-
Notifications
You must be signed in to change notification settings - Fork 137
[PS-74] Fix user authentication state checks #721
Conversation
Another option is to have a |
I think this may be worth doing. |
Just FYI: https://github.com/bitwarden/jslib/blob/master/common/src/enums/authenticationStatus.ts |
Thanks both! I'll do this. |
Further additional changes after the feedback above:
Related desktop PR: bitwarden/desktop#1464 Overall this still isn't perfect, it makes the checks more verbose in some places and less verbose in others, but on balance I still think it's an improvement and should hopefully avoid this regression popping up again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@eliykat The code changes look fine, besides the things I commented on and some general questions/concerns
The heavy use of authStatus, does change the amount of work to be done in some parts.
For example authStatus()
not only replaces stateService.getIsAuthenticated()
but also vaultTimeoutService.isLocked()
. Which means when a user is logged in, we always check for the lock state of the vault, even if the calling code only wants to know if a user is authed.
The same goes for vaultTimeoutService.isLocked()
, which now always checks if the user is authed, which I guess is generally a good thing, just means as that method gets called often, it also does more than before.
In the first case it might be better to offer a authService.sAuthed()
instead of authService.getAuthStatus()
which also checks additional state.
common/src/services/auth.service.ts
Outdated
@@ -157,6 +159,31 @@ export class AuthService implements AuthServiceAbstraction { | |||
return this.logInStrategy instanceof PasswordLogInStrategy; | |||
} | |||
|
|||
async authStatus(userId?: string): Promise<AuthenticationStatus> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this a method and not a property/field of a class, I'd prefer having a name indicating what it's doing. getAuthState
/retrieveAuthState
Similiar to the 'authing'-methods above. As they are returning booleans, they should maybe be renamed to isAuthingWithPassword
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed to getAuthState
.
I think the 'authing' methods are clear enough, I don't really want to mess with them in this PR.
You raise some good points about performance. It's okay that we check whether the user is authenticated when getting lock status - that's required to get an accurate answer. But I agree that the reverse (checking lock status when asking if the user is authenticated) is unnecessary. How about we just leave all the
Using the new method felt a bit cumbersome in some places, that might be a better balance. |
That sounds like a good approach to go forward with. |
These changes have been made. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@eliykat Sorry for the delay on this. This is looking good now.
Had to resolve conflicts @djsmith85 |
* Remove keytar and biometric logic (#706) * [bug] CL - fix default button display and callout header class (#756) * [EC-142] Fix error during import of 1pux containing new email field format (#758) * Add support for complex email field type * Ensure complex email field type gets imported on identities * Update introduction for CL (#729) * Add jsdoc comments for user verification, password reprompt, and appApiAction (#754) * Rename and add comments to clarify password reprompt classes * Add comment for appApiAction * copy default options (#764) * Update jest configs to remove roots (#766) * Remove support for alreadyEncrypted (#762) * Add tests for domain models (#768) * Fix language always defaulting to english (#765) * Rename Export DTOs (#763) * [BEEEP] Allow linking to ciphers (#760) * Remove userId from data models (#771) * Add reorganization notice (#776) * Add reorganization notice * [BEEEP] Add banner component (#759) * [EC-159] [BEEEP] Remove factory providers in Angular DI (#775) * Forwarded email alias generation (#772) * generate forwarded alias with SL and AD * added forwarded email to type list * add ApiService dep * ApiServiceAbstraction * use proper status codes * only generate on button press * reset username to `-` * reset username when forwarded * Authorization header for anonaddy * use proper anonaddy json path * firefox relay support * update description for firefox * log username generation errors * PS-302 Added DeviceId to the 2FA email request and set it when calling the endpoint that's needed to see if it's a 2FA email because of a new device (#782) * [EC-154] [BEEEP] Add token for localesDirectory (#783) * Add token for localesDirectory * Add token for SYSTEM_LANGUAGE * [PS-74] Fix user authentication state checks (#721) * Create authService.authStatus, refactor isLocked checks * Rename authStatus -> getAuthStatus * [CP-30] Added creditCardNumber pipe for viewing saved card numbers properly (#590) Co-authored-by: Hinton <oscar@oscarhinton.com> * Fix linting (#789) * fix default forwardedService property name (#788) * Stop clearing list on every reload (#784) * [EC-151] Hide Subscription/Billing information for Provider-managed organizations (#777) * add canManageBilling permission and hasProvider helper method * [feat] End User Vault Refresh (#790) * Move access logic to org model (#713) * [feature] Allow for top level groupings to be collapsed (#712) * [End User Vault Refresh] Refactor route permission checking (#727) * Update admin access logic * Centralize route permission handling * Add permission check for disabled orgs * [EndUserVaultRefresh] Add base routing guard (#732) * Add a base class for Angular routing guards * Update Guard naming convention * Bump node-forge to 1.2.1 (#722) * Remove Internet Explorer logic (#723) * Username generator (#734) * add support for username generation * remove unused Router * pr feedback * Bump electron and related dependencies (#736) * PS-91 make isMacAppStore return true/false (#735) * return false if undefined from isMacAppStore * PS-91 use strict equality instead of null coalescing Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> * [bug] Fix Safari CSV importer for URL and Notes (#730) * Fix import path for safari importer (#740) * Force updates to be silent (#739) * support for username gen website setting (#738) * Fix jslibModule forms (#742) * Add DatePipe provider to JslibModule (#741) * Feature/move to jest (#744) * Switch to jest * Fix jslib-angular package name * Make angular test project * Split up tests by jslib project * Remove obsolete node test script * Use legacy deps with jest-preset-angular * Move web tests to common * Remove build from pipeline This was only being used because we were not using ts runners. We are now, so build is unnecessary * Remove the VerifyMasterPasswordComponent from jslib module (#747) * Add ellipsis pipe to jslib module (#746) * add ellipsis pipe to jslib module * Add ellipsis pipe to exports * Add ColorPasswordCountPipe to JslibModule (#751) * Generator cleanup (#753) * type is null by default * rename generator component * remove showWebsiteOption * shorthand if check * EC-134 Fix api token refresh (#749) * Fix apikey token refresh * Refactor: use class for TokenRequestTwoFactor * Remove keytar and biometric logic (#706) * [bug] CL - fix default button display and callout header class (#756) * [EC-142] Fix error during import of 1pux containing new email field format (#758) * Add support for complex email field type * Ensure complex email field type gets imported on identities * [euvr] Separate Billing Payment/History APIs (#750) * [euvr] Separate Billing Payment/History APIs * Updated to new accounts billing API * Removed getUserBilling as it will become obsolete once merged * [end user vault refresh] Base Changes For Vault Filters (#737) * [dependency] Update icons * Avoid duplicate fullSync api calls (#716) * Tweak component library slightly (#715) * Check runtime name vs mangled name (#724) * Add Chromatic (#719) * Update SECURITY.md (#725) * Update SECURITY.md Add link to our HackerOne program for submitting potential security issues. * Revise language on SECURITY.md * Remove error Response type check (#731) * Remove error Response type check Minimization is impacting type checking in a non-consistent way. The previous type check works locally, but not from build artifacts 🤷. We only set `captchaRequired` on our errors when we want a resubmit with captcha included, so we're safe keying off that * linter * [JslibModule] Add JslibModule (#733) * Add ellipsis pipe (#728) * add ellipsis pipe * run prettier * Account for ellipsis length in returned string * Fix complete words case * Fix another complete words issue * fix for if there are not spaces in long value * extract length check to beginning of method * condense if statements * remove log * [refactor] Add optional folders param to folderService.getAllNested() This will be used later for use cases where the vault filters service needs to build a list of nested folders that have been filtered by organization * [feature] Add organization filters This is an MVP implementation of the changes needed for the vault refresh. This includes collapsable top level groupings, and organization based filters that dynamically adjust folders and collections. * [refactor] Break down vault filter into several components These changes rename and rewrite the GroupingsComponent into a VaultFiltersModule. The module follows typical angular patterns for structure and purpose, and contain components for each filter type. The mostly communicate via Input and Output, and depend on a VaultFilterService for sending and recieving data from other parts of the product. * [bug] Add missing events for folder add/edit * [refactor] Dont directly change activeFilter in VaultFilterComponent * [refactor] Move DisplayMode to a dedicated file Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> * [CL-16 Component Library] Menu Dropdown (#761) * [bug] Add missing null check in vault filters (#769) * [bug] Add @Injectable to VaultFilterService (#781) * [fix] Ran prettier * [fix] Fix merge issue I used createUrlTree when merging guards because I knew that was the angular standard, didn't notice that redirect was a helper method from us * Remove BaseGuard (#791) Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: David Frankel <42774874+frankeld@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com> * [EC-192] Use ts-jest instead of deprecated ts-jest/utils (#792) * [SG-230] “All Items” and “Trash” missing from Organization Vault (#795) Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: Anthony Garera <gareraanthony@gmail.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Addison Beck <addisonbeck1@gmail.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: David Frankel <42774874+frankeld@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com>
* Billing Sync Api Keys / Free Bitwarden Families Page updates (#767) * Work on billing sync api key maintenance * Add sync status call * Work on sync status copy * Return actual model * Update api calls/models * Fix linting * Run linting * Add in notAllowedValueAsync.validator.ts (#774) * Add in notAllowedValueAsync.validator.ts * Fix lint error * Run prettier * [PS-248] Feature/manage billing sync connection (#770) * Define org connection request and responses * Add organization connection API CRUD * Linter fixes * Handle create vs update in component * PR feedback * Remove unused import * Linter fixes * Use self hosted endpoints for f4e (#779) * Use self hosted endpoints for f4e * Call the method * Chore/merge/self hosted families for enterprise (#778) * Remove keytar and biometric logic (#706) * [bug] CL - fix default button display and callout header class (#756) * [EC-142] Fix error during import of 1pux containing new email field format (#758) * Add support for complex email field type * Ensure complex email field type gets imported on identities * Update introduction for CL (#729) * Add jsdoc comments for user verification, password reprompt, and appApiAction (#754) * Rename and add comments to clarify password reprompt classes * Add comment for appApiAction * copy default options (#764) * Update jest configs to remove roots (#766) * Remove support for alreadyEncrypted (#762) * Add tests for domain models (#768) * Fix language always defaulting to english (#765) * Rename Export DTOs (#763) * [BEEEP] Allow linking to ciphers (#760) * Remove userId from data models (#771) * Add reorganization notice (#776) * Add reorganization notice * [BEEEP] Add banner component (#759) Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> * Chore/merge/self hosted families for enterprise (#796) * Remove keytar and biometric logic (#706) * [bug] CL - fix default button display and callout header class (#756) * [EC-142] Fix error during import of 1pux containing new email field format (#758) * Add support for complex email field type * Ensure complex email field type gets imported on identities * Update introduction for CL (#729) * Add jsdoc comments for user verification, password reprompt, and appApiAction (#754) * Rename and add comments to clarify password reprompt classes * Add comment for appApiAction * copy default options (#764) * Update jest configs to remove roots (#766) * Remove support for alreadyEncrypted (#762) * Add tests for domain models (#768) * Fix language always defaulting to english (#765) * Rename Export DTOs (#763) * [BEEEP] Allow linking to ciphers (#760) * Remove userId from data models (#771) * Add reorganization notice (#776) * Add reorganization notice * [BEEEP] Add banner component (#759) * [EC-159] [BEEEP] Remove factory providers in Angular DI (#775) * Forwarded email alias generation (#772) * generate forwarded alias with SL and AD * added forwarded email to type list * add ApiService dep * ApiServiceAbstraction * use proper status codes * only generate on button press * reset username to `-` * reset username when forwarded * Authorization header for anonaddy * use proper anonaddy json path * firefox relay support * update description for firefox * log username generation errors * PS-302 Added DeviceId to the 2FA email request and set it when calling the endpoint that's needed to see if it's a 2FA email because of a new device (#782) * [EC-154] [BEEEP] Add token for localesDirectory (#783) * Add token for localesDirectory * Add token for SYSTEM_LANGUAGE * [PS-74] Fix user authentication state checks (#721) * Create authService.authStatus, refactor isLocked checks * Rename authStatus -> getAuthStatus * [CP-30] Added creditCardNumber pipe for viewing saved card numbers properly (#590) Co-authored-by: Hinton <oscar@oscarhinton.com> * Fix linting (#789) * fix default forwardedService property name (#788) * Stop clearing list on every reload (#784) * [EC-151] Hide Subscription/Billing information for Provider-managed organizations (#777) * add canManageBilling permission and hasProvider helper method * [feat] End User Vault Refresh (#790) * Move access logic to org model (#713) * [feature] Allow for top level groupings to be collapsed (#712) * [End User Vault Refresh] Refactor route permission checking (#727) * Update admin access logic * Centralize route permission handling * Add permission check for disabled orgs * [EndUserVaultRefresh] Add base routing guard (#732) * Add a base class for Angular routing guards * Update Guard naming convention * Bump node-forge to 1.2.1 (#722) * Remove Internet Explorer logic (#723) * Username generator (#734) * add support for username generation * remove unused Router * pr feedback * Bump electron and related dependencies (#736) * PS-91 make isMacAppStore return true/false (#735) * return false if undefined from isMacAppStore * PS-91 use strict equality instead of null coalescing Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> * [bug] Fix Safari CSV importer for URL and Notes (#730) * Fix import path for safari importer (#740) * Force updates to be silent (#739) * support for username gen website setting (#738) * Fix jslibModule forms (#742) * Add DatePipe provider to JslibModule (#741) * Feature/move to jest (#744) * Switch to jest * Fix jslib-angular package name * Make angular test project * Split up tests by jslib project * Remove obsolete node test script * Use legacy deps with jest-preset-angular * Move web tests to common * Remove build from pipeline This was only being used because we were not using ts runners. We are now, so build is unnecessary * Remove the VerifyMasterPasswordComponent from jslib module (#747) * Add ellipsis pipe to jslib module (#746) * add ellipsis pipe to jslib module * Add ellipsis pipe to exports * Add ColorPasswordCountPipe to JslibModule (#751) * Generator cleanup (#753) * type is null by default * rename generator component * remove showWebsiteOption * shorthand if check * EC-134 Fix api token refresh (#749) * Fix apikey token refresh * Refactor: use class for TokenRequestTwoFactor * Remove keytar and biometric logic (#706) * [bug] CL - fix default button display and callout header class (#756) * [EC-142] Fix error during import of 1pux containing new email field format (#758) * Add support for complex email field type * Ensure complex email field type gets imported on identities * [euvr] Separate Billing Payment/History APIs (#750) * [euvr] Separate Billing Payment/History APIs * Updated to new accounts billing API * Removed getUserBilling as it will become obsolete once merged * [end user vault refresh] Base Changes For Vault Filters (#737) * [dependency] Update icons * Avoid duplicate fullSync api calls (#716) * Tweak component library slightly (#715) * Check runtime name vs mangled name (#724) * Add Chromatic (#719) * Update SECURITY.md (#725) * Update SECURITY.md Add link to our HackerOne program for submitting potential security issues. * Revise language on SECURITY.md * Remove error Response type check (#731) * Remove error Response type check Minimization is impacting type checking in a non-consistent way. The previous type check works locally, but not from build artifacts 🤷. We only set `captchaRequired` on our errors when we want a resubmit with captcha included, so we're safe keying off that * linter * [JslibModule] Add JslibModule (#733) * Add ellipsis pipe (#728) * add ellipsis pipe * run prettier * Account for ellipsis length in returned string * Fix complete words case * Fix another complete words issue * fix for if there are not spaces in long value * extract length check to beginning of method * condense if statements * remove log * [refactor] Add optional folders param to folderService.getAllNested() This will be used later for use cases where the vault filters service needs to build a list of nested folders that have been filtered by organization * [feature] Add organization filters This is an MVP implementation of the changes needed for the vault refresh. This includes collapsable top level groupings, and organization based filters that dynamically adjust folders and collections. * [refactor] Break down vault filter into several components These changes rename and rewrite the GroupingsComponent into a VaultFiltersModule. The module follows typical angular patterns for structure and purpose, and contain components for each filter type. The mostly communicate via Input and Output, and depend on a VaultFilterService for sending and recieving data from other parts of the product. * [bug] Add missing events for folder add/edit * [refactor] Dont directly change activeFilter in VaultFilterComponent * [refactor] Move DisplayMode to a dedicated file Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> * [CL-16 Component Library] Menu Dropdown (#761) * [bug] Add missing null check in vault filters (#769) * [bug] Add @Injectable to VaultFilterService (#781) * [fix] Ran prettier * [fix] Fix merge issue I used createUrlTree when merging guards because I knew that was the angular standard, didn't notice that redirect was a helper method from us * Remove BaseGuard (#791) Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: David Frankel <42774874+frankeld@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com> * [EC-192] Use ts-jest instead of deprecated ts-jest/utils (#792) * [SG-230] “All Items” and “Trash” missing from Organization Vault (#795) Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: Anthony Garera <gareraanthony@gmail.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Addison Beck <addisonbeck1@gmail.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: David Frankel <42774874+frankeld@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com> Co-authored-by: Justin Baur <admin@justinbaur.com> Co-authored-by: Justin Baur <136baur@gmail.com> Co-authored-by: Oscar Hinton <oscar@oscarhinton.com> Co-authored-by: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Co-authored-by: Daniel James Smith <djsmith85@users.noreply.github.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com> Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: Anthony Garera <gareraanthony@gmail.com> Co-authored-by: Jake Fink <jfink@bitwarden.com> Co-authored-by: Addison Beck <addisonbeck1@gmail.com> Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: David Frankel <42774874+frankeld@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com> Co-authored-by: Vincent Salucci <vincesalucci21@gmail.com>
Type of change
Objective
Fix #1557
Fix
LockGuardService
allowing access to the lock page when the user is actually logged out:Steps to reproduce: navigate to
<vault URL>/#/lock
when logged out.Code changes
Currently,
vaultTimeoutService.isLocked()
returns true if the user is logged out OR if the vault is locked, and it's the caller's responsibility to check both those states in the correct order. That is, you have to doawait stateService.getIsAuthenticated() && await vaultTimeoutService.isLocked()
to know if the vault is actually locked.#600 caused this regression by removing the
getIsAuthenticated
check, assuming - reasonably - that it was redundant.Rather than restore the original code in
LockGuardService
, we should makevaultTimeoutService.isLocked()
only return true if the vault is actually locked (and not just logged out).I'll need to do a sweep of each client when updating jslib, to make sure this won't break existing logic anywhere else.
Testing requirements
Confirm bug is fixed.
Before you submit
npm run lint
) (required)