mirror of
https://github.com/bitwarden/browser.git
synced 2024-12-21 16:18:28 +01:00
[PM-1222] Store passkeys in Bitwarden vault (#4715)
* [EC-598] feat: scaffold content scripting * [EC-598] feat: load page script from content script * [EC-598] feat: succesfully intercept methods * [EC-598] feat: add better support for messaging * [EC-598] feat: implement calls to new service * [EC-598] feat: add ability to return responses * [EC-598] feat: half-implemented params mapping * [EC-598] feat: add b64 conversion * [EC-598] feat: half-implemented user interfacing * [EC-598] feat: initial working user verification * [EC-598] feat: center popup * [EC-598] feat: add basic cancel button * [EC-598] feat: confirm new credentials * [EC-598] feat: add cbor-redux npm package * [EC-598] feat: initial version of credential creation * [EC-598] feat: fully working credential creation * [EC-598] feat: fully working register and assert flow * [EC-598] feat: properly check for presence * [EC-598] feat: rudimentar error handling * [EC-598] feat: transparent passthrough of platform authenticators * [EC-598] feat: improve error handling * [EC-598] feat: use browser as fallback when vault does not contain requested credential * [EC-598] feat: add fido2Key to cipher * [EC-598] feat: successfully store passkeys in vault * [EC-598] feat: implement passwordless vault auth * [EC-598] feat: add basic support for managing passkeys * [EC-598] feat: show new cipher being added * [EC-598] feat: allow user to pick which credential to use * [EC-598] feat: differntiate between resident auth and 2fa * [EC-598] feat: add some padding to popout * [EC-598] feat: allow storage of more information * [EC-598] feat: show user name as sub title * [EC-598] feat: show all available data * [EC-598] chore: clean up console logs * [EC-598] feat: fix google issues Google does not like self-signed packed format. I've removed the attestation statement all-together untill further notice. We're don't really have any statements so * [EC-598] fix: temporarily remove origin check * [EC-598] fix: user interaction not being awaited sometimes Only one handler can return a response. That handler needs to return true to indicated it's intention to eventually do so. Our issue was that multiple handlers were returning truthy values, causing a race condition. * [EC-598] fix: messenger crashing The messenger is listening to all DOM communcation, most of which is formatted differently. We were not handling these cases properly which resulted in attempts to access undefined fields. * [EC-598] feat: add basic test-case for messenger * [EC-598] feat: add test for request/response * [EC-598] feat: add initial one-way support for aborting * [EC-598] feat: add ability to throw errors across messenger * [EC-598] feat: transition to using exceptions * [EC-598] feat: add abort controller all the way to service * [EC-598] feat: ability to abort from page script * [EC-598] feat: add automatic default timeouts * [EC-598] chore: move component from generic popup fodler * [EC-598] chore: collect all passkeys stuff under common folder * [EC-598] fix: filter messages from other sources * [EC-598] chore: add small todo comment * [EC-598] feat: add timeout and UV to params * [EC-598] feat: implement full support for timeouts * [EC-598] feat: start creating separate authenticator service * [EC-598] feat: first tested rule in new authentitcator * [EC-598] feat: allow user to confirm duplication * [EC-598] feat: add check for unsupported algorithms * [EC-598] feat: add check for invalid option values * [EC-598] feat: handle unsupported pinAuth * [EC-598] feat: confirm new credentials * [EC-598] feat: rearrange order of execution * [EC-598] chore: rearrange tests * [EC-598] feat: add support for saving discoverable credential * [EC-598] feat: remove ability to duplicate excluded credentials * [EC-598] chore: rearrange tests * [EC-598] feat: add support for non-discoverable credentials * [EC-598] chore: use webauthn authenticator model as base instead of CTAP * [EC-598] feat: don't leak internal errors during creation * [EC-598] feat: tweak key data to contain separate type and algorithm * [EC-598] feat: add counter to fido2key * [EC-598] feat: complete implementation of `makeCredential` * [EC-598] feat: add ignored enterpriseAttestation param * [EC-598] feat: start implementing `getAssertion` * [EC-598] feat: add separate `nonDiscoverableId` to keys * [EC-598] fix: properly convert credentials to guid raw format * [EC-598] chore: add todo tests about deleted items * [EC-598] feat: implement missing credential checks * [EC-598] feat: add user confirmation test to assertion also rewrite to use cipher views in tests * [EC-598] feat: increment counter during assertion * [EC-598] feat: implement assertion * [EC-598] feat: add signatures to attestation * [EC-598] feat: add general error handling for attestation * [EC-598] feat: start working on new `Fido2ClientService` * [EC-598] feat: check user id length * [EC-598] feat: check origin and rp.id effective domains * [EC-598] feat: check for supported key algorithms * [EC-598] feat: hash client data and throw if aborted * [EC-598] feat: extend return from authenticator * [EC-598] feat: fully implement createCredential * [EC-598] feat: implement assertCredential * [EC-598] feat: make everything compile again * [EC-598] feat: remove orgigin * [EC-598] fix: rpId validation logic * [EC-598] fix: some smaller bugs * [EC-598] fix: flag saying authData doesnt contain attestation * [EC-598] fix: wrong flags in tests * [EC-598] fix: data not getting saved properly * [EC-598] fix: invalid signature due to double hashing * [EC-598] chore: clean up unusued function * [EC-598] feat: fully wokring non-discoverable implementation * [EC-598] feat: add initial implementation of UI sessions * [EC-598] feat: fully refactored user interface Now uses sessions instead of single request-response style communcation * [EC-598] feat: make fallback working again * [EC-598] feat: add rudimentary support for excluded credentials * [EC-598] fix: send correct excluded cipher ids * [EC-598] feat: wait for session close before closing window * [EC-598] feat: test unique signatures * [EC-598] chore: clean up old commented code * [EC-598] feat: do not exclude organization credentials * [EC-598] chore: remove unused clas * [EC-598] fix: remove platform attachment check * [EC-598] chore: rename webauthn folder to fido2 * [EC-598] chore: continue rename webauthn to fido2 * [EC-598] feat: interpret rk preferred as required Fixes GoDaddy issues * [EC-598] fix: bug preventing fallback on assertion * [EC-598] feat: inform user when no credentials are found * [EC-598] chore: add some more console logs for debugging * [EC-598] feat: very basic scroll when picking credentials * [EC-598] chore: tweak unique signature test * [EC-598] chore: tweak how unassigned rpId gets calcuated * [EC-598] fix: response prototype chains * [EC-598] feat: allow discoverable credentials to be used for non-discoverable assertions * [EC-598] fix: counter not being saved correctly * [EC-598] fix: bug in result mapping * [EC-598] feat: add support for user verifiction using MP during attestation * [EC-598] feat: add support for user verifiction using MP during assertion * [EC-598] feat: quick fix noop service * [EC-598] chore: refactor observables a little bit * [EC-598] feat: show unsupported user verification error * [EC-598] feat: add logging to fido2 authenticator * [EC-598] feat: add logging to fido2 client * [EC-598] feat: close popout directly from bg script * [EC-598] chore: clean up page-script * [EC-598] feat: add webauthn polyfill * [EC-598] feat: polyfill platform authenticator support * [EC-598] feat: only show fallback options if supported * [EC-598] fix: reponse not correctly polyfilled * [EC-598] chore: add name to polyfill classes * [EC-598] chore: update unsupported UV copy * [EC-598] fix: race condition when opening new popout * Fixed lint issues * [PM-1500] Add feature flag to enable passkeys (#5406) * Added launch darkly feature flag to passkeys implementation * fixed linter * Updated fido2 client service test to accomodate feature flag * Updated fido2client service to include unit test for feature flag * Renamed enable pass keys to fido2 vault credentials, added unit test when feature flag is not enabled * fixed failing Login domain test case * [EC-598] chore: remove unecessary return statement * [EC-598] chore: remove unnecessary eslint disable * [PM-1975] Move FIDO2 files into vault folder (#5496) * Moved fido2 models to vault in libs * Moved fido2 models to vault in libs * Moved fido2 services and abstractions to vault folder in libs * Moved fido2 popup to vault folder on the browser * Updated import path after moving files to the vault folder * Moved authenticator abstraction and service to the vault folder * Updated content and page script path * Added content script, page script and background messaging to vault * fixed lint issue * Updated reference paths * Added missing fallbacksupported property in test files * Added missing fallbacksupported to the newSession method * [PM-2560] Fix Firefox default passkeys handling (#5690) * Return callback response in addListener * Add clarifying comment * Isolate returning the callback to fido2 commands * Update apps/browser/src/platform/browser/browser-api.ts Co-authored-by: Cesar Gonzalez <cesar.a.gonzalezcs@gmail.com> * Fix formatting --------- Co-authored-by: Cesar Gonzalez <cesar.a.gonzalezcs@gmail.com> * [PM-1976] Display passkeys properly on the browser (#5616) * Removed passkeys from the vault types filter and added fucntion to get the count of Fido2keys and Login types * Updated build filter to take Fido2key type as a Login type * Updated icon font files * Updated vault items and view to handle changes with fido2keys * Updated add edit view for fido2keys * Prevent moving passkeys to an organization where it exists * Prevent moving passkeys to an organization where it exists * Added view for non-discoverable passkeys * Added diaglog to inform user that passkey won't be copied when cloning a non discoverable key * Muted text that shows cipher item is available for 2fa * Changed conditional to check if an organization already has the same passkey item * Muted text to align with figma designs and used rpId for the application input value * Modified checkFido2KeyExistsInOrg function to workk with discoverable and non discoverable keys * Differentiate between non-discoverable and discoverable keys when moving to an organization * Added suggested changes from PR review * Updated font files css changes * Fixed bug preventing launch bitton from working for Login types (#5639) * [PM-1574] Display passkeys on web (#5651) * Allowed discoverable Fido2key type to be displayed alongside Login type * Added view during edit for discoverable and non-discoverable passkeys * Fixed PR comments, added relvant tests to domain changes * Fixed imports and updated the launch function to use the Launchable interface * Added launch on vault filter for fido2key types * Added missing passkey text field in edit view (#5800) * [PM-1977] Display passkeys properly on the desktop (#5763) * Allowed discoverable Fido2key type to be displayed alongside Login type * Added view during edit for discoverable and non-discoverable passkeys * Fixed PR comments, added relvant tests to domain changes * Fixed imports and updated the launch function to use the Launchable interface * Added fido2key to login filter and added view display for fido2key * Added passkeys view for non discoverable passkeys and edit view for passkeys * Fixed PR comments * switched date format to short * [PM-3046] [PM-3047] Defects for discoverable and non-discoverable passkeys on desktop and web (#5847) * Added missing passkey text field in edit view (#5800) * Added dialog to clone no discoverable passkeys on web and desktop.Also, removed clone on the desktop for discoverable passkeys and added passkey view to non- discoverable passkeys on desktop during edit * Prevent cloning dialog on non fido2key ciphers * Made fido2key use website favicon if avaialble instead of the passkey icon * Do not display passkey view on clone edit for dekstop * Do not display passkey view on clone edit for browser * Prevented movement of passkeys ND or D to an organization once one exists and also made it possible for org memebers with user roles to move passkeys to an organization. (#5868) * two step passkey view was outside the conditional (#5872) * fixed merge conflict * [PM-2907] Shopify Passkey Broken on Firefox When Extension is Installed (#6003) * [PM-2907] Shopify Passkey Broken on Firefox When Extension is Installed * [PM-2907] Shopify Passkey Broken on Firefox When Extension is Installed * [PM-2907] Shopify Passkey Broken on Firefox When Extension is Installed * Added passkey fallback imaged and added extension to image name on the icons component * [PM-3155] CLI: Editing a cipher with a non-discoverable passkey causes the passkey to be removed (#6055) * Added fido2keyexport for the CLI and added the fido2key field to the login response for the CLI * Added fido2keyexport for the CLI and added the fido2key field to the login response for the CLI * Removed unneccesary code * Added non discoverable passkey to template * [PM-2270] Renamed Fido2Key.userName to Fido2Key.userDisplayName (#6005) * Renamed fido2key property username to userDisplayName * Renamed username property on fido2key object to userdisplayname * updated username to userDisplayName in fido2 export * Update libs/angular/src/vault/vault-filter/models/vault-filter.model.ts Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com> * [PM-3775] feat: import v0.4.0 (#6183) * [PM-3660] Address PR feedback (#6157) * [PM-3660] chore: simplify object assignment * [PM-3660] fix: remove unused origin field * [PM-3660] feat: add Fido2Key tests * [PM-3660] chore: convert popOut to async func * [PM-3660] chore: refactor if-statements * [PM-3660] chore: simplify closePopOut * [PM-3660] fix: remove confusing comment * [PM-3660] chore: move guid utils away from platform utils * [PM-3660] chore: use null instead of undefined * [PM-3660] chore: use `switch` instead of `if` * [EC-598] fix: popup not closing bug * [PM-1859] Refactor to credentialId (#6034) * PM-1859 Refactor to credentialId * PM-1859 Minor changes * PM-1859 Fix credentialId initialization logic * PM-1859 Added missing logic * PM-1859 Fixed logic to use credentialID instead of cipher.id * [PM-1859] fix: missing renames --------- Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com> * [PM-1722] gracefully fail if site prompts user for passkey on load (#6089) * added error logic to look for options.mediation in page-script * moved the options mediation logic into the try catch. changed error to FallbackRequestedError * [PM-1224] Ensure Passkeys Not Requested From Iframes (#6057) * added isNotIFrame method to page-script * added NotAllowedError to assertCredential in fido2 * remove excess comments * refactor fido2-client.service. created new errorhandling method for similar code between create and assert * update types and naming convention for new method in fido2-client.service * Did a reset to previous commit withiout the refactoring to reduce code duplication, Renamed isNotIframeCheck function and fixed other commits * Revert "update types and naming convention for new method in fido2-client.service" This reverts commit1f5499b9bb
. * Revert "refactor fido2-client.service. created new errorhandling method for similar code between create and assert" This reverts commit3115c0d2a1
. * updated test cases * removed forward slashes --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com> * [EC-598] Window Messaging Fix; (#6223) Co-authored-by: Cesar Gonzalez <cgonzalez@bitwarden.com> Co-authored-by: SmithThe4th <gsmith@bitwarden.com> * updated test cases and services using the config service * [PM-3807] All passkeys as login ciphers - Minimal implementation to minimize blockers (#6233) * [PM-3807] feat: remove non-discoverable from fido2 user interface class * [PM-3807] feat: merge fido2 component ui * [PM-3807] feat: return `cipherId` from user interface * [PM-3807] feat: merge credential creation logic in authenticator * [PM-3807] feat: merge credential assertion logic in authenticator --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com> * [PM-3807] Store all passkeys as login cipher type (#6255) * [PM-3807] feat: add `discoverable` property to fido2keys * [PM-3807] feat: assign discoverable property during creation * [PM-3807] feat: save discoverable field to server * [PM-3807] feat: filter credentials by rpId AND discoverable * [PM-3807] chore: remove discoverable tests which are no longer needed * [PM-3807] chore: remove all logic for handling standalone Fido2Key View and components will be cleaned up as part of UI tickets * [PM-3807] fix: add missing discoverable property handling to tests * [PM-3862] chore: move browser fido2 user interface to vault folder (#6265) * [PM-2207], [PM-1245], [PM-3302] Make browser login, lock, and 2fa components handle configurable redirect routes (#5989) * Initial work * Added lock and login redirect and added functionality to abort when in login or locked state * uncommented cipher row * added query params to logi component * Proof of concept for change detection fix * Remove leftover comment * Refactored message listener observable to handle angular change detection * cleanup and removed unused references * Refactored the connect method be seperating to the pop out logic to a seperate method * Added comment to explain code change on the message listener * Removed unused types * Initial work * Added lock and login redirect and added functionality to abort when in login or locked state * uncommented cipher row * added query params to logi component * Proof of concept for change detection fix * Remove leftover comment * Refactored message listener observable to handle angular change detection * cleanup and removed unused references * Refactored the connect method be seperating to the pop out logic to a seperate method * Added comment to explain code change on the message listener * Removed unused types * Added full synce service to the fido2 authenticator to ensure the full sync is completed before getting all decrypted ciphers * Added full synce service to the fido2 authenticator to ensure the full sync is completed before getting all decrypted ciphers * Code cleanup to remove sessionId from login component * Refactored components to make the redirectUrl more generic, fixed code review comments * Commented out ensureUnlockedVault for this PR * Fixed destroy subject inheritance issue on the login componenet * Fixed lock component error * Added function to run inside angular zone * Merged branch with master and fixed conflicts * Changed redirect logic on login and 2fa to use callbacks * fixed pr comments * Updated the messageListener observable version to use same logic from the callback version and added comment on the callback version * Refactored fido2 popup to use auth guard when routing to component, added BrowserRouterService to track previous page and route using that * Updated components to use browserRouterService for routing to previous page * Removed auth status reference from browser-fido2-user-interface service * Removed activated route from lock component * Removed route in base class constructor * removed unused comments and method * refactored router service to not store on the disk * [PM-3783] feat: patch `chrome.runtime.onMessage` event listeners (cherry picked from commit2ca241a0d4
) * Fixed PR comments * Fixed PR comments * Revert "[PM-3783] feat: patch `chrome.runtime.onMessage` event listeners" This reverts commited6a713688
. --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com> * [PM-3807] Store passkeys as array (#6288) * [PM-3807] feat: store passkeys as array * [PM-3807] fix: issues in views * [PM-3807] fix: additional view bugs * [PM-3807] fix: check array length * [PM-3807] fix: I secretly like build errors * [PM-3970] Empty list of ciphers when logging in via fido 2 popout (#6321) * fix: sync not being properly called * fix: don't call sync everywhere * [PM-3905] Address PR feedback v2 (#6322) * [PM-3905] chore: move webauthn utils to vault * [PM-3905] chore: make static function private * [PM-3905] chore: add documentation to user interface classes * [PM-3905] chore: clean up unused abort controllers * [PM-3905] chore: add documentation to fido2 client and authenticatio * [PM-3905] chore: extract create credential params mapping to separate function * [PM-3905] chore: extract get assertion params mapping to separate function * [PM-3905] chore: assign requireResidentKey as separate variable * [PM-3905] feat: started rewrite of messenger Basic message sending implemented, now using message channels instead of rxjs * [PM-3905] feat: complete rewrite of messenger * [PM-3905] chore: clarify why we're assigning to window * [PM-3905] feat: clean up tests * [PM-3905] docs: document messenger class * [PM-3905] feat: remove `requestId` which is no longer needed * [PM-3905] feat: simplify message structure * [PM-3905] chore: typo * [PM-3905] chore: clean up old file * [PM-3905] chore: tweak doc comment * [PM-3905] feat: create separate class for managing aborts * [PM-3905] chore: move abort manager to vault * [PM-3980] Add a creationDate field to the Fido2Key object (#6334) * Added creationDate field to be used on the passkeys view instead of the cipher.creationDate * Fixed comments from PR * added to the constructor and sorted out other comments * Exported Fido2KeyExport through index.ts * Fixed iso string issue where the date wasn't converted back to Date (#6364) * [PM-4045] Get error returned when editing an item with a passkey in the CLI (#6379) * Creationdate doesn't get converted to a date * Creationdate doesn't get converted to a date * removed null assignment * [PM-3810] Unify Passkeys view (#6335) * Removed standalone fido2key view, update login view to show created date when a fido2key is present, reverted icon component to previous state without fido2key type, removed filters to handle standalone fido2key as login type * Allow duplication * Removed launchable behaviours from fido2 key view * Reworked desktop views from standalone fido2keys to unified fido2keys in the login * Reworked web views from standalone fido2keys to unified fido2keys in the login * Fixed test case to not create standalone fido2keys * Updated views to use fido2key creation date * removed unused locale * moved logic from template to class * Removed fido2key ciphertype * Removed fido2key ciphertype references * PM-2559 Messaging Rework for Passkey Bug (#6282) * [PM-2559] Messaging Rework - Update browser-api messageListener removing promises to fix Firefox bug Co-authored-by: Cesar Gonzalez <cgonzalez@bitwarden.com> * Resolved merge conflicts from vault item encryption. * moved passkeys ontop totp code to align with the add edit view (#6466) * Bug during reafactoring where the hostname is not used if the rpId is undefined (#6484) * [PM-4054] Rename Fido2Key to Fido2Credential (#6442) * Rename Fido2Key to Fido2Credential * Fix export * Remove unnecessary alis in export * Make test less wordly --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com> * [PM-3812][PM-3809] Unify Create and Login Passkeys UI (#6403) * PM-1235 Added component to display passkey on auth flow * PM-1235 Implement basic structure and behaviour of UI * PM-1235 Added localised strings * PM-1235 Improved button UI * Implemented view passkey button * Implemented multiple matching passkeys * Refactored fido2 popup to use browser popout windows service * [PM-3807] feat: remove non-discoverable from fido2 user interface class * [PM-3807] feat: merge fido2 component ui * [PM-3807] feat: return `cipherId` from user interface * [PM-3807] feat: merge credential creation logic in authenticator * [PM-3807] feat: merge credential assertion logic in authenticator * updated test cases and services using the config service * [PM-3807] feat: add `discoverable` property to fido2keys * [PM-3807] feat: assign discoverable property during creation * [PM-3807] feat: save discoverable field to server * [PM-3807] feat: filter credentials by rpId AND discoverable * [PM-3807] chore: remove discoverable tests which are no longer needed * [PM-3807] chore: remove all logic for handling standalone Fido2Key View and components will be cleaned up as part of UI tickets * [PM-3807] fix: add missing discoverable property handling to tests * updated locales with new text * Updated popout windows service to use defined type for custom width and height * Update on unifying auth flow ui to align with architecture changes * Moved click event * Throw dom exception error if tab is null * updated fido2key object to array * removed discoverable key in client inerface service for now * Get senderTabId from the query params and send to the view cipher component to allow the pop out close when the close button is clicked on the view cipher component * Refactored view item if passkeys exists and the cipher row views by having an extra ng-conatiner for each case * Allow fido2 pop out close wehn cancle is clicked on add edit component * Removed makshift run in angular zone * created focus directive to target first element in ngFor for displayed ciphers in fido2 * Refactored to use switch statement and added condtional on search and add div * Adjusted footer link and added more features to the login flow * Added host listener to abort when window is closed * remove custom focus directive. instead stuck focus logic into fido2-cipher-row component * Fixed bug where close and cancel on view and add component does not abort the fido2 request * show info dialog when user account does not have master password * Removed PopupUtilsService * show info dialog when user account does not have master password * Added comments * Added comments * made row height consistent * update logo to be dynamic with theme selection * added new translation key * Dis some styling to align cipher items * Changed passkey icon fill color * updated flow of focus and selected items in the passkey popup * Fixed bug when picking a credential * Added text to lock popout screen * Added passkeys test to home view * changed class name * Added uilocation as a query paramter to know if the user is in the popout window * update fido2 component for dynamic subtitleText as well as additional appA11yTitle attrs * moved another method out of html * Added window id return to single action popout and used the window id to close and abort the popout * removed duplicate activatedroute * added a doNotSaveUrl true to 2fa options, so the previousUrl can remain as the fido2 url * Added a div to restrict the use browser link ot the buttom left * reverted view change which is handled by the view pr * Updated locales text and removed unused variable * Fixed issue where new cipher is not created for non discoverable keys * switched from using svg for the logo to CL * removed svg files * default to browser implmentation if user is logged out of the browser exetension * removed passkeys knowledge from login, 2fa * Added fido2 use browser link component and a state service to reduce passkeys knowledge on the lock component * removed function and removed unnecessary comment * reverted to former * [PM-4148] Added descriptive error messages (#6475) * Added descriptive error messages * Added descriptive error messages * replaced fido2 state service with higher order inject functions * removed null check for tab * refactor fido2 cipher row component * added a static abort function to the browser interface service * removed width from content * uncommented code * removed sessionId from query params and redudant styles * Put back removed sessionId * Added fallbackRequested parameter to abortPopout and added comments to the standalone function * minor styling update to fix padding and color on selected ciphers * update padding again to address vertical pushdown of cipher selection --------- Co-authored-by: Carlos Gonçalves <cgoncalves@bitwarden.com> Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com> Co-authored-by: jng <jng@bitwarden.com> * padding update for focused cipher row in popup * Updated fido2Credentials to initialize as null instead of empty array (#6548) * Updated fido2Credentials to be null instead of empty string * Updated cipher tests. * Fixed tests. * Updated view and clone logic. * Updated templates to handle null value. * Further null checks. * [PM-4226] Create login item on the fly and add passkey item to it (#6552) * Use the + button to ad an item and then save a passkey on the added item * switch if to tenary * [PM-4284] Passkey popout is not pulling correct URI for website opened (#6549) * Used url from sender window in getting matching logins * Rough draft to combine user verification required and master password required prompts * Revert "Rough draft to combine user verification required and master password required prompts" This reverts commitf72d6f877f
. * Remove array initialization that is not necessary. (#6563) * removed unused code from login, 2fa components (#6565) * Moved clearing of passkey from submit to load when cloning. (#6567) * [PM-4280] MP reprompt not respected on passkey creation and retrieval (#6550) * Rough draft to combine user verification required and master password required prompts * Updated the handle user verification logic * allow same behaviour for master password reprompt and user verification * added test cases and merged conditions * [PM-4226] Add Cipher With Passkey Flow Change (#6569) * changed the add login item with passkey to require master password repompt first before creating the cipher item * removed userVerified variable * combined conditionals * added passkey not copied alert when cloning for organizations (#6579) * [PM-4296] Cannot login to Bitwarden with FIDO2 WebAuthn if extension is installed and logged in (#6576) * removed sameOriginWithAncestors check on fido2 assertions * removed sameOriginWithAncestors check on fido2 assertions * [PM-4333] fix: change transport to `internal` (#6594) * Address PR feedback (#6572) * remove listeners for safari * removed unused i18n tokens * changed link to button for accessibilty purposes * Fix potential reference error by restoring the typeof check for chrome * added fromNullable to reduces repetitive logic * Revert "added fromNullable to reduces repetitive logic" This reverts commitce5fc9c278
. * Added js docs to fido2credential export * refined jsdocs comments * added documentation to fido2 auth guard * Removed unused i18n tokens, uneccesary whitespaces and comments --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com> Co-authored-by: SmithThe4th <gsmith@bitwarden.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Cesar Gonzalez <cesar.a.gonzalezcs@gmail.com> Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com> Co-authored-by: Carlos Gonçalves <cgoncalves@bitwarden.com> Co-authored-by: Jason Ng <jng@bitwarden.com> Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com> Co-authored-by: Cesar Gonzalez <cgonzalez@bitwarden.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Todd Martin <tmartin@bitwarden.com>
This commit is contained in:
parent
ffb67be0a2
commit
ba7a211f0d
@ -1253,6 +1253,9 @@
|
||||
"typeIdentity": {
|
||||
"message": "Identity"
|
||||
},
|
||||
"typePasskey": {
|
||||
"message": "Passkey"
|
||||
},
|
||||
"passwordHistory": {
|
||||
"message": "Password history"
|
||||
},
|
||||
@ -2445,5 +2448,56 @@
|
||||
"turnOffMasterPasswordPromptToEditField": {
|
||||
"message": "Turn off master password re-prompt to edit this field",
|
||||
"description": "Message appearing below the autofill on load message when master password reprompt is set for a vault item."
|
||||
},
|
||||
"passkeyNotCopied": {
|
||||
"message": "Passkey will not be copied"
|
||||
},
|
||||
"passkeyNotCopiedAlert": {
|
||||
"message": "The passkey will not be copied to the cloned item. Do you want to continue cloning this item?"
|
||||
},
|
||||
"passkeyFeatureIsNotImplementedForAccountsWithoutMasterPassword": {
|
||||
"message": "Verification required by the initiating site. This feature is not yet implemented for accounts without master password."
|
||||
},
|
||||
"logInWithPasskey": {
|
||||
"message": "Log in with passkey?"
|
||||
},
|
||||
"passkeyAlreadyExists": {
|
||||
"message": "A passkey already exists for this application."
|
||||
},
|
||||
"noPasskeysFoundForThisApplication": {
|
||||
"message": "No passkeys found for this application."
|
||||
},
|
||||
"noMatchingPasskeyLogin": {
|
||||
"message": "You do not have a matching login for this site."
|
||||
},
|
||||
"confirm": {
|
||||
"message": "Confirm"
|
||||
},
|
||||
"savePasskey": {
|
||||
"message": "Save passkey"
|
||||
},
|
||||
"savePasskeyNewLogin": {
|
||||
"message": "Save passkey as new login"
|
||||
},
|
||||
"choosePasskey": {
|
||||
"message": "Choose a login to save this passkey to"
|
||||
},
|
||||
"passkeyItem": {
|
||||
"message": "Passkey Item"
|
||||
},
|
||||
"overwritePasskey": {
|
||||
"message": "Overwrite passkey?"
|
||||
},
|
||||
"overwritePasskeyAlert": {
|
||||
"message": "This item already contains a passkey. Are you sure you want to overwrite the current passkey?"
|
||||
},
|
||||
"featureNotSupported": {
|
||||
"message": "Feature not yet supported"
|
||||
},
|
||||
"yourPasskeyIsLocked": {
|
||||
"message": "Authentication required to use passkey. Verify your identity to continue."
|
||||
},
|
||||
"useBrowserName": {
|
||||
"message": "Use browser"
|
||||
}
|
||||
}
|
||||
|
34
apps/browser/src/auth/guards/fido2-auth.guard.ts
Normal file
34
apps/browser/src/auth/guards/fido2-auth.guard.ts
Normal file
@ -0,0 +1,34 @@
|
||||
import { inject } from "@angular/core";
|
||||
import {
|
||||
ActivatedRouteSnapshot,
|
||||
CanActivateFn,
|
||||
Router,
|
||||
RouterStateSnapshot,
|
||||
} from "@angular/router";
|
||||
|
||||
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
|
||||
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
|
||||
|
||||
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
|
||||
|
||||
/**
|
||||
* This guard verifies the user's authetication status.
|
||||
* If "Locked", it saves the intended route in memory and redirects to the lock screen. Otherwise, the intended route is allowed.
|
||||
*/
|
||||
export const fido2AuthGuard: CanActivateFn = async (
|
||||
route: ActivatedRouteSnapshot,
|
||||
state: RouterStateSnapshot
|
||||
) => {
|
||||
const routerService = inject(BrowserRouterService);
|
||||
const authService = inject(AuthService);
|
||||
const router = inject(Router);
|
||||
|
||||
const authStatus = await authService.getAuthStatus();
|
||||
|
||||
if (authStatus === AuthenticationStatus.Locked) {
|
||||
routerService.setPreviousUrl(state.url);
|
||||
return router.createUrlTree(["/lock"], { queryParams: route.queryParams });
|
||||
}
|
||||
|
||||
return true;
|
||||
};
|
@ -11,6 +11,7 @@
|
||||
</div>
|
||||
</header>
|
||||
<main tabindex="-1">
|
||||
<ng-container *ngIf="fido2PopoutSessionData$ | async as fido2Data">
|
||||
<div class="box">
|
||||
<div class="box-content">
|
||||
<div
|
||||
@ -62,7 +63,13 @@
|
||||
</div>
|
||||
</div>
|
||||
<div id="masterPasswordHelp" class="box-footer">
|
||||
<p>{{ "yourVaultIsLocked" | i18n }}</p>
|
||||
<p>
|
||||
{{
|
||||
fido2Data.isFido2Session
|
||||
? ("yourPasskeyIsLocked" | i18n)
|
||||
: ("yourVaultIsLocked" | i18n)
|
||||
}}
|
||||
</p>
|
||||
{{ "loggedInAsOn" | i18n : email : webVaultHostname }}
|
||||
</div>
|
||||
</div>
|
||||
@ -79,7 +86,7 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
<p class="text-center">
|
||||
<p class="text-center" *ngIf="!fido2Data.isFido2Session">
|
||||
<button type="button" appStopClick (click)="logOut()">{{ "logOut" | i18n }}</button>
|
||||
</p>
|
||||
<app-private-mode-warning></app-private-mode-warning>
|
||||
@ -87,5 +94,8 @@
|
||||
<p class="text-center text-muted" *ngIf="pendingBiometric">
|
||||
<i class="bwi bwi-spinner bwi-spin" aria-hidden="true"></i> {{ "awaitDesktop" | i18n }}
|
||||
</p>
|
||||
|
||||
<app-fido2-use-browser-link></app-fido2-use-browser-link>
|
||||
</ng-container>
|
||||
</main>
|
||||
</form>
|
||||
|
@ -22,6 +22,8 @@ import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/pass
|
||||
import { DialogService } from "@bitwarden/components";
|
||||
|
||||
import { BiometricErrors, BiometricErrorTypes } from "../../models/biometricErrors";
|
||||
import { BrowserRouterService } from "../../platform/popup/services/browser-router.service";
|
||||
import { fido2PopoutSessionData$ } from "../../vault/fido2/browser-fido2-user-interface.service";
|
||||
|
||||
@Component({
|
||||
selector: "app-lock",
|
||||
@ -32,6 +34,7 @@ export class LockComponent extends BaseLockComponent {
|
||||
|
||||
biometricError: string;
|
||||
pendingBiometric = false;
|
||||
fido2PopoutSessionData$ = fido2PopoutSessionData$();
|
||||
|
||||
constructor(
|
||||
router: Router,
|
||||
@ -52,7 +55,8 @@ export class LockComponent extends BaseLockComponent {
|
||||
private authService: AuthService,
|
||||
dialogService: DialogService,
|
||||
deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
|
||||
userVerificationService: UserVerificationService
|
||||
userVerificationService: UserVerificationService,
|
||||
private routerService: BrowserRouterService
|
||||
) {
|
||||
super(
|
||||
router,
|
||||
@ -76,6 +80,15 @@ export class LockComponent extends BaseLockComponent {
|
||||
);
|
||||
this.successRoute = "/tabs/current";
|
||||
this.isInitialLockScreen = (window as any).previousPopupUrl == null;
|
||||
|
||||
super.onSuccessfulSubmit = async () => {
|
||||
const previousUrl = this.routerService.getPreviousUrl();
|
||||
if (previousUrl) {
|
||||
this.router.navigateByUrl(previousUrl);
|
||||
} else {
|
||||
this.router.navigate([this.successRoute]);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
async ngOnInit() {
|
||||
|
@ -20,17 +20,16 @@ export default class ContextMenusBackground {
|
||||
|
||||
BrowserApi.messageListener(
|
||||
"contextmenus.background",
|
||||
async (
|
||||
(
|
||||
msg: { command: string; data: LockedVaultPendingNotificationsItem },
|
||||
sender: chrome.runtime.MessageSender,
|
||||
sendResponse: any
|
||||
sender: chrome.runtime.MessageSender
|
||||
) => {
|
||||
if (msg.command === "unlockCompleted" && msg.data.target === "contextmenus.background") {
|
||||
await this.contextMenuClickedHandler.cipherAction(
|
||||
msg.data.commandToRetry.msg.data,
|
||||
msg.data.commandToRetry.sender.tab
|
||||
);
|
||||
await BrowserApi.tabSendMessageData(sender.tab, "closeNotificationBar");
|
||||
this.contextMenuClickedHandler
|
||||
.cipherAction(msg.data.commandToRetry.msg.data, msg.data.commandToRetry.sender.tab)
|
||||
.then(() => {
|
||||
BrowserApi.tabSendMessageData(sender.tab, "closeNotificationBar");
|
||||
});
|
||||
}
|
||||
}
|
||||
);
|
||||
|
@ -47,8 +47,8 @@ export default class NotificationBackground {
|
||||
|
||||
BrowserApi.messageListener(
|
||||
"notification.background",
|
||||
async (msg: any, sender: chrome.runtime.MessageSender) => {
|
||||
await this.processMessage(msg, sender);
|
||||
(msg: any, sender: chrome.runtime.MessageSender) => {
|
||||
this.processMessage(msg, sender);
|
||||
}
|
||||
);
|
||||
|
||||
|
@ -25,17 +25,11 @@ export default class CommandsBackground {
|
||||
}
|
||||
|
||||
async init() {
|
||||
BrowserApi.messageListener(
|
||||
"commands.background",
|
||||
async (msg: any, sender: chrome.runtime.MessageSender, sendResponse: any) => {
|
||||
BrowserApi.messageListener("commands.background", (msg: any) => {
|
||||
if (msg.command === "unlockCompleted" && msg.data.target === "commands.background") {
|
||||
await this.processCommand(
|
||||
msg.data.commandToRetry.msg.command,
|
||||
msg.data.commandToRetry.sender
|
||||
);
|
||||
this.processCommand(msg.data.commandToRetry.msg.command, msg.data.commandToRetry.sender);
|
||||
}
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
if (chrome && chrome.commands) {
|
||||
chrome.commands.onCommand.addListener(async (command: string) => {
|
||||
|
@ -87,6 +87,9 @@ import { SendApiService as SendApiServiceAbstraction } from "@bitwarden/common/t
|
||||
import { InternalSendService as InternalSendServiceAbstraction } from "@bitwarden/common/tools/send/services/send.service.abstraction";
|
||||
import { CipherService as CipherServiceAbstraction } from "@bitwarden/common/vault/abstractions/cipher.service";
|
||||
import { CollectionService as CollectionServiceAbstraction } from "@bitwarden/common/vault/abstractions/collection.service";
|
||||
import { Fido2AuthenticatorService as Fido2AuthenticatorServiceAbstraction } from "@bitwarden/common/vault/abstractions/fido2/fido2-authenticator.service.abstraction";
|
||||
import { Fido2ClientService as Fido2ClientServiceAbstraction } from "@bitwarden/common/vault/abstractions/fido2/fido2-client.service.abstraction";
|
||||
import { Fido2UserInterfaceService as Fido2UserInterfaceServiceAbstraction } from "@bitwarden/common/vault/abstractions/fido2/fido2-user-interface.service.abstraction";
|
||||
import { CipherFileUploadService as CipherFileUploadServiceAbstraction } from "@bitwarden/common/vault/abstractions/file-upload/cipher-file-upload.service";
|
||||
import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
|
||||
import { InternalFolderService as InternalFolderServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
|
||||
@ -95,6 +98,8 @@ import { SyncService as SyncServiceAbstraction } from "@bitwarden/common/vault/a
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { CipherService } from "@bitwarden/common/vault/services/cipher.service";
|
||||
import { CollectionService } from "@bitwarden/common/vault/services/collection.service";
|
||||
import { Fido2AuthenticatorService } from "@bitwarden/common/vault/services/fido2/fido2-authenticator.service";
|
||||
import { Fido2ClientService } from "@bitwarden/common/vault/services/fido2/fido2-client.service";
|
||||
import { CipherFileUploadService } from "@bitwarden/common/vault/services/file-upload/cipher-file-upload.service";
|
||||
import { FolderApiService } from "@bitwarden/common/vault/services/folder/folder-api.service";
|
||||
import { SyncNotifierService } from "@bitwarden/common/vault/services/sync/sync-notifier.service";
|
||||
@ -138,9 +143,11 @@ import BrowserPlatformUtilsService from "../platform/services/browser-platform-u
|
||||
import { BrowserStateService } from "../platform/services/browser-state.service";
|
||||
import { KeyGenerationService } from "../platform/services/key-generation.service";
|
||||
import { LocalBackedSessionStorageService } from "../platform/services/local-backed-session-storage.service";
|
||||
import { PopupUtilsService } from "../popup/services/popup-utils.service";
|
||||
import { BrowserSendService } from "../services/browser-send.service";
|
||||
import { BrowserSettingsService } from "../services/browser-settings.service";
|
||||
import VaultTimeoutService from "../services/vault-timeout/vault-timeout.service";
|
||||
import { BrowserFido2UserInterfaceService } from "../vault/fido2/browser-fido2-user-interface.service";
|
||||
import { BrowserFolderService } from "../vault/services/browser-folder.service";
|
||||
import { VaultFilterService } from "../vault/services/vault-filter.service";
|
||||
|
||||
@ -204,6 +211,9 @@ export default class MainBackground {
|
||||
sendApiService: SendApiServiceAbstraction;
|
||||
userVerificationApiService: UserVerificationApiServiceAbstraction;
|
||||
syncNotifierService: SyncNotifierServiceAbstraction;
|
||||
fido2UserInterfaceService: Fido2UserInterfaceServiceAbstraction;
|
||||
fido2AuthenticatorService: Fido2AuthenticatorServiceAbstraction;
|
||||
fido2ClientService: Fido2ClientServiceAbstraction;
|
||||
avatarUpdateService: AvatarUpdateServiceAbstraction;
|
||||
mainContextMenuHandler: MainContextMenuHandler;
|
||||
cipherContextMenuHandler: CipherContextMenuHandler;
|
||||
@ -213,6 +223,7 @@ export default class MainBackground {
|
||||
devicesService: DevicesServiceAbstraction;
|
||||
deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction;
|
||||
authRequestCryptoService: AuthRequestCryptoServiceAbstraction;
|
||||
popupUtilsService: PopupUtilsService;
|
||||
browserPopoutWindowService: BrowserPopoutWindowService;
|
||||
|
||||
// Passed to the popup for Safari to workaround issues with theming, downloading, etc.
|
||||
@ -370,7 +381,7 @@ export default class MainBackground {
|
||||
// AuthService should send the messages to the background not popup.
|
||||
send = (subscriber: string, arg: any = {}) => {
|
||||
const message = Object.assign({}, { command: subscriber }, arg);
|
||||
that.runtimeBackground.processMessage(message, that as any, null);
|
||||
that.runtimeBackground.processMessage(message, that as any);
|
||||
};
|
||||
})();
|
||||
|
||||
@ -569,6 +580,22 @@ export default class MainBackground {
|
||||
|
||||
this.browserPopoutWindowService = new BrowserPopoutWindowService();
|
||||
|
||||
this.fido2UserInterfaceService = new BrowserFido2UserInterfaceService(
|
||||
this.browserPopoutWindowService
|
||||
);
|
||||
this.fido2AuthenticatorService = new Fido2AuthenticatorService(
|
||||
this.cipherService,
|
||||
this.fido2UserInterfaceService,
|
||||
this.syncService,
|
||||
this.logService
|
||||
);
|
||||
this.fido2ClientService = new Fido2ClientService(
|
||||
this.fido2AuthenticatorService,
|
||||
this.configService,
|
||||
this.authService,
|
||||
this.logService
|
||||
);
|
||||
|
||||
const systemUtilsServiceReloadCallback = () => {
|
||||
const forceWindowReload =
|
||||
this.platformUtilsService.isSafari() ||
|
||||
|
@ -383,7 +383,7 @@ export class NativeMessagingBackground {
|
||||
return;
|
||||
}
|
||||
|
||||
this.runtimeBackground.processMessage({ command: "unlocked" }, null, null);
|
||||
this.runtimeBackground.processMessage({ command: "unlocked" }, null);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -14,6 +14,7 @@ import { BrowserPopoutWindowService } from "../platform/popup/abstractions/brows
|
||||
import { BrowserStateService } from "../platform/services/abstractions/browser-state.service";
|
||||
import { BrowserEnvironmentService } from "../platform/services/browser-environment.service";
|
||||
import BrowserPlatformUtilsService from "../platform/services/browser-platform-utils.service";
|
||||
import { AbortManager } from "../vault/background/abort-manager";
|
||||
|
||||
import MainBackground from "./main.background";
|
||||
import LockedVaultPendingNotificationsItem from "./models/lockedVaultPendingNotificationsItem";
|
||||
@ -23,6 +24,7 @@ export default class RuntimeBackground {
|
||||
private pageDetailsToAutoFill: any[] = [];
|
||||
private onInstalledReason: string = null;
|
||||
private lockedVaultPendingNotifications: LockedVaultPendingNotificationsItem[] = [];
|
||||
private abortManager = new AbortManager();
|
||||
|
||||
constructor(
|
||||
private main: MainBackground,
|
||||
@ -50,12 +52,27 @@ export default class RuntimeBackground {
|
||||
}
|
||||
|
||||
await this.checkOnInstalled();
|
||||
const backgroundMessageListener = async (
|
||||
const backgroundMessageListener = (
|
||||
msg: any,
|
||||
sender: chrome.runtime.MessageSender,
|
||||
sendResponse: any
|
||||
) => {
|
||||
await this.processMessage(msg, sender, sendResponse);
|
||||
const messagesWithResponse = [
|
||||
"checkFido2FeatureEnabled",
|
||||
"fido2RegisterCredentialRequest",
|
||||
"fido2GetCredentialRequest",
|
||||
];
|
||||
|
||||
if (messagesWithResponse.includes(msg.command)) {
|
||||
this.processMessage(msg, sender).then(
|
||||
(value) => sendResponse({ result: value }),
|
||||
(error) => sendResponse({ error: { ...error, message: error.message } })
|
||||
);
|
||||
return true;
|
||||
}
|
||||
|
||||
this.processMessage(msg, sender);
|
||||
return false;
|
||||
};
|
||||
|
||||
BrowserApi.messageListener("runtime.background", backgroundMessageListener);
|
||||
@ -64,7 +81,7 @@ export default class RuntimeBackground {
|
||||
}
|
||||
}
|
||||
|
||||
async processMessage(msg: any, sender: chrome.runtime.MessageSender, sendResponse: any) {
|
||||
async processMessage(msg: any, sender: chrome.runtime.MessageSender) {
|
||||
const cipherId = msg.data?.cipherId;
|
||||
|
||||
switch (msg.command) {
|
||||
@ -282,8 +299,19 @@ export default class RuntimeBackground {
|
||||
case "getClickedElementResponse":
|
||||
this.platformUtilsService.copyToClipboard(msg.identifier, { window: window });
|
||||
break;
|
||||
default:
|
||||
case "fido2AbortRequest":
|
||||
this.abortManager.abort(msg.abortedRequestId);
|
||||
break;
|
||||
case "checkFido2FeatureEnabled":
|
||||
return await this.main.fido2ClientService.isFido2FeatureEnabled();
|
||||
case "fido2RegisterCredentialRequest":
|
||||
return await this.abortManager.runWithAbortController(msg.requestId, (abortController) =>
|
||||
this.main.fido2ClientService.createCredential(msg.data, sender.tab, abortController)
|
||||
);
|
||||
case "fido2GetCredentialRequest":
|
||||
return await this.abortManager.runWithAbortController(msg.requestId, (abortController) =>
|
||||
this.main.fido2ClientService.assertCredential(msg.data, sender.tab, abortController)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
"content_scripts": [
|
||||
{
|
||||
"all_frames": true,
|
||||
"js": ["content/trigger-autofill-script-injection.js"],
|
||||
"js": ["content/trigger-autofill-script-injection.js", "content/fido2/content-script.js"],
|
||||
"matches": ["http://*/*", "https://*/*", "file:///*"],
|
||||
"run_at": "document_start"
|
||||
},
|
||||
@ -93,6 +93,7 @@
|
||||
}
|
||||
},
|
||||
"web_accessible_resources": [
|
||||
"content/fido2/page-script.js",
|
||||
"notification/bar.html",
|
||||
"images/icon38.png",
|
||||
"images/icon38_locked.png"
|
||||
|
@ -106,7 +106,12 @@
|
||||
},
|
||||
"web_accessible_resources": [
|
||||
{
|
||||
"resources": ["notification/bar.html", "images/icon38.png", "images/icon38_locked.png"],
|
||||
"resources": [
|
||||
"content/webauthn/page-script.js",
|
||||
"notification/bar.html",
|
||||
"images/icon38.png",
|
||||
"images/icon38_locked.png"
|
||||
],
|
||||
"matches": ["<all_urls>"]
|
||||
}
|
||||
],
|
||||
|
@ -1,3 +1,5 @@
|
||||
import { Observable } from "rxjs";
|
||||
|
||||
import { DeviceType } from "@bitwarden/common/enums";
|
||||
|
||||
import { TabMessage } from "../../types/tab-messages";
|
||||
@ -35,6 +37,10 @@ export class BrowserApi {
|
||||
);
|
||||
}
|
||||
|
||||
static async removeWindow(windowId: number) {
|
||||
await chrome.windows.remove(windowId);
|
||||
}
|
||||
|
||||
static async getTabFromCurrentWindowId(): Promise<chrome.tabs.Tab> | null {
|
||||
return await BrowserApi.tabsQueryFirst({
|
||||
active: true,
|
||||
@ -199,6 +205,14 @@ export class BrowserApi {
|
||||
BrowserApi.removeTab(tabToClose.id);
|
||||
}
|
||||
|
||||
static createNewWindow(
|
||||
url: string,
|
||||
focused = true,
|
||||
type: chrome.windows.createTypeEnum = "normal"
|
||||
) {
|
||||
chrome.windows.create({ url, focused, type });
|
||||
}
|
||||
|
||||
// Keep track of all the events registered in a Safari popup so we can remove
|
||||
// them when the popup gets unloaded, otherwise we cause a memory leak
|
||||
private static registeredMessageListeners: any[] = [];
|
||||
@ -206,7 +220,11 @@ export class BrowserApi {
|
||||
|
||||
static messageListener(
|
||||
name: string,
|
||||
callback: (message: any, sender: chrome.runtime.MessageSender, response: any) => void
|
||||
callback: (
|
||||
message: any,
|
||||
sender: chrome.runtime.MessageSender,
|
||||
sendResponse: any
|
||||
) => boolean | void
|
||||
) {
|
||||
// eslint-disable-next-line no-restricted-syntax
|
||||
chrome.runtime.onMessage.addListener(callback);
|
||||
@ -244,6 +262,27 @@ export class BrowserApi {
|
||||
};
|
||||
}
|
||||
|
||||
static messageListener$() {
|
||||
return new Observable<unknown>((subscriber) => {
|
||||
const handler = (message: unknown) => {
|
||||
subscriber.next(message);
|
||||
};
|
||||
|
||||
BrowserApi.messageListener("message", handler);
|
||||
|
||||
return () => {
|
||||
chrome.runtime.onMessage.removeListener(handler);
|
||||
|
||||
if (BrowserApi.isSafariApi) {
|
||||
const index = BrowserApi.registeredMessageListeners.indexOf(handler);
|
||||
if (index !== -1) {
|
||||
BrowserApi.registeredMessageListeners.splice(index, 1);
|
||||
}
|
||||
}
|
||||
};
|
||||
});
|
||||
}
|
||||
|
||||
static sendMessage(subscriber: string, arg: any = {}) {
|
||||
const message = Object.assign({}, { command: subscriber }, arg);
|
||||
return chrome.runtime.sendMessage(message);
|
||||
|
@ -73,10 +73,9 @@ export class SessionSyncer {
|
||||
|
||||
private listenForUpdates() {
|
||||
// This is an unawaited promise, but it will be executed asynchronously in the background.
|
||||
BrowserApi.messageListener(
|
||||
this.updateMessageCommand,
|
||||
async (message) => await this.updateFromMessage(message)
|
||||
);
|
||||
BrowserApi.messageListener(this.updateMessageCommand, (message) => {
|
||||
this.updateFromMessage(message);
|
||||
});
|
||||
}
|
||||
|
||||
async updateFromMessage(message: any) {
|
||||
|
@ -28,6 +28,15 @@ interface BrowserPopoutWindowService {
|
||||
}
|
||||
): Promise<void>;
|
||||
closePasswordRepromptPrompt(): Promise<void>;
|
||||
openFido2Popout(
|
||||
senderWindow: chrome.tabs.Tab,
|
||||
promptData: {
|
||||
sessionId: string;
|
||||
senderTabId: number;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
): Promise<number>;
|
||||
closeFido2Popout(): Promise<void>;
|
||||
}
|
||||
|
||||
export { BrowserPopoutWindowService };
|
||||
|
@ -95,29 +95,71 @@ class BrowserPopoutWindowService implements BrowserPopupWindowServiceInterface {
|
||||
await this.closeSingleActionPopout("passwordReprompt");
|
||||
}
|
||||
|
||||
async openFido2Popout(
|
||||
senderWindow: chrome.tabs.Tab,
|
||||
{
|
||||
sessionId,
|
||||
senderTabId,
|
||||
fallbackSupported,
|
||||
}: {
|
||||
sessionId: string;
|
||||
senderTabId: number;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
): Promise<number> {
|
||||
await this.closeFido2Popout();
|
||||
|
||||
const promptWindowPath =
|
||||
"popup/index.html#/fido2" +
|
||||
"?uilocation=popout" +
|
||||
`&sessionId=${sessionId}` +
|
||||
`&fallbackSupported=${fallbackSupported}` +
|
||||
`&senderTabId=${senderTabId}` +
|
||||
`&senderUrl=${encodeURIComponent(senderWindow.url)}`;
|
||||
|
||||
return await this.openSingleActionPopout(
|
||||
senderWindow.windowId,
|
||||
promptWindowPath,
|
||||
"fido2Popout",
|
||||
{
|
||||
width: 200,
|
||||
height: 500,
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
async closeFido2Popout(): Promise<void> {
|
||||
await this.closeSingleActionPopout("fido2Popout");
|
||||
}
|
||||
|
||||
private async openSingleActionPopout(
|
||||
senderWindowId: number,
|
||||
popupWindowURL: string,
|
||||
singleActionPopoutKey: string
|
||||
) {
|
||||
singleActionPopoutKey: string,
|
||||
options: chrome.windows.CreateData = {}
|
||||
): Promise<number> {
|
||||
const senderWindow = senderWindowId && (await BrowserApi.getWindow(senderWindowId));
|
||||
const url = chrome.extension.getURL(popupWindowURL);
|
||||
const offsetRight = 15;
|
||||
const offsetTop = 90;
|
||||
const popupWidth = this.defaultPopoutWindowOptions.width;
|
||||
/// Use overrides in `options` if provided, otherwise use default
|
||||
const popupWidth = options?.width || this.defaultPopoutWindowOptions.width;
|
||||
const windowOptions = senderWindow
|
||||
? {
|
||||
...this.defaultPopoutWindowOptions,
|
||||
url,
|
||||
left: senderWindow.left + senderWindow.width - popupWidth - offsetRight,
|
||||
top: senderWindow.top + offsetTop,
|
||||
...options,
|
||||
url,
|
||||
}
|
||||
: { ...this.defaultPopoutWindowOptions, url };
|
||||
: { ...this.defaultPopoutWindowOptions, url, ...options };
|
||||
|
||||
const popupWindow = await BrowserApi.createWindow(windowOptions);
|
||||
|
||||
await this.closeSingleActionPopout(singleActionPopoutKey);
|
||||
this.singleActionPopoutTabIds[singleActionPopoutKey] = popupWindow?.tabs[0].id;
|
||||
|
||||
return popupWindow.id;
|
||||
}
|
||||
|
||||
private async closeSingleActionPopout(popoutKey: string) {
|
||||
|
@ -0,0 +1,37 @@
|
||||
import { Injectable } from "@angular/core";
|
||||
import { ActivatedRouteSnapshot, NavigationEnd, Router } from "@angular/router";
|
||||
import { filter } from "rxjs";
|
||||
|
||||
@Injectable({
|
||||
providedIn: "root",
|
||||
})
|
||||
export class BrowserRouterService {
|
||||
private previousUrl?: string = undefined;
|
||||
|
||||
constructor(router: Router) {
|
||||
router.events
|
||||
.pipe(filter((e) => e instanceof NavigationEnd))
|
||||
.subscribe((event: NavigationEnd) => {
|
||||
const state: ActivatedRouteSnapshot = router.routerState.snapshot.root;
|
||||
|
||||
let child = state.firstChild;
|
||||
while (child.firstChild) {
|
||||
child = child.firstChild;
|
||||
}
|
||||
|
||||
const updateUrl = !child?.data?.doNotSaveUrl ?? true;
|
||||
|
||||
if (updateUrl) {
|
||||
this.setPreviousUrl(event.url);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
getPreviousUrl() {
|
||||
return this.previousUrl;
|
||||
}
|
||||
|
||||
setPreviousUrl(url: string) {
|
||||
this.previousUrl = url;
|
||||
}
|
||||
}
|
@ -11,6 +11,7 @@ import {
|
||||
import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
|
||||
import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
|
||||
|
||||
import { fido2AuthGuard } from "../auth/guards/fido2-auth.guard";
|
||||
import { EnvironmentComponent } from "../auth/popup/environment.component";
|
||||
import { HintComponent } from "../auth/popup/hint.component";
|
||||
import { HomeComponent } from "../auth/popup/home.component";
|
||||
@ -31,6 +32,7 @@ import { SendAddEditComponent } from "../tools/popup/send/send-add-edit.componen
|
||||
import { SendGroupingsComponent } from "../tools/popup/send/send-groupings.component";
|
||||
import { SendTypeComponent } from "../tools/popup/send/send-type.component";
|
||||
import { ExportComponent } from "../tools/popup/settings/export.component";
|
||||
import { Fido2Component } from "../vault/popup/components/fido2/fido2.component";
|
||||
import { AddEditComponent } from "../vault/popup/components/vault/add-edit.component";
|
||||
import { AttachmentsComponent } from "../vault/popup/components/vault/attachments.component";
|
||||
import { CollectionsComponent } from "../vault/popup/components/vault/collections.component";
|
||||
@ -73,6 +75,12 @@ const routes: Routes = [
|
||||
canActivate: [UnauthGuard],
|
||||
data: { state: "home" },
|
||||
},
|
||||
{
|
||||
path: "fido2",
|
||||
component: Fido2Component,
|
||||
canActivate: [fido2AuthGuard],
|
||||
data: { state: "fido2" },
|
||||
},
|
||||
{
|
||||
path: "login",
|
||||
component: LoginComponent,
|
||||
@ -95,7 +103,7 @@ const routes: Routes = [
|
||||
path: "lock",
|
||||
component: LockComponent,
|
||||
canActivate: [lockGuard()],
|
||||
data: { state: "lock" },
|
||||
data: { state: "lock", doNotSaveUrl: true },
|
||||
},
|
||||
{
|
||||
path: "2fa",
|
||||
|
@ -80,11 +80,7 @@ export class AppComponent implements OnInit, OnDestroy {
|
||||
window.onkeypress = () => this.recordActivity();
|
||||
});
|
||||
|
||||
(window as any).bitwardenPopupMainMessageListener = async (
|
||||
msg: any,
|
||||
sender: any,
|
||||
sendResponse: any
|
||||
) => {
|
||||
const bitwardenPopupMainMessageListener = (msg: any, sender: any) => {
|
||||
if (msg.command === "doneLoggingOut") {
|
||||
this.authService.logOut(async () => {
|
||||
if (msg.expired) {
|
||||
@ -102,15 +98,13 @@ export class AppComponent implements OnInit, OnDestroy {
|
||||
this.changeDetectorRef.detectChanges();
|
||||
} else if (msg.command === "authBlocked") {
|
||||
this.router.navigate(["home"]);
|
||||
} else if (msg.command === "locked") {
|
||||
if (msg.userId == null || msg.userId === (await this.stateService.getUserId())) {
|
||||
} else if (msg.command === "locked" && msg.userId == null) {
|
||||
this.router.navigate(["lock"]);
|
||||
}
|
||||
} else if (msg.command === "showDialog") {
|
||||
await this.ngZone.run(() => this.showDialog(msg));
|
||||
this.showDialog(msg);
|
||||
} else if (msg.command === "showNativeMessagingFinterprintDialog") {
|
||||
// TODO: Should be refactored to live in another service.
|
||||
await this.ngZone.run(() => this.showNativeMessagingFingerprintDialog(msg));
|
||||
this.showNativeMessagingFingerprintDialog(msg);
|
||||
} else if (msg.command === "showToast") {
|
||||
this.showToast(msg);
|
||||
} else if (msg.command === "reloadProcess") {
|
||||
@ -133,7 +127,8 @@ export class AppComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
};
|
||||
|
||||
BrowserApi.messageListener("app.component", (window as any).bitwardenPopupMainMessageListener);
|
||||
(window as any).bitwardenPopupMainMessageListener = bitwardenPopupMainMessageListener;
|
||||
BrowserApi.messageListener("app.component", bitwardenPopupMainMessageListener);
|
||||
|
||||
// eslint-disable-next-line rxjs/no-async-subscribe
|
||||
this.router.events.pipe(takeUntil(this.destroy$)).subscribe(async (event) => {
|
||||
|
@ -39,6 +39,9 @@ import { SendTypeComponent } from "../tools/popup/send/send-type.component";
|
||||
import { ExportComponent } from "../tools/popup/settings/export.component";
|
||||
import { ActionButtonsComponent } from "../vault/popup/components/action-buttons.component";
|
||||
import { CipherRowComponent } from "../vault/popup/components/cipher-row.component";
|
||||
import { Fido2CipherRowComponent } from "../vault/popup/components/fido2/fido2-cipher-row.component";
|
||||
import { Fido2UseBrowserLinkComponent } from "../vault/popup/components/fido2/fido2-use-browser-link.component";
|
||||
import { Fido2Component } from "../vault/popup/components/fido2/fido2.component";
|
||||
import { AddEditCustomFieldsComponent } from "../vault/popup/components/vault/add-edit-custom-fields.component";
|
||||
import { AddEditComponent } from "../vault/popup/components/vault/add-edit.component";
|
||||
import { AttachmentsComponent } from "../vault/popup/components/vault/attachments.component";
|
||||
@ -111,6 +114,8 @@ import "../platform/popup/locales";
|
||||
EnvironmentComponent,
|
||||
ExcludedDomainsComponent,
|
||||
ExportComponent,
|
||||
Fido2CipherRowComponent,
|
||||
Fido2UseBrowserLinkComponent,
|
||||
FolderAddEditComponent,
|
||||
FoldersComponent,
|
||||
VaultFilterComponent,
|
||||
@ -148,6 +153,7 @@ import "../platform/popup/locales";
|
||||
ViewCustomFieldsComponent,
|
||||
RemovePasswordComponent,
|
||||
VaultSelectComponent,
|
||||
Fido2Component,
|
||||
HelpAndFeedbackComponent,
|
||||
AutofillComponent,
|
||||
EnvironmentSelectorComponent,
|
||||
|
BIN
apps/browser/src/popup/images/bwi-passkey.png
Normal file
BIN
apps/browser/src/popup/images/bwi-passkey.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
@ -153,6 +153,14 @@ body.body-full {
|
||||
margin: 15px 0 15px 0;
|
||||
}
|
||||
|
||||
.useBrowserlink {
|
||||
padding: 0 10px 5px 10px;
|
||||
position: fixed;
|
||||
bottom: 10px;
|
||||
left: 0;
|
||||
right: 0;
|
||||
}
|
||||
|
||||
app-options {
|
||||
.box {
|
||||
margin: 10px 0;
|
||||
@ -175,3 +183,170 @@ app-vault-attachments {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
app-fido2 {
|
||||
.auth-wrapper {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
padding: 12px 24px 12px 24px;
|
||||
|
||||
.auth-header {
|
||||
display: flex;
|
||||
justify-content: space-between;
|
||||
align-items: center;
|
||||
|
||||
.left {
|
||||
padding-right: 10px;
|
||||
|
||||
.logo {
|
||||
display: inline-flex;
|
||||
align-items: center;
|
||||
|
||||
i.bwi {
|
||||
font-size: 35px;
|
||||
margin-right: 3px;
|
||||
@include themify($themes) {
|
||||
color: themed("primaryColor");
|
||||
}
|
||||
}
|
||||
|
||||
span {
|
||||
font-size: 45px;
|
||||
font-weight: 300;
|
||||
margin-top: -3px;
|
||||
@include themify($themes) {
|
||||
color: themed("primaryColor");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.search {
|
||||
padding: 7px 10px;
|
||||
width: 100%;
|
||||
text-align: left;
|
||||
position: relative;
|
||||
display: flex;
|
||||
|
||||
.bwi {
|
||||
position: absolute;
|
||||
top: 15px;
|
||||
left: 20px;
|
||||
|
||||
@include themify($themes) {
|
||||
color: themed("labelColor");
|
||||
}
|
||||
}
|
||||
|
||||
input {
|
||||
width: 100%;
|
||||
margin: 0;
|
||||
border: none;
|
||||
padding: 5px 10px 5px 30px;
|
||||
border-radius: $border-radius;
|
||||
|
||||
&:focus {
|
||||
border-radius: $border-radius;
|
||||
outline: none;
|
||||
}
|
||||
|
||||
&[type="search"]::-webkit-search-cancel-button {
|
||||
-webkit-appearance: none;
|
||||
appearance: none;
|
||||
background-repeat: no-repeat;
|
||||
mask-image: none;
|
||||
-webkit-mask-image: none;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.auth-flow {
|
||||
display: flex;
|
||||
align-items: flex-start;
|
||||
flex-direction: column;
|
||||
margin-top: 32px;
|
||||
margin-bottom: 32px;
|
||||
|
||||
.subtitle {
|
||||
font-family: Open Sans;
|
||||
font-size: 24px;
|
||||
font-style: normal;
|
||||
font-weight: 600;
|
||||
line-height: 32px;
|
||||
}
|
||||
|
||||
.box.list {
|
||||
overflow-y: auto;
|
||||
}
|
||||
|
||||
.box-content {
|
||||
max-height: 140px;
|
||||
}
|
||||
|
||||
@media screen and (min-height: 501px) and (max-height: 600px) {
|
||||
.box-content {
|
||||
max-height: 200px;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-height: 601px) {
|
||||
.box-content {
|
||||
max-height: 260px;
|
||||
}
|
||||
}
|
||||
|
||||
.box-content-row {
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
margin: 0px;
|
||||
padding: 0px;
|
||||
margin-bottom: 12px;
|
||||
|
||||
button {
|
||||
min-height: 44px;
|
||||
}
|
||||
|
||||
.row-main {
|
||||
border-radius: 6px;
|
||||
padding: 5px 0px 5px 12px;
|
||||
|
||||
&:focus {
|
||||
@include themify($themes) {
|
||||
padding: 3px 0px 3px 10px;
|
||||
border: 2px solid themed("headerInputBackgroundFocusColor");
|
||||
}
|
||||
}
|
||||
|
||||
&.row-selected {
|
||||
@include themify($themes) {
|
||||
outline: none;
|
||||
padding-left: 7px;
|
||||
border-left: 5px solid themed("primaryColor");
|
||||
background-color: themed("headerBackgroundHoverColor");
|
||||
color: themed("headerColor");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.row-main-content {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
justify-content: center;
|
||||
|
||||
.detail {
|
||||
min-height: 15px;
|
||||
display: block;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.btn {
|
||||
width: 100%;
|
||||
font-size: 16px;
|
||||
font-weight: 600;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3,6 +3,16 @@ import { fromEvent, Subscription } from "rxjs";
|
||||
|
||||
import { BrowserApi } from "../../platform/browser/browser-api";
|
||||
|
||||
export type Popout =
|
||||
| {
|
||||
type: "window";
|
||||
window: chrome.windows.Window;
|
||||
}
|
||||
| {
|
||||
type: "tab";
|
||||
tab: chrome.tabs.Tab;
|
||||
};
|
||||
|
||||
@Injectable()
|
||||
export class PopupUtilsService {
|
||||
private unloadSubscription: Subscription;
|
||||
@ -45,12 +55,16 @@ export class PopupUtilsService {
|
||||
}
|
||||
}
|
||||
|
||||
popOut(win: Window, href: string = null): void {
|
||||
async popOut(
|
||||
win: Window,
|
||||
href: string = null,
|
||||
options: { center?: boolean } = {}
|
||||
): Promise<Popout> {
|
||||
if (href === null) {
|
||||
href = win.location.href;
|
||||
}
|
||||
|
||||
if (typeof chrome !== "undefined" && chrome.windows && chrome.windows.create) {
|
||||
if (typeof chrome !== "undefined" && chrome?.windows?.create != null) {
|
||||
if (href.indexOf("?uilocation=") > -1) {
|
||||
href = href
|
||||
.replace("uilocation=popup", "uilocation=popout")
|
||||
@ -63,24 +77,43 @@ export class PopupUtilsService {
|
||||
}
|
||||
|
||||
const bodyRect = document.querySelector("body").getBoundingClientRect();
|
||||
chrome.windows.create({
|
||||
const width = Math.round(bodyRect.width ? bodyRect.width + 60 : 375);
|
||||
const height = Math.round(bodyRect.height || 600);
|
||||
const top = options.center ? Math.round((screen.height - height) / 2) : undefined;
|
||||
const left = options.center ? Math.round((screen.width - width) / 2) : undefined;
|
||||
const window = await BrowserApi.createWindow({
|
||||
url: href,
|
||||
type: "popup",
|
||||
width: Math.round(bodyRect.width ? bodyRect.width + 60 : 375),
|
||||
height: Math.round(bodyRect.height || 600),
|
||||
width,
|
||||
height,
|
||||
top,
|
||||
left,
|
||||
});
|
||||
|
||||
if (this.inPopup(win)) {
|
||||
if (win && this.inPopup(win)) {
|
||||
BrowserApi.closePopup(win);
|
||||
}
|
||||
} else if (typeof chrome !== "undefined" && chrome.tabs && chrome.tabs.create) {
|
||||
|
||||
return { type: "window", window };
|
||||
} else if (chrome?.tabs?.create != null) {
|
||||
href = href
|
||||
.replace("uilocation=popup", "uilocation=tab")
|
||||
.replace("uilocation=popout", "uilocation=tab")
|
||||
.replace("uilocation=sidebar", "uilocation=tab");
|
||||
chrome.tabs.create({
|
||||
url: href,
|
||||
});
|
||||
|
||||
const tab = await BrowserApi.createNewTab(href);
|
||||
return { type: "tab", tab };
|
||||
} else {
|
||||
throw new Error("Cannot open tab or window");
|
||||
}
|
||||
}
|
||||
|
||||
closePopOut(popout: Popout): Promise<void> {
|
||||
switch (popout.type) {
|
||||
case "window":
|
||||
return BrowserApi.removeWindow(popout.window.id);
|
||||
case "tab":
|
||||
return BrowserApi.removeTab(popout.tab.id);
|
||||
}
|
||||
}
|
||||
|
||||
|
21
apps/browser/src/vault/background/abort-manager.ts
Normal file
21
apps/browser/src/vault/background/abort-manager.ts
Normal file
@ -0,0 +1,21 @@
|
||||
type Runner<T> = (abortController: AbortController) => Promise<T>;
|
||||
|
||||
/**
|
||||
* Manages abort controllers for long running tasks and allow separate
|
||||
* execution contexts to abort each other by using ids.
|
||||
*/
|
||||
export class AbortManager {
|
||||
private abortControllers = new Map<string, AbortController>();
|
||||
|
||||
runWithAbortController<T>(id: string, runner: Runner<T>): Promise<T> {
|
||||
const abortController = new AbortController();
|
||||
this.abortControllers.set(id, abortController);
|
||||
return runner(abortController).finally(() => {
|
||||
this.abortControllers.delete(id);
|
||||
});
|
||||
}
|
||||
|
||||
abort(id: string) {
|
||||
this.abortControllers.get(id)?.abort();
|
||||
}
|
||||
}
|
@ -0,0 +1,366 @@
|
||||
import { inject } from "@angular/core";
|
||||
import { ActivatedRoute } from "@angular/router";
|
||||
import {
|
||||
BehaviorSubject,
|
||||
EmptyError,
|
||||
filter,
|
||||
firstValueFrom,
|
||||
fromEvent,
|
||||
fromEventPattern,
|
||||
map,
|
||||
merge,
|
||||
Observable,
|
||||
Subject,
|
||||
switchMap,
|
||||
take,
|
||||
takeUntil,
|
||||
throwError,
|
||||
} from "rxjs";
|
||||
|
||||
import { Utils } from "@bitwarden/common/platform/misc/utils";
|
||||
import { UserRequestedFallbackAbortReason } from "@bitwarden/common/vault/abstractions/fido2/fido2-client.service.abstraction";
|
||||
import {
|
||||
Fido2UserInterfaceService as Fido2UserInterfaceServiceAbstraction,
|
||||
Fido2UserInterfaceSession,
|
||||
NewCredentialParams,
|
||||
PickCredentialParams,
|
||||
} from "@bitwarden/common/vault/abstractions/fido2/fido2-user-interface.service.abstraction";
|
||||
|
||||
import { BrowserApi } from "../../platform/browser/browser-api";
|
||||
import { BrowserPopoutWindowService } from "../../platform/popup/abstractions/browser-popout-window.service";
|
||||
|
||||
const BrowserFido2MessageName = "BrowserFido2UserInterfaceServiceMessage";
|
||||
|
||||
/**
|
||||
* Function to retrieve FIDO2 session data from query parameters.
|
||||
* Expected to be used within components tied to routes with these query parameters.
|
||||
*/
|
||||
export function fido2PopoutSessionData$() {
|
||||
const route = inject(ActivatedRoute);
|
||||
|
||||
return route.queryParams.pipe(
|
||||
map((queryParams) => ({
|
||||
isFido2Session: queryParams.sessionId != null,
|
||||
sessionId: queryParams.sessionId as string,
|
||||
fallbackSupported: queryParams.fallbackSupported === "true",
|
||||
userVerification: queryParams.userVerification === "true",
|
||||
}))
|
||||
);
|
||||
}
|
||||
|
||||
export class SessionClosedError extends Error {
|
||||
constructor() {
|
||||
super("Fido2UserInterfaceSession was closed");
|
||||
}
|
||||
}
|
||||
|
||||
export type BrowserFido2Message = { sessionId: string } & (
|
||||
| /**
|
||||
* This message is used by popouts to announce that they are ready
|
||||
* to recieve messages.
|
||||
**/ {
|
||||
type: "ConnectResponse";
|
||||
}
|
||||
/**
|
||||
* This message is used to announce the creation of a new session.
|
||||
* It is used by popouts to know when to close.
|
||||
**/
|
||||
| {
|
||||
type: "NewSessionCreatedRequest";
|
||||
}
|
||||
| {
|
||||
type: "PickCredentialRequest";
|
||||
cipherIds: string[];
|
||||
userVerification: boolean;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
| {
|
||||
type: "PickCredentialResponse";
|
||||
cipherId?: string;
|
||||
userVerified: boolean;
|
||||
}
|
||||
| {
|
||||
type: "ConfirmNewCredentialRequest";
|
||||
credentialName: string;
|
||||
userName: string;
|
||||
userVerification: boolean;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
| {
|
||||
type: "ConfirmNewCredentialResponse";
|
||||
cipherId: string;
|
||||
userVerified: boolean;
|
||||
}
|
||||
| {
|
||||
type: "InformExcludedCredentialRequest";
|
||||
existingCipherIds: string[];
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
| {
|
||||
type: "InformCredentialNotFoundRequest";
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
| {
|
||||
type: "AbortRequest";
|
||||
}
|
||||
| {
|
||||
type: "AbortResponse";
|
||||
fallbackRequested: boolean;
|
||||
}
|
||||
);
|
||||
|
||||
/**
|
||||
* Browser implementation of the {@link Fido2UserInterfaceService}.
|
||||
* The user interface is implemented as a popout and the service uses the browser's messaging API to communicate with it.
|
||||
*/
|
||||
export class BrowserFido2UserInterfaceService implements Fido2UserInterfaceServiceAbstraction {
|
||||
constructor(private browserPopoutWindowService: BrowserPopoutWindowService) {}
|
||||
|
||||
async newSession(
|
||||
fallbackSupported: boolean,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
): Promise<Fido2UserInterfaceSession> {
|
||||
return await BrowserFido2UserInterfaceSession.create(
|
||||
this.browserPopoutWindowService,
|
||||
fallbackSupported,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export class BrowserFido2UserInterfaceSession implements Fido2UserInterfaceSession {
|
||||
static async create(
|
||||
browserPopoutWindowService: BrowserPopoutWindowService,
|
||||
fallbackSupported: boolean,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
): Promise<BrowserFido2UserInterfaceSession> {
|
||||
return new BrowserFido2UserInterfaceSession(
|
||||
browserPopoutWindowService,
|
||||
fallbackSupported,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
}
|
||||
|
||||
static sendMessage(msg: BrowserFido2Message) {
|
||||
BrowserApi.sendMessage(BrowserFido2MessageName, msg);
|
||||
}
|
||||
|
||||
static abortPopout(sessionId: string, fallbackRequested = false) {
|
||||
this.sendMessage({
|
||||
sessionId: sessionId,
|
||||
type: "AbortResponse",
|
||||
fallbackRequested: fallbackRequested,
|
||||
});
|
||||
}
|
||||
|
||||
static confirmNewCredentialResponse(sessionId: string, cipherId: string, userVerified: boolean) {
|
||||
this.sendMessage({
|
||||
sessionId: sessionId,
|
||||
type: "ConfirmNewCredentialResponse",
|
||||
cipherId,
|
||||
userVerified,
|
||||
});
|
||||
}
|
||||
|
||||
private closed = false;
|
||||
private messages$ = (BrowserApi.messageListener$() as Observable<BrowserFido2Message>).pipe(
|
||||
filter((msg) => msg.sessionId === this.sessionId)
|
||||
);
|
||||
private connected$ = new BehaviorSubject(false);
|
||||
private windowClosed$: Observable<number>;
|
||||
private destroy$ = new Subject<void>();
|
||||
|
||||
private constructor(
|
||||
private readonly browserPopoutWindowService: BrowserPopoutWindowService,
|
||||
private readonly fallbackSupported: boolean,
|
||||
private readonly tab: chrome.tabs.Tab,
|
||||
readonly abortController = new AbortController(),
|
||||
readonly sessionId = Utils.newGuid()
|
||||
) {
|
||||
this.messages$
|
||||
.pipe(
|
||||
filter((msg) => msg.type === "ConnectResponse"),
|
||||
take(1),
|
||||
takeUntil(this.destroy$)
|
||||
)
|
||||
.subscribe(() => {
|
||||
this.connected$.next(true);
|
||||
});
|
||||
|
||||
// Handle session aborted by RP
|
||||
fromEvent(abortController.signal, "abort")
|
||||
.pipe(takeUntil(this.destroy$))
|
||||
.subscribe(() => {
|
||||
this.close();
|
||||
BrowserFido2UserInterfaceSession.sendMessage({
|
||||
type: "AbortRequest",
|
||||
sessionId: this.sessionId,
|
||||
});
|
||||
});
|
||||
|
||||
// Handle session aborted by user
|
||||
this.messages$
|
||||
.pipe(
|
||||
filter((msg) => msg.type === "AbortResponse"),
|
||||
take(1),
|
||||
takeUntil(this.destroy$)
|
||||
)
|
||||
.subscribe((msg) => {
|
||||
if (msg.type === "AbortResponse") {
|
||||
this.close();
|
||||
this.abort(msg.fallbackRequested);
|
||||
}
|
||||
});
|
||||
|
||||
this.windowClosed$ = fromEventPattern(
|
||||
(handler: any) => chrome.windows.onRemoved.addListener(handler),
|
||||
(handler: any) => chrome.windows.onRemoved.removeListener(handler)
|
||||
);
|
||||
|
||||
BrowserFido2UserInterfaceSession.sendMessage({
|
||||
type: "NewSessionCreatedRequest",
|
||||
sessionId,
|
||||
});
|
||||
}
|
||||
|
||||
async pickCredential({
|
||||
cipherIds,
|
||||
userVerification,
|
||||
}: PickCredentialParams): Promise<{ cipherId: string; userVerified: boolean }> {
|
||||
const data: BrowserFido2Message = {
|
||||
type: "PickCredentialRequest",
|
||||
cipherIds,
|
||||
sessionId: this.sessionId,
|
||||
userVerification,
|
||||
fallbackSupported: this.fallbackSupported,
|
||||
};
|
||||
|
||||
await this.send(data);
|
||||
const response = await this.receive("PickCredentialResponse");
|
||||
|
||||
return { cipherId: response.cipherId, userVerified: response.userVerified };
|
||||
}
|
||||
|
||||
async confirmNewCredential({
|
||||
credentialName,
|
||||
userName,
|
||||
userVerification,
|
||||
}: NewCredentialParams): Promise<{ cipherId: string; userVerified: boolean }> {
|
||||
const data: BrowserFido2Message = {
|
||||
type: "ConfirmNewCredentialRequest",
|
||||
sessionId: this.sessionId,
|
||||
credentialName,
|
||||
userName,
|
||||
userVerification,
|
||||
fallbackSupported: this.fallbackSupported,
|
||||
};
|
||||
|
||||
await this.send(data);
|
||||
const response = await this.receive("ConfirmNewCredentialResponse");
|
||||
|
||||
return { cipherId: response.cipherId, userVerified: response.userVerified };
|
||||
}
|
||||
|
||||
async informExcludedCredential(existingCipherIds: string[]): Promise<void> {
|
||||
const data: BrowserFido2Message = {
|
||||
type: "InformExcludedCredentialRequest",
|
||||
sessionId: this.sessionId,
|
||||
existingCipherIds,
|
||||
fallbackSupported: this.fallbackSupported,
|
||||
};
|
||||
|
||||
await this.send(data);
|
||||
await this.receive("AbortResponse");
|
||||
}
|
||||
|
||||
async ensureUnlockedVault(): Promise<void> {
|
||||
await this.connect();
|
||||
}
|
||||
|
||||
async informCredentialNotFound(): Promise<void> {
|
||||
const data: BrowserFido2Message = {
|
||||
type: "InformCredentialNotFoundRequest",
|
||||
sessionId: this.sessionId,
|
||||
fallbackSupported: this.fallbackSupported,
|
||||
};
|
||||
|
||||
await this.send(data);
|
||||
await this.receive("AbortResponse");
|
||||
}
|
||||
|
||||
async close() {
|
||||
await this.browserPopoutWindowService.closeFido2Popout();
|
||||
this.closed = true;
|
||||
this.destroy$.next();
|
||||
this.destroy$.complete();
|
||||
}
|
||||
|
||||
private async abort(fallback = false) {
|
||||
this.abortController.abort(fallback ? UserRequestedFallbackAbortReason : undefined);
|
||||
}
|
||||
|
||||
private async send(msg: BrowserFido2Message): Promise<void> {
|
||||
if (!this.connected$.value) {
|
||||
await this.connect();
|
||||
}
|
||||
BrowserFido2UserInterfaceSession.sendMessage(msg);
|
||||
}
|
||||
|
||||
private async receive<T extends BrowserFido2Message["type"]>(
|
||||
type: T
|
||||
): Promise<BrowserFido2Message & { type: T }> {
|
||||
try {
|
||||
const response = await firstValueFrom(
|
||||
this.messages$.pipe(
|
||||
filter((msg) => msg.sessionId === this.sessionId && msg.type === type),
|
||||
takeUntil(this.destroy$)
|
||||
)
|
||||
);
|
||||
return response as BrowserFido2Message & { type: T };
|
||||
} catch (error) {
|
||||
if (error instanceof EmptyError) {
|
||||
throw new SessionClosedError();
|
||||
}
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
|
||||
private async connect(): Promise<void> {
|
||||
if (this.closed) {
|
||||
throw new Error("Cannot re-open closed session");
|
||||
}
|
||||
|
||||
const connectPromise = firstValueFrom(
|
||||
merge(
|
||||
this.connected$.pipe(filter((connected) => connected === true)),
|
||||
fromEvent(this.abortController.signal, "abort").pipe(
|
||||
switchMap(() => throwError(() => new SessionClosedError()))
|
||||
)
|
||||
)
|
||||
);
|
||||
|
||||
const popoutId = await this.browserPopoutWindowService.openFido2Popout(this.tab, {
|
||||
sessionId: this.sessionId,
|
||||
senderTabId: this.tab.id,
|
||||
fallbackSupported: this.fallbackSupported,
|
||||
});
|
||||
|
||||
this.windowClosed$
|
||||
.pipe(
|
||||
filter((windowId) => {
|
||||
return popoutId === windowId;
|
||||
}),
|
||||
takeUntil(this.destroy$)
|
||||
)
|
||||
.subscribe(() => {
|
||||
this.close();
|
||||
this.abort();
|
||||
});
|
||||
|
||||
await connectPromise;
|
||||
}
|
||||
}
|
81
apps/browser/src/vault/fido2/content/content-script.ts
Normal file
81
apps/browser/src/vault/fido2/content/content-script.ts
Normal file
@ -0,0 +1,81 @@
|
||||
import { Message, MessageType } from "./messaging/message";
|
||||
import { Messenger } from "./messaging/messenger";
|
||||
|
||||
function checkFido2FeatureEnabled() {
|
||||
chrome.runtime.sendMessage(
|
||||
{ command: "checkFido2FeatureEnabled" },
|
||||
(response: { result?: boolean }) => initializeFido2ContentScript(response.result)
|
||||
);
|
||||
}
|
||||
|
||||
function initializeFido2ContentScript(isFido2FeatureEnabled: boolean) {
|
||||
if (isFido2FeatureEnabled !== true) {
|
||||
return;
|
||||
}
|
||||
|
||||
const s = document.createElement("script");
|
||||
s.src = chrome.runtime.getURL("content/fido2/page-script.js");
|
||||
(document.head || document.documentElement).appendChild(s);
|
||||
|
||||
const messenger = Messenger.forDOMCommunication(window);
|
||||
|
||||
messenger.handler = async (message, abortController) => {
|
||||
const requestId = Date.now().toString();
|
||||
const abortHandler = () =>
|
||||
chrome.runtime.sendMessage({
|
||||
command: "fido2AbortRequest",
|
||||
abortedRequestId: requestId,
|
||||
});
|
||||
abortController.signal.addEventListener("abort", abortHandler);
|
||||
|
||||
if (message.type === MessageType.CredentialCreationRequest) {
|
||||
return new Promise((resolve, reject) => {
|
||||
chrome.runtime.sendMessage(
|
||||
{
|
||||
command: "fido2RegisterCredentialRequest",
|
||||
data: message.data,
|
||||
requestId: requestId,
|
||||
},
|
||||
(response) => {
|
||||
if (response.error !== undefined) {
|
||||
return reject(response.error);
|
||||
}
|
||||
|
||||
resolve({
|
||||
type: MessageType.CredentialCreationResponse,
|
||||
result: response.result,
|
||||
});
|
||||
}
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
if (message.type === MessageType.CredentialGetRequest) {
|
||||
return new Promise((resolve, reject) => {
|
||||
chrome.runtime.sendMessage(
|
||||
{
|
||||
command: "fido2GetCredentialRequest",
|
||||
data: message.data,
|
||||
requestId: requestId,
|
||||
},
|
||||
(response) => {
|
||||
if (response.error !== undefined) {
|
||||
return reject(response.error);
|
||||
}
|
||||
|
||||
resolve({
|
||||
type: MessageType.CredentialGetResponse,
|
||||
result: response.result,
|
||||
});
|
||||
}
|
||||
);
|
||||
}).finally(() =>
|
||||
abortController.signal.removeEventListener("abort", abortHandler)
|
||||
) as Promise<Message>;
|
||||
}
|
||||
|
||||
return undefined;
|
||||
};
|
||||
}
|
||||
|
||||
checkFido2FeatureEnabled();
|
60
apps/browser/src/vault/fido2/content/messaging/message.ts
Normal file
60
apps/browser/src/vault/fido2/content/messaging/message.ts
Normal file
@ -0,0 +1,60 @@
|
||||
import {
|
||||
CreateCredentialParams,
|
||||
CreateCredentialResult,
|
||||
AssertCredentialParams,
|
||||
AssertCredentialResult,
|
||||
} from "@bitwarden/common/vault/abstractions/fido2/fido2-client.service.abstraction";
|
||||
|
||||
export enum MessageType {
|
||||
CredentialCreationRequest,
|
||||
CredentialCreationResponse,
|
||||
CredentialGetRequest,
|
||||
CredentialGetResponse,
|
||||
AbortRequest,
|
||||
AbortResponse,
|
||||
ErrorResponse,
|
||||
}
|
||||
|
||||
export type CredentialCreationRequest = {
|
||||
type: MessageType.CredentialCreationRequest;
|
||||
data: CreateCredentialParams;
|
||||
};
|
||||
|
||||
export type CredentialCreationResponse = {
|
||||
type: MessageType.CredentialCreationResponse;
|
||||
result?: CreateCredentialResult;
|
||||
};
|
||||
|
||||
export type CredentialGetRequest = {
|
||||
type: MessageType.CredentialGetRequest;
|
||||
data: AssertCredentialParams;
|
||||
};
|
||||
|
||||
export type CredentialGetResponse = {
|
||||
type: MessageType.CredentialGetResponse;
|
||||
result?: AssertCredentialResult;
|
||||
};
|
||||
|
||||
export type AbortRequest = {
|
||||
type: MessageType.AbortRequest;
|
||||
abortedRequestId: string;
|
||||
};
|
||||
|
||||
export type ErrorResponse = {
|
||||
type: MessageType.ErrorResponse;
|
||||
error: string;
|
||||
};
|
||||
|
||||
export type AbortResponse = {
|
||||
type: MessageType.AbortResponse;
|
||||
abortedRequestId: string;
|
||||
};
|
||||
|
||||
export type Message =
|
||||
| CredentialCreationRequest
|
||||
| CredentialCreationResponse
|
||||
| CredentialGetRequest
|
||||
| CredentialGetResponse
|
||||
| AbortRequest
|
||||
| AbortResponse
|
||||
| ErrorResponse;
|
154
apps/browser/src/vault/fido2/content/messaging/messenger.spec.ts
Normal file
154
apps/browser/src/vault/fido2/content/messaging/messenger.spec.ts
Normal file
@ -0,0 +1,154 @@
|
||||
import { Utils } from "@bitwarden/common/platform/misc/utils";
|
||||
|
||||
import { Message } from "./message";
|
||||
import { Channel, MessageWithMetadata, Messenger } from "./messenger";
|
||||
|
||||
describe("Messenger", () => {
|
||||
let messengerA: Messenger;
|
||||
let messengerB: Messenger;
|
||||
let handlerA: TestMessageHandler;
|
||||
let handlerB: TestMessageHandler;
|
||||
|
||||
beforeEach(() => {
|
||||
// jest does not support MessageChannel
|
||||
window.MessageChannel = MockMessageChannel as any;
|
||||
|
||||
const channelPair = new TestChannelPair();
|
||||
messengerA = new Messenger(channelPair.channelA);
|
||||
messengerB = new Messenger(channelPair.channelB);
|
||||
|
||||
handlerA = new TestMessageHandler();
|
||||
handlerB = new TestMessageHandler();
|
||||
messengerA.handler = handlerA.handler;
|
||||
messengerB.handler = handlerB.handler;
|
||||
});
|
||||
|
||||
it("should deliver message to B when sending request from A", () => {
|
||||
const request = createRequest();
|
||||
messengerA.request(request);
|
||||
|
||||
const received = handlerB.recieve();
|
||||
|
||||
expect(received.length).toBe(1);
|
||||
expect(received[0].message).toMatchObject(request);
|
||||
});
|
||||
|
||||
it("should return response from B when sending request from A", async () => {
|
||||
const request = createRequest();
|
||||
const response = createResponse();
|
||||
const requestPromise = messengerA.request(request);
|
||||
const received = handlerB.recieve();
|
||||
received[0].respond(response);
|
||||
|
||||
const returned = await requestPromise;
|
||||
|
||||
expect(returned).toMatchObject(response);
|
||||
});
|
||||
|
||||
it("should throw error from B when sending request from A that fails", async () => {
|
||||
const request = createRequest();
|
||||
const error = new Error("Test error");
|
||||
const requestPromise = messengerA.request(request);
|
||||
const received = handlerB.recieve();
|
||||
|
||||
received[0].reject(error);
|
||||
|
||||
await expect(requestPromise).rejects.toThrow();
|
||||
});
|
||||
|
||||
it("should deliver abort signal to B when requesting abort", () => {
|
||||
const abortController = new AbortController();
|
||||
messengerA.request(createRequest(), abortController);
|
||||
abortController.abort();
|
||||
|
||||
const received = handlerB.recieve();
|
||||
|
||||
expect(received[0].abortController.signal.aborted).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
type TestMessage = MessageWithMetadata & { testId: string };
|
||||
|
||||
function createRequest(): TestMessage {
|
||||
return { testId: Utils.newGuid(), type: "TestRequest" } as any;
|
||||
}
|
||||
|
||||
function createResponse(): TestMessage {
|
||||
return { testId: Utils.newGuid(), type: "TestResponse" } as any;
|
||||
}
|
||||
|
||||
class TestChannelPair {
|
||||
readonly channelA: Channel;
|
||||
readonly channelB: Channel;
|
||||
|
||||
constructor() {
|
||||
const broadcastChannel = new MockMessageChannel<MessageWithMetadata>();
|
||||
|
||||
this.channelA = {
|
||||
addEventListener: (listener) => (broadcastChannel.port1.onmessage = listener),
|
||||
postMessage: (message, port) => broadcastChannel.port1.postMessage(message, port),
|
||||
};
|
||||
|
||||
this.channelB = {
|
||||
addEventListener: (listener) => (broadcastChannel.port2.onmessage = listener),
|
||||
postMessage: (message, port) => broadcastChannel.port2.postMessage(message, port),
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
class TestMessageHandler {
|
||||
readonly handler: (
|
||||
message: TestMessage,
|
||||
abortController?: AbortController
|
||||
) => Promise<Message | undefined>;
|
||||
|
||||
private recievedMessages: {
|
||||
message: TestMessage;
|
||||
respond: (response: TestMessage) => void;
|
||||
reject: (error: Error) => void;
|
||||
abortController?: AbortController;
|
||||
}[] = [];
|
||||
|
||||
constructor() {
|
||||
this.handler = (message, abortController) =>
|
||||
new Promise((resolve, reject) => {
|
||||
this.recievedMessages.push({
|
||||
message,
|
||||
abortController,
|
||||
respond: (response) => resolve(response),
|
||||
reject: (error) => reject(error),
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
recieve() {
|
||||
const received = this.recievedMessages;
|
||||
this.recievedMessages = [];
|
||||
return received;
|
||||
}
|
||||
}
|
||||
|
||||
class MockMessageChannel<T> {
|
||||
port1 = new MockMessagePort<T>();
|
||||
port2 = new MockMessagePort<T>();
|
||||
|
||||
constructor() {
|
||||
this.port1.remotePort = this.port2;
|
||||
this.port2.remotePort = this.port1;
|
||||
}
|
||||
}
|
||||
|
||||
class MockMessagePort<T> {
|
||||
onmessage: ((ev: MessageEvent<T>) => any) | null;
|
||||
remotePort: MockMessagePort<T>;
|
||||
|
||||
postMessage(message: T, port?: MessagePort) {
|
||||
this.remotePort.onmessage(
|
||||
new MessageEvent("message", { data: message, ports: port ? [port] : [] })
|
||||
);
|
||||
}
|
||||
|
||||
close() {
|
||||
// Do nothing
|
||||
}
|
||||
}
|
130
apps/browser/src/vault/fido2/content/messaging/messenger.ts
Normal file
130
apps/browser/src/vault/fido2/content/messaging/messenger.ts
Normal file
@ -0,0 +1,130 @@
|
||||
import { Message, MessageType } from "./message";
|
||||
|
||||
const SENDER = "bitwarden-webauthn";
|
||||
|
||||
type PostMessageFunction = (message: MessageWithMetadata, remotePort: MessagePort) => void;
|
||||
|
||||
export type Channel = {
|
||||
addEventListener: (listener: (message: MessageEvent<MessageWithMetadata>) => void) => void;
|
||||
postMessage: PostMessageFunction;
|
||||
};
|
||||
|
||||
export type Metadata = { SENDER: typeof SENDER };
|
||||
export type MessageWithMetadata = Message & Metadata;
|
||||
type Handler = (
|
||||
message: MessageWithMetadata,
|
||||
abortController?: AbortController
|
||||
) => Promise<Message | undefined>;
|
||||
|
||||
/**
|
||||
* A class that handles communication between the page and content script. It converts
|
||||
* the browser's broadcasting API into a request/response API with support for seamlessly
|
||||
* handling aborts and exceptions across separate execution contexts.
|
||||
*/
|
||||
export class Messenger {
|
||||
/**
|
||||
* Creates a messenger that uses the browser's `window.postMessage` API to initiate
|
||||
* requests in the content script. Every request will then create it's own
|
||||
* `MessageChannel` through which all subsequent communication will be sent through.
|
||||
*
|
||||
* @param window the window object to use for communication
|
||||
* @returns a `Messenger` instance
|
||||
*/
|
||||
static forDOMCommunication(window: Window) {
|
||||
const windowOrigin = window.location.origin;
|
||||
|
||||
return new Messenger({
|
||||
postMessage: (message, port) => window.postMessage(message, windowOrigin, [port]),
|
||||
addEventListener: (listener) =>
|
||||
window.addEventListener("message", (event: MessageEvent<unknown>) => {
|
||||
if (event.origin !== windowOrigin) {
|
||||
return;
|
||||
}
|
||||
|
||||
listener(event as MessageEvent<MessageWithMetadata>);
|
||||
}),
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* The handler that will be called when a message is recieved. The handler should return
|
||||
* a promise that resolves to the response message. If the handler throws an error, the
|
||||
* error will be sent back to the sender.
|
||||
*/
|
||||
handler?: Handler;
|
||||
|
||||
constructor(private broadcastChannel: Channel) {
|
||||
this.broadcastChannel.addEventListener(async (event) => {
|
||||
if (this.handler === undefined) {
|
||||
return;
|
||||
}
|
||||
|
||||
const message = event.data;
|
||||
const port = event.ports?.[0];
|
||||
if (message?.SENDER !== SENDER || message == null || port == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
const abortController = new AbortController();
|
||||
port.onmessage = (event: MessageEvent<MessageWithMetadata>) => {
|
||||
if (event.data.type === MessageType.AbortRequest) {
|
||||
abortController.abort();
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
const handlerResponse = await this.handler(message, abortController);
|
||||
port.postMessage({ ...handlerResponse, SENDER });
|
||||
} catch (error) {
|
||||
port.postMessage({
|
||||
SENDER,
|
||||
type: MessageType.ErrorResponse,
|
||||
error: JSON.stringify(error, Object.getOwnPropertyNames(error)),
|
||||
});
|
||||
} finally {
|
||||
port.close();
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Sends a request to the content script and returns the response.
|
||||
* AbortController signals will be forwarded to the content script.
|
||||
*
|
||||
* @param request data to send to the content script
|
||||
* @param abortController the abort controller that might be used to abort the request
|
||||
* @returns the response from the content script
|
||||
*/
|
||||
async request(request: Message, abortController?: AbortController): Promise<Message> {
|
||||
const requestChannel = new MessageChannel();
|
||||
const { port1: localPort, port2: remotePort } = requestChannel;
|
||||
|
||||
try {
|
||||
const promise = new Promise<Message>((resolve) => {
|
||||
localPort.onmessage = (event: MessageEvent<MessageWithMetadata>) => resolve(event.data);
|
||||
});
|
||||
|
||||
const abortListener = () =>
|
||||
localPort.postMessage({
|
||||
metadata: { SENDER },
|
||||
type: MessageType.AbortRequest,
|
||||
});
|
||||
abortController?.signal.addEventListener("abort", abortListener);
|
||||
|
||||
this.broadcastChannel.postMessage({ ...request, SENDER }, remotePort);
|
||||
const response = await promise;
|
||||
|
||||
abortController?.signal.removeEventListener("abort", abortListener);
|
||||
|
||||
if (response.type === MessageType.ErrorResponse) {
|
||||
const error = new Error();
|
||||
Object.assign(error, JSON.parse(response.error));
|
||||
throw error;
|
||||
}
|
||||
|
||||
return response;
|
||||
} finally {
|
||||
localPort.close();
|
||||
}
|
||||
}
|
||||
}
|
140
apps/browser/src/vault/fido2/content/page-script.ts
Normal file
140
apps/browser/src/vault/fido2/content/page-script.ts
Normal file
@ -0,0 +1,140 @@
|
||||
import { FallbackRequestedError } from "@bitwarden/common/vault/abstractions/fido2/fido2-client.service.abstraction";
|
||||
|
||||
import { WebauthnUtils } from "../webauthn-utils";
|
||||
|
||||
import { MessageType } from "./messaging/message";
|
||||
import { Messenger } from "./messaging/messenger";
|
||||
|
||||
const BrowserPublicKeyCredential = window.PublicKeyCredential;
|
||||
|
||||
const browserNativeWebauthnSupport = window.PublicKeyCredential != undefined;
|
||||
let browserNativeWebauthnPlatformAuthenticatorSupport = false;
|
||||
if (!browserNativeWebauthnSupport) {
|
||||
// Polyfill webauthn support
|
||||
try {
|
||||
// credentials is read-only if supported, use type-casting to force assignment
|
||||
(navigator as any).credentials = {
|
||||
async create() {
|
||||
throw new Error("Webauthn not supported in this browser.");
|
||||
},
|
||||
async get() {
|
||||
throw new Error("Webauthn not supported in this browser.");
|
||||
},
|
||||
};
|
||||
window.PublicKeyCredential = class PolyfillPublicKeyCredential {
|
||||
static isUserVerifyingPlatformAuthenticatorAvailable() {
|
||||
return Promise.resolve(true);
|
||||
}
|
||||
} as any;
|
||||
window.AuthenticatorAttestationResponse =
|
||||
class PolyfillAuthenticatorAttestationResponse {} as any;
|
||||
} catch {
|
||||
/* empty */
|
||||
}
|
||||
}
|
||||
|
||||
if (browserNativeWebauthnSupport) {
|
||||
BrowserPublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then((available) => {
|
||||
browserNativeWebauthnPlatformAuthenticatorSupport = available;
|
||||
|
||||
if (!available) {
|
||||
// Polyfill platform authenticator support
|
||||
window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable = () =>
|
||||
Promise.resolve(true);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
const browserCredentials = {
|
||||
create: navigator.credentials.create.bind(
|
||||
navigator.credentials
|
||||
) as typeof navigator.credentials.create,
|
||||
get: navigator.credentials.get.bind(navigator.credentials) as typeof navigator.credentials.get,
|
||||
};
|
||||
|
||||
const messenger = Messenger.forDOMCommunication(window);
|
||||
|
||||
function isSameOriginWithAncestors() {
|
||||
try {
|
||||
return window.self === window.top;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
navigator.credentials.create = async (
|
||||
options?: CredentialCreationOptions,
|
||||
abortController?: AbortController
|
||||
): Promise<Credential> => {
|
||||
const fallbackSupported =
|
||||
(options?.publicKey?.authenticatorSelection.authenticatorAttachment === "platform" &&
|
||||
browserNativeWebauthnPlatformAuthenticatorSupport) ||
|
||||
(options?.publicKey?.authenticatorSelection.authenticatorAttachment !== "platform" &&
|
||||
browserNativeWebauthnSupport);
|
||||
try {
|
||||
const isNotIframe = isSameOriginWithAncestors();
|
||||
|
||||
const response = await messenger.request(
|
||||
{
|
||||
type: MessageType.CredentialCreationRequest,
|
||||
data: WebauthnUtils.mapCredentialCreationOptions(
|
||||
options,
|
||||
window.location.origin,
|
||||
isNotIframe,
|
||||
fallbackSupported
|
||||
),
|
||||
},
|
||||
abortController
|
||||
);
|
||||
|
||||
if (response.type !== MessageType.CredentialCreationResponse) {
|
||||
throw new Error("Something went wrong.");
|
||||
}
|
||||
|
||||
return WebauthnUtils.mapCredentialRegistrationResult(response.result);
|
||||
} catch (error) {
|
||||
if (error && error.fallbackRequested && fallbackSupported) {
|
||||
return await browserCredentials.create(options);
|
||||
}
|
||||
|
||||
throw error;
|
||||
}
|
||||
};
|
||||
|
||||
navigator.credentials.get = async (
|
||||
options?: CredentialRequestOptions,
|
||||
abortController?: AbortController
|
||||
): Promise<Credential> => {
|
||||
const fallbackSupported = browserNativeWebauthnSupport;
|
||||
|
||||
try {
|
||||
if (options?.mediation && options.mediation !== "optional") {
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
const response = await messenger.request(
|
||||
{
|
||||
type: MessageType.CredentialGetRequest,
|
||||
data: WebauthnUtils.mapCredentialRequestOptions(
|
||||
options,
|
||||
window.location.origin,
|
||||
true,
|
||||
fallbackSupported
|
||||
),
|
||||
},
|
||||
abortController
|
||||
);
|
||||
|
||||
if (response.type !== MessageType.CredentialGetResponse) {
|
||||
throw new Error("Something went wrong.");
|
||||
}
|
||||
|
||||
return WebauthnUtils.mapCredentialAssertResult(response.result);
|
||||
} catch (error) {
|
||||
if (error && error.fallbackRequested && fallbackSupported) {
|
||||
return await browserCredentials.get(options);
|
||||
}
|
||||
|
||||
throw error;
|
||||
}
|
||||
};
|
141
apps/browser/src/vault/fido2/webauthn-utils.ts
Normal file
141
apps/browser/src/vault/fido2/webauthn-utils.ts
Normal file
@ -0,0 +1,141 @@
|
||||
import {
|
||||
CreateCredentialParams,
|
||||
CreateCredentialResult,
|
||||
AssertCredentialParams,
|
||||
AssertCredentialResult,
|
||||
} from "@bitwarden/common/vault/abstractions/fido2/fido2-client.service.abstraction";
|
||||
import { Fido2Utils } from "@bitwarden/common/vault/services/fido2/fido2-utils";
|
||||
|
||||
export class WebauthnUtils {
|
||||
static mapCredentialCreationOptions(
|
||||
options: CredentialCreationOptions,
|
||||
origin: string,
|
||||
sameOriginWithAncestors: boolean,
|
||||
fallbackSupported: boolean
|
||||
): CreateCredentialParams {
|
||||
const keyOptions = options.publicKey;
|
||||
|
||||
if (keyOptions == undefined) {
|
||||
throw new Error("Public-key options not found");
|
||||
}
|
||||
|
||||
return {
|
||||
origin,
|
||||
attestation: keyOptions.attestation,
|
||||
authenticatorSelection: {
|
||||
requireResidentKey: keyOptions.authenticatorSelection?.requireResidentKey,
|
||||
residentKey: keyOptions.authenticatorSelection?.residentKey,
|
||||
userVerification: keyOptions.authenticatorSelection?.userVerification,
|
||||
},
|
||||
challenge: Fido2Utils.bufferToString(keyOptions.challenge),
|
||||
excludeCredentials: keyOptions.excludeCredentials?.map((credential) => ({
|
||||
id: Fido2Utils.bufferToString(credential.id),
|
||||
transports: credential.transports,
|
||||
type: credential.type,
|
||||
})),
|
||||
extensions: undefined, // extensions not currently supported
|
||||
pubKeyCredParams: keyOptions.pubKeyCredParams.map((params) => ({
|
||||
alg: params.alg,
|
||||
type: params.type,
|
||||
})),
|
||||
rp: {
|
||||
id: keyOptions.rp.id,
|
||||
name: keyOptions.rp.name,
|
||||
},
|
||||
user: {
|
||||
id: Fido2Utils.bufferToString(keyOptions.user.id),
|
||||
displayName: keyOptions.user.displayName,
|
||||
},
|
||||
timeout: keyOptions.timeout,
|
||||
sameOriginWithAncestors,
|
||||
fallbackSupported,
|
||||
};
|
||||
}
|
||||
|
||||
static mapCredentialRegistrationResult(result: CreateCredentialResult): PublicKeyCredential {
|
||||
const credential = {
|
||||
id: result.credentialId,
|
||||
rawId: Fido2Utils.stringToBuffer(result.credentialId),
|
||||
type: "public-key",
|
||||
authenticatorAttachment: "cross-platform",
|
||||
response: {
|
||||
clientDataJSON: Fido2Utils.stringToBuffer(result.clientDataJSON),
|
||||
attestationObject: Fido2Utils.stringToBuffer(result.attestationObject),
|
||||
|
||||
getAuthenticatorData(): ArrayBuffer {
|
||||
return Fido2Utils.stringToBuffer(result.authData);
|
||||
},
|
||||
|
||||
getPublicKey(): ArrayBuffer {
|
||||
return null;
|
||||
},
|
||||
|
||||
getPublicKeyAlgorithm(): number {
|
||||
return result.publicKeyAlgorithm;
|
||||
},
|
||||
|
||||
getTransports(): string[] {
|
||||
return result.transports;
|
||||
},
|
||||
} as AuthenticatorAttestationResponse,
|
||||
getClientExtensionResults: () => ({}),
|
||||
} as PublicKeyCredential;
|
||||
|
||||
// Modify prototype chains to fix `instanceof` calls.
|
||||
// This makes these objects indistinguishable from the native classes.
|
||||
// Unfortunately PublicKeyCredential does not have a javascript constructor so `extends` does not work here.
|
||||
Object.setPrototypeOf(credential.response, AuthenticatorAttestationResponse.prototype);
|
||||
Object.setPrototypeOf(credential, PublicKeyCredential.prototype);
|
||||
|
||||
return credential;
|
||||
}
|
||||
|
||||
static mapCredentialRequestOptions(
|
||||
options: CredentialRequestOptions,
|
||||
origin: string,
|
||||
sameOriginWithAncestors: boolean,
|
||||
fallbackSupported: boolean
|
||||
): AssertCredentialParams {
|
||||
const keyOptions = options.publicKey;
|
||||
|
||||
if (keyOptions == undefined) {
|
||||
throw new Error("Public-key options not found");
|
||||
}
|
||||
|
||||
return {
|
||||
origin,
|
||||
allowedCredentialIds:
|
||||
keyOptions.allowCredentials?.map((c) => Fido2Utils.bufferToString(c.id)) ?? [],
|
||||
challenge: Fido2Utils.bufferToString(keyOptions.challenge),
|
||||
rpId: keyOptions.rpId,
|
||||
userVerification: keyOptions.userVerification,
|
||||
timeout: keyOptions.timeout,
|
||||
sameOriginWithAncestors,
|
||||
fallbackSupported,
|
||||
};
|
||||
}
|
||||
|
||||
static mapCredentialAssertResult(result: AssertCredentialResult): PublicKeyCredential {
|
||||
const credential = {
|
||||
id: result.credentialId,
|
||||
rawId: Fido2Utils.stringToBuffer(result.credentialId),
|
||||
type: "public-key",
|
||||
response: {
|
||||
authenticatorData: Fido2Utils.stringToBuffer(result.authenticatorData),
|
||||
clientDataJSON: Fido2Utils.stringToBuffer(result.clientDataJSON),
|
||||
signature: Fido2Utils.stringToBuffer(result.signature),
|
||||
userHandle: Fido2Utils.stringToBuffer(result.userHandle),
|
||||
} as AuthenticatorAssertionResponse,
|
||||
getClientExtensionResults: () => ({}),
|
||||
authenticatorAttachment: "cross-platform",
|
||||
} as PublicKeyCredential;
|
||||
|
||||
// Modify prototype chains to fix `instanceof` calls.
|
||||
// This makes these objects indistinguishable from the native classes.
|
||||
// Unfortunately PublicKeyCredential does not have a javascript constructor so `extends` does not work here.
|
||||
Object.setPrototypeOf(credential.response, AuthenticatorAssertionResponse.prototype);
|
||||
Object.setPrototypeOf(credential, PublicKeyCredential.prototype);
|
||||
|
||||
return credential;
|
||||
}
|
||||
}
|
@ -0,0 +1,27 @@
|
||||
<div
|
||||
role="group"
|
||||
appA11yTitle="{{ cipher.name }} {{ cipher.subTitle }}"
|
||||
class="virtual-scroll-item"
|
||||
[ngClass]="{ 'override-last': !last }"
|
||||
>
|
||||
<div class="box-content-row box-content-row-flex">
|
||||
<button
|
||||
type="button"
|
||||
(click)="selectCipher(cipher)"
|
||||
tabindex="0"
|
||||
appStopClick
|
||||
title="{{ title }} - {{ cipher.name }}"
|
||||
[ngClass]="{ 'row-main': true, 'row-selected': isSelected && !isSearching }"
|
||||
>
|
||||
<app-vault-icon [cipher]="cipher"></app-vault-icon>
|
||||
<div class="row-main-content">
|
||||
<span class="text">
|
||||
<span class="truncate-box">
|
||||
<span class="truncate">{{ cipher.name }}</span>
|
||||
</span>
|
||||
</span>
|
||||
<span class="detail" *ngIf="cipher.subTitle">{{ cipher.subTitle }}</span>
|
||||
</div>
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
@ -0,0 +1,20 @@
|
||||
import { Component, EventEmitter, Input, Output } from "@angular/core";
|
||||
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
|
||||
@Component({
|
||||
selector: "app-fido2-cipher-row",
|
||||
templateUrl: "fido2-cipher-row.component.html",
|
||||
})
|
||||
export class Fido2CipherRowComponent {
|
||||
@Output() onSelected = new EventEmitter<CipherView>();
|
||||
@Input() cipher: CipherView;
|
||||
@Input() last: boolean;
|
||||
@Input() title: string;
|
||||
@Input() isSearching: boolean;
|
||||
@Input() isSelected: boolean;
|
||||
|
||||
selectCipher(c: CipherView) {
|
||||
this.onSelected.emit(c);
|
||||
}
|
||||
}
|
@ -0,0 +1,5 @@
|
||||
<div class="useBrowserlink" *ngIf="(fido2PopoutSessionData$ | async).fallbackSupported">
|
||||
<button appStopClick type="button" (click)="abort()">
|
||||
{{ "useBrowserName" | i18n }}
|
||||
</button>
|
||||
</div>
|
@ -0,0 +1,21 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { firstValueFrom } from "rxjs";
|
||||
|
||||
import {
|
||||
BrowserFido2UserInterfaceSession,
|
||||
fido2PopoutSessionData$,
|
||||
} from "../../../fido2/browser-fido2-user-interface.service";
|
||||
|
||||
@Component({
|
||||
selector: "app-fido2-use-browser-link",
|
||||
templateUrl: "fido2-use-browser-link.component.html",
|
||||
})
|
||||
export class Fido2UseBrowserLinkComponent {
|
||||
fido2PopoutSessionData$ = fido2PopoutSessionData$();
|
||||
|
||||
async abort() {
|
||||
const sessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||
BrowserFido2UserInterfaceSession.abortPopout(sessionData.sessionId, true);
|
||||
return;
|
||||
}
|
||||
}
|
@ -0,0 +1,139 @@
|
||||
<ng-container *ngIf="data$ | async as data">
|
||||
<div class="auth-wrapper">
|
||||
<div class="auth-header">
|
||||
<div class="left">
|
||||
<ng-container *ngIf="data.message.type != 'PickCredentialRequest'">
|
||||
<div class="logo">
|
||||
<i class="bwi bwi-shield"></i>
|
||||
</div>
|
||||
</ng-container>
|
||||
<ng-container *ngIf="data.message.type == 'PickCredentialRequest'">
|
||||
<div class="logo">
|
||||
<i class="bwi bwi-shield"></i><span><strong>bit</strong>warden</span>
|
||||
</div>
|
||||
</ng-container>
|
||||
</div>
|
||||
<ng-container *ngIf="data.message.type == 'ConfirmNewCredentialRequest'">
|
||||
<div class="search">
|
||||
<input
|
||||
type="{{ searchTypeSearch ? 'search' : 'text' }}"
|
||||
placeholder="{{ 'searchVault' | i18n }}"
|
||||
id="search"
|
||||
[(ngModel)]="searchText"
|
||||
(input)="search(200)"
|
||||
autocomplete="off"
|
||||
appAutofocus
|
||||
/>
|
||||
<i class="bwi bwi-search" aria-hidden="true"></i>
|
||||
</div>
|
||||
<div class="right">
|
||||
<button type="button" (click)="addCipher()" appA11yTitle="{{ 'addItem' | i18n }}">
|
||||
<i class="bwi bwi-plus bwi-lg bwi-fw" aria-hidden="true"></i>
|
||||
</button>
|
||||
</div>
|
||||
</ng-container>
|
||||
</div>
|
||||
|
||||
<ng-container>
|
||||
<ng-container
|
||||
*ngIf="
|
||||
data.message.type === 'PickCredentialRequest' ||
|
||||
data.message.type === 'ConfirmNewCredentialRequest'
|
||||
"
|
||||
>
|
||||
<div class="auth-flow">
|
||||
<p class="subtitle" appA11yTitle="{{ subtitleText | i18n }}">
|
||||
{{ subtitleText | i18n }}
|
||||
</p>
|
||||
<!-- Display when ciphers exist -->
|
||||
<ng-container *ngIf="displayedCiphers.length > 0">
|
||||
<div class="box list">
|
||||
<div class="box-content">
|
||||
<app-fido2-cipher-row
|
||||
*ngFor="let cipherItem of displayedCiphers"
|
||||
[cipher]="cipherItem"
|
||||
[isSearching]="searchPending"
|
||||
title="{{ 'passkeyItem' | i18n }}"
|
||||
(onSelected)="selectedPasskey($event)"
|
||||
[isSelected]="cipher === cipherItem"
|
||||
></app-fido2-cipher-row>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="box">
|
||||
<button
|
||||
type="submit"
|
||||
(click)="submit()"
|
||||
class="btn primary block"
|
||||
appA11yTitle="{{ credentialText | i18n }}"
|
||||
>
|
||||
<span [hidden]="loading">
|
||||
{{ credentialText | i18n }}
|
||||
</span>
|
||||
<i
|
||||
class="bwi bwi-spinner bwi-lg bwi-spin"
|
||||
[hidden]="!loading"
|
||||
aria-hidden="true"
|
||||
></i>
|
||||
</button>
|
||||
</div>
|
||||
</ng-container>
|
||||
|
||||
<ng-container *ngIf="!displayedCiphers.length">
|
||||
<div class="box">
|
||||
<button
|
||||
type="submit"
|
||||
(click)="saveNewLogin()"
|
||||
class="btn primary block"
|
||||
appA11yTitle="{{ 'savePasskeyNewLogin' | i18n }}"
|
||||
>
|
||||
<span [hidden]="loading">
|
||||
{{ "savePasskeyNewLogin" | i18n }}
|
||||
</span>
|
||||
<i
|
||||
class="bwi bwi-spinner bwi-lg bwi-spin"
|
||||
[hidden]="!loading"
|
||||
aria-hidden="true"
|
||||
></i>
|
||||
</button>
|
||||
</div>
|
||||
</ng-container>
|
||||
</div>
|
||||
</ng-container>
|
||||
<ng-container *ngIf="data.message.type == 'InformExcludedCredentialRequest'">
|
||||
<div class="auth-flow">
|
||||
<p class="subtitle">{{ "passkeyAlreadyExists" | i18n }}</p>
|
||||
<div class="box list">
|
||||
<div class="box-content">
|
||||
<app-fido2-cipher-row
|
||||
*ngFor="let cipherItem of displayedCiphers"
|
||||
[cipher]="cipherItem"
|
||||
title="{{ 'passkeyItem' | i18n }}"
|
||||
(onSelected)="selectedPasskey($event)"
|
||||
[isSelected]="cipher === cipherItem"
|
||||
></app-fido2-cipher-row>
|
||||
</div>
|
||||
</div>
|
||||
<button type="button" class="btn primary block" (click)="viewPasskey()">
|
||||
<span [hidden]="loading">{{ "viewItem" | i18n }}</span>
|
||||
<i class="bwi bwi-spinner bwi-lg bwi-spin" [hidden]="!loading" aria-hidden="true"></i>
|
||||
</button>
|
||||
</div>
|
||||
</ng-container>
|
||||
<ng-container *ngIf="data.message.type == 'InformCredentialNotFoundRequest'">
|
||||
<div class="auth-flow">
|
||||
<p class="subtitle">{{ "noPasskeysFoundForThisApplication" | i18n }}</p>
|
||||
</div>
|
||||
<button type="button" class="btn primary block" (click)="abort(false)">
|
||||
<span [hidden]="loading">{{ "close" | i18n }}</span>
|
||||
<i class="bwi bwi-spinner bwi-lg bwi-spin" [hidden]="!loading" aria-hidden="true"></i>
|
||||
</button>
|
||||
</ng-container>
|
||||
</ng-container>
|
||||
<div class="useBrowserlink">
|
||||
<button *ngIf="data.fallbackSupported" appStopClick type="button" (click)="abort(true)">
|
||||
{{ "useBrowserName" | i18n }}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</ng-container>
|
427
apps/browser/src/vault/popup/components/fido2/fido2.component.ts
Normal file
427
apps/browser/src/vault/popup/components/fido2/fido2.component.ts
Normal file
@ -0,0 +1,427 @@
|
||||
import { Component, OnDestroy, OnInit } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import {
|
||||
BehaviorSubject,
|
||||
combineLatest,
|
||||
concatMap,
|
||||
filter,
|
||||
map,
|
||||
Observable,
|
||||
Subject,
|
||||
take,
|
||||
takeUntil,
|
||||
} from "rxjs";
|
||||
|
||||
import { SearchService } from "@bitwarden/common/abstractions/search.service";
|
||||
import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
|
||||
import { SecureNoteType } from "@bitwarden/common/enums";
|
||||
import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
|
||||
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
|
||||
import { Utils } from "@bitwarden/common/platform/misc/utils";
|
||||
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
|
||||
import { CipherRepromptType } from "@bitwarden/common/vault/enums/cipher-reprompt-type";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
|
||||
import { CardView } from "@bitwarden/common/vault/models/view/card.view";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { IdentityView } from "@bitwarden/common/vault/models/view/identity.view";
|
||||
import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view";
|
||||
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
||||
import { SecureNoteView } from "@bitwarden/common/vault/models/view/secure-note.view";
|
||||
import { DialogService } from "@bitwarden/components";
|
||||
import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
|
||||
import { BrowserApi } from "../../../../platform/browser/browser-api";
|
||||
import {
|
||||
BrowserFido2Message,
|
||||
BrowserFido2UserInterfaceSession,
|
||||
} from "../../../fido2/browser-fido2-user-interface.service";
|
||||
|
||||
interface ViewData {
|
||||
message: BrowserFido2Message;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
|
||||
@Component({
|
||||
selector: "app-fido2",
|
||||
templateUrl: "fido2.component.html",
|
||||
styleUrls: [],
|
||||
})
|
||||
export class Fido2Component implements OnInit, OnDestroy {
|
||||
private destroy$ = new Subject<void>();
|
||||
private hasSearched = false;
|
||||
private searchTimeout: any = null;
|
||||
private hasLoadedAllCiphers = false;
|
||||
|
||||
protected cipher: CipherView;
|
||||
protected searchTypeSearch = false;
|
||||
protected searchPending = false;
|
||||
protected searchText: string;
|
||||
protected url: string;
|
||||
protected hostname: string;
|
||||
protected data$: Observable<ViewData>;
|
||||
protected sessionId?: string;
|
||||
protected senderTabId?: string;
|
||||
protected ciphers?: CipherView[] = [];
|
||||
protected displayedCiphers?: CipherView[] = [];
|
||||
protected loading = false;
|
||||
protected subtitleText: string;
|
||||
protected credentialText: string;
|
||||
|
||||
private message$ = new BehaviorSubject<BrowserFido2Message>(null);
|
||||
|
||||
constructor(
|
||||
private router: Router,
|
||||
private activatedRoute: ActivatedRoute,
|
||||
private cipherService: CipherService,
|
||||
private passwordRepromptService: PasswordRepromptService,
|
||||
private platformUtilsService: PlatformUtilsService,
|
||||
private settingsService: SettingsService,
|
||||
private searchService: SearchService,
|
||||
private logService: LogService,
|
||||
private dialogService: DialogService
|
||||
) {}
|
||||
|
||||
ngOnInit() {
|
||||
this.searchTypeSearch = !this.platformUtilsService.isSafari();
|
||||
|
||||
const queryParams$ = this.activatedRoute.queryParamMap.pipe(
|
||||
take(1),
|
||||
map((queryParamMap) => ({
|
||||
sessionId: queryParamMap.get("sessionId"),
|
||||
senderTabId: queryParamMap.get("senderTabId"),
|
||||
senderUrl: queryParamMap.get("senderUrl"),
|
||||
}))
|
||||
);
|
||||
|
||||
combineLatest([queryParams$, BrowserApi.messageListener$() as Observable<BrowserFido2Message>])
|
||||
.pipe(
|
||||
concatMap(async ([queryParams, message]) => {
|
||||
this.sessionId = queryParams.sessionId;
|
||||
this.senderTabId = queryParams.senderTabId;
|
||||
this.url = queryParams.senderUrl;
|
||||
// For a 'NewSessionCreatedRequest', abort if it doesn't belong to the current session.
|
||||
if (
|
||||
message.type === "NewSessionCreatedRequest" &&
|
||||
message.sessionId !== queryParams.sessionId
|
||||
) {
|
||||
this.abort(false);
|
||||
return;
|
||||
}
|
||||
|
||||
// Ignore messages that don't belong to the current session.
|
||||
if (message.sessionId !== queryParams.sessionId) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (message.type === "AbortRequest") {
|
||||
this.abort(false);
|
||||
return;
|
||||
}
|
||||
|
||||
// Show dialog if user account does not have master password
|
||||
if (!(await this.passwordRepromptService.enabled())) {
|
||||
await this.dialogService.openSimpleDialog({
|
||||
title: { key: "featureNotSupported" },
|
||||
content: { key: "passkeyFeatureIsNotImplementedForAccountsWithoutMasterPassword" },
|
||||
acceptButtonText: { key: "ok" },
|
||||
cancelButtonText: null,
|
||||
type: "info",
|
||||
});
|
||||
|
||||
this.abort(true);
|
||||
return;
|
||||
}
|
||||
|
||||
return message;
|
||||
}),
|
||||
filter((message) => !!message),
|
||||
takeUntil(this.destroy$)
|
||||
)
|
||||
.subscribe((message) => {
|
||||
this.message$.next(message);
|
||||
});
|
||||
|
||||
this.data$ = this.message$.pipe(
|
||||
filter((message) => message != undefined),
|
||||
concatMap(async (message) => {
|
||||
switch (message.type) {
|
||||
case "ConfirmNewCredentialRequest": {
|
||||
const equivalentDomains = this.settingsService.getEquivalentDomains(this.url);
|
||||
|
||||
this.ciphers = (await this.cipherService.getAllDecrypted()).filter(
|
||||
(cipher) => cipher.type === CipherType.Login && !cipher.isDeleted
|
||||
);
|
||||
this.displayedCiphers = this.ciphers.filter((cipher) =>
|
||||
cipher.login.matchesUri(this.url, equivalentDomains)
|
||||
);
|
||||
|
||||
if (this.displayedCiphers.length > 0) {
|
||||
this.selectedPasskey(this.displayedCiphers[0]);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
case "PickCredentialRequest": {
|
||||
this.ciphers = await Promise.all(
|
||||
message.cipherIds.map(async (cipherId) => {
|
||||
const cipher = await this.cipherService.get(cipherId);
|
||||
return cipher.decrypt(
|
||||
await this.cipherService.getKeyForCipherKeyDecryption(cipher)
|
||||
);
|
||||
})
|
||||
);
|
||||
this.displayedCiphers = [...this.ciphers];
|
||||
if (this.displayedCiphers.length > 0) {
|
||||
this.selectedPasskey(this.displayedCiphers[0]);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
case "InformExcludedCredentialRequest": {
|
||||
this.ciphers = await Promise.all(
|
||||
message.existingCipherIds.map(async (cipherId) => {
|
||||
const cipher = await this.cipherService.get(cipherId);
|
||||
return cipher.decrypt(
|
||||
await this.cipherService.getKeyForCipherKeyDecryption(cipher)
|
||||
);
|
||||
})
|
||||
);
|
||||
this.displayedCiphers = [...this.ciphers];
|
||||
|
||||
if (this.displayedCiphers.length > 0) {
|
||||
this.selectedPasskey(this.displayedCiphers[0]);
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
this.subtitleText =
|
||||
this.displayedCiphers.length > 0
|
||||
? this.getCredentialSubTitleText(message.type)
|
||||
: "noMatchingPasskeyLogin";
|
||||
|
||||
this.credentialText = this.getCredentialButtonText(message.type);
|
||||
return {
|
||||
message,
|
||||
fallbackSupported: "fallbackSupported" in message && message.fallbackSupported,
|
||||
};
|
||||
}),
|
||||
takeUntil(this.destroy$)
|
||||
);
|
||||
|
||||
queryParams$.pipe(takeUntil(this.destroy$)).subscribe((queryParams) => {
|
||||
this.send({
|
||||
sessionId: queryParams.sessionId,
|
||||
type: "ConnectResponse",
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
async submit() {
|
||||
const data = this.message$.value;
|
||||
if (data?.type === "PickCredentialRequest") {
|
||||
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
cipherId: this.cipher.id,
|
||||
type: "PickCredentialResponse",
|
||||
userVerified,
|
||||
});
|
||||
} else if (data?.type === "ConfirmNewCredentialRequest") {
|
||||
if (this.cipher.login.hasFido2Credentials) {
|
||||
const confirmed = await this.dialogService.openSimpleDialog({
|
||||
title: { key: "overwritePasskey" },
|
||||
content: { key: "overwritePasskeyAlert" },
|
||||
type: "info",
|
||||
});
|
||||
|
||||
if (!confirmed) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
const userVerified = await this.handleUserVerification(data.userVerification, this.cipher);
|
||||
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
cipherId: this.cipher.id,
|
||||
type: "ConfirmNewCredentialResponse",
|
||||
userVerified,
|
||||
});
|
||||
}
|
||||
|
||||
this.loading = true;
|
||||
}
|
||||
|
||||
async saveNewLogin() {
|
||||
const data = this.message$.value;
|
||||
if (data?.type === "ConfirmNewCredentialRequest") {
|
||||
let userVerified = false;
|
||||
if (data.userVerification) {
|
||||
userVerified = await this.passwordRepromptService.showPasswordPrompt();
|
||||
}
|
||||
|
||||
if (!data.userVerification || userVerified) {
|
||||
await this.createNewCipher();
|
||||
}
|
||||
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
cipherId: this.cipher?.id,
|
||||
type: "ConfirmNewCredentialResponse",
|
||||
userVerified,
|
||||
});
|
||||
}
|
||||
|
||||
this.loading = true;
|
||||
}
|
||||
|
||||
getCredentialSubTitleText(messageType: string): string {
|
||||
return messageType == "ConfirmNewCredentialRequest" ? "choosePasskey" : "logInWithPasskey";
|
||||
}
|
||||
|
||||
getCredentialButtonText(messageType: string): string {
|
||||
return messageType == "ConfirmNewCredentialRequest" ? "savePasskey" : "confirm";
|
||||
}
|
||||
|
||||
selectedPasskey(item: CipherView) {
|
||||
this.cipher = item;
|
||||
}
|
||||
|
||||
viewPasskey() {
|
||||
this.router.navigate(["/view-cipher"], {
|
||||
queryParams: {
|
||||
cipherId: this.cipher.id,
|
||||
uilocation: "popout",
|
||||
senderTabId: this.senderTabId,
|
||||
sessionId: this.sessionId,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
addCipher() {
|
||||
const data = this.message$.value;
|
||||
|
||||
if (data?.type !== "ConfirmNewCredentialRequest") {
|
||||
return;
|
||||
}
|
||||
|
||||
this.router.navigate(["/add-cipher"], {
|
||||
queryParams: {
|
||||
name: Utils.getHostname(this.url),
|
||||
uri: this.url,
|
||||
uilocation: "popout",
|
||||
senderTabId: this.senderTabId,
|
||||
sessionId: this.sessionId,
|
||||
userVerification: data.userVerification,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
async loadLoginCiphers() {
|
||||
this.ciphers = (await this.cipherService.getAllDecrypted()).filter(
|
||||
(cipher) => cipher.type === CipherType.Login && !cipher.isDeleted
|
||||
);
|
||||
if (!this.hasLoadedAllCiphers) {
|
||||
this.hasLoadedAllCiphers = !this.searchService.isSearchable(this.searchText);
|
||||
}
|
||||
await this.search(null);
|
||||
}
|
||||
|
||||
async search(timeout: number = null) {
|
||||
this.searchPending = false;
|
||||
if (this.searchTimeout != null) {
|
||||
clearTimeout(this.searchTimeout);
|
||||
}
|
||||
|
||||
if (timeout == null) {
|
||||
this.hasSearched = this.searchService.isSearchable(this.searchText);
|
||||
this.displayedCiphers = await this.searchService.searchCiphers(
|
||||
this.searchText,
|
||||
null,
|
||||
this.ciphers
|
||||
);
|
||||
return;
|
||||
}
|
||||
this.searchPending = true;
|
||||
this.searchTimeout = setTimeout(async () => {
|
||||
this.hasSearched = this.searchService.isSearchable(this.searchText);
|
||||
if (!this.hasLoadedAllCiphers && !this.hasSearched) {
|
||||
await this.loadLoginCiphers();
|
||||
} else {
|
||||
this.displayedCiphers = await this.searchService.searchCiphers(
|
||||
this.searchText,
|
||||
null,
|
||||
this.ciphers
|
||||
);
|
||||
}
|
||||
this.searchPending = false;
|
||||
this.selectedPasskey(this.displayedCiphers[0]);
|
||||
}, timeout);
|
||||
}
|
||||
|
||||
abort(fallback: boolean) {
|
||||
this.unload(fallback);
|
||||
window.close();
|
||||
}
|
||||
|
||||
unload(fallback = false) {
|
||||
this.send({
|
||||
sessionId: this.sessionId,
|
||||
type: "AbortResponse",
|
||||
fallbackRequested: fallback,
|
||||
});
|
||||
}
|
||||
|
||||
ngOnDestroy(): void {
|
||||
this.destroy$.next();
|
||||
this.destroy$.complete();
|
||||
}
|
||||
|
||||
private buildCipher() {
|
||||
this.cipher = new CipherView();
|
||||
this.cipher.name = Utils.getHostname(this.url);
|
||||
this.cipher.type = CipherType.Login;
|
||||
this.cipher.login = new LoginView();
|
||||
this.cipher.login.uris = [new LoginUriView()];
|
||||
this.cipher.login.uris[0].uri = this.url;
|
||||
this.cipher.card = new CardView();
|
||||
this.cipher.identity = new IdentityView();
|
||||
this.cipher.secureNote = new SecureNoteView();
|
||||
this.cipher.secureNote.type = SecureNoteType.Generic;
|
||||
this.cipher.reprompt = CipherRepromptType.None;
|
||||
}
|
||||
|
||||
private async createNewCipher() {
|
||||
this.buildCipher();
|
||||
const cipher = await this.cipherService.encrypt(this.cipher);
|
||||
try {
|
||||
await this.cipherService.createWithServer(cipher);
|
||||
this.cipher.id = cipher.id;
|
||||
} catch (e) {
|
||||
this.logService.error(e);
|
||||
}
|
||||
}
|
||||
|
||||
private async handleUserVerification(
|
||||
userVerification: boolean,
|
||||
cipher: CipherView
|
||||
): Promise<boolean> {
|
||||
const masterPasswordRepromptRequiered = cipher && cipher.reprompt !== 0;
|
||||
const verificationRequired = userVerification || masterPasswordRepromptRequiered;
|
||||
|
||||
if (!verificationRequired) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return await this.passwordRepromptService.showPasswordPrompt();
|
||||
}
|
||||
|
||||
private send(msg: BrowserFido2Message) {
|
||||
BrowserFido2UserInterfaceSession.sendMessage({
|
||||
sessionId: this.sessionId,
|
||||
...msg,
|
||||
});
|
||||
}
|
||||
}
|
@ -129,6 +129,18 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!--Passkey-->
|
||||
<div class="box" *ngIf="cipher.login.hasFido2Credentials && !cloneMode">
|
||||
<div class="box-content">
|
||||
<div class="box-content-row text-muted">
|
||||
<span class="row-label">{{ "typePasskey" | i18n }}</span>
|
||||
{{ "dateCreated" | i18n }}
|
||||
{{ cipher.login.fido2Credentials[0].creationDate | date : "short" }}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="box-content-row" appBoxRow>
|
||||
<label for="loginTotp">{{ "authenticatorKeyTotp" | i18n }}</label>
|
||||
<input
|
||||
|
@ -1,6 +1,7 @@
|
||||
import { Location } from "@angular/common";
|
||||
import { Component } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { firstValueFrom } from "rxjs";
|
||||
import { first } from "rxjs/operators";
|
||||
|
||||
import { AddEditComponent as BaseAddEditComponent } from "@bitwarden/angular/vault/components/add-edit.component";
|
||||
@ -24,6 +25,10 @@ import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
|
||||
import { BrowserApi } from "../../../../platform/browser/browser-api";
|
||||
import { PopupUtilsService } from "../../../../popup/services/popup-utils.service";
|
||||
import {
|
||||
BrowserFido2UserInterfaceSession,
|
||||
fido2PopoutSessionData$,
|
||||
} from "../../../fido2/browser-fido2-user-interface.service";
|
||||
|
||||
@Component({
|
||||
selector: "app-vault-add-edit",
|
||||
@ -39,6 +44,8 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
uilocation?: "popout" | "popup" | "sidebar" | "tab";
|
||||
inPopout = false;
|
||||
|
||||
private fido2PopoutSessionData$ = fido2PopoutSessionData$();
|
||||
|
||||
constructor(
|
||||
cipherService: CipherService,
|
||||
folderService: FolderService,
|
||||
@ -159,11 +166,33 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
}
|
||||
|
||||
async submit(): Promise<boolean> {
|
||||
const fido2SessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||
// Would be refactored after rework is done on the windows popout service
|
||||
if (
|
||||
this.inPopout &&
|
||||
fido2SessionData.isFido2Session &&
|
||||
!(await this.handleFido2UserVerification(
|
||||
fido2SessionData.sessionId,
|
||||
fido2SessionData.userVerification
|
||||
))
|
||||
) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const success = await super.submit();
|
||||
if (!success) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (this.inPopout && fido2SessionData.isFido2Session) {
|
||||
BrowserFido2UserInterfaceSession.confirmNewCredentialResponse(
|
||||
fido2SessionData.sessionId,
|
||||
this.cipher.id,
|
||||
fido2SessionData.userVerification
|
||||
);
|
||||
return true;
|
||||
}
|
||||
|
||||
if (this.popupUtilsService.inTab(window)) {
|
||||
this.popupUtilsService.disableCloseTabWarning();
|
||||
this.messagingService.send("closeTab", { delay: 1000 });
|
||||
@ -204,9 +233,16 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
}
|
||||
}
|
||||
|
||||
cancel() {
|
||||
async cancel() {
|
||||
super.cancel();
|
||||
|
||||
// Would be refactored after rework is done on the windows popout service
|
||||
const sessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||
if (this.inPopout && sessionData.isFido2Session) {
|
||||
BrowserFido2UserInterfaceSession.abortPopout(sessionData.sessionId);
|
||||
return;
|
||||
}
|
||||
|
||||
if (this.senderTabId && this.inPopout) {
|
||||
this.close();
|
||||
return;
|
||||
@ -291,6 +327,18 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
}, 200);
|
||||
}
|
||||
|
||||
private async handleFido2UserVerification(
|
||||
sessionId: string,
|
||||
userVerification: boolean
|
||||
): Promise<boolean> {
|
||||
if (userVerification && !(await this.passwordRepromptService.showPasswordPrompt())) {
|
||||
BrowserFido2UserInterfaceSession.abortPopout(sessionId);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
repromptChanged() {
|
||||
super.repromptChanged();
|
||||
|
||||
|
@ -70,7 +70,9 @@
|
||||
<div class="icon"><i class="bwi bwi-fw bwi-lg bwi-globe"></i></div>
|
||||
<span class="text">{{ "typeLogin" | i18n }}</span>
|
||||
</div>
|
||||
<span class="row-sub-label">{{ typeCounts.get(cipherType.Login) || 0 }}</span>
|
||||
<span class="row-sub-label">
|
||||
{{ typeCounts.get(cipherType.Login) || 0 }}
|
||||
</span>
|
||||
<span><i class="bwi bwi-angle-right bwi-lg row-sub-icon"></i></span>
|
||||
</button>
|
||||
<button
|
||||
|
@ -142,6 +142,18 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!--Passkey-->
|
||||
<div class="box" *ngIf="cipher.login.hasFido2Credentials">
|
||||
<div class="box-content">
|
||||
<div class="box-content-row text-muted">
|
||||
<span class="row-label">{{ "typePasskey" | i18n }}</span>
|
||||
{{ "dateCreated" | i18n }}
|
||||
{{ cipher.login.fido2Credentials[0].creationDate | date : "short" }}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div
|
||||
class="box-content-row box-content-row-flex totp"
|
||||
[ngClass]="{ low: totpLow }"
|
||||
@ -190,7 +202,6 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="box-content-row box-content-row-flex totp" *ngIf="showPremiumRequiredTotp">
|
||||
<div class="row-main">
|
||||
<span class="row-label">{{ "verificationCodeTotp" | i18n }}</span>
|
||||
|
@ -1,7 +1,7 @@
|
||||
import { Location } from "@angular/common";
|
||||
import { ChangeDetectorRef, Component, NgZone } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { Subject, takeUntil } from "rxjs";
|
||||
import { Subject, firstValueFrom, takeUntil } from "rxjs";
|
||||
import { first } from "rxjs/operators";
|
||||
|
||||
import { ViewComponent as BaseViewComponent } from "@bitwarden/angular/vault/components/view.component";
|
||||
@ -29,6 +29,10 @@ import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
import { AutofillService } from "../../../../autofill/services/abstractions/autofill.service";
|
||||
import { BrowserApi } from "../../../../platform/browser/browser-api";
|
||||
import { PopupUtilsService } from "../../../../popup/services/popup-utils.service";
|
||||
import {
|
||||
BrowserFido2UserInterfaceSession,
|
||||
fido2PopoutSessionData$,
|
||||
} from "../../../fido2/browser-fido2-user-interface.service";
|
||||
|
||||
const BroadcasterSubscriptionId = "ChildViewComponent";
|
||||
|
||||
@ -57,6 +61,7 @@ export class ViewComponent extends BaseViewComponent {
|
||||
loadPageDetailsTimeout: number;
|
||||
inPopout = false;
|
||||
cipherType = CipherType;
|
||||
private fido2PopoutSessionData$ = fido2PopoutSessionData$();
|
||||
|
||||
private destroy$ = new Subject<void>();
|
||||
|
||||
@ -301,7 +306,14 @@ export class ViewComponent extends BaseViewComponent {
|
||||
return false;
|
||||
}
|
||||
|
||||
close() {
|
||||
async close() {
|
||||
// Would be refactored after rework is done on the windows popout service
|
||||
const sessionData = await firstValueFrom(this.fido2PopoutSessionData$);
|
||||
if (this.inPopout && sessionData.isFido2Session) {
|
||||
BrowserFido2UserInterfaceSession.abortPopout(sessionData.sessionId);
|
||||
return;
|
||||
}
|
||||
|
||||
if (this.inPopout && this.senderTabId) {
|
||||
BrowserApi.focusTab(this.senderTabId);
|
||||
window.close();
|
||||
|
@ -160,6 +160,8 @@ const mainConfig = {
|
||||
"content/notificationBar": "./src/autofill/content/notification-bar.ts",
|
||||
"content/contextMenuHandler": "./src/autofill/content/context-menu-handler.ts",
|
||||
"content/message_handler": "./src/autofill/content/message_handler.ts",
|
||||
"content/fido2/content-script": "./src/vault/fido2/content/content-script.ts",
|
||||
"content/fido2/page-script": "./src/vault/fido2/content/page-script.ts",
|
||||
"notification/bar": "./src/autofill/notification/bar.ts",
|
||||
"encrypt-worker": "../../libs/common/src/platform/services/cryptography/encrypt.worker.ts",
|
||||
},
|
||||
|
BIN
apps/desktop/src/images/bwi-passkey.png
Normal file
BIN
apps/desktop/src/images/bwi-passkey.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
@ -2416,6 +2416,15 @@
|
||||
"submenu": {
|
||||
"message": "Submenu"
|
||||
},
|
||||
"typePasskey": {
|
||||
"message": "Passkey"
|
||||
},
|
||||
"passkeyNotCopied": {
|
||||
"message": "Passkey will not be copied"
|
||||
},
|
||||
"passkeyNotCopiedAlert": {
|
||||
"message": "The passkey will not be copied to the cloned item. Do you want to continue cloning this item?"
|
||||
},
|
||||
"aliasDomain": {
|
||||
"message": "Alias domain"
|
||||
}
|
||||
|
@ -114,6 +114,17 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
<!--Passkey-->
|
||||
<div
|
||||
class="box-content-row text-muted"
|
||||
*ngIf="cipher.login.hasFido2Credentials && !cloneMode"
|
||||
appBoxRow
|
||||
>
|
||||
<span class="row-label">{{ "typePasskey" | i18n }}</span>
|
||||
{{ "dateCreated" | i18n }}
|
||||
{{ cipher.login.fido2Credentials[0].creationDate | date : "short" }}
|
||||
</div>
|
||||
|
||||
<div class="box-content-row" appBoxRow>
|
||||
<label for="loginTotp">{{ "authenticatorKeyTotp" | i18n }}</label>
|
||||
<input
|
||||
|
@ -118,6 +118,12 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
<!--Passkey-->
|
||||
<div class="box-content-row text-muted" *ngIf="cipher.login.hasFido2Credentials">
|
||||
<span class="row-label">{{ "typePasskey" | i18n }}</span>
|
||||
{{ "dateCreated" | i18n }}
|
||||
{{ cipher.login.fido2Credentials[0].creationDate | date : "short" }}
|
||||
</div>
|
||||
<div
|
||||
class="box-content-row box-content-row-flex totp"
|
||||
[ngClass]="{ low: totpLow }"
|
||||
|
@ -1,7 +1,7 @@
|
||||
import { Component, NgZone, OnDestroy, OnInit } from "@angular/core";
|
||||
import { Component, NgZone, OnInit } from "@angular/core";
|
||||
import { FormBuilder } from "@angular/forms";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { Subject, takeUntil } from "rxjs";
|
||||
import { takeUntil } from "rxjs";
|
||||
import { first } from "rxjs/operators";
|
||||
|
||||
import { LoginComponent as BaseLoginComponent } from "@bitwarden/angular/auth/components/login.component";
|
||||
@ -34,14 +34,13 @@ import { RouterService, StateService } from "../../core";
|
||||
selector: "app-login",
|
||||
templateUrl: "login.component.html",
|
||||
})
|
||||
export class LoginComponent extends BaseLoginComponent implements OnInit, OnDestroy {
|
||||
// eslint-disable-next-line rxjs-angular/prefer-takeuntil
|
||||
export class LoginComponent extends BaseLoginComponent implements OnInit {
|
||||
showResetPasswordAutoEnrollWarning = false;
|
||||
enforcedPasswordPolicyOptions: MasterPasswordPolicyOptions;
|
||||
policies: ListResponse<PolicyResponse>;
|
||||
showPasswordless = false;
|
||||
|
||||
private destroy$ = new Subject<void>();
|
||||
|
||||
constructor(
|
||||
devicesApiService: DevicesApiServiceAbstraction,
|
||||
appIdService: AppIdService,
|
||||
@ -146,11 +145,6 @@ export class LoginComponent extends BaseLoginComponent implements OnInit, OnDest
|
||||
}
|
||||
}
|
||||
|
||||
ngOnDestroy(): void {
|
||||
this.destroy$.next();
|
||||
this.destroy$.complete();
|
||||
}
|
||||
|
||||
async goAfterLogIn() {
|
||||
const masterPassword = this.formGroup.value.masterPassword;
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
import { DatePipe } from "@angular/common";
|
||||
import { Component } from "@angular/core";
|
||||
|
||||
import { AuditService } from "@bitwarden/common/abstractions/audit.service";
|
||||
@ -47,7 +48,8 @@ export class EmergencyAddEditComponent extends BaseAddEditComponent {
|
||||
organizationService: OrganizationService,
|
||||
logService: LogService,
|
||||
sendApiService: SendApiService,
|
||||
dialogService: DialogService
|
||||
dialogService: DialogService,
|
||||
datePipe: DatePipe
|
||||
) {
|
||||
super(
|
||||
cipherService,
|
||||
@ -66,7 +68,8 @@ export class EmergencyAddEditComponent extends BaseAddEditComponent {
|
||||
logService,
|
||||
passwordRepromptService,
|
||||
sendApiService,
|
||||
dialogService
|
||||
dialogService,
|
||||
datePipe
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -100,6 +100,7 @@
|
||||
{{ "launch" | i18n }}
|
||||
</a>
|
||||
</ng-container>
|
||||
|
||||
<button bitMenuItem type="button" (click)="attachments()">
|
||||
<i class="bwi bwi-fw bwi-paperclip" aria-hidden="true"></i>
|
||||
{{ "attachments" | i18n }}
|
||||
|
@ -89,10 +89,7 @@
|
||||
[showGroups]="showGroups"
|
||||
[showPremiumFeatures]="showPremiumFeatures"
|
||||
[useEvents]="useEvents"
|
||||
[cloneable]="
|
||||
(item.cipher.organizationId && cloneableOrganizationCiphers) ||
|
||||
item.cipher.organizationId == null
|
||||
"
|
||||
[cloneable]="canClone(item)"
|
||||
[organizations]="allOrganizations"
|
||||
[collections]="allCollections"
|
||||
[checked]="selection.isSelected(item)"
|
||||
|
@ -148,6 +148,13 @@ export class VaultItemsComponent {
|
||||
});
|
||||
}
|
||||
|
||||
protected canClone(vaultItem: VaultItem) {
|
||||
return (
|
||||
(vaultItem.cipher.organizationId && this.cloneableOrganizationCiphers) ||
|
||||
vaultItem.cipher.organizationId == null
|
||||
);
|
||||
}
|
||||
|
||||
private refreshItems() {
|
||||
const collections: VaultItem[] = this.collections.map((collection) => ({ collection }));
|
||||
const ciphers: VaultItem[] = this.ciphers.map((cipher) => ({ cipher }));
|
||||
|
@ -191,6 +191,25 @@
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
<ng-container *ngIf="cipher.login.hasFido2Credentials">
|
||||
<div class="row">
|
||||
<div class="col-6 form-group">
|
||||
<label for="loginFido2credential">{{ "typePasskey" | i18n }}</label>
|
||||
<div class="input-group">
|
||||
<input
|
||||
id="loginFido2credential"
|
||||
class="form-control"
|
||||
type="text"
|
||||
name="Login.Fido2credential"
|
||||
[value]="fido2CredentialCreationDateValue"
|
||||
appInputVerbatim
|
||||
disabled
|
||||
readonly
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</ng-container>
|
||||
<div class="tw-flex tw-flex-row">
|
||||
<div class="tw-mb-4 tw-w-1/2">
|
||||
<label for="loginTotp">{{ "authenticatorKeyTotp" | i18n }}</label>
|
||||
|
@ -1,3 +1,4 @@
|
||||
import { DatePipe } from "@angular/common";
|
||||
import { Component, OnDestroy, OnInit } from "@angular/core";
|
||||
|
||||
import { AddEditComponent as BaseAddEditComponent } from "@bitwarden/angular/vault/components/add-edit.component";
|
||||
@ -18,7 +19,7 @@ import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.servi
|
||||
import { CollectionService } from "@bitwarden/common/vault/abstractions/collection.service";
|
||||
import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
|
||||
import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view";
|
||||
import { Launchable } from "@bitwarden/common/vault/interfaces/launchable";
|
||||
import { DialogService } from "@bitwarden/components";
|
||||
import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
|
||||
@ -42,6 +43,15 @@ export class AddEditComponent extends BaseAddEditComponent implements OnInit, On
|
||||
protected totpInterval: number;
|
||||
protected override componentName = "app-vault-add-edit";
|
||||
|
||||
get fido2CredentialCreationDateValue(): string {
|
||||
const dateCreated = this.i18nService.t("dateCreated");
|
||||
const creationDate = this.datePipe.transform(
|
||||
this.cipher?.login?.fido2Credentials?.[0]?.creationDate,
|
||||
"short"
|
||||
);
|
||||
return `${dateCreated} ${creationDate}`;
|
||||
}
|
||||
|
||||
constructor(
|
||||
cipherService: CipherService,
|
||||
folderService: FolderService,
|
||||
@ -59,7 +69,8 @@ export class AddEditComponent extends BaseAddEditComponent implements OnInit, On
|
||||
logService: LogService,
|
||||
passwordRepromptService: PasswordRepromptService,
|
||||
sendApiService: SendApiService,
|
||||
dialogService: DialogService
|
||||
dialogService: DialogService,
|
||||
private datePipe: DatePipe
|
||||
) {
|
||||
super(
|
||||
cipherService,
|
||||
@ -131,7 +142,7 @@ export class AddEditComponent extends BaseAddEditComponent implements OnInit, On
|
||||
}
|
||||
}
|
||||
|
||||
launch(uri: LoginUriView) {
|
||||
launch(uri: Launchable) {
|
||||
if (!uri.canLaunch) {
|
||||
return;
|
||||
}
|
||||
|
@ -721,6 +721,18 @@ export class VaultComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
|
||||
async cloneCipher(cipher: CipherView) {
|
||||
if (cipher.login?.hasFido2Credentials) {
|
||||
const confirmed = await this.dialogService.openSimpleDialog({
|
||||
title: { key: "passkeyNotCopied" },
|
||||
content: { key: "passkeyNotCopiedAlert" },
|
||||
type: "info",
|
||||
});
|
||||
|
||||
if (!confirmed) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
const component = await this.editCipher(cipher);
|
||||
component.cloneMode = true;
|
||||
}
|
||||
|
@ -1,3 +1,4 @@
|
||||
import { DatePipe } from "@angular/common";
|
||||
import { Component } from "@angular/core";
|
||||
|
||||
import { ApiService } from "@bitwarden/common/abstractions/api.service";
|
||||
@ -49,7 +50,8 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
passwordRepromptService: PasswordRepromptService,
|
||||
organizationService: OrganizationService,
|
||||
sendApiService: SendApiService,
|
||||
dialogService: DialogService
|
||||
dialogService: DialogService,
|
||||
datePipe: DatePipe
|
||||
) {
|
||||
super(
|
||||
cipherService,
|
||||
@ -68,7 +70,8 @@ export class AddEditComponent extends BaseAddEditComponent {
|
||||
logService,
|
||||
passwordRepromptService,
|
||||
sendApiService,
|
||||
dialogService
|
||||
dialogService,
|
||||
datePipe
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -644,6 +644,18 @@ export class VaultComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
|
||||
async cloneCipher(cipher: CipherView) {
|
||||
if (cipher.login?.hasFido2Credentials) {
|
||||
const confirmed = await this.dialogService.openSimpleDialog({
|
||||
title: { key: "passkeyNotCopied" },
|
||||
content: { key: "passkeyNotCopiedAlert" },
|
||||
type: "info",
|
||||
});
|
||||
|
||||
if (!confirmed) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
const collections = (await firstValueFrom(this.vaultFilterService.filteredCollections$)).filter(
|
||||
(c) => !c.readOnly && c.id != Unassigned
|
||||
);
|
||||
|
BIN
apps/web/src/images/bwi-passkey.png
Normal file
BIN
apps/web/src/images/bwi-passkey.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
@ -7277,5 +7277,14 @@
|
||||
},
|
||||
"customBillingEnd": {
|
||||
"message": " page for latest invoicing."
|
||||
},
|
||||
"typePasskey": {
|
||||
"message": "Passkey"
|
||||
},
|
||||
"passkeyNotCopied": {
|
||||
"message": "Passkey will not be copied"
|
||||
},
|
||||
"passkeyNotCopiedAlert": {
|
||||
"message": "The passkey will not be copied to the cloned item. Do you want to continue cloning this item?"
|
||||
}
|
||||
}
|
||||
|
@ -1,7 +1,8 @@
|
||||
import { Directive, ElementRef, NgZone, OnInit, ViewChild } from "@angular/core";
|
||||
import { Directive, ElementRef, NgZone, OnDestroy, OnInit, ViewChild } from "@angular/core";
|
||||
import { FormBuilder, Validators } from "@angular/forms";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { take } from "rxjs/operators";
|
||||
import { Subject } from "rxjs";
|
||||
import { take, takeUntil } from "rxjs/operators";
|
||||
|
||||
import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
|
||||
import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
|
||||
@ -27,7 +28,7 @@ import {
|
||||
import { CaptchaProtectedComponent } from "./captcha-protected.component";
|
||||
|
||||
@Directive()
|
||||
export class LoginComponent extends CaptchaProtectedComponent implements OnInit {
|
||||
export class LoginComponent extends CaptchaProtectedComponent implements OnInit, OnDestroy {
|
||||
@ViewChild("masterPasswordInput", { static: true }) masterPasswordInput: ElementRef;
|
||||
|
||||
showPassword = false;
|
||||
@ -53,6 +54,8 @@ export class LoginComponent extends CaptchaProtectedComponent implements OnInit
|
||||
protected successRoute = "vault";
|
||||
protected forcePasswordResetRoute = "update-temp-password";
|
||||
|
||||
protected destroy$ = new Subject<void>();
|
||||
|
||||
get loggedEmail() {
|
||||
return this.formGroup.value.email;
|
||||
}
|
||||
@ -83,15 +86,18 @@ export class LoginComponent extends CaptchaProtectedComponent implements OnInit
|
||||
}
|
||||
|
||||
async ngOnInit() {
|
||||
this.route?.queryParams.subscribe((params) => {
|
||||
if (params != null) {
|
||||
const queryParamsEmail = params["email"];
|
||||
this.route?.queryParams.pipe(takeUntil(this.destroy$)).subscribe((params) => {
|
||||
if (!params) {
|
||||
return;
|
||||
}
|
||||
|
||||
const queryParamsEmail = params.email;
|
||||
|
||||
if (queryParamsEmail != null && queryParamsEmail.indexOf("@") > -1) {
|
||||
this.formGroup.get("email").setValue(queryParamsEmail);
|
||||
this.loginService.setEmail(queryParamsEmail);
|
||||
this.paramEmailSet = true;
|
||||
}
|
||||
}
|
||||
});
|
||||
let email = this.loginService.getEmail();
|
||||
|
||||
@ -109,6 +115,11 @@ export class LoginComponent extends CaptchaProtectedComponent implements OnInit
|
||||
this.formGroup.get("rememberEmail")?.setValue(rememberEmail);
|
||||
}
|
||||
|
||||
ngOnDestroy() {
|
||||
this.destroy$.next();
|
||||
this.destroy$.complete();
|
||||
}
|
||||
|
||||
async submit(showToast = true) {
|
||||
const data = this.formGroup.value;
|
||||
|
||||
|
@ -53,7 +53,7 @@
|
||||
<glyph unicode="" glyph-name="plus" data-tags="bw-plus" d="M992 420.864h-416c-8.486 0-16.627 3.372-22.63 9.373-5.997 6.001-9.37 14.14-9.37 22.627v411.136c0 8.487-3.373 16.626-9.37 22.627-6.003 6.001-14.144 9.373-22.63 9.373s-16.627-3.371-22.627-9.373c-6.001-6.001-9.373-14.14-9.373-22.627v-411.136c0-8.487-3.372-16.627-9.373-22.627s-14.14-9.373-22.627-9.373h-416c-4.202 0-8.364-0.828-12.246-2.436s-7.41-3.965-10.381-6.937c-2.972-2.972-5.329-6.499-6.937-10.381s-2.436-8.044-2.436-12.246c0-4.202 0.828-8.364 2.436-12.246s3.965-7.41 6.937-10.381c2.972-2.972 6.499-5.329 10.381-6.937s8.044-2.436 12.246-2.436h416c8.487 0 16.627-3.372 22.627-9.373s9.373-14.14 9.373-22.627v-420.864c0-8.486 3.372-16.627 9.373-22.63 6.001-5.997 14.14-9.37 22.627-9.37s16.627 3.373 22.63 9.37c5.997 6.003 9.37 14.144 9.37 22.63v420.864c0 8.487 3.373 16.626 9.37 22.627 6.003 6.001 14.144 9.373 22.63 9.373h416c8.486 0 16.627 3.372 22.63 9.373 5.997 6.001 9.37 14.14 9.37 22.627s-3.373 16.627-9.37 22.627c-6.003 6.001-14.144 9.373-22.63 9.373v0z" />
|
||||
<glyph unicode="" glyph-name="star" data-tags="bw-star" d="M251.392-96c-19.539 0.038-38.554 6.317-54.272 17.92-13.35 9.728-23.703 23.008-29.88 38.323-6.177 15.322-7.932 32.064-5.064 48.333l39.296 223.488c0.672 3.962 0.351 8.032-0.932 11.84s-3.493 7.238-6.428 9.984l-166.528 158.272c-12.113 11.374-20.749 25.951-24.907 42.038s-3.665 33.023 1.419 48.842c5.174 16.164 14.832 30.525 27.851 41.414s28.861 17.855 45.685 20.090l230.4 32.64c4.243 0.558 8.289 2.129 11.798 4.58s6.376 5.709 8.362 9.5l102.528 203.328c7.606 14.958 19.226 27.503 33.559 36.229s30.813 13.29 47.596 13.178v0c16.768 0.114 33.242-4.449 47.565-13.176s25.933-21.274 33.523-36.232v0l102.976-203.392c1.958-3.78 4.8-7.029 8.288-9.47 3.494-2.441 7.52-4.001 11.744-4.546l230.4-32.64c16.819-2.235 32.666-9.202 45.683-20.090s22.675-25.25 27.853-41.414c5.082-15.819 5.574-32.755 1.414-48.842-4.154-16.087-12.794-30.664-24.902-42.038l-166.4-158.272c-2.944-2.746-5.158-6.17-6.458-9.978-1.293-3.808-1.626-7.878-0.966-11.846l39.36-223.488c2.867-16.269 1.114-33.011-5.069-48.333-6.176-15.315-16.525-28.595-29.875-38.323-13.702-10.086-29.946-16.154-46.899-17.523-16.96-1.363-33.965 2.022-49.101 9.779l-206.336 105.536c-3.917 1.99-8.25 3.027-12.64 3.027-4.396 0-8.726-1.037-12.643-3.027l-205.888-105.6c-13.039-6.656-27.472-10.125-42.112-10.112v0zM511.874 800c-4.938 0.063-9.793-1.244-14.030-3.774s-7.689-6.187-9.972-10.562l-102.912-203.264c-6.607-12.996-16.265-24.197-28.147-32.646s-25.633-13.892-40.077-15.866l-230.080-32.64c-4.906-0.575-9.546-2.535-13.377-5.652s-6.694-7.261-8.255-11.948c-1.462-4.344-1.636-9.018-0.5-13.459s3.532-8.457 6.9-11.565l166.4-158.336c10.595-10.017 18.547-22.5 23.148-36.335 4.6-13.834 5.707-28.593 3.22-42.961l-38.976-223.552c-0.807-4.531-0.302-9.197 1.456-13.446 1.757-4.256 4.694-7.917 8.464-10.554 4.132-3.091 9.058-4.941 14.203-5.338s10.296 0.678 14.853 3.098l205.824 105.6c12.972 6.656 27.341 10.125 41.923 10.125 14.579 0 28.947-3.469 41.92-10.125l205.696-105.6c4.55-2.432 9.702-3.507 14.854-3.11 5.146 0.397 10.074 2.253 14.202 5.35 3.763 2.656 6.694 6.33 8.448 10.592s2.266 8.934 1.472 13.472l-39.296 223.424c-2.534 14.362-1.459 29.126 3.13 42.971 4.595 13.843 12.557 26.326 23.174 36.325l166.4 158.336c3.386 3.094 5.798 7.11 6.931 11.556 1.139 4.445 0.954 9.126-0.531 13.468-1.517 4.701-4.358 8.865-8.186 11.988s-8.474 5.072-13.382 5.612l-230.080 32.64c-14.4 2.024-28.090 7.498-39.917 15.956-11.821 8.458-21.427 19.649-27.987 32.62l-102.848 203.264c-2.298 4.38-5.76 8.038-10.010 10.569s-9.114 3.835-14.054 3.767v0z" />
|
||||
<glyph unicode="" glyph-name="list" data-tags="bw-list" d="M992.003 426.693h-773.694c-8.487 0-16.626 3.372-22.627 9.373s-9.373 14.14-9.373 22.627c0 8.487 3.372 16.627 9.373 22.628s14.14 9.372 22.627 9.372h773.694c8.486 0 16.627-3.372 22.63-9.372s9.37-14.141 9.37-22.628c0-8.487-3.366-16.626-9.37-22.627s-14.144-9.373-22.63-9.373zM32.001 426.95c-4.215-0.072-8.392 0.803-12.224 2.56-3.764 1.512-7.231 3.679-10.24 6.4-5.846 6.242-9.076 14.488-9.024 23.040-0.033 8.358 3.206 16.399 9.024 22.4 4.641 4.36 10.412 7.33 16.657 8.575s12.714 0.713 18.671-1.535c3.789-1.746 7.252-4.127 10.24-7.040 5.771-6.022 8.963-14.060 8.896-22.4 0.052-8.552-3.178-16.798-9.024-23.040-3.009-2.721-6.476-4.888-10.24-6.4-3.997-1.808-8.352-2.684-12.736-2.56zM991.991 576.006h-773.697c-8.487 0-16.627 3.372-22.627 9.373s-9.373 14.14-9.373 22.627c0 8.487 3.372 16.627 9.373 22.627s14.14 9.373 22.627 9.373h773.697c8.486 0 16.627-3.372 22.624-9.373 6.003-6.001 9.376-14.14 9.376-22.627s-3.373-16.627-9.376-22.627c-5.997-6.001-14.138-9.373-22.624-9.373zM32.765 576.006c-4.405-0.126-8.782 0.749-12.8 2.56-3.903 1.51-7.406 3.897-10.24 6.976-3.060 2.902-5.48 6.412-7.104 10.304-1.547 3.878-2.433 7.988-2.624 12.16 0.229 4.139 1.092 8.219 2.56 12.096 1.592 3.91 4.015 7.426 7.104 10.304 2.849 3.076 6.347 5.481 10.24 7.040 5.933 2.406 12.44 3.021 18.718 1.77s12.052-4.314 16.61-8.81c2.906-3.031 5.304-6.51 7.104-10.304 1.178-3.921 1.74-8.002 1.664-12.096 0.039-4.132-0.61-8.241-1.92-12.16-1.601-3.905-4.023-7.42-7.104-10.304-2.834-3.079-6.337-5.466-10.24-6.976-3.752-1.725-7.839-2.598-11.968-2.56zM991.991 277.382h-773.697c-8.487 0-16.627 3.372-22.627 9.373s-9.373 14.14-9.373 22.627c0 8.487 3.372 16.627 9.373 22.627s14.14 9.373 22.627 9.373h773.697c8.486 0 16.627-3.372 22.624-9.373 6.003-6.001 9.376-14.14 9.376-22.627s-3.373-16.626-9.376-22.627c-5.997-6.001-14.138-9.373-22.624-9.373zM32.765 277.255c-4.378 0.152-8.701 1.017-12.8 2.56-3.8 1.699-7.268 4.061-10.24 6.976-5.936 6.009-9.407 14.023-9.728 22.464 0.17 4.147 1.036 8.236 2.56 12.096 1.741 3.999 4.143 7.677 7.104 10.88 6.272 5.591 14.381 8.68 22.784 8.68s16.512-3.089 22.784-8.68c5.662-6.312 8.785-14.497 8.768-22.976 0.050-8.381-3.19-16.447-9.024-22.464-2.972-2.915-6.44-5.277-10.24-6.976-3.833-1.466-7.871-2.33-11.968-2.56v0zM992.003 128.006h-773.694c-8.487 0-16.626 3.373-22.627 9.37-6.001 6.003-9.373 14.144-9.373 22.63s3.372 16.627 9.373 22.63c6.001 5.997 14.14 9.37 22.627 9.37h773.694c8.486 0 16.627-3.373 22.63-9.37 6.003-6.003 9.37-14.144 9.37-22.63s-3.366-16.627-9.37-22.63c-6.003-5.997-14.144-9.37-22.63-9.37zM32.767 128.006c-4.406-0.128-8.782 0.749-12.8 2.56-3.903 1.51-7.406 3.898-10.24 6.976-5.857 6.010-9.121 14.074-9.088 22.464-0.072 8.346 3.174 16.384 9.024 22.336 6.126 5.882 14.291 9.165 22.784 9.165s16.657-3.283 22.784-9.165c5.756-5.997 8.908-14.022 8.768-22.336 0.050-8.378-3.19-16.448-9.024-22.464-2.835-3.078-6.338-5.466-10.24-6.976-3.752-1.722-7.839-2.598-11.968-2.56v0z" />
|
||||
<glyph unicode="" glyph-name="angle-down" data-tags="bw-angle-down" d="M1015.392 629.834c12.058-12.92 11.36-33.169-1.555-45.228l-414.5-386.865c-49.179-45.901-125.495-45.901-174.674 0l-414.497 386.865c-12.92 12.059-13.618 32.308-1.56 45.228s32.308 13.618 45.228 1.56l414.497-386.863c24.589-22.95 62.748-22.95 87.337 0l414.495 386.863c12.922 12.058 33.171 11.36 45.229-1.56z" />
|
||||
<glyph unicode="" glyph-name="angle-right" data-tags="bw-angle-right" d="M266.166 887.394c12.92 12.059 33.169 11.36 45.228-1.56l386.865-414.498c45.901-49.178 45.901-125.495 0-174.673l-386.865-414.5c-12.059-12.915-32.308-13.613-45.228-1.555s-13.618 32.307-1.56 45.229l386.863 414.495c22.95 24.589 22.95 62.748 0 87.337l-386.863 414.497c-12.058 12.92-11.36 33.169 1.56 45.228z" />
|
||||
<glyph unicode="" glyph-name="external-link" data-tags="bw-external-link" d="M992.002 364.351c-8.493 0-16.627-3.372-22.63-9.373s-9.37-14.14-9.37-22.627v-354.176c0.166-10.982-4.019-21.587-11.648-29.491s-18.074-12.467-29.056-12.685h-814.595c-10.983 0.218-21.432 4.781-29.060 12.685s-11.815 18.509-11.644 29.491v811.456c-0.11 5.455 0.855 10.878 2.841 15.96s4.954 9.722 8.734 13.657c3.78 3.934 8.298 7.085 13.296 9.274s10.378 3.37 15.833 3.478h348.544c8.487 0 16.627 3.371 22.628 9.373s9.372 14.14 9.372 22.627c0 8.487-3.372 16.626-9.372 22.627s-14.141 9.373-22.628 9.373h-348.544c-13.859-0.109-27.562-2.946-40.324-8.351s-24.336-13.27-34.058-23.147c-9.723-9.877-17.405-21.573-22.607-34.419s-7.824-26.591-7.715-40.451v-811.456c-0.17-27.955 10.759-54.842 30.39-74.746s46.358-31.213 74.314-31.43h814.595c27.955 0.218 54.682 11.526 74.31 31.43s30.56 46.79 30.394 74.746v354.176c0 8.487-3.373 16.627-9.376 22.627s-14.138 9.373-22.624 9.373zM958.844 895.999l-174.976-0.576c-8.448-0.373-16.422-3.992-22.272-10.102-5.843-6.11-9.107-14.241-9.107-22.698s3.264-16.587 9.107-22.698c5.85-6.11 13.824-9.729 22.272-10.102l97.856 0.384c0 0 12.8 0 8.128-10.496l-316.608-338.304c-5.536-6.422-8.378-14.739-7.917-23.207 0.454-8.468 4.166-16.433 10.362-22.223 6.202-5.791 14.394-8.959 22.874-8.842s16.589 3.512 22.618 9.472l319.168 341.12c0.787 0.602 1.709 1.002 2.682 1.164s1.978 0.081 2.912-0.235c0.934-0.316 1.779-0.859 2.458-1.579s1.165-1.596 1.421-2.55v0-107.456c-0.192-4.429 0.512-8.852 2.074-13.002 1.555-4.15 3.942-7.941 7.008-11.144s6.746-5.753 10.822-7.495c4.077-1.741 8.467-2.639 12.896-2.639 4.435 0 8.826 0.898 12.902 2.639s7.757 4.291 10.822 7.495c3.066 3.203 5.453 6.995 7.008 11.144 1.562 4.15 2.266 8.573 2.067 13.002l-0.576 172.8c-0.032 14.854-5.939 29.091-16.429 39.606s-24.717 16.454-39.571 16.522v0z" />
|
||||
<glyph unicode="" glyph-name="refresh" data-tags="bw-refresh" d="M1009.622 638.015c-6.669 3.825-14.566 4.895-22.016 2.983-7.443-1.913-13.85-6.657-17.856-13.223l-57.6-96.832c-1.005-1.662-2.451-3.009-4.186-3.887s-3.68-1.251-5.613-1.078c-1.933 0.173-3.782 0.886-5.331 2.058s-2.733 2.756-3.43 4.57c-36.41 101.348-108.269 186.097-202.304 238.592-105.747 60.056-230.767 76.43-348.413 45.632-117.227-29.444-217.977-104.207-280.128-207.872-30.484-50.468-50.396-106.604-58.526-165s-4.31-117.836 11.23-174.712c15.533-57.318 42.372-110.944 78.94-157.734s82.124-85.792 133.988-114.714c105.749-60.051 230.769-76.422 348.413-45.632 97.837 24.672 184.755 81.043 247.168 160.32 2.323 2.95 4.026 6.336 5.011 9.952 0.986 3.622 1.235 7.405 0.736 11.123s-1.741 7.296-3.654 10.528c-1.907 3.226-4.448 6.042-7.469 8.269-6.176 4.582-13.888 6.592-21.517 5.6s-14.573-4.902-19.379-10.912c-54.477-69.203-130.342-118.419-215.744-139.968-102.709-26.867-211.85-12.582-304.189 39.808-45.217 25.299-84.925 59.373-116.796 100.224s-55.263 87.654-68.804 137.664c-13.568 49.663-16.905 101.565-9.809 152.557s24.477 100.010 51.089 144.083c54.184 90.289 141.929 155.436 244.032 181.184 102.732 26.861 211.889 12.579 304.253-39.808 80.314-44.867 142.176-116.682 174.656-202.752 0.685-1.968 0.742-4.098 0.179-6.102-0.57-2.004-1.734-3.786-3.347-5.104s-3.59-2.111-5.67-2.271c-2.074-0.159-4.147 0.323-5.946 1.38l-99.776 56.256c-6.81 3.921-14.886 5.024-22.502 3.075s-14.17-6.796-18.266-13.507c-1.85-3.218-3.046-6.773-3.507-10.458-0.467-3.685-0.186-7.425 0.813-11.002 1.005-3.576 2.707-6.916 5.018-9.825s5.178-5.328 8.429-7.114l182.4-103.36c6.701-3.617 14.534-4.532 21.888-2.56 3.68 0.925 7.136 2.566 10.176 4.829 3.046 2.262 5.613 5.101 7.552 8.355l106.112 177.6c1.939 3.206 3.206 6.769 3.731 10.476 0.531 3.707 0.307 7.482-0.653 11.101s-2.643 7.007-4.941 9.964c-2.298 2.956-5.171 5.42-8.442 7.243z" />
|
||||
<glyph unicode="" glyph-name="discourse" data-tags="bw-discourse" d="M516.343 896c-280.229 0-516.343-225.143-516.343-503.086 0-8.914 0.229-520.914 0.229-520.914l516.114 0.457c280.457 0 507.657 233.829 507.657 511.771s-227.2 511.771-507.657 511.771zM512 91.429c-44.343 0-86.629 9.829-124.343 27.657l-185.371-45.943 52.343 171.429c-22.4 41.371-35.2 88.914-35.2 139.429 0 161.6 130.971 292.571 292.571 292.571s292.571-130.971 292.571-292.571c0-161.6-130.971-292.571-292.571-292.571z" />
|
||||
@ -71,7 +71,7 @@
|
||||
<glyph unicode="" glyph-name="sign-out" data-tags="bw-sign-out" d="M929.28 417.6l-119.616 128c-5.946 6.348-14.163 10.076-22.854 10.364-8.685 0.288-17.133-2.888-23.482-8.828s-10.080-14.16-10.368-22.85c-0.288-8.69 2.886-17.138 8.832-23.486l66.816-71.488c0 0 8.576-9.536-2.176-13.12l-463.427 1.664c-4.308 0.017-8.578-0.816-12.564-2.451s-7.611-4.041-10.666-7.078c-3.055-3.037-5.482-6.648-7.14-10.625s-2.516-8.241-2.525-12.55c-0.017-8.696 3.417-17.044 9.548-23.212s14.46-9.65 23.156-9.684l467.203-1.6c0.973-0.153 1.901-0.547 2.688-1.147s1.408-1.386 1.818-2.289c0.41-0.902 0.582-1.891 0.512-2.878-0.077-0.988-0.39-1.941-0.922-2.774v0l-78.464-73.536c-3.149-2.941-5.69-6.474-7.469-10.397-1.786-3.92-2.778-8.157-2.918-12.464-0.147-4.307 0.557-8.595 2.067-12.627 1.517-4.038 3.808-7.731 6.752-10.88 2.938-3.149 6.47-5.683 10.394-7.469 3.923-1.779 8.16-2.771 12.461-2.918 4.307-0.147 8.602 0.557 12.634 2.074 4.032 1.51 7.731 3.802 10.88 6.746l126.208 118.080c10.861 10.193 17.242 24.28 17.734 39.169s-4.947 29.366-15.11 40.255v0zM928-128h-832c-25.46 0-49.879 10.112-67.882 28.115s-28.118 42.426-28.118 67.885v832c0 25.46 10.115 49.879 28.118 67.882s42.422 28.118 67.882 28.118h827.136c25.459 0 49.882-10.114 67.885-28.118s28.115-42.422 28.115-67.882v-137.92c0-8.487-3.373-16.627-9.37-22.627-6.003-6.001-14.144-9.373-22.63-9.373s-16.627 3.372-22.63 9.373c-5.997 6.001-9.37 14.14-9.37 22.627v137.92c0 8.487-3.373 16.627-9.37 22.627-6.003 6.001-14.144 9.373-22.63 9.373h-827.136c-8.487 0-16.627-3.372-22.627-9.373s-9.373-14.14-9.373-22.627v-832c0-8.486 3.372-16.627 9.373-22.63 6.001-5.997 14.14-9.37 22.627-9.37h832c8.486 0 16.627 3.373 22.63 9.37 5.997 6.003 9.37 14.144 9.37 22.63v135.36c0 8.486 3.373 16.627 9.37 22.63 6.003 5.997 14.144 9.37 22.63 9.37s16.627-3.373 22.63-9.37c5.997-6.003 9.37-14.144 9.37-22.63v-135.36c0-25.459-10.112-49.882-28.115-67.885s-42.426-28.115-67.885-28.115z" />
|
||||
<glyph unicode="" glyph-name="share" data-tags="bw-share" d="M885.207 149.567c-23.891-0.077-47.36-6.33-68.122-18.163-20.755-11.834-38.099-28.838-50.342-49.357l-504.126 239.68c9.807 18.616 15.087 39.283 15.409 60.322s-4.321 41.858-13.553 60.766l504.254 240.064c18.035-27.951 45.542-48.461 77.478-57.769s66.157-6.788 96.384 7.096c30.227 13.884 54.432 38.202 68.179 68.492s16.115 64.522 6.662 96.413c-9.453 31.892-30.093 59.307-58.125 77.214s-61.581 25.107-94.49 20.277c-32.909-4.83-62.976-21.364-84.685-46.571-21.702-25.206-33.594-57.394-33.485-90.657 0.096-10.926 1.517-21.8 4.224-32.384l-512.766-244.032c-19.144 19.636-43.676 33.163-70.5 38.871s-54.738 3.344-80.219-6.796c-25.482-10.14-47.389-27.599-62.957-50.177s-24.1-49.26-24.52-76.682c-0.419-27.421 7.293-54.353 22.164-77.395s36.234-41.164 61.394-52.077c25.16-10.913 52.988-14.132 79.974-9.242 26.986 4.883 51.92 17.655 71.655 36.698l514.43-244.48c-5.978-28.070-3.11-57.306 8.211-83.68 11.315-26.374 30.534-48.589 55.002-63.59 24.474-15.002 52.986-22.054 81.626-20.179s55.994 12.582 78.298 30.65c22.304 18.061 38.464 42.592 46.246 70.221 7.782 27.622 6.816 56.986-2.778 84.032-9.587 27.053-27.328 50.47-50.771 67.021-23.45 16.557-51.45 25.434-80.154 25.414v0zM885.207 850.495c18.432 0 36.454-5.467 51.776-15.709 15.328-10.242 27.27-24.799 34.323-41.83s8.89-35.77 5.293-53.848c-3.603-18.078-12.48-34.682-25.523-47.711-13.037-13.029-29.645-21.899-47.725-25.487s-36.819-1.734-53.843 5.329c-17.030 7.063-31.578 19.016-41.811 34.349-10.227 15.332-15.686 33.355-15.674 51.788 0.038 24.719 9.882 48.414 27.379 65.876s41.216 27.261 65.933 27.244h-0.128zM139.097 290.815c-18.427 0-36.441 5.463-51.763 15.7s-27.267 24.786-34.321 41.809c-7.055 17.023-8.904 35.756-5.313 53.83s12.459 34.678 25.484 47.713c13.026 13.035 29.624 21.914 47.695 25.517s36.806 1.766 53.834-5.277c17.028-7.043 31.586-18.977 41.833-34.292s15.723-33.325 15.735-51.752c0-24.72-9.815-48.428-27.289-65.914s-41.175-27.317-65.895-27.334zM885.207-82.369c-18.432 0-36.448 5.466-51.776 15.706-15.322 10.246-27.27 24.8-34.317 41.83-7.053 17.030-8.896 35.776-5.293 53.85 3.597 18.080 12.48 34.682 25.517 47.712 13.043 13.030 29.651 21.901 47.731 25.485 18.080 3.59 36.819 1.734 53.843-5.325 17.024-7.066 31.578-19.021 41.805-34.349 10.234-15.334 15.686-33.357 15.674-51.789-0.051-24.691-9.882-48.358-27.354-65.811-17.466-17.453-41.133-27.277-65.83-27.309v0z" />
|
||||
<glyph unicode="" glyph-name="clock" data-tags="bw-clock" d="M512-127.999c-101.264 0-200.254 30.029-284.452 86.285-84.198 56.262-149.822 136.224-188.574 229.779-38.752 93.558-48.892 196.504-29.136 295.822s68.519 190.548 140.124 262.152c71.604 71.604 162.834 120.368 262.152 140.123s202.267 9.616 295.822-29.136c93.555-38.752 173.517-104.377 229.779-188.574 56.256-84.198 86.285-183.188 86.285-284.452-0.154-135.744-54.144-265.888-150.131-361.869-95.981-95.987-226.125-149.978-361.869-150.131zM512 832.001c-88.606 0-175.222-26.275-248.895-75.502s-131.094-119.195-165.002-201.056c-33.908-81.861-42.78-171.939-25.494-258.843s59.954-166.73 122.608-229.386c62.653-62.65 142.479-105.318 229.383-122.605s176.981-8.416 258.844 25.491c81.862 33.914 151.827 91.334 201.056 165.005s75.501 160.29 75.501 248.896c-0.134 118.775-47.379 232.647-131.366 316.634s-197.856 131.23-316.634 131.366v0zM387.197 225.793c-6.404 0-12.661 1.92-17.962 5.51s-9.403 8.691-11.774 14.643c-2.371 5.946-2.903 12.468-1.526 18.723s4.597 11.951 9.246 16.355l116.416 110.4v323.264c0 8.487 3.372 16.627 9.372 22.628s14.141 9.372 22.63 9.372c8.486 0 16.621-3.372 22.624-9.372s9.376-14.141 9.376-22.628v-337.088c-0.013-4.337-0.896-8.627-2.618-12.609-1.715-3.983-4.224-7.575-7.366-10.559l-126.403-119.807c-5.937-5.658-13.817-8.819-22.016-8.832v0z" />
|
||||
<glyph unicode="" glyph-name="angle-left" data-tags="bw-angle-left" d="M722.515-119.392c-12.915-12.058-33.165-11.36-45.229 1.555l-386.861 414.5c-45.9 49.179-45.9 125.495 0 174.674l386.861 414.497c12.064 12.92 32.314 13.618 45.229 1.56 12.922-12.059 13.619-32.308 1.562-45.228l-386.864-414.497c-22.95-24.589-22.95-62.748-0.001-87.337l386.865-414.495c12.058-12.922 11.36-33.171-1.562-45.229z" />
|
||||
<glyph unicode="" glyph-name="angle-down" data-tags="bw-angle-down" d="M1015.392 629.834c12.058-12.92 11.36-33.169-1.555-45.228l-414.5-386.865c-49.179-45.901-125.495-45.901-174.674 0l-414.497 386.865c-12.92 12.059-13.618 32.308-1.56 45.228s32.308 13.618 45.228 1.56l414.497-386.863c24.589-22.95 62.748-22.95 87.337 0l414.495 386.863c12.922 12.058 33.171 11.36 45.229-1.56z" />
|
||||
<glyph unicode="" glyph-name="caret-left" data-tags="bw-caret-left" d="M267.171 406.468c-19.731-19.357-16.259-27.798 3.196-46.654l392.431-410.214c26.573-26.611 40.192-19.264 40.192 19.213v831.921c0 36.2-13.734 46.248-40.019 19.926l-395.799-414.191zM212.801 327.454c-27.734 34.086-27.734 80.554 0 114.64l398.166 415.959c68.419 71.587 157.033 35.957 157.033-57.32v-831.921c0-93.274-95.936-132.41-157.033-57.318l-398.166 415.96z" />
|
||||
<glyph unicode="" glyph-name="square" data-tags="bw-square" horiz-adv-x="1280" d="M1056-127.616h-832c-25.46 0-49.879 10.112-67.882 28.115s-28.118 42.426-28.118 67.885v832c0 25.46 10.115 49.879 28.118 67.882s42.422 28.118 67.882 28.118h832c25.459 0 49.882-10.114 67.885-28.118s28.115-42.422 28.115-67.882v-832c0-25.459-10.112-49.882-28.115-67.885s-42.426-28.115-67.885-28.115zM224 832.384c-8.487 0-16.627-3.371-22.627-9.373s-9.373-14.141-9.373-22.627v-832c0-8.486 3.372-16.627 9.373-22.63 6.001-5.997 14.14-9.37 22.627-9.37h832c8.486 0 16.627 3.373 22.63 9.37 5.997 6.003 9.37 14.144 9.37 22.63v832c0 8.486-3.373 16.626-9.37 22.627-6.003 6.001-14.144 9.373-22.63 9.373h-832z" />
|
||||
<glyph unicode="" glyph-name="collection" data-tags="bw-collection" d="M928-64h-831.999c-25.586 0.166-50.061 10.477-68.057 28.666s-28.045 42.771-27.943 68.358v491.072c-0.017 25.531 10.069 50.031 28.056 68.15s42.413 28.385 67.944 28.554h831.999c25.53-0.169 49.958-10.435 67.942-28.554 17.99-18.119 28.077-42.62 28.058-68.15v-491.072c0.102-25.587-9.946-50.17-27.942-68.358s-42.47-28.499-68.058-28.666v0zM96.001 556.416c-8.487 0-16.626-3.372-22.627-9.373s-9.373-14.14-9.373-22.627v-491.072c-0.042-4.23 0.755-8.422 2.344-12.346 1.589-3.917 3.939-7.482 6.915-10.49s6.518-5.389 10.421-7.021c3.903-1.626 8.091-2.464 12.32-2.464h831.999c4.23 0 8.416 0.838 12.32 2.464 3.904 1.632 7.45 4.013 10.419 7.021 2.976 3.008 5.331 6.573 6.918 10.49 1.587 3.923 2.387 8.115 2.342 12.346v490.752c0 8.487-3.373 16.626-9.37 22.627-6.003 6.001-14.144 9.373-22.63 9.373l-831.999 0.32zM906.88 682.752h-798.787c-5.792 0.308-11.245 2.826-15.236 7.035s-6.216 9.789-6.216 15.589c0 5.8 2.225 11.38 6.216 15.589s9.444 6.726 15.236 7.035h798.787c5.792-0.308 11.245-2.826 15.232-7.035 3.994-4.209 6.214-9.789 6.214-15.589s-2.221-11.38-6.214-15.589c-3.987-4.209-9.44-6.726-15.232-7.035v0zM858.24 786.752h-701.507c-5.792 0.308-11.245 2.826-15.236 7.035s-6.216 9.789-6.216 15.589c0 5.8 2.225 11.38 6.216 15.589s9.444 6.726 15.236 7.035h701.507c5.792-0.308 11.245-2.826 15.232-7.035 3.994-4.209 6.221-9.789 6.221-15.589s-2.227-11.38-6.221-15.589c-3.987-4.209-9.44-6.726-15.232-7.035v0z" />
|
||||
@ -131,9 +131,9 @@
|
||||
<glyph unicode="" glyph-name="youtube" data-tags="bw-youtube" d="M836.909 760.15c-153.773 10.496-496.258 10.453-649.816 0-166.272-11.349-185.856-111.787-187.093-376.149 1.237-263.892 20.651-364.756 187.093-376.148 153.6-10.458 496.043-10.496 649.816 0 166.272 11.347 185.856 111.782 187.091 376.148-1.235 263.893-20.653 364.757-187.091 376.149v0zM384 213.331v341.336l341.331-170.368-341.331-170.968z" />
|
||||
<glyph unicode="" glyph-name="ban" data-tags="bw-ban" d="M512 832c-246.976 0-448-201.024-448-448s201.024-448 448-448c246.976 0 448 201.024 448 448s-201.024 448-448 448zM512-128c-282.304 0-512 229.696-512 512s229.696 512 512 512c282.304 0 512-229.696 512-512s-229.696-512-512-512zM859.271 686.007l-649.28-649.28c-15.269-15.269-37.789-17.59-50.349-5.030-12.495 12.495-10.174 35.016 5.094 50.285l649.28 649.28c15.269 15.269 37.789 17.59 50.285 5.094 12.56-12.56 10.239-35.081-5.030-50.349z" />
|
||||
<glyph unicode="" glyph-name="camera" data-tags="bw-camera" d="M924.352 704h-821.952c-27.136 0-53.184-11.264-72.384-31.36s-30.016-47.296-30.016-75.712v-553.856c0-28.416 10.816-55.616 30.016-75.712s45.248-31.36 72.384-31.36h819.2c27.136 0 53.184 11.264 72.384 31.36s30.016 47.296 30.016 75.712v553.856c0 27.904-10.432 54.72-28.992 74.752-18.624 19.968-43.968 31.552-70.656 32.32zM955.712 43.072c0-9.472-3.584-18.56-9.984-25.216-6.4-6.72-15.104-10.496-24.128-10.496h-819.2c-9.024 0-17.728 3.776-24.128 10.496-6.4 6.656-9.984 15.744-9.984 25.216v553.856c0 9.472 3.584 18.56 9.984 25.216 6.4 6.72 15.104 10.496 24.128 10.496h819.2c9.024 0 17.728-3.776 24.128-10.496 6.4-6.656 9.984-15.744 9.984-25.216v-553.856zM876.806 571.565h-139.14c-3.567 0-6.989-2.624-9.511-7.296-2.522-4.736-3.927-11.072-3.927-17.664 0-6.656 1.405-12.992 3.927-17.664 2.522-4.736 5.945-7.36 9.511-7.36h137.987c3.567 0 6.989 2.624 9.511 7.36 2.522 4.672 3.927 11.008 3.927 17.664 0 6.592-1.405 12.928-3.927 17.664-2.522 4.672-5.945 7.296-9.511 7.296h1.153zM185.6 652.8l76.8 102.4c6.016 8.064 15.552 12.8 25.6 12.8 0 0 448 0 448 0 10.048 0 19.584-4.736 25.6-12.8l76.8-102.4 51.2 38.4-76.8 102.4c-18.112 24.192-46.592 38.4-76.8 38.4h-448c-30.208 0-58.688-14.208-76.8-38.4 0 0-76.8-102.4-76.8-102.4l51.2-38.4zM512 544c-123.648 0-224-100.352-224-224s100.352-224 224-224c123.648 0 224 100.352 224 224s-100.352 224-224 224zM512 499.2c98.88 0 179.2-80.32 179.2-179.2s-80.32-179.2-179.2-179.2c-98.88 0-179.2 80.32-179.2 179.2s80.32 179.2 179.2 179.2z" />
|
||||
<glyph unicode="" glyph-name="angle-right" data-tags="bw-angle-right" d="M266.166 887.394c12.92 12.059 33.169 11.36 45.228-1.56l386.865-414.498c45.901-49.178 45.901-125.495 0-174.673l-386.865-414.5c-12.059-12.915-32.308-13.613-45.228-1.555s-13.618 32.307-1.56 45.229l386.863 414.495c22.95 24.589 22.95 62.748 0 87.337l-386.863 414.497c-12.058 12.92-11.36 33.169 1.56 45.228z" />
|
||||
<glyph unicode="" glyph-name="angle-up" data-tags="bw-angle-up" d="M8.606 173.485c-12.059 12.915-11.36 33.165 1.56 45.229l414.498 386.861c49.178 45.9 125.495 45.9 174.673 0l414.5-386.861c12.915-12.064 13.613-32.314 1.555-45.229-12.058-12.922-32.307-13.619-45.229-1.562l-414.495 386.864c-24.589 22.95-62.748 22.95-87.337 0.001l-414.497-386.865c-12.92-12.058-33.169-11.36-45.228 1.562z" />
|
||||
<glyph unicode="" glyph-name="desktop" data-tags="bwi-desktop" d="M270.651 0.733c0 14.498 11.753 26.252 26.252 26.252h438.020c14.498 0 26.252-11.754 26.252-26.252s-11.754-26.252-26.252-26.252h-438.020c-14.499 0-26.252 11.754-26.252 26.252zM411.444 0.733v125.15h52.502v-125.15h-52.502zM552.235 0.733v125.15h52.502v-125.15h-52.502zM-10.935 725.265c0 37.695 30.558 68.254 68.254 68.254h909.364c37.695 0 68.253-30.557 68.253-68.254v-557.383c0-37.695-30.557-68.254-68.253-68.254h-909.364c-37.695 0-68.254 30.557-68.254 68.254v557.383zM57.319 741.017c-8.698 0-15.75-7.052-15.75-15.75v-557.383c0-8.699 7.052-15.75 15.75-15.75h909.364c8.698 0 15.75 7.051 15.75 15.75v557.383c0 8.698-7.052 15.75-15.75 15.75h-909.364zM82.93 662.262c0 20.298 16.453 36.751 36.751 36.751h787.537c20.298 0 36.751-16.453 36.751-36.751v-430.52c0-20.298-16.453-36.751-36.751-36.751h-787.537c-20.298 0-36.751 16.453-36.751 36.751v430.52zM119.681 667.513c-2.899 0-5.251-2.35-5.251-5.251v-430.52c0-2.899 2.35-5.251 5.251-5.251h787.537c2.899 0 5.251 2.35 5.251 5.251v430.52c0 2.899-2.35 5.251-5.251 5.251h-787.537z" />
|
||||
<glyph unicode="" glyph-name="angle-up" data-tags="bw-angle-up" d="M8.606 173.485c-12.059 12.915-11.36 33.165 1.56 45.229l414.498 386.861c49.178 45.9 125.495 45.9 174.673 0l414.5-386.861c12.915-12.064 13.613-32.314 1.555-45.229-12.058-12.922-32.307-13.619-45.229-1.562l-414.495 386.864c-24.589 22.95-62.748 22.95-87.337 0.001l-414.497-386.865c-12.92-12.058-33.169-11.36-45.228 1.562z" />
|
||||
<glyph unicode="" glyph-name="angle-left" data-tags="bw-angle-left" d="M722.515-119.392c-12.915-12.058-33.165-11.36-45.229 1.555l-386.861 414.5c-45.9 49.179-45.9 125.495 0 174.674l386.861 414.497c12.064 12.92 32.314 13.618 45.229 1.56 12.922-12.059 13.619-32.308 1.562-45.228l-386.864-414.497c-22.95-24.589-22.95-62.748-0.001-87.337l386.865-414.495c12.058-12.922 11.36-33.171-1.562-45.229z" />
|
||||
<glyph unicode="" glyph-name="share-arrow" data-tags="bw-share-arrow" d="M926.469 752.44l-232.749 134.772c-7.044 4.125-15.434 5.29-23.337 3.242s-14.675-7.143-18.83-14.17c-2.043-3.454-3.383-7.281-3.939-11.258s-0.314-8.024 0.71-11.907c1.019-3.883 2.803-7.524 5.248-10.711 2.439-3.188 5.489-5.859 8.97-7.858l165.023-95.507c-115.078-23.892-751.894-183.976-750.165-804.989 0.114-8.113 3.416-15.854 9.193-21.546 5.776-5.698 13.564-8.89 21.675-8.89v0c8.134 0 15.939 3.21 21.719 8.934s9.069 13.495 9.15 21.626c-2.814 124.382 28.738 247.127 91.184 354.733s153.366 195.9 262.755 255.167c109.934 65.243 230.062 111.513 355.357 136.871l-99.705-168.48c-2.037-3.457-3.37-7.284-3.92-11.258s-0.309-8.020 0.716-11.9c1.019-3.881 2.803-7.52 5.235-10.708 2.439-3.188 5.482-5.862 8.958-7.868 4.025-2.316 8.52-3.707 13.15-4.075 5.767-0.476 11.551 0.678 16.694 3.331 5.137 2.652 9.433 6.696 12.384 11.671l135.821 229.044c2.025 3.476 3.34 7.319 3.871 11.306 0.525 3.988 0.253 8.040-0.797 11.923s-2.865 7.517-5.328 10.694c-2.469 3.177-5.544 5.832-9.044 7.812v0zM-44.466 1588.254c-0.005 0-0.010-0.006-0.015-0.006l-0.030-0.006-0.297-0.043-1.379-0.241c-1.262-0.216-3.202-0.561-5.773-1.050-5.143-0.975-12.811-2.506-22.643-4.705-19.67-4.402-47.951-11.446-81.963-21.966-68.134-21.065-158.667-55.883-248.88-110.841-179.916-109.608-356.857-297.814-355.968-618.218 0.049-17.048-13.736-30.907-30.782-30.954-17.052-0.047-30.905 13.736-30.955 30.784-0.963 348.516 193.567 554.131 385.585 671.113 95.755 58.334 191.304 95.006 262.762 117.102 35.784 11.063 65.676 18.521 86.729 23.231 10.531 2.352 18.863 4.019 24.628 5.112 2.883 0.55 5.126 0.951 6.682 1.222l1.814 0.309 0.666 0.105 0.052 0.013c0.018 0 0.035 0.006 4.894-30.48l-4.859 30.486c16.836 2.68 32.66-8.792 35.343-25.627 2.683-16.829-8.781-32.646-25.606-35.339-0.001 0-0.001 0-0.003 0z" />
|
||||
<glyph unicode="" glyph-name="eye-slash" data-tags="bw-eye-slash" d="M919.609 358.255c-76.096-69.696-229.952-189.504-406.976-189.504-51.2 0-97.792 9.024-144.576 24.896l63.808 63.872c24.576-14.144 49.984-22.272 80.192-22.080 84.096 0.704 151.232 63.936 151.808 147.776 0.192 30.144-8.512 58.944-23.936 82.304l82.752 82.752c84.544-41.088 155.136-97.92 198.4-138.432 15.36-14.336 14.144-37.312-1.472-51.584zM407.417 383.279c-1.28 58.432 46.784 104 104.256 104 17.28 0 33.6-4.224 48.064-11.584l-139.712-139.712c-7.808 14.016-12.608 30.080-12.608 47.296zM615.545 383.279c-1.216-55.616-46.592-99.584-103.168-100.416-16.768-0.192-29.568 2.88-45.376 9.792l137.792 137.792c7.232-13.888 10.752-30.464 10.752-47.168zM103.609 357.999c-16.384 14.72-16.96 38.336-1.6 52.672 76.16 71.36 231.168 189.568 410.048 190.592 52.032 0.256 100.224-9.536 146.816-26.432l-64.384-64.384c-24.384 15.232-51.84 24.32-82.56 24.32-84.096 0-154.24-67.2-153.024-151.488 0.448-30.528 10.048-58.56 26.24-82.176l-81.28-81.28c-85.824 40.512-155.904 98.304-200.256 138.176zM1007.545 425.583c-6.016 7.040-93.248 108.224-229.312 178.304l174.144 173.952c12.544 12.544 13.504 32 0.96 44.48-12.48 12.672-33.472 13.376-46.016 0.896l-190.976-190.912c-62.592 25.088-130.496 40.96-205.44 40.96-278.848 0.192-482.688-236.48-498.048-253.952-17.472-19.776-17.088-49.024 0.32-66.304 6.080-7.104 113.728-124.288 236.928-187.008l-176.384-176.384c-12.48-12.48-13.248-31.872-0.768-44.416 6.272-6.272 14.464-9.408 22.656-9.408s17.088 2.432 23.296 8.576l192.96 193.088c62.080-24.448 126.464-40.64 200.384-40.192 280.064 1.728 478.72 228.608 494.976 246.784 1.408 1.6 3.584 3.648 4.864 5.312 17.664 22.464 15.488 56.32-4.544 76.224z" />
|
||||
<glyph unicode="" glyph-name="file" data-tags="bw-file" d="M896-32c0-17.664-14.336-32-32-32h-704c-17.664 0-32 14.336-32 32v832c0 17.664 14.336 32 32 32h397.632c17.664 0 32-14.336 32-32v-194.496c0-53.056 43.008-96 96-96h178.368c17.664 0 32-14.4 32-32v-509.504zM653.632 764.8c0 11.072 13.504 16.512 21.184 8.576l173.632-179.008c7.616-7.808 2.048-20.864-8.832-20.864h-153.984c-17.664 0-32 14.336-32 32v159.296zM941.952 589.952l-278.080 286.592c-12.032 12.48-28.608 19.456-45.952 19.456h-489.92c-35.392 0-64-28.608-64-64v-896c0-35.392 28.608-64 64-64h768c35.392 0 64 28.608 64 64v609.344c0 16.64-6.528 32.64-18.048 44.608z" />
|
||||
@ -185,6 +185,8 @@
|
||||
<glyph unicode="" glyph-name="up-down-btn" data-tags="bw-up-down-btn" d="M456.202-102.797l-348.145 248.678c-75.997 54.285-37.594 174.118 55.799 174.118h696.292c93.389 0 131.795-119.833 55.795-174.118l-348.143-248.678c-33.379-23.84-78.219-23.84-111.597 0zM493.4-50.714c11.126-7.949 26.073-7.949 37.199 0l348.146 248.672c25.331 18.093 12.531 58.042-18.598 58.042h-696.292c-31.131 0-43.932-39.949-18.6-58.042l348.145-248.672zM567.798 870.794l348.144-248.675c76-54.284 37.594-174.118-55.795-174.118h-696.292c-93.393 0-131.795 119.836-55.799 174.118l348.145 248.675c33.379 23.842 78.219 23.842 111.597 0zM530.6 818.716c-11.126 7.947-26.073 7.947-37.199 0l-348.145-248.675c-25.332-18.095-12.531-58.040 18.6-58.040h696.292c31.13 0 43.93 39.945 18.598 58.040l-348.146 248.675z" />
|
||||
<glyph unicode="" glyph-name="caret-up" data-tags="bw-caret-up" d="M534.468 628.829c-19.357 19.731-27.798 16.259-46.654-3.196l-410.214-392.431c-26.614-26.573-19.264-40.192 19.215-40.192h831.921c36.198 0 46.246 13.734 19.923 40.019l-414.191 395.799zM455.454 683.199c34.086 27.734 80.554 27.734 114.64 0l415.96-398.166c71.584-68.419 35.955-157.033-57.318-157.033h-831.921c-93.277 0-132.413 95.936-57.32 157.033l415.959 398.166z" />
|
||||
<glyph unicode="" glyph-name="caret-down" data-tags="bw-caret-down" d="M489.532 139.168c19.357-19.731 27.798-16.256 46.654 3.2l410.214 392.428c26.611 26.574 19.264 40.194-19.213 40.194l-831.921 0.001c-36.2 0-46.248-13.736-19.926-40.019l414.191-395.804zM568.546 84.8c-34.086-27.731-80.554-27.731-114.64 0l-415.959 398.167c-71.587 68.42-35.957 157.033 57.32 157.033h831.921c93.274 0 132.41-95.934 57.318-157.033l-415.96-398.167z" />
|
||||
<glyph unicode="" glyph-name="passkey" data-tags="passkey" d="M171.866 100.531c-28.794 0-52.141 23.341-52.141 52.134s23.347 52.134 52.141 52.134c28.794 0 52.134-23.341 52.134-52.134s-23.341-52.134-52.134-52.134zM336.23 423.597c-71.622 45.381-119.174 125.34-119.174 216.403 0 141.385 114.618 256 256.003 256s256-114.615 256-256c0-91.064-47.547-171.022-119.17-216.403 61.672-22.859 115.894-60.723 158.11-109.085 11.29-12.579 21.253-23.994 28.108-33.718l114.25 0.104 113.644-109.313-160-142.784-64 64-64-64-64 64-64-61.44-191.164 0.262c-42.392-59.162-113.22-97.222-192.632-95.571-126.49 2.63-226.842 105.030-224.154 228.717 2.694 123.683 107.418 221.813 233.907 219.18 7.2-0.15 14.323-0.623 21.344-1.406 6.304 4.097 13.485 8.49 21.619 13.196 18.816 10.858 38.643 20.2 59.309 27.859zM422.251 280.453l289.060 0.263c-8.424 9.26-19.715 20.508-36.449 33.795-55.383 43.498-125.517 69.489-201.804 69.489-47.366 0-92.361-10.020-132.924-28.029 33.408-18.139 61.646-44.193 82.116-75.517zM281.056 640c0-106.038 85.965-192 192.003-192s192 85.962 192 192-85.961 192-192 192c-106.038 0-192.003-85.962-192.003-192zM383.994 95.667l198.295-0.269 90.625 86.995 63.086-63.085 64 64 66.5-66.496 63.35 56.531-45.255 43.533-496.955-0.454-18.963 29.018c-28.486 43.592-78.259 73.319-136.051 74.522-92.531 1.926-166.694-69.562-168.589-156.589-1.894-86.976 69.011-161.408 161.498-163.334 57.805-1.203 108.877 26.438 139.277 68.858l19.181 26.771z" />
|
||||
<glyph unicode="" glyph-name="lock-encrypted" data-tags="bw-lock-encrypted" d="M496 368c0-14.216-6.18-26.989-16-35.778v-44.222c0-17.673-14.327-32-32-32s-32 14.327-32 32v44.222c-9.82 8.789-16 21.562-16 35.778 0 26.509 21.491 48 48 48s48-21.491 48-48zM352 0c17.673 0 32 14.33 32 32s-14.327 32-32 32c-17.673 0-32-14.33-32-32s14.327-32 32-32zM480 0c17.673 0 32 14.33 32 32s-14.327 32-32 32c-17.673 0-32-14.33-32-32s14.327-32 32-32zM640 32c0-17.67-14.327-32-32-32s-32 14.33-32 32c0 17.67 14.327 32 32 32s32-14.33 32-32zM736 0c17.67 0 32 14.33 32 32s-14.33 32-32 32c-17.67 0-32-14.33-32-32s14.33-32 32-32zM896 32c0-17.67-14.33-32-32-32s-32 14.33-32 32c0 17.67 14.33 32 32 32s32-14.33 32-32zM192 640c0 139.201 115.547 256 256 256 140.401 0 256-116.204 256-256v-99.201c73.030-14.824 128-63.393 128-140.799v-208h32c88.365 0 160-71.635 160-160s-71.635-160-160-160h-512c-36.026 0-69.272 11.904-96.015 32h-31.985c-88.365 0-160 55.635-160 144v352c0 77.407 54.968 125.975 128 140.799v99.201zM352 192h416v208c0 53.020-42.982 80-96 80h-448c-53.020 0-96-26.98-96-80v-352c0-46.323 32.81-68.986 76.46-78.010-8.025 19.072-12.46 40.019-12.46 62.010 0 88.365 71.635 160 160 160zM448 832c-106.336 0-192-89.362-192-192v-96h384v96c0 103.132-85.612 192-192 192zM352 128c-53.020 0-96-42.982-96-96s42.98-96 96-96h512c53.018 0 96 42.982 96 96s-42.982 96-96 96h-512z" />
|
||||
<glyph unicode="" glyph-name="rocket" data-tags="rocket" d="M650.515 648.267c33.538 33.532 87.904 33.532 121.443 0 33.538-33.538 33.538-87.904 0-121.443s-87.904-33.538-121.443 0c-33.532 33.538-33.532 87.904 0 121.443zM750.801 627.113c-21.855 21.856-57.284 21.856-79.134 0-21.856-21.855-21.856-57.284 0-79.134 21.855-21.855 57.284-21.855 79.134 0s21.855 57.284 0 79.134zM493.141 680.645c113.184 90.608 223.416 148.836 310.181 180.552 43.273 15.818 81.527 25.336 111.933 28.691 15.138 1.668 29.339 1.929 41.709 0.19 11.507-1.615 25.903-5.552 36.583-16.232l3.981-3.981c10.68-10.679 14.617-25.076 16.232-36.582 1.739-12.377 1.478-26.572-0.19-41.71-3.356-30.406-12.874-68.659-28.691-111.932-31.716-86.771-89.944-196.998-180.552-310.187-29.487-36.837-59.902-73.855-91.847-111.076l30.789-145.412c4.388-20.715-0.21-42.314-12.654-59.447l-89.489-123.202c-35.299-48.598-110.586-37.857-130.894 18.67l-31.576 87.886-74.269-74.269c-5.844-5.844-15.313-5.844-21.151 0-5.844 5.845-5.844 15.313 0 21.152l80.747 80.747-47.795 47.794-162.229-162.229c-5.844-5.844-15.313-5.844-21.151 0s-5.844 15.313 0 21.151l162.229 162.229-54.059 54.060-306.392-306.392c-5.844-5.844-15.313-5.844-21.151 0-5.844 5.845-5.844 15.313 0 21.151l306.391 306.392-54.059 54.060-61.939-61.939c-5.845-5.844-15.313-5.844-21.151 0-5.845 5.844-5.845 15.313 0 21.151l61.938 61.939-47.794 47.794-112.086-112.086c-5.844-5.844-15.312-5.844-21.151 0-5.844 5.845-5.844 15.313 0 21.152l109.675 109.669-100.568 36.13c-56.526 20.307-67.261 95.6-18.663 130.894l123.202 89.489c17.132 12.444 38.73 17.041 59.446 12.654l145.412-30.789c37.221 31.945 74.238 62.36 111.076 91.847zM952.797 829.985c-0.744 0.223-2.062 0.551-4.14 0.84-5.79 0.812-14.652 0.934-26.837-0.411-24.234-2.675-57.643-10.683-97.952-25.414-80.389-29.379-184.973-84.318-293.329-171.062-38.013-30.432-76.092-61.749-114.295-94.665-2.919-4.249-6.879-7.644-11.433-9.895-54.88-47.714-110.027-98.85-165.607-155.478l258.391-258.39c56.628 55.58 107.765 110.728 155.48 165.609 2.25 4.551 5.643 8.51 9.89 11.427 32.912 38.205 64.235 76.284 94.667 114.298 86.744 108.362 141.683 212.941 171.063 293.329 14.73 40.309 22.744 73.723 25.414 97.952 1.345 12.179 1.222 21.047 0.411 26.837-0.29 2.078-0.619 3.397-0.84 4.14l-0.875 0.875zM224.258 561.056c-4.141 0.875-8.464-0.045-11.889-2.533l-123.202-89.489c-9.719-7.058-7.573-22.117 3.736-26.177l96.234-34.573c45.935 47.161 91.519 90.548 136.803 131.242l-101.677 21.529zM663.214 202.25c-40.694-45.278-84.081-90.868-131.243-136.803l34.574-96.235c4.061-11.304 19.119-13.455 26.177-3.736l89.489 123.202c2.488 3.425 3.408 7.748 2.533 11.889l-21.529 101.678z" />
|
||||
<glyph unicode="" glyph-name="ellipsis-h" data-tags="ellipsis-h" d="M876.633 299.353c-46.75 0-84.647 37.897-84.647 84.647s37.897 84.647 84.647 84.647c46.75 0 84.647-37.897 84.647-84.647s-37.897-84.647-84.647-84.647zM512 299.353c-46.75 0-84.647 37.897-84.647 84.647s37.897 84.647 84.647 84.647c46.75 0 84.647-37.897 84.647-84.647s-37.897-84.647-84.647-84.647zM147.367 299.353c-46.75 0-84.647 37.897-84.647 84.647s37.897 84.647 84.647 84.647c46.75 0 84.647-37.897 84.647-84.647s-37.897-84.647-84.647-84.647z" />
|
||||
<glyph unicode="" glyph-name="ellipsis-v" data-tags="ellipsis-v" d="M427.353 19.367c0 46.75 37.897 84.647 84.647 84.647s84.647-37.897 84.647-84.647c0-46.75-37.897-84.647-84.647-84.647s-84.647 37.897-84.647 84.647zM427.353 384c0 46.75 37.897 84.647 84.647 84.647s84.647-37.897 84.647-84.647c0-46.75-37.897-84.647-84.647-84.647s-84.647 37.897-84.647 84.647zM427.353 748.633c0 46.75 37.897 84.647 84.647 84.647s84.647-37.897 84.647-84.647c0-46.75-37.897-84.647-84.647-84.647s-84.647 37.897-84.647 84.647z" />
|
||||
|
Before Width: | Height: | Size: 286 KiB After Width: | Height: | Size: 289 KiB |
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -130,7 +130,7 @@ $icons: (
|
||||
"hamburger": "\e972",
|
||||
"bw-folder-open-f1": "\e93e",
|
||||
"desktop": "\e96a",
|
||||
"angle-up": "\e96b",
|
||||
"angle-up": "\e969",
|
||||
"user": "\e900",
|
||||
"user-f": "\e901",
|
||||
"key": "\e902",
|
||||
@ -158,7 +158,7 @@ $icons: (
|
||||
"plus": "\e918",
|
||||
"star": "\e919",
|
||||
"list": "\e91a",
|
||||
"angle-down": "\e91b",
|
||||
"angle-down": "\e92d",
|
||||
"external-link": "\e91c",
|
||||
"refresh": "\e91d",
|
||||
"search": "\e91f",
|
||||
@ -175,7 +175,7 @@ $icons: (
|
||||
"sign-out": "\e92a",
|
||||
"share": "\e92b",
|
||||
"clock": "\e92c",
|
||||
"angle-left": "\e92d",
|
||||
"angle-left": "\e96b",
|
||||
"caret-left": "\e92e",
|
||||
"square": "\e92f",
|
||||
"collection": "\e930",
|
||||
@ -225,7 +225,7 @@ $icons: (
|
||||
"wrench": "\e965",
|
||||
"ban": "\e967",
|
||||
"camera": "\e968",
|
||||
"angle-right": "\e969",
|
||||
"angle-right": "\e91b",
|
||||
"eye-slash": "\e96d",
|
||||
"file": "\e96e",
|
||||
"paste": "\e96f",
|
||||
@ -262,6 +262,8 @@ $icons: (
|
||||
"up-down-btn": "\e99c",
|
||||
"caret-up": "\e99d",
|
||||
"caret-down": "\e99e",
|
||||
"passkey": "\e99f",
|
||||
"lock-encrypted": "\e9a0",
|
||||
);
|
||||
|
||||
@each $name, $glyph in $icons {
|
||||
|
@ -267,6 +267,11 @@ export class AddEditComponent implements OnInit, OnDestroy {
|
||||
}
|
||||
}
|
||||
|
||||
// We don't want to copy passkeys when we clone a cipher
|
||||
if (this.cloneMode && this.cipher?.login?.hasFido2Credentials) {
|
||||
this.cipher.login.fido2Credentials = null;
|
||||
}
|
||||
|
||||
this.folders$ = this.folderService.folderViews$;
|
||||
|
||||
if (this.editMode && this.previousCipherId !== this.cipherId) {
|
||||
@ -324,7 +329,7 @@ export class AddEditComponent implements OnInit, OnDestroy {
|
||||
: this.collections.filter((c) => (c as any).checked).map((c) => c.id);
|
||||
}
|
||||
|
||||
// Clear current Cipher Id to trigger "Add" cipher flow
|
||||
// Clear current Cipher Id if exists to trigger "Add" cipher flow
|
||||
if (this.cloneMode) {
|
||||
this.cipher.id = null;
|
||||
}
|
||||
|
@ -29,10 +29,10 @@ import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.servi
|
||||
import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
|
||||
import { CipherRepromptType } from "@bitwarden/common/vault/enums/cipher-reprompt-type";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
|
||||
import { Launchable } from "@bitwarden/common/vault/interfaces/launchable";
|
||||
import { AttachmentView } from "@bitwarden/common/vault/models/view/attachment.view";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
|
||||
import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view";
|
||||
import { DialogService } from "@bitwarden/components";
|
||||
import { PasswordRepromptService } from "@bitwarden/vault";
|
||||
|
||||
@ -62,6 +62,7 @@ export class ViewComponent implements OnDestroy, OnInit {
|
||||
fieldType = FieldType;
|
||||
checkPasswordPromise: Promise<number>;
|
||||
folder: FolderView;
|
||||
cipherType = CipherType;
|
||||
|
||||
private totpInterval: any;
|
||||
private previousCipherId: string;
|
||||
@ -156,6 +157,18 @@ export class ViewComponent implements OnDestroy, OnInit {
|
||||
}
|
||||
|
||||
async clone() {
|
||||
if (this.cipher.login?.hasFido2Credentials) {
|
||||
const confirmed = await this.dialogService.openSimpleDialog({
|
||||
title: { key: "passkeyNotCopied" },
|
||||
content: { key: "passkeyNotCopiedAlert" },
|
||||
type: "info",
|
||||
});
|
||||
|
||||
if (!confirmed) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if (await this.promptPassword()) {
|
||||
this.onCloneCipher.emit(this.cipher);
|
||||
return true;
|
||||
@ -295,7 +308,7 @@ export class ViewComponent implements OnDestroy, OnInit {
|
||||
}
|
||||
}
|
||||
|
||||
launch(uri: LoginUriView, cipherId?: string) {
|
||||
launch(uri: Launchable, cipherId?: string) {
|
||||
if (!uri.canLaunch) {
|
||||
return;
|
||||
}
|
||||
|
@ -1,6 +1,7 @@
|
||||
export enum FeatureFlag {
|
||||
DisplayEuEnvironmentFlag = "display-eu-environment",
|
||||
DisplayLowKdfIterationWarningFlag = "display-kdf-iteration-warning",
|
||||
Fido2VaultCredentials = "fido2-vault-credentials",
|
||||
TrustedDeviceEncryption = "trusted-device-encryption",
|
||||
PasswordlessLogin = "passwordless-login",
|
||||
AutofillV2 = "autofill-v2",
|
||||
|
@ -1,3 +1,6 @@
|
||||
import { JsonObject } from "type-fest";
|
||||
|
||||
import { Fido2CredentialApi } from "../../vault/api/fido2-credential.api";
|
||||
import { BaseResponse } from "../response/base.response";
|
||||
|
||||
import { LoginUriApi } from "./login-uri.api";
|
||||
@ -9,6 +12,7 @@ export class LoginApi extends BaseResponse {
|
||||
passwordRevisionDate: string;
|
||||
totp: string;
|
||||
autofillOnPageLoad: boolean;
|
||||
fido2Credentials?: Fido2CredentialApi[];
|
||||
|
||||
constructor(data: any = null) {
|
||||
super(data);
|
||||
@ -25,5 +29,12 @@ export class LoginApi extends BaseResponse {
|
||||
if (uris != null) {
|
||||
this.uris = uris.map((u: any) => new LoginUriApi(u));
|
||||
}
|
||||
|
||||
const fido2Credentials = this.getResponseProperty("Fido2Credentials");
|
||||
if (fido2Credentials != null) {
|
||||
this.fido2Credentials = fido2Credentials.map(
|
||||
(key: JsonObject) => new Fido2CredentialApi(key)
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
125
libs/common/src/models/export/fido2-credential.export.ts
Normal file
125
libs/common/src/models/export/fido2-credential.export.ts
Normal file
@ -0,0 +1,125 @@
|
||||
import { EncString } from "../../platform/models/domain/enc-string";
|
||||
import { Fido2Credential } from "../../vault/models/domain/fido2-credential";
|
||||
import { Fido2CredentialView } from "../../vault/models/view/fido2-credential.view";
|
||||
|
||||
/**
|
||||
* Represents format of Fido2 Credentials in JSON exports.
|
||||
*/
|
||||
export class Fido2CredentialExport {
|
||||
/**
|
||||
* Generates a template for Fido2CredentialExport
|
||||
* @returns Instance of Fido2CredentialExport with predefined values.
|
||||
*/
|
||||
static template(): Fido2CredentialExport {
|
||||
const req = new Fido2CredentialExport();
|
||||
req.credentialId = "keyId";
|
||||
req.keyType = "keyType";
|
||||
req.keyAlgorithm = "keyAlgorithm";
|
||||
req.keyCurve = "keyCurve";
|
||||
req.keyValue = "keyValue";
|
||||
req.rpId = "rpId";
|
||||
req.userHandle = "userHandle";
|
||||
req.counter = "counter";
|
||||
req.rpName = "rpName";
|
||||
req.userDisplayName = "userDisplayName";
|
||||
req.discoverable = "false";
|
||||
req.creationDate = null;
|
||||
return req;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a Fido2CredentialExport object to its view representation.
|
||||
* @param req - The Fido2CredentialExport object to be converted.
|
||||
* @param view - (Optional) The Fido2CredentialView object to popualte with Fido2CredentialExport data
|
||||
* @returns Fido2CredentialView - The populated view, or a new instance if none was provided.
|
||||
*/
|
||||
static toView(req: Fido2CredentialExport, view = new Fido2CredentialView()) {
|
||||
view.credentialId = req.credentialId;
|
||||
view.keyType = req.keyType as "public-key";
|
||||
view.keyAlgorithm = req.keyAlgorithm as "ECDSA";
|
||||
view.keyCurve = req.keyCurve as "P-256";
|
||||
view.keyValue = req.keyValue;
|
||||
view.rpId = req.rpId;
|
||||
view.userHandle = req.userHandle;
|
||||
view.counter = parseInt(req.counter);
|
||||
view.rpName = req.rpName;
|
||||
view.userDisplayName = req.userDisplayName;
|
||||
view.discoverable = req.discoverable === "true";
|
||||
view.creationDate = new Date(req.creationDate);
|
||||
return view;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a Fido2CredentialExport object to its domain representation.
|
||||
* @param req - The Fido2CredentialExport object to be converted.
|
||||
* @param domain - (Optional) The Fido2Credential object to popualte with Fido2CredentialExport data
|
||||
* @returns Fido2Credential - The populated domain, or a new instance if none was provided.
|
||||
*/
|
||||
static toDomain(req: Fido2CredentialExport, domain = new Fido2Credential()) {
|
||||
domain.credentialId = req.credentialId != null ? new EncString(req.credentialId) : null;
|
||||
domain.keyType = req.keyType != null ? new EncString(req.keyType) : null;
|
||||
domain.keyAlgorithm = req.keyAlgorithm != null ? new EncString(req.keyAlgorithm) : null;
|
||||
domain.keyCurve = req.keyCurve != null ? new EncString(req.keyCurve) : null;
|
||||
domain.keyValue = req.keyValue != null ? new EncString(req.keyValue) : null;
|
||||
domain.rpId = req.rpId != null ? new EncString(req.rpId) : null;
|
||||
domain.userHandle = req.userHandle != null ? new EncString(req.userHandle) : null;
|
||||
domain.counter = req.counter != null ? new EncString(req.counter) : null;
|
||||
domain.rpName = req.rpName != null ? new EncString(req.rpName) : null;
|
||||
domain.userDisplayName =
|
||||
req.userDisplayName != null ? new EncString(req.userDisplayName) : null;
|
||||
domain.discoverable = req.discoverable != null ? new EncString(req.discoverable) : null;
|
||||
domain.creationDate = req.creationDate;
|
||||
return domain;
|
||||
}
|
||||
|
||||
credentialId: string;
|
||||
keyType: string;
|
||||
keyAlgorithm: string;
|
||||
keyCurve: string;
|
||||
keyValue: string;
|
||||
rpId: string;
|
||||
userHandle: string;
|
||||
counter: string;
|
||||
rpName: string;
|
||||
userDisplayName: string;
|
||||
discoverable: string;
|
||||
creationDate: Date;
|
||||
|
||||
/**
|
||||
* Constructs a new Fid2CredentialExport instance.
|
||||
*
|
||||
* @param o - The credential storing the data being exported. When not provided, an empty export is created instead.
|
||||
*/
|
||||
constructor(o?: Fido2CredentialView | Fido2Credential) {
|
||||
if (o == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (o instanceof Fido2CredentialView) {
|
||||
this.credentialId = o.credentialId;
|
||||
this.keyType = o.keyType;
|
||||
this.keyAlgorithm = o.keyAlgorithm;
|
||||
this.keyCurve = o.keyCurve;
|
||||
this.keyValue = o.keyValue;
|
||||
this.rpId = o.rpId;
|
||||
this.userHandle = o.userHandle;
|
||||
this.counter = String(o.counter);
|
||||
this.rpName = o.rpName;
|
||||
this.userDisplayName = o.userDisplayName;
|
||||
this.discoverable = String(o.discoverable);
|
||||
} else {
|
||||
this.credentialId = o.credentialId?.encryptedString;
|
||||
this.keyType = o.keyType?.encryptedString;
|
||||
this.keyAlgorithm = o.keyAlgorithm?.encryptedString;
|
||||
this.keyCurve = o.keyCurve?.encryptedString;
|
||||
this.keyValue = o.keyValue?.encryptedString;
|
||||
this.rpId = o.rpId?.encryptedString;
|
||||
this.userHandle = o.userHandle?.encryptedString;
|
||||
this.counter = o.counter?.encryptedString;
|
||||
this.rpName = o.rpName?.encryptedString;
|
||||
this.userDisplayName = o.userDisplayName?.encryptedString;
|
||||
this.discoverable = o.discoverable?.encryptedString;
|
||||
}
|
||||
this.creationDate = o.creationDate;
|
||||
}
|
||||
}
|
@ -9,3 +9,4 @@ export { FolderExport } from "./folder.export";
|
||||
export { IdentityExport } from "./identity.export";
|
||||
export { LoginUriExport } from "./login-uri.export";
|
||||
export { SecureNoteExport } from "./secure-note.export";
|
||||
export { Fido2CredentialExport } from "./fido2-credential.export";
|
||||
|
@ -2,6 +2,7 @@ import { EncString } from "../../platform/models/domain/enc-string";
|
||||
import { Login as LoginDomain } from "../../vault/models/domain/login";
|
||||
import { LoginView } from "../../vault/models/view/login.view";
|
||||
|
||||
import { Fido2CredentialExport } from "./fido2-credential.export";
|
||||
import { LoginUriExport } from "./login-uri.export";
|
||||
|
||||
export class LoginExport {
|
||||
@ -11,6 +12,7 @@ export class LoginExport {
|
||||
req.username = "jdoe";
|
||||
req.password = "myp@ssword123";
|
||||
req.totp = "JBSWY3DPEHPK3PXP";
|
||||
req.fido2Credentials = [Fido2CredentialExport.template()];
|
||||
return req;
|
||||
}
|
||||
|
||||
@ -21,6 +23,9 @@ export class LoginExport {
|
||||
view.username = req.username;
|
||||
view.password = req.password;
|
||||
view.totp = req.totp;
|
||||
if (req.fido2Credentials != null) {
|
||||
view.fido2Credentials = req.fido2Credentials.map((key) => Fido2CredentialExport.toView(key));
|
||||
}
|
||||
return view;
|
||||
}
|
||||
|
||||
@ -31,6 +36,8 @@ export class LoginExport {
|
||||
domain.username = req.username != null ? new EncString(req.username) : null;
|
||||
domain.password = req.password != null ? new EncString(req.password) : null;
|
||||
domain.totp = req.totp != null ? new EncString(req.totp) : null;
|
||||
// Fido2credentials are currently not supported for exports.
|
||||
|
||||
return domain;
|
||||
}
|
||||
|
||||
@ -38,6 +45,7 @@ export class LoginExport {
|
||||
username: string;
|
||||
password: string;
|
||||
totp: string;
|
||||
fido2Credentials: Fido2CredentialExport[] = [];
|
||||
|
||||
constructor(o?: LoginView | LoginDomain) {
|
||||
if (o == null) {
|
||||
@ -52,6 +60,10 @@ export class LoginExport {
|
||||
}
|
||||
}
|
||||
|
||||
if (o.fido2Credentials != null) {
|
||||
this.fido2Credentials = o.fido2Credentials.map((key) => new Fido2CredentialExport(key));
|
||||
}
|
||||
|
||||
if (o instanceof LoginView) {
|
||||
this.username = o.username;
|
||||
this.password = o.password;
|
||||
|
@ -0,0 +1,143 @@
|
||||
/**
|
||||
* This class represents an abstraction of the WebAuthn Authenticator model as described by W3C:
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-authenticator-model
|
||||
*
|
||||
* The authenticator provides key management and cryptographic signatures.
|
||||
*/
|
||||
export abstract class Fido2AuthenticatorService {
|
||||
/**
|
||||
* Create and save a new credential as described in:
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-op-make-cred
|
||||
*
|
||||
* @param params Parameters for creating a new credential
|
||||
* @param abortController An AbortController that can be used to abort the operation.
|
||||
* @returns A promise that resolves with the new credential and an attestation signature.
|
||||
**/
|
||||
makeCredential: (
|
||||
params: Fido2AuthenticatorMakeCredentialsParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
) => Promise<Fido2AuthenticatorMakeCredentialResult>;
|
||||
|
||||
/**
|
||||
* Generate an assertion using an existing credential as describe in:
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-op-get-assertion
|
||||
*
|
||||
* @param params Parameters for generating an assertion
|
||||
* @param abortController An AbortController that can be used to abort the operation.
|
||||
* @returns A promise that resolves with the asserted credential and an assertion signature.
|
||||
*/
|
||||
getAssertion: (
|
||||
params: Fido2AuthenticatorGetAssertionParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
) => Promise<Fido2AuthenticatorGetAssertionResult>;
|
||||
}
|
||||
|
||||
export enum Fido2AlgorithmIdentifier {
|
||||
ES256 = -7,
|
||||
RS256 = -257,
|
||||
}
|
||||
|
||||
export enum Fido2AutenticatorErrorCode {
|
||||
Unknown = "UnknownError",
|
||||
NotSupported = "NotSupportedError",
|
||||
InvalidState = "InvalidStateError",
|
||||
NotAllowed = "NotAllowedError",
|
||||
Constraint = "ConstraintError",
|
||||
}
|
||||
|
||||
export class Fido2AutenticatorError extends Error {
|
||||
constructor(readonly errorCode: Fido2AutenticatorErrorCode) {
|
||||
super(errorCode);
|
||||
}
|
||||
}
|
||||
|
||||
export interface PublicKeyCredentialDescriptor {
|
||||
id: BufferSource;
|
||||
transports?: ("ble" | "hybrid" | "internal" | "nfc" | "usb")[];
|
||||
type: "public-key";
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters for {@link Fido2AuthenticatorService.makeCredential}
|
||||
*
|
||||
* This interface represents the input parameters described in
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-op-make-cred
|
||||
*/
|
||||
export interface Fido2AuthenticatorMakeCredentialsParams {
|
||||
/** The hash of the serialized client data, provided by the client. */
|
||||
hash: BufferSource;
|
||||
/** The Relying Party's PublicKeyCredentialRpEntity. */
|
||||
rpEntity: {
|
||||
name: string;
|
||||
id?: string;
|
||||
};
|
||||
/** The user account’s PublicKeyCredentialUserEntity, containing the user handle given by the Relying Party. */
|
||||
userEntity: {
|
||||
id: BufferSource;
|
||||
name?: string;
|
||||
displayName?: string;
|
||||
icon?: string;
|
||||
};
|
||||
/** A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most preferred credential that it can. */
|
||||
credTypesAndPubKeyAlgs: {
|
||||
alg: number;
|
||||
type: "public-key"; // not used
|
||||
}[];
|
||||
/** An OPTIONAL list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials. */
|
||||
excludeCredentialDescriptorList?: PublicKeyCredentialDescriptor[];
|
||||
/** A map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any. */
|
||||
extensions?: {
|
||||
appid?: string;
|
||||
appidExclude?: string;
|
||||
credProps?: boolean;
|
||||
uvm?: boolean;
|
||||
};
|
||||
/** A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator. */
|
||||
enterpriseAttestationPossible?: boolean; // Ignored by bitwarden at the moment
|
||||
/** The effective resident key requirement for credential creation, a Boolean value determined by the client. Resident is synonymous with discoverable. */
|
||||
requireResidentKey: boolean;
|
||||
requireUserVerification: boolean;
|
||||
/** Forwarded to user interface */
|
||||
fallbackSupported: boolean;
|
||||
/** The constant Boolean value true. It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may wish to make a test of user presence optional although WebAuthn does not. */
|
||||
// requireUserPresence: true; // Always required
|
||||
}
|
||||
|
||||
export interface Fido2AuthenticatorMakeCredentialResult {
|
||||
credentialId: BufferSource;
|
||||
attestationObject: BufferSource;
|
||||
authData: BufferSource;
|
||||
publicKeyAlgorithm: number;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters for {@link Fido2AuthenticatorService.getAssertion}
|
||||
|
||||
* This interface represents the input parameters described in
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-op-get-assertion
|
||||
*/
|
||||
export interface Fido2AuthenticatorGetAssertionParams {
|
||||
/** The caller’s RP ID, as determined by the user agent and the client. */
|
||||
rpId: string;
|
||||
/** The hash of the serialized client data, provided by the client. */
|
||||
hash: BufferSource;
|
||||
allowCredentialDescriptorList: PublicKeyCredentialDescriptor[];
|
||||
/** The effective user verification requirement for assertion, a Boolean value provided by the client. */
|
||||
requireUserVerification: boolean;
|
||||
/** The constant Boolean value true. It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may wish to make a test of user presence optional although WebAuthn does not. */
|
||||
// requireUserPresence: boolean; // Always required
|
||||
extensions: unknown;
|
||||
/** Forwarded to user interface */
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
|
||||
export interface Fido2AuthenticatorGetAssertionResult {
|
||||
selectedCredential: {
|
||||
id: Uint8Array;
|
||||
userHandle?: Uint8Array;
|
||||
};
|
||||
authenticatorData: Uint8Array;
|
||||
signature: Uint8Array;
|
||||
}
|
@ -0,0 +1,174 @@
|
||||
export const UserRequestedFallbackAbortReason = "UserRequestedFallback";
|
||||
|
||||
export type UserVerification = "discouraged" | "preferred" | "required";
|
||||
|
||||
/**
|
||||
* This class represents an abstraction of the WebAuthn Client as described by W3C:
|
||||
* https://www.w3.org/TR/webauthn-3/#webauthn-client
|
||||
*
|
||||
* The WebAuthn Client is an intermediary entity typically implemented in the user agent
|
||||
* (in whole, or in part). Conceptually, it underlies the Web Authentication API and embodies
|
||||
* the implementation of the Web Authentication API's operations.
|
||||
*
|
||||
* It is responsible for both marshalling the inputs for the underlying authenticator operations,
|
||||
* and for returning the results of the latter operations to the Web Authentication API's callers.
|
||||
*/
|
||||
export abstract class Fido2ClientService {
|
||||
/**
|
||||
* Allows WebAuthn Relying Party scripts to request the creation of a new public key credential source.
|
||||
* For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-createCredential
|
||||
*
|
||||
* @param params The parameters for the credential creation operation.
|
||||
* @param abortController An AbortController that can be used to abort the operation.
|
||||
* @returns A promise that resolves with the new credential.
|
||||
*/
|
||||
createCredential: (
|
||||
params: CreateCredentialParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
) => Promise<CreateCredentialResult>;
|
||||
|
||||
/**
|
||||
* Allows WebAuthn Relying Party scripts to discover and use an existing public key credential, with the user’s consent.
|
||||
* Relying Party script can optionally specify some criteria to indicate what credential sources are acceptable to it.
|
||||
* For more information please see: https://www.w3.org/TR/webauthn-3/#sctn-getAssertion
|
||||
*
|
||||
* @param params The parameters for the credential assertion operation.
|
||||
* @param abortController An AbortController that can be used to abort the operation.
|
||||
* @returns A promise that resolves with the asserted credential.
|
||||
*/
|
||||
assertCredential: (
|
||||
params: AssertCredentialParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
) => Promise<AssertCredentialResult>;
|
||||
|
||||
isFido2FeatureEnabled: () => Promise<boolean>;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters for creating a new credential.
|
||||
*/
|
||||
export interface CreateCredentialParams {
|
||||
/** The Relaying Parties origin, see: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin */
|
||||
origin: string;
|
||||
/**
|
||||
* A value which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
|
||||
* It is false if caller is cross-origin.
|
||||
* */
|
||||
sameOriginWithAncestors: boolean;
|
||||
/** The Relying Party's preference for attestation conveyance */
|
||||
attestation?: "direct" | "enterprise" | "indirect" | "none";
|
||||
/** The Relying Party's requirements of the authenticator used in the creation of the credential. */
|
||||
authenticatorSelection?: {
|
||||
// authenticatorAttachment?: AuthenticatorAttachment; // not used
|
||||
requireResidentKey?: boolean;
|
||||
residentKey?: "discouraged" | "preferred" | "required";
|
||||
userVerification?: UserVerification;
|
||||
};
|
||||
/** Challenge intended to be used for generating the newly created credential's attestation object. */
|
||||
challenge: string; // b64 encoded
|
||||
/**
|
||||
* This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for
|
||||
* the same account on a single authenticator. The client is requested to return an error if the new credential would
|
||||
* be created on an authenticator that also contains one of the credentials enumerated in this parameter.
|
||||
* */
|
||||
excludeCredentials?: {
|
||||
id: string; // b64 encoded
|
||||
transports?: ("ble" | "hybrid" | "internal" | "nfc" | "usb")[];
|
||||
type: "public-key";
|
||||
}[];
|
||||
/**
|
||||
* This member contains additional parameters requesting additional processing by the client and authenticator.
|
||||
* Not currently supported.
|
||||
**/
|
||||
extensions?: {
|
||||
appid?: string;
|
||||
appidExclude?: string;
|
||||
credProps?: boolean;
|
||||
uvm?: boolean;
|
||||
};
|
||||
/**
|
||||
* This member contains information about the desired properties of the credential to be created.
|
||||
* The sequence is ordered from most preferred to least preferred.
|
||||
* The client makes a best-effort to create the most preferred credential that it can.
|
||||
*/
|
||||
pubKeyCredParams: PublicKeyCredentialParam[];
|
||||
/** Data about the Relying Party responsible for the request. */
|
||||
rp: {
|
||||
id?: string;
|
||||
name: string;
|
||||
};
|
||||
/** Data about the user account for which the Relying Party is requesting attestation. */
|
||||
user: {
|
||||
id: string; // b64 encoded
|
||||
displayName: string;
|
||||
};
|
||||
/** Forwarded to user interface */
|
||||
fallbackSupported: boolean;
|
||||
/**
|
||||
* This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
|
||||
* This is treated as a hint, and MAY be overridden by the client.
|
||||
**/
|
||||
timeout?: number;
|
||||
}
|
||||
|
||||
/**
|
||||
* The result of creating a new credential.
|
||||
*/
|
||||
export interface CreateCredentialResult {
|
||||
credentialId: string;
|
||||
clientDataJSON: string;
|
||||
attestationObject: string;
|
||||
authData: string;
|
||||
publicKeyAlgorithm: number;
|
||||
transports: string[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters for asserting a credential.
|
||||
*/
|
||||
export interface AssertCredentialParams {
|
||||
allowedCredentialIds: string[];
|
||||
rpId: string;
|
||||
origin: string;
|
||||
challenge: string;
|
||||
userVerification?: UserVerification;
|
||||
timeout: number;
|
||||
sameOriginWithAncestors: boolean;
|
||||
fallbackSupported: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
* The result of asserting a credential.
|
||||
*/
|
||||
export interface AssertCredentialResult {
|
||||
credentialId: string;
|
||||
clientDataJSON: string;
|
||||
authenticatorData: string;
|
||||
signature: string;
|
||||
userHandle: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* A description of a key type and algorithm.
|
||||
*
|
||||
* @example {
|
||||
* alg: -7, // ES256
|
||||
* type: "public-key"
|
||||
* }
|
||||
*/
|
||||
export interface PublicKeyCredentialParam {
|
||||
alg: number;
|
||||
type: "public-key";
|
||||
}
|
||||
|
||||
/**
|
||||
* Error thrown when the user requests a fallback to the browser's built-in WebAuthn implementation.
|
||||
*/
|
||||
export class FallbackRequestedError extends Error {
|
||||
readonly fallbackRequested = true;
|
||||
constructor() {
|
||||
super("FallbackRequested");
|
||||
}
|
||||
}
|
@ -0,0 +1,103 @@
|
||||
/**
|
||||
* Parameters used to ask the user to confirm the creation of a new credential.
|
||||
*/
|
||||
export interface NewCredentialParams {
|
||||
/**
|
||||
* The name of the credential.
|
||||
*/
|
||||
credentialName: string;
|
||||
|
||||
/**
|
||||
* The name of the user.
|
||||
*/
|
||||
userName: string;
|
||||
|
||||
/**
|
||||
* Whether or not the user must be verified before completing the operation.
|
||||
*/
|
||||
userVerification: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters used to ask the user to pick a credential from a list of existing credentials.
|
||||
*/
|
||||
export interface PickCredentialParams {
|
||||
/**
|
||||
* The IDs of the credentials that the user can pick from.
|
||||
*/
|
||||
cipherIds: string[];
|
||||
|
||||
/**
|
||||
* Whether or not the user must be verified before completing the operation.
|
||||
*/
|
||||
userVerification: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
* This service is used to provide a user interface with which the user can control FIDO2 operations.
|
||||
* It acts as a way to remote control the user interface from the background script.
|
||||
*
|
||||
* The service is session based and is intended to be used by the FIDO2 authenticator to open a window,
|
||||
* and then use this window to ask the user for input and/or display messages to the user.
|
||||
*/
|
||||
export abstract class Fido2UserInterfaceService {
|
||||
/**
|
||||
* Creates a new session.
|
||||
* Note: This will not necessarily open a window until it is needed to request something from the user.
|
||||
*
|
||||
* @param fallbackSupported Whether or not the browser natively supports WebAuthn.
|
||||
* @param abortController An abort controller that can be used to cancel/close the session.
|
||||
*/
|
||||
newSession: (
|
||||
fallbackSupported: boolean,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
) => Promise<Fido2UserInterfaceSession>;
|
||||
}
|
||||
|
||||
export abstract class Fido2UserInterfaceSession {
|
||||
/**
|
||||
* Ask the user to pick a credential from a list of existing credentials.
|
||||
*
|
||||
* @param params The parameters to use when asking the user to pick a credential.
|
||||
* @param abortController An abort controller that can be used to cancel/close the session.
|
||||
* @returns The ID of the cipher that contains the credentials the user picked.
|
||||
*/
|
||||
pickCredential: (
|
||||
params: PickCredentialParams
|
||||
) => Promise<{ cipherId: string; userVerified: boolean }>;
|
||||
|
||||
/**
|
||||
* Ask the user to confirm the creation of a new credential.
|
||||
*
|
||||
* @param params The parameters to use when asking the user to confirm the creation of a new credential.
|
||||
* @param abortController An abort controller that can be used to cancel/close the session.
|
||||
* @returns The ID of the cipher where the new credential should be saved.
|
||||
*/
|
||||
confirmNewCredential: (
|
||||
params: NewCredentialParams
|
||||
) => Promise<{ cipherId: string; userVerified: boolean }>;
|
||||
|
||||
/**
|
||||
* Make sure that the vault is unlocked.
|
||||
* This will open a window and ask the user to login or unlock the vault if necessary.
|
||||
*/
|
||||
ensureUnlockedVault: () => Promise<void>;
|
||||
|
||||
/**
|
||||
* Inform the user that the operation was cancelled because their vault contains excluded credentials.
|
||||
*
|
||||
* @param existingCipherIds The IDs of the excluded credentials.
|
||||
*/
|
||||
informExcludedCredential: (existingCipherIds: string[]) => Promise<void>;
|
||||
|
||||
/**
|
||||
* Inform the user that the operation was cancelled because their vault does not contain any useable credentials.
|
||||
*/
|
||||
informCredentialNotFound: (abortController?: AbortController) => Promise<void>;
|
||||
|
||||
/**
|
||||
* Close the session, including any windows that may be open.
|
||||
*/
|
||||
close: () => void;
|
||||
}
|
36
libs/common/src/vault/api/fido2-credential.api.ts
Normal file
36
libs/common/src/vault/api/fido2-credential.api.ts
Normal file
@ -0,0 +1,36 @@
|
||||
import { BaseResponse } from "../../models/response/base.response";
|
||||
|
||||
export class Fido2CredentialApi extends BaseResponse {
|
||||
credentialId: string;
|
||||
keyType: "public-key";
|
||||
keyAlgorithm: "ECDSA";
|
||||
keyCurve: "P-256";
|
||||
keyValue: string;
|
||||
rpId: string;
|
||||
userHandle: string;
|
||||
counter: string;
|
||||
rpName: string;
|
||||
userDisplayName: string;
|
||||
discoverable: string;
|
||||
creationDate: string;
|
||||
|
||||
constructor(data: any = null) {
|
||||
super(data);
|
||||
if (data == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.credentialId = this.getResponseProperty("CredentialId");
|
||||
this.keyType = this.getResponseProperty("KeyType");
|
||||
this.keyAlgorithm = this.getResponseProperty("KeyAlgorithm");
|
||||
this.keyCurve = this.getResponseProperty("KeyCurve");
|
||||
this.keyValue = this.getResponseProperty("keyValue");
|
||||
this.rpId = this.getResponseProperty("RpId");
|
||||
this.userHandle = this.getResponseProperty("UserHandle");
|
||||
this.counter = this.getResponseProperty("Counter");
|
||||
this.rpName = this.getResponseProperty("RpName");
|
||||
this.userDisplayName = this.getResponseProperty("UserDisplayName");
|
||||
this.discoverable = this.getResponseProperty("Discoverable");
|
||||
this.creationDate = this.getResponseProperty("CreationDate");
|
||||
}
|
||||
}
|
4
libs/common/src/vault/interfaces/launchable.ts
Normal file
4
libs/common/src/vault/interfaces/launchable.ts
Normal file
@ -0,0 +1,4 @@
|
||||
export interface Launchable {
|
||||
launchUri: string;
|
||||
canLaunch: boolean;
|
||||
}
|
35
libs/common/src/vault/models/data/fido2-credential.data.ts
Normal file
35
libs/common/src/vault/models/data/fido2-credential.data.ts
Normal file
@ -0,0 +1,35 @@
|
||||
import { Fido2CredentialApi } from "../../api/fido2-credential.api";
|
||||
|
||||
export class Fido2CredentialData {
|
||||
credentialId: string;
|
||||
keyType: "public-key";
|
||||
keyAlgorithm: "ECDSA";
|
||||
keyCurve: "P-256";
|
||||
keyValue: string;
|
||||
rpId: string;
|
||||
userHandle: string;
|
||||
counter: string;
|
||||
rpName: string;
|
||||
userDisplayName: string;
|
||||
discoverable: string;
|
||||
creationDate: string;
|
||||
|
||||
constructor(data?: Fido2CredentialApi) {
|
||||
if (data == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.credentialId = data.credentialId;
|
||||
this.keyType = data.keyType;
|
||||
this.keyAlgorithm = data.keyAlgorithm;
|
||||
this.keyCurve = data.keyCurve;
|
||||
this.keyValue = data.keyValue;
|
||||
this.rpId = data.rpId;
|
||||
this.userHandle = data.userHandle;
|
||||
this.counter = data.counter;
|
||||
this.rpName = data.rpName;
|
||||
this.userDisplayName = data.userDisplayName;
|
||||
this.discoverable = data.discoverable;
|
||||
this.creationDate = data.creationDate;
|
||||
}
|
||||
}
|
@ -1,5 +1,6 @@
|
||||
import { LoginApi } from "../../../models/api/login.api";
|
||||
|
||||
import { Fido2CredentialData } from "./fido2-credential.data";
|
||||
import { LoginUriData } from "./login-uri.data";
|
||||
|
||||
export class LoginData {
|
||||
@ -9,6 +10,7 @@ export class LoginData {
|
||||
passwordRevisionDate: string;
|
||||
totp: string;
|
||||
autofillOnPageLoad: boolean;
|
||||
fido2Credentials?: Fido2CredentialData[];
|
||||
|
||||
constructor(data?: LoginApi) {
|
||||
if (data == null) {
|
||||
@ -24,5 +26,9 @@ export class LoginData {
|
||||
if (data.uris) {
|
||||
this.uris = data.uris.map((u) => new LoginUriData(u));
|
||||
}
|
||||
|
||||
if (data.fido2Credentials) {
|
||||
this.fido2Credentials = data.fido2Credentials?.map((key) => new Fido2CredentialData(key));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
167
libs/common/src/vault/models/domain/fido2-credential.spec.ts
Normal file
167
libs/common/src/vault/models/domain/fido2-credential.spec.ts
Normal file
@ -0,0 +1,167 @@
|
||||
import { mockEnc } from "../../../../spec";
|
||||
import { EncryptionType } from "../../../enums";
|
||||
import { EncString } from "../../../platform/models/domain/enc-string";
|
||||
import { Fido2CredentialData } from "../data/fido2-credential.data";
|
||||
|
||||
import { Fido2Credential } from "./fido2-credential";
|
||||
|
||||
describe("Fido2Credential", () => {
|
||||
let mockDate: Date;
|
||||
|
||||
beforeEach(() => {
|
||||
mockDate = new Date("2023-01-01T12:00:00.000Z");
|
||||
});
|
||||
|
||||
describe("constructor", () => {
|
||||
it("returns all fields null when given empty data parameter", () => {
|
||||
const data = new Fido2CredentialData();
|
||||
const credential = new Fido2Credential(data);
|
||||
|
||||
expect(credential).toEqual({
|
||||
credentialId: null,
|
||||
keyType: null,
|
||||
keyAlgorithm: null,
|
||||
keyCurve: null,
|
||||
keyValue: null,
|
||||
rpId: null,
|
||||
userHandle: null,
|
||||
rpName: null,
|
||||
userDisplayName: null,
|
||||
counter: null,
|
||||
discoverable: null,
|
||||
creationDate: null,
|
||||
});
|
||||
});
|
||||
|
||||
it("returns all fields as EncStrings except creationDate when given full Fido2CredentialData", () => {
|
||||
const data: Fido2CredentialData = {
|
||||
credentialId: "credentialId",
|
||||
keyType: "public-key",
|
||||
keyAlgorithm: "ECDSA",
|
||||
keyCurve: "P-256",
|
||||
keyValue: "keyValue",
|
||||
rpId: "rpId",
|
||||
userHandle: "userHandle",
|
||||
counter: "counter",
|
||||
rpName: "rpName",
|
||||
userDisplayName: "userDisplayName",
|
||||
discoverable: "discoverable",
|
||||
creationDate: mockDate.toISOString(),
|
||||
};
|
||||
const credential = new Fido2Credential(data);
|
||||
|
||||
expect(credential).toEqual({
|
||||
credentialId: { encryptedString: "credentialId", encryptionType: 0 },
|
||||
keyType: { encryptedString: "public-key", encryptionType: 0 },
|
||||
keyAlgorithm: { encryptedString: "ECDSA", encryptionType: 0 },
|
||||
keyCurve: { encryptedString: "P-256", encryptionType: 0 },
|
||||
keyValue: { encryptedString: "keyValue", encryptionType: 0 },
|
||||
rpId: { encryptedString: "rpId", encryptionType: 0 },
|
||||
userHandle: { encryptedString: "userHandle", encryptionType: 0 },
|
||||
counter: { encryptedString: "counter", encryptionType: 0 },
|
||||
rpName: { encryptedString: "rpName", encryptionType: 0 },
|
||||
userDisplayName: { encryptedString: "userDisplayName", encryptionType: 0 },
|
||||
discoverable: { encryptedString: "discoverable", encryptionType: 0 },
|
||||
creationDate: mockDate,
|
||||
});
|
||||
});
|
||||
|
||||
it("should not populate fields when data parameter is not given", () => {
|
||||
const credential = new Fido2Credential();
|
||||
|
||||
expect(credential).toEqual({
|
||||
credentialId: null,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe("decrypt", () => {
|
||||
it("decrypts and populates all fields when populated with EncStrings", async () => {
|
||||
const credential = new Fido2Credential();
|
||||
credential.credentialId = mockEnc("credentialId");
|
||||
credential.keyType = mockEnc("keyType");
|
||||
credential.keyAlgorithm = mockEnc("keyAlgorithm");
|
||||
credential.keyCurve = mockEnc("keyCurve");
|
||||
credential.keyValue = mockEnc("keyValue");
|
||||
credential.rpId = mockEnc("rpId");
|
||||
credential.userHandle = mockEnc("userHandle");
|
||||
credential.counter = mockEnc("2");
|
||||
credential.rpName = mockEnc("rpName");
|
||||
credential.userDisplayName = mockEnc("userDisplayName");
|
||||
credential.discoverable = mockEnc("true");
|
||||
credential.creationDate = mockDate;
|
||||
|
||||
const credentialView = await credential.decrypt(null);
|
||||
|
||||
expect(credentialView).toEqual({
|
||||
credentialId: "credentialId",
|
||||
keyType: "keyType",
|
||||
keyAlgorithm: "keyAlgorithm",
|
||||
keyCurve: "keyCurve",
|
||||
keyValue: "keyValue",
|
||||
rpId: "rpId",
|
||||
userHandle: "userHandle",
|
||||
rpName: "rpName",
|
||||
userDisplayName: "userDisplayName",
|
||||
counter: 2,
|
||||
discoverable: true,
|
||||
creationDate: mockDate,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe("toFido2CredentialData", () => {
|
||||
it("encodes to data object when converted from Fido2CredentialData and back", () => {
|
||||
const data: Fido2CredentialData = {
|
||||
credentialId: "credentialId",
|
||||
keyType: "public-key",
|
||||
keyAlgorithm: "ECDSA",
|
||||
keyCurve: "P-256",
|
||||
keyValue: "keyValue",
|
||||
rpId: "rpId",
|
||||
userHandle: "userHandle",
|
||||
counter: "2",
|
||||
rpName: "rpName",
|
||||
userDisplayName: "userDisplayName",
|
||||
discoverable: "true",
|
||||
creationDate: mockDate.toISOString(),
|
||||
};
|
||||
|
||||
const credential = new Fido2Credential(data);
|
||||
const result = credential.toFido2CredentialData();
|
||||
|
||||
expect(result).toEqual(data);
|
||||
});
|
||||
});
|
||||
|
||||
describe("fromJSON", () => {
|
||||
it("recreates equivalent object when converted to JSON and back", () => {
|
||||
const credential = new Fido2Credential();
|
||||
credential.credentialId = createEncryptedEncString("credentialId");
|
||||
credential.keyType = createEncryptedEncString("keyType");
|
||||
credential.keyAlgorithm = createEncryptedEncString("keyAlgorithm");
|
||||
credential.keyCurve = createEncryptedEncString("keyCurve");
|
||||
credential.keyValue = createEncryptedEncString("keyValue");
|
||||
credential.rpId = createEncryptedEncString("rpId");
|
||||
credential.userHandle = createEncryptedEncString("userHandle");
|
||||
credential.counter = createEncryptedEncString("2");
|
||||
credential.rpName = createEncryptedEncString("rpName");
|
||||
credential.userDisplayName = createEncryptedEncString("userDisplayName");
|
||||
credential.discoverable = createEncryptedEncString("discoverable");
|
||||
credential.creationDate = mockDate;
|
||||
|
||||
const json = JSON.stringify(credential);
|
||||
const result = Fido2Credential.fromJSON(JSON.parse(json));
|
||||
|
||||
expect(result).toEqual(credential);
|
||||
});
|
||||
|
||||
it("returns null if input is null", () => {
|
||||
expect(Fido2Credential.fromJSON(null)).toBeNull();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
function createEncryptedEncString(s: string): EncString {
|
||||
return new EncString(`${EncryptionType.AesCbc256_HmacSha256_B64}.${s}`);
|
||||
}
|
146
libs/common/src/vault/models/domain/fido2-credential.ts
Normal file
146
libs/common/src/vault/models/domain/fido2-credential.ts
Normal file
@ -0,0 +1,146 @@
|
||||
import { Jsonify } from "type-fest";
|
||||
|
||||
import Domain from "../../../platform/models/domain/domain-base";
|
||||
import { EncString } from "../../../platform/models/domain/enc-string";
|
||||
import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
|
||||
import { Fido2CredentialData } from "../data/fido2-credential.data";
|
||||
import { Fido2CredentialView } from "../view/fido2-credential.view";
|
||||
|
||||
export class Fido2Credential extends Domain {
|
||||
credentialId: EncString | null = null;
|
||||
keyType: EncString;
|
||||
keyAlgorithm: EncString;
|
||||
keyCurve: EncString;
|
||||
keyValue: EncString;
|
||||
rpId: EncString;
|
||||
userHandle: EncString;
|
||||
counter: EncString;
|
||||
rpName: EncString;
|
||||
userDisplayName: EncString;
|
||||
discoverable: EncString;
|
||||
creationDate: Date;
|
||||
|
||||
constructor(obj?: Fido2CredentialData) {
|
||||
super();
|
||||
if (obj == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.buildDomainModel(
|
||||
this,
|
||||
obj,
|
||||
{
|
||||
credentialId: null,
|
||||
keyType: null,
|
||||
keyAlgorithm: null,
|
||||
keyCurve: null,
|
||||
keyValue: null,
|
||||
rpId: null,
|
||||
userHandle: null,
|
||||
counter: null,
|
||||
rpName: null,
|
||||
userDisplayName: null,
|
||||
discoverable: null,
|
||||
},
|
||||
[]
|
||||
);
|
||||
this.creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
|
||||
}
|
||||
|
||||
async decrypt(orgId: string, encKey?: SymmetricCryptoKey): Promise<Fido2CredentialView> {
|
||||
const view = await this.decryptObj(
|
||||
new Fido2CredentialView(),
|
||||
{
|
||||
credentialId: null,
|
||||
keyType: null,
|
||||
keyAlgorithm: null,
|
||||
keyCurve: null,
|
||||
keyValue: null,
|
||||
rpId: null,
|
||||
userHandle: null,
|
||||
rpName: null,
|
||||
userDisplayName: null,
|
||||
discoverable: null,
|
||||
},
|
||||
orgId,
|
||||
encKey
|
||||
);
|
||||
|
||||
const { counter } = await this.decryptObj(
|
||||
{ counter: "" },
|
||||
{
|
||||
counter: null,
|
||||
},
|
||||
orgId,
|
||||
encKey
|
||||
);
|
||||
// Counter will end up as NaN if this fails
|
||||
view.counter = parseInt(counter);
|
||||
|
||||
const { discoverable } = await this.decryptObj(
|
||||
{ discoverable: "" },
|
||||
{
|
||||
discoverable: null,
|
||||
},
|
||||
orgId,
|
||||
encKey
|
||||
);
|
||||
view.discoverable = discoverable === "true";
|
||||
view.creationDate = this.creationDate;
|
||||
|
||||
return view;
|
||||
}
|
||||
|
||||
toFido2CredentialData(): Fido2CredentialData {
|
||||
const i = new Fido2CredentialData();
|
||||
i.creationDate = this.creationDate.toISOString();
|
||||
this.buildDataModel(this, i, {
|
||||
credentialId: null,
|
||||
keyType: null,
|
||||
keyAlgorithm: null,
|
||||
keyCurve: null,
|
||||
keyValue: null,
|
||||
rpId: null,
|
||||
userHandle: null,
|
||||
counter: null,
|
||||
rpName: null,
|
||||
userDisplayName: null,
|
||||
discoverable: null,
|
||||
});
|
||||
return i;
|
||||
}
|
||||
|
||||
static fromJSON(obj: Jsonify<Fido2Credential>): Fido2Credential {
|
||||
if (obj == null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const credentialId = EncString.fromJSON(obj.credentialId);
|
||||
const keyType = EncString.fromJSON(obj.keyType);
|
||||
const keyAlgorithm = EncString.fromJSON(obj.keyAlgorithm);
|
||||
const keyCurve = EncString.fromJSON(obj.keyCurve);
|
||||
const keyValue = EncString.fromJSON(obj.keyValue);
|
||||
const rpId = EncString.fromJSON(obj.rpId);
|
||||
const userHandle = EncString.fromJSON(obj.userHandle);
|
||||
const counter = EncString.fromJSON(obj.counter);
|
||||
const rpName = EncString.fromJSON(obj.rpName);
|
||||
const userDisplayName = EncString.fromJSON(obj.userDisplayName);
|
||||
const discoverable = EncString.fromJSON(obj.discoverable);
|
||||
const creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
|
||||
|
||||
return Object.assign(new Fido2Credential(), obj, {
|
||||
credentialId,
|
||||
keyType,
|
||||
keyAlgorithm,
|
||||
keyCurve,
|
||||
keyValue,
|
||||
rpId,
|
||||
userHandle,
|
||||
counter,
|
||||
rpName,
|
||||
userDisplayName,
|
||||
discoverable,
|
||||
creationDate,
|
||||
});
|
||||
}
|
||||
}
|
@ -3,10 +3,15 @@ import { mock } from "jest-mock-extended";
|
||||
import { mockEnc, mockFromJson } from "../../../../spec";
|
||||
import { UriMatchType } from "../../../enums";
|
||||
import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
|
||||
import { Fido2CredentialApi } from "../../api/fido2-credential.api";
|
||||
import { LoginData } from "../../models/data/login.data";
|
||||
import { Login } from "../../models/domain/login";
|
||||
import { LoginUri } from "../../models/domain/login-uri";
|
||||
import { LoginUriView } from "../../models/view/login-uri.view";
|
||||
import { Fido2CredentialData } from "../data/fido2-credential.data";
|
||||
import { Fido2CredentialView } from "../view/fido2-credential.view";
|
||||
|
||||
import { Fido2Credential } from "./fido2-credential";
|
||||
|
||||
describe("Login DTO", () => {
|
||||
it("Convert from empty LoginData", () => {
|
||||
@ -23,6 +28,7 @@ describe("Login DTO", () => {
|
||||
});
|
||||
|
||||
it("Convert from full LoginData", () => {
|
||||
const fido2CredentialData = initializeFido2Credential(new Fido2CredentialData());
|
||||
const data: LoginData = {
|
||||
uris: [{ uri: "uri", match: UriMatchType.Domain }],
|
||||
username: "username",
|
||||
@ -30,6 +36,7 @@ describe("Login DTO", () => {
|
||||
passwordRevisionDate: "2022-01-31T12:00:00.000Z",
|
||||
totp: "123",
|
||||
autofillOnPageLoad: false,
|
||||
fido2Credentials: [fido2CredentialData],
|
||||
};
|
||||
const login = new Login(data);
|
||||
|
||||
@ -40,6 +47,7 @@ describe("Login DTO", () => {
|
||||
password: { encryptedString: "password", encryptionType: 0 },
|
||||
totp: { encryptedString: "123", encryptionType: 0 },
|
||||
uris: [{ match: 0, uri: { encryptedString: "uri", encryptionType: 0 } }],
|
||||
fido2Credentials: [encryptFido2Credential(fido2CredentialData)],
|
||||
});
|
||||
});
|
||||
|
||||
@ -56,12 +64,16 @@ describe("Login DTO", () => {
|
||||
loginUri.decrypt.mockResolvedValue(loginUriView);
|
||||
|
||||
const login = new Login();
|
||||
const decryptedFido2Credential = Symbol();
|
||||
login.uris = [loginUri];
|
||||
login.username = mockEnc("encrypted username");
|
||||
login.password = mockEnc("encrypted password");
|
||||
login.passwordRevisionDate = new Date("2022-01-31T12:00:00.000Z");
|
||||
login.totp = mockEnc("encrypted totp");
|
||||
login.autofillOnPageLoad = true;
|
||||
login.fido2Credentials = [
|
||||
{ decrypt: jest.fn().mockReturnValue(decryptedFido2Credential) } as any,
|
||||
];
|
||||
|
||||
const loginView = await login.decrypt(null);
|
||||
expect(loginView).toEqual({
|
||||
@ -80,6 +92,7 @@ describe("Login DTO", () => {
|
||||
},
|
||||
],
|
||||
autofillOnPageLoad: true,
|
||||
fido2Credentials: [decryptedFido2Credential],
|
||||
});
|
||||
});
|
||||
|
||||
@ -91,6 +104,7 @@ describe("Login DTO", () => {
|
||||
passwordRevisionDate: "2022-01-31T12:00:00.000Z",
|
||||
totp: "123",
|
||||
autofillOnPageLoad: false,
|
||||
fido2Credentials: [initializeFido2Credential(new Fido2CredentialData())],
|
||||
};
|
||||
const login = new Login(data);
|
||||
|
||||
@ -104,6 +118,7 @@ describe("Login DTO", () => {
|
||||
jest.spyOn(EncString, "fromJSON").mockImplementation(mockFromJson);
|
||||
jest.spyOn(LoginUri, "fromJSON").mockImplementation(mockFromJson);
|
||||
const passwordRevisionDate = new Date("2022-01-31T12:00:00.000Z");
|
||||
const fido2CreationDate = new Date("2023-01-01T12:00:00.000Z");
|
||||
|
||||
const actual = Login.fromJSON({
|
||||
uris: ["loginUri1", "loginUri2"] as any,
|
||||
@ -111,6 +126,22 @@ describe("Login DTO", () => {
|
||||
password: "myPassword" as EncryptedString,
|
||||
passwordRevisionDate: passwordRevisionDate.toISOString(),
|
||||
totp: "myTotp" as EncryptedString,
|
||||
fido2Credentials: [
|
||||
{
|
||||
credentialId: "keyId" as EncryptedString,
|
||||
keyType: "keyType" as EncryptedString,
|
||||
keyAlgorithm: "keyAlgorithm" as EncryptedString,
|
||||
keyCurve: "keyCurve" as EncryptedString,
|
||||
keyValue: "keyValue" as EncryptedString,
|
||||
rpId: "rpId" as EncryptedString,
|
||||
userHandle: "userHandle" as EncryptedString,
|
||||
counter: "counter" as EncryptedString,
|
||||
rpName: "rpName" as EncryptedString,
|
||||
userDisplayName: "userDisplayName" as EncryptedString,
|
||||
discoverable: "discoverable" as EncryptedString,
|
||||
creationDate: fido2CreationDate.toISOString(),
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
expect(actual).toEqual({
|
||||
@ -119,6 +150,22 @@ describe("Login DTO", () => {
|
||||
password: "myPassword_fromJSON",
|
||||
passwordRevisionDate: passwordRevisionDate,
|
||||
totp: "myTotp_fromJSON",
|
||||
fido2Credentials: [
|
||||
{
|
||||
credentialId: "keyId_fromJSON",
|
||||
keyType: "keyType_fromJSON",
|
||||
keyAlgorithm: "keyAlgorithm_fromJSON",
|
||||
keyCurve: "keyCurve_fromJSON",
|
||||
keyValue: "keyValue_fromJSON",
|
||||
rpId: "rpId_fromJSON",
|
||||
userHandle: "userHandle_fromJSON",
|
||||
counter: "counter_fromJSON",
|
||||
rpName: "rpName_fromJSON",
|
||||
userDisplayName: "userDisplayName_fromJSON",
|
||||
discoverable: "discoverable_fromJSON",
|
||||
creationDate: fido2CreationDate,
|
||||
},
|
||||
],
|
||||
});
|
||||
expect(actual).toBeInstanceOf(Login);
|
||||
});
|
||||
@ -128,3 +175,42 @@ describe("Login DTO", () => {
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
type Fido2CredentialLike = Fido2CredentialData | Fido2CredentialView | Fido2CredentialApi;
|
||||
function initializeFido2Credential<T extends Fido2CredentialLike>(key: T): T {
|
||||
key.credentialId = "credentialId";
|
||||
key.keyType = "public-key";
|
||||
key.keyAlgorithm = "ECDSA";
|
||||
key.keyCurve = "P-256";
|
||||
key.keyValue = "keyValue";
|
||||
key.rpId = "rpId";
|
||||
key.userHandle = "userHandle";
|
||||
key.counter = "counter";
|
||||
key.rpName = "rpName";
|
||||
key.userDisplayName = "userDisplayName";
|
||||
key.discoverable = "discoverable";
|
||||
key.creationDate = "2023-01-01T12:00:00.000Z";
|
||||
return key;
|
||||
}
|
||||
|
||||
function encryptFido2Credential(key: Fido2CredentialLike): Fido2Credential {
|
||||
const encrypted = new Fido2Credential();
|
||||
encrypted.credentialId = { encryptedString: key.credentialId, encryptionType: 0 } as EncString;
|
||||
encrypted.keyType = { encryptedString: key.keyType, encryptionType: 0 } as EncString;
|
||||
encrypted.keyAlgorithm = { encryptedString: key.keyAlgorithm, encryptionType: 0 } as EncString;
|
||||
encrypted.keyCurve = { encryptedString: key.keyCurve, encryptionType: 0 } as EncString;
|
||||
encrypted.keyValue = { encryptedString: key.keyValue, encryptionType: 0 } as EncString;
|
||||
encrypted.rpId = { encryptedString: key.rpId, encryptionType: 0 } as EncString;
|
||||
encrypted.userHandle = { encryptedString: key.userHandle, encryptionType: 0 } as EncString;
|
||||
encrypted.counter = { encryptedString: key.counter, encryptionType: 0 } as EncString;
|
||||
encrypted.rpName = { encryptedString: key.rpName, encryptionType: 0 } as EncString;
|
||||
encrypted.userDisplayName = {
|
||||
encryptedString: key.userDisplayName,
|
||||
encryptionType: 0,
|
||||
} as EncString;
|
||||
encrypted.discoverable = { encryptedString: key.discoverable, encryptionType: 0 } as EncString;
|
||||
|
||||
// not encrypted
|
||||
encrypted.creationDate = new Date(key.creationDate);
|
||||
return encrypted;
|
||||
}
|
||||
|
@ -6,6 +6,7 @@ import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-cr
|
||||
import { LoginData } from "../data/login.data";
|
||||
import { LoginView } from "../view/login.view";
|
||||
|
||||
import { Fido2Credential } from "./fido2-credential";
|
||||
import { LoginUri } from "./login-uri";
|
||||
|
||||
export class Login extends Domain {
|
||||
@ -15,6 +16,7 @@ export class Login extends Domain {
|
||||
passwordRevisionDate?: Date;
|
||||
totp: EncString;
|
||||
autofillOnPageLoad: boolean;
|
||||
fido2Credentials: Fido2Credential[];
|
||||
|
||||
constructor(obj?: LoginData) {
|
||||
super();
|
||||
@ -42,6 +44,10 @@ export class Login extends Domain {
|
||||
this.uris.push(new LoginUri(u));
|
||||
});
|
||||
}
|
||||
|
||||
if (obj.fido2Credentials) {
|
||||
this.fido2Credentials = obj.fido2Credentials.map((key) => new Fido2Credential(key));
|
||||
}
|
||||
}
|
||||
|
||||
async decrypt(orgId: string, encKey?: SymmetricCryptoKey): Promise<LoginView> {
|
||||
@ -64,6 +70,12 @@ export class Login extends Domain {
|
||||
}
|
||||
}
|
||||
|
||||
if (this.fido2Credentials != null) {
|
||||
view.fido2Credentials = await Promise.all(
|
||||
this.fido2Credentials.map((key) => key.decrypt(orgId, encKey))
|
||||
);
|
||||
}
|
||||
|
||||
return view;
|
||||
}
|
||||
|
||||
@ -85,6 +97,10 @@ export class Login extends Domain {
|
||||
});
|
||||
}
|
||||
|
||||
if (this.fido2Credentials != null && this.fido2Credentials.length > 0) {
|
||||
l.fido2Credentials = this.fido2Credentials.map((key) => key.toFido2CredentialData());
|
||||
}
|
||||
|
||||
return l;
|
||||
}
|
||||
|
||||
@ -99,13 +115,16 @@ export class Login extends Domain {
|
||||
const passwordRevisionDate =
|
||||
obj.passwordRevisionDate == null ? null : new Date(obj.passwordRevisionDate);
|
||||
const uris = obj.uris?.map((uri: any) => LoginUri.fromJSON(uri));
|
||||
const fido2Credentials =
|
||||
obj.fido2Credentials?.map((key) => Fido2Credential.fromJSON(key)) ?? [];
|
||||
|
||||
return Object.assign(new Login(), obj, {
|
||||
username,
|
||||
password,
|
||||
totp,
|
||||
passwordRevisionDate: passwordRevisionDate,
|
||||
uris: uris,
|
||||
passwordRevisionDate,
|
||||
uris,
|
||||
fido2Credentials,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
@ -4,6 +4,7 @@ import { IdentityApi } from "../../../models/api/identity.api";
|
||||
import { LoginUriApi } from "../../../models/api/login-uri.api";
|
||||
import { LoginApi } from "../../../models/api/login.api";
|
||||
import { SecureNoteApi } from "../../../models/api/secure-note.api";
|
||||
import { Fido2CredentialApi } from "../../api/fido2-credential.api";
|
||||
import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
|
||||
import { CipherType } from "../../enums/cipher-type";
|
||||
import { Cipher } from "../domain/cipher";
|
||||
@ -63,6 +64,31 @@ export class CipherRequest {
|
||||
return uri;
|
||||
});
|
||||
}
|
||||
|
||||
if (cipher.login.fido2Credentials != null) {
|
||||
this.login.fido2Credentials = cipher.login.fido2Credentials.map((key) => {
|
||||
const keyApi = new Fido2CredentialApi();
|
||||
keyApi.credentialId =
|
||||
key.credentialId != null ? key.credentialId.encryptedString : null;
|
||||
keyApi.keyType =
|
||||
key.keyType != null ? (key.keyType.encryptedString as "public-key") : null;
|
||||
keyApi.keyAlgorithm =
|
||||
key.keyAlgorithm != null ? (key.keyAlgorithm.encryptedString as "ECDSA") : null;
|
||||
keyApi.keyCurve =
|
||||
key.keyCurve != null ? (key.keyCurve.encryptedString as "P-256") : null;
|
||||
keyApi.keyValue = key.keyValue != null ? key.keyValue.encryptedString : null;
|
||||
keyApi.rpId = key.rpId != null ? key.rpId.encryptedString : null;
|
||||
keyApi.rpName = key.rpName != null ? key.rpName.encryptedString : null;
|
||||
keyApi.counter = key.counter != null ? key.counter.encryptedString : null;
|
||||
keyApi.userHandle = key.userHandle != null ? key.userHandle.encryptedString : null;
|
||||
keyApi.userDisplayName =
|
||||
key.userDisplayName != null ? key.userDisplayName.encryptedString : null;
|
||||
keyApi.discoverable =
|
||||
key.discoverable != null ? key.discoverable.encryptedString : null;
|
||||
keyApi.creationDate = key.creationDate != null ? key.creationDate.toISOString() : null;
|
||||
return keyApi;
|
||||
});
|
||||
}
|
||||
break;
|
||||
case CipherType.SecureNote:
|
||||
this.secureNote = new SecureNoteApi();
|
||||
|
29
libs/common/src/vault/models/view/fido2-credential.view.ts
Normal file
29
libs/common/src/vault/models/view/fido2-credential.view.ts
Normal file
@ -0,0 +1,29 @@
|
||||
import { Jsonify } from "type-fest";
|
||||
|
||||
import { ItemView } from "./item.view";
|
||||
|
||||
export class Fido2CredentialView extends ItemView {
|
||||
credentialId: string;
|
||||
keyType: "public-key";
|
||||
keyAlgorithm: "ECDSA";
|
||||
keyCurve: "P-256";
|
||||
keyValue: string;
|
||||
rpId: string;
|
||||
userHandle: string;
|
||||
counter: number;
|
||||
rpName: string;
|
||||
userDisplayName: string;
|
||||
discoverable: boolean;
|
||||
creationDate: Date = null;
|
||||
|
||||
get subTitle(): string {
|
||||
return this.userDisplayName;
|
||||
}
|
||||
|
||||
static fromJSON(obj: Partial<Jsonify<Fido2CredentialView>>): Fido2CredentialView {
|
||||
const creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
|
||||
return Object.assign(new Fido2CredentialView(), obj, {
|
||||
creationDate,
|
||||
});
|
||||
}
|
||||
}
|
@ -5,6 +5,7 @@ import { linkedFieldOption } from "../../../misc/linkedFieldOption.decorator";
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
import { Login } from "../domain/login";
|
||||
|
||||
import { Fido2CredentialView } from "./fido2-credential.view";
|
||||
import { ItemView } from "./item.view";
|
||||
import { LoginUriView } from "./login-uri.view";
|
||||
|
||||
@ -18,6 +19,7 @@ export class LoginView extends ItemView {
|
||||
totp: string = null;
|
||||
uris: LoginUriView[] = null;
|
||||
autofillOnPageLoad: boolean = null;
|
||||
fido2Credentials: Fido2CredentialView[] = null;
|
||||
|
||||
constructor(l?: Login) {
|
||||
super();
|
||||
@ -63,6 +65,10 @@ export class LoginView extends ItemView {
|
||||
return this.uris != null && this.uris.length > 0;
|
||||
}
|
||||
|
||||
get hasFido2Credentials(): boolean {
|
||||
return this.fido2Credentials != null && this.fido2Credentials.length > 0;
|
||||
}
|
||||
|
||||
matchesUri(
|
||||
targetUri: string,
|
||||
equivalentDomains: Set<string>,
|
||||
@ -79,10 +85,12 @@ export class LoginView extends ItemView {
|
||||
const passwordRevisionDate =
|
||||
obj.passwordRevisionDate == null ? null : new Date(obj.passwordRevisionDate);
|
||||
const uris = obj.uris?.map((uri: any) => LoginUriView.fromJSON(uri));
|
||||
const fido2Credentials = obj.fido2Credentials?.map((key) => Fido2CredentialView.fromJSON(key));
|
||||
|
||||
return Object.assign(new LoginView(), obj, {
|
||||
passwordRevisionDate: passwordRevisionDate,
|
||||
uris: uris,
|
||||
passwordRevisionDate,
|
||||
uris,
|
||||
fido2Credentials,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
@ -30,6 +30,7 @@ import { CipherData } from "../models/data/cipher.data";
|
||||
import { Attachment } from "../models/domain/attachment";
|
||||
import { Card } from "../models/domain/card";
|
||||
import { Cipher } from "../models/domain/cipher";
|
||||
import { Fido2Credential } from "../models/domain/fido2-credential";
|
||||
import { Field } from "../models/domain/field";
|
||||
import { Identity } from "../models/domain/identity";
|
||||
import { Login } from "../models/domain/login";
|
||||
@ -1136,6 +1137,38 @@ export class CipherService implements CipherServiceAbstraction {
|
||||
cipher.login.uris.push(loginUri);
|
||||
}
|
||||
}
|
||||
|
||||
if (model.login.fido2Credentials != null) {
|
||||
cipher.login.fido2Credentials = await Promise.all(
|
||||
model.login.fido2Credentials.map(async (viewKey) => {
|
||||
const domainKey = new Fido2Credential();
|
||||
await this.encryptObjProperty(
|
||||
viewKey,
|
||||
domainKey,
|
||||
{
|
||||
credentialId: null,
|
||||
keyType: null,
|
||||
keyAlgorithm: null,
|
||||
keyCurve: null,
|
||||
keyValue: null,
|
||||
rpId: null,
|
||||
rpName: null,
|
||||
userHandle: null,
|
||||
userDisplayName: null,
|
||||
origin: null,
|
||||
},
|
||||
key
|
||||
);
|
||||
domainKey.counter = await this.cryptoService.encrypt(String(viewKey.counter), key);
|
||||
domainKey.discoverable = await this.cryptoService.encrypt(
|
||||
String(viewKey.discoverable),
|
||||
key
|
||||
);
|
||||
domainKey.creationDate = viewKey.creationDate;
|
||||
return domainKey;
|
||||
})
|
||||
);
|
||||
}
|
||||
return;
|
||||
case CipherType.SecureNote:
|
||||
cipher.secureNote = new SecureNote();
|
||||
|
494
libs/common/src/vault/services/fido2/cbor.ts
Normal file
494
libs/common/src/vault/services/fido2/cbor.ts
Normal file
@ -0,0 +1,494 @@
|
||||
/**
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2014-2016 Patrick Gansterer <paroga@paroga.com>
|
||||
Copyright (c) 2020-present Aaron Huggins <ahuggins@aaronhuggins.com>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
Exported from GitHub release version 0.4.0
|
||||
*/
|
||||
|
||||
/* eslint-disable */
|
||||
/** @hidden */
|
||||
const POW_2_24 = 5.960464477539063e-8;
|
||||
/** @hidden */
|
||||
const POW_2_32 = 4294967296;
|
||||
/** @hidden */
|
||||
const POW_2_53 = 9007199254740992;
|
||||
/** @hidden */
|
||||
const DECODE_CHUNK_SIZE = 8192;
|
||||
|
||||
/** @hidden */
|
||||
function objectIs(x: any, y: any) {
|
||||
if (typeof Object.is === "function") return Object.is(x, y);
|
||||
|
||||
// SameValue algorithm
|
||||
// Steps 1-5, 7-10
|
||||
if (x === y) {
|
||||
// Steps 6.b-6.e: +0 != -0
|
||||
return x !== 0 || 1 / x === 1 / y;
|
||||
}
|
||||
|
||||
// Step 6.a: NaN == NaN
|
||||
return x !== x && y !== y;
|
||||
}
|
||||
|
||||
/** A function that extracts tagged values. */
|
||||
type TaggedValueFunction = (value: any, tag: number) => TaggedValue;
|
||||
/** A function that extracts simple values. */
|
||||
type SimpleValueFunction = (value: any) => SimpleValue;
|
||||
|
||||
/** Convenience class for structuring a tagged value. */
|
||||
export class TaggedValue {
|
||||
constructor(value: any, tag: number) {
|
||||
this.value = value;
|
||||
this.tag = tag;
|
||||
}
|
||||
|
||||
value: any;
|
||||
tag: number;
|
||||
}
|
||||
|
||||
/** Convenience class for structuring a simple value. */
|
||||
export class SimpleValue {
|
||||
constructor(value: any) {
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
value: any;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a Concise Binary Object Representation (CBOR) buffer into an object.
|
||||
* @param {ArrayBuffer|SharedArrayBuffer} data - A valid CBOR buffer.
|
||||
* @param {Function} [tagger] - A function that extracts tagged values. This function is called for each member of the object.
|
||||
* @param {Function} [simpleValue] - A function that extracts simple values. This function is called for each member of the object.
|
||||
* @returns {any} The CBOR buffer converted to a JavaScript value.
|
||||
*/
|
||||
export function decode<T = any>(
|
||||
data: ArrayBuffer | SharedArrayBuffer,
|
||||
tagger?: TaggedValueFunction,
|
||||
simpleValue?: SimpleValueFunction
|
||||
): T {
|
||||
let dataView = new DataView(data);
|
||||
let ta = new Uint8Array(data);
|
||||
let offset = 0;
|
||||
let tagValueFunction: TaggedValueFunction = function (value: number, tag: number): any {
|
||||
return new TaggedValue(value, tag);
|
||||
};
|
||||
let simpleValFunction: SimpleValueFunction = function (value: number): SimpleValue {
|
||||
return undefined as unknown as SimpleValue;
|
||||
};
|
||||
|
||||
if (typeof tagger === "function") tagValueFunction = tagger;
|
||||
if (typeof simpleValue === "function") simpleValFunction = simpleValue;
|
||||
|
||||
function commitRead<T>(length: number, value: T): T {
|
||||
offset += length;
|
||||
return value;
|
||||
}
|
||||
function readArrayBuffer(length: number) {
|
||||
return commitRead(length, new Uint8Array(data, offset, length));
|
||||
}
|
||||
function readFloat16() {
|
||||
let tempArrayBuffer = new ArrayBuffer(4);
|
||||
let tempDataView = new DataView(tempArrayBuffer);
|
||||
let value = readUint16();
|
||||
|
||||
let sign = value & 0x8000;
|
||||
let exponent = value & 0x7c00;
|
||||
let fraction = value & 0x03ff;
|
||||
|
||||
if (exponent === 0x7c00) exponent = 0xff << 10;
|
||||
else if (exponent !== 0) exponent += (127 - 15) << 10;
|
||||
else if (fraction !== 0) return (sign ? -1 : 1) * fraction * POW_2_24;
|
||||
|
||||
tempDataView.setUint32(0, (sign << 16) | (exponent << 13) | (fraction << 13));
|
||||
return tempDataView.getFloat32(0);
|
||||
}
|
||||
function readFloat32(): number {
|
||||
return commitRead(4, dataView.getFloat32(offset));
|
||||
}
|
||||
function readFloat64(): number {
|
||||
return commitRead(8, dataView.getFloat64(offset));
|
||||
}
|
||||
function readUint8(): number {
|
||||
return commitRead(1, ta[offset]);
|
||||
}
|
||||
function readUint16(): number {
|
||||
return commitRead(2, dataView.getUint16(offset));
|
||||
}
|
||||
function readUint32(): number {
|
||||
return commitRead(4, dataView.getUint32(offset));
|
||||
}
|
||||
function readUint64(): number {
|
||||
return readUint32() * POW_2_32 + readUint32();
|
||||
}
|
||||
function readBreak(): boolean {
|
||||
if (ta[offset] !== 0xff) return false;
|
||||
offset += 1;
|
||||
return true;
|
||||
}
|
||||
function readLength(additionalInformation: number): number {
|
||||
if (additionalInformation < 24) return additionalInformation;
|
||||
if (additionalInformation === 24) return readUint8();
|
||||
if (additionalInformation === 25) return readUint16();
|
||||
if (additionalInformation === 26) return readUint32();
|
||||
if (additionalInformation === 27) return readUint64();
|
||||
if (additionalInformation === 31) return -1;
|
||||
throw new Error("Invalid length encoding");
|
||||
}
|
||||
function readIndefiniteStringLength(majorType: number): number {
|
||||
let initialByte = readUint8();
|
||||
if (initialByte === 0xff) return -1;
|
||||
let length = readLength(initialByte & 0x1f);
|
||||
if (length < 0 || initialByte >> 5 !== majorType)
|
||||
throw new Error("Invalid indefinite length element");
|
||||
return length;
|
||||
}
|
||||
|
||||
function appendUtf16Data(utf16data: number[], length: number) {
|
||||
for (let i = 0; i < length; ++i) {
|
||||
let value = readUint8();
|
||||
if (value & 0x80) {
|
||||
if (value < 0xe0) {
|
||||
value = ((value & 0x1f) << 6) | (readUint8() & 0x3f);
|
||||
length -= 1;
|
||||
} else if (value < 0xf0) {
|
||||
value = ((value & 0x0f) << 12) | ((readUint8() & 0x3f) << 6) | (readUint8() & 0x3f);
|
||||
length -= 2;
|
||||
} else {
|
||||
value =
|
||||
((value & 0x0f) << 18) |
|
||||
((readUint8() & 0x3f) << 12) |
|
||||
((readUint8() & 0x3f) << 6) |
|
||||
(readUint8() & 0x3f);
|
||||
length -= 3;
|
||||
}
|
||||
}
|
||||
|
||||
if (value < 0x10000) {
|
||||
utf16data.push(value);
|
||||
} else {
|
||||
value -= 0x10000;
|
||||
utf16data.push(0xd800 | (value >> 10));
|
||||
utf16data.push(0xdc00 | (value & 0x3ff));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function decodeItem(): any {
|
||||
let initialByte = readUint8();
|
||||
let majorType = initialByte >> 5;
|
||||
let additionalInformation = initialByte & 0x1f;
|
||||
let i;
|
||||
let length;
|
||||
|
||||
if (majorType === 7) {
|
||||
switch (additionalInformation) {
|
||||
case 25:
|
||||
return readFloat16();
|
||||
case 26:
|
||||
return readFloat32();
|
||||
case 27:
|
||||
return readFloat64();
|
||||
}
|
||||
}
|
||||
|
||||
length = readLength(additionalInformation);
|
||||
if (length < 0 && (majorType < 2 || 6 < majorType)) throw new Error("Invalid length");
|
||||
|
||||
switch (majorType) {
|
||||
case 0:
|
||||
return length;
|
||||
case 1:
|
||||
return -1 - length;
|
||||
case 2:
|
||||
if (length < 0) {
|
||||
let elements = [];
|
||||
let fullArrayLength = 0;
|
||||
while ((length = readIndefiniteStringLength(majorType)) >= 0) {
|
||||
fullArrayLength += length;
|
||||
elements.push(readArrayBuffer(length));
|
||||
}
|
||||
let fullArray = new Uint8Array(fullArrayLength);
|
||||
let fullArrayOffset = 0;
|
||||
for (i = 0; i < elements.length; ++i) {
|
||||
fullArray.set(elements[i], fullArrayOffset);
|
||||
fullArrayOffset += elements[i].length;
|
||||
}
|
||||
return fullArray;
|
||||
}
|
||||
return readArrayBuffer(length);
|
||||
case 3:
|
||||
let utf16data: number[] = [];
|
||||
if (length < 0) {
|
||||
while ((length = readIndefiniteStringLength(majorType)) >= 0)
|
||||
appendUtf16Data(utf16data, length);
|
||||
} else {
|
||||
appendUtf16Data(utf16data, length);
|
||||
}
|
||||
let string = "";
|
||||
for (i = 0; i < utf16data.length; i += DECODE_CHUNK_SIZE) {
|
||||
string += String.fromCharCode.apply(null, utf16data.slice(i, i + DECODE_CHUNK_SIZE));
|
||||
}
|
||||
return string;
|
||||
case 4:
|
||||
let retArray;
|
||||
if (length < 0) {
|
||||
retArray = [];
|
||||
while (!readBreak()) retArray.push(decodeItem());
|
||||
} else {
|
||||
retArray = new Array(length);
|
||||
for (i = 0; i < length; ++i) retArray[i] = decodeItem();
|
||||
}
|
||||
return retArray;
|
||||
case 5:
|
||||
let retObject: any = {};
|
||||
for (i = 0; i < length || (length < 0 && !readBreak()); ++i) {
|
||||
let key = decodeItem();
|
||||
retObject[key] = decodeItem();
|
||||
}
|
||||
return retObject;
|
||||
case 6:
|
||||
return tagValueFunction(decodeItem(), length);
|
||||
case 7:
|
||||
switch (length) {
|
||||
case 20:
|
||||
return false;
|
||||
case 21:
|
||||
return true;
|
||||
case 22:
|
||||
return null;
|
||||
case 23:
|
||||
return undefined;
|
||||
default:
|
||||
return simpleValFunction(length);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let ret = decodeItem();
|
||||
if (offset !== data.byteLength) throw new Error("Remaining bytes");
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a JavaScript value to a Concise Binary Object Representation (CBOR) buffer.
|
||||
* @param {any} value - A JavaScript value, usually an object or array, to be converted.
|
||||
* @returns {ArrayBuffer} The JavaScript value converted to CBOR format.
|
||||
*/
|
||||
export function encode<T = any>(value: T): ArrayBuffer {
|
||||
let data = new ArrayBuffer(256);
|
||||
let dataView = new DataView(data);
|
||||
let byteView = new Uint8Array(data);
|
||||
let lastLength: number;
|
||||
let offset = 0;
|
||||
|
||||
function prepareWrite(length: number): DataView {
|
||||
let newByteLength = data.byteLength;
|
||||
let requiredLength = offset + length;
|
||||
while (newByteLength < requiredLength) newByteLength <<= 1;
|
||||
if (newByteLength !== data.byteLength) {
|
||||
let oldDataView = dataView;
|
||||
data = new ArrayBuffer(newByteLength);
|
||||
dataView = new DataView(data);
|
||||
byteView = new Uint8Array(data);
|
||||
let uint32count = (offset + 3) >> 2;
|
||||
for (let i = 0; i < uint32count; ++i)
|
||||
dataView.setUint32(i << 2, oldDataView.getUint32(i << 2));
|
||||
}
|
||||
|
||||
lastLength = length;
|
||||
return dataView;
|
||||
}
|
||||
function commitWrite(...args: any[]) {
|
||||
offset += lastLength;
|
||||
}
|
||||
function writeFloat64(val: number) {
|
||||
commitWrite(prepareWrite(8).setFloat64(offset, val));
|
||||
}
|
||||
function writeUint8(val: number) {
|
||||
commitWrite(prepareWrite(1).setUint8(offset, val));
|
||||
}
|
||||
function writeUint8Array(val: number[] | Uint8Array) {
|
||||
prepareWrite(val.length);
|
||||
byteView.set(val, offset);
|
||||
commitWrite();
|
||||
}
|
||||
function writeUint16(val: number) {
|
||||
commitWrite(prepareWrite(2).setUint16(offset, val));
|
||||
}
|
||||
function writeUint32(val: number) {
|
||||
commitWrite(prepareWrite(4).setUint32(offset, val));
|
||||
}
|
||||
function writeUint64(val: number) {
|
||||
let low = val % POW_2_32;
|
||||
let high = (val - low) / POW_2_32;
|
||||
let view = prepareWrite(8);
|
||||
view.setUint32(offset, high);
|
||||
view.setUint32(offset + 4, low);
|
||||
commitWrite();
|
||||
}
|
||||
function writeVarUint(val: number, mod: number = 0) {
|
||||
if (val <= 0xff) {
|
||||
if (val < 24) {
|
||||
writeUint8(val | mod);
|
||||
} else {
|
||||
writeUint8(0x18 | mod);
|
||||
writeUint8(val);
|
||||
}
|
||||
} else if (val <= 0xffff) {
|
||||
writeUint8(0x19 | mod);
|
||||
writeUint16(val);
|
||||
} else if (val <= 0xffffffff) {
|
||||
writeUint8(0x1a | mod);
|
||||
writeUint32(val);
|
||||
} else {
|
||||
writeUint8(0x1b | mod);
|
||||
writeUint64(val);
|
||||
}
|
||||
}
|
||||
function writeTypeAndLength(type: number, length: number) {
|
||||
if (length < 24) {
|
||||
writeUint8((type << 5) | length);
|
||||
} else if (length < 0x100) {
|
||||
writeUint8((type << 5) | 24);
|
||||
writeUint8(length);
|
||||
} else if (length < 0x10000) {
|
||||
writeUint8((type << 5) | 25);
|
||||
writeUint16(length);
|
||||
} else if (length < 0x100000000) {
|
||||
writeUint8((type << 5) | 26);
|
||||
writeUint32(length);
|
||||
} else {
|
||||
writeUint8((type << 5) | 27);
|
||||
writeUint64(length);
|
||||
}
|
||||
}
|
||||
|
||||
function encodeItem(val: any) {
|
||||
let i;
|
||||
|
||||
if (val === false) return writeUint8(0xf4);
|
||||
if (val === true) return writeUint8(0xf5);
|
||||
if (val === null) return writeUint8(0xf6);
|
||||
if (val === undefined) return writeUint8(0xf7);
|
||||
if (objectIs(val, -0)) return writeUint8Array([0xf9, 0x80, 0x00]);
|
||||
|
||||
switch (typeof val) {
|
||||
case "number":
|
||||
if (Math.floor(val) === val) {
|
||||
if (0 <= val && val <= POW_2_53) return writeTypeAndLength(0, val);
|
||||
if (-POW_2_53 <= val && val < 0) return writeTypeAndLength(1, -(val + 1));
|
||||
}
|
||||
writeUint8(0xfb);
|
||||
return writeFloat64(val);
|
||||
|
||||
case "string":
|
||||
let utf8data = [];
|
||||
for (i = 0; i < val.length; ++i) {
|
||||
let charCode = val.charCodeAt(i);
|
||||
if (charCode < 0x80) {
|
||||
utf8data.push(charCode);
|
||||
} else if (charCode < 0x800) {
|
||||
utf8data.push(0xc0 | (charCode >> 6));
|
||||
utf8data.push(0x80 | (charCode & 0x3f));
|
||||
} else if (charCode < 0xd800 || charCode >= 0xe000) {
|
||||
utf8data.push(0xe0 | (charCode >> 12));
|
||||
utf8data.push(0x80 | ((charCode >> 6) & 0x3f));
|
||||
utf8data.push(0x80 | (charCode & 0x3f));
|
||||
} else {
|
||||
charCode = (charCode & 0x3ff) << 10;
|
||||
charCode |= val.charCodeAt(++i) & 0x3ff;
|
||||
charCode += 0x10000;
|
||||
|
||||
utf8data.push(0xf0 | (charCode >> 18));
|
||||
utf8data.push(0x80 | ((charCode >> 12) & 0x3f));
|
||||
utf8data.push(0x80 | ((charCode >> 6) & 0x3f));
|
||||
utf8data.push(0x80 | (charCode & 0x3f));
|
||||
}
|
||||
}
|
||||
|
||||
writeTypeAndLength(3, utf8data.length);
|
||||
return writeUint8Array(utf8data);
|
||||
|
||||
default:
|
||||
let length;
|
||||
let converted;
|
||||
if (Array.isArray(val)) {
|
||||
length = val.length;
|
||||
writeTypeAndLength(4, length);
|
||||
for (i = 0; i < length; i += 1) encodeItem(val[i]);
|
||||
} else if (val instanceof Uint8Array) {
|
||||
writeTypeAndLength(2, val.length);
|
||||
writeUint8Array(val);
|
||||
} else if (ArrayBuffer.isView(val)) {
|
||||
converted = new Uint8Array(val.buffer);
|
||||
writeTypeAndLength(2, converted.length);
|
||||
writeUint8Array(converted);
|
||||
} else if (
|
||||
val instanceof ArrayBuffer ||
|
||||
(typeof SharedArrayBuffer === "function" && val instanceof SharedArrayBuffer)
|
||||
) {
|
||||
converted = new Uint8Array(val);
|
||||
writeTypeAndLength(2, converted.length);
|
||||
writeUint8Array(converted);
|
||||
} else if (val instanceof TaggedValue) {
|
||||
writeVarUint(val.tag, 0b11000000);
|
||||
encodeItem(val.value);
|
||||
} else {
|
||||
let keys = Object.keys(val);
|
||||
length = keys.length;
|
||||
writeTypeAndLength(5, length);
|
||||
for (i = 0; i < length; i += 1) {
|
||||
let key = keys[i];
|
||||
encodeItem(key);
|
||||
encodeItem(val[key]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
encodeItem(value);
|
||||
|
||||
if ("slice" in data) return data.slice(0, offset);
|
||||
|
||||
let ret = new ArrayBuffer(offset);
|
||||
let retView = new DataView(ret);
|
||||
for (let i = 0; i < offset; ++i) retView.setUint8(i, dataView.getUint8(i));
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* An intrinsic object that provides functions to convert JavaScript values
|
||||
* to and from the Concise Binary Object Representation (CBOR) format.
|
||||
*/
|
||||
export const CBOR: {
|
||||
decode: <T = any>(
|
||||
data: ArrayBuffer | SharedArrayBuffer,
|
||||
tagger?: TaggedValueFunction,
|
||||
simpleValue?: SimpleValueFunction
|
||||
) => T;
|
||||
encode: <T = any>(value: T) => ArrayBuffer;
|
||||
} = {
|
||||
decode,
|
||||
encode,
|
||||
};
|
53
libs/common/src/vault/services/fido2/domain-utils.spec.ts
Normal file
53
libs/common/src/vault/services/fido2/domain-utils.spec.ts
Normal file
@ -0,0 +1,53 @@
|
||||
import { isValidRpId } from "./domain-utils";
|
||||
|
||||
// Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, return a DOMException whose name is "SecurityError", and terminate this algorithm.
|
||||
describe("validateRpId", () => {
|
||||
it("should not be valid when rpId is more specific than origin", () => {
|
||||
const rpId = "sub.login.bitwarden.com";
|
||||
const origin = "https://login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(false);
|
||||
});
|
||||
|
||||
it("should not be valid when effective domains of rpId and origin do not match", () => {
|
||||
const rpId = "passwordless.dev";
|
||||
const origin = "https://login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(false);
|
||||
});
|
||||
|
||||
it("should not be valid when subdomains are the same but effective domains of rpId and origin do not match", () => {
|
||||
const rpId = "login.passwordless.dev";
|
||||
const origin = "https://login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(false);
|
||||
});
|
||||
|
||||
it("should be valid when domains of rpId and origin are the same", () => {
|
||||
const rpId = "bitwarden.com";
|
||||
const origin = "https://bitwarden.com";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(true);
|
||||
});
|
||||
|
||||
it("should be valid when origin is a subdomain of rpId", () => {
|
||||
const rpId = "bitwarden.com";
|
||||
const origin = "https://login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(true);
|
||||
});
|
||||
|
||||
it("should be valid when domains of rpId and origin are the same and they are both subdomains", () => {
|
||||
const rpId = "login.bitwarden.com";
|
||||
const origin = "https://login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(true);
|
||||
});
|
||||
|
||||
it("should be valid when origin is a subdomain of rpId and they are both subdomains", () => {
|
||||
const rpId = "login.bitwarden.com";
|
||||
const origin = "https://sub.login.bitwarden.com:1337";
|
||||
|
||||
expect(isValidRpId(rpId, origin)).toBe(true);
|
||||
});
|
||||
});
|
11
libs/common/src/vault/services/fido2/domain-utils.ts
Normal file
11
libs/common/src/vault/services/fido2/domain-utils.ts
Normal file
@ -0,0 +1,11 @@
|
||||
import { parse } from "tldts";
|
||||
|
||||
export function isValidRpId(rpId: string, origin: string) {
|
||||
const parsedOrigin = parse(origin, { allowPrivateDomains: true });
|
||||
const parsedRpId = parse(rpId, { allowPrivateDomains: true });
|
||||
|
||||
return (
|
||||
parsedOrigin.domain === parsedRpId.domain &&
|
||||
parsedOrigin.subdomain.endsWith(parsedRpId.subdomain)
|
||||
);
|
||||
}
|
124
libs/common/src/vault/services/fido2/ecdsa-utils.ts
Normal file
124
libs/common/src/vault/services/fido2/ecdsa-utils.ts
Normal file
@ -0,0 +1,124 @@
|
||||
/*
|
||||
Copyright 2015 D2L Corporation
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. */
|
||||
|
||||
// Changes:
|
||||
// - Cherry-pick the methods that we have a need for.
|
||||
// - Add typings.
|
||||
// - Original code is made for running in node, this version is adapted to work in the browser.
|
||||
|
||||
// https://github.com/Brightspace/node-ecdsa-sig-formatter/blob/master/src/param-bytes-for-alg.js
|
||||
|
||||
function getParamSize(keySize: number) {
|
||||
const result = ((keySize / 8) | 0) + (keySize % 8 === 0 ? 0 : 1);
|
||||
return result;
|
||||
}
|
||||
|
||||
const paramBytesForAlg = {
|
||||
ES256: getParamSize(256),
|
||||
ES384: getParamSize(384),
|
||||
ES512: getParamSize(521),
|
||||
};
|
||||
|
||||
type Alg = keyof typeof paramBytesForAlg;
|
||||
|
||||
function getParamBytesForAlg(alg: Alg) {
|
||||
const paramBytes = paramBytesForAlg[alg];
|
||||
if (paramBytes) {
|
||||
return paramBytes;
|
||||
}
|
||||
|
||||
throw new Error('Unknown algorithm "' + alg + '"');
|
||||
}
|
||||
|
||||
// https://github.com/Brightspace/node-ecdsa-sig-formatter/blob/master/src/ecdsa-sig-formatter.js
|
||||
|
||||
const MAX_OCTET = 0x80,
|
||||
CLASS_UNIVERSAL = 0,
|
||||
PRIMITIVE_BIT = 0x20,
|
||||
TAG_SEQ = 0x10,
|
||||
TAG_INT = 0x02,
|
||||
ENCODED_TAG_SEQ = TAG_SEQ | PRIMITIVE_BIT | (CLASS_UNIVERSAL << 6),
|
||||
ENCODED_TAG_INT = TAG_INT | (CLASS_UNIVERSAL << 6);
|
||||
|
||||
function countPadding(buf: Uint8Array, start: number, stop: number) {
|
||||
let padding = 0;
|
||||
while (start + padding < stop && buf[start + padding] === 0) {
|
||||
++padding;
|
||||
}
|
||||
|
||||
const needsSign = buf[start + padding] >= MAX_OCTET;
|
||||
if (needsSign) {
|
||||
--padding;
|
||||
}
|
||||
|
||||
return padding;
|
||||
}
|
||||
|
||||
export function joseToDer(signature: Uint8Array, alg: Alg) {
|
||||
const paramBytes = getParamBytesForAlg(alg);
|
||||
|
||||
const signatureBytes = signature.length;
|
||||
if (signatureBytes !== paramBytes * 2) {
|
||||
throw new TypeError(
|
||||
'"' +
|
||||
alg +
|
||||
'" signatures must be "' +
|
||||
paramBytes * 2 +
|
||||
'" bytes, saw "' +
|
||||
signatureBytes +
|
||||
'"'
|
||||
);
|
||||
}
|
||||
|
||||
const rPadding = countPadding(signature, 0, paramBytes);
|
||||
const sPadding = countPadding(signature, paramBytes, signature.length);
|
||||
const rLength = paramBytes - rPadding;
|
||||
const sLength = paramBytes - sPadding;
|
||||
|
||||
const rsBytes = 1 + 1 + rLength + 1 + 1 + sLength;
|
||||
|
||||
const shortLength = rsBytes < MAX_OCTET;
|
||||
|
||||
const dst = new Uint8Array((shortLength ? 2 : 3) + rsBytes);
|
||||
|
||||
let offset = 0;
|
||||
dst[offset++] = ENCODED_TAG_SEQ;
|
||||
if (shortLength) {
|
||||
dst[offset++] = rsBytes;
|
||||
} else {
|
||||
dst[offset++] = MAX_OCTET | 1;
|
||||
dst[offset++] = rsBytes & 0xff;
|
||||
}
|
||||
dst[offset++] = ENCODED_TAG_INT;
|
||||
dst[offset++] = rLength;
|
||||
if (rPadding < 0) {
|
||||
dst[offset++] = 0;
|
||||
dst.set(signature.subarray(0, paramBytes), offset);
|
||||
offset += paramBytes;
|
||||
} else {
|
||||
dst.set(signature.subarray(rPadding, paramBytes), offset);
|
||||
offset += paramBytes;
|
||||
}
|
||||
dst[offset++] = ENCODED_TAG_INT;
|
||||
dst[offset++] = sLength;
|
||||
if (sPadding < 0) {
|
||||
dst[offset++] = 0;
|
||||
dst.set(signature.subarray(paramBytes), offset);
|
||||
} else {
|
||||
dst.set(signature.subarray(paramBytes + sPadding), offset);
|
||||
}
|
||||
|
||||
return dst;
|
||||
}
|
@ -0,0 +1,826 @@
|
||||
import { TextEncoder } from "util";
|
||||
|
||||
import { mock, MockProxy } from "jest-mock-extended";
|
||||
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
import { CipherService } from "../../abstractions/cipher.service";
|
||||
import {
|
||||
Fido2AutenticatorErrorCode,
|
||||
Fido2AuthenticatorGetAssertionParams,
|
||||
Fido2AuthenticatorMakeCredentialsParams,
|
||||
} from "../../abstractions/fido2/fido2-authenticator.service.abstraction";
|
||||
import {
|
||||
Fido2UserInterfaceService,
|
||||
Fido2UserInterfaceSession,
|
||||
NewCredentialParams,
|
||||
} from "../../abstractions/fido2/fido2-user-interface.service.abstraction";
|
||||
import { SyncService } from "../../abstractions/sync/sync.service.abstraction";
|
||||
import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
|
||||
import { CipherType } from "../../enums/cipher-type";
|
||||
import { Cipher } from "../../models/domain/cipher";
|
||||
import { CipherView } from "../../models/view/cipher.view";
|
||||
import { Fido2CredentialView } from "../../models/view/fido2-credential.view";
|
||||
import { LoginView } from "../../models/view/login.view";
|
||||
|
||||
import { CBOR } from "./cbor";
|
||||
import { AAGUID, Fido2AuthenticatorService } from "./fido2-authenticator.service";
|
||||
import { Fido2Utils } from "./fido2-utils";
|
||||
import { guidToRawFormat } from "./guid-utils";
|
||||
|
||||
const RpId = "bitwarden.com";
|
||||
|
||||
describe("FidoAuthenticatorService", () => {
|
||||
let cipherService!: MockProxy<CipherService>;
|
||||
let userInterface!: MockProxy<Fido2UserInterfaceService>;
|
||||
let userInterfaceSession!: MockProxy<Fido2UserInterfaceSession>;
|
||||
let syncService!: MockProxy<SyncService>;
|
||||
let authenticator!: Fido2AuthenticatorService;
|
||||
let tab!: chrome.tabs.Tab;
|
||||
|
||||
beforeEach(async () => {
|
||||
cipherService = mock<CipherService>();
|
||||
userInterface = mock<Fido2UserInterfaceService>();
|
||||
userInterfaceSession = mock<Fido2UserInterfaceSession>();
|
||||
userInterface.newSession.mockResolvedValue(userInterfaceSession);
|
||||
syncService = mock<SyncService>();
|
||||
authenticator = new Fido2AuthenticatorService(cipherService, userInterface, syncService);
|
||||
tab = { id: 123, windowId: 456 } as chrome.tabs.Tab;
|
||||
});
|
||||
|
||||
describe("makeCredential", () => {
|
||||
let invalidParams!: InvalidParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
invalidParams = await createInvalidParams();
|
||||
});
|
||||
|
||||
describe("invalid input parameters", () => {
|
||||
// Spec: Check if at least one of the specified combinations of PublicKeyCredentialType and cryptographic parameters in credTypesAndPubKeyAlgs is supported. If not, return an error code equivalent to "NotSupportedError" and terminate the operation.
|
||||
it("should throw error when input does not contain any supported algorithms", async () => {
|
||||
const result = async () =>
|
||||
await authenticator.makeCredential(invalidParams.unsupportedAlgorithm, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotSupported);
|
||||
});
|
||||
|
||||
it("should throw error when requireResidentKey has invalid value", async () => {
|
||||
const result = async () => await authenticator.makeCredential(invalidParams.invalidRk, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
|
||||
it("should throw error when requireUserVerification has invalid value", async () => {
|
||||
const result = async () => await authenticator.makeCredential(invalidParams.invalidUv, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
|
||||
/**
|
||||
* Spec: If requireUserVerification is true and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError" and terminate the operation.
|
||||
* Deviation: User verification is checked before checking for excluded credentials
|
||||
**/
|
||||
/** TODO: This test should only be activated if we disable support for user verification */
|
||||
it.skip("should throw error if requireUserVerification is set to true", async () => {
|
||||
const params = await createParams({ requireUserVerification: true });
|
||||
|
||||
const result = async () => await authenticator.makeCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Constraint);
|
||||
});
|
||||
|
||||
it("should not request confirmation from user", async () => {
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: "75280e7e-a72e-4d6c-bf1e-d37238352f9b",
|
||||
userVerified: false,
|
||||
});
|
||||
const invalidParams = await createInvalidParams();
|
||||
|
||||
for (const p of Object.values(invalidParams)) {
|
||||
try {
|
||||
await authenticator.makeCredential(p, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
}
|
||||
expect(userInterfaceSession.confirmNewCredential).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe.skip("when extensions parameter is present", () => undefined);
|
||||
|
||||
describe("vault contains excluded credential", () => {
|
||||
let excludedCipher: CipherView;
|
||||
let params: Fido2AuthenticatorMakeCredentialsParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
excludedCipher = createCipherView(
|
||||
{ type: CipherType.Login },
|
||||
{ credentialId: Utils.newGuid() }
|
||||
);
|
||||
params = await createParams({
|
||||
excludeCredentialDescriptorList: [
|
||||
{
|
||||
id: guidToRawFormat(excludedCipher.login.fido2Credentials[0].credentialId),
|
||||
type: "public-key",
|
||||
},
|
||||
],
|
||||
});
|
||||
cipherService.get.mockImplementation(async (id) =>
|
||||
id === excludedCipher.id ? ({ decrypt: () => excludedCipher } as any) : undefined
|
||||
);
|
||||
cipherService.getAllDecrypted.mockResolvedValue([excludedCipher]);
|
||||
});
|
||||
|
||||
/**
|
||||
* Spec: collect an authorization gesture confirming user consent for creating a new credential.
|
||||
* Deviation: Consent is not asked and the user is simply informed of the situation.
|
||||
**/
|
||||
it("should inform user", async () => {
|
||||
userInterfaceSession.informExcludedCredential.mockResolvedValue();
|
||||
|
||||
try {
|
||||
await authenticator.makeCredential(params, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
|
||||
expect(userInterfaceSession.informExcludedCredential).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
/** Spec: return an error code equivalent to "NotAllowedError" and terminate the operation. */
|
||||
it("should throw error", async () => {
|
||||
userInterfaceSession.informExcludedCredential.mockResolvedValue();
|
||||
|
||||
const result = async () => await authenticator.makeCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
});
|
||||
|
||||
/** Devation: Organization ciphers are not checked against excluded credentials, even if the user has access to them. */
|
||||
it("should not inform user of duplication when the excluded credential belongs to an organization", async () => {
|
||||
userInterfaceSession.informExcludedCredential.mockResolvedValue();
|
||||
excludedCipher.organizationId = "someOrganizationId";
|
||||
|
||||
try {
|
||||
await authenticator.makeCredential(params, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
|
||||
expect(userInterfaceSession.informExcludedCredential).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("should not inform user of duplication when input data does not pass checks", async () => {
|
||||
userInterfaceSession.informExcludedCredential.mockResolvedValue();
|
||||
const invalidParams = await createInvalidParams();
|
||||
|
||||
for (const p of Object.values(invalidParams)) {
|
||||
try {
|
||||
await authenticator.makeCredential(p, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
}
|
||||
expect(userInterfaceSession.informExcludedCredential).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it.todo(
|
||||
"should not throw error if the excluded credential has been marked as deleted in the vault"
|
||||
);
|
||||
});
|
||||
|
||||
describe("credential creation", () => {
|
||||
let existingCipher: CipherView;
|
||||
let params: Fido2AuthenticatorMakeCredentialsParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
existingCipher = createCipherView({ type: CipherType.Login });
|
||||
params = await createParams({ requireResidentKey: false });
|
||||
cipherService.get.mockImplementation(async (id) =>
|
||||
id === existingCipher.id ? ({ decrypt: () => existingCipher } as any) : undefined
|
||||
);
|
||||
cipherService.getAllDecrypted.mockResolvedValue([existingCipher]);
|
||||
});
|
||||
|
||||
/**
|
||||
* Spec: Collect an authorization gesture confirming user consent for creating a new credential. The prompt for the authorization gesture is shown by the authenticator if it has its own output capability. The prompt SHOULD display rpEntity.id, rpEntity.name, userEntity.name and userEntity.displayName, if possible.
|
||||
* Deviation: Only `rpEntity.name` and `userEntity.name` is shown.
|
||||
* */
|
||||
for (const userVerification of [true, false]) {
|
||||
it(`should request confirmation from user when user verification is ${userVerification}`, async () => {
|
||||
params.requireUserVerification = userVerification;
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: existingCipher.id,
|
||||
userVerified: userVerification,
|
||||
});
|
||||
|
||||
await authenticator.makeCredential(params, tab);
|
||||
|
||||
expect(userInterfaceSession.confirmNewCredential).toHaveBeenCalledWith({
|
||||
credentialName: params.rpEntity.name,
|
||||
userName: params.userEntity.displayName,
|
||||
userVerification,
|
||||
} as NewCredentialParams);
|
||||
});
|
||||
}
|
||||
|
||||
it("should save credential to vault if request confirmed by user", async () => {
|
||||
const encryptedCipher = Symbol();
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: existingCipher.id,
|
||||
userVerified: false,
|
||||
});
|
||||
cipherService.encrypt.mockResolvedValue(encryptedCipher as unknown as Cipher);
|
||||
|
||||
await authenticator.makeCredential(params, tab);
|
||||
|
||||
const saved = cipherService.encrypt.mock.lastCall?.[0];
|
||||
expect(saved).toEqual(
|
||||
expect.objectContaining({
|
||||
type: CipherType.Login,
|
||||
name: existingCipher.name,
|
||||
|
||||
login: expect.objectContaining({
|
||||
fido2Credentials: [
|
||||
expect.objectContaining({
|
||||
credentialId: expect.anything(),
|
||||
keyType: "public-key",
|
||||
keyAlgorithm: "ECDSA",
|
||||
keyCurve: "P-256",
|
||||
rpId: params.rpEntity.id,
|
||||
rpName: params.rpEntity.name,
|
||||
userHandle: Fido2Utils.bufferToString(params.userEntity.id),
|
||||
counter: 0,
|
||||
userDisplayName: params.userEntity.displayName,
|
||||
discoverable: false,
|
||||
}),
|
||||
],
|
||||
}),
|
||||
})
|
||||
);
|
||||
expect(cipherService.updateWithServer).toHaveBeenCalledWith(encryptedCipher);
|
||||
});
|
||||
|
||||
/** Spec: If the user does not consent or if user verification fails, return an error code equivalent to "NotAllowedError" and terminate the operation. */
|
||||
it("should throw error if user denies creation request", async () => {
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: undefined,
|
||||
userVerified: false,
|
||||
});
|
||||
const params = await createParams();
|
||||
|
||||
const result = async () => await authenticator.makeCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
});
|
||||
|
||||
it("should throw error if user verification fails and cipher requires reprompt", async () => {
|
||||
params.requireUserVerification = false;
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: existingCipher.id,
|
||||
userVerified: false,
|
||||
});
|
||||
const encryptedCipher = { ...existingCipher, reprompt: CipherRepromptType.Password };
|
||||
cipherService.get.mockResolvedValue(encryptedCipher as unknown as Cipher);
|
||||
|
||||
const result = async () => await authenticator.makeCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
|
||||
/** Spec: If any error occurred while creating the new credential object, return an error code equivalent to "UnknownError" and terminate the operation. */
|
||||
it("should throw unkown error if creation fails", async () => {
|
||||
const encryptedCipher = Symbol();
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId: existingCipher.id,
|
||||
userVerified: false,
|
||||
});
|
||||
cipherService.encrypt.mockResolvedValue(encryptedCipher as unknown as Cipher);
|
||||
cipherService.updateWithServer.mockRejectedValue(new Error("Internal error"));
|
||||
|
||||
const result = async () => await authenticator.makeCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
});
|
||||
|
||||
describe(`attestation of new credential`, () => {
|
||||
const cipherId = "75280e7e-a72e-4d6c-bf1e-d37238352f9b";
|
||||
const credentialId = "52217b91-73f1-4fea-b3f2-54a7959fd5aa";
|
||||
const credentialIdBytes = new Uint8Array([
|
||||
0x52, 0x21, 0x7b, 0x91, 0x73, 0xf1, 0x4f, 0xea, 0xb3, 0xf2, 0x54, 0xa7, 0x95, 0x9f, 0xd5,
|
||||
0xaa,
|
||||
]);
|
||||
let params: Fido2AuthenticatorMakeCredentialsParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
const cipher = createCipherView({ id: cipherId, type: CipherType.Login });
|
||||
params = await createParams();
|
||||
userInterfaceSession.confirmNewCredential.mockResolvedValue({
|
||||
cipherId,
|
||||
userVerified: false,
|
||||
});
|
||||
cipherService.get.mockImplementation(async (cipherId) =>
|
||||
cipherId === cipher.id ? ({ decrypt: () => cipher } as any) : undefined
|
||||
);
|
||||
cipherService.getAllDecrypted.mockResolvedValue([await cipher]);
|
||||
cipherService.encrypt.mockImplementation(async (cipher) => {
|
||||
cipher.login.fido2Credentials[0].credentialId = credentialId; // Replace id for testability
|
||||
return {} as any;
|
||||
});
|
||||
cipherService.createWithServer.mockImplementation(async (cipher) => {
|
||||
cipher.id = cipherId;
|
||||
return cipher;
|
||||
});
|
||||
cipherService.updateWithServer.mockImplementation(async (cipher) => {
|
||||
cipher.id = cipherId;
|
||||
return cipher;
|
||||
});
|
||||
});
|
||||
|
||||
it("should return attestation object", async () => {
|
||||
const result = await authenticator.makeCredential(params, tab);
|
||||
|
||||
const attestationObject = CBOR.decode(
|
||||
Fido2Utils.bufferSourceToUint8Array(result.attestationObject).buffer
|
||||
);
|
||||
|
||||
const encAuthData: Uint8Array = attestationObject.authData;
|
||||
const rpIdHash = encAuthData.slice(0, 32);
|
||||
const flags = encAuthData.slice(32, 33);
|
||||
const counter = encAuthData.slice(33, 37);
|
||||
const aaguid = encAuthData.slice(37, 53);
|
||||
const credentialIdLength = encAuthData.slice(53, 55);
|
||||
const credentialId = encAuthData.slice(55, 71);
|
||||
// Unsure how to test public key
|
||||
// const publicKey = encAuthData.slice(87);
|
||||
|
||||
expect(encAuthData.length).toBe(71 + 77);
|
||||
expect(attestationObject.fmt).toBe("none");
|
||||
expect(attestationObject.attStmt).toEqual({});
|
||||
expect(rpIdHash).toEqual(
|
||||
new Uint8Array([
|
||||
0x22, 0x6b, 0xb3, 0x92, 0x02, 0xff, 0xf9, 0x22, 0xdc, 0x74, 0x05, 0xcd, 0x28, 0xa8,
|
||||
0x34, 0x5a, 0xc4, 0xf2, 0x64, 0x51, 0xd7, 0x3d, 0x0b, 0x40, 0xef, 0xf3, 0x1d, 0xc1,
|
||||
0xd0, 0x5c, 0x3d, 0xc3,
|
||||
])
|
||||
);
|
||||
expect(flags).toEqual(new Uint8Array([0b01000001])); // UP = true, AD = true
|
||||
expect(counter).toEqual(new Uint8Array([0, 0, 0, 0])); // 0 because of new counter
|
||||
expect(aaguid).toEqual(AAGUID);
|
||||
expect(credentialIdLength).toEqual(new Uint8Array([0, 16])); // 16 bytes because we're using GUIDs
|
||||
expect(credentialId).toEqual(credentialIdBytes);
|
||||
});
|
||||
});
|
||||
|
||||
async function createParams(
|
||||
params: Partial<Fido2AuthenticatorMakeCredentialsParams> = {}
|
||||
): Promise<Fido2AuthenticatorMakeCredentialsParams> {
|
||||
return {
|
||||
hash: params.hash ?? (await createClientDataHash()),
|
||||
rpEntity: params.rpEntity ?? {
|
||||
name: "Bitwarden",
|
||||
id: RpId,
|
||||
},
|
||||
userEntity: params.userEntity ?? {
|
||||
id: randomBytes(64),
|
||||
name: "jane.doe@bitwarden.com",
|
||||
displayName: "Jane Doe",
|
||||
icon: " data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAOhJREFUeNpiFI+9E8DAwDAfiAUYSAMfgDiQBVmzlSYnUTqPXf/OANWzngVZ87pKKaIMCGp/BjeEhRjFMKAjx8bQFC2CIs9CpHNxAiYGCsEQM4Cfiwm3AY9f/yZogIcRN4ZahAFv/jAcu4E7xMNtecEYpAakFqsX8me9Yvj07R+G5jR3foaJqWJgOZAaZMAIzAv/kQV05NgZ5hdIMMiKQJIIyEYrDU6wrYkTXjBcefQTvwGwwCoJFGJIBdoMArN3fmToWf+O4SMW14EMeI8rJ8Jcgexn9BwJCoNEaNbEACCN+DSDsjNAgAEAri9Zii/uDMsAAAAASUVORK5CYII=",
|
||||
},
|
||||
credTypesAndPubKeyAlgs: params.credTypesAndPubKeyAlgs ?? [
|
||||
{
|
||||
alg: -7, // ES256
|
||||
type: "public-key",
|
||||
},
|
||||
],
|
||||
excludeCredentialDescriptorList: params.excludeCredentialDescriptorList ?? [
|
||||
{
|
||||
id: randomBytes(16),
|
||||
transports: ["internal"],
|
||||
type: "public-key",
|
||||
},
|
||||
],
|
||||
requireResidentKey: params.requireResidentKey ?? false,
|
||||
requireUserVerification: params.requireUserVerification ?? false,
|
||||
fallbackSupported: params.fallbackSupported ?? false,
|
||||
extensions: params.extensions ?? {
|
||||
appid: undefined,
|
||||
appidExclude: undefined,
|
||||
credProps: undefined,
|
||||
uvm: false as boolean,
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
type InvalidParams = Awaited<ReturnType<typeof createInvalidParams>>;
|
||||
async function createInvalidParams() {
|
||||
return {
|
||||
unsupportedAlgorithm: await createParams({
|
||||
credTypesAndPubKeyAlgs: [{ alg: 9001, type: "public-key" }],
|
||||
}),
|
||||
invalidRk: await createParams({ requireResidentKey: "invalid-value" as any }),
|
||||
invalidUv: await createParams({
|
||||
requireUserVerification: "invalid-value" as any,
|
||||
}),
|
||||
};
|
||||
}
|
||||
});
|
||||
|
||||
describe("getAssertion", () => {
|
||||
let invalidParams!: InvalidParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
invalidParams = await createInvalidParams();
|
||||
});
|
||||
|
||||
describe("invalid input parameters", () => {
|
||||
it("should throw error when requireUserVerification has invalid value", async () => {
|
||||
const result = async () => await authenticator.getAssertion(invalidParams.invalidUv, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
|
||||
/**
|
||||
* Spec: If requireUserVerification is true and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError" and terminate the operation.
|
||||
* Deviation: User verification is checked before checking for excluded credentials
|
||||
**/
|
||||
/** NOTE: This test should only be activated if we disable support for user verification */
|
||||
it.skip("should throw error if requireUserVerification is set to true", async () => {
|
||||
const params = await createParams({ requireUserVerification: true });
|
||||
|
||||
const result = async () => await authenticator.getAssertion(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Constraint);
|
||||
});
|
||||
});
|
||||
|
||||
describe("vault is missing non-discoverable credential", () => {
|
||||
let credentialId: string;
|
||||
let params: Fido2AuthenticatorGetAssertionParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
credentialId = Utils.newGuid();
|
||||
params = await createParams({
|
||||
allowCredentialDescriptorList: [
|
||||
{ id: guidToRawFormat(credentialId), type: "public-key" },
|
||||
],
|
||||
rpId: RpId,
|
||||
});
|
||||
});
|
||||
|
||||
/**
|
||||
* Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
|
||||
* Deviation: We do not throw error but instead inform the user and allow the user to fallback to browser implementation.
|
||||
**/
|
||||
it("should inform user if no credential exists", async () => {
|
||||
cipherService.getAllDecrypted.mockResolvedValue([]);
|
||||
userInterfaceSession.informCredentialNotFound.mockResolvedValue();
|
||||
|
||||
try {
|
||||
await authenticator.getAssertion(params, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
|
||||
expect(userInterfaceSession.informCredentialNotFound).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("should inform user if credential exists but rpId does not match", async () => {
|
||||
const cipher = await createCipherView({ type: CipherType.Login });
|
||||
cipher.login.fido2Credentials[0].credentialId = credentialId;
|
||||
cipher.login.fido2Credentials[0].rpId = "mismatch-rpid";
|
||||
cipherService.getAllDecrypted.mockResolvedValue([cipher]);
|
||||
userInterfaceSession.informCredentialNotFound.mockResolvedValue();
|
||||
|
||||
try {
|
||||
await authenticator.getAssertion(params, tab);
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
|
||||
expect(userInterfaceSession.informCredentialNotFound).toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
|
||||
describe("vault is missing discoverable credential", () => {
|
||||
let params: Fido2AuthenticatorGetAssertionParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
params = await createParams({
|
||||
allowCredentialDescriptorList: [],
|
||||
rpId: RpId,
|
||||
});
|
||||
cipherService.getAllDecrypted.mockResolvedValue([]);
|
||||
});
|
||||
|
||||
/** Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation. */
|
||||
it("should throw error", async () => {
|
||||
const result = async () => await authenticator.getAssertion(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
});
|
||||
});
|
||||
|
||||
describe("vault contains credential", () => {
|
||||
let credentialIds: string[];
|
||||
let ciphers: CipherView[];
|
||||
let params: Fido2AuthenticatorGetAssertionParams;
|
||||
|
||||
beforeEach(async () => {
|
||||
credentialIds = [Utils.newGuid(), Utils.newGuid()];
|
||||
ciphers = [
|
||||
await createCipherView(
|
||||
{ type: CipherType.Login },
|
||||
{ credentialId: credentialIds[0], rpId: RpId, discoverable: false }
|
||||
),
|
||||
await createCipherView(
|
||||
{ type: CipherType.Login },
|
||||
{ credentialId: credentialIds[1], rpId: RpId, discoverable: true }
|
||||
),
|
||||
];
|
||||
params = await createParams({
|
||||
allowCredentialDescriptorList: credentialIds.map((credentialId) => ({
|
||||
id: guidToRawFormat(credentialId),
|
||||
type: "public-key",
|
||||
})),
|
||||
rpId: RpId,
|
||||
});
|
||||
cipherService.getAllDecrypted.mockResolvedValue(ciphers);
|
||||
});
|
||||
|
||||
it("should ask for all credentials in list when `params` contains allowedCredentials list", async () => {
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: ciphers[0].id,
|
||||
userVerified: false,
|
||||
});
|
||||
|
||||
await authenticator.getAssertion(params, tab);
|
||||
|
||||
expect(userInterfaceSession.pickCredential).toHaveBeenCalledWith({
|
||||
cipherIds: ciphers.map((c) => c.id),
|
||||
userVerification: false,
|
||||
});
|
||||
});
|
||||
|
||||
it("should only ask for discoverable credentials matched by rpId when params does not contains allowedCredentials list", async () => {
|
||||
params.allowCredentialDescriptorList = undefined;
|
||||
const discoverableCiphers = ciphers.filter((c) => c.login.fido2Credentials[0].discoverable);
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: discoverableCiphers[0].id,
|
||||
userVerified: false,
|
||||
});
|
||||
|
||||
await authenticator.getAssertion(params, tab);
|
||||
|
||||
expect(userInterfaceSession.pickCredential).toHaveBeenCalledWith({
|
||||
cipherIds: [discoverableCiphers[0].id],
|
||||
userVerification: false,
|
||||
});
|
||||
});
|
||||
|
||||
for (const userVerification of [true, false]) {
|
||||
/** Spec: Prompt the user to select a public key credential source selectedCredential from credentialOptions. */
|
||||
it(`should request confirmation from user when user verification is ${userVerification}`, async () => {
|
||||
params.requireUserVerification = userVerification;
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: ciphers[0].id,
|
||||
userVerified: userVerification,
|
||||
});
|
||||
|
||||
await authenticator.getAssertion(params, tab);
|
||||
|
||||
expect(userInterfaceSession.pickCredential).toHaveBeenCalledWith({
|
||||
cipherIds: ciphers.map((c) => c.id),
|
||||
userVerification,
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
/** Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation. */
|
||||
it("should throw error", async () => {
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: undefined,
|
||||
userVerified: false,
|
||||
});
|
||||
|
||||
const result = async () => await authenticator.getAssertion(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
});
|
||||
|
||||
it("should throw error if user verification fails and cipher requires reprompt", async () => {
|
||||
ciphers[0].reprompt = CipherRepromptType.Password;
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: ciphers[0].id,
|
||||
userVerified: false,
|
||||
});
|
||||
|
||||
const result = async () => await authenticator.getAssertion(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
});
|
||||
});
|
||||
|
||||
describe("assertion of credential", () => {
|
||||
let keyPair: CryptoKeyPair;
|
||||
let credentialIds: string[];
|
||||
let selectedCredentialId: string;
|
||||
let ciphers: CipherView[];
|
||||
let fido2Credentials: Fido2CredentialView[];
|
||||
let params: Fido2AuthenticatorGetAssertionParams;
|
||||
|
||||
const init = async () => {
|
||||
keyPair = await createKeyPair();
|
||||
credentialIds = [Utils.newGuid(), Utils.newGuid()];
|
||||
const keyValue = Fido2Utils.bufferToString(
|
||||
await crypto.subtle.exportKey("pkcs8", keyPair.privateKey)
|
||||
);
|
||||
ciphers = credentialIds.map((id) =>
|
||||
createCipherView(
|
||||
{ type: CipherType.Login },
|
||||
{ credentialId: id, rpId: RpId, counter: 9000, keyValue }
|
||||
)
|
||||
);
|
||||
fido2Credentials = ciphers.map((c) => c.login.fido2Credentials[0]);
|
||||
selectedCredentialId = credentialIds[0];
|
||||
params = await createParams({
|
||||
allowCredentialDescriptorList: credentialIds.map((credentialId) => ({
|
||||
id: guidToRawFormat(credentialId),
|
||||
type: "public-key",
|
||||
})),
|
||||
rpId: RpId,
|
||||
});
|
||||
cipherService.getAllDecrypted.mockResolvedValue(ciphers);
|
||||
userInterfaceSession.pickCredential.mockResolvedValue({
|
||||
cipherId: ciphers[0].id,
|
||||
userVerified: false,
|
||||
});
|
||||
};
|
||||
beforeEach(init);
|
||||
|
||||
/** Spec: Increment the credential associated signature counter */
|
||||
it("should increment counter", async () => {
|
||||
const encrypted = Symbol();
|
||||
cipherService.encrypt.mockResolvedValue(encrypted as any);
|
||||
|
||||
await authenticator.getAssertion(params, tab);
|
||||
|
||||
expect(cipherService.updateWithServer).toHaveBeenCalledWith(encrypted);
|
||||
|
||||
expect(cipherService.encrypt).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
id: ciphers[0].id,
|
||||
login: expect.objectContaining({
|
||||
fido2Credentials: [
|
||||
expect.objectContaining({
|
||||
counter: 9001,
|
||||
}),
|
||||
],
|
||||
}),
|
||||
})
|
||||
);
|
||||
});
|
||||
|
||||
it("should return an assertion result", async () => {
|
||||
const result = await authenticator.getAssertion(params, tab);
|
||||
|
||||
const encAuthData = result.authenticatorData;
|
||||
const rpIdHash = encAuthData.slice(0, 32);
|
||||
const flags = encAuthData.slice(32, 33);
|
||||
const counter = encAuthData.slice(33, 37);
|
||||
|
||||
expect(result.selectedCredential.id).toEqual(guidToRawFormat(selectedCredentialId));
|
||||
expect(result.selectedCredential.userHandle).toEqual(
|
||||
Fido2Utils.stringToBuffer(fido2Credentials[0].userHandle)
|
||||
);
|
||||
expect(rpIdHash).toEqual(
|
||||
new Uint8Array([
|
||||
0x22, 0x6b, 0xb3, 0x92, 0x02, 0xff, 0xf9, 0x22, 0xdc, 0x74, 0x05, 0xcd, 0x28, 0xa8,
|
||||
0x34, 0x5a, 0xc4, 0xf2, 0x64, 0x51, 0xd7, 0x3d, 0x0b, 0x40, 0xef, 0xf3, 0x1d, 0xc1,
|
||||
0xd0, 0x5c, 0x3d, 0xc3,
|
||||
])
|
||||
);
|
||||
expect(flags).toEqual(new Uint8Array([0b00000001])); // UP = true
|
||||
expect(counter).toEqual(new Uint8Array([0, 0, 0x23, 0x29])); // 9001 in hex
|
||||
|
||||
// Verify signature
|
||||
// TODO: Cannot verify signature because it has been converted into DER format
|
||||
// const sigBase = new Uint8Array([
|
||||
// ...result.authenticatorData,
|
||||
// ...Fido2Utils.bufferSourceToUint8Array(params.hash),
|
||||
// ]);
|
||||
// const isValidSignature = await crypto.subtle.verify(
|
||||
// { name: "ECDSA", hash: { name: "SHA-256" } },
|
||||
// keyPair.publicKey,
|
||||
// result.signature,
|
||||
// sigBase
|
||||
// );
|
||||
// expect(isValidSignature).toBe(true);
|
||||
});
|
||||
|
||||
it("should always generate unique signatures even if the input is the same", async () => {
|
||||
const signatures = new Set();
|
||||
|
||||
for (let i = 0; i < 10; ++i) {
|
||||
await init(); // Reset inputs
|
||||
const result = await authenticator.getAssertion(params, tab);
|
||||
|
||||
const counter = result.authenticatorData.slice(33, 37);
|
||||
expect(counter).toEqual(new Uint8Array([0, 0, 0x23, 0x29])); // double check that the counter doesn't change
|
||||
|
||||
const signature = Fido2Utils.bufferToString(result.signature);
|
||||
if (signatures.has(signature)) {
|
||||
throw new Error("Found duplicate signature");
|
||||
}
|
||||
signatures.add(signature);
|
||||
}
|
||||
});
|
||||
|
||||
/** Spec: If any error occurred while generating the assertion signature, return an error code equivalent to "UnknownError" and terminate the operation. */
|
||||
it("should throw unkown error if creation fails", async () => {
|
||||
cipherService.updateWithServer.mockRejectedValue(new Error("Internal error"));
|
||||
|
||||
const result = async () => await authenticator.getAssertion(params, tab);
|
||||
|
||||
await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.Unknown);
|
||||
});
|
||||
});
|
||||
|
||||
async function createParams(
|
||||
params: Partial<Fido2AuthenticatorGetAssertionParams> = {}
|
||||
): Promise<Fido2AuthenticatorGetAssertionParams> {
|
||||
return {
|
||||
rpId: params.rpId ?? RpId,
|
||||
hash: params.hash ?? (await createClientDataHash()),
|
||||
allowCredentialDescriptorList: params.allowCredentialDescriptorList ?? [],
|
||||
requireUserVerification: params.requireUserVerification ?? false,
|
||||
extensions: params.extensions ?? {},
|
||||
fallbackSupported: params.fallbackSupported ?? false,
|
||||
};
|
||||
}
|
||||
|
||||
type InvalidParams = Awaited<ReturnType<typeof createInvalidParams>>;
|
||||
async function createInvalidParams() {
|
||||
const emptyRpId = await createParams();
|
||||
emptyRpId.rpId = undefined as any;
|
||||
return {
|
||||
emptyRpId,
|
||||
invalidUv: await createParams({
|
||||
requireUserVerification: "invalid-value" as any,
|
||||
}),
|
||||
};
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
function createCipherView(
|
||||
data: Partial<Omit<CipherView, "fido2Credential">> = {},
|
||||
fido2Credential: Partial<Fido2CredentialView> = {}
|
||||
): CipherView {
|
||||
const cipher = new CipherView();
|
||||
cipher.id = data.id ?? Utils.newGuid();
|
||||
cipher.type = CipherType.Login;
|
||||
cipher.localData = {};
|
||||
|
||||
const fido2CredentialView = new Fido2CredentialView();
|
||||
fido2CredentialView.credentialId = fido2Credential.credentialId ?? Utils.newGuid();
|
||||
fido2CredentialView.rpId = fido2Credential.rpId ?? RpId;
|
||||
fido2CredentialView.counter = fido2Credential.counter ?? 0;
|
||||
fido2CredentialView.userHandle =
|
||||
fido2Credential.userHandle ?? Fido2Utils.bufferToString(randomBytes(16));
|
||||
fido2CredentialView.keyAlgorithm = fido2Credential.keyAlgorithm ?? "ECDSA";
|
||||
fido2CredentialView.keyCurve = fido2Credential.keyCurve ?? "P-256";
|
||||
fido2CredentialView.discoverable = fido2Credential.discoverable ?? true;
|
||||
fido2CredentialView.keyValue =
|
||||
fido2CredentialView.keyValue ??
|
||||
"MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTC-7XDZipXbaVBlnkjlBgO16ZmqBZWejK2iYo6lV0dehRANCAASOcM2WduNq1DriRYN7ZekvZz-bRhA-qNT4v0fbp5suUFJyWmgOQ0bybZcLXHaerK5Ep1JiSrQcewtQNgLtry7f";
|
||||
|
||||
cipher.login = new LoginView();
|
||||
cipher.login.fido2Credentials = [fido2CredentialView];
|
||||
|
||||
return cipher;
|
||||
}
|
||||
|
||||
async function createClientDataHash() {
|
||||
const encoder = new TextEncoder();
|
||||
const clientData = encoder.encode(
|
||||
JSON.stringify({
|
||||
type: "webauthn.create",
|
||||
challenge: Fido2Utils.bufferToString(randomBytes(16)),
|
||||
origin: RpId,
|
||||
crossOrigin: false,
|
||||
})
|
||||
);
|
||||
return await crypto.subtle.digest({ name: "SHA-256" }, clientData);
|
||||
}
|
||||
|
||||
/** This is a fake function that always returns the same byte sequence */
|
||||
function randomBytes(length: number) {
|
||||
return new Uint8Array(Array.from({ length }, (_, k) => k % 255));
|
||||
}
|
||||
|
||||
async function createKeyPair() {
|
||||
return await crypto.subtle.generateKey(
|
||||
{
|
||||
name: "ECDSA",
|
||||
namedCurve: "P-256",
|
||||
},
|
||||
true,
|
||||
["sign", "verify"]
|
||||
);
|
||||
}
|
@ -0,0 +1,545 @@
|
||||
import { LogService } from "../../../platform/abstractions/log.service";
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
import { CipherService } from "../../abstractions/cipher.service";
|
||||
import {
|
||||
Fido2AlgorithmIdentifier,
|
||||
Fido2AutenticatorError,
|
||||
Fido2AutenticatorErrorCode,
|
||||
Fido2AuthenticatorGetAssertionParams,
|
||||
Fido2AuthenticatorGetAssertionResult,
|
||||
Fido2AuthenticatorMakeCredentialResult,
|
||||
Fido2AuthenticatorMakeCredentialsParams,
|
||||
Fido2AuthenticatorService as Fido2AuthenticatorServiceAbstraction,
|
||||
PublicKeyCredentialDescriptor,
|
||||
} from "../../abstractions/fido2/fido2-authenticator.service.abstraction";
|
||||
import { Fido2UserInterfaceService } from "../../abstractions/fido2/fido2-user-interface.service.abstraction";
|
||||
import { SyncService } from "../../abstractions/sync/sync.service.abstraction";
|
||||
import { CipherRepromptType } from "../../enums/cipher-reprompt-type";
|
||||
import { CipherType } from "../../enums/cipher-type";
|
||||
import { CipherView } from "../../models/view/cipher.view";
|
||||
import { Fido2CredentialView } from "../../models/view/fido2-credential.view";
|
||||
|
||||
import { CBOR } from "./cbor";
|
||||
import { joseToDer } from "./ecdsa-utils";
|
||||
import { Fido2Utils } from "./fido2-utils";
|
||||
import { guidToRawFormat, guidToStandardFormat } from "./guid-utils";
|
||||
|
||||
// AAGUID: 6e8248d5-b479-40db-a3d8-11116f7e8349
|
||||
export const AAGUID = new Uint8Array([
|
||||
0xd5, 0x48, 0x82, 0x6e, 0x79, 0xb4, 0xdb, 0x40, 0xa3, 0xd8, 0x11, 0x11, 0x6f, 0x7e, 0x83, 0x49,
|
||||
]);
|
||||
|
||||
const KeyUsages: KeyUsage[] = ["sign"];
|
||||
|
||||
/**
|
||||
* Bitwarden implementation of the WebAuthn Authenticator Model as described by W3C
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-authenticator-model
|
||||
*
|
||||
* It is highly recommended that the W3C specification is used a reference when reading this code.
|
||||
*/
|
||||
export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstraction {
|
||||
constructor(
|
||||
private cipherService: CipherService,
|
||||
private userInterface: Fido2UserInterfaceService,
|
||||
private syncService: SyncService,
|
||||
private logService?: LogService
|
||||
) {}
|
||||
|
||||
async makeCredential(
|
||||
params: Fido2AuthenticatorMakeCredentialsParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
): Promise<Fido2AuthenticatorMakeCredentialResult> {
|
||||
const userInterfaceSession = await this.userInterface.newSession(
|
||||
params.fallbackSupported,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
|
||||
try {
|
||||
if (params.credTypesAndPubKeyAlgs.every((p) => p.alg !== Fido2AlgorithmIdentifier.ES256)) {
|
||||
const requestedAlgorithms = params.credTypesAndPubKeyAlgs.map((p) => p.alg).join(", ");
|
||||
this.logService?.warning(
|
||||
`[Fido2Authenticator] No compatible algorithms found, RP requested: ${requestedAlgorithms}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotSupported);
|
||||
}
|
||||
|
||||
if (
|
||||
params.requireResidentKey != undefined &&
|
||||
typeof params.requireResidentKey !== "boolean"
|
||||
) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Invalid 'requireResidentKey' value: ${String(
|
||||
params.requireResidentKey
|
||||
)}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
|
||||
if (
|
||||
params.requireUserVerification != undefined &&
|
||||
typeof params.requireUserVerification !== "boolean"
|
||||
) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Invalid 'requireUserVerification' value: ${String(
|
||||
params.requireUserVerification
|
||||
)}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
|
||||
await userInterfaceSession.ensureUnlockedVault();
|
||||
await this.syncService.fullSync(false);
|
||||
|
||||
const existingCipherIds = await this.findExcludedCredentials(
|
||||
params.excludeCredentialDescriptorList
|
||||
);
|
||||
if (existingCipherIds.length > 0) {
|
||||
this.logService?.info(
|
||||
`[Fido2Authenticator] Aborting due to excluded credential found in vault.`
|
||||
);
|
||||
await userInterfaceSession.informExcludedCredential(existingCipherIds);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
let cipher: CipherView;
|
||||
let fido2Credential: Fido2CredentialView;
|
||||
let keyPair: CryptoKeyPair;
|
||||
let userVerified = false;
|
||||
let credentialId: string;
|
||||
const response = await userInterfaceSession.confirmNewCredential({
|
||||
credentialName: params.rpEntity.name,
|
||||
userName: params.userEntity.displayName,
|
||||
userVerification: params.requireUserVerification,
|
||||
});
|
||||
const cipherId = response.cipherId;
|
||||
userVerified = response.userVerified;
|
||||
|
||||
if (cipherId === undefined) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Authenticator] Aborting because user confirmation was not recieved.`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
try {
|
||||
keyPair = await createKeyPair();
|
||||
|
||||
const encrypted = await this.cipherService.get(cipherId);
|
||||
cipher = await encrypted.decrypt(
|
||||
await this.cipherService.getKeyForCipherKeyDecryption(encrypted)
|
||||
);
|
||||
|
||||
if (
|
||||
!userVerified &&
|
||||
(params.requireUserVerification || cipher.reprompt !== CipherRepromptType.None)
|
||||
) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Authenticator] Aborting because user verification was unsuccessful.`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
fido2Credential = await createKeyView(params, keyPair.privateKey);
|
||||
cipher.login.fido2Credentials = [fido2Credential];
|
||||
const reencrypted = await this.cipherService.encrypt(cipher);
|
||||
await this.cipherService.updateWithServer(reencrypted);
|
||||
credentialId = fido2Credential.credentialId;
|
||||
} catch (error) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Aborting because of unknown error when creating credential: ${error}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
|
||||
const authData = await generateAuthData({
|
||||
rpId: params.rpEntity.id,
|
||||
credentialId: guidToRawFormat(credentialId),
|
||||
counter: fido2Credential.counter,
|
||||
userPresence: true,
|
||||
userVerification: userVerified,
|
||||
keyPair,
|
||||
});
|
||||
const attestationObject = new Uint8Array(
|
||||
CBOR.encode({
|
||||
fmt: "none",
|
||||
attStmt: {},
|
||||
authData,
|
||||
})
|
||||
);
|
||||
|
||||
return {
|
||||
credentialId: guidToRawFormat(credentialId),
|
||||
attestationObject,
|
||||
authData,
|
||||
publicKeyAlgorithm: -7,
|
||||
};
|
||||
} finally {
|
||||
userInterfaceSession.close();
|
||||
}
|
||||
}
|
||||
|
||||
async getAssertion(
|
||||
params: Fido2AuthenticatorGetAssertionParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController?: AbortController
|
||||
): Promise<Fido2AuthenticatorGetAssertionResult> {
|
||||
const userInterfaceSession = await this.userInterface.newSession(
|
||||
params.fallbackSupported,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
try {
|
||||
if (
|
||||
params.requireUserVerification != undefined &&
|
||||
typeof params.requireUserVerification !== "boolean"
|
||||
) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Invalid 'requireUserVerification' value: ${String(
|
||||
params.requireUserVerification
|
||||
)}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
|
||||
let cipherOptions: CipherView[];
|
||||
|
||||
await userInterfaceSession.ensureUnlockedVault();
|
||||
await this.syncService.fullSync(false);
|
||||
|
||||
if (params.allowCredentialDescriptorList?.length > 0) {
|
||||
cipherOptions = await this.findCredentialsById(
|
||||
params.allowCredentialDescriptorList,
|
||||
params.rpId
|
||||
);
|
||||
} else {
|
||||
cipherOptions = await this.findCredentialsByRp(params.rpId);
|
||||
}
|
||||
|
||||
if (cipherOptions.length === 0) {
|
||||
this.logService?.info(
|
||||
`[Fido2Authenticator] Aborting because no matching credentials were found in the vault.`
|
||||
);
|
||||
await userInterfaceSession.informCredentialNotFound();
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
const response = await userInterfaceSession.pickCredential({
|
||||
cipherIds: cipherOptions.map((cipher) => cipher.id),
|
||||
userVerification: params.requireUserVerification,
|
||||
});
|
||||
const selectedCipherId = response.cipherId;
|
||||
const userVerified = response.userVerified;
|
||||
const selectedCipher = cipherOptions.find((c) => c.id === selectedCipherId);
|
||||
|
||||
if (selectedCipher === undefined) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Aborting because the selected credential could not be found.`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
if (
|
||||
!userVerified &&
|
||||
(params.requireUserVerification || selectedCipher.reprompt !== CipherRepromptType.None)
|
||||
) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Authenticator] Aborting because user verification was unsuccessful.`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.NotAllowed);
|
||||
}
|
||||
|
||||
try {
|
||||
const selectedFido2Credential = selectedCipher.login.fido2Credentials[0];
|
||||
const selectedCredentialId = selectedFido2Credential.credentialId;
|
||||
|
||||
++selectedFido2Credential.counter;
|
||||
|
||||
selectedCipher.localData = {
|
||||
...selectedCipher.localData,
|
||||
lastUsedDate: new Date().getTime(),
|
||||
};
|
||||
const encrypted = await this.cipherService.encrypt(selectedCipher);
|
||||
await this.cipherService.updateWithServer(encrypted);
|
||||
|
||||
const authenticatorData = await generateAuthData({
|
||||
rpId: selectedFido2Credential.rpId,
|
||||
credentialId: guidToRawFormat(selectedCredentialId),
|
||||
counter: selectedFido2Credential.counter,
|
||||
userPresence: true,
|
||||
userVerification: userVerified,
|
||||
});
|
||||
|
||||
const signature = await generateSignature({
|
||||
authData: authenticatorData,
|
||||
clientDataHash: params.hash,
|
||||
privateKey: await getPrivateKeyFromFido2Credential(selectedFido2Credential),
|
||||
});
|
||||
|
||||
return {
|
||||
authenticatorData,
|
||||
selectedCredential: {
|
||||
id: guidToRawFormat(selectedCredentialId),
|
||||
userHandle: Fido2Utils.stringToBuffer(selectedFido2Credential.userHandle),
|
||||
},
|
||||
signature,
|
||||
};
|
||||
} catch (error) {
|
||||
this.logService?.error(
|
||||
`[Fido2Authenticator] Aborting because of unknown error when asserting credential: ${error}`
|
||||
);
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
} finally {
|
||||
userInterfaceSession.close();
|
||||
}
|
||||
}
|
||||
|
||||
/** Finds existing crendetials and returns the `cipherId` for each one */
|
||||
private async findExcludedCredentials(
|
||||
credentials: PublicKeyCredentialDescriptor[]
|
||||
): Promise<string[]> {
|
||||
const ids: string[] = [];
|
||||
|
||||
for (const credential of credentials) {
|
||||
try {
|
||||
ids.push(guidToStandardFormat(credential.id));
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
}
|
||||
|
||||
if (ids.length === 0) {
|
||||
return [];
|
||||
}
|
||||
|
||||
const ciphers = await this.cipherService.getAllDecrypted();
|
||||
return ciphers
|
||||
.filter(
|
||||
(cipher) =>
|
||||
!cipher.isDeleted &&
|
||||
cipher.organizationId == undefined &&
|
||||
cipher.type === CipherType.Login &&
|
||||
cipher.login.hasFido2Credentials &&
|
||||
ids.includes(cipher.login.fido2Credentials[0].credentialId)
|
||||
)
|
||||
.map((cipher) => cipher.id);
|
||||
}
|
||||
|
||||
private async findCredentialsById(
|
||||
credentials: PublicKeyCredentialDescriptor[],
|
||||
rpId: string
|
||||
): Promise<CipherView[]> {
|
||||
const ids: string[] = [];
|
||||
|
||||
for (const credential of credentials) {
|
||||
try {
|
||||
ids.push(guidToStandardFormat(credential.id));
|
||||
// eslint-disable-next-line no-empty
|
||||
} catch {}
|
||||
}
|
||||
|
||||
if (ids.length === 0) {
|
||||
return [];
|
||||
}
|
||||
|
||||
const ciphers = await this.cipherService.getAllDecrypted();
|
||||
return ciphers.filter(
|
||||
(cipher) =>
|
||||
!cipher.isDeleted &&
|
||||
cipher.type === CipherType.Login &&
|
||||
cipher.login.hasFido2Credentials &&
|
||||
cipher.login.fido2Credentials[0].rpId === rpId &&
|
||||
ids.includes(cipher.login.fido2Credentials[0].credentialId)
|
||||
);
|
||||
}
|
||||
|
||||
private async findCredentialsByRp(rpId: string): Promise<CipherView[]> {
|
||||
const ciphers = await this.cipherService.getAllDecrypted();
|
||||
return ciphers.filter(
|
||||
(cipher) =>
|
||||
!cipher.isDeleted &&
|
||||
cipher.type === CipherType.Login &&
|
||||
cipher.login.hasFido2Credentials &&
|
||||
cipher.login.fido2Credentials[0].rpId === rpId &&
|
||||
cipher.login.fido2Credentials[0].discoverable
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
async function createKeyPair() {
|
||||
return await crypto.subtle.generateKey(
|
||||
{
|
||||
name: "ECDSA",
|
||||
namedCurve: "P-256",
|
||||
},
|
||||
true,
|
||||
KeyUsages
|
||||
);
|
||||
}
|
||||
|
||||
async function createKeyView(
|
||||
params: Fido2AuthenticatorMakeCredentialsParams,
|
||||
keyValue: CryptoKey
|
||||
): Promise<Fido2CredentialView> {
|
||||
if (keyValue.algorithm.name !== "ECDSA" && (keyValue.algorithm as any).namedCurve !== "P-256") {
|
||||
throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.Unknown);
|
||||
}
|
||||
|
||||
const pkcs8Key = await crypto.subtle.exportKey("pkcs8", keyValue);
|
||||
const fido2Credential = new Fido2CredentialView();
|
||||
fido2Credential.credentialId = Utils.newGuid();
|
||||
fido2Credential.keyType = "public-key";
|
||||
fido2Credential.keyAlgorithm = "ECDSA";
|
||||
fido2Credential.keyCurve = "P-256";
|
||||
fido2Credential.keyValue = Fido2Utils.bufferToString(pkcs8Key);
|
||||
fido2Credential.rpId = params.rpEntity.id;
|
||||
fido2Credential.userHandle = Fido2Utils.bufferToString(params.userEntity.id);
|
||||
fido2Credential.counter = 0;
|
||||
fido2Credential.rpName = params.rpEntity.name;
|
||||
fido2Credential.userDisplayName = params.userEntity.displayName;
|
||||
fido2Credential.discoverable = params.requireResidentKey;
|
||||
fido2Credential.creationDate = new Date();
|
||||
|
||||
return fido2Credential;
|
||||
}
|
||||
|
||||
async function getPrivateKeyFromFido2Credential(
|
||||
fido2Credential: Fido2CredentialView
|
||||
): Promise<CryptoKey> {
|
||||
const keyBuffer = Fido2Utils.stringToBuffer(fido2Credential.keyValue);
|
||||
return await crypto.subtle.importKey(
|
||||
"pkcs8",
|
||||
keyBuffer,
|
||||
{
|
||||
name: fido2Credential.keyAlgorithm,
|
||||
namedCurve: fido2Credential.keyCurve,
|
||||
} as EcKeyImportParams,
|
||||
true,
|
||||
KeyUsages
|
||||
);
|
||||
}
|
||||
|
||||
interface AuthDataParams {
|
||||
rpId: string;
|
||||
credentialId: BufferSource;
|
||||
userPresence: boolean;
|
||||
userVerification: boolean;
|
||||
counter: number;
|
||||
keyPair?: CryptoKeyPair;
|
||||
}
|
||||
|
||||
async function generateAuthData(params: AuthDataParams) {
|
||||
const authData: Array<number> = [];
|
||||
|
||||
const rpIdHash = new Uint8Array(
|
||||
await crypto.subtle.digest({ name: "SHA-256" }, Utils.fromByteStringToArray(params.rpId))
|
||||
);
|
||||
authData.push(...rpIdHash);
|
||||
|
||||
const flags = authDataFlags({
|
||||
extensionData: false,
|
||||
attestationData: params.keyPair != undefined,
|
||||
userVerification: params.userVerification,
|
||||
userPresence: params.userPresence,
|
||||
});
|
||||
authData.push(flags);
|
||||
|
||||
// add 4 bytes of counter - we use time in epoch seconds as monotonic counter
|
||||
// TODO: Consider changing this to a cryptographically safe random number
|
||||
const counter = params.counter;
|
||||
authData.push(
|
||||
((counter & 0xff000000) >> 24) & 0xff,
|
||||
((counter & 0x00ff0000) >> 16) & 0xff,
|
||||
((counter & 0x0000ff00) >> 8) & 0xff,
|
||||
counter & 0x000000ff
|
||||
);
|
||||
|
||||
if (params.keyPair) {
|
||||
// attestedCredentialData
|
||||
const attestedCredentialData: Array<number> = [];
|
||||
|
||||
attestedCredentialData.push(...AAGUID);
|
||||
|
||||
// credentialIdLength (2 bytes) and credential Id
|
||||
const rawId = Fido2Utils.bufferSourceToUint8Array(params.credentialId);
|
||||
const credentialIdLength = [(rawId.length - (rawId.length & 0xff)) / 256, rawId.length & 0xff];
|
||||
attestedCredentialData.push(...credentialIdLength);
|
||||
attestedCredentialData.push(...rawId);
|
||||
|
||||
const publicKeyJwk = await crypto.subtle.exportKey("jwk", params.keyPair.publicKey);
|
||||
// COSE format of the EC256 key
|
||||
const keyX = Utils.fromUrlB64ToArray(publicKeyJwk.x);
|
||||
const keyY = Utils.fromUrlB64ToArray(publicKeyJwk.y);
|
||||
|
||||
// Can't get `cbor-redux` to encode in CTAP2 canonical CBOR. So we do it manually:
|
||||
const coseBytes = new Uint8Array(77);
|
||||
coseBytes.set([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20], 0);
|
||||
coseBytes.set(keyX, 10);
|
||||
coseBytes.set([0x22, 0x58, 0x20], 10 + 32);
|
||||
coseBytes.set(keyY, 10 + 32 + 3);
|
||||
|
||||
// credential public key - convert to array from CBOR encoded COSE key
|
||||
attestedCredentialData.push(...coseBytes);
|
||||
|
||||
authData.push(...attestedCredentialData);
|
||||
}
|
||||
|
||||
return new Uint8Array(authData);
|
||||
}
|
||||
|
||||
interface SignatureParams {
|
||||
authData: Uint8Array;
|
||||
clientDataHash: BufferSource;
|
||||
privateKey: CryptoKey;
|
||||
}
|
||||
|
||||
async function generateSignature(params: SignatureParams) {
|
||||
const sigBase = new Uint8Array([
|
||||
...params.authData,
|
||||
...Fido2Utils.bufferSourceToUint8Array(params.clientDataHash),
|
||||
]);
|
||||
const p1336_signature = new Uint8Array(
|
||||
await crypto.subtle.sign(
|
||||
{
|
||||
name: "ECDSA",
|
||||
hash: { name: "SHA-256" },
|
||||
},
|
||||
params.privateKey,
|
||||
sigBase
|
||||
)
|
||||
);
|
||||
|
||||
const asn1Der_signature = joseToDer(p1336_signature, "ES256");
|
||||
|
||||
return asn1Der_signature;
|
||||
}
|
||||
|
||||
interface Flags {
|
||||
extensionData: boolean;
|
||||
attestationData: boolean;
|
||||
userVerification: boolean;
|
||||
userPresence: boolean;
|
||||
}
|
||||
|
||||
function authDataFlags(options: Flags): number {
|
||||
let flags = 0;
|
||||
|
||||
if (options.extensionData) {
|
||||
flags |= 0b1000000;
|
||||
}
|
||||
|
||||
if (options.attestationData) {
|
||||
flags |= 0b01000000;
|
||||
}
|
||||
|
||||
if (options.userVerification) {
|
||||
flags |= 0b00000100;
|
||||
}
|
||||
|
||||
if (options.userPresence) {
|
||||
flags |= 0b00000001;
|
||||
}
|
||||
|
||||
return flags;
|
||||
}
|
@ -0,0 +1,463 @@
|
||||
import { mock, MockProxy } from "jest-mock-extended";
|
||||
|
||||
import { AuthService } from "../../../auth/abstractions/auth.service";
|
||||
import { AuthenticationStatus } from "../../../auth/enums/authentication-status";
|
||||
import { ConfigServiceAbstraction } from "../../../platform/abstractions/config/config.service.abstraction";
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
import {
|
||||
Fido2AutenticatorError,
|
||||
Fido2AutenticatorErrorCode,
|
||||
Fido2AuthenticatorGetAssertionResult,
|
||||
Fido2AuthenticatorMakeCredentialResult,
|
||||
} from "../../abstractions/fido2/fido2-authenticator.service.abstraction";
|
||||
import {
|
||||
AssertCredentialParams,
|
||||
CreateCredentialParams,
|
||||
FallbackRequestedError,
|
||||
} from "../../abstractions/fido2/fido2-client.service.abstraction";
|
||||
|
||||
import { Fido2AuthenticatorService } from "./fido2-authenticator.service";
|
||||
import { Fido2ClientService } from "./fido2-client.service";
|
||||
import { Fido2Utils } from "./fido2-utils";
|
||||
import { guidToRawFormat } from "./guid-utils";
|
||||
|
||||
const RpId = "bitwarden.com";
|
||||
|
||||
describe("FidoAuthenticatorService", () => {
|
||||
let authenticator!: MockProxy<Fido2AuthenticatorService>;
|
||||
let configService!: MockProxy<ConfigServiceAbstraction>;
|
||||
let authService!: MockProxy<AuthService>;
|
||||
let client!: Fido2ClientService;
|
||||
let tab!: chrome.tabs.Tab;
|
||||
|
||||
beforeEach(async () => {
|
||||
authenticator = mock<Fido2AuthenticatorService>();
|
||||
configService = mock<ConfigServiceAbstraction>();
|
||||
authService = mock<AuthService>();
|
||||
|
||||
client = new Fido2ClientService(authenticator, configService, authService);
|
||||
configService.getFeatureFlag.mockResolvedValue(true);
|
||||
tab = { id: 123, windowId: 456 } as chrome.tabs.Tab;
|
||||
});
|
||||
|
||||
describe("createCredential", () => {
|
||||
describe("input parameters validation", () => {
|
||||
// Spec: If sameOriginWithAncestors is false, return a "NotAllowedError" DOMException.
|
||||
it("should throw error if sameOriginWithAncestors is false", async () => {
|
||||
const params = createParams({ sameOriginWithAncestors: false });
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "NotAllowedError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// Spec: If the length of options.user.id is not between 1 and 64 bytes (inclusive) then return a TypeError.
|
||||
it("should throw error if user.id is too small", async () => {
|
||||
const params = createParams({ user: { id: "", displayName: "name" } });
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toBeInstanceOf(TypeError);
|
||||
});
|
||||
|
||||
// Spec: If the length of options.user.id is not between 1 and 64 bytes (inclusive) then return a TypeError.
|
||||
it("should throw error if user.id is too large", async () => {
|
||||
const params = createParams({
|
||||
user: {
|
||||
id: "YWJzb2x1dGVseS13YXktd2F5LXRvby1sYXJnZS1iYXNlNjQtZW5jb2RlZC11c2VyLWlkLWJpbmFyeS1zZXF1ZW5jZQ",
|
||||
displayName: "name",
|
||||
},
|
||||
});
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
await expect(result).rejects.toBeInstanceOf(TypeError);
|
||||
});
|
||||
|
||||
// Spec: If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.
|
||||
// Not sure how to check this, or if it matters.
|
||||
it.todo("should throw error if origin is an opaque origin");
|
||||
|
||||
// Spec: Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a DOMException whose name is "SecurityError" and terminate this algorithm.
|
||||
it("should throw error if origin is not a valid domain name", async () => {
|
||||
const params = createParams({
|
||||
origin: "invalid-domain-name",
|
||||
});
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, return a DOMException whose name is "SecurityError", and terminate this algorithm.
|
||||
it("should throw error if rp.id is not valid for this origin", async () => {
|
||||
const params = createParams({
|
||||
origin: "https://passwordless.dev",
|
||||
rp: { id: "bitwarden.com", name: "Bitwraden" },
|
||||
});
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
it("should throw error if origin is not an https domain", async () => {
|
||||
const params = createParams({
|
||||
origin: "http://passwordless.dev",
|
||||
rp: { id: "bitwarden.com", name: "Bitwraden" },
|
||||
});
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// Spec: If credTypesAndPubKeyAlgs is empty, return a DOMException whose name is "NotSupportedError", and terminate this algorithm.
|
||||
it("should throw error if no support key algorithms were found", async () => {
|
||||
const params = createParams({
|
||||
pubKeyCredParams: [
|
||||
{ alg: -9001, type: "public-key" },
|
||||
{ alg: -7, type: "not-supported" as any },
|
||||
],
|
||||
});
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "NotSupportedError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
});
|
||||
|
||||
describe("aborting", () => {
|
||||
// Spec: If the options.signal is present and its aborted flag is set to true, return a DOMException whose name is "AbortError" and terminate this algorithm.
|
||||
it("should throw error if aborting using abort controller", async () => {
|
||||
const params = createParams({});
|
||||
const abortController = new AbortController();
|
||||
abortController.abort();
|
||||
|
||||
const result = async () => await client.createCredential(params, tab, abortController);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "AbortError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
});
|
||||
|
||||
describe("creating a new credential", () => {
|
||||
it("should call authenticator.makeCredential", async () => {
|
||||
const params = createParams({
|
||||
authenticatorSelection: { residentKey: "required", userVerification: "required" },
|
||||
});
|
||||
authenticator.makeCredential.mockResolvedValue(createAuthenticatorMakeResult());
|
||||
|
||||
await client.createCredential(params, tab);
|
||||
|
||||
expect(authenticator.makeCredential).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
requireResidentKey: true,
|
||||
requireUserVerification: true,
|
||||
rpEntity: expect.objectContaining({
|
||||
id: RpId,
|
||||
}),
|
||||
userEntity: expect.objectContaining({
|
||||
displayName: params.user.displayName,
|
||||
}),
|
||||
}),
|
||||
tab,
|
||||
expect.anything()
|
||||
);
|
||||
});
|
||||
|
||||
// Spec: If any authenticator returns an error status equivalent to "InvalidStateError", Return a DOMException whose name is "InvalidStateError" and terminate this algorithm.
|
||||
it("should throw error if authenticator throws InvalidState", async () => {
|
||||
const params = createParams();
|
||||
authenticator.makeCredential.mockRejectedValue(
|
||||
new Fido2AutenticatorError(Fido2AutenticatorErrorCode.InvalidState)
|
||||
);
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "InvalidStateError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// This keeps sensetive information form leaking
|
||||
it("should throw NotAllowedError if authenticator throws unknown error", async () => {
|
||||
const params = createParams();
|
||||
authenticator.makeCredential.mockRejectedValue(new Error("unknown error"));
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "NotAllowedError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
it("should throw FallbackRequestedError if feature flag is not enabled", async () => {
|
||||
const params = createParams();
|
||||
configService.getFeatureFlag.mockResolvedValue(false);
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toThrow(FallbackRequestedError);
|
||||
});
|
||||
|
||||
it("should throw FallbackRequestedError if user is logged out", async () => {
|
||||
const params = createParams();
|
||||
authService.getAuthStatus.mockResolvedValue(AuthenticationStatus.LoggedOut);
|
||||
|
||||
const result = async () => await client.createCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toThrow(FallbackRequestedError);
|
||||
});
|
||||
});
|
||||
|
||||
function createParams(params: Partial<CreateCredentialParams> = {}): CreateCredentialParams {
|
||||
return {
|
||||
origin: params.origin ?? "https://bitwarden.com",
|
||||
sameOriginWithAncestors: params.sameOriginWithAncestors ?? true,
|
||||
attestation: params.attestation,
|
||||
authenticatorSelection: params.authenticatorSelection,
|
||||
challenge: params.challenge ?? "MzItYnl0ZXMtYmFzZTY0LWVuY29kZS1jaGFsbGVuZ2U",
|
||||
excludeCredentials: params.excludeCredentials,
|
||||
extensions: params.extensions,
|
||||
pubKeyCredParams: params.pubKeyCredParams ?? [
|
||||
{
|
||||
alg: -7,
|
||||
type: "public-key",
|
||||
},
|
||||
],
|
||||
rp: params.rp ?? {
|
||||
id: RpId,
|
||||
name: "Bitwarden",
|
||||
},
|
||||
user: params.user ?? {
|
||||
id: "YmFzZTY0LWVuY29kZWQtdXNlci1pZA",
|
||||
displayName: "User Name",
|
||||
},
|
||||
fallbackSupported: params.fallbackSupported ?? false,
|
||||
timeout: params.timeout,
|
||||
};
|
||||
}
|
||||
|
||||
function createAuthenticatorMakeResult(): Fido2AuthenticatorMakeCredentialResult {
|
||||
return {
|
||||
credentialId: guidToRawFormat(Utils.newGuid()),
|
||||
attestationObject: randomBytes(128),
|
||||
authData: randomBytes(64),
|
||||
publicKeyAlgorithm: -7,
|
||||
};
|
||||
}
|
||||
});
|
||||
|
||||
describe("assertCredential", () => {
|
||||
describe("invalid params", () => {
|
||||
// Spec: If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.
|
||||
// Not sure how to check this, or if it matters.
|
||||
it.todo("should throw error if origin is an opaque origin");
|
||||
|
||||
// Spec: Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a DOMException whose name is "SecurityError" and terminate this algorithm.
|
||||
it("should throw error if origin is not a valid domain name", async () => {
|
||||
const params = createParams({
|
||||
origin: "invalid-domain-name",
|
||||
});
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, return a DOMException whose name is "SecurityError", and terminate this algorithm.
|
||||
it("should throw error if rp.id is not valid for this origin", async () => {
|
||||
const params = createParams({
|
||||
origin: "https://passwordless.dev",
|
||||
rpId: "bitwarden.com",
|
||||
});
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
it("should throw error if origin is not an http domain", async () => {
|
||||
const params = createParams({
|
||||
origin: "http://passwordless.dev",
|
||||
rpId: "bitwarden.com",
|
||||
});
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "SecurityError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
});
|
||||
|
||||
describe("aborting", () => {
|
||||
// Spec: If the options.signal is present and its aborted flag is set to true, return a DOMException whose name is "AbortError" and terminate this algorithm.
|
||||
it("should throw error if aborting using abort controller", async () => {
|
||||
const params = createParams({});
|
||||
const abortController = new AbortController();
|
||||
abortController.abort();
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab, abortController);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "AbortError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
});
|
||||
|
||||
describe("assert credential", () => {
|
||||
// Spec: If any authenticator returns an error status equivalent to "InvalidStateError", Return a DOMException whose name is "InvalidStateError" and terminate this algorithm.
|
||||
it("should throw error if authenticator throws InvalidState", async () => {
|
||||
const params = createParams();
|
||||
authenticator.getAssertion.mockRejectedValue(
|
||||
new Fido2AutenticatorError(Fido2AutenticatorErrorCode.InvalidState)
|
||||
);
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "InvalidStateError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
// This keeps sensetive information form leaking
|
||||
it("should throw NotAllowedError if authenticator throws unknown error", async () => {
|
||||
const params = createParams();
|
||||
authenticator.getAssertion.mockRejectedValue(new Error("unknown error"));
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toMatchObject({ name: "NotAllowedError" });
|
||||
await rejects.toBeInstanceOf(DOMException);
|
||||
});
|
||||
|
||||
it("should throw FallbackRequestedError if feature flag is not enabled", async () => {
|
||||
const params = createParams();
|
||||
configService.getFeatureFlag.mockResolvedValue(false);
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toThrow(FallbackRequestedError);
|
||||
});
|
||||
|
||||
it("should throw FallbackRequestedError if user is logged out", async () => {
|
||||
const params = createParams();
|
||||
authService.getAuthStatus.mockResolvedValue(AuthenticationStatus.LoggedOut);
|
||||
|
||||
const result = async () => await client.assertCredential(params, tab);
|
||||
|
||||
const rejects = expect(result).rejects;
|
||||
await rejects.toThrow(FallbackRequestedError);
|
||||
});
|
||||
});
|
||||
|
||||
describe("assert non-discoverable credential", () => {
|
||||
it("should call authenticator.assertCredential", async () => {
|
||||
const allowedCredentialIds = [
|
||||
Fido2Utils.bufferToString(guidToRawFormat(Utils.newGuid())),
|
||||
Fido2Utils.bufferToString(guidToRawFormat(Utils.newGuid())),
|
||||
Fido2Utils.bufferToString(Utils.fromByteStringToArray("not-a-guid")),
|
||||
];
|
||||
const params = createParams({
|
||||
userVerification: "required",
|
||||
allowedCredentialIds,
|
||||
});
|
||||
authenticator.getAssertion.mockResolvedValue(createAuthenticatorAssertResult());
|
||||
|
||||
await client.assertCredential(params, tab);
|
||||
|
||||
expect(authenticator.getAssertion).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
requireUserVerification: true,
|
||||
rpId: RpId,
|
||||
allowCredentialDescriptorList: [
|
||||
expect.objectContaining({
|
||||
id: Fido2Utils.stringToBuffer(allowedCredentialIds[0]),
|
||||
}),
|
||||
expect.objectContaining({
|
||||
id: Fido2Utils.stringToBuffer(allowedCredentialIds[1]),
|
||||
}),
|
||||
expect.objectContaining({
|
||||
id: Fido2Utils.stringToBuffer(allowedCredentialIds[2]),
|
||||
}),
|
||||
],
|
||||
}),
|
||||
tab,
|
||||
expect.anything()
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe("assert discoverable credential", () => {
|
||||
it("should call authenticator.assertCredential", async () => {
|
||||
const params = createParams({
|
||||
userVerification: "required",
|
||||
allowedCredentialIds: [],
|
||||
});
|
||||
authenticator.getAssertion.mockResolvedValue(createAuthenticatorAssertResult());
|
||||
|
||||
await client.assertCredential(params, tab);
|
||||
|
||||
expect(authenticator.getAssertion).toHaveBeenCalledWith(
|
||||
expect.objectContaining({
|
||||
requireUserVerification: true,
|
||||
rpId: RpId,
|
||||
allowCredentialDescriptorList: [],
|
||||
}),
|
||||
tab,
|
||||
expect.anything()
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
function createParams(params: Partial<AssertCredentialParams> = {}): AssertCredentialParams {
|
||||
return {
|
||||
allowedCredentialIds: params.allowedCredentialIds ?? [],
|
||||
challenge: params.challenge ?? Fido2Utils.bufferToString(randomBytes(16)),
|
||||
origin: params.origin ?? "https://bitwarden.com",
|
||||
rpId: params.rpId ?? RpId,
|
||||
timeout: params.timeout,
|
||||
userVerification: params.userVerification,
|
||||
sameOriginWithAncestors: true,
|
||||
fallbackSupported: params.fallbackSupported ?? false,
|
||||
};
|
||||
}
|
||||
|
||||
function createAuthenticatorAssertResult(): Fido2AuthenticatorGetAssertionResult {
|
||||
return {
|
||||
selectedCredential: {
|
||||
id: randomBytes(32),
|
||||
userHandle: randomBytes(32),
|
||||
},
|
||||
authenticatorData: randomBytes(64),
|
||||
signature: randomBytes(64),
|
||||
};
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
/** This is a fake function that always returns the same byte sequence */
|
||||
function randomBytes(length: number) {
|
||||
return new Uint8Array(Array.from({ length }, (_, k) => k % 255));
|
||||
}
|
409
libs/common/src/vault/services/fido2/fido2-client.service.ts
Normal file
409
libs/common/src/vault/services/fido2/fido2-client.service.ts
Normal file
@ -0,0 +1,409 @@
|
||||
import { parse } from "tldts";
|
||||
|
||||
import { AuthService } from "../../../auth/abstractions/auth.service";
|
||||
import { AuthenticationStatus } from "../../../auth/enums/authentication-status";
|
||||
import { FeatureFlag } from "../../../enums/feature-flag.enum";
|
||||
import { ConfigServiceAbstraction } from "../../../platform/abstractions/config/config.service.abstraction";
|
||||
import { LogService } from "../../../platform/abstractions/log.service";
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
import {
|
||||
Fido2AutenticatorError,
|
||||
Fido2AutenticatorErrorCode,
|
||||
Fido2AuthenticatorGetAssertionParams,
|
||||
Fido2AuthenticatorMakeCredentialsParams,
|
||||
Fido2AuthenticatorService,
|
||||
PublicKeyCredentialDescriptor,
|
||||
} from "../../abstractions/fido2/fido2-authenticator.service.abstraction";
|
||||
import {
|
||||
AssertCredentialParams,
|
||||
AssertCredentialResult,
|
||||
CreateCredentialParams,
|
||||
CreateCredentialResult,
|
||||
FallbackRequestedError,
|
||||
Fido2ClientService as Fido2ClientServiceAbstraction,
|
||||
PublicKeyCredentialParam,
|
||||
UserRequestedFallbackAbortReason,
|
||||
UserVerification,
|
||||
} from "../../abstractions/fido2/fido2-client.service.abstraction";
|
||||
|
||||
import { isValidRpId } from "./domain-utils";
|
||||
import { Fido2Utils } from "./fido2-utils";
|
||||
|
||||
/**
|
||||
* Bitwarden implementation of the Web Authentication API as described by W3C
|
||||
* https://www.w3.org/TR/webauthn-3/#sctn-api
|
||||
*
|
||||
* It is highly recommended that the W3C specification is used a reference when reading this code.
|
||||
*/
|
||||
export class Fido2ClientService implements Fido2ClientServiceAbstraction {
|
||||
constructor(
|
||||
private authenticator: Fido2AuthenticatorService,
|
||||
private configService: ConfigServiceAbstraction,
|
||||
private authService: AuthService,
|
||||
private logService?: LogService
|
||||
) {}
|
||||
|
||||
async isFido2FeatureEnabled(): Promise<boolean> {
|
||||
return await this.configService.getFeatureFlag<boolean>(FeatureFlag.Fido2VaultCredentials);
|
||||
}
|
||||
|
||||
async createCredential(
|
||||
params: CreateCredentialParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController = new AbortController()
|
||||
): Promise<CreateCredentialResult> {
|
||||
const enableFido2VaultCredentials = await this.isFido2FeatureEnabled();
|
||||
|
||||
if (!enableFido2VaultCredentials) {
|
||||
this.logService?.warning(`[Fido2Client] Fido2VaultCredential is not enabled`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
const authStatus = await this.authService.getAuthStatus();
|
||||
|
||||
if (authStatus === AuthenticationStatus.LoggedOut) {
|
||||
this.logService?.warning(`[Fido2Client] Fido2VaultCredential is not enabled`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
if (!params.sameOriginWithAncestors) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Client] Invalid 'sameOriginWithAncestors' value: ${params.sameOriginWithAncestors}`
|
||||
);
|
||||
throw new DOMException("Invalid 'sameOriginWithAncestors' value", "NotAllowedError");
|
||||
}
|
||||
|
||||
const userId = Fido2Utils.stringToBuffer(params.user.id);
|
||||
if (userId.length < 1 || userId.length > 64) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Client] Invalid 'user.id' length: ${params.user.id} (${userId.length})`
|
||||
);
|
||||
throw new TypeError("Invalid 'user.id' length");
|
||||
}
|
||||
|
||||
const parsedOrigin = parse(params.origin, { allowPrivateDomains: true });
|
||||
params.rp.id = params.rp.id ?? parsedOrigin.hostname;
|
||||
|
||||
if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
|
||||
this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
|
||||
throw new DOMException("'origin' is not a valid https origin", "SecurityError");
|
||||
}
|
||||
|
||||
if (!isValidRpId(params.rp.id, params.origin)) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Client] 'rp.id' cannot be used with the current origin: rp.id = ${params.rp.id}; origin = ${params.origin}`
|
||||
);
|
||||
throw new DOMException("'rp.id' cannot be used with the current origin", "SecurityError");
|
||||
}
|
||||
|
||||
let credTypesAndPubKeyAlgs: PublicKeyCredentialParam[];
|
||||
if (params.pubKeyCredParams?.length > 0) {
|
||||
// Filter out all unsupported algorithms
|
||||
credTypesAndPubKeyAlgs = params.pubKeyCredParams.filter(
|
||||
(kp) => kp.alg === -7 && kp.type === "public-key"
|
||||
);
|
||||
} else {
|
||||
// Assign default algorithms
|
||||
credTypesAndPubKeyAlgs = [
|
||||
{ alg: -7, type: "public-key" },
|
||||
{ alg: -257, type: "public-key" },
|
||||
];
|
||||
}
|
||||
|
||||
if (credTypesAndPubKeyAlgs.length === 0) {
|
||||
const requestedAlgorithms = credTypesAndPubKeyAlgs.map((p) => p.alg).join(", ");
|
||||
this.logService?.warning(
|
||||
`[Fido2Client] No compatible algorithms found, RP requested: ${requestedAlgorithms}`
|
||||
);
|
||||
throw new DOMException("No supported key algorithms were found", "NotSupportedError");
|
||||
}
|
||||
|
||||
const collectedClientData = {
|
||||
type: "webauthn.create",
|
||||
challenge: params.challenge,
|
||||
origin: params.origin,
|
||||
crossOrigin: !params.sameOriginWithAncestors,
|
||||
// tokenBinding: {} // Not currently supported
|
||||
};
|
||||
const clientDataJSON = JSON.stringify(collectedClientData);
|
||||
const clientDataJSONBytes = Utils.fromByteStringToArray(clientDataJSON);
|
||||
const clientDataHash = await crypto.subtle.digest({ name: "SHA-256" }, clientDataJSONBytes);
|
||||
const makeCredentialParams = mapToMakeCredentialParams({
|
||||
params,
|
||||
credTypesAndPubKeyAlgs,
|
||||
clientDataHash,
|
||||
});
|
||||
|
||||
// Set timeout before invoking authenticator
|
||||
if (abortController.signal.aborted) {
|
||||
this.logService?.info(`[Fido2Client] Aborted with AbortController`);
|
||||
throw new DOMException("The operation either timed out or was not allowed.", "AbortError");
|
||||
}
|
||||
const timeout = setAbortTimeout(
|
||||
abortController,
|
||||
params.authenticatorSelection?.userVerification,
|
||||
params.timeout
|
||||
);
|
||||
|
||||
let makeCredentialResult;
|
||||
try {
|
||||
makeCredentialResult = await this.authenticator.makeCredential(
|
||||
makeCredentialParams,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
} catch (error) {
|
||||
if (
|
||||
abortController.signal.aborted &&
|
||||
abortController.signal.reason === UserRequestedFallbackAbortReason
|
||||
) {
|
||||
this.logService?.info(`[Fido2Client] Aborting because user requested fallback`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
if (
|
||||
error instanceof Fido2AutenticatorError &&
|
||||
error.errorCode === Fido2AutenticatorErrorCode.InvalidState
|
||||
) {
|
||||
this.logService?.warning(`[Fido2Client] Unknown error: ${error}`);
|
||||
throw new DOMException("Unknown error occured.", "InvalidStateError");
|
||||
}
|
||||
|
||||
this.logService?.info(`[Fido2Client] Aborted by user: ${error}`);
|
||||
throw new DOMException(
|
||||
"The operation either timed out or was not allowed.",
|
||||
"NotAllowedError"
|
||||
);
|
||||
}
|
||||
|
||||
if (abortController.signal.aborted) {
|
||||
this.logService?.info(`[Fido2Client] Aborted with AbortController`);
|
||||
throw new DOMException("The operation either timed out or was not allowed.", "AbortError");
|
||||
}
|
||||
|
||||
clearTimeout(timeout);
|
||||
return {
|
||||
credentialId: Fido2Utils.bufferToString(makeCredentialResult.credentialId),
|
||||
attestationObject: Fido2Utils.bufferToString(makeCredentialResult.attestationObject),
|
||||
authData: Fido2Utils.bufferToString(makeCredentialResult.authData),
|
||||
clientDataJSON: Fido2Utils.bufferToString(clientDataJSONBytes),
|
||||
publicKeyAlgorithm: makeCredentialResult.publicKeyAlgorithm,
|
||||
transports: ["internal"],
|
||||
};
|
||||
}
|
||||
|
||||
async assertCredential(
|
||||
params: AssertCredentialParams,
|
||||
tab: chrome.tabs.Tab,
|
||||
abortController = new AbortController()
|
||||
): Promise<AssertCredentialResult> {
|
||||
const enableFido2VaultCredentials = await this.isFido2FeatureEnabled();
|
||||
|
||||
if (!enableFido2VaultCredentials) {
|
||||
this.logService?.warning(`[Fido2Client] Fido2VaultCredential is not enabled`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
const authStatus = await this.authService.getAuthStatus();
|
||||
|
||||
if (authStatus === AuthenticationStatus.LoggedOut) {
|
||||
this.logService?.warning(`[Fido2Client] Fido2VaultCredential is not enabled`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
const { domain: effectiveDomain } = parse(params.origin, { allowPrivateDomains: true });
|
||||
if (effectiveDomain == undefined) {
|
||||
this.logService?.warning(`[Fido2Client] Invalid origin: ${params.origin}`);
|
||||
throw new DOMException("'origin' is not a valid domain", "SecurityError");
|
||||
}
|
||||
|
||||
const parsedOrigin = parse(params.origin, { allowPrivateDomains: true });
|
||||
params.rpId = params.rpId ?? parsedOrigin.hostname;
|
||||
|
||||
if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
|
||||
this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
|
||||
throw new DOMException("'origin' is not a valid https origin", "SecurityError");
|
||||
}
|
||||
|
||||
if (!isValidRpId(params.rpId, params.origin)) {
|
||||
this.logService?.warning(
|
||||
`[Fido2Client] 'rp.id' cannot be used with the current origin: rp.id = ${params.rpId}; origin = ${params.origin}`
|
||||
);
|
||||
throw new DOMException("'rp.id' cannot be used with the current origin", "SecurityError");
|
||||
}
|
||||
|
||||
const collectedClientData = {
|
||||
type: "webauthn.get",
|
||||
challenge: params.challenge,
|
||||
origin: params.origin,
|
||||
crossOrigin: !params.sameOriginWithAncestors,
|
||||
// tokenBinding: {} // Not currently supported
|
||||
};
|
||||
const clientDataJSON = JSON.stringify(collectedClientData);
|
||||
const clientDataJSONBytes = Utils.fromByteStringToArray(clientDataJSON);
|
||||
const clientDataHash = await crypto.subtle.digest({ name: "SHA-256" }, clientDataJSONBytes);
|
||||
const getAssertionParams = mapToGetAssertionParams({ params, clientDataHash });
|
||||
|
||||
if (abortController.signal.aborted) {
|
||||
this.logService?.info(`[Fido2Client] Aborted with AbortController`);
|
||||
throw new DOMException("The operation either timed out or was not allowed.", "AbortError");
|
||||
}
|
||||
|
||||
const timeout = setAbortTimeout(abortController, params.userVerification, params.timeout);
|
||||
|
||||
let getAssertionResult;
|
||||
try {
|
||||
getAssertionResult = await this.authenticator.getAssertion(
|
||||
getAssertionParams,
|
||||
tab,
|
||||
abortController
|
||||
);
|
||||
} catch (error) {
|
||||
if (
|
||||
abortController.signal.aborted &&
|
||||
abortController.signal.reason === UserRequestedFallbackAbortReason
|
||||
) {
|
||||
this.logService?.info(`[Fido2Client] Aborting because user requested fallback`);
|
||||
throw new FallbackRequestedError();
|
||||
}
|
||||
|
||||
if (
|
||||
error instanceof Fido2AutenticatorError &&
|
||||
error.errorCode === Fido2AutenticatorErrorCode.InvalidState
|
||||
) {
|
||||
this.logService?.warning(`[Fido2Client] Unknown error: ${error}`);
|
||||
throw new DOMException("Unknown error occured.", "InvalidStateError");
|
||||
}
|
||||
|
||||
this.logService?.info(`[Fido2Client] Aborted by user: ${error}`);
|
||||
throw new DOMException(
|
||||
"The operation either timed out or was not allowed.",
|
||||
"NotAllowedError"
|
||||
);
|
||||
}
|
||||
|
||||
if (abortController.signal.aborted) {
|
||||
this.logService?.info(`[Fido2Client] Aborted with AbortController`);
|
||||
throw new DOMException("The operation either timed out or was not allowed.", "AbortError");
|
||||
}
|
||||
clearTimeout(timeout);
|
||||
|
||||
return {
|
||||
authenticatorData: Fido2Utils.bufferToString(getAssertionResult.authenticatorData),
|
||||
clientDataJSON: Fido2Utils.bufferToString(clientDataJSONBytes),
|
||||
credentialId: Fido2Utils.bufferToString(getAssertionResult.selectedCredential.id),
|
||||
userHandle:
|
||||
getAssertionResult.selectedCredential.userHandle !== undefined
|
||||
? Fido2Utils.bufferToString(getAssertionResult.selectedCredential.userHandle)
|
||||
: undefined,
|
||||
signature: Fido2Utils.bufferToString(getAssertionResult.signature),
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
const TIMEOUTS = {
|
||||
NO_VERIFICATION: {
|
||||
DEFAULT: 120000,
|
||||
MIN: 30000,
|
||||
MAX: 180000,
|
||||
},
|
||||
WITH_VERIFICATION: {
|
||||
DEFAULT: 300000,
|
||||
MIN: 30000,
|
||||
MAX: 600000,
|
||||
},
|
||||
};
|
||||
|
||||
function setAbortTimeout(
|
||||
abortController: AbortController,
|
||||
userVerification?: UserVerification,
|
||||
timeout?: number
|
||||
): number {
|
||||
let clampedTimeout: number;
|
||||
|
||||
if (userVerification === "required") {
|
||||
timeout = timeout ?? TIMEOUTS.WITH_VERIFICATION.DEFAULT;
|
||||
clampedTimeout = Math.max(
|
||||
TIMEOUTS.WITH_VERIFICATION.MIN,
|
||||
Math.min(timeout, TIMEOUTS.WITH_VERIFICATION.MAX)
|
||||
);
|
||||
} else {
|
||||
timeout = timeout ?? TIMEOUTS.NO_VERIFICATION.DEFAULT;
|
||||
clampedTimeout = Math.max(
|
||||
TIMEOUTS.NO_VERIFICATION.MIN,
|
||||
Math.min(timeout, TIMEOUTS.NO_VERIFICATION.MAX)
|
||||
);
|
||||
}
|
||||
|
||||
return window.setTimeout(() => abortController.abort(), clampedTimeout);
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert data gathered by the WebAuthn Client to a format that can be used by the authenticator.
|
||||
*/
|
||||
function mapToMakeCredentialParams({
|
||||
params,
|
||||
credTypesAndPubKeyAlgs,
|
||||
clientDataHash,
|
||||
}: {
|
||||
params: CreateCredentialParams;
|
||||
credTypesAndPubKeyAlgs: PublicKeyCredentialParam[];
|
||||
clientDataHash: ArrayBuffer;
|
||||
}): Fido2AuthenticatorMakeCredentialsParams {
|
||||
const excludeCredentialDescriptorList: PublicKeyCredentialDescriptor[] =
|
||||
params.excludeCredentials?.map((credential) => ({
|
||||
id: Fido2Utils.stringToBuffer(credential.id),
|
||||
transports: credential.transports,
|
||||
type: credential.type,
|
||||
})) ?? [];
|
||||
|
||||
const requireResidentKey =
|
||||
params.authenticatorSelection?.residentKey === "required" ||
|
||||
params.authenticatorSelection?.residentKey === "preferred" ||
|
||||
(params.authenticatorSelection?.residentKey === undefined &&
|
||||
params.authenticatorSelection?.requireResidentKey === true);
|
||||
|
||||
return {
|
||||
requireResidentKey,
|
||||
requireUserVerification: params.authenticatorSelection?.userVerification === "required",
|
||||
enterpriseAttestationPossible: params.attestation === "enterprise",
|
||||
excludeCredentialDescriptorList,
|
||||
credTypesAndPubKeyAlgs,
|
||||
hash: clientDataHash,
|
||||
rpEntity: {
|
||||
id: params.rp.id,
|
||||
name: params.rp.name,
|
||||
},
|
||||
userEntity: {
|
||||
id: Fido2Utils.stringToBuffer(params.user.id),
|
||||
displayName: params.user.displayName,
|
||||
},
|
||||
fallbackSupported: params.fallbackSupported,
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert data gathered by the WebAuthn Client to a format that can be used by the authenticator.
|
||||
*/
|
||||
function mapToGetAssertionParams({
|
||||
params,
|
||||
clientDataHash,
|
||||
}: {
|
||||
params: AssertCredentialParams;
|
||||
clientDataHash: ArrayBuffer;
|
||||
}): Fido2AuthenticatorGetAssertionParams {
|
||||
const allowCredentialDescriptorList: PublicKeyCredentialDescriptor[] =
|
||||
params.allowedCredentialIds.map((id) => ({
|
||||
id: Fido2Utils.stringToBuffer(id),
|
||||
type: "public-key",
|
||||
}));
|
||||
|
||||
return {
|
||||
rpId: params.rpId,
|
||||
requireUserVerification: params.userVerification === "required",
|
||||
hash: clientDataHash,
|
||||
allowCredentialDescriptorList,
|
||||
extensions: {},
|
||||
fallbackSupported: params.fallbackSupported,
|
||||
};
|
||||
}
|
26
libs/common/src/vault/services/fido2/fido2-utils.ts
Normal file
26
libs/common/src/vault/services/fido2/fido2-utils.ts
Normal file
@ -0,0 +1,26 @@
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
|
||||
export class Fido2Utils {
|
||||
static bufferToString(bufferSource: BufferSource): string {
|
||||
const buffer = Fido2Utils.bufferSourceToUint8Array(bufferSource);
|
||||
|
||||
return Utils.fromBufferToUrlB64(buffer);
|
||||
}
|
||||
|
||||
static stringToBuffer(str: string): Uint8Array {
|
||||
return Utils.fromUrlB64ToArray(str);
|
||||
}
|
||||
|
||||
static bufferSourceToUint8Array(bufferSource: BufferSource) {
|
||||
if (Fido2Utils.isArrayBuffer(bufferSource)) {
|
||||
return new Uint8Array(bufferSource);
|
||||
} else {
|
||||
return new Uint8Array(bufferSource.buffer);
|
||||
}
|
||||
}
|
||||
|
||||
/** Utility function to identify type of bufferSource. Necessary because of differences between runtimes */
|
||||
private static isArrayBuffer(bufferSource: BufferSource): bufferSource is ArrayBuffer {
|
||||
return bufferSource instanceof ArrayBuffer || bufferSource.buffer === undefined;
|
||||
}
|
||||
}
|
95
libs/common/src/vault/services/fido2/guid-utils.ts
Normal file
95
libs/common/src/vault/services/fido2/guid-utils.ts
Normal file
@ -0,0 +1,95 @@
|
||||
/*
|
||||
License for: guidToRawFormat, guidToStandardFormat
|
||||
Source: https://github.com/uuidjs/uuid/
|
||||
The MIT License (MIT)
|
||||
Copyright (c) 2010-2020 Robert Kieffer and other contributors
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.*/
|
||||
|
||||
import { Utils } from "../../../platform/misc/utils";
|
||||
|
||||
/** Private array used for optimization */
|
||||
const byteToHex = Array.from({ length: 256 }, (_, i) => (i + 0x100).toString(16).substring(1));
|
||||
|
||||
/** Convert standard format (XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX) UUID to raw 16 byte array. */
|
||||
export function guidToRawFormat(guid: string) {
|
||||
if (!Utils.isGuid(guid)) {
|
||||
throw TypeError("GUID parameter is invalid");
|
||||
}
|
||||
|
||||
let v;
|
||||
const arr = new Uint8Array(16);
|
||||
|
||||
// Parse ########-....-....-....-............
|
||||
arr[0] = (v = parseInt(guid.slice(0, 8), 16)) >>> 24;
|
||||
arr[1] = (v >>> 16) & 0xff;
|
||||
arr[2] = (v >>> 8) & 0xff;
|
||||
arr[3] = v & 0xff;
|
||||
|
||||
// Parse ........-####-....-....-............
|
||||
arr[4] = (v = parseInt(guid.slice(9, 13), 16)) >>> 8;
|
||||
arr[5] = v & 0xff;
|
||||
|
||||
// Parse ........-....-####-....-............
|
||||
arr[6] = (v = parseInt(guid.slice(14, 18), 16)) >>> 8;
|
||||
arr[7] = v & 0xff;
|
||||
|
||||
// Parse ........-....-....-####-............
|
||||
arr[8] = (v = parseInt(guid.slice(19, 23), 16)) >>> 8;
|
||||
arr[9] = v & 0xff;
|
||||
|
||||
// Parse ........-....-....-....-############
|
||||
// (Use "/" to avoid 32-bit truncation when bit-shifting high-order bytes)
|
||||
arr[10] = ((v = parseInt(guid.slice(24, 36), 16)) / 0x10000000000) & 0xff;
|
||||
arr[11] = (v / 0x100000000) & 0xff;
|
||||
arr[12] = (v >>> 24) & 0xff;
|
||||
arr[13] = (v >>> 16) & 0xff;
|
||||
arr[14] = (v >>> 8) & 0xff;
|
||||
arr[15] = v & 0xff;
|
||||
|
||||
return arr;
|
||||
}
|
||||
|
||||
/** Convert raw 16 byte array to standard format (XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX) UUID. */
|
||||
export function guidToStandardFormat(bufferSource: BufferSource) {
|
||||
const arr =
|
||||
bufferSource instanceof ArrayBuffer
|
||||
? new Uint8Array(bufferSource)
|
||||
: new Uint8Array(bufferSource.buffer);
|
||||
// Note: Be careful editing this code! It's been tuned for performance
|
||||
// and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434
|
||||
const guid = (
|
||||
byteToHex[arr[0]] +
|
||||
byteToHex[arr[1]] +
|
||||
byteToHex[arr[2]] +
|
||||
byteToHex[arr[3]] +
|
||||
"-" +
|
||||
byteToHex[arr[4]] +
|
||||
byteToHex[arr[5]] +
|
||||
"-" +
|
||||
byteToHex[arr[6]] +
|
||||
byteToHex[arr[7]] +
|
||||
"-" +
|
||||
byteToHex[arr[8]] +
|
||||
byteToHex[arr[9]] +
|
||||
"-" +
|
||||
byteToHex[arr[10]] +
|
||||
byteToHex[arr[11]] +
|
||||
byteToHex[arr[12]] +
|
||||
byteToHex[arr[13]] +
|
||||
byteToHex[arr[14]] +
|
||||
byteToHex[arr[15]]
|
||||
).toLowerCase();
|
||||
|
||||
// Consistency check for valid UUID. If this throws, it's likely due to one
|
||||
// of the following:
|
||||
// - One or more input array values don't map to a hex octet (leading to
|
||||
// "undefined" in the uuid)
|
||||
// - Invalid input values for the RFC `version` or `variant` fields
|
||||
if (!Utils.isGuid(guid)) {
|
||||
throw TypeError("Converted GUID is invalid");
|
||||
}
|
||||
|
||||
return guid;
|
||||
}
|
@ -0,0 +1,14 @@
|
||||
import {
|
||||
Fido2UserInterfaceService as Fido2UserInterfaceServiceAbstraction,
|
||||
Fido2UserInterfaceSession,
|
||||
} from "../../abstractions/fido2/fido2-user-interface.service.abstraction";
|
||||
|
||||
/**
|
||||
* Noop implementation of the {@link Fido2UserInterfaceService}.
|
||||
* This implementation does not provide any user interface.
|
||||
*/
|
||||
export class Fido2UserInterfaceService implements Fido2UserInterfaceServiceAbstraction {
|
||||
newSession(): Promise<Fido2UserInterfaceSession> {
|
||||
throw new Error("Not implemented exception");
|
||||
}
|
||||
}
|
6
package-lock.json
generated
6
package-lock.json
generated
@ -35,6 +35,7 @@
|
||||
"bootstrap": "4.6.0",
|
||||
"braintree-web-drop-in": "1.40.0",
|
||||
"bufferutil": "4.0.7",
|
||||
"cbor-redux": "^0.4.0",
|
||||
"chalk": "4.1.2",
|
||||
"commander": "7.2.0",
|
||||
"core-js": "3.32.0",
|
||||
@ -17669,6 +17670,11 @@
|
||||
"integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/cbor-redux": {
|
||||
"version": "0.4.0",
|
||||
"resolved": "https://registry.npmjs.org/cbor-redux/-/cbor-redux-0.4.0.tgz",
|
||||
"integrity": "sha512-jP8BB9zF2uVTwbNXe7kRNIQRmKFMNKZcx0A+TCc6v3kJHoIKzKexQ+DjvXP/G5HuPF88myDdVE2grBOizsbMxg=="
|
||||
},
|
||||
"node_modules/ccount": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/ccount/-/ccount-2.0.1.tgz",
|
||||
|
Loading…
Reference in New Issue
Block a user