Skip to content

[PM-32424] Send Access Enumeration protection#19422

Merged
ike-kottlowski merged 8 commits intomainfrom
auth/pm-32424/send-enumeration-protection
Mar 11, 2026
Merged

[PM-32424] Send Access Enumeration protection#19422
ike-kottlowski merged 8 commits intomainfrom
auth/pm-32424/send-enumeration-protection

Conversation

@ike-kottlowski
Copy link
Copy Markdown
Contributor

@ike-kottlowski ike-kottlowski commented Mar 6, 2026
edited
Loading

🎟️ Tracking

PM-32424

Server PR: bitwarden/server#7166
SDK PR: bitwarden/sdk-internal#821

📔 Objective

Improve enumeration protection of Sends

📸 Screenshots

@ike-kottlowski ike-kottlowski changed the title feat: remove reference to otp_invalid response since it is not used a… [PM-32424] Send Access Enumeration protection Mar 6, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 6, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Details8fccfffe-2a59-4b37-8bb1-f093d1a0cea6

Fixed Issues (1) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/svg/svg.component.ts: 29

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 6, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.38%. Comparing base (25dda0c) to head (645b80c).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #19422   +/-   ##
=======================================
  Coverage   45.38%   45.38%           
=======================================
  Files        3764     3764           
  Lines      110717   110709    -8     
  Branches    16864    16860    -4     
=======================================
- Hits        50249    50247    -2     
+ Misses      58250    58244    -6     
  Partials     2218     2218

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

This was referenced Mar 6, 2026
Merged
Merged
@ike-kottlowski ike-kottlowski marked this pull request as ready for review March 6, 2026 19:29
@ike-kottlowski ike-kottlowski requested review from a team as code owners March 6, 2026 19:29
harr1424
harr1424 previously approved these changes Mar 6, 2026
View reviewed changes
@ike-kottlowski ike-kottlowski added ai-review Request a Claude code review labels Mar 6, 2026
JaredSnider-Bitwarden
JaredSnider-Bitwarden requested changes Mar 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, but a few more items to clean up 👇

@claude
Copy link
Copy Markdown
Contributor

claude bot commented Mar 9, 2026
edited
Loading

Claude finished @ike-kottlowski's task in 3m 5s —— View job

Code Review: PM-32424 Send Access Enumeration Protection

Reviewed commit: 645b80c (Merge branch 'main' into auth/pm-32424/send-enumeration-protection)
Previous review: March 9, 2026 -- this is a re-review after SDK update and test fix commits.

Summary

This PR improves Send access enumeration protection by removing client-side handling for otp_invalid and otp_generation_failed error types that the server no longer returns. Instead of sending a distinct "OTP invalid" response (which could leak whether an email was valid), the server now responds uniformly with email_and_otp_required, and the existing emailAndOtpRequired code paths already handle this correctly.

Changes reviewed:

  • libs/common/src/auth/send-access/types/invalid-grant-errors.type.ts -- Removed OtpInvalid, OtpGenerationFailed types and their type guard functions
  • apps/cli/src/tools/send/commands/receive.command.ts -- Removed otpInvalid error branch (which returned the same message as the emailAndOtpRequired branch)
  • apps/web/src/app/tools/send/send-access/send-auth.component.ts -- Removed otpInvalid error branch; the emailAndOtpRequired path correctly uses the otpSubmitted flag to show the error toast on re-submissions
  • libs/common/src/auth/send-access/services/default-send-token.service.spec.ts -- Removed "otp_invalid" and "otp_generation_failed" from test data
  • package.json / package-lock.json -- SDK bump from 0.2.0-main.589 to 0.2.0-main.590

Assessment

No critical or important issues found. The removal is clean and behavior is preserved:

  • In the web component, the emailAndOtpRequired handler at line 196 already shows the "invalidEmailOrVerificationCode" toast when otpSubmitted is true, matching the previous otpInvalid behavior exactly.
  • In the CLI, both the removed otpInvalid branch and the remaining emailAndOtpRequired branch returned the identical "Invalid email or verification code" message, so the consolidation is correct.
  • The type definitions and spec file were properly updated to remove the obsolete types.

Previously flagged (still outstanding): apps/cli/src/tools/send/commands/receive.command.spec.ts line 373-386 still contains a test referencing "otp_invalid" with as any. This test does not exercise any meaningful behavior (it only asserts isDefined). This was noted in the previous review.

Verdict: Approved ✅

JaredSnider-Bitwarden
JaredSnider-Bitwarden previously approved these changes Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

harr1424
harr1424 previously approved these changes Mar 9, 2026
View reviewed changes
mcamirault
mcamirault previously approved these changes Mar 10, 2026
View reviewed changes
@ike-kottlowski
Copy link
Copy Markdown
Contributor Author

ike-kottlowski commented Mar 10, 2026

Breaking changes from this SDK PR bitwarden/sdk-internal#829 blocks this from merging until this Clients PR is merged #19433.

@mzieniukbw mzieniukbw mentioned this pull request Mar 10, 2026
Merged
@mzieniukbw
Copy link
Copy Markdown
Contributor

mzieniukbw commented Mar 11, 2026

#19471 has been merged, should unblock now.

@quexten quexten mentioned this pull request Mar 11, 2026
Open
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 11, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ike-kottlowski ike-kottlowski merged commit c8c66a8 into main Mar 11, 2026
159 of 160 checks passed
@ike-kottlowski ike-kottlowski deleted the auth/pm-32424/send-enumeration-protection branch March 11, 2026 15:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcamirault mcamirault mcamirault approved these changes

@harr1424 harr1424 harr1424 approved these changes

@JaredSnider-Bitwarden JaredSnider-Bitwarden JaredSnider-Bitwarden approved these changes

Assignees

No one assigned

Labels

ai-review Request a Claude code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ike-kottlowski @mzieniukbw @mcamirault @harr1424 @JaredSnider-Bitwarden