Auth/PM-5263 - TokenService State Provider Migration #7975
Conversation
…itions setup (2) Ported over core state service getTimeoutBasedStorageOptions method logic into local determineStorageLocation method (3) Updated majority of methods to use state provider state
…other state methods after migration code complete.
…ve user id as it wasn't used and it simplifies the new state provider implementation (2) Convert away from state svc to state provider state.
No New Or Fixed Issues Found |
…Svc and TokenService: (1) For writes, require callers to pass in vault timeout data (2) For reads, we can just check both locations. This approach has 1 less state call than the previous implementation and is safe as long as the clear logic properly works and is executed anytime a user changes their vault timeout action (lock or log out) & vault timeout (numeric value)
…clude vault timeout info.
…meout details and pass to token service when setting token info.
…rvice-state-provider-migration + state definitions merge conflict
…ate service use case.
…sages of getAccessToken. WIP
…required by state service (2) TokenSvc - Update getToken to take an optional userId to handle another state service case (3) Add some documentation to TokenSvc abstraction.
…ervice which accessed token service state directly with calls to the new token service methods instead.
…action and vault timeout from state service in order to pass to new token service endpoints for setting API key client id and secret.
… remove account scaffold logic for clearing removed account data. The same functionality will exist in the state provider framework via lifecycle hooks cleaning up this data and users getting initialized with null data by default.
…p deps not working)
…that I missed initially to get browser building.
…/setAccessToken/decodeAccessToken
…ct type to match actual account
…Token, and clearRefreshToken based on PR feedback to remove optional user ids where possible and improve public interface (2) TokenSvc Abstraction - update docs and abstractions based on removed user ids and changed logic (3) TokenSvc tests - update tests to add new test cases, remove no longer relevant ones, and update test names.
…rvice-state-provider-migration + migrate.ts merge conflicts
Great work!
Providing an approval with some comments, let me know if you need a re-review.
…rvice-state-provider-migration + main.ts merge conflict resolution.
5dec551
…rvice-state-provider-migration + merge conflict resolution in migrate.ts
6ba04e0
…rvice-state-provider-migration + migrate merge conflict resolution
Per discussion with Auth team, we will be QA'ing this in |
Type of change
Objective
Resolve PM-5263 by migrating all TokenService owned data to the StateProvider framework while adding tests and refactoring as necessary.
Resolve PM-3566 by storing the access token and refresh token in secure storage for clients that support it instead of disk.
Resolve PM-6212 by migrating away from a single global state entry for 2FA tokens for n users to a global Record<email, TwoFactorTokens>
Code changes
State Provider Implementation
KeyDefinitions for TokenService state
EMAIL_TWO_FACTOR_TOKEN_RECORD_DISK_LOCAL and how the new implementation for 2FA tokens differs from the old implementation. We now have a global record which maps user emails to their respective 2FA tokens. This is a large improvement over the existing implementation which only has a single global entry for 2FA token and no corresponding user information associated with it. This will resolve issues with incorrect 2FA tokens being submitted when there are multiple users on the same computer (rare, but possible w/ the current implementation)
KeyDefinition works
TokenService to implement all get/sets/clears for access token, refresh token, 2FA token, API key client id, API key client secret
VaultTimeoutAction and VaultTimeout data for set logic to avoid circular dependency issues with the VaultTimeoutSettingsService. We plan on re-evaluating this approach once the VaultTimeoutSettingService is migrated to StateProvider in Auth/PM-5501 - VaultTimeoutSettingsService State Provider Migration #7925 (it's blocked by this work). We are considering sharing KeyDefinitions between the two services so that the methods can just directly access the VaultTimeoutAction and VaultTimeout from StateProvider directly as the intermediary service.
DecodedAccessToken custom type so we can have typing on our Bitwarden Access Token
ActiveStateProvider due to circular dependency issues. We got around that by using the GlobalStateProvider and sharing the ACCOUNT_ACTIVE_ACCOUNT_ID KeyDefinition.
clearTokens(...) to leverage new, single responsibility clear methods for each piece of state that we needed to clear
TokenService.decodeToken method into auth owned, generic utility func decodeJwtTokenToJson as we needed the ability to decode non-Bitwarden owned access tokens in the libs/importer/src/importers/lastpass/access/vault.ts logic.
TokenService
Account
TokenService
getTimeoutBasedStorageOptions
TokenService to support methods that still require access token state.
StateService
TokenService method calls
TokenService setTokens
TokenService implementation into account.
Dependency Updates
TokenService to web
StateService
PlatformUtilsService into the TokenService which creates a circular dependency issue on desktop specifically.
SUPPORTS_SECURE_STORAGE injection token and let it use the platformUtilsService.supportsSecureStorage() method generally to get its value.
TokenService deps - Adding StateProvider + SecureStorageService + SUPPORTS_SECURE_STORAGE injection token
ApiService deps - Adding StateService
StateService deps - Adding TokenService
TokenService required PlatformUtilsService to be implemented first
StateService into ApiService
platformUtilsServiceOptions because StateService now requires TokenService which requires platformUtilsServiceOptions in order to know how to create it.
stateServiceFactory
tokenServiceFactory
TokenService to BrowserStateService
TokenService to BrowserStateService tests
getBgService<TokenService> logic as no longer required due to StateProvider implementation
TokenService instantiation with new deps and place before StateService
StateService to ApiService
StateService to NodeApiService
Extracted decodeJwtTokenToJson(...) Utility Function from TokenService
auth/common imports
SUPPORTS_SECURE_STORAGE injection token by referencing new constant ELECTRON_SUPPORTS_SECURE_STORAGE defined in the ElectronPlatformUtilsService
TokenService into ElectronStateService
singleUserStateProvider and activeUserStateProvider out into constants similar to globalStateProvider
TokenService with proper dependencies for desktop
ELECTRON_SUPPORTS_SECURE_STORAGE
State Migrations
2FA Token Changes to support new state structure of Record<email, TwoFactorToken>
SSO_EMAIL to persist user entered email through SSO process on all clients + fix class not implementing its abstraction.
getSsoEmail and setSsoEmail methods
SsoLoginService and pass into base
tokenService.getTwoFactorToken(email) method now requires email so we must get email as a new param to buildTwoFactor(...) in order to check if they have a saved 2FA token.
SsoLoginCredentials
SsoLoginCredentials
AuthRequestLoginStrategy to pass email into base login strategy for use with looking up 2FA Token.
PasswordLoginStrategy to pass email into base login strategy for use with looking up 2FA Token.
SsoLoginStrategy to pass email into base login strategy for use with looking up 2FA Token.
LastPass Importer Updates
TokenService.decodeToken and replace with decodeJwtTokenToJson utility function; remove TokenService from Vault.ts
TokenService dependency from LastPassDirectImportService as it is no longer required - only Vault.ts used it.
Screenshots
Web
MP Login works
PM-5263.-.TokenSvc.State.Provider.Migration.-.Web.Login.works.mov
MP Login - Remember 2FA Token works
PM-5263.-.Web.-.Standard.Login.-.Remember.2FA.Token.Works.mov
Login with Device - Remember 2FA Token works
PM-5263.-.Web.-.Login.with.Device.-.Remember.2FA.Token.Works.mov
SSO Login - Remember 2FA Token works
PM-5263.-.Web.-.SSO.Login.-.Remember.2FA.Token.Works.mov
Browser Extension
MP Login works
PM-5263.-.TokenSvc.State.Provider.Migration.-.Browser.Extension.Login.works.mov
MP Login - Remember 2FA Token works
PM-5263.-.Browser.Extension.-.MP.Login.-.Remember.2FA.Token.Works.mov
Login with Device - Remember 2FA Token works
PM-5263.-.Browser.Extension.-.Login.with.device.-.Remember.2FA.Token.Works.mov
SSO Login - Remember 2FA Token works
PM-5263.-.Browser.Extension.-.SSO.Login.-.Remember.2FA.Token.Works.mov
Desktop
MP Login works
PM-5263.-.TokenSvc.State.Provider.Migration.-.Desktop.Login.works.mov
MP Login - Remember 2FA Token works
PM-5263.-.Desktop.-.MP.Login.-.Remember.2FA.Token.Works.mov
SSO Login - Remember 2FA Token works
PM-5263.-.Desktop.-.SSO.Login.-.Remember.2FA.Token.Works.mov
CLI
MP Login works
Before you submit
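The PR description above explains three design points: tokens go to secure storage on clients that support it (otherwise memory or disk depending on vault timeout settings), remembered 2FA tokens live in one global record keyed by email instead of a single shared slot, and JWT decoding was extracted into a generic decodeJwtTokenToJson utility. The TypeScript below is an added example written for this page; it is not code from the bitwarden/clients repository or from this PR. The StorageLocation and VaultTimeoutAction types, the exact storage-selection rule in determineStorageLocation, the TwoFactorTokenRecord class, the ASCII-only base64url helpers and buildSampleJwt are all assumptions made to keep the example self-contained.

```typescript
// Added example, not code from the bitwarden/clients PR. It models three ideas
// from the PR description with simplified, hypothetical types.

type StorageLocation = "secureStorage" | "memory" | "disk";
type VaultTimeoutAction = "lock" | "logOut";

// Assumed rule (a simplification, not the PR's exact logic): prefer the platform's
// secure storage when the client supports it; otherwise a "log out on timeout"
// configuration keeps the token only in memory so it cannot outlive the session,
// and every other case falls back to disk.
function determineStorageLocation(
  supportsSecureStorage: boolean,
  vaultTimeoutAction: VaultTimeoutAction,
  vaultTimeout: number | null,
): StorageLocation {
  if (supportsSecureStorage) return "secureStorage";
  if (vaultTimeoutAction === "logOut" && vaultTimeout !== null) return "memory";
  return "disk";
}

// One global record mapping email -> remembered 2FA token, so two users on the
// same machine are never handed each other's token (hypothetical class).
class TwoFactorTokenRecord {
  private readonly tokens: Record<string, string> = {};
  set(email: string, token: string): void {
    this.tokens[email] = token;
  }
  get(email: string): string | undefined {
    return this.tokens[email];
  }
  clear(email: string): void {
    delete this.tokens[email];
  }
}

// Minimal base64url codec for ASCII payloads (avoids Buffer/atob so it runs
// anywhere). Unpadded, as JWT segments are; a "=" is rejected as invalid.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlEncodeAscii(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const b0 = s.charCodeAt(i);
    const b1 = i + 1 < s.length ? s.charCodeAt(i + 1) : -1;
    const b2 = i + 2 < s.length ? s.charCodeAt(i + 2) : -1;
    out += B64URL[b0 >> 2];
    out += B64URL[((b0 & 3) << 4) | (b1 < 0 ? 0 : b1 >> 4)];
    if (b1 >= 0) out += B64URL[((b1 & 15) << 2) | (b2 < 0 ? 0 : b2 >> 6)];
    if (b2 >= 0) out += B64URL[b2 & 63];
  }
  return out;
}

function base64UrlDecodeAscii(s: string): string {
  let out = "";
  let acc = 0; // bit accumulator, never holds more than 13 bits
  let bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error(`invalid base64url character: ${s[i]}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

// Typed view of the claims of interest; other claims stay reachable.
interface DecodedAccessToken {
  sub?: string;
  email?: string;
  exp?: number;
  [claim: string]: unknown;
}

// Decodes the payload segment only. It does NOT verify the signature, so the
// result is untrusted until the token has been validated by the server or a
// verifying library; use it for display and routing decisions, not authorization.
function decodeJwtTokenToJson(jwt: string): DecodedAccessToken {
  const parts = jwt.split(".");
  if (parts.length !== 3) {
    throw new Error("JWT must have exactly three dot-separated segments");
  }
  return JSON.parse(base64UrlDecodeAscii(parts[1])) as DecodedAccessToken;
}

// Constructed sample token with a placeholder signature segment (not a real token).
function buildSampleJwt(): string {
  const header = JSON.stringify({ alg: "RS256", typ: "JWT" });
  const payload = JSON.stringify({ sub: "user-1", email: "alice@example.com", exp: 1700000000 });
  return `${base64UrlEncodeAscii(header)}.${base64UrlEncodeAscii(payload)}.sig-placeholder`;
}
```

The storage rule is the part worth reviewing on any client: secure storage (OS keychain) wins whenever available, and the in-memory branch exists so a "log out on timeout" configuration does not leave a usable token on disk after the session should have ended. The decoder deliberately stops at parsing; anything that reads claims this way must treat them as unverified input.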