[PM-9723] Refresh: LoginViaAuthRequestComponent

[rr-bw]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-9723

📔 Objective

Creates a refreshed and consolidated LoginViaAuthRequestComponent for use on all visual clients, which will be used when the UnauthenticatedExtensionUIRefresh is on.

Standard Auth Request Flows

Flow 1: Unauthed user requests approval from device; Approving device has a masterKey in memory.

• Unauthed user clicks "Login with device" > navigates to /login-with-device which creates a StandardAuthRequest >
  receives approval from a device with authRequestPublicKey(masterKey) > decrypts masterKey > decrypts userKey >
  proceed to vault

Flow 2: Unauthed user requests approval from device; Approving device does NOT have a masterKey in memory.

• Unauthed user clicks "Login with device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from a device with authRequestPublicKey(userKey) > decrypts userKey > proceeds to vault

• Note: this flow is an uncommon scenario and relates to TDE off-boarding. The following describes how a user could get into this flow:

  • An SSO TD user logs into a device via an Admin auth request approval, therefore this device does NOT have a masterKey in memory.
  • The org admin does two things...
    • Changes the member decryption options from "Trusted devices" to "Master password" AND
    • Turns off the "Require single sign-on authentication" policy
  • On another device, the user clicks "Login with device", which they can do because the org no longer requires SSO.
  • The user approves from the device they had previously logged into with SSO TD, which does NOT have a masterKey in memory (see step 1 above).

Flow 3: Authed SSO TD user requests approval from device; Approving device has a masterKey in memory.

• SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Approve from your other device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from device with authRequestPublicKey(masterKey) > decrypts masterKey > decrypts userKey > establishes trust (if required) > proceeds to vault

Flow 4: Authed SSO TD user requests approval from device; Approving device does NOT have a masterKey in memory.

• SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Approve from your other device" > navigates to /login-with-device which creates a StandardAuthRequest > receives approval from device with authRequestPublicKey(userKey) > decrypts userKey > establishes trust (if required) > proceeds to vault

Admin Auth Request Flows

Flow 1: Authed SSO TD user who has a masterKey in memory requests admin approval.

• SSO TD user who has a masterKey in memory authenticates via SSO > navigates to /login-initiated > clicks "Request admin approval" > navigates to /admin-approval-requested which creates an AdminAuthRequest > receives approval from device with authRequestPublicKey(masterKey) > decrypts masterKey > decrypts userKey > establishes trust (if required) > proceeds to vault

Flow 2: Authed SSO TD user who does NOT have a masterKey in memory requests admin approval.

• SSO TD user who does NOT have a masterKey in memory authenticates via SSO > navigates to /login-initiated > clicks "Request admin approval" > navigates to /admin-approval-requested which creates an AdminAuthRequest > receives approval from device with authRequestPublicKey(userKey) > decrypts userKey > establishes trust (if required) > proceeds to vault

Summary Table

Flow	Auth Status	Clicks Button [active route]	Navigates to	Approving device has masterKey in memory (see note 1)
Standard Flow 1	unauthed	"Login with device" [/login]	/login-with-device	yes
Standard Flow 2	unauthed	"Login with device" [/login]	/login-with-device	no
Standard Flow 3	authed	"Approve from your other device" [/login-initiated]	/login-with-device	yes
Standard Flow 4	authed	"Approve from your other device" [/login-initiated]	/login-with-device	no
Admin Flow 1	authed	"Request admin approval" [/login-initiated]	/admin-approval-requested	yes
Admin Flow 2	authed	"Request admin approval" [/login-initiated]	/admin-approval-requested	no

Note 1: The phrase "in memory" here is important. It is possible for a user to have a master password for their account, but not have a masterKey IN MEMORY for a specific device. For example, if a user registers an account with a master password, then joins an SSO TD org, then logs in to a device via SSO and admin auth request, they are now logged into that device but that device does not have masterKey IN MEMORY.

📸 Screenshots

Standard Auth Request Flow 1

Unauthed user requests approval from device; Approving device has a masterKey in memory.

standard-flow-1.mov

Standard Auth Request Flow 2

Unauthed user requests approval from device; Approving device does NOT have a masterKey in memory.

Note: this flow is an uncommon scenario and relates to TDE off-boarding. The following describes how a user could get into this flow:

1. An SSO TD user logs into a device via an Admin auth request approval, therefore this device does NOT have a masterKey in memory.
2. The org admin...
   2a. Changes the member decryption options from "Trusted devices" to "Master password" AND
   2b. Turns off the "Require single sign-on authentication" policy
3. On another device, the user clicks "Login with device", which they can do because the org no longer requires SSO.
4. The user approves from the device they had previously logged into with SSO TD, which does NOT have a masterKey in memory (see step 1 above).

standard-flow-2.mov

Standard Auth Request Flow 3

Authed SSO TD user requests approval from device; Approving device has a masterKey in memory.

standard-flow-3.mov

Standard Auth Request Flow 4

Authed SSO TD user requests approval from device; Approving device does NOT have a masterKey in memory.

standard-flow-4.mov

Admin Auth Request Flow 2

Authed SSO TD user requests admin approval.

admin-flow-2.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 1.81818% with 216 lines in your changes missing coverage. Please review.

Project coverage is 33.42%. Comparing base (0308e6e) to head (aea6bb8).

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...a-auth-request/login-via-auth-request.component.ts	0.00%	171 Missing ⚠️
.../services/auth-request/auth-request-api.service.ts	4.00%	24 Missing ⚠️
.../auth/login/login-via-auth-request-v1.component.ts	0.00%	3 Missing ⚠️
.../components/login-via-auth-request-v1.component.ts	0.00%	3 Missing ⚠️
.../auth/popup/login-via-auth-request-v1.component.ts	0.00%	2 Missing ⚠️
.../auth/login/login-via-auth-request-v1.component.ts	0.00%	2 Missing ⚠️
libs/auth/src/angular/icons/devices.icon.ts	0.00%	2 Missing ⚠️
apps/browser/src/popup/app-routing.module.ts	0.00%	1 Missing ⚠️
apps/browser/src/popup/app.module.ts	0.00%	1 Missing ⚠️
apps/desktop/src/app/app-routing.module.ts	0.00%	1 Missing ⚠️
... and 6 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11545      +/-   ##
==========================================
- Coverage   33.48%   33.42%   -0.07%     
==========================================
  Files        2846     2850       +4     
  Lines       89196    89399     +203     
  Branches    17002    17038      +36     
==========================================
+ Hits        29867    29878      +11     
- Misses      56976    57168     +192     
  Partials     2353     2353              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – e17d1f89-a1a5-44ee-8fdd-07a8acd72089

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Missing_HSTS_Header	/libs/common/src/services/api.service.ts: 228	Attack Vector
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request-v1.component.ts: 61	Attack Vector
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request-v1.component.ts: 53	Attack Vector
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request-v1.component.ts: 61	Attack Vector
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request-v1.component.ts: 53	Attack Vector
	Client_JQuery_Deprecated_Symbols	/apps/cli/src/service-container/service-container.ts: 876	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members.component.html: 55
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members.component.html: 50
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members.component.html: 45
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members.component.html: 50
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 40
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 40
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 35
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health-members-uri.component.html: 45
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health.component.html: 50
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health.component.html: 45
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health.component.html: 40
	Client_Privacy_Violation	/apps/web/src/app/tools/risk-insights/password-health.component.html: 45
	Client_Privacy_Violation	/libs/tools/generator/components/src/username-generator.component.html: 3
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 53
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 61
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 53
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 61

[JaredSnider-Bitwarden]

Excellent work. No major issues - just a few comments below:

[rr-bw]

@JaredSnider-Bitwarden

Am I correct in understanding that "Flow 1" here is not actually a flow? That is, when dealing with an Admin Auth Request, we are always receiving an encrypted UserKey, not a MasterKey, meaning Flow 1 is not truly a flow?

If I am correct, then I would re-write this section as one flow in total, making no mention of having a MasterKey in memory or not. Which would look like:

***********************************
     Admin Auth Request Flows
***********************************

Flow 1: Authed SSO TD user requests admin approval.

    SSO TD user authenticates via SSO > navigates to /login-initiated > clicks "Request admin approval"
      > navigates to /admin-approval-requested which creates an AdminAuthRequest
        > receives approval from device with authRequestPublicKey(userKey) > decrypts userKey
          > establishes trust (if required) > proceeds to vault

[rr-bw]

@JaredSnider-Bitwarden

Instead of checking the State to determine the codepath, as we did in the legacy component, I'm using the AuthStatus as this allows me to consolidate two things:

1. Getting the auth request from the server using the correct authenticated/unauthenticated endpoint.
   • Note that this now means Standard Flows 3-4, which are both authed, will now grab the auth request from getAuthRequest() (authed endpoint) instead of from getAuthResponse() (unauthed endpoint). Those flows were previously using the unauthed endpoint because even though they are authed flows, the case State.StandardAuthRequest sent them to the unauthed endpoint.
2. Handling the actual flow with a method name that distinguishes authenticated vs unauthenticated flows.