[PM-26810] Add OTP support to VerifyPasswordScreen #6034

SaintPatrck · 2025-10-15T16:30:11Z

🎟️ Tracking

PM-26810

📔 Objective

This commit introduces support for One-Time Passcode (OTP) verification on the "Verify Password" screen, in addition to the existing master password verification. This is primarily for TDE users who do not have a master password set on their account.

The behavioral changes are as follows:

If a user does not have a master password, they will be prompted to enter a 6-digit OTP code that is automatically sent to their email address.
The UI displays a "Resend code" button for the OTP flow.
The primary action button label has been changed from "Unlock" to "Continue" to accommodate both verification flows.

Specific changes include:

ViewModel:
- VerifyPasswordViewModel now checks if the active account has a master password.
- If no master password exists, it automatically requests an OTP and updates the UI to reflect the OTP verification flow.
- New actions (ResendCodeClick, SendOtpCodeResultReceive, VerifyOtpResultReceive) and events (ShowSnackbar) have been added to handle the OTP logic.
- The UnlockClick action has been renamed to ContinueClick.
- The state has been updated to include a title, subtext, and showResendCodeButton to dynamically adjust the screen content.
UI (Screen & Composables):
- VerifyPasswordScreen.kt and its content composable have been updated to conditionally display either the master password field or the OTP code field based on the view model's state.
- A "Resend code" button is now shown for the OTP flow.
- The main button is now labeled "Continue" and triggers the ContinueClick action.
- A snackbar is now used to show feedback, for instance when an OTP code has been resent.
Strings:
- New string resources have been added for the OTP verification flow, such as "Verify your account email address".
Tests:
- VerifyPasswordViewModelTest and VerifyPasswordScreenTest have been extensively updated to cover the new OTP verification logic, state changes, and UI interactions. Existing tests were refactored to align with the new logic.

📸 Screenshots

Master Password verification

Before	After

OTP Verification

Before	After
N/A

⏰ Reminders before review

Contributor guidelines followed
All formatters and local linters executed and passed
Written new unit and / or integration tests where applicable
Protected functional changes with optionality (feature flags)
Used internationalization (i18n) for all UI strings
CI builds passed
Communicated to DevOps any deployment requirements
Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

👍 (:+1:) or similar for great changes
📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
❓ (:question:) for questions
🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
🎨 (:art:) for suggestions / improvements
❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
⛏ (:pick:) for minor or nitpick changes

github-actions · 2025-10-15T16:38:19Z

Checkmarx One – Scan Summary & Details – f033ca5c-d54d-46b5-8dd1-ac2d2d263661

New Issues (1)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Privacy_Violation	/app/src/test/kotlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModelTest.kt: 459	details Method Lambda at line 459 of /app/src/test/kotlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModelTest.kt s... `ID: AVEwUKuxGeDQZWImpReErpMLex8%3D` Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Privacy_Violation~~	/app/src/test/kotlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModelTest.kt: 303

...m/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModelTest.kt

codecov · 2025-10-15T17:00:54Z

Codecov Report

❌ Patch coverage is 86.44068% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.81%. Comparing base (f7cbcd2) to head (8d3011a).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
...exportitems/verifypassword/VerifyPasswordScreen.kt	75.55%	22 Missing ⚠️
...ortitems/verifypassword/VerifyPasswordViewModel.kt	97.53%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6034      +/-   ##
==========================================
+ Coverage   84.72%   84.81%   +0.09%     
==========================================
  Files         722      720       -2     
  Lines       54717    54776      +59     
  Branches     7583     7606      +23     
==========================================
+ Hits        46358    46458     +100     
+ Misses       5706     5657      -49     
- Partials     2653     2661       +8

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

...bit/bitwarden/ui/vault/feature/exportitems/verifypassword/handlers/VerifyPasswordHandlers.kt

...tlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordScreen.kt

...n/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModel.kt

david-livefront · 2025-10-15T18:19:33Z

...n/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModel.kt

+        }
+        val message = when (val result = action.result) {
+            is RequestOtpResult.Error -> {
+                result.message?.asText() ?: BitwardenString.generic_error_message.asText()


Usually we display a dialog for errors and snackbars for success, right?

True. Nice catch. Thanks!

...n/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModel.kt

david-livefront · 2025-10-16T18:00:19Z

...tlin/com/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordScreen.kt

+        Spacer(
+            Modifier
+                .height(12.dp)
+                .navigationBarsPadding(),


Does this work? Will the height parameter override the padding?

Unless I misunderstand, chaining modifiers is cumulative. Not to mention, these modifiers do different things. height literally sets the height of the Spacer while navigationBarsPadding() adds additional padding below the spacer, if needed. I'm not seeing any visual difference when this is used versus two separate spacers.

Setting the height, will not allow the padding to exceed the value set. so you end up with a total of 16pd of space, instead of 16 + padding.

You can see the difference here:

It's way more obvious on that screen than the VaultScreens. 🤦

Thanks for explaining. I'll keep that in mind. 👍

This commit introduces support for One-Time Passcode (OTP) verification on the "Verify Password" screen, in addition to the existing master password verification. This is primarily for TDE users who do not have a master password set on their account. The behavioral changes are as follows: * If a user does not have a master password, they will be prompted to enter a 6-digit OTP code that is automatically sent to their email address. * The UI displays a "Resend code" button for the OTP flow. * The primary action button label has been changed from "Unlock" to "Continue" to accommodate both verification flows. Specific changes include: * **ViewModel:** * `VerifyPasswordViewModel` now checks if the active account has a master password. * If no master password exists, it automatically requests an OTP and updates the UI to reflect the OTP verification flow. * New actions (`ResendCodeClick`, `SendOtpCodeResultReceive`, `VerifyOtpResultReceive`) and events (`ShowSnackbar`) have been added to handle the OTP logic. * The `UnlockClick` action has been renamed to `ContinueClick`. * The state has been updated to include a `title`, `subtext`, and `showResendCodeButton` to dynamically adjust the screen content. * **UI (Screen & Composables):** * `VerifyPasswordScreen.kt` and its content composable have been updated to conditionally display either the master password field or the OTP code field based on the view model's state. * A "Resend code" button is now shown for the OTP flow. * The main button is now labeled "Continue" and triggers the `ContinueClick` action. * A snackbar is now used to show feedback, for instance when an OTP code has been resent. * **Strings:** * New string resources have been added for the OTP verification flow, such as "Verify your account email address". * **Tests:** * `VerifyPasswordViewModelTest` and `VerifyPasswordScreenTest` have been extensively updated to cover the new OTP verification logic, state changes, and UI interactions. Existing tests were refactored to align with the new logic.

github-advanced-security bot found potential problems Oct 15, 2025

View reviewed changes

...m/x8bit/bitwarden/ui/vault/feature/exportitems/verifypassword/VerifyPasswordViewModelTest.kt Dismissed Show dismissed Hide dismissed

SaintPatrck marked this pull request as ready for review October 15, 2025 17:38

SaintPatrck requested review from a team, brian-livefront and david-livefront as code owners October 15, 2025 17:38

SaintPatrck enabled auto-merge October 15, 2025 17:54