[PM-8361] Added whether the vault has been unlocked interactively (#743)

Author: fedemkr

BitwardenShared/Core/Auth/Repositories/AuthRepository.swift

@@ -742,7 +742,7 @@ extension DefaultAuthRepository: AuthRepository {
         let id = try await stateService.getActiveAccountId()
         let key = KeychainItem.neverLock(userId: id)
         let neverlockKey = try await keychainService.getUserAuthKeyValue(for: key)
-        try await unlockVault(method: .decryptedKey(decryptedUserKey: neverlockKey))
+        try await unlockVault(method: .decryptedKey(decryptedUserKey: neverlockKey), hadUserInteraction: false)
     }
 
     func unlockVaultWithPassword(password: String) async throws {
@@ -862,9 +862,11 @@ extension DefaultAuthRepository: AuthRepository {
 
     /// Attempts to unlock the vault with a given method.
     ///
-    /// - Parameter method: The unlocking `InitUserCryptoMethod` method.
-    ///
-    private func unlockVault(method: InitUserCryptoMethod) async throws {
+    /// - Parameters:
+    ///   - method: The unlocking `InitUserCryptoMethod` method
+    ///   - hadUserInteraction: If the user interacted with the app to unlock the vault
+    ///   or was unlocked using the never lock key.
+    private func unlockVault(method: InitUserCryptoMethod, hadUserInteraction: Bool = true) async throws {
         let account = try await stateService.getActiveAccount()
         let encryptionKeys = try await stateService.getAccountEncryptionKeys()
 
@@ -920,7 +922,10 @@ extension DefaultAuthRepository: AuthRepository {
         }
 
         _ = try await trustDeviceService.trustDeviceIfNeeded()
-        try await vaultTimeoutService.unlockVault(userId: account.profile.userId)
+        try await vaultTimeoutService.unlockVault(
+            userId: account.profile.userId,
+            hadUserInteraction: hadUserInteraction
+        )
         try await organizationService.initializeOrganizationCrypto()
     }
 

BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift

@@ -922,6 +922,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         await assertAsyncDoesNotThrow {
             try await subject.unlockVaultWithNeverlockKey()
         }
+        XCTAssertFalse(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `test_unlockVaultWithDeviceKey` attempts to unlock the vault using the device key from the keychain.
@@ -947,6 +948,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         await assertAsyncDoesNotThrow {
             try await subject.unlockVaultWithDeviceKey()
         }
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `test_unlockVaultWithDeviceKey` attempts to unlock the vault using the device key from the keychain.
@@ -1182,6 +1184,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         XCTAssertEqual(authService.hashPasswordPassword, "password")
         XCTAssertEqual(stateService.masterPasswordHashes["1"], "hashed")
         XCTAssertFalse(biometricsRepository.didConfigureBiometricIntegrity)
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `unlockVaultWithPassword(password:)` configures biometric integrity refreshes.
@@ -1309,6 +1312,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         await assertAsyncDoesNotThrow {
             try await subject.unlockVaultWithBiometrics()
         }
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `logout` throws an error with no accounts.
@@ -1381,6 +1385,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
                 )
             )
         )
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `unlockVaultFromLoginWithDevice()` unlocks the vault using the key returned by an approved
@@ -1409,6 +1414,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
                 )
             )
         )
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `unlockVaultWithPIN(_:)` unlocks the vault with the user's PIN.
@@ -1437,6 +1443,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
             )
         )
         XCTAssertFalse(vaultTimeoutService.isLocked(userId: "1"))
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
     }
 
     /// `unlockVaultWithPIN(_:)` throws an error if there's no pin.

BitwardenShared/Core/Platform/Services/ServiceContainer.swift

@@ -542,6 +542,7 @@ public class ServiceContainer: Services { // swiftlint:disable:this type_body_le
         let fido2UserInterfaceHelper = DefaultFido2UserInterfaceHelper(
             fido2UserVerificationMediator: DefaultFido2UserVerificationMediator(
                 authRepository: authRepository,
+                stateService: stateService,
                 userVerificationHelper: DefaultUserVerificationHelper(
                     authRepository: authRepository,
                     errorReporter: errorReporter,

BitwardenShared/Core/Platform/Services/StateService.swift

@@ -49,6 +49,10 @@ protocol StateService: AnyObject {
     ///
     func getAccountEncryptionKeys(userId: String?) async throws -> AccountEncryptionKeys
 
+    /// Gets whether the user has unlocked their account in the current session interactively.
+    /// - Parameter userId: The user ID of the account. Defaults to the active account if `nil`.
+    func getAccountHasBeenUnlockedInteractively(userId: String?) async throws -> Bool
+
     /// Gets all accounts.
     ///
     /// - Returns: The known user accounts.
@@ -312,6 +316,12 @@ protocol StateService: AnyObject {
     ///
     func setAccountEncryptionKeys(_ encryptionKeys: AccountEncryptionKeys, userId: String?) async throws
 
+    /// Sets whether the user has unlocked their account in the current session  interactively.
+    /// - Parameters:
+    ///   - userId: The user ID of the account. Defaults to the active account if `nil`.
+    ///   - value: Whether the user has unlocked their account in the current session.
+    func setAccountHasBeenUnlockedInteractively(userId: String?, value: Bool) async throws
+
     /// Sets the active account.
     ///
     /// - Parameter userId: The user Id of the account to set as active.
@@ -593,6 +603,11 @@ extension StateService {
         try await getAccountEncryptionKeys(userId: nil)
     }
 
+    /// Gets whether the user has unlocked their account in the current session  interactively.
+    func getAccountHasBeenUnlockedInteractively() async throws -> Bool {
+        try await getAccountHasBeenUnlockedInteractively(userId: nil)
+    }
+
     /// Gets either a valid account id or the active account id.
     ///
     /// - Parameter userId: The possible user id.
@@ -804,6 +819,12 @@ extension StateService {
         try await setAccountEncryptionKeys(encryptionKeys, userId: nil)
     }
 
+    /// Sets whether the user has unlocked their account in the current session  interactively.
+    /// - Parameter value: Whether the user has unlocked their account in the current session
+    func setAccountHasBeenUnlockedInteractively(value: Bool) async throws {
+        try await setAccountHasBeenUnlockedInteractively(userId: nil, value: value)
+    }
+
     /// Sets the allow sync on refresh value for the active account.
     ///
     /// - Parameter allowSyncOnRefresh: The allow sync on refresh value.
@@ -1030,7 +1051,7 @@ actor DefaultStateService: StateService { // swiftlint:disable:this type_body_le
 
     func clearPins() async throws {
         let userId = try getActiveAccountUserId()
-        accountVolatileData.removeValue(forKey: userId)
+        accountVolatileData[userId]?.pinProtectedUserKey = nil
         appSettingsStore.setEncryptedPin(nil, userId: userId)
         appSettingsStore.setPinProtectedUserKey(key: nil, userId: userId)
     }
@@ -1075,6 +1096,11 @@ actor DefaultStateService: StateService { // swiftlint:disable:this type_body_le
         )
     }
 
+    func getAccountHasBeenUnlockedInteractively(userId: String?) async throws -> Bool {
+        let userId = try userId ?? getActiveAccountUserId()
+        return accountVolatileData[userId]?.hasBeenUnlockedInteractively == true
+    }
+
     func getAccounts() throws -> [Account] {
         guard let accounts = appSettingsStore.state?.accounts else {
             throw StateServiceError.noAccounts
@@ -1269,6 +1295,14 @@ actor DefaultStateService: StateService { // swiftlint:disable:this type_body_le
         appSettingsStore.setEncryptedUserKey(key: encryptionKeys.encryptedUserKey, userId: userId)
     }
 
+    func setAccountHasBeenUnlockedInteractively(userId: String?, value: Bool) async throws {
+        let userId = try userId ?? getActiveAccountUserId()
+        accountVolatileData[
+            userId,
+            default: AccountVolatileData()
+        ].hasBeenUnlockedInteractively = value
+    }
+
     func setActiveAccount(userId: String) async throws {
         guard var state = appSettingsStore.state else { return }
         defer { appSettingsStore.state = state }
@@ -1513,7 +1547,10 @@ actor DefaultStateService: StateService { // swiftlint:disable:this type_body_le
 ///
 struct AccountVolatileData {
     /// The pin protected user key.
-    var pinProtectedUserKey: String = ""
+    var pinProtectedUserKey: String?
+
+    /// Whether the account has been unlocked with user interaction.
+    var hasBeenUnlockedInteractively = false
 }
 
 // MARK: Biometrics

BitwardenShared/Core/Platform/Services/StateServiceTests.swift

@@ -253,6 +253,46 @@ class StateServiceTests: BitwardenTestCase { // swiftlint:disable:this type_body
         }
     }
 
+    /// `getAccountHasBeenUnlockedInteractively()` gets the default value from the active user.
+    func test_getAccountHasBeenUnlockedInteractively_default() async throws {
+        appSettingsStore.state = State.fixture(
+            accounts: [
+                "1": Account.fixture(),
+            ],
+            activeUserId: "1"
+        )
+        let result = try await subject.getAccountHasBeenUnlockedInteractively()
+        XCTAssertFalse(result)
+    }
+
+    /// `getAccountHasBeenUnlockedInteractively()` gets the value from the active user.
+    func test_getAccountHasBeenUnlockedInteractively() async throws {
+        appSettingsStore.state = State.fixture(
+            accounts: [
+                "1": Account.fixture(),
+            ],
+            activeUserId: "1"
+        )
+        try await subject.setAccountHasBeenUnlockedInteractively(value: true)
+        let result = try await subject.getAccountHasBeenUnlockedInteractively()
+        XCTAssertTrue(result)
+    }
+
+    /// `getAccountHasBeenUnlockedInteractively(userId:)` gets the value from the given user.
+    func test_getAccountHasBeenUnlockedInteractively_givenUser() async throws {
+        try await subject.setAccountHasBeenUnlockedInteractively(userId: "2", value: true)
+        let result = try await subject.getAccountHasBeenUnlockedInteractively(userId: "2")
+        XCTAssertTrue(result)
+    }
+
+    /// `getAccountHasBeenUnlockedInteractively()` gets the value from the given user.
+    func test_getAccountHasBeenUnlockedInteractively_throwsGettingTheUser() async throws {
+        appSettingsStore.state?.activeUserId = nil
+        await assertAsyncThrows(error: StateServiceError.noActiveAccount) {
+            _ = try await subject.getAccountHasBeenUnlockedInteractively()
+        }
+    }
+
     /// `getActiveAccount()` returns the active account.
     func test_getActiveAccount() async throws {
         let account = Account.fixture(profile: .fixture(userId: "2"))
@@ -1312,6 +1352,42 @@ class StateServiceTests: BitwardenTestCase { // swiftlint:disable:this type_body
         XCTAssertEqual(appSettingsStore.disableAutoTotpCopyByUserId["1"], false)
     }
 
+    /// `setAccountHasBeenUnlockedInteractively(userId:value:)` updates volatile data
+    func test_setAccountHasBeenUnlockedInteractively() async throws {
+        try await subject.setAccountHasBeenUnlockedInteractively(userId: "1", value: true)
+        let result = await subject.accountVolatileData["1"]?.hasBeenUnlockedInteractively ?? false
+        XCTAssertTrue(result)
+    }
+
+    /// `setAccountHasBeenUnlockedInteractively(userId:value:)` updates volatile data for existing user.
+    func test_setAccountHasBeenUnlockedInteractively_updateExisting() async throws {
+        try await subject.setAccountHasBeenUnlockedInteractively(userId: "1", value: true)
+        try await subject.setAccountHasBeenUnlockedInteractively(userId: "1", value: false)
+        let result = await subject.accountVolatileData["1"]?.hasBeenUnlockedInteractively ?? false
+        XCTAssertFalse(result)
+    }
+
+    /// `setAccountHasBeenUnlockedInteractively(value:)` updates volatile data for current user.
+    func test_setAccountHasBeenUnlockedInteractively_updateByCurrentUser() async throws {
+        appSettingsStore.state = State.fixture(
+            accounts: [
+                "1": Account.fixture(),
+            ],
+            activeUserId: "1"
+        )
+        try await subject.setAccountHasBeenUnlockedInteractively(value: true)
+        let result = await subject.accountVolatileData["1"]?.hasBeenUnlockedInteractively ?? false
+        XCTAssertTrue(result)
+    }
+
+    /// `setAccountHasBeenUnlockedInteractively(value:)` throws if it throws when getting the user id.
+    func test_setAccountHasBeenUnlockedInteractively_throwsWhenGettingUserId() async throws {
+        appSettingsStore.state?.activeUserId = nil
+        await assertAsyncThrows(error: StateServiceError.noActiveAccount) {
+            _ = try await subject.setAccountHasBeenUnlockedInteractively(value: true)
+        }
+    }
+
     /// `setActiveAccount(userId: )` succeeds if there is a matching account
     func test_setActiveAccount_match_multi() async throws {
         let account1 = Account.fixture(profile: .fixture(userId: "1"))

BitwardenShared/Core/Platform/Services/TestHelpers/MockStateService.swift

@@ -37,6 +37,8 @@ class MockStateService: StateService { // swiftlint:disable:this type_body_lengt
     var lastActiveTime = [String: Date]()
     var loginRequest: LoginRequestNotification?
     var getAccountEncryptionKeysError: Error?
+    // swiftlint:disable:next identifier_name
+    var getAccountHasBeenUnlockedInteractivelyResult: Result<Bool, Error> = .success(false)
     var getBiometricAuthenticationEnabledResult: Result<Void, Error> = .success(())
     var getBiometricIntegrityStateError: Error?
     var lastSyncTimeByUserId = [String: Date]()
@@ -53,6 +55,9 @@ class MockStateService: StateService { // swiftlint:disable:this type_body_lengt
     var showWebIconsSubject = CurrentValueSubject<Bool, Never>(true)
     var timeoutAction = [String: SessionTimeoutAction]()
     var serverConfig = [String: ServerConfig]()
+    var setAccountHasBeenUnlockedInteractivelyHasBeenCalled = false // swiftlint:disable:this identifier_name
+    // swiftlint:disable:next identifier_name
+    var setAccountHasBeenUnlockedInteractivelyResult: Result<Void, Error> = .success(())
     var setBiometricAuthenticationEnabledResult: Result<Void, Error> = .success(())
     var setBiometricIntegrityStateError: Error?
     var shouldCheckOrganizationUnassignedItems = [String: Bool?]()
@@ -109,6 +114,10 @@ class MockStateService: StateService { // swiftlint:disable:this type_body_lengt
         return encryptionKeys
     }
 
+    func getAccountHasBeenUnlockedInteractively(userId: String?) async throws -> Bool {
+        try getAccountHasBeenUnlockedInteractivelyResult.get()
+    }
+
     func getAccount(userId: String?) async throws -> BitwardenShared.Account {
         let id = try await getAccountIdOrActiveId(userId: userId)
         if let activeAccount,
@@ -297,6 +306,11 @@ class MockStateService: StateService { // swiftlint:disable:this type_body_lengt
         accountEncryptionKeys[userId] = encryptionKeys
     }
 
+    func setAccountHasBeenUnlockedInteractively(userId: String?, value: Bool) async throws {
+        setAccountHasBeenUnlockedInteractivelyHasBeenCalled = true
+        try setAccountHasBeenUnlockedInteractivelyResult.get()
+    }
+
     func setActiveAccount(userId: String) async throws {
         guard let accounts,
               let match = accounts.first(where: { account in

BitwardenShared/Core/Vault/Services/TestHelpers/MockVaultTimeoutService.swift

@@ -11,6 +11,7 @@ class MockVaultTimeoutService: VaultTimeoutService {
     var shouldSessionTimeoutError: Error?
     var timeProvider = MockTimeProvider(.currentTime)
     var sessionTimeoutValueError: Error?
+    var unlockVaultHadUserInteraction = false
     var vaultTimeout = [String: SessionTimeoutValue]()
     var vaultLockStatusSubject = CurrentValueSubject<VaultLockStatus?, Never>(nil)
 
@@ -47,9 +48,10 @@ class MockVaultTimeoutService: VaultTimeoutService {
         return shouldSessionTimeout[userId] ?? false
     }
 
-    func unlockVault(userId: String?) async throws {
+    func unlockVault(userId: String?, hadUserInteraction: Bool) async throws {
         guard let userId else { return }
         isClientLocked[userId] = false
+        unlockVaultHadUserInteraction = hadUserInteraction
     }
 
     func remove(userId: String?) async {

BitwardenShared/Core/Vault/Services/VaultTimeoutService.swift

@@ -59,10 +59,12 @@ protocol VaultTimeoutService: AnyObject {
 
     /// Unlocks the user's vault
     ///
-    /// - Parameter userId: The userId of the account to unlock.
+    /// - Parameters:
+    ///   - userId: The userId of the account to unlock.
     ///     Defaults to the active account if nil
-    ///
-    func unlockVault(userId: String?) async throws
+    ///   - hadUserInteraction: Whether the user had any interaction with the app to unlock the vault
+    ///   or the never lock key was used.
+    func unlockVault(userId: String?, hadUserInteraction: Bool) async throws
 
     /// Gets the `SessionTimeoutValue` for a user.
     ///
@@ -143,12 +145,14 @@ class DefaultVaultTimeoutService: VaultTimeoutService {
         guard let id = try? await stateService.getAccountIdOrActiveId(userId: userId) else { return }
         try? await clientService.removeClient(for: id)
         vaultLockStatusSubject.value[id] = true
+        try? await stateService.setAccountHasBeenUnlockedInteractively(userId: id, value: false)
     }
 
     func remove(userId: String?) async {
         guard let id = try? await stateService.getAccountIdOrActiveId(userId: userId) else { return }
         try? await clientService.removeClient(for: id)
         vaultLockStatusSubject.value.removeValue(forKey: id)
+        try? await stateService.setAccountHasBeenUnlockedInteractively(userId: id, value: false)
     }
 
     func setLastActiveTime(userId: String) async throws {
@@ -159,9 +163,10 @@ class DefaultVaultTimeoutService: VaultTimeoutService {
         try await stateService.setVaultTimeout(value: value, userId: userId)
     }
 
-    func unlockVault(userId: String?) async throws {
+    func unlockVault(userId: String?, hadUserInteraction: Bool) async throws {
         guard let id = try? await stateService.getAccountIdOrActiveId(userId: userId) else { return }
         vaultLockStatusSubject.value[id] = false
+        try await stateService.setAccountHasBeenUnlockedInteractively(userId: id, value: hadUserInteraction)
     }
 
     func sessionTimeoutValue(userId: String?) async throws -> SessionTimeoutValue {