Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-9723] Refresh: LoginViaAuthRequestComponent #11545

Merged
merged 62 commits into from
Nov 19, 2024
Merged

[PM-9723] Refresh: LoginViaAuthRequestComponent #11545

merged 62 commits into from
Nov 19, 2024

Conversation

rr-bw
Copy link
Contributor

@rr-bw rr-bw commented Oct 14, 2024
edited
Loading

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-9723

📔 Objective

Creates a refreshed and consolidated LoginViaAuthRequestComponent for use on all visual clients, which will be used when the UnauthenticatedExtensionUIRefresh is on.

Standard Auth Request Flows

Flow 1: Unauthed user requests approval from device; Approving device has a masterKey in memory.

  • Unauthed user clicks "Login with device" > navigates to /login-with-device which creates a StandardAuthRequest >
    receives approval from a device with authRequestPublicKey(masterKey) > decrypts masterKey > decrypts userKey >
    proceed to vault

Flow 2: Unauthed user requests approval from device; Approving device does NOT have a masterKey in memory.

  • Unauthed user clicks "Login with device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from a device with authRequestPublicKey(userKey) > decrypts userKey > proceeds to vault

  • Note: this flow is an uncommon scenario and relates to TDE off-boarding. The following describes how a user could get into this flow:

    • Step 1: An SSO TD user logs into a device via an Admin auth request approval, therefore this device does NOT have a masterKey in memory.
    • Step 2: The org admin does two things...
      • Changes the member decryption options from "Trusted devices" to "Master password" AND
      • Turns off the "Require single sign-on authentication" policy
    • Step 3: On another device, the user clicks "Login with device", which they can do because the org no longer requires SSO.
    • Step 4: The user approves from the device they had previously logged into with SSO TD, which does NOT have a masterKey in memory (see step 1 above).

Flow 3: Authed SSO TD user requests approval from device; Approving device has a masterKey in memory.

  • SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Approve from your other device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from device with authRequestPublicKey(masterKey) > decrypts masterKey > decrypts userKey > establishes trust (if required) > proceeds to vault

Flow 4: Authed SSO TD user requests approval from device; Approving device does NOT have a masterKey in memory.

  • SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Approve from your other device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from device with authRequestPublicKey(userKey) > decrypts userKey > establishes trust (if required) > proceeds to vault

Admin Auth Request Flow

Flow: Authed SSO TD user requests admin approval.

  • SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Request admin approval" > navigates to /admin-approval-requested which creates an AdminAuthRequest > receives approval from device with authRequestPublicKey(userKey) > decrypts userKey > establishes trust (if required) > proceeds to vault

Summary Table

Flow Auth Status Clicks Button [active route] Navigates to Approving device has masterKey in memory (see note 1)
Standard Flow 1 unauthed "Login with device" [/login] /login-with-device yes
Standard Flow 2 unauthed "Login with device" [/login] /login-with-device no
Standard Flow 3 authed "Approve from your other device" [/login-initiated] /login-with-device yes
Standard Flow 4 authed "Approve from your other device" [/login-initiated] /login-with-device no
Admin Flow authed "Request admin approval" [/login-initiated] /admin-approval-requested NA - admin requests always send encrypted userKey

Note 1: The phrase "in memory" here is important. It is possible for a user to have a master password for their account, but not have a masterKey IN MEMORY for a specific device. For example, if a user registers an account with a master password, then joins an SSO TD org, then logs in to a device via SSO and admin auth request, they are now logged into that device but that device does not have masterKey IN MEMORY.

📸 Screenshots

Standard Auth Request Flow 1

Unauthed user requests approval from device; Approving device has a masterKey in memory.

standard-flow-1.mov

Standard Auth Request Flow 2

Unauthed user requests approval from device; Approving device does NOT have a masterKey in memory.

Note: this flow is an uncommon scenario and relates to TDE off-boarding. The following describes how a user could get into this flow:

  1. An SSO TD user logs into a device via an Admin auth request approval, therefore this device does NOT have a masterKey in memory.
  2. The org admin...
    2a. Changes the member decryption options from "Trusted devices" to "Master password" AND
    2b. Turns off the "Require single sign-on authentication" policy
  3. On another device, the user clicks "Login with device", which they can do because the org no longer requires SSO.
  4. The user approves from the device they had previously logged into with SSO TD, which does NOT have a masterKey in memory (see step 1 above).
standard-flow-2.mov

Standard Auth Request Flow 3

Authed SSO TD user requests approval from device; Approving device has a masterKey in memory.

standard-flow-3.mov

Standard Auth Request Flow 4

Authed SSO TD user requests approval from device; Approving device does NOT have a masterKey in memory.

standard-flow-4.mov

Admin Auth Request Flow

Authed SSO TD user requests admin approval.

(In the screencast, at the end there is a console.log that says "Admin Auth Request 2". Ignore the "2". It's just the Admin Auth Request Flow.)

admin-flow-2.mov

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@codecov Codecov
Copy link

codecov bot commented Oct 14, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 1.80995% with 217 lines in your changes missing coverage. Please review.

Project coverage is 33.44%. Comparing base (c17f582) to head (5bccf36).
Report is 3 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...a-auth-request/login-via-auth-request.component.ts 0.00% 172 Missing ⚠️
.../services/auth-request/auth-request-api.service.ts 4.00% 24 Missing ⚠️
.../auth/login/login-via-auth-request-v1.component.ts 0.00% 3 Missing ⚠️
.../components/login-via-auth-request-v1.component.ts 0.00% 3 Missing ⚠️
.../auth/popup/login-via-auth-request-v1.component.ts 0.00% 2 Missing ⚠️
.../auth/login/login-via-auth-request-v1.component.ts 0.00% 2 Missing ⚠️
libs/auth/src/angular/icons/devices.icon.ts 0.00% 2 Missing ⚠️
apps/browser/src/popup/app-routing.module.ts 0.00% 1 Missing ⚠️
apps/browser/src/popup/app.module.ts 0.00% 1 Missing ⚠️
apps/desktop/src/app/app-routing.module.ts 0.00% 1 Missing ⚠️
... and 6 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #11545      +/-   ##
==========================================
- Coverage   33.46%   33.44%   -0.02%     
==========================================
  Files        2858     2863       +5     
  Lines       89396    89638     +242     
  Branches    17018    17059      +41     
==========================================
+ Hits        29919    29983      +64     
- Misses      57120    57294     +174     
- Partials     2357     2361       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚨 Try these New Features:

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 14, 2024
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailse17d1f89-a1a5-44ee-8fdd-07a8acd72089

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Missing_HSTS_Header /libs/common/src/services/api.service.ts: 228 Attack Vector
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request-v1.component.ts: 61 Attack Vector
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request-v1.component.ts: 53 Attack Vector
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request-v1.component.ts: 61 Attack Vector
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request-v1.component.ts: 53 Attack Vector
LOW Client_JQuery_Deprecated_Symbols /apps/cli/src/service-container/service-container.ts: 876 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members.component.html: 55
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members.component.html: 50
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members.component.html: 45
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members.component.html: 50
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 40
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 40
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 35
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 45
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health.component.html: 50
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health.component.html: 45
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health.component.html: 40
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/risk-insights/password-health.component.html: 45
MEDIUM Client_Privacy_Violation /libs/tools/generator/components/src/username-generator.component.html: 3
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 53
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 61
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 53
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 61

rr-bw added 19 commits October 15, 2024 11:03
@rr-bw
Merge branch 'main' into auth/pm-9723/login-via-auth-request-componen…
e4c6ea9 
…t-refresh
@rr-bw
Update Web route
44eb5a6
@rr-bw
Merge branch 'main' into auth/pm-9723/login-via-auth-request-componen…
0198707 
…t-refresh
@rr-bw
Update template for standard auth request
3c88925
@rr-bw
Update template for admin auth request
19556ac
@rr-bw
Update browser routes
78ca231
@rr-bw
Update desktop routes
65e65e4
@rr-bw
Add devices icon
17f024c
@rr-bw
update Web route for 'admin-approval-requested'
940f14c
@rr-bw
update browser and desktop routes for admin-approval-requested
8dcf015
@rr-bw
browser route cleanup and comment
2d1c603
@rr-bw
comments and cleanup
4f27362
@rr-bw
refactor use of deprecated method
1443f08
@rr-bw
refactor onSuccess navigation logic
3a675c8
@rr-bw
refactoring - use takeUntilDestroyed() instead of a destroy$ subject
9b924d7
@rr-bw
merge main, fix conflict
0350eee
@rr-bw
refactor - ngOnInit() logic
882f995
@rr-bw
refactor - renaming
4ea7d3f
@rr-bw
renaming
8381a00
JaredSnider-Bitwarden
JaredSnider-Bitwarden requested changes Nov 5, 2024
View reviewed changes
Copy link
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent work. No major issues - just a few comments below:

libs/common/src/auth/models/request/auth.request.ts Outdated Show resolved Hide resolved
libs/common/src/auth/models/response/auth-request.response.ts Outdated Show resolved Hide resolved
libs/common/src/services/api.service.ts Show resolved Hide resolved
libs/auth/src/angular/icons/devices.icon.ts Outdated Show resolved Hide resolved
libs/auth/src/angular/login-via-auth-request/login-via-auth-request.component.ts Show resolved Hide resolved
@rr-bw rr-bw requested review from JaredSnider-Bitwarden and removed request for ike-kottlowski November 7, 2024 01:04
rr-bw added 5 commits November 18, 2024 14:34
@rr-bw
update documentation comment
c76b5c4
@rr-bw
clarify documentation around Admin Flow
0fee265
@rr-bw
fix typo
dd11813
@rr-bw
Merge branch 'main' into auth/pm-9723/login-via-auth-request-componen…
8371657 
…t-refresh
@rr-bw
Update backToRoute for authed users
5bccf36 
We shouldn't use the type of auth request (Standard/Admin) to determine
what the backToRoute should be, since SSO TD authed users have the option
to use either a Standard or Admin flow. Instead, this commit uses the user's
authStatus to determine the backToRoute.
JaredSnider-Bitwarden
JaredSnider-Bitwarden approved these changes Nov 19, 2024
View reviewed changes
Copy link
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent work on this. Thank you very much for all the rounds of testing and thorough documentation. This is so much cleaner.

@rr-bw rr-bw merged commit 9429ae1 into main Nov 19, 2024
73 checks passed
@rr-bw rr-bw deleted the auth/pm-9723/login-via-auth-request-component-refresh branch November 19, 2024 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JaredSnider-Bitwarden JaredSnider-Bitwarden JaredSnider-Bitwarden approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rr-bw @JaredSnider-Bitwarden @withinfocus