[PM-18721][PM-21272] Integrate InputPasswordComponent in AccountRecoveryDialogComponent

[rr-bw]

🎟️ Tracking

PM-18721
PM-21272

This PR stacks on top of these two PRs:

• [PM-18721][PM-21271] Integrate InputPasswordComponent in EmergencyAccessTakeoverDialogComponent #14636
• [PM-18458] Create new ChangePasswordComponent #14226

📔 Objective

This PR integrates the InputPasswordComponent within the AccountRecoveryDialogComponent (formerly called ResetPasswordComponent).

The result is that:

• The InputPasswordComponent will now handle form field UI display and validation that is common to all of our set/change password flows
• The AccountRecoveryDialogComponent will now just be responsible for displaying the dialog and calling resetPasswordService.resetMasterPassword() to perform the password reset operation.

The showing of the new dialog component is behind the PM16117_ChangeExistingPasswordRefactor feature flag.

📸 Screenshots

PM16117_ChangeExistingPasswordRefactor flag ON ✅

account-recovery-flag-on.mov

PM16117_ChangeExistingPasswordRefactor flag OFF ❌

account-recovery-flag-off.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 61 lines in your changes missing coverage. Please review.

Project coverage is 36.79%. Comparing base (18b7d46) to head (d562acc).
Report is 34 commits behind head on auth/pm-18721/integrate-input-password-component-in-dialogs.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...ount-recovery/account-recovery-dialog.component.ts	0.00%	47 Missing ⚠️
...console/organizations/members/members.component.ts	0.00%	12 Missing ⚠️
...app/admin-console/common/base-members.component.ts	0.00%	1 Missing ⚠️
...tions/members/components/account-recovery/index.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@                                       Coverage Diff                                       @@
##           auth/pm-18721/integrate-input-password-component-in-dialogs   #14662      +/-   ##
===============================================================================================
+ Coverage                                                        36.26%   36.79%   +0.52%     
===============================================================================================
  Files                                                             3203     3202       -1     
  Lines                                                            93461    92906     -555     
  Branches                                                         16864    13950    -2914     
===============================================================================================
+ Hits                                                             33897    34184     +287     
- Misses                                                           57115    57316     +201     
+ Partials                                                          2449     1406    -1043     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – bf9609a8-db1b-4021-9bab-cbf6a84a3036

New Issues (3)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Cxbb85e86c-2fac	Npm-esbuild-0.23.0	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: F%2Fgr9uMAqxJyLibeUtBDNowYER4I%2B3OAMHUxeFYuTvI%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.21.5	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: GA1sDg9c%2B7CNB%2BshyjM1MqbpTP6R5aa%2Fjurbt6HYTzU%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-wasm-0.23.0	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: Xw%2FLg2nMZISvbniEoXOWe5IvnyW%2BNqqWzgrq2DQfkZE%3D Vulnerable Package

[pamperer562580892423]

Mere mortal user here again. - I don't know if it's intentional, but the password generator component in the "Recover account" dialog (shown in the first 20 seconds of the video) doesn't contain a "Check for Data breaches"-button, like it is shown and available in the browser extension after a password was generated:

[eliykat]

What's the plan for managing your branches - are they being merged into main one-at-a-time in order, or are they all getting merged down into a single feature branch? I ask because usually feature flags remove the need for large feature branches.

EDIT: also, please review CI failures.

[eliykat]

masterPasswordPolicyOptions is now unused.

[rr-bw]

5d7ceac

[eliykat]

There is a potential race condition here: inputPasswordComponent.submit() ends by emitting an event that calls handlePasswordFormSubmit, not by calling it directly. That's good design, but it means that await this.inputPasswordComponent.submit() is not going to await the execution of handlePasswordFormSubmit as well. The race condition is whether or not receivedPasswordInputResult is updated by handlePasswordFormSubmit before it's read by handlePrimaryButtonClick.

This also means that this.submitting is not going to be accurate, although it's possible that it's near enough at the moment (especially running locally with zero latency) that it's not noticeable.

This all seems to be in service of the this.submitting behaviour, but we avoid this pattern these days in favour of the Async Actions tools in the component library. So I actually think you can avoid this problem altogether by using the CL.

Your parent-child situation is slightly unusual so if the CL isn't helping, I recommend reaching out to the UI Foundations team to see how to adapt it to your situation.

[rr-bw]

I posted on the UIF team channel and it looks like Async Actions won't handle this. You can see that thread here if you'd like.

So our solution is to handle parent/child submit state reactively, like so: 1fccdde

[eliykat]

Similarly, I think the CL should replace all of this manual handling around the loading spinner.

[rr-bw]

See my comment above: #14662 (comment)

[eliykat]

Nit: please use an early return rather than nesting with else.

[rr-bw]

53d4a14?diff=split&w=1 (whitespace hidden)

[rr-bw]

@eliykat

What's the plan for managing your branches - are they being merged into main one-at-a-time in order, or are they all getting merged down into a single feature branch? I ask because usually feature flags remove the need for large feature branches.

• [PM-18721][PM-21272] Integrate InputPasswordComponent in AccountRecoveryDialogComponent #14662 (This PR)
  • Will be merged to main directly, after PM-14636 has been merged, because it doesn't have meaningful changes outside of the feature flag
• [PM-18721][PM-21271] Integrate InputPasswordComponent in EmergencyAccessTakeoverDialogComponent #14636
  • Will be tested on a feature branch because it has meaningful changes that leak outside the feature flag
• [PM-18458] Create new ChangePasswordComponent #14226
  • Has been merged to main and fully tested

[eliykat]

You've fixed the race condition, but I think this is still a lot of boilerplate just to handle a form submission. I assume this would have to be repeated in every parent component that wants to use this child component.

Does the child need to know about the form submit state at all? The submission process starts when handlePrimaryButtonClick is called, and it ends when handlePasswordFormSubmit is finished, or if the child emits an error. If that's the case, the parent should be able to handle all of that by itself, which is also better design because the parent owns the form.

---

💭 I also like the suggestion in Slack:

Directly referencing a component is highly discouraged. Could you instead invert the relationship so that the action happens in the parent?

It does feel a bit unusual that the child is handling the parent's submit action. There's quite a bit of logic in that child component, what if it were extracted to a service that the parent could call (thereby handling its own form submission), and the child is more presentational, simply emitting form values? That's a fairly large change so it doesn't need to be done in this PR (if at all), just mentioning it as feedback.

[rr-bw]

The submission process starts when handlePrimaryButtonClick is called, and it ends when handlePasswordFormSubmit is finished, or if the child emits an error. If that's the case, the parent should be able to handle all of that by itself

The submit process can also end if the child returns early, without emitting. That means handlePasswordFormSubmit would never get called in the parent, leaving is in a perpetual "submitting" state.

That is, if we merely set submitting to true in handlePrimaryButtonClick, and then set it to false in handlePasswordFormSubmit, then that false set would never get called in a case where InputPasswordComponent.submit() returns early without emitting. That's the case I was trying to solve in my previous implementation here (but had the race condition).

cc: @JaredSnider-Bitwarden let me know if you have any other thoughts on this.

[rr-bw]

There's quite a bit of logic in that child component, what if it were extracted to a service that the parent could call (thereby handling its own form submission), and the child is more presentational, simply emitting form values? That's a fairly large change so it doesn't need to be done in this PR (if at all), just mentioning it as feedback.

Yea the InputPasswordComponent has grown in scope over time. I will do a retro soon to investigate if/how we could potentially refactor things.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rr-bw]

Mere mortal user here again. - I don't know if it's intentional, but the password generator component in the "Recover account" dialog (shown in the first 20 seconds of the video) doesn't contain a "Check for Data breaches"-button, like it is shown and available in the browser extension after a password was generated:

Thanks again! @pamperer562580892423

I've raised the question to our Product team.

[rr-bw]

@eliykat

When I updated the organizationId property type from string to OrganizationId in the new AccountRecoveryDialogComponent (here), it meant I have to update the param type here in the resetPassword() method as well. Since that method is also used by the old ResetPasswordComponent, it means I had to make some changes to the old code (here and here).

Since I'd rather changes not leak outside the feature flag, would it be better for me to set the param type in resetPassword() to be orgId: string | OrganizationId -- and then cleanup when the flag is removed?

[pamperer562580892423]

Mere mortal user here again. - I don't know if it's intentional, but the password generator component in the "Recover account" dialog (shown in the first 20 seconds of the video) doesn't contain a "Check for Data breaches"-button, like it is shown and available in the browser extension after a password was generated:

Thanks again! @pamperer562580892423

I've raised the question to our Product team.

Thanks for that "update"! - And I think you have also seen by now, that the "Data breach checker" is also missing in the "Update Master Password" dialog (second part of the video).