PM-19061 - Innovation Sprint - OPAQUE Login Strategy

[JaredSnider-Bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-19061

📔 Objective

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 6.00%. Comparing base (28079df) to head (ed180dd).
Report is 5 commits behind head on innovation/opaque.

Additional details and impacted files

@@                Coverage Diff                 @@
##           innovation/opaque   #13832   +/-   ##
==================================================
  Coverage               6.00%    6.00%           
==================================================
  Files                     27       27           
  Lines                   1665     1665           
==================================================
  Hits                     100      100           
  Misses                  1565     1565           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 0aa3cec1-0317-40f5-b9fa-c9802d25e905

New Issues (60)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-0611	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0998	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0451	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0612	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0762	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0995	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0997	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0999	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1426	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1914	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1915	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1916	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1918	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1919	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1920	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-2135	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-2136	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-2137	Npm-electron-34.0.0	Vulnerable Package
	Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is e... Attack Vector
	Cxdca8e59f-8bfe	Npm-inflight-1.0.6	Vulnerable Package
	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 296	details Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 296	details Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	CVE-2024-53382	Npm-prismjs-1.29.0	Vulnerable Package
	CVE-2024-6531	Npm-bootstrap-4.6.0	Vulnerable Package
	CVE-2025-0444	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0445	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-0996	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1917	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1921	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1922	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-1923	Npm-electron-34.0.0	Vulnerable Package
	CVE-2025-24010	Npm-vite-5.4.6	Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.21.5	Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-wasm-0.23.0	Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.23.0	Vulnerable Package
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 365	details The application takes sensitive, personal data cipher, found at line 365 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 332	details The application takes sensitive, personal data cipher, found at line 332 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 382	details The application takes sensitive, personal data cipher, found at line 382 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ... Attack Vector
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 69	details The application takes sensitive, personal data password, found at line 69 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected... Attack Vector
	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 65	details The application takes sensitive, personal data password, found at line 65 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected... Attack Vector
	Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 737	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 365	details Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 365	details Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows thro... Attack Vector
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 77	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar.... Attack Vector
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 21	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts in ... Attack Vector
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/avatar/avatar.component.ts: 87	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.compo... Attack Vector
	Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web/... Attack Vector
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/accessibility-cookie.component.html: 18	details The potentially tainted value provided by link in /apps/desktop/src/auth/accessibility-cookie.component.html at line 18 is used as a destination UR... Attack Vector
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /a... Attack Vector
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/deprecated/overlay/iframe-content/autofill-overlay-iframe.service.deprecated.ts: 92	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
	Cx8bc4df28-fcf5	Npm-debug-2.6.9	Vulnerable Package
	Cx8bc4df28-fcf5	Npm-debug-3.2.7	Vulnerable Package
	Cxda14f253-4e52	Npm-bluebird-3.7.2	Vulnerable Package
	HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 41	details The web application's initiateBrowserSso method creates a cookie cookie, at line 41 of /apps/web/src/connectors/sso.ts, and returns it in the respo... Attack Vector
	Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 737	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector
	Use_of_Broken_or_Risky_Cryptographic_Algorithm	/libs/node/src/services/node-crypto-function.service.ts: 352	details In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even tri... Attack Vector

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
6.7% Duplication on New Code

See analysis details on SonarQube Cloud

[eliykat]

Merging into feature as requested by @JaredSnider-Bitwarden . The failing builds relate to the SDK only and are expected because we can't make CI pull the sdk from a feature branch.