Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[PM-7879, PM-7635] Add server verification for master password to user verification #9523

Merged
merged 7 commits into from
Jun 14, 2024
Merged

[PM-7879, PM-7635] Add server verification for master password to user verification #9523

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0e45baa
add MP server verification
jlf0dev Jun 4, 2024
e11ff92
add tests and minor service enhancements
jlf0dev Jun 5, 2024
8f32a12
fix tests
jlf0dev Jun 5, 2024
56cba18
fix initializations for cli and browser
jlf0dev Jun 5, 2024
7f2982e
fix CLI
jlf0dev Jun 6, 2024
33db5da
pr feedback
jlf0dev Jun 6, 2024
52eb01b
Merge branch 'main' into auth/pm-7879/add-server-verification-for-mp-โ€ฆ
jlf0dev Jun 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion apps/browser/src/background/main.background.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -745,7 +745,6 @@ export default class MainBackground {
this.folderApiService = new FolderApiService(this.folderService, this.apiService);

this.userVerificationService = new UserVerificationService(
this.stateService,
this.cryptoService,
this.accountService,
this.masterPasswordService,
Expand Down
94 changes: 36 additions & 58 deletions apps/cli/src/auth/commands/unlock.command.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,18 @@
import { firstValueFrom, map } from "rxjs";

import { ApiService } from "@bitwarden/common/abstractions/api.service";
import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
import { KdfConfigService } from "@bitwarden/common/auth/abstractions/kdf-config.service";
import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { SecretVerificationRequest } from "@bitwarden/common/auth/models/request/secret-verification.request";
import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";

Check warning on line 8 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L8 

Added line #L8 was not covered by tests
import { MasterPasswordVerification } from "@bitwarden/common/auth/types/verification";
import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { HashPurpose } from "@bitwarden/common/platform/enums";
import { Utils } from "@bitwarden/common/platform/misc/utils";
import { ConsoleLogService } from "@bitwarden/common/platform/services/console-log.service";
import { MasterKey } from "@bitwarden/common/types/key";
import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";

import { ConvertToKeyConnectorCommand } from "../../commands/convert-to-key-connector.command";
Expand All @@ -26,16 +25,14 @@
private accountService: AccountService,
private masterPasswordService: InternalMasterPasswordServiceAbstraction,
private cryptoService: CryptoService,
private stateService: StateService,
private userVerificationService: UserVerificationService,

Check warning on line 28 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L28 

Added line #L28 was not covered by tests
private cryptoFunctionService: CryptoFunctionService,
private apiService: ApiService,
private logService: ConsoleLogService,
private keyConnectorService: KeyConnectorService,
private environmentService: EnvironmentService,
private syncService: SyncService,
private organizationApiService: OrganizationApiServiceAbstraction,
private logout: () => Promise<void>,
private kdfConfigService: KdfConfigService,
) {}

async run(password: string, cmdOptions: Record<string, any>) {
Expand All @@ -51,63 +48,44 @@
await this.setNewSessionKey();
const [userId, email] = await firstValueFrom(
this.accountService.activeAccount$.pipe(map((a) => [a?.id, a?.email])),
);
const kdfConfig = await this.kdfConfigService.getKdfConfig();
const masterKey = await this.cryptoService.makeMasterKey(password, email, kdfConfig);
const storedMasterKeyHash = await firstValueFrom(
this.masterPasswordService.masterKeyHash$(userId),
);

let passwordValid = false;
if (masterKey != null) {
if (storedMasterKeyHash != null) {
passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, masterKey);
} else {
const serverKeyHash = await this.cryptoService.hashMasterKey(
password,
masterKey,
HashPurpose.ServerAuthorization,
);
const request = new SecretVerificationRequest();
request.masterPasswordHash = serverKeyHash;
try {
await this.apiService.postAccountVerifyPassword(request);
passwordValid = true;
const localKeyHash = await this.cryptoService.hashMasterKey(
password,
masterKey,
HashPurpose.LocalAuthorization,
);
await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
} catch {
// Ignore
}
}
const verification = {

Check warning on line 53 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L53 

Added line #L53 was not covered by tests
type: VerificationType.MasterPassword,
secret: password,
} as MasterPasswordVerification;

let masterKey: MasterKey;
try {
const response = await this.userVerificationService.verifyUserByMasterPassword(

Check warning on line 60 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L59-L60 

Added lines #L59 - L60 were not covered by tests
verification,
userId,
email,
);
masterKey = response.masterKey;

Check warning on line 65 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L65 

Added line #L65 was not covered by tests
} catch (e) {
// verification failure throws
return Response.error(e.message);

Check warning on line 68 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L68 

Added line #L68 was not covered by tests
}

if (passwordValid) {
await this.masterPasswordService.setMasterKey(masterKey, userId);
const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
await this.cryptoService.setUserKey(userKey);
const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
await this.cryptoService.setUserKey(userKey);

Check warning on line 72 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L71-L72 

Added lines #L71 - L72 were not covered by tests

if (await this.keyConnectorService.getConvertAccountRequired()) {
const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(
this.keyConnectorService,
this.environmentService,
this.syncService,
this.organizationApiService,
this.logout,
);
const convertResponse = await convertToKeyConnectorCommand.run();
if (!convertResponse.success) {
return convertResponse;
}
if (await this.keyConnectorService.getConvertAccountRequired()) {
const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(

Check warning on line 75 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L75 

Added line #L75 was not covered by tests
this.keyConnectorService,
this.environmentService,
this.syncService,
this.organizationApiService,
this.logout,
);
const convertResponse = await convertToKeyConnectorCommand.run();

Check warning on line 82 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L82 

Added line #L82 was not covered by tests
if (!convertResponse.success) {
return convertResponse;

Check warning on line 84 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L84 

Added line #L84 was not covered by tests
}

return this.successResponse();
} else {
return Response.error("Invalid master password.");
}

return this.successResponse();

Check notice on line 88 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (main)

โœ… No longer an issue: Complex Method 

UnlockCommand.run is no longer above the threshold for cyclomatic complexity

Check notice on line 88 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (main)

โœ… No longer an issue: Bumpy Road Ahead 

UnlockCommand.run is no longer above the threshold for logical blocks with deeply nested code

Check warning on line 88 in apps/cli/src/auth/commands/unlock.command.ts

View check run for this annotation

Codecov / codecov/patch

apps/cli/src/auth/commands/unlock.command.ts#L88 

Added line #L88 was not covered by tests
}

private async setNewSessionKey() {
Expand Down
4 changes: 1 addition & 3 deletions apps/cli/src/base-program.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,16 +140,14 @@ export abstract class BaseProgram {
this.serviceContainer.accountService,
this.serviceContainer.masterPasswordService,
this.serviceContainer.cryptoService,
this.serviceContainer.stateService,
this.serviceContainer.userVerificationService,
this.serviceContainer.cryptoFunctionService,
this.serviceContainer.apiService,
this.serviceContainer.logService,
this.serviceContainer.keyConnectorService,
this.serviceContainer.environmentService,
this.serviceContainer.syncService,
this.serviceContainer.organizationApiService,
this.serviceContainer.logout,
this.serviceContainer.kdfConfigService,
);
const response = await command.run(null, null);
if (!response.success) {
Expand Down
4 changes: 1 addition & 3 deletions apps/cli/src/oss-serve-configurator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,16 +120,14 @@ export class OssServeConfigurator {
this.serviceContainer.accountService,
this.serviceContainer.masterPasswordService,
this.serviceContainer.cryptoService,
this.serviceContainer.stateService,
this.serviceContainer.userVerificationService,
this.serviceContainer.cryptoFunctionService,
this.serviceContainer.apiService,
this.serviceContainer.logService,
this.serviceContainer.keyConnectorService,
this.serviceContainer.environmentService,
this.serviceContainer.syncService,
this.serviceContainer.organizationApiService,
async () => await this.serviceContainer.logout(),
this.serviceContainer.kdfConfigService,
);

this.sendCreateCommand = new SendCreateCommand(
Expand Down
4 changes: 1 addition & 3 deletions apps/cli/src/program.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,16 +270,14 @@
this.serviceContainer.accountService,
this.serviceContainer.masterPasswordService,
this.serviceContainer.cryptoService,
this.serviceContainer.stateService,
this.serviceContainer.userVerificationService,
this.serviceContainer.cryptoFunctionService,
this.serviceContainer.apiService,
this.serviceContainer.logService,
this.serviceContainer.keyConnectorService,
this.serviceContainer.environmentService,
this.serviceContainer.syncService,
this.serviceContainer.organizationApiService,
async () => await this.serviceContainer.logout(),

Check notice on line 280 in apps/cli/src/program.ts

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (main)

โœ… Getting better: Large Method 

Program.register decreases from 439 to 437 lines of code, threshold = 70. Large functions with many lines of code are generally harder to understand and lower the code health. Avoid adding more lines to this function.
this.serviceContainer.kdfConfigService,
);
const response = await command.run(password, cmd);
this.processResponse(response);
Expand Down
1 change: 0 additions & 1 deletion apps/cli/src/service-container.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -612,8 +612,7 @@
const lockedCallback = async (userId?: string) =>
await this.cryptoService.clearStoredUserKey(KeySuffixOptions.Auto);

this.userVerificationService = new UserVerificationService(

Check notice on line 615 in apps/cli/src/service-container.ts

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (main)

โœ… Getting better: Large Method 

ServiceContainer.constructor decreases from 422 to 421 lines of code, threshold = 70. Large functions with many lines of code are generally harder to understand and lower the code health. Avoid adding more lines to this function.
this.stateService,
this.cryptoService,
this.accountService,
this.masterPasswordService,
Expand Down
73 changes: 28 additions & 45 deletions libs/angular/src/auth/components/lock.component.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,12 @@
import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/auth/abstractions/master-password.service.abstraction";
import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";

Check warning on line 20 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L20 

Added line #L20 was not covered by tests
import { ForceSetPasswordReason } from "@bitwarden/common/auth/models/domain/force-set-password-reason";
import { SecretVerificationRequest } from "@bitwarden/common/auth/models/request/secret-verification.request";
import { MasterPasswordPolicyResponse } from "@bitwarden/common/auth/models/response/master-password-policy.response";
import {
MasterPasswordVerification,
MasterPasswordVerificationResponse,
} from "@bitwarden/common/auth/types/verification";
import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
Expand All @@ -29,7 +32,7 @@
import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
import { BiometricStateService } from "@bitwarden/common/platform/biometrics/biometric-state.service";
import { HashPurpose, KeySuffixOptions } from "@bitwarden/common/platform/enums";
import { KeySuffixOptions } from "@bitwarden/common/platform/enums";

Check warning on line 35 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L35 

Added line #L35 was not covered by tests
import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
import { UserId } from "@bitwarden/common/types/guid";
import { UserKey } from "@bitwarden/common/types/key";
Expand All @@ -45,7 +48,7 @@
pinEnabled = false;
masterPasswordEnabled = false;
webVaultHostname = "";
formPromise: Promise<MasterPasswordPolicyResponse>;
formPromise: Promise<MasterPasswordVerificationResponse>;
supportsBiometric: boolean;
biometricLock: boolean;

Expand Down Expand Up @@ -218,51 +221,30 @@
}

private async doUnlockWithMasterPassword() {
const kdfConfig = await this.kdfConfigService.getKdfConfig();
const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;

const masterKey = await this.cryptoService.makeMasterKey(
this.masterPassword,
this.email,
kdfConfig,
);
const storedMasterKeyHash = await firstValueFrom(
this.masterPasswordService.masterKeyHash$(userId),
);
const verification = {

Check warning on line 226 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L226 

Added line #L226 was not covered by tests
type: VerificationType.MasterPassword,
secret: this.masterPassword,
} as MasterPasswordVerification;

let passwordValid = false;

if (storedMasterKeyHash != null) {
// Offline unlock possible
passwordValid = await this.cryptoService.compareAndUpdateKeyHash(
this.masterPassword,
masterKey,
let response: MasterPasswordVerificationResponse;
try {
this.formPromise = this.userVerificationService.verifyUserByMasterPassword(

Check warning on line 234 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L233-L234 

Added lines #L233 - L234 were not covered by tests
verification,
userId,
this.email,
);
} else {
// Online only
const request = new SecretVerificationRequest();
const serverKeyHash = await this.cryptoService.hashMasterKey(
this.masterPassword,
masterKey,
HashPurpose.ServerAuthorization,
response = await this.formPromise;
this.enforcedMasterPasswordOptions = MasterPasswordPolicyOptions.fromResponse(

Check warning on line 240 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L239-L240 

Added lines #L239 - L240 were not covered by tests
response.policyOptions,
);
request.masterPasswordHash = serverKeyHash;
try {
this.formPromise = this.apiService.postAccountVerifyPassword(request);
const response = await this.formPromise;
this.enforcedMasterPasswordOptions = MasterPasswordPolicyOptions.fromResponse(response);
passwordValid = true;
const localKeyHash = await this.cryptoService.hashMasterKey(
this.masterPassword,
masterKey,
HashPurpose.LocalAuthorization,
);
await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
} catch (e) {
this.logService.error(e);
} finally {
this.formPromise = null;
}
passwordValid = true;

Check warning on line 243 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L243 

Added line #L243 was not covered by tests
} catch (e) {
this.logService.error(e);

Check warning on line 245 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L245 

Added line #L245 was not covered by tests
} finally {
this.formPromise = null;

Check warning on line 247 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L247 

Added line #L247 was not covered by tests
}

if (!passwordValid) {
Expand All @@ -274,8 +256,9 @@
return;
}

const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(masterKey);
await this.masterPasswordService.setMasterKey(masterKey, userId);
const userKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(

Check warning on line 259 in libs/angular/src/auth/components/lock.component.ts

View check run for this annotation

Codecov / codecov/patch

libs/angular/src/auth/components/lock.component.ts#L259 

Added line #L259 was not covered by tests
response.masterKey,
);
await this.setUserKeyAndContinue(userKey, true);
}

Expand Down
1 change: 0 additions & 1 deletion libs/angular/src/services/jslib-services.module.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -874,7 +874,6 @@ const safeProviders: SafeProvider[] = [
provide: UserVerificationServiceAbstraction,
useClass: UserVerificationService,
deps: [
StateServiceAbstraction,
CryptoServiceAbstraction,
AccountServiceAbstraction,
InternalMasterPasswordServiceAbstraction,
Expand Down
4 changes: 0 additions & 4 deletions libs/common/src/abstractions/api.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,6 @@ import { IdentityCaptchaResponse } from "../auth/models/response/identity-captch
import { IdentityTokenResponse } from "../auth/models/response/identity-token.response";
import { IdentityTwoFactorResponse } from "../auth/models/response/identity-two-factor.response";
import { KeyConnectorUserKeyResponse } from "../auth/models/response/key-connector-user-key.response";
import { MasterPasswordPolicyResponse } from "../auth/models/response/master-password-policy.response";
import { PreloginResponse } from "../auth/models/response/prelogin.response";
import { RegisterResponse } from "../auth/models/response/register.response";
import { SsoPreValidateResponse } from "../auth/models/response/sso-pre-validate.response";
Expand Down Expand Up @@ -175,9 +174,6 @@ export abstract class ApiService {
postAccountKeys: (request: KeysRequest) => Promise<any>;
postAccountVerifyEmail: () => Promise<any>;
postAccountVerifyEmailToken: (request: VerifyEmailRequest) => Promise<any>;
postAccountVerifyPassword: (
request: SecretVerificationRequest,
) => Promise<MasterPasswordPolicyResponse>;
postAccountRecoverDelete: (request: DeleteRecoverRequest) => Promise<any>;
postAccountRecoverDeleteToken: (request: VerifyDeleteRecoverRequest) => Promise<any>;
postAccountKdf: (request: KdfRequest) => Promise<any>;
Expand Down
5 changes: 5 additions & 0 deletions ...mmon/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
import { SecretVerificationRequest } from "../../models/request/secret-verification.request";
import { VerifyOTPRequest } from "../../models/request/verify-otp.request";
import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response";

export abstract class UserVerificationApiServiceAbstraction {
postAccountVerifyOTP: (request: VerifyOTPRequest) => Promise<void>;
postAccountRequestOTP: () => Promise<void>;
postAccountVerifyPassword: (
request: SecretVerificationRequest,
) => Promise<MasterPasswordPolicyResponse>;
}
Loading
Loading