[PM-3169] Login decryption options in extension popup

apps/browser/src/_locales/en/messages.json

@@ -2254,6 +2254,9 @@
   "approveWithMasterPassword": {
     "message": "Approve with master password"
   },
+  "ssoIdentifierRequired": {
+    "message": "Organization SSO identifier is required."
+  },
   "eu": {
     "message": "EU",
     "description": "European Union"

apps/browser/src/auth/popup/services/index.ts

@@ -1,2 +1 @@
-export { LockGuardService } from "./lock-guard.service";
 export { UnauthGuardService } from "./unauth-guard.service";

apps/browser/src/auth/popup/sso.component.ts

@@ -1,9 +1,9 @@
-import { Component } from "@angular/core";
+import { Component, Inject } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
 
 import { SsoComponent as BaseSsoComponent } from "@bitwarden/angular/auth/components/sso.component";
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
@@ -37,7 +37,7 @@ export class SsoComponent extends BaseSsoComponent {
     environmentService: EnvironmentService,
     logService: LogService,
     configService: ConfigServiceAbstraction,
-    private vaultTimeoutService: VaultTimeoutService
+    @Inject(WINDOW) private win: Window
   ) {
     super(
       authService,
@@ -67,8 +67,11 @@ export class SsoComponent extends BaseSsoComponent {
         BrowserApi.reloadOpenWindows();
       }
 
-      const thisWindow = window.open("", "_self");
-      thisWindow.close();
+      this.win.close();
+    };
+
+    super.onSuccessfulLoginTdeNavigate = async () => {
+      this.win.close();
     };
   }
 }

apps/browser/src/auth/popup/two-factor.component.ts

@@ -74,6 +74,10 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
       this.loginService.clearValues();
       return syncService.fullSync(true);
     };
+
+    super.onSuccessfulLoginTdeNavigate = async () => {
+      this.win.close();
+    };
     super.successRoute = "/tabs/vault";
     // FIXME: Chromium 110 has broken WebAuthn support in extensions via an iframe
     this.webAuthnNewTab = true;

apps/browser/src/popup/app-routing.module.ts

@@ -2,11 +2,13 @@ import { Injectable, NgModule } from "@angular/core";
 import { ActivatedRouteSnapshot, RouteReuseStrategy, RouterModule, Routes } from "@angular/router";
 
 import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { lockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { tdeDecryptionRequiredGuard } from "@bitwarden/angular/auth/guards/tde-decryption-required.guard";
 import { UnauthGuard } from "@bitwarden/angular/auth/guards/unauth.guard";
 import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 
+import { redirectGuard } from "../../../../libs/angular/src/auth/guards/redirect.guard";
 import { EnvironmentComponent } from "../auth/popup/environment.component";
 import { HintComponent } from "../auth/popup/hint.component";
 import { HomeComponent } from "../auth/popup/home.component";
@@ -52,8 +54,9 @@ import { TabsComponent } from "./tabs.component";
 const routes: Routes = [
   {
     path: "",
-    redirectTo: "home",
     pathMatch: "full",
+    children: [], // Children lets us have an empty component.
+    canActivate: [redirectGuard({ loggedIn: "/tabs/vault", loggedOut: "/home", locked: "/lock" })],
   },
   {
     path: "vault",
@@ -87,7 +90,7 @@ const routes: Routes = [
   {
     path: "lock",
     component: LockComponent,
-    canActivate: [LockGuard],
+    canActivate: [lockGuard()],
     data: { state: "lock" },
   },
   {
@@ -105,7 +108,10 @@ const routes: Routes = [
   {
     path: "login-initiated",
     component: LoginDecryptionOptionsComponent,
-    canActivate: [LockGuard, canAccessFeature(FeatureFlag.TrustedDeviceEncryption)],
+    canActivate: [
+      tdeDecryptionRequiredGuard(),
+      canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+    ],
   },
   {
     path: "sso",

apps/browser/src/popup/services/services.module.ts

@@ -1,6 +1,5 @@
 import { APP_INITIALIZER, LOCALE_ID, NgModule } from "@angular/core";
 
-import { LockGuard as BaseLockGuardService } from "@bitwarden/angular/auth/guards/lock.guard";
 import { UnauthGuard as BaseUnauthGuardService } from "@bitwarden/angular/auth/guards/unauth.guard";
 import { DialogServiceAbstraction } from "@bitwarden/angular/services/dialog";
 import { MEMORY_STORAGE, SECURE_STORAGE } from "@bitwarden/angular/services/injection-tokens";
@@ -84,7 +83,7 @@ import { VaultExportServiceAbstraction } from "@bitwarden/exporter/vault-export"
 
 import { BrowserOrganizationService } from "../../admin-console/services/browser-organization.service";
 import { BrowserPolicyService } from "../../admin-console/services/browser-policy.service";
-import { LockGuardService, UnauthGuardService } from "../../auth/popup/services";
+import { UnauthGuardService } from "../../auth/popup/services";
 import { AutofillService } from "../../autofill/services/abstractions/autofill.service";
 import MainBackground from "../../background/main.background";
 import { Account } from "../../models/account";
@@ -144,7 +143,6 @@ function getBgService<T>(service: keyof MainBackground) {
       deps: [InitService],
       multi: true,
     },
-    { provide: BaseLockGuardService, useClass: LockGuardService },
     { provide: BaseUnauthGuardService, useClass: UnauthGuardService },
     { provide: PopupUtilsService, useFactory: () => new PopupUtilsService(isPrivateMode) },
     {

apps/desktop/src/app/app-routing.module.ts

@@ -2,7 +2,9 @@ import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
 import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { lockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { redirectGuard } from "@bitwarden/angular/auth/guards/redirect.guard";
+import { tdeDecryptionRequiredGuard } from "@bitwarden/angular/auth/guards/tde-decryption-required.guard";
 import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 
@@ -24,11 +26,16 @@ import { VaultComponent } from "../vault/app/vault/vault.component";
 import { SendComponent } from "./tools/send/send.component";
 
 const routes: Routes = [
-  { path: "", redirectTo: "/vault", pathMatch: "full" },
+  {
+    path: "",
+    pathMatch: "full",
+    children: [], // Children lets us have an empty component.
+    canActivate: [redirectGuard({ loggedIn: "/vault", loggedOut: "/login", locked: "/lock" })],
+  },
   {
     path: "lock",
     component: LockComponent,
-    canActivate: [LockGuard],
+    canActivate: [lockGuard()],
   },
   {
     path: "login",
@@ -47,7 +54,10 @@ const routes: Routes = [
   {
     path: "login-initiated",
     component: LoginDecryptionOptionsComponent,
-    canActivate: [LockGuard, canAccessFeature(FeatureFlag.TrustedDeviceEncryption)],
+    canActivate: [
+      tdeDecryptionRequiredGuard(),
+      canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+    ],
   },
   { path: "register", component: RegisterComponent },
   {

apps/desktop/src/locales/en/messages.json

@@ -2276,6 +2276,9 @@
   "region": {
     "message": "Region"
   },
+  "ssoIdentifierRequired": {
+    "message": "Organization SSO identifier is required."
+  },
   "eu": {
     "message": "EU",
     "description": "European Union"

apps/web/src/app/oss-routing.module.ts

@@ -2,7 +2,9 @@ import { NgModule } from "@angular/core";
 import { Route, RouterModule, Routes } from "@angular/router";
 
 import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { lockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import { redirectGuard } from "@bitwarden/angular/auth/guards/redirect.guard";
+import { tdeDecryptionRequiredGuard } from "@bitwarden/angular/auth/guards/tde-decryption-required.guard";
 import { UnauthGuard } from "@bitwarden/angular/auth/guards/unauth.guard";
 import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
 import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
@@ -34,7 +36,6 @@ import { UpdatePasswordComponent } from "./auth/update-password.component";
 import { UpdateTempPasswordComponent } from "./auth/update-temp-password.component";
 import { VerifyEmailTokenComponent } from "./auth/verify-email-token.component";
 import { VerifyRecoverDeleteComponent } from "./auth/verify-recover-delete.component";
-import { HomeGuard } from "./guards/home.guard";
 import { FrontendLayoutComponent } from "./layouts/frontend-layout.component";
 import { UserLayoutComponent } from "./layouts/user-layout.component";
 import { ReportsModule } from "./reports";
@@ -59,7 +60,7 @@ const routes: Routes = [
         path: "",
         pathMatch: "full",
         children: [], // Children lets us have an empty component.
-        canActivate: [HomeGuard], // Redirects either to vault, login or lock page.
+        canActivate: [redirectGuard({ loggedIn: "/vault", loggedOut: "/login", locked: "/lock" })],
       },
       { path: "login", component: LoginComponent, canActivate: [UnauthGuard] },
       {
@@ -76,7 +77,10 @@ const routes: Routes = [
       {
         path: "login-initiated",
         component: LoginDecryptionOptionsComponent,
-        canActivate: [LockGuard, canAccessFeature(FeatureFlag.TrustedDeviceEncryption)],
+        canActivate: [
+          tdeDecryptionRequiredGuard(),
+          canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+        ],
       },
       {
         path: "register",
@@ -109,7 +113,7 @@ const routes: Routes = [
       {
         path: "lock",
         component: LockComponent,
-        canActivate: [LockGuard],
+        canActivate: [lockGuard()],
       },
       { path: "verify-email", component: VerifyEmailTokenComponent },
       {

libs/angular/src/auth/components/base-login-decryption-options.component.ts

@@ -3,14 +3,15 @@ import { FormBuilder, FormControl } from "@angular/forms";
 import { ActivatedRoute, Router } from "@angular/router";
 import {
   firstValueFrom,
-  map,
   switchMap,
   Subject,
   catchError,
   from,
   of,
   finalize,
   takeUntil,
+  defer,
+  throwError,
 } from "rxjs";
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -106,11 +107,9 @@ export class BaseLoginDecryptionOptionsComponent implements OnInit, OnDestroy {
         // We are dealing with a new account if:
         //  - User does not have admin approval (i.e. has not enrolled into admin reset)
         //  - AND does not have a master password
-        this.platformUtilsService.showToast(
-          "success",
-          null,
-          this.i18nService.t("accountSuccessfullyCreated")
-        );
+
+        // TODO: discuss how this doesn't make any sense to show here
+
         this.loadNewUserData();
       } else {
         this.loadUntrustedDeviceData(accountDecryptionOptions);
@@ -140,14 +139,19 @@ export class BaseLoginDecryptionOptionsComponent implements OnInit, OnDestroy {
   }
 
   async loadNewUserData() {
-    const autoEnrollStatus$ = this.activatedRoute.queryParamMap.pipe(
-      map((params) => params.get("identifier")),
-      switchMap((identifier) => {
-        if (identifier == null) {
-          return of(null);
+    const autoEnrollStatus$ = defer(() =>
+      this.stateService.getUserSsoOrganizationIdentifier()
+    ).pipe(
+      switchMap((organizationIdentifier) => {
+        if (organizationIdentifier == undefined) {
+          return throwError(() => new Error(this.i18nService.t("ssoIdentifierRequired")));
         }
 
-        return from(this.organizationApiService.getAutoEnrollStatus(identifier));
+        return from(this.organizationApiService.getAutoEnrollStatus(organizationIdentifier));
+      }),
+      catchError((err: unknown) => {
+        this.validationService.showError(err);
+        return of(undefined);
       })
     );
 
@@ -225,7 +229,7 @@ export class BaseLoginDecryptionOptionsComponent implements OnInit, OnDestroy {
 
   async approveWithMasterPassword() {
     await this.deviceTrustCryptoService.setShouldTrustDevice(this.rememberDevice.value);
-    this.router.navigate(["/lock"]);
+    this.router.navigate(["/lock"], { queryParams: { from: "login-initiated" } });
   }
 
   async createUser() {
@@ -240,6 +244,12 @@ export class BaseLoginDecryptionOptionsComponent implements OnInit, OnDestroy {
       const keysRequest = new KeysRequest(publicKey, privateKey.encryptedString);
       await this.apiService.postAccountKeys(keysRequest);
 
+      this.platformUtilsService.showToast(
+        "success",
+        null,
+        this.i18nService.t("accountSuccessfullyCreated")
+      );
+
       await this.passwordResetEnrollmentService.enroll(this.data.organizationId);
 
       if (this.rememberDeviceForm.value.rememberDevice) {

libs/angular/src/auth/components/sso.component.spec.ts

@@ -1,4 +1,4 @@
 import { Component } from "@angular/core";
 import { ComponentFixture, TestBed } from "@angular/core/testing";
 import { ActivatedRoute, Router } from "@angular/router";
 import { MockProxy, mock } from "jest-mock-extended";
@@ -73,6 +73,7 @@
   let mockOnSuccessfulLoginTwoFactorNavigate: jest.Mock;
   let mockOnSuccessfulLoginChangePasswordNavigate: jest.Mock;
   let mockOnSuccessfulLoginForceResetNavigate: jest.Mock;
+  let mockOnSuccessfulLoginTdeNavigate: jest.Mock;
 
   let mockAcctDecryptionOpts: {
     noMasterPassword: AccountDecryptionOptions;
@@ -118,6 +119,7 @@
     mockOnSuccessfulLoginTwoFactorNavigate = jest.fn();
     mockOnSuccessfulLoginChangePasswordNavigate = jest.fn();
     mockOnSuccessfulLoginForceResetNavigate = jest.fn();
+    mockOnSuccessfulLoginTdeNavigate = jest.fn();
 
     mockAcctDecryptionOpts = {
       noMasterPassword: new AccountDecryptionOptions({
@@ -381,16 +383,29 @@
           mockAuthService.logIn.mockResolvedValue(authResult);
         });
 
-        it("navigates to the component's defined trusted device encryption route when login is successful", async () => {
+        it("navigates to the component's defined trusted device encryption route when login is successful and no callback is defined", async () => {
           await _component.logIn(code, codeVerifier, orgIdFromState);
 
           expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
           expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
-          expect(mockRouter.navigate).toHaveBeenCalledWith([_component.trustedDeviceEncRoute], {
-            queryParams: {
-              identifier: orgIdFromState,
-            },
-          });
+          expect(mockRouter.navigate).toHaveBeenCalledWith(
+            [_component.trustedDeviceEncRoute],
+            undefined
+          );
+          expect(mockLogService.error).not.toHaveBeenCalled();
+        });
+
+        it("calls onSuccessfulLoginTdeNavigate instead of router.navigate when the callback is defined", async () => {
+          mockOnSuccessfulLoginTdeNavigate = jest.fn().mockResolvedValue(null);
+          component.onSuccessfulLoginTdeNavigate = mockOnSuccessfulLoginTdeNavigate;
+
+          await _component.logIn(code, codeVerifier, orgIdFromState);
+
+          expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+          expect(mockOnSuccessfulLoginTdeNavigate).toHaveBeenCalledTimes(1);
+
+          expect(mockRouter.navigate).not.toHaveBeenCalled();
           expect(mockLogService.error).not.toHaveBeenCalled();
         });
       });