PM-9660: Improve autofill extension flow with never lock (#757)

Author: matt-livefront

BitwardenShared/Core/Autofill/Services/AutofillCredentialService.swift

@@ -2,6 +2,8 @@ import AuthenticationServices
 import BitwardenSdk
 import OSLog
 
+// swiftlint:disable file_length
+
 /// A delegate to handle autofill credential service operations.
 protocol AutofillCredentialServiceDelegate: AnyObject {
     /// Attempts to unlock the user's vault with the stored neverlock key
@@ -16,12 +18,17 @@ protocol AutofillCredentialService: AnyObject {
     ///
     /// - Parameters:
     ///   - id: The identifier of the user-requested credential to return.
+    ///   - autofillCredentialServiceDelegate: Delegate for autofill credential operations.
     ///   - repromptPasswordValidated: `true` if master password reprompt was required for the
     ///     cipher and the user's master password was validated.
     /// - Returns: A `ASPasswordCredential` that matches the user-requested credential which can be
     ///     used for autofill.
     ///
-    func provideCredential(for id: String, repromptPasswordValidated: Bool) async throws -> ASPasswordCredential
+    func provideCredential(
+        for id: String,
+        autofillCredentialServiceDelegate: AutofillCredentialServiceDelegate,
+        repromptPasswordValidated: Bool
+    ) async throws -> ASPasswordCredential
 
     /// Provides a Fido2 credential for a passkey request
     /// - Parameters:
@@ -203,10 +210,28 @@ class DefaultAutofillCredentialService {
             errorReporter.log(error: error)
         }
     }
+
+    /// Attempts to unlock the user's vault if it can be done without user interaction (e.g. if
+    /// the user uses never lock).
+    ///
+    /// - Parameter delegate: The delegate used for autofill credential operations.
+    ///
+    private func tryUnlockVaultWithoutUserInteraction(delegate: AutofillCredentialServiceDelegate) async throws {
+        let userId = try await stateService.getActiveAccountId()
+        let isLocked = vaultTimeoutService.isLocked(userId: userId)
+        let vaultTimeout = try? await vaultTimeoutService.sessionTimeoutValue(userId: nil)
+        guard vaultTimeout == .never, isLocked else { return }
+        try await delegate.unlockVaultWithNeverlockKey()
+    }
 }
 
 extension DefaultAutofillCredentialService: AutofillCredentialService {
-    func provideCredential(for id: String, repromptPasswordValidated: Bool) async throws -> ASPasswordCredential {
+    func provideCredential(
+        for id: String,
+        autofillCredentialServiceDelegate: AutofillCredentialServiceDelegate,
+        repromptPasswordValidated: Bool
+    ) async throws -> ASPasswordCredential {
+        try await tryUnlockVaultWithoutUserInteraction(delegate: autofillCredentialServiceDelegate)
         guard try await !vaultTimeoutService.isLocked(userId: stateService.getActiveAccountId()) else {
             throw ASExtensionError(.userInteractionRequired)
         }
@@ -255,18 +280,8 @@ extension DefaultAutofillCredentialService: AutofillCredentialService {
             throw AppProcessorError.invalidOperation
         }
 
-        let userId = try await stateService.getActiveAccountId()
-        let isLocked = vaultTimeoutService.isLocked(userId: userId)
-        let vaultTimeout = try? await vaultTimeoutService.sessionTimeoutValue(userId: nil)
-
-        switch (vaultTimeout, isLocked) {
-        case (.never, true):
-            // If the user has enabled Never Lock, but the vault is locked,
-            // unlock the vault before continuing.
-            try await autofillCredentialServiceDelegate.unlockVaultWithNeverlockKey()
-        case (_, false):
-            break
-        default:
+        try await tryUnlockVaultWithoutUserInteraction(delegate: autofillCredentialServiceDelegate)
+        guard try await !vaultTimeoutService.isLocked(userId: stateService.getActiveAccountId()) else {
             throw Fido2Error.userInteractionRequired
         }
 

BitwardenShared/Core/Autofill/Services/AutofillCredentialServiceTests.swift

@@ -82,7 +82,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         stateService.activeAccount = .fixture()
         vaultTimeoutService.isClientLocked["1"] = false
 
-        let credential = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
 
         XCTAssertEqual(credential.password, "password123")
         XCTAssertEqual(credential.user, "[email protected]")
@@ -97,17 +101,29 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
 
         cipherService.fetchCipherResult = .success(.fixture(type: .identity))
         await assertAsyncThrows(error: ASExtensionError(.credentialIdentityNotFound)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
 
         cipherService.fetchCipherResult = .success(.fixture(login: .fixture(password: nil, username: "user@bitwarden")))
         await assertAsyncThrows(error: ASExtensionError(.credentialIdentityNotFound)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
 
         cipherService.fetchCipherResult = .success(.fixture(login: .fixture(password: "test", username: nil)))
         await assertAsyncThrows(error: ASExtensionError(.credentialIdentityNotFound)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
     }
 
@@ -117,10 +133,38 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         vaultTimeoutService.isClientLocked["1"] = false
 
         await assertAsyncThrows(error: ASExtensionError(.credentialIdentityNotFound)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
     }
 
+    /// `provideCredential(for:)` unlocks the user's vault if they use never lock.
+    func test_provideCredential_neverLock() async throws {
+        autofillCredentialServiceDelegate.unlockVaultWithNaverlockHandler = { [weak self] in
+            self?.vaultTimeoutService.isClientLocked["1"] = false
+        }
+        cipherService.fetchCipherResult = .success(
+            .fixture(login: .fixture(password: "password123", username: "[email protected]"))
+        )
+        stateService.activeAccount = .fixture()
+        vaultTimeoutService.isClientLocked["1"] = true
+        vaultTimeoutService.vaultTimeout["1"] = .never
+
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
+
+        XCTAssertTrue(autofillCredentialServiceDelegate.unlockVaultWithNeverlockKeyCalled)
+        XCTAssertEqual(credential.password, "password123")
+        XCTAssertEqual(credential.user, "[email protected]")
+        XCTAssertNil(pasteboardService.copiedString)
+    }
+
     /// `provideCredential(for:)` throws an error if reprompt is required.
     func test_provideCredential_repromptRequired() async throws {
         stateService.activeAccount = .fixture()
@@ -136,7 +180,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
             )
         )
         await assertAsyncThrows(error: ASExtensionError(.userInteractionRequired)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
     }
 
@@ -152,7 +200,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         stateService.activeAccount = .fixture()
         vaultTimeoutService.isClientLocked["1"] = false
 
-        let credential = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
 
         XCTAssertEqual(credential.password, "password123")
         XCTAssertEqual(credential.user, "[email protected]")
@@ -173,7 +225,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         stateService.disableAutoTotpCopyByUserId["1"] = true
         vaultTimeoutService.isClientLocked["1"] = false
 
-        let credential = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
 
         XCTAssertEqual(credential.password, "password123")
         XCTAssertEqual(credential.user, "[email protected]")
@@ -193,7 +249,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         stateService.doesActiveAccountHavePremiumResult = .success(false)
         vaultTimeoutService.isClientLocked["1"] = false
 
-        let credential = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
 
         XCTAssertEqual(credential.password, "password123")
         XCTAssertEqual(credential.user, "[email protected]")
@@ -217,7 +277,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         stateService.doesActiveAccountHavePremiumResult = .success(false)
         vaultTimeoutService.isClientLocked["1"] = false
 
-        let credential = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+        let credential = try await subject.provideCredential(
+            for: "1",
+            autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+            repromptPasswordValidated: false
+        )
 
         XCTAssertEqual(credential.password, "password123")
         XCTAssertEqual(credential.user, "[email protected]")
@@ -230,7 +294,11 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
         vaultTimeoutService.isClientLocked["1"] = true
 
         await assertAsyncThrows(error: ASExtensionError(.userInteractionRequired)) {
-            _ = try await subject.provideCredential(for: "1", repromptPasswordValidated: false)
+            _ = try await subject.provideCredential(
+                for: "1",
+                autofillCredentialServiceDelegate: autofillCredentialServiceDelegate,
+                repromptPasswordValidated: false
+            )
         }
     }
 
@@ -279,6 +347,9 @@ class AutofillCredentialServiceTests: BitwardenTestCase { // swiftlint:disable:t
     /// succeeds when unlocking with never key.
     @available(iOS 17.0, *)
     func test_provideFido2Credential_succeedsWithUnlockingNeverKey() async throws {
+        autofillCredentialServiceDelegate.unlockVaultWithNaverlockHandler = { [weak self] in
+            self?.vaultTimeoutService.isClientLocked["1"] = false
+        }
         stateService.activeAccount = .fixture()
         vaultTimeoutService.isClientLocked["1"] = true
         vaultTimeoutService.vaultTimeout["1"] = .never

BitwardenShared/Core/Autofill/Services/TestHelpers/MockAutofillCredentialService.swift

@@ -10,7 +10,11 @@ class MockAutofillCredentialService: AutofillCredentialService {
     var provideCredentialError: Error?
     var provideFido2CredentialResult: Result<PasskeyAssertionCredential, Error> = .failure(BitwardenTestError.example)
 
-    func provideCredential(for id: String, repromptPasswordValidated: Bool) async throws -> ASPasswordCredential {
+    func provideCredential(
+        for id: String,
+        autofillCredentialServiceDelegate: AutofillCredentialServiceDelegate,
+        repromptPasswordValidated: Bool
+    ) async throws -> ASPasswordCredential {
         guard let provideCredentialPasswordCredential else {
             throw provideCredentialError ?? ASExtensionError(.failed)
         }

BitwardenShared/Core/Autofill/Services/TestHelpers/MockAutofillCredentialServiceDelegate.swift

@@ -3,9 +3,11 @@
 class MockAutofillCredentialServiceDelegate: AutofillCredentialServiceDelegate {
     var unlockVaultWithNeverlockKeyCalled = false
     var unlockVaultWithNeverlockKeyError: Error?
+    var unlockVaultWithNaverlockHandler: (() -> Void)?
 
     func unlockVaultWithNeverlockKey() async throws {
         unlockVaultWithNeverlockKeyCalled = true
+        unlockVaultWithNaverlockHandler?()
         if let unlockVaultWithNeverlockKeyError {
             throw unlockVaultWithNeverlockKeyError
         }

BitwardenShared/UI/Platform/Application/AppProcessor.swift

@@ -155,6 +155,7 @@ public class AppProcessor {
     ) async throws -> ASPasswordCredential {
         try await services.autofillCredentialService.provideCredential(
             for: id,
+            autofillCredentialServiceDelegate: self,
             repromptPasswordValidated: repromptPasswordValidated
         )
     }