PM-26577: Support multiple schemes for Duo, WebAuthn, and SSO callbacks

Author: david-livefront

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DuoUtils.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.repository.util
 import android.content.Intent
 import android.net.Uri
 import androidx.browser.auth.AuthTabIntent
+import androidx.core.net.toUri
 import com.bitwarden.annotation.OmitFromCoverage
 
 private const val BITWARDEN_EU_HOST: String = "bitwarden.eu"
@@ -78,6 +79,14 @@ private fun Uri?.getDuoCallbackTokenResult(): DuoCallbackTokenResult {
     }
 }
 
+/**
+ * Generates a [Uri] to display a duo challenge for Bitwarden authentication.
+ */
+fun generateUriForDuo(
+    authUrl: String,
+    appLinksScheme: String,
+): Uri = "$authUrl&deeplinkScheme=$appLinksScheme".toUri()
+
 /**
  * Sealed class representing the result of Duo callback token extraction.
  */

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/SsoUtils.kt

@@ -17,25 +17,26 @@ private const val APP_LINK_SCHEME: String = "https"
 private const val DEEPLINK_SCHEME: String = "bitwarden"
 private const val CALLBACK: String = "sso-callback"
 
-const val SSO_URI: String = "bitwarden://$CALLBACK"
-
 /**
  * Generates a URI for the SSO custom tab.
  *
  * @param identityBaseUrl The base URl for the identity service.
+ * @param redirectUrl The redirect URI used in the SSO request.
  * @param organizationIdentifier The SSO organization identifier.
  * @param token The prevalidated SSO token.
  * @param state Random state used to verify the validity of the response.
  * @param codeVerifier A random string used to generate the code challenge.
  */
+@Suppress("LongParameterList")
 fun generateUriForSso(
     identityBaseUrl: String,
+    redirectUrl: String,
     organizationIdentifier: String,
     token: String,
     state: String,
     codeVerifier: String,
 ): Uri {
-    val redirectUri = URLEncoder.encode(SSO_URI, "UTF-8")
+    val redirectUri = URLEncoder.encode(redirectUrl, "UTF-8")
     val encodedOrganizationIdentifier = URLEncoder.encode(organizationIdentifier, "UTF-8")
     val encodedToken = URLEncoder.encode(token, "UTF-8")
 

app/src/main/kotlin/com/x8bit/bitwarden/data/auth/repository/util/WebAuthUtils.kt

@@ -8,7 +8,6 @@ import com.bitwarden.annotation.OmitFromCoverage
 import kotlinx.serialization.json.JsonObject
 import kotlinx.serialization.json.buildJsonObject
 import kotlinx.serialization.json.put
-import java.net.URLEncoder
 import java.util.Base64
 
 private const val BITWARDEN_EU_HOST: String = "bitwarden.eu"
@@ -17,8 +16,6 @@ private const val APP_LINK_SCHEME: String = "https"
 private const val DEEPLINK_SCHEME: String = "bitwarden"
 private const val CALLBACK: String = "webauthn-callback"
 
-private const val CALLBACK_URI = "bitwarden://$CALLBACK"
-
 /**
  * Retrieves an [WebAuthResult] from an [Intent]. There are three possible cases.
  *
@@ -79,29 +76,31 @@ private fun Uri?.getWebAuthResult(): WebAuthResult =
 /**
  * Generates a [Uri] to display a web authn challenge for Bitwarden authentication.
  */
+@Suppress("LongParameterList")
 fun generateUriForWebAuth(
     baseUrl: String,
+    callbackScheme: String,
     data: JsonObject,
     headerText: String,
     buttonText: String,
     returnButtonText: String,
 ): Uri {
     val json = buildJsonObject {
-        put(key = "callbackUri", value = CALLBACK_URI)
         put(key = "data", value = data.toString())
         put(key = "headerText", value = headerText)
         put(key = "btnText", value = buttonText)
         put(key = "btnReturnText", value = returnButtonText)
+        put(key = "mobile", value = true)
     }
     val base64Data = Base64
         .getEncoder()
         .encodeToString(json.toString().toByteArray(Charsets.UTF_8))
-    val parentParam = URLEncoder.encode(CALLBACK_URI, "UTF-8")
     val url = baseUrl +
         "/webauthn-mobile-connector.html" +
         "?data=$base64Data" +
-        "&parent=$parentParam" +
-        "&v=2"
+        "&client=mobile" +
+        "&v=2" +
+        "&deeplinkScheme=$callbackScheme"
     return url.toUri()
 }
 

app/src/main/kotlin/com/x8bit/bitwarden/ui/auth/feature/enterprisesignon/EnterpriseSignOnViewModel.kt

@@ -4,8 +4,10 @@ import android.net.Uri
 import android.os.Parcelable
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.viewModelScope
+import com.bitwarden.data.repository.util.appLinksScheme
 import com.bitwarden.data.repository.util.baseIdentityUrl
 import com.bitwarden.data.repository.util.baseWebVaultUrlOrDefault
+import com.bitwarden.data.repository.util.ssoAppLinksRedirectUrl
 import com.bitwarden.ui.platform.base.BaseViewModel
 import com.bitwarden.ui.platform.resource.BitwardenString
 import com.bitwarden.ui.util.Text
@@ -14,7 +16,6 @@ import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
 import com.x8bit.bitwarden.data.auth.repository.model.PrevalidateSsoResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifiedOrganizationDomainSsoDetailsResult
-import com.x8bit.bitwarden.data.auth.repository.util.SSO_URI
 import com.x8bit.bitwarden.data.auth.repository.util.SsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.generateUriForSso
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManager
@@ -342,14 +343,13 @@ class EnterpriseSignOnViewModel @Inject constructor(
                 if (ssoCallbackResult.state == ssoData.state) {
                     showLoading()
                     viewModelScope.launch {
-                        val result = authRepository
-                            .login(
-                                email = savedStateHandle.toEnterpriseSignOnArgs().emailAddress,
-                                ssoCode = ssoCallbackResult.code,
-                                ssoCodeVerifier = ssoData.codeVerifier,
-                                ssoRedirectUri = SSO_URI,
-                                organizationIdentifier = state.orgIdentifierInput,
-                            )
+                        val result = authRepository.login(
+                            email = savedStateHandle.toEnterpriseSignOnArgs().emailAddress,
+                            ssoCode = ssoCallbackResult.code,
+                            ssoCodeVerifier = ssoData.codeVerifier,
+                            ssoRedirectUri = ssoData.redirectUri,
+                            organizationIdentifier = state.orgIdentifierInput,
+                        )
                         sendAction(EnterpriseSignOnAction.Internal.OnLoginResult(result))
                     }
                 } else {
@@ -385,18 +385,22 @@ class EnterpriseSignOnViewModel @Inject constructor(
     ) {
         val codeVerifier = generatorRepository.generateRandomString(RANDOM_STRING_LENGTH)
 
+        val environmentData = environmentRepository.environment.environmentUrlData
+        val redirectUrl = environmentData.ssoAppLinksRedirectUrl
         // Save this for later so that we can validate the SSO callback response
         val generatedSsoState = generatorRepository
             .generateRandomString(RANDOM_STRING_LENGTH)
             .also {
                 ssoResponseData = SsoResponseData(
+                    redirectUri = redirectUrl,
                     codeVerifier = codeVerifier,
                     state = it,
                 )
             }
 
         val uri = generateUriForSso(
-            identityBaseUrl = environmentRepository.environment.environmentUrlData.baseIdentityUrl,
+            identityBaseUrl = environmentData.baseIdentityUrl,
+            redirectUrl = redirectUrl,
             organizationIdentifier = organizationIdentifier,
             token = prevalidateSsoResult.token,
             state = generatedSsoState,
@@ -408,7 +412,7 @@ class EnterpriseSignOnViewModel @Inject constructor(
         sendAction(
             EnterpriseSignOnAction.Internal.OnGenerateUriForSsoResult(
                 uri = uri,
-                scheme = "bitwarden",
+                scheme = environmentData.appLinksScheme,
             ),
         )
     }
@@ -612,13 +616,15 @@ sealed class EnterpriseSignOnAction {
 /**
  * Data needed by the SSO flow to verify and continue the process after receiving a response.
  *
+ * @property redirectUri The redirect URI used in the SSO request.
  * @property state A "state" maintained throughout the SSO process to verify that the response from
  * the server is valid and matches what was originally sent in the request.
  * @property codeVerifier A random string used to generate the code challenge for the initial SSO
  * request.
  */
 @Parcelize
 data class SsoResponseData(
+    val redirectUri: String,
     val state: String,
     val codeVerifier: String,
 ) : Parcelable

app/src/main/kotlin/com/x8bit/bitwarden/ui/auth/feature/twofactorlogin/TwoFactorLoginViewModel.kt

@@ -6,6 +6,7 @@ import androidx.annotation.DrawableRes
 import androidx.core.net.toUri
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.viewModelScope
+import com.bitwarden.data.repository.util.appLinksScheme
 import com.bitwarden.data.repository.util.baseWebVaultUrlOrDefault
 import com.bitwarden.network.model.TwoFactorAuthMethod
 import com.bitwarden.network.model.TwoFactorDataModel
@@ -23,6 +24,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
 import com.x8bit.bitwarden.data.auth.repository.model.ResendEmailResult
 import com.x8bit.bitwarden.data.auth.repository.util.DuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.WebAuthResult
+import com.x8bit.bitwarden.data.auth.repository.util.generateUriForDuo
 import com.x8bit.bitwarden.data.auth.repository.util.generateUriForWebAuth
 import com.x8bit.bitwarden.data.auth.util.YubiKeyResult
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
@@ -173,71 +175,15 @@ class TwoFactorLoginViewModel @Inject constructor(
     }
 
     /**
-     * Navigates to the Duo webpage if appropriate, else processes the login.
+     * Navigates to the two-factor auth webpage if appropriate, else processes the login.
      */
-    @Suppress("LongMethod")
     private fun handleContinueButtonClick() {
         when (state.authMethod) {
             TwoFactorAuthMethod.DUO,
             TwoFactorAuthMethod.DUO_ORGANIZATION,
-                -> {
-                val authUrl = authRepository.twoFactorResponse.twoFactorDuoAuthUrl
-                // The url should not be empty unless the environment is somehow not supported.
-                authUrl
-                    ?.let {
-                        sendEvent(
-                            event = TwoFactorLoginEvent.NavigateToDuo(
-                                uri = it.toUri(),
-                                scheme = "bitwarden",
-                            ),
-                        )
-                    }
-                    ?: mutableStateFlow.update {
-                        @Suppress("MaxLineLength")
-                        it.copy(
-                            dialogState = TwoFactorLoginState.DialogState.Error(
-                                title = BitwardenString.an_error_has_occurred.asText(),
-                                message = BitwardenString
-                                    .error_connecting_with_the_duo_service_use_a_different_two_step_login_method_or_contact_duo_for_assistance
-                                    .asText(),
-                            ),
-                        )
-                    }
-            }
-
-            TwoFactorAuthMethod.WEB_AUTH -> {
-                sendEvent(
-                    event = authRepository
-                        .twoFactorResponse
-                        ?.authMethodsData
-                        ?.get(TwoFactorAuthMethod.WEB_AUTH)
-                        ?.let {
-                            val uri = generateUriForWebAuth(
-                                baseUrl = environmentRepository
-                                    .environment
-                                    .environmentUrlData
-                                    .baseWebVaultUrlOrDefault,
-                                data = it,
-                                headerText = resourceManager.getString(
-                                    resId = BitwardenString.fido2_title,
-                                ),
-                                buttonText = resourceManager.getString(
-                                    resId = BitwardenString.fido2_authenticate_web_authn,
-                                ),
-                                returnButtonText = resourceManager.getString(
-                                    resId = BitwardenString.fido2_return_to_app,
-                                ),
-                            )
-                            TwoFactorLoginEvent.NavigateToWebAuth(uri = uri, scheme = "bitwarden")
-                        }
-                        ?: TwoFactorLoginEvent.ShowSnackbar(
-                            message = BitwardenString
-                                .there_was_an_error_starting_web_authn_two_factor_authentication
-                                .asText(),
-                        ),
-                )
-            }
+                -> handleDuoContinueButtonClick()
 
+            TwoFactorAuthMethod.WEB_AUTH -> handleWebAuthnContinueButtonClick()
             TwoFactorAuthMethod.AUTHENTICATOR_APP,
             TwoFactorAuthMethod.EMAIL,
             TwoFactorAuthMethod.YUBI_KEY,
@@ -248,6 +194,73 @@ class TwoFactorLoginViewModel @Inject constructor(
         }
     }
 
+    /**
+     * Navigates to the Duo webpage if appropriate, or displays the error dialog.
+     */
+    private fun handleDuoContinueButtonClick() {
+        // The url should not be empty unless the environment is somehow not supported.
+        authRepository
+            .twoFactorResponse
+            .twoFactorDuoAuthUrl
+            ?.let {
+                val environmentData = environmentRepository.environment.environmentUrlData
+                val appLinksScheme = environmentData.appLinksScheme
+                sendEvent(
+                    event = TwoFactorLoginEvent.NavigateToDuo(
+                        uri = generateUriForDuo(authUrl = it, appLinksScheme = appLinksScheme),
+                        scheme = appLinksScheme,
+                    ),
+                )
+            }
+            ?: mutableStateFlow.update {
+                @Suppress("MaxLineLength")
+                it.copy(
+                    dialogState = TwoFactorLoginState.DialogState.Error(
+                        title = BitwardenString.an_error_has_occurred.asText(),
+                        message = BitwardenString
+                            .error_connecting_with_the_duo_service_use_a_different_two_step_login_method_or_contact_duo_for_assistance
+                            .asText(),
+                    ),
+                )
+            }
+    }
+
+    /**
+     * Navigates to the Web Authn webpage if appropriate, or displays the error snackbar.
+     */
+    private fun handleWebAuthnContinueButtonClick() {
+        sendEvent(
+            event = authRepository
+                .twoFactorResponse
+                ?.authMethodsData
+                ?.get(TwoFactorAuthMethod.WEB_AUTH)
+                ?.let {
+                    val environmentData = environmentRepository.environment.environmentUrlData
+                    val appLinksScheme = environmentData.appLinksScheme
+                    val uri = generateUriForWebAuth(
+                        baseUrl = environmentData.baseWebVaultUrlOrDefault,
+                        callbackScheme = appLinksScheme,
+                        data = it,
+                        headerText = resourceManager.getString(
+                            resId = BitwardenString.fido2_title,
+                        ),
+                        buttonText = resourceManager.getString(
+                            resId = BitwardenString.fido2_authenticate_web_authn,
+                        ),
+                        returnButtonText = resourceManager.getString(
+                            resId = BitwardenString.fido2_return_to_app,
+                        ),
+                    )
+                    TwoFactorLoginEvent.NavigateToWebAuth(uri = uri, scheme = appLinksScheme)
+                }
+                ?: TwoFactorLoginEvent.ShowSnackbar(
+                    message = BitwardenString
+                        .there_was_an_error_starting_web_authn_two_factor_authentication
+                        .asText(),
+                ),
+        )
+    }
+
     /**
      * Dismiss the view.
      */

app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/util/DuoUtilsTest.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.auth.repository.util
 
 import android.content.Intent
+import android.net.Uri
 import io.mockk.every
 import io.mockk.mockk
 import org.junit.jupiter.api.Assertions.assertEquals
@@ -9,6 +10,14 @@ import org.junit.jupiter.api.assertNull
 
 class DuoUtilsTest {
 
+    @Test
+    fun `generateUriForDuo should return a valid URI`() {
+        val authUrl = "https://vault.bitwarden.com"
+        val appLinksScheme = "https"
+        val actualUri = generateUriForDuo(authUrl = authUrl, appLinksScheme = appLinksScheme)
+        assertEquals(Uri.parse("$authUrl&deeplinkScheme=$appLinksScheme"), actualUri)
+    }
+
     @Test
     fun `getDuoCallbackTokenResult should return null when action is not VIEW`() {
         val intent = mockk<Intent> {