Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-7879, PM-7635] Add server verification for master password to user verification #9523

Merged
merged 7 commits into from
Jun 14, 2024
Merged

[PM-7879, PM-7635] Add server verification for master password to user verification #9523

merged 7 commits into from
Jun 14, 2024

Conversation

jlf0dev
Copy link
Member

@jlf0dev jlf0dev commented Jun 5, 2024
edited by djsmith85
Loading

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-7879

📔 Objective

Fixes #9016

Adds support for server-side verification of master password to the UserVerificationService. Since this was so similar to the logic on the lock component, I have used it there as well.

I also started tests for our user verification service, there's a lot more to be written but this is a good starting point.

📸 Screenshots

Screen.Recording.2024-06-05.at.4.01.40.PM.mov

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@jlf0dev jlf0dev requested a review from a team as a code owner June 5, 2024 20:04
@github-actions github-actions bot added the needs-qa Marks a PR as requiring QA approval label Jun 5, 2024
@codecov Codecov
Copy link

codecov bot commented Jun 5, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 46.42857% with 30 lines in your changes missing coverage. Please review.

Project coverage is 28.77%. Comparing base (e3b4250) to head (52eb01b).
Report is 17 commits behind head on main.

Files Patch % Lines
apps/cli/src/auth/commands/unlock.command.ts 0.00% 15 Missing ⚠️
libs/angular/src/auth/components/lock.component.ts 0.00% 11 Missing ⚠️
...ces/user-verification/user-verification.service.ts 89.65% 2 Missing and 1 partial ⚠️
...user-verification/user-verification-api.service.ts 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9523      +/-   ##
==========================================
+ Coverage   28.71%   28.77%   +0.05%     
==========================================
  Files        2497     2503       +6     
  Lines       72660    72851     +191     
  Branches    13542    13579      +37     
==========================================
+ Hits        20867    20963      +96     
- Misses      50191    50277      +86     
- Partials     1602     1611       +9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 5, 2024
edited
Loading

Logo
Checkmarx One – Scan Summary & Details8470a1d8-e54c-45da-bc8a-aab38a91a88d

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Client_Privacy_Violation /apps/desktop/src/auth/lock.component.html: [32](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/lock.component.html# L32) Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/lock.component.html: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/auth/lock.component.html# L18) Attack Vector
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: [420](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//.github/workflows/build-browser.yml# L420) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: [379](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//.github/workflows/build-browser.yml# L379) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity Issue Source File / Package
HIGH Client_DOM_Code_Injection /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
HIGH Client_DOM_Code_Injection /apps/browser/src/autofill/services/collect-autofill-content.service.ts: [1072](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/autofill/services/collect-autofill-content.service.ts# L1072)
HIGH Client_DOM_Stored_XSS /apps/web/src/connectors/sso.ts: [33](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L33)
HIGH Client_DOM_XSS /apps/browser/src/auth/scripts/duo.js: [285](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L285)
HIGH Client_DOM_XSS /apps/browser/src/auth/scripts/duo.js: [285](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L285)
HIGH Client_DOM_XSS /apps/desktop/src/auth/scripts/duo.js: [285](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L285)
HIGH Client_DOM_XSS /apps/desktop/src/auth/scripts/duo.js: [285](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L285)
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: [21](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L21)
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: [19](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L19)
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: [15](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L15)
MEDIUM Absolute_Path_Traversal /apps/cli/src/oss-serve-configurator.ts: [310](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/oss-serve-configurator.ts# L310)
MEDIUM Absolute_Path_Traversal /apps/cli/src/oss-serve-configurator.ts: [278](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/oss-serve-configurator.ts# L278)
MEDIUM Absolute_Path_Traversal /apps/cli/src/oss-serve-configurator.ts: [278](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/oss-serve-configurator.ts# L278)
MEDIUM Absolute_Path_Traversal /apps/cli/src/oss-serve-configurator.ts: [310](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/oss-serve-configurator.ts# L310)
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/layouts/product-switcher/product-switcher.component.html: [1](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/layouts/product-switcher/product-switcher.component.html# L1)
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html: [1](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html# L1)
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/password-generator-history.component.html: [11](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/tools/password-generator-history.component.html# L11)
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/password-generator-history.component.html: [11](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/tools/password-generator-history.component.html# L11)
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/password-generator-history.component.html: [11](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/tools/password-generator-history.component.html# L11)
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/password-generator-history.component.html: [11](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/tools/password-generator-history.component.html# L11)
MEDIUM Client_Privacy_Violation /apps/browser/src/background/runtime.background.ts: [323](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/background/runtime.background.ts# L323)
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/reports/pages/breach-report.component.html: [14](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/tools/reports/pages/breach-report.component.html# L14)
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: [12](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/account-switching/account.component.ts# L12)
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: [12](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/account-switching/account.component.ts# L12)
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: [12](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/account-switching/account.component.ts# L12)
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: [26](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/color-password/color-password.component.ts# L26)
MEDIUM Client_Privacy_Violation /bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: [161](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts# L161)
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/lock.component.html: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/auth/lock.component.html# L18)
MEDIUM Client_Privacy_Violation /apps/desktop/src/auth/lock.component.html: [32](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/lock.component.html# L32)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: [534](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/view.component.html# L534)
MEDIUM Client_Privacy_Violation /bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: [161](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts# L161)
MEDIUM Client_Privacy_Violation /apps/web/src/connectors/webauthn-fallback.ts: [116](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/webauthn-fallback.ts# L116)
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: [14](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/color-password/color-password.component.ts# L14)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: [60](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/view.component.html# L60)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: [56](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/view.component.html# L56)
MEDIUM Client_Privacy_Violation /apps/browser/src/tools/popup/generator/password-generator-history.component.html: [26](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/tools/popup/generator/password-generator-history.component.html# L26)
MEDIUM Client_Privacy_Violation /apps/browser/src/vault/popup/components/vault/password-history.component.html: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/vault/popup/components/vault/password-history.component.html# L18)
MEDIUM Client_Privacy_Violation /apps/desktop/src/app/tools/password-generator-history.component.html: [15](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/app/tools/password-generator-history.component.html# L15)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/password-history.component.html: [12](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/password-history.component.html# L12)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: [50](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/view.component.html# L50)
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: [14](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/color-password/color-password.component.ts# L14)
MEDIUM Client_Privacy_Violation /apps/browser/src/tools/popup/generator/password-generator-history.component.html: [26](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/tools/popup/generator/password-generator-history.component.html# L26)
MEDIUM Client_Privacy_Violation /apps/browser/src/vault/popup/components/vault/password-history.component.html: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/vault/popup/components/vault/password-history.component.html# L18)
MEDIUM Client_Privacy_Violation /apps/desktop/src/app/tools/password-generator-history.component.html: [15](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/app/tools/password-generator-history.component.html# L15)
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/password-history.component.html: [12](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/vault/app/vault/password-history.component.html# L12)
MEDIUM Missing_HSTS_Header /apps/cli/src/auth/commands/login.command.ts: [707](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/auth/commands/login.command.ts# L707)
MEDIUM SSRF /libs/importer/src/importers/lastpass/access/services/rest-client.ts: [69](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/importer/src/importers/lastpass/access/services/rest-client.ts# L69)
MEDIUM SSRF /libs/importer/src/importers/lastpass/access/services/rest-client.ts: [69](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/importer/src/importers/lastpass/access/services/rest-client.ts# L69)
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: [413](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//.github/workflows/build-browser.yml# L413)
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: [372](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//.github/workflows/build-browser.yml# L372)
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /apps/desktop/src/app/components/avatar.component.ts: [75](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/app/components/avatar.component.ts# L75)
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/avatar/avatar.component.ts: [80](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/avatar/avatar.component.ts# L80)
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/icon/icon.component.ts: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/icon/icon.component.ts# L18)
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/icon/icon.component.ts: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/components/src/icon/icon.component.ts# L18)
LOW Client_DOM_Open_Redirect /apps/browser/src/platform/popup/layout/popup-header.component.ts: [29](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/platform/popup/layout/popup-header.component.ts# L29)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/accessibility-cookie.component.html: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/accessibility-cookie.component.html# L18)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: [21](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L21)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: [19](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L19)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: [2](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/common.ts# L2)
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: [15](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L15)
LOW Client_DOM_Open_Redirect /apps/browser/src/tools/popup/generator/password-generator-history.component.ts: [18](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/tools/popup/generator/password-generator-history.component.ts# L18)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: [60](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/login/login-via-auth-request.component.ts# L60)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: [60](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/login/login-via-auth-request.component.ts# L60)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/current-account.component.ts: [35](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/account-switching/current-account.component.ts# L35)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: [52](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/login-via-auth-request.component.ts# L52)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: [52](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/login-via-auth-request.component.ts# L52)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: [60](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/login/login-via-auth-request.component.ts# L60)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: [60](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/login/login-via-auth-request.component.ts# L60)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: [52](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/login-via-auth-request.component.ts# L52)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: [52](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/login-via-auth-request.component.ts# L52)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/account.component.ts: [24](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/popup/account-switching/account.component.ts# L24)
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/password-history.component.ts: [21](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/vault/popup/components/vault/password-history.component.ts# L21)
LOW Client_DOM_Open_Redirect /apps/browser/src/billing/popup/settings/premium.component.ts: [27](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/billing/popup/settings/premium.component.ts# L27)
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/attachments.component.ts: [32](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/vault/popup/components/vault/attachments.component.ts# L32)
LOW Client_DOM_Open_Redirect /libs/common/src/auth/iframe-component.ts: [49](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/common/src/auth/iframe-component.ts# L49)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /libs/common/src/auth/webauthn-iframe.ts: [25](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/common/src/auth/webauthn-iframe.ts# L25)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /libs/common/src/auth/webauthn-iframe.ts: [25](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/common/src/auth/webauthn-iframe.ts# L25)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: [277](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/auth/scripts/duo.js# L277)
LOW Client_Hardcoded_Domain /libs/common/src/billing/services/payment-processors/stripe.service.ts: [23](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/common/src/billing/services/payment-processors/stripe.service.ts# L23)
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: [68](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/billing/shared/payment.component.ts# L68)
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: [68](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/billing/shared/payment.component.ts# L68)
LOW Client_Hardcoded_Domain /apps/web/src/connectors/captcha.ts: [57](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/captcha.ts# L57)
LOW Client_JQuery_Deprecated_Symbols /apps/cli/src/base-program.ts: [115](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/base-program.ts# L115)
LOW Client_JQuery_Deprecated_Symbols /apps/cli/src/auth/commands/login.command.ts: [575](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/auth/commands/login.command.ts# L575)
LOW Client_JQuery_Deprecated_Symbols /libs/angular/src/auth/components/update-temp-password.component.ts: [132](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/angular/src/auth/components/update-temp-password.component.ts# L132)
LOW Client_JQuery_Deprecated_Symbols /libs/angular/src/auth/components/change-password.component.ts: [91](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/angular/src/auth/components/change-password.component.ts# L91)
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/content/notification-bar.ts: [868](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/autofill/content/notification-bar.ts# L868)
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/overlay/iframe-content/autofill-overlay-iframe.service.ts: [90](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/browser/src/autofill/overlay/iframe-content/autofill-overlay-iframe.service.ts# L90)
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/web/src/connectors/duo.ts: [8](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/duo.ts# L8)
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/web/src/connectors/duo.ts: [8](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/duo.ts# L8)
LOW Client_Weak_Cryptographic_Hash /libs/common/src/platform/services/web-crypto-function.service.ts: [142](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//libs/common/src/platform/services/web-crypto-function.service.ts# L142)
LOW Client_Weak_Cryptographic_Hash /apps/desktop/src/proxy/ipc.ts: [24](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/desktop/src/proxy/ipc.ts# L24)
LOW Missing_CSP_Header /apps/cli/src/auth/commands/login.command.ts: [707](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/auth/commands/login.command.ts# L707)
LOW Unprotected_Cookie /apps/web/src/app/auth/sso.component.ts: [147](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/auth/sso.component.ts# L147)
LOW Unprotected_Cookie /apps/web/src/app/auth/two-factor.component.ts: [159](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/auth/two-factor.component.ts# L159)
LOW Unprotected_Cookie /apps/web/src/connectors/duo-redirect.ts: [57](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/duo-redirect.ts# L57)
LOW Unprotected_Cookie /apps/web/src/connectors/duo-redirect.ts: [112](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/duo-redirect.ts# L112)
LOW Unprotected_Cookie /apps/web/src/connectors/sso.ts: [33](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/connectors/sso.ts# L33)
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/auth/settings/two-factor-recovery.component.ts: [32](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/web/src/app/auth/settings/two-factor-recovery.component.ts# L32)
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/cli/src/vault/create.command.ts: [70](https://github.com/bitwarden/clients/blob/auth/pm-7879/add-server-verification-for-mp-to-uv//apps/cli/src/vault/create.command.ts# L70)

JaredSnider-Bitwarden
JaredSnider-Bitwarden reviewed Jun 5, 2024
View reviewed changes
Copy link
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really excellent work on this! A few nits and we are good to go!

libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts Show resolved Hide resolved
libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts Outdated Show resolved Hide resolved
libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts Outdated Show resolved Hide resolved
libs/common/src/auth/types/verification.ts Show resolved Hide resolved
libs/common/src/auth/services/user-verification/user-verification.service.spec.ts Outdated Show resolved Hide resolved
@jlf0dev jlf0dev changed the title [PM-7879] Add server verification for master password to user verification [PM-7879, PM-7635] Add server verification for master password to user verification Jun 7, 2024
@jlf0dev jlf0dev enabled auto-merge (squash) June 14, 2024 20:04
@jlf0dev jlf0dev merged commit 1043a58 into main Jun 14, 2024
60 of 62 checks passed
@jlf0dev jlf0dev deleted the auth/pm-7879/add-server-verification-for-mp-to-uv branch June 14, 2024 20:06
@djsmith85 djsmith85 mentioned this pull request Jun 21, 2024
Closed
1 task
This was referenced Jul 28, 2024
Closed
Closed
@stefan0xC stefan0xC mentioned this pull request Aug 30, 2024
Merged
stefan0xC pushed a commit to stefan0xC/bitwarden_clients that referenced this pull request Aug 30, 2024
@jlf0dev @stefan0xC
[PM-7879, PM-7635] Add server verification for master password to use…
6d40dba 
…r verification (bitwarden#9523)

* add MP server verification

* add tests and minor service enhancements

* fix tests

* fix initializations for cli and browser

* fix CLI

* pr feedback
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JaredSnider-Bitwarden JaredSnider-Bitwarden JaredSnider-Bitwarden approved these changes

Assignees
No one assigned
Labels
needs-qa Marks a PR as requiring QA approval
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Web vault backup export isn't working with "Login with Device"
2 participants
@jlf0dev @JaredSnider-Bitwarden