1
0
mirror of https://github.com/bitwarden/browser.git synced 2024-12-27 17:18:04 +01:00
bitwarden-browser/apps/web
Shane Melton 07c2c2af20
[AC-1070] Enforce master password policy on login (#4795)
* [EC-1070] Introduce flag for enforcing master password policy on login

* [EC-1070] Update master password policy form

Add the ability to toggle enforceOnLogin flag in web

* [EC-1070] Add API method to retrieve all policies for the current user

* [EC-1070] Refactor forcePasswordReset in state service to support more options

- Use an options class to provide a reason and optional organization id
- Use the OnDiskMemory storage location so the option persists between the same auth session

* [AC-1070] Retrieve single master password policy from identity token response

Additionally, store the policy in the login strategy for future use

* [EC-1070] Introduce master password evaluation in the password login strategy

- If a master password policy is returned from the identity result, evaluate the password.
- If the password does not meet the requirements, save the forcePasswordReset options
- Add support for 2FA by storing the results of the password evaluation on the login strategy instance
- Add unit tests to password login strategy

* [AC-1070] Modify admin password reset component to support update master password on login

- Modify the warning message to depend on the reason

- Use the forcePasswordResetOptions in the update temp password component

* [EC-1070] Require current master password when updating weak mp on login

- Inject user verification service to verify the user
- Conditionally show the current master password field only when updating a weak mp. Admin reset does not require the current master password.

* [EC-1070] Implement password policy check during vault unlock

Checking the master password during unlock is the only applicable place to enforce the master password policy check for SSO users.

* [EC-1070] CLI - Add ability to load MP policies on login

Inject policyApi and organization services into the login command

* [EC-1070] CLI - Refactor update temp password logic to support updating weak passwords

- Introduce new shared method for collecting a valid and confirmed master password from the CLI and generating a new encryption key
- Add separate methods for updating temp passwords and weak passwords.
- Utilize those methods during login flow if not using an API key

* [EC-1070] Add route guard to force password reset when required

* [AC-1070] Use master password policy from verify password response in lock component

* [EC-1070] Update labels in update password component

* [AC-1070] Fix policy service tests

* [AC-1070] CLI - Force sync before any password reset flow

Move up the call to sync the vault before attempting to collect a new master password. Ensures the master password policies are available.

* [AC-1070] Remove unused getAllPolicies method from policy api service

* [AC-1070] Fix missing enforceOnLogin copy in policy service

* [AC-1070] Include current master password on desktop/browser update password page templates

* [AC-1070] Check for forced password reset on account switch in Desktop

* [AC-1070] Rename WeakMasterPasswordOnLogin to WeakMasterPassword

* [AC-1070] Update AuthServiceInitOptions

* [AC-1070] Add None force reset password reason

* [AC-1070] Remove redundant ForcePasswordResetOptions class and replace with ForcePasswordResetReason enum

* [AC-1070] Rename ForceResetPasswordReason file

* [AC-1070] Simplify conditional

* [AC-1070] Refactor logic that saves password reset flag

* [AC-1070] Remove redundant constructors

* [AC-1070] Remove unnecessary state service call

* [AC-1070] Update master password policy component

- Use typed reactive form
- Use CL form components
- Remove bootstrap
- Update error component to support min/max
- Use Utils.minimumPasswordLength value for min value form validation

* [AC-1070] Cleanup leftover html comment

* [AC-1070] Remove overridden default values from MasterPasswordPolicyResponse

* [AC-1070] Hide current master password input in browser for admin password reset

* [AC-1070] Remove clientside user verification

* [AC-1070] Update temp password web component to use CL

- Use CL for form inputs in the Web component template
- Remove most of the bootstrap classes in the Web component template
- Use userVerificationService to build the password request
- Remove redundant current master password null check

* [AC-1070] Replace repeated user inputs email parsing helpers

- Update passwordStrength() method to accept an optional email argument that will be parsed into separate user inputs for use with zxcvbn
- Remove all other repeated getUserInput helper methods that parsed user emails and use the new passwordStrength signature

* [AC-1070] Fix broken login command after forcePasswordReset enum refactor

* [AC-1070] Reduce side effects in base login strategy

- Remove masterPasswordPolicy property from base login.strategy.ts
- Include an IdentityResponse in base startLogin() in addition to AuthResult
- Use the new IdentityResponse to parse the master password policy info only in the PasswordLoginStrategy

* [AC-1070] Cleanup password login strategy tests

* [AC-1070] Remove unused field

* [AC-1070] Strongly type postAccountVerifyPassword API service method

- Remove redundant verify master password response
- Use MasterPasswordPolicyResponse instead

* [AC-1070] Use ForceResetPassword.None during account switch check

* [AC-1070] Fix check for forcePasswordReset reason after addition of None

* [AC-1070] Redirect a user home if on the update temp password page without a reason

* [AC-1070] Use bit-select and bit-option

* [AC-1070] Reduce explicit form control definitions for readability

* [AC-1070] Import SelectModule in Shared web module

* [AC-1070] Add check for missing 'at' symbol

* [AC-1070] Remove redundant unpacking and null coalescing

* [AC-1070] Update passwordStrength signature and add jsdocs

* [AC-1070] Remove variable abbreviation

* [AC-1070] Restore Id attributes on form inputs

* [AC-1070] Clarify input value min/max error messages

* [AC-1070] Add input min/max value example to storybook

* [AC-1070] Add missing spinner to update temp password form

* [AC-1070] Add missing ids to form elements

* [AC-1070] Remove duplicate force sync and update comment

* [AC-1070] Switch backticks to quotation marks

---------

Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2023-04-17 07:35:37 -07:00
..
.vscode Multi root workspace tweaks (#2858) 2022-06-13 21:39:36 -05:00
config Update POC to POC2 (#5033) 2023-03-21 10:24:22 -06:00
scripts Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
src [AC-1070] Enforce master password policy on login (#4795) 2023-04-17 07:35:37 -07:00
.dockerignore Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
.eslintrc.json [EC-7] Org Admin Vault Refresh Client V1 (#3925) 2022-11-02 09:57:25 -07:00
.gitignore Add webpack-bundle-analyzer command using npx (#2955) 2022-06-28 07:32:17 +10:00
config.js Use settings in base.json and merge config keys (#3804) 2022-10-18 12:00:40 +10:00
crowdin.yml Fix crowdin sync for web (#2853) 2022-06-07 21:31:53 +02:00
dev-server.shared.pem Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
Dockerfile Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
entrypoint.sh Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
jest.config.js [EC-423] Fix unit tests (#3265) 2022-08-11 11:35:08 +10:00
package.json Bumped web version to 2023.3.0 (#5041) 2023-03-21 15:26:26 -06:00
postcss.config.js Move web to apps/web and bitwarden_license/bit-web 2022-06-02 11:55:37 +02:00
README.md Update urls to match the contributing docs (#4192) 2022-12-06 11:20:27 +01:00
tailwind.config.js [SM-45] Scaffold secrets manager module (#2989) 2022-07-22 11:16:24 +02:00
test.setup.ts [EC-423] Fix unit tests (#3265) 2022-08-11 11:35:08 +10:00
tsconfig.json [PM-328] Move common/importer to libs/importer (tools-migration) (#5060) 2023-03-23 11:43:27 +01:00
tsconfig.spec.json [EC-423] Fix unit tests (#3265) 2022-08-11 11:35:08 +10:00
webpack.config.js [SM-668] hash font asset names (#5054) 2023-03-23 17:51:03 -04:00

The Bitwarden web project is an Angular application that powers the web vault (https://vault.bitwarden.com/).

Github Workflow build on master Crowdin DockerHub gitter chat

Documentation

Please refer to the Web vault section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.