Add support for setting password

bitwarden · Apr 12, 2024 · b38f25e · b38f25e
1 parent b611974
commit b38f25e
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 5 deletions.
diff --git a/crates/bitwarden-uniffi/src/auth/mod.rs b/crates/bitwarden-uniffi/src/auth/mod.rs
@@ -1,8 +1,8 @@
 use std::sync::Arc;
 
 use bitwarden::auth::{
-    password::MasterPasswordPolicyOptions, AuthRequestResponse, RegisterKeyResponse,
-    RegisterTdeKeyResponse,
+    password::{MasterPasswordPolicyOptions, SetPasswordResponse},
+    AuthRequestResponse, RegisterKeyResponse, RegisterTdeKeyResponse,
 };
 use bitwarden_crypto::{AsymmetricEncString, HashPurpose, Kdf, TrustDeviceResponse};
 
@@ -149,4 +149,18 @@ impl ClientAuth {
     pub async fn trust_device(&self) -> Result<TrustDeviceResponse> {
         Ok(self.0 .0.write().await.auth().trust_device()?)
     }
+
+    /// Set a new password for the user.
+    ///
+    /// Presumes that the user is logged in using a username, and has crypto initialized.
+    pub async fn set_password(&self, new_password: String) -> Result<SetPasswordResponse> {
+        Ok(self
+            .0
+             .0
+            .write()
+            .await
+            .auth()
+            .set_password(new_password)
+            .await?)
+    }
 }
diff --git a/crates/bitwarden/src/auth/client_auth.rs b/crates/bitwarden/src/auth/client_auth.rs
@@ -1,6 +1,7 @@
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{AsymmetricEncString, DeviceKey, TrustDeviceResponse};
 
+use super::password::{set_password, SetPasswordResponse};
 #[cfg(feature = "mobile")]
 use crate::auth::login::NewAuthRequestResponse;
 #[cfg(feature = "secrets")]
@@ -134,6 +135,10 @@ impl<'a> ClientAuth<'a> {
     pub fn trust_device(&self) -> Result<TrustDeviceResponse> {
         trust_device(self.client)
     }
+
+    pub async fn set_password(&self, password: String) -> Result<SetPasswordResponse> {
+        set_password(self.client, password).await
+    }
 }
 
 #[cfg(feature = "mobile")]

diff --git a/crates/bitwarden/src/auth/password/mod.rs b/crates/bitwarden/src/auth/password/mod.rs
@@ -7,3 +7,9 @@ pub(crate) use validate::validate_password;
 pub(crate) use validate::validate_password_user_key;
 mod strength;
 pub(crate) use strength::password_strength;
+#[cfg(feature = "internal")]
+mod set;
+#[cfg(feature = "internal")]
+pub(crate) use set::set_password;
+#[cfg(feature = "internal")]
+pub use set::SetPasswordResponse;
diff --git a/crates/bitwarden/src/auth/password/set.rs b/crates/bitwarden/src/auth/password/set.rs
@@ -0,0 +1,43 @@
+use bitwarden_crypto::{EncString, HashPurpose, MasterKey};
+
+use crate::{
+    client::{LoginMethod, UserLoginMethod},
+    error::{Error, Result},
+    Client,
+};
+
+#[cfg_attr(feature = "mobile", derive(uniffi::Record))]
+pub struct SetPasswordResponse {
+    // Password hash for server authentication
+    password_hash: String,
+    // MasterKey (password) protected user key
+    protected_user_key: EncString,
+}
+
+pub(crate) async fn set_password(client: &Client, password: String) -> Result<SetPasswordResponse> {
+    let user_key = client
+        .get_encryption_settings()?
+        .get_key(&None)
+        .ok_or(Error::VaultLocked)?;
+
+    let login_method = client
+        .get_login_method()
+        .as_ref()
+        .ok_or(Error::NotAuthenticated)?;
+
+    let (email, kdf) = match login_method {
+        LoginMethod::User(
+            UserLoginMethod::Username { email, kdf, .. }
+            | UserLoginMethod::ApiKey { email, kdf, .. },
+        ) => (email, kdf),
+        _ => return Err(Error::NotAuthenticated),
+    };
+
+    let master_key = MasterKey::derive(password.as_bytes(), email.as_bytes(), kdf)?;
+
+    Ok(SetPasswordResponse {
+        password_hash: master_key
+            .derive_master_key_hash(password.as_bytes(), HashPurpose::ServerAuthorization)?,
+        protected_user_key: master_key.encrypt_user_key(user_key)?,
+    })
+}
diff --git a/crates/bitwarden/src/mobile/client_kdf.rs b/crates/bitwarden/src/mobile/client_kdf.rs
@@ -14,7 +14,7 @@ impl<'a> ClientKdf<'a> {
         kdf_params: Kdf,
         purpose: HashPurpose,
     ) -> Result<String> {
-        hash_password(self.client, email, password, kdf_params, purpose).await
+        hash_password(self.client, email, password, &kdf_params, purpose).await
     }
 }
 

diff --git a/crates/bitwarden/src/mobile/kdf.rs b/crates/bitwarden/src/mobile/kdf.rs
@@ -6,10 +6,10 @@ pub async fn hash_password(
     _client: &Client,
     email: String,
     password: String,
-    kdf_params: Kdf,
+    kdf_params: &Kdf,
     purpose: HashPurpose,
 ) -> Result<String> {
-    let master_key = MasterKey::derive(password.as_bytes(), email.as_bytes(), &kdf_params)?;
+    let master_key = MasterKey::derive(password.as_bytes(), email.as_bytes(), kdf_params)?;
 
     Ok(master_key.derive_master_key_hash(password.as_bytes(), purpose)?)
 }