mirror of
https://github.com/bitwarden/browser.git
synced 2024-11-25 12:15:18 +01:00
[PS-616] [PS-795] Fix/withdraw master password reset without user verification (#2845)
* Limit enroll MPR modal to enrolling * Withdraw from MPR directly from org options * [PS-795] Fix Automatic mpr enrollment. Add reset password key to the accept request * Linter * Specify params type in accept components
This commit is contained in:
parent
a65d7370d4
commit
d5112cc8cb
@ -1,5 +1,5 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { ActivatedRoute, Params, Router } from "@angular/router";
|
||||
|
||||
import { ApiService } from "jslib-common/abstractions/api.service";
|
||||
import { I18nService } from "jslib-common/abstractions/i18n.service";
|
||||
@ -31,7 +31,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
|
||||
super(router, platformUtilsService, i18nService, route, stateService);
|
||||
}
|
||||
|
||||
async authedHandler(qParams: any): Promise<void> {
|
||||
async authedHandler(qParams: Params): Promise<void> {
|
||||
const request = new EmergencyAccessAcceptRequest();
|
||||
request.token = qParams.token;
|
||||
this.actionPromise = this.apiService.postEmergencyAccessAccept(qParams.id, request);
|
||||
@ -45,7 +45,7 @@ export class AcceptEmergencyComponent extends BaseAcceptComponent {
|
||||
this.router.navigate(["/vault"]);
|
||||
}
|
||||
|
||||
async unauthedHandler(qParams: any): Promise<void> {
|
||||
async unauthedHandler(qParams: Params): Promise<void> {
|
||||
this.name = qParams.name;
|
||||
if (this.name != null) {
|
||||
// Fix URL encoding of space issue with Angular
|
||||
|
@ -1,5 +1,5 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { ActivatedRoute, Params, Router } from "@angular/router";
|
||||
|
||||
import { ApiService } from "jslib-common/abstractions/api.service";
|
||||
import { CryptoService } from "jslib-common/abstractions/crypto.service";
|
||||
@ -11,7 +11,6 @@ import { StateService } from "jslib-common/abstractions/state.service";
|
||||
import { Utils } from "jslib-common/misc/utils";
|
||||
import { Policy } from "jslib-common/models/domain/policy";
|
||||
import { OrganizationUserAcceptRequest } from "jslib-common/models/request/organizationUserAcceptRequest";
|
||||
import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";
|
||||
|
||||
import { BaseAcceptComponent } from "../common/base.accept.component";
|
||||
|
||||
@ -38,44 +37,14 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
|
||||
super(router, platformUtilsService, i18nService, route, stateService);
|
||||
}
|
||||
|
||||
async authedHandler(qParams: any): Promise<void> {
|
||||
const request = new OrganizationUserAcceptRequest();
|
||||
request.token = qParams.token;
|
||||
if (await this.performResetPasswordAutoEnroll(qParams)) {
|
||||
this.actionPromise = this.apiService
|
||||
.postOrganizationUserAccept(qParams.organizationId, qParams.organizationUserId, request)
|
||||
.then(() => {
|
||||
// Retrieve Public Key
|
||||
return this.apiService.getOrganizationKeys(qParams.organizationId);
|
||||
})
|
||||
.then(async (response) => {
|
||||
if (response == null) {
|
||||
throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
|
||||
}
|
||||
|
||||
const publicKey = Utils.fromB64ToArray(response.publicKey);
|
||||
|
||||
// RSA Encrypt user's encKey.key with organization public key
|
||||
const encKey = await this.cryptoService.getEncKey();
|
||||
const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
|
||||
|
||||
// Create request and execute enrollment
|
||||
const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
|
||||
resetRequest.resetPasswordKey = encryptedKey.encryptedString;
|
||||
|
||||
return this.apiService.putOrganizationUserResetPasswordEnrollment(
|
||||
qParams.organizationId,
|
||||
await this.stateService.getUserId(),
|
||||
resetRequest
|
||||
);
|
||||
});
|
||||
} else {
|
||||
this.actionPromise = this.apiService.postOrganizationUserAccept(
|
||||
async authedHandler(qParams: Params): Promise<void> {
|
||||
this.actionPromise = this.prepareAcceptRequest(qParams).then(async (request) => {
|
||||
await this.apiService.postOrganizationUserAccept(
|
||||
qParams.organizationId,
|
||||
qParams.organizationUserId,
|
||||
request
|
||||
);
|
||||
}
|
||||
});
|
||||
|
||||
await this.actionPromise;
|
||||
this.platformUtilService.showToast(
|
||||
@ -89,7 +58,7 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
|
||||
this.router.navigate(["/vault"]);
|
||||
}
|
||||
|
||||
async unauthedHandler(qParams: any): Promise<void> {
|
||||
async unauthedHandler(qParams: Params): Promise<void> {
|
||||
this.orgName = qParams.organizationName;
|
||||
if (this.orgName != null) {
|
||||
// Fix URL encoding of space issue with Angular
|
||||
@ -98,6 +67,29 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
|
||||
await this.stateService.setOrganizationInvitation(qParams);
|
||||
}
|
||||
|
||||
private async prepareAcceptRequest(qParams: Params): Promise<OrganizationUserAcceptRequest> {
|
||||
const request = new OrganizationUserAcceptRequest();
|
||||
request.token = qParams.token;
|
||||
|
||||
if (await this.performResetPasswordAutoEnroll(qParams)) {
|
||||
const response = await this.apiService.getOrganizationKeys(qParams.organizationId);
|
||||
|
||||
if (response == null) {
|
||||
throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
|
||||
}
|
||||
|
||||
const publicKey = Utils.fromB64ToArray(response.publicKey);
|
||||
|
||||
// RSA Encrypt user's encKey.key with organization public key
|
||||
const encKey = await this.cryptoService.getEncKey();
|
||||
const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey.buffer);
|
||||
|
||||
// Add reset password key to accept request
|
||||
request.resetPasswordKey = encryptedKey.encryptedString;
|
||||
}
|
||||
return request;
|
||||
}
|
||||
|
||||
private async performResetPasswordAutoEnroll(qParams: any): Promise<boolean> {
|
||||
let policyList: Policy[] = null;
|
||||
try {
|
||||
|
@ -1,5 +1,5 @@
|
||||
import { Directive, OnInit } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { ActivatedRoute, Params, Router } from "@angular/router";
|
||||
import { first } from "rxjs/operators";
|
||||
|
||||
import { I18nService } from "jslib-common/abstractions/i18n.service";
|
||||
@ -25,8 +25,8 @@ export abstract class BaseAcceptComponent implements OnInit {
|
||||
protected stateService: StateService
|
||||
) {}
|
||||
|
||||
abstract authedHandler(qParams: any): Promise<void>;
|
||||
abstract unauthedHandler(qParams: any): Promise<void>;
|
||||
abstract authedHandler(qParams: Params): Promise<void>;
|
||||
abstract unauthedHandler(qParams: Params): Promise<void>;
|
||||
|
||||
ngOnInit() {
|
||||
this.route.queryParams.pipe(first()).subscribe(async (qParams) => {
|
||||
|
@ -14,7 +14,7 @@
|
||||
>
|
||||
<div class="modal-header">
|
||||
<h2 class="modal-title" id="enrollMasterPasswordResetTitle">
|
||||
{{ (isEnrolled ? "withdrawPasswordReset" : "enrollPasswordReset") | i18n }}
|
||||
{{ "enrollPasswordReset" | i18n }}
|
||||
</h2>
|
||||
<button
|
||||
type="button"
|
||||
@ -26,7 +26,7 @@
|
||||
</button>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<app-callout type="warning" *ngIf="!isEnrolled">
|
||||
<app-callout type="warning">
|
||||
{{ "resetPasswordEnrollmentWarning" | i18n }}
|
||||
</app-callout>
|
||||
<app-user-verification [(ngModel)]="verification" name="secret"> </app-user-verification>
|
||||
|
@ -47,8 +47,6 @@ export class EnrollMasterPasswordReset {
|
||||
// Set variables
|
||||
let keyString: string = null;
|
||||
|
||||
// Enrolling
|
||||
if (!this.organization.resetPasswordEnrolled) {
|
||||
// Retrieve Public Key
|
||||
const orgKeys = await this.apiService.getOrganizationKeys(this.organization.id);
|
||||
if (orgKeys == null) {
|
||||
@ -70,15 +68,6 @@ export class EnrollMasterPasswordReset {
|
||||
this.organization.userId,
|
||||
request
|
||||
);
|
||||
} else {
|
||||
// Withdrawal
|
||||
request.resetPasswordKey = keyString;
|
||||
await this.apiService.putOrganizationUserResetPasswordEnrollment(
|
||||
this.organization.id,
|
||||
this.organization.userId,
|
||||
request
|
||||
);
|
||||
}
|
||||
|
||||
await this.syncService.fullSync(true);
|
||||
});
|
||||
@ -90,8 +79,4 @@ export class EnrollMasterPasswordReset {
|
||||
this.logService.error(e);
|
||||
}
|
||||
}
|
||||
|
||||
get isEnrolled(): boolean {
|
||||
return this.organization.resetPasswordEnrolled;
|
||||
}
|
||||
}
|
||||
|
@ -6,7 +6,11 @@
|
||||
></i>
|
||||
<span class="sr-only">{{ "loading" | i18n }}</span>
|
||||
</ng-container>
|
||||
<div *ngIf="loaded" class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col">
|
||||
<div
|
||||
*ngIf="loaded"
|
||||
class="tw-max-w-[300px] tw-min-w-[200px] tw-flex tw-flex-col"
|
||||
[appApiAction]="actionPromise"
|
||||
>
|
||||
<button
|
||||
*ngIf="allowEnrollmentChanges(organization) && !organization.resetPasswordEnrolled"
|
||||
class="dropdown-item"
|
||||
|
@ -10,6 +10,7 @@ import { SyncService } from "jslib-common/abstractions/sync.service";
|
||||
import { PolicyType } from "jslib-common/enums/policyType";
|
||||
import { Organization } from "jslib-common/models/domain/organization";
|
||||
import { Policy } from "jslib-common/models/domain/policy";
|
||||
import { OrganizationUserResetPasswordEnrollmentRequest } from "jslib-common/models/request/organizationUserResetPasswordEnrollmentRequest";
|
||||
|
||||
import { EnrollMasterPasswordReset } from "../../organizations/users/enroll-master-password-reset.component";
|
||||
|
||||
@ -82,7 +83,6 @@ export class OrganizationOptionsComponent {
|
||||
this.platformUtilsService.showToast("success", null, "Unlinked SSO");
|
||||
await this.load();
|
||||
} catch (e) {
|
||||
this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
|
||||
this.logService.error(e);
|
||||
}
|
||||
}
|
||||
@ -107,17 +107,38 @@ export class OrganizationOptionsComponent {
|
||||
this.platformUtilsService.showToast("success", null, this.i18nService.t("leftOrganization"));
|
||||
await this.load();
|
||||
} catch (e) {
|
||||
this.platformUtilsService.showToast("error", this.i18nService.t("errorOccurred"), e.message);
|
||||
this.logService.error(e);
|
||||
}
|
||||
}
|
||||
|
||||
async toggleResetPasswordEnrollment(org: Organization) {
|
||||
if (!this.organization.resetPasswordEnrolled) {
|
||||
this.modalService.open(EnrollMasterPasswordReset, {
|
||||
allowMultipleModals: true,
|
||||
data: {
|
||||
organization: org,
|
||||
},
|
||||
});
|
||||
} else {
|
||||
const request = new OrganizationUserResetPasswordEnrollmentRequest();
|
||||
request.masterPasswordHash = "ignored";
|
||||
request.resetPasswordKey = null;
|
||||
this.actionPromise = this.apiService.putOrganizationUserResetPasswordEnrollment(
|
||||
this.organization.id,
|
||||
this.organization.userId,
|
||||
request
|
||||
);
|
||||
try {
|
||||
await this.actionPromise;
|
||||
this.platformUtilsService.showToast(
|
||||
"success",
|
||||
null,
|
||||
this.i18nService.t("withdrawPasswordResetSuccess")
|
||||
);
|
||||
this.syncService.fullSync(true);
|
||||
} catch (e) {
|
||||
this.logService.error(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { Params } from "@angular/router";
|
||||
|
||||
import { BaseAcceptComponent } from "src/app/common/base.accept.component";
|
||||
|
||||
@ -12,11 +13,11 @@ export class AcceptFamilySponsorshipComponent extends BaseAcceptComponent {
|
||||
|
||||
requiredParameters = ["email", "token"];
|
||||
|
||||
async authedHandler(qParams: any) {
|
||||
async authedHandler(qParams: Params) {
|
||||
this.router.navigate(["/setup/families-for-enterprise"], { queryParams: qParams });
|
||||
}
|
||||
|
||||
async unauthedHandler(qParams: any) {
|
||||
async unauthedHandler(qParams: Params) {
|
||||
if (!qParams.register) {
|
||||
this.router.navigate(["/login"], { queryParams: { email: qParams.email } });
|
||||
} else {
|
||||
|
@ -1,5 +1,5 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { ActivatedRoute, Router } from "@angular/router";
|
||||
import { ActivatedRoute, Params, Router } from "@angular/router";
|
||||
|
||||
import { ApiService } from "jslib-common/abstractions/api.service";
|
||||
import { I18nService } from "jslib-common/abstractions/i18n.service";
|
||||
@ -31,7 +31,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
|
||||
super(router, platformUtilService, i18nService, route, stateService);
|
||||
}
|
||||
|
||||
async authedHandler(qParams: any) {
|
||||
async authedHandler(qParams: Params) {
|
||||
const request = new ProviderUserAcceptRequest();
|
||||
request.token = qParams.token;
|
||||
|
||||
@ -49,7 +49,7 @@ export class AcceptProviderComponent extends BaseAcceptComponent {
|
||||
this.router.navigate(["/vault"]);
|
||||
}
|
||||
|
||||
async unauthedHandler(qParams: any) {
|
||||
async unauthedHandler(qParams: Params) {
|
||||
this.providerName = qParams.providerName;
|
||||
}
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
import { Component } from "@angular/core";
|
||||
import { Params } from "@angular/router";
|
||||
|
||||
import { BaseAcceptComponent } from "src/app/common/base.accept.component";
|
||||
|
||||
@ -12,11 +13,11 @@ export class SetupProviderComponent extends BaseAcceptComponent {
|
||||
|
||||
requiredParameters = ["providerId", "email", "token"];
|
||||
|
||||
async authedHandler(qParams: any) {
|
||||
async authedHandler(qParams: Params) {
|
||||
this.router.navigate(["/providers/setup"], { queryParams: qParams });
|
||||
}
|
||||
|
||||
async unauthedHandler(qParams: any) {
|
||||
async unauthedHandler(qParams: Params) {
|
||||
// Empty
|
||||
}
|
||||
}
|
||||
|
@ -1,3 +1,5 @@
|
||||
export class OrganizationUserAcceptRequest {
|
||||
token: string;
|
||||
// Used to auto-enroll in master password reset
|
||||
resetPasswordKey: string;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user