[PM-18993] Opaque enrollment #13782

eliykat · 2025-03-11T04:02:33Z

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-18993

📔 Objective

Add client-side support for opaque enrollment.

📸 Screenshots

⏰ Reminders before review

Contributor guidelines followed
All formatters and local linters executed and passed
Written new unit and / or integration tests where applicable
Protected functional changes with optionality (feature flags)
Used internationalization (i18n) for all UI strings
CI builds passed
Communicated to DevOps any deployment requirements
Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

👍 (:+1:) or similar for great changes
📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
❓ (:question:) for questions
🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
🎨 (:art:) for suggestions / improvements
❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
⛏ (:pick:) for minor or nitpick changes

codecov · 2025-03-11T04:04:43Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 6.00%. Comparing base (992be1d) to head (09df264).

❗ There is a different number of reports uploaded between BASE (992be1d) and HEAD (09df264). Click for more details.

HEAD has 1 upload less than BASE

Flag BASE (992be1d) HEAD (09df264)

2 1

Additional details and impacted files

@@                  Coverage Diff                   @@
##           innovation/opaque   #13782       +/-   ##
======================================================
- Coverage              35.96%    6.00%   -29.97%     
======================================================
  Files                   3177       27     -3150     
  Lines                  93153     1665    -91488     
  Branches               16975        0    -16975     
======================================================
- Hits                   33506      100    -33406     
+ Misses                 57050     1565    -55485     
+ Partials                2597        0     -2597

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2025-03-11T04:13:33Z

Checkmarx One – Scan Summary & Details – eb189a43-5acb-4c3d-87ad-a61a4b538c4f

New Issues (66)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2025-0611	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0998	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0451	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0612	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0762	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0995	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0997	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0999	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1426	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1914	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1916	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1917	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1919	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1920	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-2135	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-2136	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-2137	Npm-electron-34.0.0	Vulnerable Package
Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is e... Attack Vector
Cxdca8e59f-8bfe	Npm-inflight-1.0.6	Vulnerable Package
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 296	details Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 296	details Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
CVE-2024-53382	Npm-prismjs-1.29.0	Vulnerable Package
CVE-2024-6531	Npm-bootstrap-4.6.0	Vulnerable Package
CVE-2025-0444	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0445	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-0996	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1915	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1918	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1921	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1922	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-1923	Npm-electron-34.0.0	Vulnerable Package
CVE-2025-24010	Npm-vite-5.4.6	Vulnerable Package
Cxbb85e86c-2fac	Npm-esbuild-0.21.5	Vulnerable Package
Cxbb85e86c-2fac	Npm-esbuild-wasm-0.23.0	Vulnerable Package
Cxbb85e86c-2fac	Npm-esbuild-0.23.0	Vulnerable Package
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 365	details The application takes sensitive, personal data cipher, found at line 365 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 332	details The application takes sensitive, personal data cipher, found at line 332 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 382	details The application takes sensitive, personal data cipher, found at line 382 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 69	details The application takes sensitive, personal data password, found at line 69 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected... Attack Vector
Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 65	details The application takes sensitive, personal data password, found at line 65 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected... Attack Vector
Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 735	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 365	details Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 365	details Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 21	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts in ... Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/avatar/avatar.component.ts: 87	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.compo... Attack Vector
Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 77	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar.... Attack Vector
Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web/... Attack Vector
Client_DOM_Open_Redirect	/apps/desktop/src/auth/accessibility-cookie.component.html: 18	details The potentially tainted value provided by link in /apps/desktop/src/auth/accessibility-cookie.component.html at line 18 is used as a destination UR... Attack Vector
Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /a... Attack Vector
Client_JQuery_Deprecated_Symbols	/apps/cli/src/commands/get.command.ts: 149	details Method getCipher in /apps/cli/src/commands/get.command.ts, at line 149, calls an obsolete API, isArray. This has been deprecated, and should not be... Attack Vector
Client_JQuery_Deprecated_Symbols	/apps/cli/src/commands/get.command.ts: 142	details Method getCipher in /apps/cli/src/commands/get.command.ts, at line 142, calls an obsolete API, isArray. This has been deprecated, and should not be... Attack Vector
Client_JQuery_Deprecated_Symbols	/libs/importer/src/services/import.service.ts: 471	details Method Lambda in /libs/importer/src/services/import.service.ts, at line 471, calls an obsolete API, isArray. This has been deprecated, and should n... Attack Vector
Client_JQuery_Deprecated_Symbols	/apps/cli/src/commands/get.command.ts: 325	details Method getAttachment in /apps/cli/src/commands/get.command.ts, at line 325, calls an obsolete API, isArray. This has been deprecated, and should no... Attack Vector
Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/deprecated/overlay/iframe-content/autofill-overlay-iframe.service.deprecated.ts: 92	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
Cx8bc4df28-fcf5	Npm-debug-2.6.9	Vulnerable Package
Cx8bc4df28-fcf5	Npm-debug-3.2.7	Vulnerable Package
Cxda14f253-4e52	Npm-bluebird-3.7.2	Vulnerable Package
HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/app/auth/core/services/login/web-sso-component.service.ts: 19	details The web application's setDocumentCookies method creates a cookie cookie, at line 19 of /apps/web/src/app/auth/core/services/login/web-sso-component... Attack Vector
HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/app/auth/sso-v1.component.ts: 174	details The web application's Lambda method creates a cookie cookie, at line 174 of /apps/web/src/app/auth/sso-v1.component.ts, and returns it in the respo... Attack Vector
HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 41	details The web application's initiateBrowserSso method creates a cookie cookie, at line 41 of /apps/web/src/connectors/sso.ts, and returns it in the respo... Attack Vector
Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 735	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/libs/node/src/services/node-crypto-function.service.ts: 352	details In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even tri... Attack Vector

eliykat · 2025-03-11T04:45:46Z

libs/common/src/auth/opaque/opaque.service.ts

+  /**
+   * Authenticate using the Opaque login method.
+   * @returns The UserKey obtained during the Opaque login flow.
+   */
+  abstract Login(masterPassword: string): Promise<UserKey>;


This could be called from a new OpaqueLoginStrategy, so that the strategy itself can focus on the high level process and bootstrapping the environment, without needing to know about the opaque implementation.