Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-4882] Passkeys: funnel rp name or id to the cipher name on save #7969

Merged
merged 3 commits into from
Mar 6, 2024
Merged

[PM-4882] Passkeys: funnel rp name or id to the cipher name on save #7969

merged 3 commits into from
Mar 6, 2024

Conversation

merissaacosta
Copy link
Contributor

@merissaacosta merissaacosta commented Feb 15, 2024
edited
Loading

Type of change

- [ ] Bug fix
- [x] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

When creating a passkey and a new vault item, we want to set name to be rp's name value (rp.name). If the rp does not provide a name then we save rp.id which is the url

Code changes

  • file.ext: Description of what was changed and why

Screenshots

(see the "target" name in the extension)

Client Before After
Safari Screenshot 2024-02-15 at 2 42 18 PM Screenshot 2024-02-16 at 12 34 27 PM
Firefox Screenshot 2024-02-16 at 12 06 11 PM
Safari Screenshot 2024-02-16 at 12 31 20 PM
Adding a new cipher (in chrome) Screenshot 2024-02-28 at 3 01 59 PM Screenshot 2024-02-28 at 3 01 36 PM

Before you submit

  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
  • Ensure that all UI additions follow WCAG AA requirements

@merissaacosta merissaacosta self-assigned this Feb 15, 2024
@merissaacosta merissaacosta requested a review from a team as a code owner February 15, 2024 19:43
@github-actions github-actions bot added the needs-qa Marks a PR as requiring QA approval label Feb 15, 2024
@merissaacosta merissaacosta marked this pull request as draft February 15, 2024 19:43
@codecov Codecov
Copy link

codecov bot commented Feb 15, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 24.91%. Comparing base (b46eb27) to head (ff9a2a7).
Report is 113 commits behind head on main.

Files Patch % Lines
...rc/vault/popup/components/fido2/fido2.component.ts 0.00% 5 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #7969       +/-   ##
===========================================
- Coverage   59.32%   24.91%   -34.41%     
===========================================
  Files        1057     2239     +1182     
  Lines       27253    65598    +38345     
  Branches     5453    12378     +6925     
===========================================
+ Hits        16167    16347      +180     
- Misses       9756    47918    +38162     
- Partials     1330     1333        +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bitwarden-bot
Copy link

bitwarden-bot commented Feb 15, 2024
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsd686cfd9-c857-47dc-83b8-ac9f621ff547

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 41 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 41 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 41 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 41 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 19 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 19 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 19 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/accounts/trial-initiation/billing.component.html: 19 Attack Vector
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/reports/pages/breach-report.component.html: 14 Attack Vector
MEDIUM Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1224 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: 354 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 357 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 263 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 293 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: 412 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1149 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 187 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/content/notification-bar.ts: 874 Attack Vector
LOW Client_Weak_Cryptographic_Hash /libs/common/src/platform/services/web-crypto-function.service.ts: 142 Attack Vector
LOW Client_Weak_Cryptographic_Hash /libs/common/src/platform/services/web-crypto-function.service.ts: 142 Attack Vector
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/tools/send/access.component.html: 81 Attack Vector
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/admin-console/organizations/members/components/member-dialog/member-dialog.component.html: 126 Attack Vector
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/vault/components/vault-items/vault-cipher-row.component.html: 93 Attack Vector
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/core/web-file-download.service.ts: 23 Attack Vector
LOW Unsafe_Use_Of_Target_blank /bitwarden_license/bit-web/src/app/secrets-manager/overview/overview.component.html: 15 Attack Vector
LOW Unsafe_Use_Of_Target_blank /apps/browser/src/autofill/notification/bar.html: 11 Attack Vector
LOW Use_Of_Hardcoded_Password /libs/importer/src/importers/lastpass/access/services/rest-client.ts: 12 Attack Vector
LOW Use_Of_Hardcoded_Password /libs/importer/src/importers/lastpass/access/services/client.ts: 432 Attack Vector
LOW Use_Of_Hardcoded_Password /libs/importer/src/importers/lastpass/access/services/rest-client.ts: 11 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/auth-request-crypto-service.factory.ts: 27 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/background/service-factories/send-service.factory.ts: 42 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/key-connector-service.factory.ts: 67 Attack Vector

Fixed Issues

Severity Issue Source File / Package
HIGH Client_DOM_XSS /apps/web/src/app/auth/settings/two-factor-verify.component.html: 3
HIGH Client_DOM_XSS /bitwarden_license/bit-web/src/app/admin-console/providers/settings/account.component.html: 27
HIGH Client_DOM_XSS /bitwarden_license/bit-web/src/app/admin-console/providers/settings/account.component.html: 27
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html: 1
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/billing/shared/adjust-storage.component.html: 27
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/billing/organizations/adjust-subscription.component.html: 54
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/billing/organizations/adjust-subscription.component.html: 18
MEDIUM Client_Potential_XSS /apps/desktop/src/app/components/avatar.component.ts: 45
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/reports/pages/breach-report.component.html: 14
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: 12
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: 12
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/settings/two-factor-verify.component.html: 3
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 131
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 25
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 76
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 66
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 26
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 142
MEDIUM Client_Privacy_Violation /apps/desktop/src/auth/lock.component.html: 32
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 26
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/lock.component.html: 18
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: 368
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 361
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 297
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 191
MEDIUM Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1280
MEDIUM Unpinned Actions Full Length Commit SHA /build-browser.yml: 426
MEDIUM Unpinned Actions Full Length Commit SHA /build-web.yml: 267
MEDIUM Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1205
LOW Client_DOM_Open_Redirect /apps/browser/src/tools/popup/generator/password-generator-history.component.ts: 18
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/current-account.component.ts: 15
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 55
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 55
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 63
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 63
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/account.component.ts: 25
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/attachments.component.ts: 31
LOW Client_DOM_Open_Redirect /apps/browser/src/popup/settings/premium.component.ts: 26
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/password-history.component.ts: 21
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/accessibility-cookie.component.html: 18
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: 56
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: 56
LOW Client_Password_In_Comment /apps/browser/src/autofill/background/notification.background.ts: 535
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/content/notification-bar.ts: 888
LOW Client_Weak_Cryptographic_Hash /libs/common/src/platform/services/web-crypto-function.service.ts: 142
LOW Use_Of_Hardcoded_Password /libs/common/src/tools/send/services/send.service.ts: 26
LOW Use_Of_Hardcoded_Password /libs/common/src/tools/send/services/send.service.ts: 25
LOW Use_Of_Hardcoded_Password /apps/web/src/app/layouts/password-manager-logo.ts: 3
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 56
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 51
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 30
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 58
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 37
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 51
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 57
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 26
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 13
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 38
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 65
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 15
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 30
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 16
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 44
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 54
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 50
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 32
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 45
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 38
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 17
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 17
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 42
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 46
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 62
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 27
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 24
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 39
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 55
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 40
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 22
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 14
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 27
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 63
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 55
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 23
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 14
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 58
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 29
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 53
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 41
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 49
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 40
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 41
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 52
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 43
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 25
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 23
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 46
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 64
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 16
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 66
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 31
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 52
LOW Use_Of_Hardcoded_Password /apps/browser/src/platform/services/i18n.service.ts: 51
LOW

More results are available on AST platform

@merissaacosta merissaacosta marked this pull request as ready for review February 16, 2024 18:35
@merissaacosta merissaacosta changed the title [PM-4882] | Passkeys: funnel rp name or id to the cipher name on save [PM-4882] Passkeys: funnel rp name or id to the cipher name on save Feb 16, 2024
coroiu
coroiu previously approved these changes Feb 21, 2024
View reviewed changes
gbubemismith
gbubemismith previously approved these changes Feb 26, 2024
View reviewed changes
Copy link
Member

@gbubemismith gbubemismith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @merissaacosta

merissaacosta
merissaacosta commented Feb 28, 2024
View reviewed changes
apps/browser/src/vault/popup/components/fido2/fido2.component.ts
@@ -296,7 +296,7 @@ export class Fido2Component implements OnInit, OnDestroy {
// eslint-disable-next-line @typescript-eslint/no-floating-promises
this.router.navigate(["/add-cipher"], {
queryParams: {
name: Utils.getHostname(this.url),
name: data.credentialName || data.rpId,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update: had to funnel in the credentialName and rpId here as well for when creating a new cipher (see last screenshot)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was gonna suggest using ?? instead, but realized that || is actually better because it also covers an empty string "" 👍

gbubemismith
gbubemismith approved these changes Feb 28, 2024
View reviewed changes
Copy link
Member

@gbubemismith gbubemismith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

coroiu
coroiu approved these changes Feb 29, 2024
View reviewed changes
Copy link
Contributor

@coroiu coroiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

apps/browser/src/vault/popup/components/fido2/fido2.component.ts
@@ -296,7 +296,7 @@ export class Fido2Component implements OnInit, OnDestroy {
// eslint-disable-next-line @typescript-eslint/no-floating-promises
this.router.navigate(["/add-cipher"], {
queryParams: {
name: Utils.getHostname(this.url),
name: data.credentialName || data.rpId,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was gonna suggest using ?? instead, but realized that || is actually better because it also covers an empty string "" 👍

@merissaacosta merissaacosta removed the needs-qa Marks a PR as requiring QA approval label Mar 6, 2024
@merissaacosta merissaacosta merged commit 5dcc035 into main Mar 6, 2024
59 of 62 checks passed
@merissaacosta merissaacosta deleted the vault/pm-4882-passkey-name-item-name branch March 6, 2024 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gbubemismith gbubemismith gbubemismith approved these changes

@coroiu coroiu coroiu approved these changes

Assignees

@merissaacosta merissaacosta

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@merissaacosta @bitwarden-bot @coroiu @gbubemismith