[PM-11462] [Defect] Getting MP re-prompt on edit

[alec-livefront]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-11462?atlOrigin=eyJpIjoiYmJiMDhjNzQyNjk0NGEyY2ExYzNlYTMwMjI3YjFjNmMiLCJwIjoiaiJ9

📔 Objective

• Prevent MP re-prompt when an item is edited from the view dialog
• Maintains MP re-prompt when an item is edited directly from URL (action="edit" in URL when page is loaded)
• Adds MP re-prompt protection for when a user clones an item (otherwise the accessible clone copied to sensitive info and you could bypass the MP re-prompt)

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 43 lines in your changes missing coverage. Please review.

Project coverage is 35.04%. Comparing base (5f25bd9) to head (3557e46).
Report is 13 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...pps/web/src/app/vault/org-vault/vault.component.ts	0.00%	23 Missing ⚠️
.../src/app/vault/individual-vault/vault.component.ts	0.00%	20 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10836      +/-   ##
==========================================
- Coverage   35.05%   35.04%   -0.01%     
==========================================
  Files        2711     2711              
  Lines       84576    84595      +19     
  Branches    16069    16075       +6     
==========================================
  Hits        29649    29649              
- Misses      53956    53975      +19     
  Partials      971      971              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – 8ed43dcc-1db1-433c-acf2-09df68709ece

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Client_Privacy_Violation	/libs/tools/send/send-ui/src/send-form/components/options/send-options.component.ts: 51	Attack Vector
	Client_Privacy_Violation	/libs/tools/send/send-ui/src/send-form/components/options/send-options.component.ts: 51	Attack Vector

[shane-melton]

I think we could simplify this a bit to make things easier to understand, especially when we have to come back in an remove the extension-refresh feature flag . Let me know what you think!

[shane-melton]

🎨 Instead of having to check this feature flag multiple times and track the reason for the negation, could we instead pass in an argument to skip the password re-prompt (e.g. skipReprompt: boolean = false). Then, the viewCipherById callback can pass in true while the queryParams subscription above can remain unchanged (default to always re-prompting). What do you think?

[shane-melton]

🎨 Same here, if we add a skipReprompt argument that defaults to false we should be able to leave everything else alone except the viewCipherById() edit action where we would pass in true (since we know they already passed the re-prompt)

[shane-melton]

❓ Why do we need this in the org vault and not the individual vault?

[alec-livefront]

I was able to eliminate this in the rewrite.

[alec-livefront]

@shane-melton I've reworked this based on your suggestion of adding a skipMPReprompt argument.

I noticed an issue that was present in the original work as well: if you were to close the re-prompt dialog the edit dialog would still open. I believe this is because the editCipher is called an additional time when the URL changes. I was able to avoid this by setting a passwordRePromptCancelled flag, but I'm not sure if that's the appropriate approach. Let me know what you think.

[alec-livefront]

Will be handled by the changes in PM-12389