Auth/pm 17111/add browser to list of approving clients (#5792)

* feat(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Initial changes. * feat(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Updated tests. * test(update-auth-approving-clients): [PM-17111] Add Browser to List of Approving Clients - Strengthened tests.
2025-07-01 16:12:49 -05:00 · 2025-05-13 15:43:11 -04:00
parent 5700347e08
commit dd2ea41b74
4 changed files with 74 additions and 28 deletions
--- a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
+++ b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
@ -6,6 +6,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Utilities;
 using Bit.Identity.Utilities;

 namespace Bit.Identity.IdentityServer;
@ -24,7 +25,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder

    private UserDecryptionOptions _options = new UserDecryptionOptions();
    private User? _user;
-    private Core.Auth.Entities.SsoConfig? _ssoConfig;
+    private SsoConfig? _ssoConfig;
    private Device? _device;

    public UserDecryptionOptionsBuilder(
@ -45,7 +46,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
        return this;
    }

-    public IUserDecryptionOptionsBuilder WithSso(Core.Auth.Entities.SsoConfig ssoConfig)
+    public IUserDecryptionOptionsBuilder WithSso(SsoConfig ssoConfig)
    {
        _ssoConfig = ssoConfig;
        return this;
@ -119,8 +120,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
            // their current device.
            // NOTE: this doesn't check for if the users have configured the devices to be capable of approving requests as that is a client side setting.
            hasLoginApprovingDevice = allDevices
-                .Where(d => d.Identifier != _device.Identifier && LoginApprovingDeviceTypes.Types.Contains(d.Type))
-                .Any();
+                .Any(d => d.Identifier != _device.Identifier && LoginApprovingClientTypes.TypesThatCanApprove.Contains(DeviceTypes.ToClientType(d.Type)));
        }

        // Determine if user has manage reset password permission as post sso logic requires it for forcing users with this permission to set a MP
--- a/src/Identity/Utilities/LoginApprovingClientTypes.cs
+++ b/src/Identity/Utilities/LoginApprovingClientTypes.cs
@ -0,0 +1,22 @@
+using Bit.Core.Enums;
+
+namespace Bit.Identity.Utilities;
+
+public static class LoginApprovingClientTypes
+{
+    private static readonly IReadOnlyCollection<ClientType> _clientTypesThatCanApprove;
+
+    static LoginApprovingClientTypes()
+    {
+        var clientTypes = new List<ClientType>
+        {
+            ClientType.Desktop,
+            ClientType.Mobile,
+            ClientType.Web,
+            ClientType.Browser,
+        };
+        _clientTypesThatCanApprove = clientTypes.AsReadOnly();
+    }
+
+    public static IReadOnlyCollection<ClientType> TypesThatCanApprove => _clientTypesThatCanApprove;
+}
--- a/src/Identity/Utilities/LoginApprovingDeviceTypes.cs
+++ b/src/Identity/Utilities/LoginApprovingDeviceTypes.cs
@ -1,20 +0,0 @@
-using Bit.Core.Enums;
-using Bit.Core.Utilities;
-
-namespace Bit.Identity.Utilities;
-
-public static class LoginApprovingDeviceTypes
-{
-    private static readonly IReadOnlyCollection<DeviceType> _deviceTypes;
-
-    static LoginApprovingDeviceTypes()
-    {
-        var deviceTypes = new List<DeviceType>();
-        deviceTypes.AddRange(DeviceTypes.DesktopTypes);
-        deviceTypes.AddRange(DeviceTypes.MobileTypes);
-        deviceTypes.AddRange(DeviceTypes.BrowserTypes);
-        _deviceTypes = deviceTypes.AsReadOnly();
-    }
-
-    public static IReadOnlyCollection<DeviceType> Types => _deviceTypes;
-}