizar esta palavra-passe?"
   },
   "characterMinimum": {
-    "message": "$LENGTH$ character minimum",
+    "message": "$LENGTH$ caracteres no mínimo",
     "placeholders": {
       "length": {
         "content": "$1",
@@ -6783,14 +6783,14 @@
     "message": "Dispensar"
   },
   "notAvailableForFreeOrganization": {
-    "message": "This feature is not available for free organizations. Contact your organization owner to upgrade."
+    "message": "Esta funcionalidade não está disponível para organizações gratuitas. Contacte o proprietário da organização para atualizar."
   },
   "smProjectSecretsNoItemsNoAccess": {
-    "message": "Contact your organization's admin to manage secrets for this project.",
+    "message": "Contacte o administrador da sua organização para gerir os segredos deste projeto.",
     "description": "The message shown to the user under a project's secrets tab when the user only has read access to the project."
   },
   "enforceOnLoginDesc": {
-    "message": "Require existing members to change their passwords"
+    "message": "Exigir que os membros existentes alterem as suas palavras-passe"
   },
   "region": {
     "message": "Região"
@@ -6804,18 +6804,18 @@
     "description": "United States"
   },
   "smProjectDeleteAccessRestricted": {
-    "message": "You don't have permissions to delete this project",
+    "message": "Não tem permissões para eliminar este projeto",
     "description": "The individual description shown to the user when the user doesn't have access to delete a project."
   },
   "smProjectsDeleteBulkConfirmation": {
-    "message": "The following projects can not be deleted. Would you like to continue?",
+    "message": "Os seguintes projetos não podem ser eliminados. Gostaria de continuar?",
     "description": "The message shown to the user when bulk deleting projects and the user doesn't have access to some projects."
   },
   "updateKdfSettings": {
-    "message": "Update KDF settings"
+    "message": "Atualizar definições KDF"
   },
   "trustedDeviceEncryption": {
-    "message": "Trusted device encryption"
+    "message": "Encriptação de dispositivo de confiança"
   },
   "memberDecryptionTdeDescriptionStart": {
     "message": "Uma vez autenticados, os membros desencriptam os dados do cofre utilizando uma chave armazenada no seu dispositivo. A",

libs/angular/src/auth/components/environment-selector.component.ts

@@ -88,11 +88,10 @@ export class EnvironmentSelectorComponent implements OnInit, OnDestroy {
   }
 
   async updateEnvironmentInfo() {
+    this.selectedEnvironment = this.environmentService.selectedRegion;
     this.euServerFlagEnabled = await this.configService.getFeatureFlagBool(
       FeatureFlag.DisplayEuEnvironmentFlag
     );
-
-    this.selectedEnvironment = this.environmentService.selectedRegion;
   }
 
   close() {

libs/common/src/auth/services/auth.service.ts

@@ -304,10 +304,13 @@ export class AuthService implements AuthServiceAbstraction {
       throw new Error("Master key not found");
     }
     const encryptedKey = await this.cryptoService.rsaEncrypt(masterKey.encKey, pubKey.buffer);
-    const encryptedMasterPasswordHash = await this.cryptoService.rsaEncrypt(
+    let encryptedMasterPasswordHash = null;
+    if ((await this.stateService.getKeyHash()) != null) {
+      encryptedMasterPasswordHash = await this.cryptoService.rsaEncrypt(
         Utils.fromUtf8ToArray(await this.stateService.getKeyHash()),
         pubKey.buffer
       );
+    }
     const request = new PasswordlessAuthRequest(
       encryptedKey.encryptedString,
       encryptedMasterPasswordHash.encryptedString,

libs/common/src/platform/abstractions/environment.service.ts

@@ -28,6 +28,7 @@ export abstract class EnvironmentService {
   usUrls: Urls;
   euUrls: Urls;
   selectedRegion?: Region;
+  initialized = true;
 
   hasBaseUrl: () => boolean;
   getNotificationsUrl: () => string;

libs/common/src/platform/services/environment.service.ts

@@ -12,6 +12,7 @@ export class EnvironmentService implements EnvironmentServiceAbstraction {
   private readonly urlsSubject = new Subject<void>();
   urls: Observable<void> = this.urlsSubject.asObservable();
   selectedRegion?: Region;
+  initialized = true;
 
   protected baseUrl: string;
   protected webVaultUrl: string;
@@ -49,6 +50,9 @@ export class EnvironmentService implements EnvironmentServiceAbstraction {
     this.stateService.activeAccount$
       .pipe(
         concatMap(async () => {
+          if (!this.initialized) {
+            return;
+          }
           await this.setUrlsFromStorage();
         })
       )
@@ -157,22 +161,23 @@ export class EnvironmentService implements EnvironmentServiceAbstraction {
 
     // fix environment urls for old users
     if (savedUrls.base === "https://vault.bitwarden.com") {
-      this.setRegion(Region.US);
+      await this.setRegion(Region.US);
       return;
     }
     if (savedUrls.base === "https://vault.bitwarden.eu") {
-      this.setRegion(Region.EU);
+      await this.setRegion(Region.EU);
       return;
     }
 
     switch (region) {
       case Region.EU:
-        this.setRegion(Region.EU);
+        await this.setRegion(Region.EU);
         return;
       case Region.US:
-        this.setRegion(Region.US);
+        await this.setRegion(Region.US);
         return;
       case Region.SelfHosted:
+      case null:
       default:
         this.baseUrl = envUrls.base = savedUrls.base;
         this.webVaultUrl = savedUrls.webVault;
@@ -182,9 +187,9 @@ export class EnvironmentService implements EnvironmentServiceAbstraction {
         this.notificationsUrl = savedUrls.notifications;
         this.eventsUrl = envUrls.events = savedUrls.events;
         this.keyConnectorUrl = savedUrls.keyConnector;
+        await this.setRegion(Region.SelfHosted);
         // scimUrl is not saved to storage
         this.urlsSubject.next();
-        this.setRegion(Region.SelfHosted);
         break;
     }
   }
@@ -270,7 +275,7 @@ export class EnvironmentService implements EnvironmentServiceAbstraction {
       case Region.SelfHosted:
         // if user saves with empty fields, default to US
         if (this.isEmpty()) {
-          this.setRegion(Region.US);
+          await this.setRegion(Region.US);
         }
         break;
     }

package-lock.json

@@ -189,7 +189,7 @@
     },
     "apps/browser": {
       "name": "@bitwarden/browser",
-      "version": "2023.5.0"
+      "version": "2023.5.1"
     },
     "apps/cli": {
       "name": "@bitwarden/cli",
@@ -243,7 +243,7 @@
     },
     "apps/web": {
       "name": "@bitwarden/web-vault",
-      "version": "2023.5.0"
+      "version": "2023.5.1"
     },
     "libs/angular": {
       "name": "@bitwarden/angular",