[PM-32401] fix: Prevent TOTP autofill for non-premium accounts

[matt-livefront]

🎟️ Tracking

PM-32401

📔 Objective

This fixes an issue where non-premium accounts were able to use TOTP autofill.

• Adds an authorization check prior to autofilling OTP codes.
• Only creates ASOneTimeCodeCredentialIdentity for the credential identity store if authorized.

[claude]

Claude finished @matt-livefront's task in 1m 35s —— View job

---

Code Review: PM-32401 Prevent TOTP autofill for non-premium accounts

• Gather context and understand changes
• Review authorization logic across all layers
• Review test coverage
• Post review findings

Summary

Overall Assessment: ✅ APPROVE

This PR adds defense-in-depth authorization checks to prevent TOTP autofill for non-premium accounts that lack organizational TOTP access. Changes span three layers: a new centralized isTotpAuthorized(for:) method in TOTPService, filtering of OTP credential identities in CredentialIdentityFactory, and a guard in the credential provision path in AutofillCredentialService. Test coverage addresses all authorization permutations (premium, org-affiliated, unauthorized) across all modified components.

No findings. The authorization logic is consistent across both the identity registration and credential provision layers, premium status is fetched once per batch operation to avoid redundant calls, and the test updates correctly adopt the guard #available pattern for XCTest compatibility.

[github-actions]

Checkmarx One – Scan Summary & Details – 7948b683-d70c-457f-a1d6-4b611f44aa68

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

❌ Patch coverage is 92.00000% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.86%. Comparing base (aa0a9b0) to head (ee9af5d).
⚠️ Report is 11 commits behind head on main.

Files with missing lines	Patch %	Lines
...fill/Services/AutofillCredentialServiceTests.swift	82.19%	13 Missing ⚠️
...fill/Services/CredentialIdentityFactoryTests.swift	95.77%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2467      +/-   ##
==========================================
- Coverage   86.88%   86.86%   -0.02%     
==========================================
  Files        1841     1846       +5     
  Lines      162382   163149     +767     
==========================================
+ Hits       141078   141725     +647     
- Misses      21304    21424     +120     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fedemkr]

Looks good, just one ⛏️

[fedemkr]

🎨 On XCTest the @available is not respected for the test runs (it does on new Swift Testing Framework), so if one runs this on iOS 17 simulator it will try to run the test and it will fail. I'd add a guard at the beginning as with other similar tests like in ASPasskeyCredentialRequestExtensionsTests.

Suggested change

	@available(iOS 18.0, *)
	func test_provideOTPCredential_totpAuthorized() async throws {
	func test_provideOTPCredential_totpAuthorized() async throws {
	guard #available(iOS 18.0, *) else {
	throw XCTSkip("Skipped on iOS < 18.0")
	}

Same applies to other tests here.

[matt-livefront]

Good catch, updated!

[fedemkr]

♻️ Perhaps we could create a tech debt task to update other places where this logic is used like DefaultVaultRepository or DefaultVaultListPreparedDataBuilder. What do you think?

[matt-livefront]

Yep, great idea, I added a ticket: https://bitwarden.atlassian.net/browse/PM-34016.