Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PM-14995 Hide TOTP for non premium org items even if individual user has premium account #4390

Merged
merged 2 commits into from
Dec 2, 2024
Merged

PM-14995 Hide TOTP for non premium org items even if individual user has premium account #4390

merged 2 commits into from
Dec 2, 2024

Conversation

dseverns-livefront
Copy link
Collaborator

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-14995

📔 Objective

  • A user with premium should not be able to use TOTP codes on items held by a non premium organization.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
    issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 26, 2024
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsc23c3bd5-6bd8-43c0-b145-e9bba406d01b

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/completeregistration/CompleteRegistrationViewModel.kt: 346 Attack Vector
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/completeregistration/CompleteRegistrationViewModel.kt: 346 Attack Vector
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/createaccount/CreateAccountViewModel.kt: 321 Attack Vector
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/createaccount/CreateAccountViewModel.kt: 321 Attack Vector
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/vault/feature/item/VaultItemViewModel.kt: 876 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/data/autofill/manager/AutofillTotpManagerImpl.kt: 29
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/completeregistration/CompleteRegistrationViewModel.kt: 341
MEDIUM Privacy_Violation /app/src/main/java/com/x8bit/bitwarden/ui/auth/feature/completeregistration/CompleteRegistrationViewModel.kt: 341
MEDIUM Unpinned Actions Full Length Commit SHA /crowdin-pull.yml: 26

@dseverns-livefront dseverns-livefront force-pushed the PM-14995-premium-org-hide-totp branch from f9b3b31 to f311a8f Compare November 26, 2024 22:29
@codecov Codecov
Copy link

codecov bot commented Nov 26, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 71.21212% with 19 lines in your changes missing coverage. Please review.

Project coverage is 89.00%. Comparing base (05aa52b) to head (129fa27).
Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
...warden/ui/vault/feature/item/VaultItemViewModel.kt 45.45% 1 Missing and 5 partials ⚠️
...ui/vault/feature/vault/util/VaultDataExtensions.kt 70.58% 2 Missing and 3 partials ⚠️
...n/data/autofill/manager/AutofillTotpManagerImpl.kt 50.00% 0 Missing and 4 partials ⚠️
...ture/verificationcode/VerificationCodeViewModel.kt 50.00% 0 Missing and 2 partials ⚠️
...rm/feature/search/util/SearchTypeDataExtensions.kt 66.66% 0 Missing and 1 partial ⚠️
...itemlisting/util/VaultItemListingDataExtensions.kt 66.66% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4390      +/-   ##
==========================================
- Coverage   89.01%   89.00%   -0.02%     
==========================================
  Files         451      451              
  Lines       39123    39172      +49     
  Branches     5532     5550      +18     
==========================================
+ Hits        34827    34864      +37     
- Misses       2368     2370       +2     
- Partials     1928     1938      +10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

david-livefront
david-livefront reviewed Dec 2, 2024
View reviewed changes
app/src/main/java/com/x8bit/bitwarden/data/autofill/manager/AutofillTotpManagerImpl.kt Outdated
.value
?.activeAccount
?.getOrganizationPremiumStatusMap()
?: emptyMap()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just do orEmpty()

david-livefront
david-livefront reviewed Dec 2, 2024
View reviewed changes
app/src/main/java/com/x8bit/bitwarden/ui/vault/feature/vault/util/VaultDataExtensions.kt Outdated
val organizationOwnedTotpItems = totpItemsGroupedByOwnership[true]
?.filter {
it.login?.totp != null &&
(organizationPremiumStatusMap[it.id] == true || it.organizationUseTotp)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Formatting here

david-livefront
david-livefront reviewed Dec 2, 2024
View reviewed changes
app/src/main/java/com/x8bit/bitwarden/ui/vault/feature/vault/util/VaultDataExtensions.kt Outdated
it.login?.totp != null &&
(organizationPremiumStatusMap[it.id] == true || it.organizationUseTotp)
}
?: emptyList()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we do more orEmpty()s

@dseverns-livefront dseverns-livefront added this pull request to the merge queue Dec 2, 2024
Merged via the queue into main with commit 819cc62 Dec 2, 2024
9 checks passed
@dseverns-livefront dseverns-livefront deleted the PM-14995-premium-org-hide-totp branch December 2, 2024 20:30
@cksapp cksapp mentioned this pull request Jan 24, 2025
Closed
1 task
@bsteimel
Copy link

This feature is in direct violation to the outline of your user agreements and feature list.

"Storage of keys is available to all accounts, however TOTP code generation requires Premium or membership to a paid organization (Families, Teams, or Enterprise)." https://bitwarden.com/help/integrated-authenticator/

OR not AND

@JaggedJax
Copy link

JaggedJax commented Jan 27, 2025
edited
Loading

@dseverns-livefront @SaintPatrck this PR goes against all of the copy on the Bitwarden website[1][2] and removes access to TOTP codes for paid customers with ZERO notice. This needs to be reverted.

image

[1]https://bitwarden.com/help/about-organizations/#comparing-organizations-with-premium
[2]https://bitwarden.com/help/integrated-authenticator/

dseverns-livefront added a commit that referenced this pull request Jan 27, 2025
@dseverns-livefront
Revert "PM-14995 Hide TOTP for non premium org items even if individu…
c5dcc9b 
…al user has premium account (#4390)"

This reverts commit 819cc62
dseverns-livefront added a commit that referenced this pull request Jan 27, 2025
@dseverns-livefront
Revert "PM-14995 Hide TOTP for non premium org items even if individu…
afd5fa9 
…al user has premium account (#4390)"

This reverts commit 819cc62

fix after revert

formatting
@dseverns-livefront dseverns-livefront mentioned this pull request Jan 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SaintPatrck SaintPatrck SaintPatrck approved these changes

@brian-livefront brian-livefront Awaiting requested review from brian-livefront brian-livefront is a code owner

@ahaisting-livefront ahaisting-livefront Awaiting requested review from ahaisting-livefront ahaisting-livefront is a code owner

@phil-livefront phil-livefront Awaiting requested review from phil-livefront phil-livefront is a code owner

@david-livefront david-livefront Awaiting requested review from david-livefront david-livefront is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dseverns-livefront @bsteimel @JaggedJax @SaintPatrck @david-livefront