@bitwarden/cli 2023.9.1 → 2023.12.0

package/build/bw.js

@@ -20,7 +20,7 @@ module.exports = require("url");
 /***/ 147:
 /***/ ((module) => {
 
-module.exports = JSON.parse('{"name":"@bitwarden/cli","description":"A secure and free password manager for all of your devices.","version":"2023.9.1","keywords":["bitwarden","password","vault","password manager","cli"],"author":"Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)","homepage":"https://bitwarden.com","repository":{"type":"git","url":"https://github.com/bitwarden/clients"},"license":"GPL-3.0-only","scripts":{"clean":"rimraf dist","build":"webpack","build:debug":"npm run build && node --inspect ./build/bw.js","build:watch":"webpack --watch","build:prod":"cross-env NODE_ENV=production webpack","build:prod:watch":"cross-env NODE_ENV=production webpack --watch","package":"npm run package:win && npm run package:mac && npm run package:lin","package:win":"pkg . --targets win-x64 --output ./dist/windows/bw.exe","package:mac":"pkg . --targets macos-x64 --output ./dist/macos/bw","package:lin":"pkg . --targets linux-x64 --output ./dist/linux/bw","debug":"node --inspect ./build/bw.js","dist":"npm run build:prod && npm run clean && npm run package","dist:win":"npm run build:prod && npm run clean && npm run package:win","dist:mac":"npm run build:prod && npm run clean && npm run package:mac","dist:lin":"npm run build:prod && npm run clean && npm run package:lin","publish:npm":"npm run build:prod && npm publish --access public","test":"jest","test:watch":"jest --watch","test:watch:all":"jest --watchAll"},"bin":{"bw":"build/bw.js"},"pkg":{"assets":["./build/**/*","../../node_modules/argon2/**/*"]},"dependencies":{"@koa/multer":"3.0.2","@koa/router":"12.0.0","argon2":"0.31.0","big-integer":"1.6.51","browser-hrtime":"1.1.8","chalk":"4.1.2","commander":"7.2.0","form-data":"4.0.0","https-proxy-agent":"5.0.1","inquirer":"8.2.6","jsdom":"22.1.0","jszip":"3.10.1","koa":"2.14.2","koa-bodyparser":"4.4.1","koa-json":"2.0.2","lowdb":"1.0.0","lunr":"2.3.9","multer":"1.4.5-lts.1","node-fetch":"2.6.12","node-forge":"1.3.1","open":"8.4.2","papaparse":"5.4.1","proper-lockfile":"4.1.2","rxjs":"7.8.1","tldts":"6.0.14","zxcvbn":"4.4.2"}}');
+module.exports = JSON.parse('{"name":"@bitwarden/cli","description":"A secure and free password manager for all of your devices.","version":"2023.12.0","keywords":["bitwarden","password","vault","password manager","cli"],"author":"Bitwarden Inc. <hello@bitwarden.com> (https://bitwarden.com)","homepage":"https://bitwarden.com","repository":{"type":"git","url":"https://github.com/bitwarden/clients"},"license":"GPL-3.0-only","scripts":{"clean":"rimraf dist","build":"webpack","build:debug":"npm run build && node --inspect ./build/bw.js","build:watch":"webpack --watch","build:prod":"cross-env NODE_ENV=production webpack","build:prod:watch":"cross-env NODE_ENV=production webpack --watch","package":"npm run package:win && npm run package:mac && npm run package:lin","package:win":"pkg . --targets win-x64 --output ./dist/windows/bw.exe","package:mac":"pkg . --targets macos-x64 --output ./dist/macos/bw","package:lin":"pkg . --targets linux-x64 --output ./dist/linux/bw","debug":"node --inspect ./build/bw.js","dist":"npm run build:prod && npm run clean && npm run package","dist:win":"npm run build:prod && npm run clean && npm run package:win","dist:mac":"npm run build:prod && npm run clean && npm run package:mac","dist:lin":"npm run build:prod && npm run clean && npm run package:lin","publish:npm":"npm run build:prod && npm publish --access public","test":"jest","test:watch":"jest --watch","test:watch:all":"jest --watchAll"},"bin":{"bw":"build/bw.js"},"pkg":{"assets":["./build/**/*","../../node_modules/argon2/**/*"]},"dependencies":{"@koa/multer":"3.0.2","@koa/router":"12.0.0","argon2":"0.31.0","big-integer":"1.6.51","browser-hrtime":"1.1.8","chalk":"4.1.2","commander":"7.2.0","form-data":"4.0.0","https-proxy-agent":"5.0.1","inquirer":"8.2.6","jsdom":"22.1.0","jszip":"3.10.1","koa":"2.14.2","koa-bodyparser":"4.4.1","koa-json":"2.0.2","lowdb":"1.0.0","lunr":"2.3.9","multer":"1.4.5-lts.1","node-fetch":"2.6.12","node-forge":"1.3.1","open":"8.4.2","papaparse":"5.4.1","proper-lockfile":"4.1.2","rxjs":"7.8.1","tldts":"6.0.14","zxcvbn":"4.4.2"}}');
 
 /***/ })
 
@@ -360,15 +360,6 @@ class PlanResponse extends BaseResponse {
         this.nameLocalizationKey = this.getResponseProperty("NameLocalizationKey");
         this.descriptionLocalizationKey = this.getResponseProperty("DescriptionLocalizationKey");
         this.canBeUsedByBusiness = this.getResponseProperty("CanBeUsedByBusiness");
-        this.baseSeats = this.getResponseProperty("BaseSeats");
-        this.baseStorageGb = this.getResponseProperty("BaseStorageGb");
-        this.maxCollections = this.getResponseProperty("MaxCollections");
-        this.maxUsers = this.getResponseProperty("MaxUsers");
-        this.hasAdditionalSeatsOption = this.getResponseProperty("HasAdditionalSeatsOption");
-        this.maxAdditionalSeats = this.getResponseProperty("MaxAdditionalSeats");
-        this.hasAdditionalStorageOption = this.getResponseProperty("HasAdditionalStorageOption");
-        this.maxAdditionalStorage = this.getResponseProperty("MaxAdditionalStorage");
-        this.hasPremiumAccessOption = this.getResponseProperty("HasPremiumAccessOption");
         this.trialPeriodDays = this.getResponseProperty("TrialPeriodDays");
         this.hasSelfHost = this.getResponseProperty("HasSelfHost");
         this.hasPolicies = this.getResponseProperty("HasPolicies");
@@ -382,25 +373,56 @@ class PlanResponse extends BaseResponse {
         this.hasResetPassword = this.getResponseProperty("HasResetPassword");
         this.usersGetPremium = this.getResponseProperty("UsersGetPremium");
         this.upgradeSortOrder = this.getResponseProperty("UpgradeSortOrder");
-        this.displaySortOrder = this.getResponseProperty("SortOrder");
+        this.displaySortOrder = this.getResponseProperty("DisplaySortOrder");
         this.legacyYear = this.getResponseProperty("LegacyYear");
         this.disabled = this.getResponseProperty("Disabled");
-        this.stripePlanId = this.getResponseProperty("StripePlanId");
+        const passwordManager = this.getResponseProperty("PasswordManager");
+        const secretsManager = this.getResponseProperty("SecretsManager");
+        this.PasswordManager =
+            passwordManager == null ? null : new PasswordManagerPlanFeaturesResponse(passwordManager);
+        this.SecretsManager =
+            secretsManager == null ? null : new SecretsManagerPlanFeaturesResponse(secretsManager);
+    }
+}
+class SecretsManagerPlanFeaturesResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
         this.stripeSeatPlanId = this.getResponseProperty("StripeSeatPlanId");
-        this.stripeStoragePlanId = this.getResponseProperty("StripeStoragePlanId");
-        this.stripePremiumAccessPlanId = this.getResponseProperty("StripePremiumAccessPlanId");
+        this.baseSeats = this.getResponseProperty("BaseSeats");
         this.basePrice = this.getResponseProperty("BasePrice");
         this.seatPrice = this.getResponseProperty("SeatPrice");
-        this.additionalStoragePricePerGb = this.getResponseProperty("AdditionalStoragePricePerGb");
-        this.premiumAccessOptionPrice = this.getResponseProperty("PremiumAccessOptionPrice");
-        this.bitwardenProduct = this.getResponseProperty("BitwardenProduct");
+        this.hasAdditionalSeatsOption = this.getResponseProperty("HasAdditionalSeatsOption");
+        this.maxAdditionalSeats = this.getResponseProperty("MaxAdditionalSeats");
+        this.maxSeats = this.getResponseProperty("MaxSeats");
+        this.stripeServiceAccountPlanId = this.getResponseProperty("StripeServiceAccountPlanId");
         this.additionalPricePerServiceAccount = this.getResponseProperty("AdditionalPricePerServiceAccount");
         this.baseServiceAccount = this.getResponseProperty("BaseServiceAccount");
         this.maxServiceAccount = this.getResponseProperty("MaxServiceAccount");
         this.hasAdditionalServiceAccountOption = this.getResponseProperty("HasAdditionalServiceAccountOption");
-        this.maxProjects = this.getResponseProperty("MaxProjects");
         this.maxAdditionalServiceAccounts = this.getResponseProperty("MaxAdditionalServiceAccounts");
-        this.stripeServiceAccountPlanId = this.getResponseProperty("StripeServiceAccountPlanId");
+        this.maxProjects = this.getResponseProperty("MaxProjects");
+    }
+}
+class PasswordManagerPlanFeaturesResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.stripePlanId = this.getResponseProperty("StripePlanId");
+        this.stripeSeatPlanId = this.getResponseProperty("StripeSeatPlanId");
+        this.stripeStoragePlanId = this.getResponseProperty("StripeStoragePlanId");
+        this.stripePremiumAccessPlanId = this.getResponseProperty("StripePremiumAccessPlanId");
+        this.basePrice = this.getResponseProperty("BasePrice");
+        this.seatPrice = this.getResponseProperty("SeatPrice");
+        this.baseSeats = this.getResponseProperty("BaseSeats");
+        this.maxAdditionalSeats = this.getResponseProperty("MaxAdditionalSeats");
+        this.premiumAccessOptionPrice = this.getResponseProperty("PremiumAccessOptionPrice");
+        this.maxSeats = this.getResponseProperty("MaxSeats");
+        this.additionalStoragePricePerGb = this.getResponseProperty("AdditionalStoragePricePerGb");
+        this.hasAdditionalSeatsOption = this.getResponseProperty("HasAdditionalSeatsOption");
+        this.baseStorageGb = this.getResponseProperty("BaseStorageGb");
+        this.maxCollections = this.getResponseProperty("MaxCollections");
+        this.hasAdditionalStorageOption = this.getResponseProperty("HasAdditionalStorageOption");
+        this.maxAdditionalStorage = this.getResponseProperty("MaxAdditionalStorage");
+        this.hasPremiumAccessOption = this.getResponseProperty("HasPremiumAccessOption");
     }
 }
 
@@ -421,9 +443,6 @@ class OrganizationResponse extends BaseResponse {
         this.billingEmail = this.getResponseProperty("BillingEmail");
         const plan = this.getResponseProperty("Plan");
         this.plan = plan == null ? null : new PlanResponse(plan);
-        const secretsManagerPlan = this.getResponseProperty("SecretsManagerPlan");
-        this.secretsManagerPlan =
-            secretsManagerPlan == null ? null : new PlanResponse(secretsManagerPlan);
         this.planType = this.getResponseProperty("PlanType");
         this.seats = this.getResponseProperty("Seats");
         this.maxAutoscaleSeats = this.getResponseProperty("MaxAutoscaleSeats");
@@ -443,6 +462,7 @@ class OrganizationResponse extends BaseResponse {
         this.smServiceAccounts = this.getResponseProperty("SmServiceAccounts");
         this.maxAutoscaleSmSeats = this.getResponseProperty("MaxAutoscaleSmSeats");
         this.maxAutoscaleSmServiceAccounts = this.getResponseProperty("MaxAutoscaleSmServiceAccounts");
+        this.limitCollectionCreationDeletion = this.getResponseProperty("LimitCollectionCreationDeletion");
     }
 }
 
@@ -493,7 +513,6 @@ class BillingSubscriptionItemResponse extends BaseResponse {
         this.interval = this.getResponseProperty("Interval");
         this.sponsoredSubscriptionItem = this.getResponseProperty("SponsoredSubscriptionItem");
         this.addonSubscriptionItem = this.getResponseProperty("AddonSubscriptionItem");
-        this.bitwardenProduct = this.getResponseProperty("BitwardenProduct");
     }
 }
 class BillingSubscriptionUpcomingInvoiceResponse extends BaseResponse {
@@ -507,6 +526,7 @@ class BillingSubscriptionUpcomingInvoiceResponse extends BaseResponse {
 ;// CONCATENATED MODULE: ../../libs/common/src/billing/models/response/organization-subscription.response.ts
 
 
+
 class OrganizationSubscriptionResponse extends OrganizationResponse {
     constructor(response) {
         super(response);
@@ -519,11 +539,26 @@ class OrganizationSubscriptionResponse extends OrganizationResponse {
             upcomingInvoice == null
                 ? null
                 : new BillingSubscriptionUpcomingInvoiceResponse(upcomingInvoice);
+        const customerDiscount = this.getResponseProperty("CustomerDiscount");
+        this.customerDiscount =
+            customerDiscount == null ? null : new BillingCustomerDiscount(customerDiscount);
         this.expiration = this.getResponseProperty("Expiration");
         this.expirationWithoutGracePeriod = this.getResponseProperty("ExpirationWithoutGracePeriod");
         this.secretsManagerBeta = this.getResponseProperty("SecretsManagerBeta");
     }
 }
+class BillingCustomerDiscount extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.discountPrice = (price) => {
+            const discount = this !== null && this.active ? price * (this.percentOff / 100) : 0;
+            return price - discount;
+        };
+        this.id = this.getResponseProperty("Id");
+        this.active = this.getResponseProperty("Active");
+        this.percentOff = this.getResponseProperty("PercentOff");
+    }
+}
 
 ;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/api/permissions.api.ts
 
@@ -608,6 +643,7 @@ class ProfileOrganizationResponse extends BaseResponse {
         }
         this.familySponsorshipToDelete = this.getResponseProperty("FamilySponsorshipToDelete");
         this.accessSecretsManager = this.getResponseProperty("AccessSecretsManager");
+        this.limitCollectionCreationDeletion = this.getResponseProperty("LimitCollectionCreationDeletion");
     }
 }
 
@@ -977,6 +1013,14 @@ class OrganizationApiService {
             return new ProfileOrganizationResponse(r);
         });
     }
+    updateCollectionManagement(id, request) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("PUT", "/organizations/" + id + "/collection-management", request, true, true);
+            const data = new OrganizationResponse(r);
+            yield this.syncService.fullSync(true);
+            return data;
+        });
+    }
 }
 
 ;// CONCATENATED MODULE: external "rxjs"
@@ -1114,6 +1158,36 @@ class utils_Utils {
                 .join("");
         }
     }
+    /**
+     * Converts a hex string to an ArrayBuffer.
+     * Note: this doesn't need any Node specific code as parseInt() / ArrayBuffer / Uint8Array
+     * work the same in Node and the browser.
+     * @param {string} hexString - A string of hexadecimal characters.
+     * @returns {ArrayBuffer} The ArrayBuffer representation of the hex string.
+     */
+    static hexStringToArrayBuffer(hexString) {
+        // Check if the hexString has an even length, as each hex digit represents half a byte (4 bits),
+        // and it takes two hex digits to represent a full byte (8 bits).
+        if (hexString.length % 2 !== 0) {
+            throw "HexString has to be an even length";
+        }
+        // Create an ArrayBuffer with a length that is half the length of the hex string,
+        // because each pair of hex digits will become a single byte.
+        const arrayBuffer = new ArrayBuffer(hexString.length / 2);
+        // Create a Uint8Array view on top of the ArrayBuffer (each position represents a byte)
+        // as ArrayBuffers cannot be edited directly.
+        const uint8Array = new Uint8Array(arrayBuffer);
+        // Loop through the bytes
+        for (let i = 0; i < uint8Array.length; i++) {
+            // Extract two hex characters (1 byte)
+            const hexByte = hexString.substr(i * 2, 2);
+            // Convert hexByte into a decimal value from base 16. (ex: ff --> 255)
+            const byteValue = parseInt(hexByte, 16);
+            // Place the byte value into the uint8Array
+            uint8Array[i] = byteValue;
+        }
+        return arrayBuffer;
+    }
     static fromUrlB64ToB64(urlB64Str) {
         let output = urlB64Str.replace(/-/g, "+").replace(/_/g, "/");
         switch (output.length % 4) {
@@ -1214,7 +1288,10 @@ class utils_Utils {
             return null;
         }
         try {
-            const parseResult = (0,external_tldts_namespaceObject.parse)(uriString, { validHosts: this.validHosts });
+            const parseResult = (0,external_tldts_namespaceObject.parse)(uriString, {
+                validHosts: this.validHosts,
+                allowPrivateDomains: true,
+            });
             if (parseResult != null && parseResult.hostname != null) {
                 if (parseResult.hostname === "localhost" || parseResult.isIp) {
                     return parseResult.hostname;
@@ -1530,9 +1607,9 @@ var ClientType;
     ClientType["Web"] = "web";
     ClientType["Browser"] = "browser";
     ClientType["Desktop"] = "desktop";
-    ClientType["Mobile"] = "mobile";
+    // Mobile = "mobile",
     ClientType["Cli"] = "cli";
-    ClientType["DirectoryConnector"] = "connector";
+    // DirectoryConnector = "connector",
 })(ClientType || (ClientType = {}));
 
 ;// CONCATENATED MODULE: ../../libs/common/src/enums/device-type.enum.ts
@@ -1561,6 +1638,9 @@ var DeviceType;
     DeviceType[DeviceType["SafariExtension"] = 20] = "SafariExtension";
     DeviceType[DeviceType["SDK"] = 21] = "SDK";
     DeviceType[DeviceType["Server"] = 22] = "Server";
+    DeviceType[DeviceType["WindowsCLI"] = 23] = "WindowsCLI";
+    DeviceType[DeviceType["MacOsCLI"] = 24] = "MacOsCLI";
+    DeviceType[DeviceType["LinuxCLI"] = 25] = "LinuxCLI";
 })(DeviceType || (DeviceType = {}));
 const MobileDeviceTypes = new Set([
     DeviceType.Android,
@@ -1572,6 +1652,9 @@ const DesktopDeviceTypes = new Set([
     DeviceType.MacOsDesktop,
     DeviceType.LinuxDesktop,
     DeviceType.UWP,
+    DeviceType.WindowsCLI,
+    DeviceType.MacOsCLI,
+    DeviceType.LinuxCLI,
 ]);
 
 ;// CONCATENATED MODULE: ../../libs/common/src/enums/encrypted-export-type.enum.ts
@@ -2188,6 +2271,7 @@ var ProductType;
     ProductType[ProductType["Families"] = 1] = "Families";
     ProductType[ProductType["Teams"] = 2] = "Teams";
     ProductType[ProductType["Enterprise"] = 3] = "Enterprise";
+    ProductType[ProductType["TeamsStarter"] = 4] = "TeamsStarter";
 })(ProductType || (ProductType = {}));
 
 ;// CONCATENATED MODULE: ../../libs/common/src/enums/provider-type.enum.ts
@@ -2399,6 +2483,7 @@ class Organization {
         this.familySponsorshipValidUntil = obj.familySponsorshipValidUntil;
         this.familySponsorshipToDelete = obj.familySponsorshipToDelete;
         this.accessSecretsManager = obj.accessSecretsManager;
+        this.limitCollectionCreationDeletion = obj.limitCollectionCreationDeletion;
     }
     get canAccess() {
         if (this.isOwner) {
@@ -2434,7 +2519,9 @@ class Organization {
         return this.isAdmin || this.permissions.accessReports;
     }
     get canCreateNewCollections() {
-        return this.isManager || this.permissions.createNewCollections;
+        return (!this.limitCollectionCreationDeletion ||
+            this.isManager ||
+            this.permissions.createNewCollections);
     }
     get canEditAnyCollection() {
         return this.isAdmin || this.permissions.editAnyCollection;
@@ -2504,6 +2591,9 @@ class Organization {
     get hasProvider() {
         return this.providerId != null || this.providerName != null;
     }
+    get hasReseller() {
+        return this.hasProvider && this.providerType === ProviderType.Reseller;
+    }
     get canAccessSecretsManager() {
         return this.useSecretsManager && this.accessSecretsManager;
     }
@@ -2628,6 +2718,300 @@ class organization_service_OrganizationService {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/response/selection-read-only.response.ts
+
+class SelectionReadOnlyResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.id = this.getResponseProperty("Id");
+        this.readOnly = this.getResponseProperty("ReadOnly");
+        this.hidePasswords = this.getResponseProperty("HidePasswords");
+        this.manage = this.getResponseProperty("Manage");
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/abstractions/organization-user/responses/organization-user.response.ts
+
+
+
+class OrganizationUserResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.collections = [];
+        this.groups = [];
+        this.id = this.getResponseProperty("Id");
+        this.userId = this.getResponseProperty("UserId");
+        this.type = this.getResponseProperty("Type");
+        this.status = this.getResponseProperty("Status");
+        this.permissions = new PermissionsApi(this.getResponseProperty("Permissions"));
+        this.externalId = this.getResponseProperty("ExternalId");
+        this.accessAll = this.getResponseProperty("AccessAll");
+        this.accessSecretsManager = this.getResponseProperty("AccessSecretsManager");
+        this.resetPasswordEnrolled = this.getResponseProperty("ResetPasswordEnrolled");
+        this.hasMasterPassword = this.getResponseProperty("HasMasterPassword");
+        const collections = this.getResponseProperty("Collections");
+        if (collections != null) {
+            this.collections = collections.map((c) => new SelectionReadOnlyResponse(c));
+        }
+        const groups = this.getResponseProperty("Groups");
+        if (groups != null) {
+            this.groups = groups;
+        }
+    }
+}
+class OrganizationUserUserDetailsResponse extends OrganizationUserResponse {
+    constructor(response) {
+        var _a;
+        super(response);
+        this.name = this.getResponseProperty("Name");
+        this.email = this.getResponseProperty("Email");
+        this.avatarColor = this.getResponseProperty("AvatarColor");
+        this.twoFactorEnabled = this.getResponseProperty("TwoFactorEnabled");
+        this.usesKeyConnector = (_a = this.getResponseProperty("UsesKeyConnector")) !== null && _a !== void 0 ? _a : false;
+    }
+}
+class OrganizationUserDetailsResponse extends OrganizationUserResponse {
+    constructor(response) {
+        super(response);
+    }
+}
+class OrganizationUserResetPasswordDetailsResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.kdf = this.getResponseProperty("Kdf");
+        this.kdfIterations = this.getResponseProperty("KdfIterations");
+        this.kdfMemory = this.getResponseProperty("KdfMemory");
+        this.kdfParallelism = this.getResponseProperty("KdfParallelism");
+        this.resetPasswordKey = this.getResponseProperty("ResetPasswordKey");
+        this.encryptedPrivateKey = this.getResponseProperty("EncryptedPrivateKey");
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/abstractions/organization-user/responses/organization-user-bulk.response.ts
+
+class OrganizationUserBulkResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.id = this.getResponseProperty("Id");
+        this.error = this.getResponseProperty("Error");
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/abstractions/organization-user/responses/organization-user-bulk-public-key.response.ts
+
+class OrganizationUserBulkPublicKeyResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.id = this.getResponseProperty("Id");
+        this.userId = this.getResponseProperty("UserId");
+        this.key = this.getResponseProperty("Key");
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/services/organization-user/requests/organization-user-bulk.request.ts
+class OrganizationUserBulkRequest {
+    constructor(ids) {
+        this.ids = ids == null ? [] : ids;
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/services/organization-user/organization-user.service.implementation.ts
+var organization_user_service_implementation_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+class OrganizationUserServiceImplementation {
+    constructor(apiService) {
+        this.apiService = apiService;
+    }
+    getOrganizationUser(organizationId, id, options) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const params = new URLSearchParams();
+            if (options === null || options === void 0 ? void 0 : options.includeGroups) {
+                params.set("includeGroups", "true");
+            }
+            const r = yield this.apiService.send("GET", `/organizations/${organizationId}/users/${id}?${params.toString()}`, null, true, true);
+            return new OrganizationUserDetailsResponse(r);
+        });
+    }
+    getOrganizationUserGroups(organizationId, id) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("GET", "/organizations/" + organizationId + "/users/" + id + "/groups", null, true, true);
+            return r;
+        });
+    }
+    getAllUsers(organizationId, options) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const params = new URLSearchParams();
+            if (options === null || options === void 0 ? void 0 : options.includeCollections) {
+                params.set("includeCollections", "true");
+            }
+            if (options === null || options === void 0 ? void 0 : options.includeGroups) {
+                params.set("includeGroups", "true");
+            }
+            const r = yield this.apiService.send("GET", `/organizations/${organizationId}/users?${params.toString()}`, null, true, true);
+            return new ListResponse(r, OrganizationUserUserDetailsResponse);
+        });
+    }
+    getOrganizationUserResetPasswordDetails(organizationId, id) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("GET", "/organizations/" + organizationId + "/users/" + id + "/reset-password-details", null, true, true);
+            return new OrganizationUserResetPasswordDetailsResponse(r);
+        });
+    }
+    postOrganizationUserInvite(organizationId, request) {
+        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/invite", request, true, false);
+    }
+    postOrganizationUserReinvite(organizationId, id) {
+        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/reinvite", null, true, false);
+    }
+    postManyOrganizationUserReinvite(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/reinvite", new OrganizationUserBulkRequest(ids), true, true);
+            return new ListResponse(r, OrganizationUserBulkResponse);
+        });
+    }
+    postOrganizationUserAcceptInit(organizationId, id, request) {
+        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/accept-init", request, true, false);
+    }
+    postOrganizationUserAccept(organizationId, id, request) {
+        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/accept", request, true, false);
+    }
+    postOrganizationUserConfirm(organizationId, id, request) {
+        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/confirm", request, true, false);
+    }
+    postOrganizationUsersPublicKey(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/public-keys", new OrganizationUserBulkRequest(ids), true, true);
+            return new ListResponse(r, OrganizationUserBulkPublicKeyResponse);
+        });
+    }
+    postOrganizationUserBulkConfirm(organizationId, request) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/confirm", request, true, true);
+            return new ListResponse(r, OrganizationUserBulkResponse);
+        });
+    }
+    putOrganizationUserBulkEnableSecretsManager(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/enable-secrets-manager", new OrganizationUserBulkRequest(ids), true, false);
+        });
+    }
+    putOrganizationUser(organizationId, id, request) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id, request, true, false);
+    }
+    putOrganizationUserGroups(organizationId, id, request) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/groups", request, true, false);
+    }
+    putOrganizationUserResetPasswordEnrollment(organizationId, userId, request) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + userId + "/reset-password-enrollment", request, true, false);
+    }
+    putOrganizationUserResetPassword(organizationId, id, request) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/reset-password", request, true, false);
+    }
+    deleteOrganizationUser(organizationId, id) {
+        return this.apiService.send("DELETE", "/organizations/" + organizationId + "/users/" + id, null, true, false);
+    }
+    deleteManyOrganizationUsers(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("DELETE", "/organizations/" + organizationId + "/users", new OrganizationUserBulkRequest(ids), true, true);
+            return new ListResponse(r, OrganizationUserBulkResponse);
+        });
+    }
+    revokeOrganizationUser(organizationId, id) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/revoke", null, true, false);
+    }
+    revokeManyOrganizationUsers(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/revoke", new OrganizationUserBulkRequest(ids), true, true);
+            return new ListResponse(r, OrganizationUserBulkResponse);
+        });
+    }
+    restoreOrganizationUser(organizationId, id) {
+        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/restore", null, true, false);
+    }
+    restoreManyOrganizationUsers(organizationId, ids) {
+        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
+            const r = yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/restore", new OrganizationUserBulkRequest(ids), true, true);
+            return new ListResponse(r, OrganizationUserBulkResponse);
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/models/response/error.response.ts
+
+
+class ErrorResponse extends BaseResponse {
+    constructor(response, status, identityResponse) {
+        var _a, _b;
+        super(response);
+        let errorModel = null;
+        if (response != null) {
+            const responseErrorModel = this.getResponseProperty("ErrorModel");
+            if (responseErrorModel && identityResponse) {
+                errorModel = responseErrorModel;
+            }
+            else {
+                errorModel = response;
+            }
+        }
+        if (status === 429) {
+            this.message = "Rate limit exceeded. Try again later.";
+        }
+        else if (errorModel) {
+            this.message = this.getResponseProperty("Message", errorModel);
+            this.validationErrors = this.getResponseProperty("ValidationErrors", errorModel);
+            this.captchaSiteKey = (_b = (_a = this.validationErrors) === null || _a === void 0 ? void 0 : _a.HCaptcha_SiteKey) === null || _b === void 0 ? void 0 : _b[0];
+            this.captchaRequired = !utils_Utils.isNullOrWhitespace(this.captchaSiteKey);
+        }
+        this.statusCode = status;
+    }
+    getSingleMessage() {
+        if (this.validationErrors == null) {
+            return this.message;
+        }
+        for (const key in this.validationErrors) {
+            // eslint-disable-next-line
+            if (!this.validationErrors.hasOwnProperty(key)) {
+                continue;
+            }
+            if (this.validationErrors[key].length) {
+                return this.validationErrors[key][0];
+            }
+        }
+        return this.message;
+    }
+    getAllMessages() {
+        const messages = [];
+        if (this.validationErrors == null) {
+            return messages;
+        }
+        for (const key in this.validationErrors) {
+            // eslint-disable-next-line
+            if (!this.validationErrors.hasOwnProperty(key)) {
+                continue;
+            }
+            this.validationErrors[key].forEach((item) => {
+                let prefix = "";
+                if (key.indexOf("[") > -1 && key.indexOf("]") > -1) {
+                    const lastSep = key.lastIndexOf(".");
+                    prefix = key.substr(0, lastSep > -1 ? lastSep : key.length) + ": ";
+                }
+                messages.push(prefix + item);
+            });
+        }
+        return messages;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/data/policy.data.ts
 class PolicyData {
     constructor(response) {
@@ -2667,6 +3051,8 @@ var policy_api_service_awaiter = (undefined && undefined.__awaiter) || function
 
 
 
+
+
 class PolicyApiService {
     constructor(policyService, apiService, stateService) {
         this.policyService = policyService;
@@ -2699,18 +3085,30 @@ class PolicyApiService {
             return new ListResponse(r, PolicyResponse);
         });
     }
-    getPoliciesByInvitedUser(organizationId, userId) {
+    getMasterPasswordPolicyResponseForOrgUser(organizationId) {
         return policy_api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("GET", "/organizations/" + organizationId + "/policies/invited-user?" + "userId=" + userId, null, false, true);
-            return new ListResponse(r, PolicyResponse);
+            const response = yield this.apiService.send("GET", "/organizations/" + organizationId + "/policies/master-password", null, true, true);
+            return new PolicyResponse(response);
         });
     }
-    getMasterPasswordPoliciesForInvitedUsers(orgId) {
+    getMasterPasswordPolicyOptsForOrgUser(orgId) {
         return policy_api_service_awaiter(this, void 0, void 0, function* () {
-            const userId = yield this.stateService.getUserId();
-            const response = yield this.getPoliciesByInvitedUser(orgId, userId);
-            const policies = yield this.policyService.mapPoliciesFromToken(response);
-            return yield (0,external_rxjs_namespaceObject.firstValueFrom)(this.policyService.masterPasswordPolicyOptions$(policies));
+            try {
+                const masterPasswordPolicyResponse = yield this.getMasterPasswordPolicyResponseForOrgUser(orgId);
+                const masterPasswordPolicy = this.policyService.mapPolicyFromResponse(masterPasswordPolicyResponse);
+                if (!masterPasswordPolicy) {
+                    return null;
+                }
+                return yield (0,external_rxjs_namespaceObject.firstValueFrom)(this.policyService.masterPasswordPolicyOptions$([masterPasswordPolicy]));
+            }
+            catch (error) {
+                // If policy not found, return null
+                if (error instanceof ErrorResponse && error.statusCode === HttpStatusCode.NotFound) {
+                    return null;
+                }
+                // otherwise rethrow error
+                throw error;
+            }
         });
     }
     putPolicy(organizationId, type, request) {
@@ -3036,11 +3434,6 @@ class PolicyService {
         })))
             .subscribe();
     }
-    /**
-     * Returns the first policy found that applies to the active user
-     * @param policyType Policy type to search for
-     * @param policyFilter Additional filter to apply to the policy
-     */
     get$(policyType, policyFilter) {
         return this.policies$.pipe((0,external_rxjs_namespaceObject.concatMap)((policies) => policy_service_awaiter(this, void 0, void 0, function* () {
             const userId = yield this.stateService.getUserId();
@@ -3050,9 +3443,6 @@ class PolicyService {
             }
         })));
     }
-    /**
-     * @deprecated Do not call this, use the policies$ observable collection
-     */
     getAll(type, userId) {
         return policy_service_awaiter(this, void 0, void 0, function* () {
             let response = [];
@@ -3162,12 +3552,15 @@ class PolicyService {
         resetPasswordPolicyOptions.autoEnrollEnabled = (_b = (_a = policy === null || policy === void 0 ? void 0 : policy.data) === null || _a === void 0 ? void 0 : _a.autoEnrollEnabled) !== null && _b !== void 0 ? _b : false;
         return [resetPasswordPolicyOptions, (_c = policy === null || policy === void 0 ? void 0 : policy.enabled) !== null && _c !== void 0 ? _c : false];
     }
+    mapPolicyFromResponse(policyResponse) {
+        const policyData = new PolicyData(policyResponse);
+        return new Policy(policyData);
+    }
     mapPoliciesFromToken(policiesResponse) {
-        if (policiesResponse == null || policiesResponse.data == null) {
+        if ((policiesResponse === null || policiesResponse === void 0 ? void 0 : policiesResponse.data) == null) {
             return null;
         }
-        const policiesData = policiesResponse.data.map((p) => new PolicyData(p));
-        return policiesData.map((p) => new Policy(p));
+        return policiesResponse.data.map((response) => this.mapPolicyFromResponse(response));
     }
     policyAppliesToUser(policyType, policyFilter, userId) {
         return policy_service_awaiter(this, void 0, void 0, function* () {
@@ -3308,6 +3701,276 @@ class ProviderService {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/abstractions/account.service.ts
+function accountInfoEqual(a, b) {
+    return a.status == b.status && a.email == b.email && a.name == b.name;
+}
+class AccountService {
+}
+class InternalAccountService extends (/* unused pure expression or super */ null && (AccountService)) {
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/key-definition.ts
+
+/**
+ * KeyDefinitions describe the precise location to store data for a given piece of state.
+ * The StateDefinition is used to describe the domain of the state, and the KeyDefinition
+ * sub-divides that domain into specific keys.
+ */
+class KeyDefinition {
+    /**
+     * Creates a new instance of a KeyDefinition
+     * @param stateDefinition The state definition for which this key belongs to.
+     * @param key The name of the key, this should be unique per domain.
+     * @param options A set of options to customize the behavior of {@link KeyDefinition}. All options are required.
+     * @param options.deserializer A function to use to safely convert your type from json to your expected type.
+     *   Your data may be serialized/deserialized at any time and this needs callback needs to be able to faithfully re-initialize
+     *   from the JSON object representation of your type.
+     */
+    constructor(stateDefinition, key, options) {
+        this.stateDefinition = stateDefinition;
+        this.key = key;
+        this.options = options;
+        if (options.deserializer == null) {
+            throw new Error(`'deserializer' is a required property on key ${stateDefinition.name} > ${key}`);
+        }
+    }
+    /**
+     * Gets the deserializer configured for this {@link KeyDefinition}
+     */
+    get deserializer() {
+        return this.options.deserializer;
+    }
+    /**
+     * Creates a {@link KeyDefinition} for state that is an array.
+     * @param stateDefinition The state definition to be added to the KeyDefinition
+     * @param key The key to be added to the KeyDefinition
+     * @param options The options to customize the final {@link KeyDefinition}.
+     * @returns A {@link KeyDefinition} initialized for arrays, the options run
+     * the deserializer on the provided options for each element of an array
+     * **unless that array is null, in which case it will return an empty list.**
+     *
+     * @example
+     * ```typescript
+     * const MY_KEY = KeyDefinition.array<MyArrayElement>(MY_STATE, "key", {
+     *   deserializer: (myJsonElement) => convertToElement(myJsonElement),
+     * });
+     * ```
+     */
+    static array(stateDefinition, key, 
+    // We have them provide options for the element of the array, depending on future options we add, this could get a little weird.
+    options // The array helper forces  an initialValue of an empty array
+    ) {
+        return new KeyDefinition(stateDefinition, key, Object.assign(Object.assign({}, options), { deserializer: (jsonValue) => {
+                if (jsonValue == null) {
+                    return null;
+                }
+                return jsonValue.map((v) => options.deserializer(v));
+            } }));
+    }
+    /**
+     * Creates a {@link KeyDefinition} for state that is a record.
+     * @param stateDefinition The state definition to be added to the KeyDefinition
+     * @param key The key to be added to the KeyDefinition
+     * @param options The options to customize the final {@link KeyDefinition}.
+     * @returns A {@link KeyDefinition} that contains a serializer that will run the provided deserializer for each
+     * value in a record and returns every key as a string **unless that record is null, in which case it will return an record.**
+     *
+     * @example
+     * ```typescript
+     * const MY_KEY = KeyDefinition.record<MyRecordValue>(MY_STATE, "key", {
+     *   deserializer: (myJsonValue) => convertToValue(myJsonValue),
+     * });
+     * ```
+     */
+    static record(stateDefinition, key, 
+    // We have them provide options for the value of the record, depending on future options we add, this could get a little weird.
+    options // The array helper forces an initialValue of an empty record
+    ) {
+        return new KeyDefinition(stateDefinition, key, Object.assign(Object.assign({}, options), { deserializer: (jsonValue) => {
+                if (jsonValue == null) {
+                    return null;
+                }
+                const output = {};
+                for (const key in jsonValue) {
+                    output[key] = options.deserializer(jsonValue[key]);
+                }
+                return output;
+            } }));
+    }
+    /**
+     * Create a string that should be unique across the entire application.
+     * @returns A string that can be used to cache instances created via this key.
+     */
+    buildCacheKey() {
+        return `${this.stateDefinition.storageLocation}_${this.stateDefinition.name}_${this.key}`;
+    }
+}
+/**
+ * Creates a {@link StorageKey} that points to the data at the given key definition for the specified user.
+ * @param userId The userId of the user you want the key to be for.
+ * @param keyDefinition The key definition of which data the key should point to.
+ * @returns A key that is ready to be used in a storage service to get data.
+ */
+function userKeyBuilder(userId, keyDefinition) {
+    if (!Utils.isGuid(userId)) {
+        throw new Error("You cannot build a user key without a valid UserId");
+    }
+    return `user_${userId}_${keyDefinition.stateDefinition.name}_${keyDefinition.key}`;
+}
+/**
+ * Creates a {@link StorageKey}
+ * @param keyDefinition The key definition of which data the key should point to.
+ * @returns A key that is ready to be used in a storage service to get data.
+ */
+function globalKeyBuilder(keyDefinition) {
+    return `global_${keyDefinition.stateDefinition.name}_${keyDefinition.key}`;
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/state-definition.ts
+/**
+ * Defines the base location and instruction of where this state is expected to be located.
+ */
+class StateDefinition {
+    /**
+     * Creates a new instance of {@link StateDefinition}, the creation of which is owned by the platform team.
+     * @param name The name of the state, this needs to be unique from all other {@link StateDefinition}'s.
+     * @param storageLocation The location of where this state should be stored.
+     */
+    constructor(name, storageLocation) {
+        this.name = name;
+        this.storageLocation = storageLocation;
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/key-definitions.ts
+
+
+
+const ACCOUNT_MEMORY = new StateDefinition("account", "memory");
+const ACCOUNT_ACCOUNTS = new KeyDefinition(ACCOUNT_MEMORY, "accounts", {
+    deserializer: (obj) => AccountsDeserializer(obj),
+});
+const ACCOUNT_ACTIVE_ACCOUNT_ID = new KeyDefinition(ACCOUNT_MEMORY, "activeAccountId", {
+    deserializer: (id) => id,
+});
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/index.ts
+
+
+
+
+;// CONCATENATED MODULE: ../../libs/common/src/auth/enums/authentication-status.ts
+var AuthenticationStatus;
+(function (AuthenticationStatus) {
+    AuthenticationStatus[AuthenticationStatus["LoggedOut"] = 0] = "LoggedOut";
+    AuthenticationStatus[AuthenticationStatus["Locked"] = 1] = "Locked";
+    AuthenticationStatus[AuthenticationStatus["Unlocked"] = 2] = "Unlocked";
+})(AuthenticationStatus || (AuthenticationStatus = {}));
+
+;// CONCATENATED MODULE: ../../libs/common/src/auth/services/account.service.ts
+var account_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+
+function AccountsDeserializer(accounts) {
+    if (accounts == null) {
+        return {};
+    }
+    return accounts;
+}
+class AccountServiceImplementation {
+    constructor(messagingService, logService, globalStateProvider) {
+        this.messagingService = messagingService;
+        this.logService = logService;
+        this.globalStateProvider = globalStateProvider;
+        this.lock = new external_rxjs_namespaceObject.Subject();
+        this.logout = new external_rxjs_namespaceObject.Subject();
+        this.accountLock$ = this.lock.asObservable();
+        this.accountLogout$ = this.logout.asObservable();
+        this.accountsState = this.globalStateProvider.get(ACCOUNT_ACCOUNTS);
+        this.activeAccountIdState = this.globalStateProvider.get(ACCOUNT_ACTIVE_ACCOUNT_ID);
+        this.accounts$ = this.accountsState.state$.pipe((0,external_rxjs_namespaceObject.map)((accounts) => (accounts == null ? {} : accounts)));
+        this.activeAccount$ = this.activeAccountIdState.state$.pipe((0,external_rxjs_namespaceObject.combineLatestWith)(this.accounts$), (0,external_rxjs_namespaceObject.map)(([id, accounts]) => (id ? Object.assign({ id }, accounts[id]) : undefined)), (0,external_rxjs_namespaceObject.distinctUntilChanged)(), (0,external_rxjs_namespaceObject.shareReplay)({ bufferSize: 1, refCount: false }));
+    }
+    addAccount(userId, accountData) {
+        this.accountsState.update((accounts) => {
+            accounts || (accounts = {});
+            accounts[userId] = accountData;
+            return accounts;
+        });
+    }
+    setAccountName(userId, name) {
+        this.setAccountInfo(userId, { name });
+    }
+    setAccountEmail(userId, email) {
+        this.setAccountInfo(userId, { email });
+    }
+    setAccountStatus(userId, status) {
+        this.setAccountInfo(userId, { status });
+        if (status === AuthenticationStatus.LoggedOut) {
+            this.logout.next(userId);
+        }
+        else if (status === AuthenticationStatus.Locked) {
+            this.lock.next(userId);
+        }
+    }
+    switchAccount(userId) {
+        this.activeAccountIdState.update((_, accounts) => {
+            if (userId == null) {
+                // indicates no account is active
+                return undefined;
+            }
+            if ((accounts === null || accounts === void 0 ? void 0 : accounts[userId]) == null) {
+                throw new Error("Account does not exist");
+            }
+            return userId;
+        }, {
+            combineLatestWith: this.accounts$,
+        });
+    }
+    // TODO: update to use our own account status settings. Requires inverting direction of state service accounts flow
+    delete() {
+        var _a;
+        return account_service_awaiter(this, void 0, void 0, function* () {
+            try {
+                (_a = this.messagingService) === null || _a === void 0 ? void 0 : _a.send("logout");
+            }
+            catch (e) {
+                this.logService.error(e);
+                throw e;
+            }
+        });
+    }
+    setAccountInfo(userId, update) {
+        function newAccountInfo(oldAccountInfo) {
+            return Object.assign(Object.assign({}, oldAccountInfo), update);
+        }
+        this.accountsState.update((accounts) => {
+            accounts[userId] = newAccountInfo(accounts[userId]);
+            return accounts;
+        }, {
+            // Avoid unnecessary updates
+            // TODO: Faster comparison, maybe include a hash on the objects?
+            shouldUpdate: (accounts) => {
+                if ((accounts === null || accounts === void 0 ? void 0 : accounts[userId]) == null) {
+                    throw new Error("Account does not exist");
+                }
+                return !accountInfoEqual(accounts[userId], newAccountInfo(accounts[userId]));
+            },
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/platform/models/domain/symmetric-crypto-key.ts
 
 
@@ -3431,107 +4094,16 @@ class PreloginRequest {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/models/response/error.response.ts
-
-
-class ErrorResponse extends BaseResponse {
-    constructor(response, status, identityResponse) {
-        var _a, _b;
-        super(response);
-        let errorModel = null;
-        if (response != null) {
-            const responseErrorModel = this.getResponseProperty("ErrorModel");
-            if (responseErrorModel && identityResponse) {
-                errorModel = responseErrorModel;
-            }
-            else {
-                errorModel = response;
-            }
-        }
-        if (status === 429) {
-            this.message = "Rate limit exceeded. Try again later.";
-        }
-        else if (errorModel) {
-            this.message = this.getResponseProperty("Message", errorModel);
-            this.validationErrors = this.getResponseProperty("ValidationErrors", errorModel);
-            this.captchaSiteKey = (_b = (_a = this.validationErrors) === null || _a === void 0 ? void 0 : _a.HCaptcha_SiteKey) === null || _b === void 0 ? void 0 : _b[0];
-            this.captchaRequired = !utils_Utils.isNullOrWhitespace(this.captchaSiteKey);
-        }
-        this.statusCode = status;
-    }
-    getSingleMessage() {
-        if (this.validationErrors == null) {
-            return this.message;
-        }
-        for (const key in this.validationErrors) {
-            // eslint-disable-next-line
-            if (!this.validationErrors.hasOwnProperty(key)) {
-                continue;
-            }
-            if (this.validationErrors[key].length) {
-                return this.validationErrors[key][0];
-            }
-        }
-        return this.message;
-    }
-    getAllMessages() {
-        const messages = [];
-        if (this.validationErrors == null) {
-            return messages;
-        }
-        for (const key in this.validationErrors) {
-            // eslint-disable-next-line
-            if (!this.validationErrors.hasOwnProperty(key)) {
-                continue;
-            }
-            this.validationErrors[key].forEach((item) => {
-                let prefix = "";
-                if (key.indexOf("[") > -1 && key.indexOf("]") > -1) {
-                    const lastSep = key.lastIndexOf(".");
-                    prefix = key.substr(0, lastSep > -1 ? lastSep : key.length) + ": ";
-                }
-                messages.push(prefix + item);
-            });
-        }
-        return messages;
-    }
-}
-
-;// CONCATENATED MODULE: ../../libs/common/src/auth/enums/authentication-status.ts
-var AuthenticationStatus;
-(function (AuthenticationStatus) {
-    AuthenticationStatus[AuthenticationStatus["LoggedOut"] = 0] = "LoggedOut";
-    AuthenticationStatus[AuthenticationStatus["Locked"] = 1] = "Locked";
-    AuthenticationStatus[AuthenticationStatus["Unlocked"] = 2] = "Unlocked";
-})(AuthenticationStatus || (AuthenticationStatus = {}));
-
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/enums/authentication-type.ts
 var authentication_type_AuthenticationType;
 (function (AuthenticationType) {
     AuthenticationType[AuthenticationType["Password"] = 0] = "Password";
     AuthenticationType[AuthenticationType["Sso"] = 1] = "Sso";
     AuthenticationType[AuthenticationType["UserApi"] = 2] = "UserApi";
-    AuthenticationType[AuthenticationType["Passwordless"] = 3] = "Passwordless";
+    AuthenticationType[AuthenticationType["AuthRequest"] = 3] = "AuthRequest";
+    AuthenticationType[AuthenticationType["WebAuthn"] = 4] = "WebAuthn";
 })(authentication_type_AuthenticationType || (authentication_type_AuthenticationType = {}));
 
-;// CONCATENATED MODULE: ../../libs/common/src/auth/models/domain/force-reset-password-reason.ts
-var ForceResetPasswordReason;
-(function (ForceResetPasswordReason) {
-    /**
-     * A password reset should not be forced.
-     */
-    ForceResetPasswordReason[ForceResetPasswordReason["None"] = 0] = "None";
-    /**
-     * Occurs when an organization admin forces a user to reset their password.
-     */
-    ForceResetPasswordReason[ForceResetPasswordReason["AdminForcePasswordReset"] = 1] = "AdminForcePasswordReset";
-    /**
-     * Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
-     * master password policy that is enforced on login/unlock.
-     */
-    ForceResetPasswordReason[ForceResetPasswordReason["WeakMasterPassword"] = 2] = "WeakMasterPassword";
-})(ForceResetPasswordReason || (ForceResetPasswordReason = {}));
-
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/request/identity-token/token.request.ts
 class TokenRequest {
     constructor(twoFactor, device) {
@@ -3545,8 +4117,8 @@ class TokenRequest {
     setTwoFactor(twoFactor) {
         this.twoFactor = twoFactor;
     }
-    setPasswordlessAccessCode(accessCode) {
-        this.passwordlessAuthRequest = accessCode;
+    setAuthRequestAccessCode(accessCode) {
+        this.authRequest = accessCode;
     }
     toIdentityToken(clientId) {
         const obj = {
@@ -3561,8 +4133,8 @@ class TokenRequest {
             // obj.devicePushToken = this.device.pushToken;
         }
         //passswordless login
-        if (this.passwordlessAuthRequest) {
-            obj.authRequest = this.passwordlessAuthRequest;
+        if (this.authRequest) {
+            obj.authRequest = this.authRequest;
         }
         if (this.twoFactor) {
             if (this.twoFactor.token && this.twoFactor.provider != null) {
@@ -3601,15 +4173,6 @@ class PasswordTokenRequest extends TokenRequest {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/identity-captcha.response.ts
-
-class IdentityCaptchaResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.siteKey = this.getResponseProperty("HCaptcha_SiteKey");
-    }
-}
-
 ;// CONCATENATED MODULE: ../../libs/common/src/models/request/keys.request.ts
 class KeysRequest {
     constructor(publicKey, encryptedPrivateKey) {
@@ -3793,8 +4356,11 @@ class AccountKeys {
         this.cryptoSymmetricKey = new EncryptionPair();
     }
     toJSON() {
+        // If you pass undefined into fromBufferToByteString, you will get an empty string back
+        // which will cause all sorts of headaches down the line when you try to getPublicKey
+        // and expect a Uint8Array and get an empty string instead.
         return utils_Utils.merge(this, {
-            publicKey: utils_Utils.fromBufferToByteString(this.publicKey),
+            publicKey: this.publicKey ? utils_Utils.fromBufferToByteString(this.publicKey) : undefined,
         });
     }
     static fromJSON(obj) {
@@ -3984,6 +4550,35 @@ var TwoFactorProviderType;
     TwoFactorProviderType[TwoFactorProviderType["WebAuthn"] = 7] = "WebAuthn";
 })(TwoFactorProviderType || (TwoFactorProviderType = {}));
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/models/domain/force-set-password-reason.ts
+/*
+ * This enum is used to determine if a user should be forced to initially set or reset their password
+ * on login (server flag) or unlock via MP (client evaluation).
+ */
+var ForceSetPasswordReason;
+(function (ForceSetPasswordReason) {
+    /**
+     * A password reset should not be forced.
+     */
+    ForceSetPasswordReason[ForceSetPasswordReason["None"] = 0] = "None";
+    /**
+     * Occurs when an organization admin forces a user to reset their password.
+     * Communicated via server flag.
+     */
+    ForceSetPasswordReason[ForceSetPasswordReason["AdminForcePasswordReset"] = 1] = "AdminForcePasswordReset";
+    /**
+     * Occurs when a user logs in / unlocks their vault with a master password that does not meet an organization's
+     * master password policy that is enforced on login/unlock.
+     * Only set client side b/c server can't evaluate MP.
+     */
+    ForceSetPasswordReason[ForceSetPasswordReason["WeakMasterPassword"] = 2] = "WeakMasterPassword";
+    /**
+     * Occurs when a TDE user without a password obtains the password reset permission.
+     * Set post login & decryption client side and by server in sync (to catch logged in users).
+     */
+    ForceSetPasswordReason[ForceSetPasswordReason["TdeUserWithoutPasswordHasPasswordResetPermission"] = 3] = "TdeUserWithoutPasswordHasPasswordResetPermission";
+})(ForceSetPasswordReason || (ForceSetPasswordReason = {}));
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/domain/auth-result.ts
 
 
@@ -3997,7 +4592,7 @@ class AuthResult {
          * not have a master password and is not using Key Connector.
          * */
         this.resetMasterPassword = false;
-        this.forcePasswordReset = ForceResetPasswordReason.None;
+        this.forcePasswordReset = ForceSetPasswordReason.None;
         this.twoFactorProviders = null;
     }
     get requiresCaptcha() {
@@ -4027,6 +4622,15 @@ class TokenTwoFactorRequest {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/identity-captcha.response.ts
+
+class IdentityCaptchaResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        this.siteKey = this.getResponseProperty("HCaptcha_SiteKey");
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/master-password-policy.response.ts
 
 class MasterPasswordPolicyResponse extends BaseResponse {
@@ -4069,10 +4673,26 @@ class TrustedDeviceUserDecryptionOptionResponse extends BaseResponse {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/user-decryption-options/webauthn-prf-decryption-option.response.ts
+
+
+class WebAuthnPrfDecryptionOptionResponse extends BaseResponse {
+    constructor(response) {
+        super(response);
+        if (response.EncryptedPrivateKey) {
+            this.encryptedPrivateKey = new EncString(this.getResponseProperty("EncryptedPrivateKey"));
+        }
+        if (response.EncryptedUserKey) {
+            this.encryptedUserKey = new EncString(this.getResponseProperty("EncryptedUserKey"));
+        }
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/user-decryption-options/user-decryption-options.response.ts
 
 
 
+
 class UserDecryptionOptionsResponse extends BaseResponse {
     constructor(response) {
         super(response);
@@ -4083,6 +4703,9 @@ class UserDecryptionOptionsResponse extends BaseResponse {
         if (response.KeyConnectorOption) {
             this.keyConnectorOption = new KeyConnectorUserDecryptionOptionResponse(this.getResponseProperty("KeyConnectorOption"));
         }
+        if (response.WebAuthnPrfOption) {
+            this.webAuthnPrfOption = new WebAuthnPrfDecryptionOptionResponse(this.getResponseProperty("WebAuthnPrfOption"));
+        }
     }
 }
 
@@ -4159,7 +4782,8 @@ var login_strategy_awaiter = (undefined && undefined.__awaiter) || function (thi
 
 
 
-class LogInStrategy {
+
+class LoginStrategy {
     constructor(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService) {
         this.cryptoService = cryptoService;
         this.apiService = apiService;
@@ -4252,9 +4876,18 @@ class LogInStrategy {
     processTokenResponse(response) {
         return login_strategy_awaiter(this, void 0, void 0, function* () {
             const result = new AuthResult();
+            // Old encryption keys must be migrated, but is currently only available on web.
+            // Other clients shouldn't continue the login process.
+            if (this.encryptionKeyMigrationRequired(response)) {
+                result.requiresEncryptionKeyMigration = true;
+                if (this.platformUtilsService.getClientType() !== ClientType.Web) {
+                    return result;
+                }
+            }
             result.resetMasterPassword = response.resetMasterPassword;
+            // Convert boolean to enum
             if (response.forcePasswordReset) {
-                result.forcePasswordReset = ForceResetPasswordReason.AdminForcePasswordReset;
+                result.forcePasswordReset = ForceSetPasswordReason.AdminForcePasswordReset;
             }
             // Must come before setting keys, user key needs email to update additional keys
             yield this.saveAccountInformation(response);
@@ -4268,6 +4901,11 @@ class LogInStrategy {
             return result;
         });
     }
+    // Old accounts used master key for encryption. We are forcing migrations but only need to
+    // check on password logins
+    encryptionKeyMigrationRequired(response) {
+        return false;
+    }
     createKeyPairForOldAccount() {
         return login_strategy_awaiter(this, void 0, void 0, function* () {
             try {
@@ -4301,6 +4939,93 @@ class LogInStrategy {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/login-strategies/auth-request-login.strategy.ts
+var auth_request_login_strategy_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+class AuthRequestLoginStrategy extends LoginStrategy {
+    get email() {
+        return this.tokenRequest.email;
+    }
+    get accessCode() {
+        return this.authRequestCredentials.accessCode;
+    }
+    get authRequestId() {
+        return this.authRequestCredentials.authRequestId;
+    }
+    constructor(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService, deviceTrustCryptoService) {
+        super(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService);
+        this.deviceTrustCryptoService = deviceTrustCryptoService;
+    }
+    logIn(credentials) {
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            // NOTE: To avoid DeadObject references on Firefox, do not set the credentials object directly
+            // Use deep copy in future if objects are added that were created in popup
+            this.authRequestCredentials = Object.assign({}, credentials);
+            this.tokenRequest = new PasswordTokenRequest(credentials.email, credentials.accessCode, null, yield this.buildTwoFactor(credentials.twoFactor), yield this.buildDeviceRequest());
+            this.tokenRequest.setAuthRequestAccessCode(credentials.authRequestId);
+            const [authResult] = yield this.startLogIn();
+            return authResult;
+        });
+    }
+    logInTwoFactor(twoFactor, captchaResponse) {
+        const _super = Object.create(null, {
+            logInTwoFactor: { get: () => super.logInTwoFactor }
+        });
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            this.tokenRequest.captchaResponse = captchaResponse !== null && captchaResponse !== void 0 ? captchaResponse : this.captchaBypassToken;
+            return _super.logInTwoFactor.call(this, twoFactor);
+        });
+    }
+    setMasterKey(response) {
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            if (this.authRequestCredentials.decryptedMasterKey &&
+                this.authRequestCredentials.decryptedMasterKeyHash) {
+                yield this.cryptoService.setMasterKey(this.authRequestCredentials.decryptedMasterKey);
+                yield this.cryptoService.setMasterKeyHash(this.authRequestCredentials.decryptedMasterKeyHash);
+            }
+        });
+    }
+    setUserKey(response) {
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            // User now may or may not have a master password
+            // but set the master key encrypted user key if it exists regardless
+            yield this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
+            if (this.authRequestCredentials.decryptedUserKey) {
+                yield this.cryptoService.setUserKey(this.authRequestCredentials.decryptedUserKey);
+            }
+            else {
+                yield this.trySetUserKeyWithMasterKey();
+                // Establish trust if required after setting user key
+                yield this.deviceTrustCryptoService.trustDeviceIfRequired();
+            }
+        });
+    }
+    trySetUserKeyWithMasterKey() {
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            const masterKey = yield this.cryptoService.getMasterKey();
+            if (masterKey) {
+                const userKey = yield this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+                yield this.cryptoService.setUserKey(userKey);
+            }
+        });
+    }
+    setPrivateKey(response) {
+        var _a;
+        return auth_request_login_strategy_awaiter(this, void 0, void 0, function* () {
+            yield this.cryptoService.setPrivateKey((_a = response.privateKey) !== null && _a !== void 0 ? _a : (yield this.createKeyPairForOldAccount()));
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/login-strategies/password-login.strategy.ts
 var password_login_strategy_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@@ -4317,7 +5042,7 @@ var password_login_strategy_awaiter = (undefined && undefined.__awaiter) || func
 
 
 
-class PasswordLogInStrategy extends LogInStrategy {
+class PasswordLoginStrategy extends LoginStrategy {
     get email() {
         return this.tokenRequest.email;
     }
@@ -4334,7 +5059,7 @@ class PasswordLogInStrategy extends LogInStrategy {
          * Options to track if the user needs to update their password due to a password that does not meet an organization's
          * master password policy.
          */
-        this.forcePasswordResetReason = ForceResetPasswordReason.None;
+        this.forcePasswordResetReason = ForceSetPasswordReason.None;
     }
     logInTwoFactor(twoFactor, captchaResponse) {
         const _super = Object.create(null, {
@@ -4346,8 +5071,8 @@ class PasswordLogInStrategy extends LogInStrategy {
             // 2FA was successful, save the force update password options with the state service if defined
             if (!result.requiresTwoFactor &&
                 !result.requiresCaptcha &&
-                this.forcePasswordResetReason != ForceResetPasswordReason.None) {
-                yield this.stateService.setForcePasswordResetReason(this.forcePasswordResetReason);
+                this.forcePasswordResetReason != ForceSetPasswordReason.None) {
+                yield this.stateService.setForceSetPasswordReason(this.forcePasswordResetReason);
                 result.forcePasswordReset = this.forcePasswordResetReason;
             }
             return result;
@@ -4370,12 +5095,12 @@ class PasswordLogInStrategy extends LogInStrategy {
                 if (!meetsRequirements) {
                     if (authResult.requiresCaptcha || authResult.requiresTwoFactor) {
                         // Save the flag to this strategy for later use as the master password is about to pass out of scope
-                        this.forcePasswordResetReason = ForceResetPasswordReason.WeakMasterPassword;
+                        this.forcePasswordResetReason = ForceSetPasswordReason.WeakMasterPassword;
                     }
                     else {
                         // Authentication was successful, save the force update password options with the state service
-                        yield this.stateService.setForcePasswordResetReason(ForceResetPasswordReason.WeakMasterPassword);
-                        authResult.forcePasswordReset = ForceResetPasswordReason.WeakMasterPassword;
+                        yield this.stateService.setForceSetPasswordReason(ForceSetPasswordReason.WeakMasterPassword);
+                        authResult.forcePasswordReset = ForceSetPasswordReason.WeakMasterPassword;
                     }
                 }
             }
@@ -4390,6 +5115,10 @@ class PasswordLogInStrategy extends LogInStrategy {
     }
     setUserKey(response) {
         return password_login_strategy_awaiter(this, void 0, void 0, function* () {
+            // If migration is required, we won't have a user key to set yet.
+            if (this.encryptionKeyMigrationRequired(response)) {
+                return;
+            }
             yield this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
             const masterKey = yield this.cryptoService.getMasterKey();
             if (masterKey) {
@@ -4404,6 +5133,9 @@ class PasswordLogInStrategy extends LogInStrategy {
             yield this.cryptoService.setPrivateKey((_a = response.privateKey) !== null && _a !== void 0 ? _a : (yield this.createKeyPairForOldAccount()));
         });
     }
+    encryptionKeyMigrationRequired(response) {
+        return !response.key;
+    }
     getMasterPasswordPolicyOptionsFromResponse(response) {
         if (response == null || response instanceof IdentityCaptchaResponse) {
             return null;
@@ -4417,91 +5149,6 @@ class PasswordLogInStrategy extends LogInStrategy {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/auth/login-strategies/passwordless-login.strategy.ts
-var passwordless_login_strategy_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-
-
-class PasswordlessLogInStrategy extends LogInStrategy {
-    get email() {
-        return this.tokenRequest.email;
-    }
-    get accessCode() {
-        return this.passwordlessCredentials.accessCode;
-    }
-    get authRequestId() {
-        return this.passwordlessCredentials.authRequestId;
-    }
-    constructor(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService, deviceTrustCryptoService) {
-        super(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService);
-        this.deviceTrustCryptoService = deviceTrustCryptoService;
-    }
-    logIn(credentials) {
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            this.passwordlessCredentials = credentials;
-            this.tokenRequest = new PasswordTokenRequest(credentials.email, credentials.accessCode, null, yield this.buildTwoFactor(credentials.twoFactor), yield this.buildDeviceRequest());
-            this.tokenRequest.setPasswordlessAccessCode(credentials.authRequestId);
-            const [authResult] = yield this.startLogIn();
-            return authResult;
-        });
-    }
-    logInTwoFactor(twoFactor, captchaResponse) {
-        const _super = Object.create(null, {
-            logInTwoFactor: { get: () => super.logInTwoFactor }
-        });
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            this.tokenRequest.captchaResponse = captchaResponse !== null && captchaResponse !== void 0 ? captchaResponse : this.captchaBypassToken;
-            return _super.logInTwoFactor.call(this, twoFactor);
-        });
-    }
-    setMasterKey(response) {
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            if (this.passwordlessCredentials.decryptedMasterKey &&
-                this.passwordlessCredentials.decryptedMasterKeyHash) {
-                yield this.cryptoService.setMasterKey(this.passwordlessCredentials.decryptedMasterKey);
-                yield this.cryptoService.setMasterKeyHash(this.passwordlessCredentials.decryptedMasterKeyHash);
-            }
-        });
-    }
-    setUserKey(response) {
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            // User now may or may not have a master password
-            // but set the master key encrypted user key if it exists regardless
-            yield this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
-            if (this.passwordlessCredentials.decryptedUserKey) {
-                yield this.cryptoService.setUserKey(this.passwordlessCredentials.decryptedUserKey);
-            }
-            else {
-                yield this.trySetUserKeyWithMasterKey();
-                // Establish trust if required after setting user key
-                yield this.deviceTrustCryptoService.trustDeviceIfRequired();
-            }
-        });
-    }
-    trySetUserKeyWithMasterKey() {
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            const masterKey = yield this.cryptoService.getMasterKey();
-            if (masterKey) {
-                const userKey = yield this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
-                yield this.cryptoService.setUserKey(userKey);
-            }
-        });
-    }
-    setPrivateKey(response) {
-        var _a;
-        return passwordless_login_strategy_awaiter(this, void 0, void 0, function* () {
-            yield this.cryptoService.setPrivateKey((_a = response.privateKey) !== null && _a !== void 0 ? _a : (yield this.createKeyPairForOldAccount()));
-        });
-    }
-}
-
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/request/identity-token/sso-token.request.ts
 
 class SsoTokenRequest extends TokenRequest {
@@ -4536,7 +5183,8 @@ var sso_login_strategy_awaiter = (undefined && undefined.__awaiter) || function
 
 
 
-class SsoLogInStrategy extends LogInStrategy {
+
+class SsoLoginStrategy extends LoginStrategy {
     constructor(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService, keyConnectorService, deviceTrustCryptoService, authReqCryptoService, i18nService) {
         super(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService);
         this.keyConnectorService = keyConnectorService;
@@ -4551,6 +5199,10 @@ class SsoLogInStrategy extends LogInStrategy {
             const [ssoAuthResult] = yield this.startLogIn();
             this.email = ssoAuthResult.email;
             this.ssoEmail2FaSessionToken = ssoAuthResult.ssoEmail2FaSessionToken;
+            // Auth guard currently handles redirects for this.
+            if (ssoAuthResult.forcePasswordReset == ForceSetPasswordReason.AdminForcePasswordReset) {
+                yield this.stateService.setForceSetPasswordReason(ssoAuthResult.forcePasswordReset);
+            }
             return ssoAuthResult;
         });
     }
@@ -4748,7 +5400,7 @@ var user_api_login_strategy_awaiter = (undefined && undefined.__awaiter) || func
 };
 
 
-class UserApiLogInStrategy extends LogInStrategy {
+class UserApiLoginStrategy extends LoginStrategy {
     constructor(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService, environmentService, keyConnectorService) {
         super(cryptoService, apiService, tokenService, appIdService, platformUtilsService, messagingService, logService, stateService, twoFactorService);
         this.environmentService = environmentService;
@@ -4799,6 +5451,86 @@ class UserApiLogInStrategy extends LogInStrategy {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/models/request/identity-token/webauthn-login-token.request.ts
+
+class WebAuthnLoginTokenRequest extends TokenRequest {
+    constructor(token, deviceResponse, device) {
+        super(undefined, device);
+        this.token = token;
+        this.deviceResponse = deviceResponse;
+    }
+    toIdentityToken(clientId) {
+        const obj = super.toIdentityToken(clientId);
+        obj.grant_type = "webauthn";
+        obj.token = this.token;
+        // must be a string b/c sending as form encoded data
+        obj.deviceResponse = JSON.stringify(this.deviceResponse);
+        return obj;
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/auth/login-strategies/webauthn-login.strategy.ts
+var webauthn_login_strategy_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+class WebAuthnLoginStrategy extends LoginStrategy {
+    setMasterKey() {
+        return webauthn_login_strategy_awaiter(this, void 0, void 0, function* () {
+            return Promise.resolve();
+        });
+    }
+    setUserKey(idTokenResponse) {
+        var _a;
+        return webauthn_login_strategy_awaiter(this, void 0, void 0, function* () {
+            const userDecryptionOptions = idTokenResponse === null || idTokenResponse === void 0 ? void 0 : idTokenResponse.userDecryptionOptions;
+            if (userDecryptionOptions === null || userDecryptionOptions === void 0 ? void 0 : userDecryptionOptions.webAuthnPrfOption) {
+                const webAuthnPrfOption = (_a = idTokenResponse.userDecryptionOptions) === null || _a === void 0 ? void 0 : _a.webAuthnPrfOption;
+                // confirm we still have the prf key
+                if (!this.credentials.prfKey) {
+                    return;
+                }
+                // decrypt prf encrypted private key
+                const privateKey = yield this.cryptoService.decryptToBytes(webAuthnPrfOption.encryptedPrivateKey, this.credentials.prfKey);
+                // decrypt user key with private key
+                const userKey = yield this.cryptoService.rsaDecrypt(webAuthnPrfOption.encryptedUserKey.encryptedString, privateKey);
+                if (userKey) {
+                    yield this.cryptoService.setUserKey(new SymmetricCryptoKey(userKey));
+                }
+            }
+        });
+    }
+    setPrivateKey(response) {
+        var _a;
+        return webauthn_login_strategy_awaiter(this, void 0, void 0, function* () {
+            yield this.cryptoService.setPrivateKey((_a = response.privateKey) !== null && _a !== void 0 ? _a : (yield this.createKeyPairForOldAccount()));
+        });
+    }
+    logInTwoFactor() {
+        return webauthn_login_strategy_awaiter(this, void 0, void 0, function* () {
+            throw new Error("2FA not supported yet for WebAuthn Login.");
+        });
+    }
+    logIn(credentials) {
+        return webauthn_login_strategy_awaiter(this, void 0, void 0, function* () {
+            // NOTE: To avoid DeadObject references on Firefox, do not set the credentials object directly
+            // Use deep copy in future if objects are added that were created in popup
+            this.credentials = Object.assign({}, credentials);
+            this.tokenRequest = new WebAuthnLoginTokenRequest(credentials.token, credentials.deviceResponse, yield this.buildDeviceRequest());
+            const [authResult] = yield this.startLogIn();
+            return authResult;
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/request/passwordless-auth.request.ts
 class PasswordlessAuthRequest {
     constructor(key, masterPasswordHash, deviceIdentifier, requestApproved) {
@@ -4832,33 +5564,34 @@ var auth_service_awaiter = (undefined && undefined.__awaiter) || function (thisA
 
 
 
+
 const sessionTimeoutLength = 2 * 60 * 1000; // 2 minutes
 class AuthService {
     get email() {
-        if (this.logInStrategy instanceof PasswordLogInStrategy ||
-            this.logInStrategy instanceof PasswordlessLogInStrategy ||
-            this.logInStrategy instanceof SsoLogInStrategy) {
+        if (this.logInStrategy instanceof PasswordLoginStrategy ||
+            this.logInStrategy instanceof AuthRequestLoginStrategy ||
+            this.logInStrategy instanceof SsoLoginStrategy) {
             return this.logInStrategy.email;
         }
         return null;
     }
     get masterPasswordHash() {
-        return this.logInStrategy instanceof PasswordLogInStrategy
+        return this.logInStrategy instanceof PasswordLoginStrategy
             ? this.logInStrategy.masterPasswordHash
             : null;
     }
     get accessCode() {
-        return this.logInStrategy instanceof PasswordlessLogInStrategy
+        return this.logInStrategy instanceof AuthRequestLoginStrategy
             ? this.logInStrategy.accessCode
             : null;
     }
     get authRequestId() {
-        return this.logInStrategy instanceof PasswordlessLogInStrategy
+        return this.logInStrategy instanceof AuthRequestLoginStrategy
             ? this.logInStrategy.authRequestId
             : null;
     }
     get ssoEmail2FaSessionToken() {
-        return this.logInStrategy instanceof SsoLogInStrategy
+        return this.logInStrategy instanceof SsoLoginStrategy
             ? this.logInStrategy.ssoEmail2FaSessionToken
             : null;
     }
@@ -4888,18 +5621,23 @@ class AuthService {
             let strategy;
             switch (credentials.type) {
                 case authentication_type_AuthenticationType.Password:
-                    strategy = new PasswordLogInStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.passwordStrengthService, this.policyService, this);
+                    strategy = new PasswordLoginStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.passwordStrengthService, this.policyService, this);
                     break;
                 case authentication_type_AuthenticationType.Sso:
-                    strategy = new SsoLogInStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.keyConnectorService, this.deviceTrustCryptoService, this.authReqCryptoService, this.i18nService);
+                    strategy = new SsoLoginStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.keyConnectorService, this.deviceTrustCryptoService, this.authReqCryptoService, this.i18nService);
                     break;
                 case authentication_type_AuthenticationType.UserApi:
-                    strategy = new UserApiLogInStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.environmentService, this.keyConnectorService);
+                    strategy = new UserApiLoginStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.environmentService, this.keyConnectorService);
+                    break;
+                case authentication_type_AuthenticationType.AuthRequest:
+                    strategy = new AuthRequestLoginStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.deviceTrustCryptoService);
                     break;
-                case authentication_type_AuthenticationType.Passwordless:
-                    strategy = new PasswordlessLogInStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService, this.deviceTrustCryptoService);
+                case authentication_type_AuthenticationType.WebAuthn:
+                    strategy = new WebAuthnLoginStrategy(this.cryptoService, this.apiService, this.tokenService, this.appIdService, this.platformUtilsService, this.messagingService, this.logService, this.stateService, this.twoFactorService);
                     break;
             }
+            // Note: Do not set the credentials object directly on the strategy. They are
+            // created in the popup and can cause DeadObject references on Firefox.
             const result = yield strategy.logIn(credentials);
             if (result === null || result === void 0 ? void 0 : result.requiresTwoFactor) {
                 this.saveState(strategy);
@@ -4934,16 +5672,16 @@ class AuthService {
         this.messagingService.send("loggedOut");
     }
     authingWithUserApiKey() {
-        return this.logInStrategy instanceof UserApiLogInStrategy;
+        return this.logInStrategy instanceof UserApiLoginStrategy;
     }
     authingWithSso() {
-        return this.logInStrategy instanceof SsoLogInStrategy;
+        return this.logInStrategy instanceof SsoLoginStrategy;
     }
     authingWithPassword() {
-        return this.logInStrategy instanceof PasswordLogInStrategy;
+        return this.logInStrategy instanceof PasswordLoginStrategy;
     }
     authingWithPasswordless() {
-        return this.logInStrategy instanceof PasswordlessLogInStrategy;
+        return this.logInStrategy instanceof AuthRequestLoginStrategy;
     }
     getAuthStatus(userId) {
         return auth_service_awaiter(this, void 0, void 0, function* () {
@@ -5214,7 +5952,7 @@ class DeviceTrustCryptoService {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/devices/responses/device.response.ts
+;// CONCATENATED MODULE: ../../libs/common/src/auth/abstractions/devices/responses/device.response.ts
 
 class DeviceResponse extends BaseResponse {
     constructor(response) {
@@ -5229,15 +5967,6 @@ class DeviceResponse extends BaseResponse {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/services/devices/requests/trusted-device-keys.request.ts
-class TrustedDeviceKeysRequest {
-    constructor(encryptedUserKey, encryptedPublicKey, encryptedPrivateKey) {
-        this.encryptedUserKey = encryptedUserKey;
-        this.encryptedPublicKey = encryptedPublicKey;
-        this.encryptedPrivateKey = encryptedPrivateKey;
-    }
-}
-
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/protected-device.response.ts
 
 
@@ -5258,6 +5987,15 @@ class ProtectedDeviceResponse extends BaseResponse {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/auth/services/devices/requests/trusted-device-keys.request.ts
+class TrustedDeviceKeysRequest {
+    constructor(encryptedUserKey, encryptedPublicKey, encryptedPrivateKey) {
+        this.encryptedUserKey = encryptedUserKey;
+        this.encryptedPublicKey = encryptedPublicKey;
+        this.encryptedPrivateKey = encryptedPrivateKey;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/services/devices-api.service.implementation.ts
 var devices_api_service_implementation_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@@ -14159,6 +14897,11 @@ class CryptoService {
             }
         });
     }
+    isLegacyUser(masterKey, userId) {
+        return crypto_service_awaiter(this, void 0, void 0, function* () {
+            return yield this.validateUserKey((masterKey !== null && masterKey !== void 0 ? masterKey : (yield this.getMasterKey(userId))));
+        });
+    }
     getUserKeyWithLegacySupport(userId) {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
             const userKey = yield this.getUserKey(userId);
@@ -14546,7 +15289,8 @@ class CryptoService {
     }
     makeKeyPair(key) {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
-            key || (key = yield this.getUserKey());
+            // Default to user key
+            key || (key = yield this.getUserKeyWithLegacySupport());
             const keyPair = yield this.cryptoFunctionService.rsaGenerateKeyPair(2048);
             const publicB64 = utils_Utils.fromBufferToB64(keyPair[0]);
             const privateEnc = yield this.encryptService.encrypt(keyPair[1], key);
@@ -14949,19 +15693,26 @@ class CryptoService {
     migrateAutoKeyIfNeeded(userId) {
         return crypto_service_awaiter(this, void 0, void 0, function* () {
             const oldAutoKey = yield this.stateService.getCryptoMasterKeyAuto({ userId: userId });
-            if (oldAutoKey) {
-                // decrypt
-                const masterKey = new SymmetricCryptoKey(utils_Utils.fromB64ToArray(oldAutoKey));
-                const encryptedUserKey = yield this.stateService.getEncryptedCryptoSymmetricKey({
-                    userId: userId,
-                });
-                const userKey = yield this.decryptUserKeyWithMasterKey(masterKey, new EncString(encryptedUserKey), userId);
-                // migrate
-                yield this.stateService.setUserKeyAutoUnlock(userKey.keyB64, { userId: userId });
-                yield this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
-                // set encrypted user key in case user immediately locks without syncing
-                yield this.setMasterKeyEncryptedUserKey(encryptedUserKey);
+            if (!oldAutoKey) {
+                return;
+            }
+            // Decrypt
+            const masterKey = new SymmetricCryptoKey(utils_Utils.fromB64ToArray(oldAutoKey));
+            if (yield this.isLegacyUser(masterKey, userId)) {
+                // Legacy users don't have a user key, so no need to migrate.
+                // Instead, set the master key for additional isLegacyUser checks that will log the user out.
+                yield this.setMasterKey(masterKey, userId);
+                return;
             }
+            const encryptedUserKey = yield this.stateService.getEncryptedCryptoSymmetricKey({
+                userId: userId,
+            });
+            const userKey = yield this.decryptUserKeyWithMasterKey(masterKey, new EncString(encryptedUserKey), userId);
+            // Migrate
+            yield this.stateService.setUserKeyAutoUnlock(userKey.keyB64, { userId: userId });
+            yield this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
+            // Set encrypted user key in case user immediately locks without syncing
+            yield this.setMasterKeyEncryptedUserKey(encryptedUserKey);
         });
     }
     decryptAndMigrateOldPinKey(masterPasswordOnRestart, pin, email, kdf, kdfConfig, oldPinKey) {
@@ -15219,7 +15970,7 @@ class EncryptServiceImplementation {
                     return null;
                 }
             }
-            return yield this.cryptoFunctionService.aesDecryptFast(fastParams);
+            return yield this.cryptoFunctionService.aesDecryptFast(fastParams, "cbc");
         });
     }
     decryptToBytes(encThing, key) {
@@ -15251,7 +16002,7 @@ class EncryptServiceImplementation {
                     return null;
                 }
             }
-            const result = yield this.cryptoFunctionService.aesDecrypt(encThing.dataBytes, encThing.ivBytes, key.encKey);
+            const result = yield this.cryptoFunctionService.aesDecrypt(encThing.dataBytes, encThing.ivBytes, key.encKey, "cbc");
             return result !== null && result !== void 0 ? result : null;
         });
     }
@@ -15328,6 +16079,7 @@ var environment_service_awaiter = (undefined && undefined.__awaiter) || function
 
 
 
+
 class environment_service_EnvironmentService {
     constructor(stateService) {
         this.stateService = stateService;
@@ -15553,6 +16305,27 @@ class environment_service_EnvironmentService {
             this.notificationsUrl == null &&
             this.eventsUrl == null);
     }
+    getHost(userId) {
+        return environment_service_awaiter(this, void 0, void 0, function* () {
+            const region = yield this.getRegion(userId ? userId : null);
+            switch (region) {
+                case Region.US:
+                    return RegionDomain.US;
+                case Region.EU:
+                    return RegionDomain.EU;
+                default: {
+                    // Environment is self-hosted
+                    const envUrls = yield this.stateService.getEnvironmentUrls(userId ? { userId: userId } : null);
+                    return utils_Utils.getHost(envUrls.webVault || envUrls.base);
+                }
+            }
+        });
+    }
+    getRegion(userId) {
+        return environment_service_awaiter(this, void 0, void 0, function* () {
+            return this.stateService.getRegion(userId ? { userId: userId } : null);
+        });
+    }
     setRegion(region) {
         return environment_service_awaiter(this, void 0, void 0, function* () {
             this.selectedRegion = region;
@@ -15911,10 +16684,18 @@ var memory_storage_service_awaiter = (undefined && undefined.__awaiter) || funct
     });
 };
 
+
 class MemoryStorageService extends AbstractMemoryStorageService {
     constructor() {
         super(...arguments);
         this.store = new Map();
+        this.updatesSubject = new external_rxjs_namespaceObject.Subject();
+    }
+    get valuesRequireDeserialization() {
+        return false;
+    }
+    get updates$() {
+        return this.updatesSubject.asObservable();
     }
     get(key) {
         if (this.store.has(key)) {
@@ -15933,10 +16714,12 @@ class MemoryStorageService extends AbstractMemoryStorageService {
             return this.remove(key);
         }
         this.store.set(key, obj);
+        this.updatesSubject.next({ key, updateType: "save" });
         return Promise.resolve();
     }
     remove(key) {
         this.store.delete(key);
+        this.updatesSubject.next({ key, updateType: "remove" });
         return Promise.resolve();
     }
     getBypassCache(key) {
@@ -15951,6 +16734,27 @@ class NoopMessagingService {
     }
 }
 
+;// CONCATENATED MODULE: ../browser/src/autofill/utils/autofill-overlay.enum.ts
+const AutofillOverlayElement = {
+    Button: "autofill-overlay-button",
+    List: "autofill-overlay-list",
+};
+const AutofillOverlayPort = {
+    Button: "autofill-overlay-button-port",
+    List: "autofill-overlay-list-port",
+};
+const RedirectFocusDirection = {
+    Current: "current",
+    Previous: "previous",
+    Next: "next",
+};
+const AutofillOverlayVisibility = {
+    Off: 0,
+    OnButtonClick: 1,
+    OnFieldFocus: 2,
+};
+
+
 ;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/data/provider.data.ts
 class ProviderData {
     constructor(response) {
@@ -16041,7 +16845,7 @@ class MigrationBuilder {
             helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) should migrate: ${shouldMigrate} - ${direction}`);
             if (shouldMigrate) {
                 const method = direction === "up" ? migrator.migrate : migrator.rollback;
-                yield method(helper);
+                yield method.bind(migrator)(helper);
                 helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) migrated - ${direction}`);
                 yield migrator.updateVersion(helper, direction);
                 helper.info(`Migrator ${migrator.constructor.name} (to version ${migrator.toVersion}) updated version - ${direction}`);
@@ -16440,6 +17244,70 @@ class MoveStateVersionMigrator extends Migrator {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/9-move-browser-settings-to-global.ts
+var _9_move_browser_settings_to_global_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+class MoveBrowserSettingsToGlobal extends Migrator {
+    // Will first check if any of the accounts have a value from the given accountSelector
+    // if they do have a value it will set that value into global state but if multiple
+    // users have differing values it will prefer the false setting,
+    // if all users have true then it will take true.
+    tryAddSetting(accounts, accountSelector, globalSetter) {
+        const hasValue = accounts.some(({ account }) => {
+            return accountSelector(account) !== undefined;
+        });
+        if (hasValue) {
+            const value = !accounts.some(({ account }) => {
+                var _a;
+                return ((_a = accountSelector(account)) !== null && _a !== void 0 ? _a : false) === false;
+            });
+            globalSetter(value);
+        }
+    }
+    migrate(helper) {
+        return _9_move_browser_settings_to_global_awaiter(this, void 0, void 0, function* () {
+            const global = yield helper.get("global");
+            const accounts = yield helper.getAccounts();
+            const globalNeverDomainsValue = accounts.reduce((accumulator, { account }) => {
+                var _a, _b;
+                const normalizedNeverDomains = (_b = (_a = account.settings) === null || _a === void 0 ? void 0 : _a.neverDomains) !== null && _b !== void 0 ? _b : {};
+                for (const [id, value] of Object.entries(normalizedNeverDomains)) {
+                    accumulator !== null && accumulator !== void 0 ? accumulator : (accumulator = {});
+                    accumulator[id] = value;
+                }
+                return accumulator;
+            }, undefined);
+            const targetGlobalState = {};
+            if (globalNeverDomainsValue != null) {
+                targetGlobalState.neverDomains = globalNeverDomainsValue;
+            }
+            this.tryAddSetting(accounts, (a) => { var _a; return (_a = a.settings) === null || _a === void 0 ? void 0 : _a.disableAddLoginNotification; }, (v) => (targetGlobalState.disableAddLoginNotification = v));
+            this.tryAddSetting(accounts, (a) => { var _a; return (_a = a.settings) === null || _a === void 0 ? void 0 : _a.disableChangedPasswordNotification; }, (v) => (targetGlobalState.disableChangedPasswordNotification = v));
+            this.tryAddSetting(accounts, (a) => { var _a; return (_a = a.settings) === null || _a === void 0 ? void 0 : _a.disableContextMenuItem; }, (v) => (targetGlobalState.disableContextMenuItem = v));
+            yield helper.set("global", Object.assign(Object.assign({}, global), targetGlobalState));
+            yield Promise.all(accounts.map(({ userId, account }) => _9_move_browser_settings_to_global_awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c, _d;
+                (_a = account.settings) === null || _a === void 0 ? true : delete _a.disableAddLoginNotification;
+                (_b = account.settings) === null || _b === void 0 ? true : delete _b.disableChangedPasswordNotification;
+                (_c = account.settings) === null || _c === void 0 ? true : delete _c.disableContextMenuItem;
+                (_d = account.settings) === null || _d === void 0 ? true : delete _d.neverDomains;
+                yield helper.set(userId, account);
+            })));
+        });
+    }
+    rollback(helper) {
+        throw new Error("Method not implemented.");
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/state-migrations/migrations/min-version.ts
 var min_version_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@@ -16496,8 +17364,9 @@ var migrate_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
 
 
 
+
 const MIN_VERSION = 2;
-const CURRENT_VERSION = 8;
+const CURRENT_VERSION = 9;
 function migrate(storageService, logService) {
     return migrate_awaiter(this, void 0, void 0, function* () {
         const migrationHelper = new MigrationHelper(yield currentVersion(storageService, logService), storageService, logService);
@@ -16513,7 +17382,8 @@ function migrate(storageService, logService) {
             .with(AddKeyTypeToOrgKeysMigrator, 4, 5)
             .with(RemoveLegacyEtmKeyMigrator, 5, 6)
             .with(MoveBiometricAutoPromptToAccount, 6, 7)
-            .with(MoveStateVersionMigrator, 7, CURRENT_VERSION)
+            .with(MoveStateVersionMigrator, 7, 8)
+            .with(MoveBrowserSettingsToGlobal, 8, CURRENT_VERSION)
             .migrate(migrationHelper);
     });
 }
@@ -17348,6 +18218,28 @@ class IdentityData {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/vault/models/data/fido2-credential.data.ts
+class Fido2CredentialData {
+    constructor(data) {
+        if (data == null) {
+            return;
+        }
+        this.credentialId = data.credentialId;
+        this.keyType = data.keyType;
+        this.keyAlgorithm = data.keyAlgorithm;
+        this.keyCurve = data.keyCurve;
+        this.keyValue = data.keyValue;
+        this.rpId = data.rpId;
+        this.userHandle = data.userHandle;
+        this.userName = data.userName;
+        this.counter = data.counter;
+        this.rpName = data.rpName;
+        this.userDisplayName = data.userDisplayName;
+        this.discoverable = data.discoverable;
+        this.creationDate = data.creationDate;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/vault/models/data/login-uri.data.ts
 class LoginUriData {
     constructor(data) {
@@ -17362,8 +18254,10 @@ class LoginUriData {
 
 ;// CONCATENATED MODULE: ../../libs/common/src/vault/models/data/login.data.ts
 
+
 class LoginData {
     constructor(data) {
+        var _a;
         if (data == null) {
             return;
         }
@@ -17375,6 +18269,9 @@ class LoginData {
         if (data.uris) {
             this.uris = data.uris.map((u) => new LoginUriData(u));
         }
+        if (data.fido2Credentials) {
+            this.fido2Credentials = (_a = data.fido2Credentials) === null || _a === void 0 ? void 0 : _a.map((key) => new Fido2CredentialData(key));
+        }
     }
 }
 
@@ -17465,6 +18362,8 @@ class CollectionData {
         this.name = response.name;
         this.externalId = response.externalId;
         this.readOnly = response.readOnly;
+        this.manage = response.manage;
+        this.hidePasswords = response.hidePasswords;
     }
 }
 
@@ -17933,8 +18832,25 @@ identity_view_decorate([
     identity_view_metadata("design:paramtypes", [])
 ], IdentityView.prototype, "fullName", null);
 
-;// CONCATENATED MODULE: ../../libs/common/src/vault/models/view/login-uri.view.ts
+;// CONCATENATED MODULE: ../../libs/common/src/vault/models/view/fido2-credential.view.ts
 
+class Fido2CredentialView extends ItemView {
+    constructor() {
+        super(...arguments);
+        this.creationDate = null;
+    }
+    get subTitle() {
+        return this.userDisplayName;
+    }
+    static fromJSON(obj) {
+        const creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
+        return Object.assign(new Fido2CredentialView(), obj, {
+            creationDate,
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/misc/safe-urls.ts
 
 const CanLaunchWhitelist = [
     "https://",
@@ -17951,6 +18867,24 @@ const CanLaunchWhitelist = [
     "iosapp://",
     "androidapp://",
 ];
+class SafeUrls {
+    static canLaunch(uri) {
+        if (utils_Utils.isNullOrWhitespace(uri)) {
+            return false;
+        }
+        for (let i = 0; i < CanLaunchWhitelist.length; i++) {
+            if (uri.indexOf(CanLaunchWhitelist[i]) === 0) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/vault/models/view/login-uri.view.ts
+
+
+
 class LoginUriView {
     constructor(u) {
         this.match = null;
@@ -18022,15 +18956,11 @@ class LoginUriView {
             return this._canLaunch;
         }
         if (this.uri != null && this.match !== UriMatchType.RegularExpression) {
-            const uri = this.launchUri;
-            for (let i = 0; i < CanLaunchWhitelist.length; i++) {
-                if (uri.indexOf(CanLaunchWhitelist[i]) === 0) {
-                    this._canLaunch = true;
-                    return this._canLaunch;
-                }
-            }
+            this._canLaunch = SafeUrls.canLaunch(this.launchUri);
+        }
+        else {
+            this._canLaunch = false;
         }
-        this._canLaunch = false;
         return this._canLaunch;
     }
     get launchUri() {
@@ -18104,6 +19034,7 @@ var login_view_metadata = (undefined && undefined.__metadata) || function (k, v)
 
 
 
+
 class LoginView extends ItemView {
     constructor(l) {
         super();
@@ -18113,6 +19044,7 @@ class LoginView extends ItemView {
         this.totp = null;
         this.uris = null;
         this.autofillOnPageLoad = null;
+        this.fido2Credentials = null;
         if (!l) {
             return;
         }
@@ -18146,6 +19078,9 @@ class LoginView extends ItemView {
     get hasUris() {
         return this.uris != null && this.uris.length > 0;
     }
+    get hasFido2Credentials() {
+        return this.fido2Credentials != null && this.fido2Credentials.length > 0;
+    }
     matchesUri(targetUri, equivalentDomains, defaultUriMatch = null) {
         if (this.uris == null) {
             return false;
@@ -18153,12 +19088,14 @@ class LoginView extends ItemView {
         return this.uris.some((uri) => uri.matchesUri(targetUri, equivalentDomains, defaultUriMatch));
     }
     static fromJSON(obj) {
-        var _a;
+        var _a, _b;
         const passwordRevisionDate = obj.passwordRevisionDate == null ? null : new Date(obj.passwordRevisionDate);
         const uris = (_a = obj.uris) === null || _a === void 0 ? void 0 : _a.map((uri) => LoginUriView.fromJSON(uri));
+        const fido2Credentials = (_b = obj.fido2Credentials) === null || _b === void 0 ? void 0 : _b.map((key) => Fido2CredentialView.fromJSON(key));
         return Object.assign(new LoginView(), obj, {
-            passwordRevisionDate: passwordRevisionDate,
-            uris: uris,
+            passwordRevisionDate,
+            uris,
+            fido2Credentials,
         });
     }
 }
@@ -18280,7 +19217,8 @@ class CipherView {
         return null;
     }
     get subTitle() {
-        return this.item.subTitle;
+        var _a;
+        return (_a = this.item) === null || _a === void 0 ? void 0 : _a.subTitle;
     }
     get hasPasswordHistory() {
         return this.passwordHistory && this.passwordHistory.length > 0;
@@ -18314,7 +19252,8 @@ class CipherView {
         return this.deletedDate != null;
     }
     get linkedFieldOptions() {
-        return this.item.linkedFieldOptions;
+        var _a;
+        return (_a = this.item) === null || _a === void 0 ? void 0 : _a.linkedFieldOptions;
     }
     linkedFieldValue(id) {
         var _a;
@@ -18380,7 +19319,8 @@ class Collection extends Domain {
             externalId: null,
             readOnly: null,
             hidePasswords: null,
-        }, ["id", "organizationId", "externalId", "readOnly", "hidePasswords"]);
+            manage: null,
+        }, ["id", "organizationId", "externalId", "readOnly", "hidePasswords", "manage"]);
     }
     decrypt() {
         return this.decryptObj(new CollectionView(this), {
@@ -18398,8 +19338,10 @@ class CollectionView {
         this.organizationId = null;
         this.name = null;
         this.externalId = null;
+        // readOnly applies to the items within a collection
         this.readOnly = null;
         this.hidePasswords = null;
+        this.manage = null;
         if (!c) {
             return;
         }
@@ -18409,6 +19351,26 @@ class CollectionView {
         if (c instanceof Collection) {
             this.readOnly = c.readOnly;
             this.hidePasswords = c.hidePasswords;
+            this.manage = c.manage;
+        }
+    }
+    // For editing collection details, not the items within it.
+    canEdit(org) {
+        if (org.id !== this.organizationId) {
+            throw new Error("Id of the organization provided does not match the org id of the collection.");
+        }
+        return (org === null || org === void 0 ? void 0 : org.canEditAnyCollection) || (org === null || org === void 0 ? void 0 : org.canEditAssignedCollections);
+    }
+    // For deleting a collection, not the items within it.
+    canDelete(org, flexibleCollectionsEnabled) {
+        if (org.id !== this.organizationId) {
+            throw new Error("Id of the organization provided does not match the org id of the collection.");
+        }
+        if (flexibleCollectionsEnabled) {
+            return (org === null || org === void 0 ? void 0 : org.canDeleteAnyCollection) || (!(org === null || org === void 0 ? void 0 : org.limitCollectionCreationDeletion) && this.manage);
+        }
+        else {
+            return (org === null || org === void 0 ? void 0 : org.canDeleteAnyCollection) || (org === null || org === void 0 ? void 0 : org.canDeleteAssignedCollections);
         }
     }
 }
@@ -18484,6 +19446,8 @@ var state_service_awaiter = (undefined && undefined.__awaiter) || function (this
 
 
 
+
+
 
 
 
@@ -18505,12 +19469,13 @@ const partialKeys = {
 };
 const DDG_SHARED_KEY = "DuckDuckGoSharedKey";
 class StateService {
-    constructor(storageService, secureStorageService, memoryStorageService, logService, stateFactory, useAccountCache = true) {
+    constructor(storageService, secureStorageService, memoryStorageService, logService, stateFactory, accountService, useAccountCache = true) {
         this.storageService = storageService;
         this.secureStorageService = secureStorageService;
         this.memoryStorageService = memoryStorageService;
         this.logService = logService;
         this.stateFactory = stateFactory;
+        this.accountService = accountService;
         this.useAccountCache = useAccountCache;
         this.accountsSubject = new external_rxjs_namespaceObject.BehaviorSubject({});
         this.accounts$ = this.accountsSubject.asObservable();
@@ -18577,6 +19542,19 @@ class StateService {
                 }
                 yield this.pushAccounts();
                 this.activeAccountSubject.next(state.activeUserId);
+                // TODO: Temporary update to avoid routing all account status changes through account service for now.
+                // account service tracks logged out accounts, but State service does not, so we need to add the active account
+                // if it's not in the accounts list.
+                if (state.activeUserId != null && this.accountsSubject.value[state.activeUserId] == null) {
+                    const activeDiskAccount = yield this.getAccountFromDisk({ userId: state.activeUserId });
+                    this.accountService.addAccount(state.activeUserId, {
+                        name: activeDiskAccount.profile.name,
+                        email: activeDiskAccount.profile.email,
+                        status: AuthenticationStatus.LoggedOut,
+                    });
+                }
+                this.accountService.switchAccount(state.activeUserId);
+                // End TODO
                 return state;
             }));
         });
@@ -18593,6 +19571,12 @@ class StateService {
                 state.accounts[userId] = this.createAccount();
                 const diskAccount = yield this.getAccountFromDisk({ userId: userId });
                 state.accounts[userId].profile = diskAccount.profile;
+                // TODO: Temporary update to avoid routing all account status changes through account service for now.
+                this.accountService.addAccount(userId, {
+                    status: AuthenticationStatus.Locked,
+                    name: diskAccount.profile.name,
+                    email: diskAccount.profile.email,
+                });
                 return state;
             }));
         });
@@ -18608,6 +19592,12 @@ class StateService {
             }));
             yield this.scaffoldNewAccountStorage(account);
             yield this.setLastActive(new Date().getTime(), { userId: account.profile.userId });
+            // TODO: Temporary update to avoid routing all account status changes through account service for now.
+            this.accountService.addAccount(account.profile.userId, {
+                status: AuthenticationStatus.Locked,
+                name: account.profile.name,
+                email: account.profile.email,
+            });
             yield this.setActiveUser(account.profile.userId);
             this.activeAccountSubject.next(account.profile.userId);
         });
@@ -18619,6 +19609,8 @@ class StateService {
                 state.activeUserId = userId;
                 yield this.storageService.save(keys.activeUserId, userId);
                 this.activeAccountSubject.next(state.activeUserId);
+                // TODO: temporary update to avoid routing all account status changes through account service for now.
+                this.accountService.switchAccount(userId);
                 return state;
             }));
             yield this.pushAccounts();
@@ -18895,6 +19887,8 @@ class StateService {
             const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
             account.keys.cryptoMasterKey = value;
             yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
+            const nextStatus = value != null ? AuthenticationStatus.Unlocked : AuthenticationStatus.Locked;
+            this.accountService.setAccountStatus(options.userId, nextStatus);
             if (options.userId == this.activeAccountSubject.getValue()) {
                 const nextValue = value != null;
                 // Avoid emitting if we are already unlocked
@@ -18922,6 +19916,8 @@ class StateService {
             const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
             account.keys.userKey = value;
             yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
+            const nextStatus = value != null ? AuthenticationStatus.Unlocked : AuthenticationStatus.Locked;
+            this.accountService.setAccountStatus(options.userId, nextStatus);
             if ((options === null || options === void 0 ? void 0 : options.userId) == this.activeAccountSubject.getValue()) {
                 const nextValue = value != null;
                 // Avoid emitting if we are already unlocked
@@ -19295,16 +20291,16 @@ class StateService {
         });
     }
     getDisableAddLoginNotification(options) {
-        var _a, _b, _c;
+        var _a, _b;
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return ((_c = (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.settings) === null || _b === void 0 ? void 0 : _b.disableAddLoginNotification) !== null && _c !== void 0 ? _c : false);
+            return ((_b = (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.disableAddLoginNotification) !== null && _b !== void 0 ? _b : false);
         });
     }
     setDisableAddLoginNotification(value, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-            account.settings.disableAddLoginNotification = value;
-            yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.disableAddLoginNotification = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
         });
     }
     getDisableAutoBiometricsPrompt(options) {
@@ -19347,29 +20343,42 @@ class StateService {
         });
     }
     getDisableChangedPasswordNotification(options) {
-        var _a, _b, _c;
+        var _a, _b;
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return ((_c = (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.settings) === null || _b === void 0 ? void 0 : _b.disableChangedPasswordNotification) !== null && _c !== void 0 ? _c : false);
+            return ((_b = (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.disableChangedPasswordNotification) !== null && _b !== void 0 ? _b : false);
         });
     }
     setDisableChangedPasswordNotification(value, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-            account.settings.disableChangedPasswordNotification = value;
-            yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.disableChangedPasswordNotification = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+        });
+    }
+    getEnablePasskeys(options) {
+        var _a, _b;
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            return ((_b = (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.enablePasskeys) !== null && _b !== void 0 ? _b : true);
+        });
+    }
+    setEnablePasskeys(value, options) {
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.enablePasskeys = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
         });
     }
     getDisableContextMenuItem(options) {
-        var _a, _b, _c;
+        var _a, _b;
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return ((_c = (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.settings) === null || _b === void 0 ? void 0 : _b.disableContextMenuItem) !== null && _c !== void 0 ? _c : false);
+            return ((_b = (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.disableContextMenuItem) !== null && _b !== void 0 ? _b : false);
         });
     }
     setDisableContextMenuItem(value, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-            account.settings.disableContextMenuItem = value;
-            yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.disableContextMenuItem = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
         });
     }
     getDisableFavicon(options) {
@@ -19597,6 +20606,19 @@ class StateService {
             yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
         });
     }
+    getAutoFillOverlayVisibility(options) {
+        var _a, _b;
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            return ((_b = (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskLocalOptions())))) === null || _a === void 0 ? void 0 : _a.autoFillOverlayVisibility) !== null && _b !== void 0 ? _b : AutofillOverlayVisibility.OnFieldFocus);
+        });
+    }
+    setAutoFillOverlayVisibility(value, options) {
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskLocalOptions()));
+            globals.autoFillOverlayVisibility = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskLocalOptions()));
+        });
+    }
     getEnableAutoFillOnPageLoad(options) {
         var _a, _b, _c;
         return state_service_awaiter(this, void 0, void 0, function* () {
@@ -19981,16 +21003,16 @@ class StateService {
             yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
         });
     }
-    getForcePasswordResetReason(options) {
+    getForceSetPasswordReason(options) {
         var _a, _b, _c;
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return ((_c = (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskMemoryOptions())))) === null || _a === void 0 ? void 0 : _a.profile) === null || _b === void 0 ? void 0 : _b.forcePasswordResetReason) !== null && _c !== void 0 ? _c : ForceResetPasswordReason.None);
+            return ((_c = (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskMemoryOptions())))) === null || _a === void 0 ? void 0 : _a.profile) === null || _b === void 0 ? void 0 : _b.forceSetPasswordReason) !== null && _c !== void 0 ? _c : ForceSetPasswordReason.None);
         });
     }
-    setForcePasswordResetReason(value, options) {
+    setForceSetPasswordReason(value, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
             const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskMemoryOptions()));
-            account.profile.forcePasswordResetReason = value;
+            account.profile.forceSetPasswordReason = value;
             yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskMemoryOptions()));
         });
     }
@@ -20144,16 +21166,16 @@ class StateService {
         });
     }
     getNeverDomains(options) {
-        var _a, _b;
+        var _a;
         return state_service_awaiter(this, void 0, void 0, function* () {
-            return (_b = (_a = (yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.settings) === null || _b === void 0 ? void 0 : _b.neverDomains;
+            return (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.neverDomains;
         });
     }
     setNeverDomains(value, options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
-            const account = yield this.getAccount(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-            account.settings.neverDomains = value;
-            yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.neverDomains = value;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
         });
     }
     getNoAutoPromptBiometricsText(options) {
@@ -20195,19 +21217,6 @@ class StateService {
             yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultInMemoryOptions()));
         });
     }
-    getEmergencyAccessInvitation(options) {
-        var _a;
-        return state_service_awaiter(this, void 0, void 0, function* () {
-            return (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.emergencyAccessInvitation;
-        });
-    }
-    setEmergencyAccessInvitation(value, options) {
-        return state_service_awaiter(this, void 0, void 0, function* () {
-            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-            globals.emergencyAccessInvitation = value;
-            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
-        });
-    }
     /**
      * @deprecated Do not call this directly, use OrganizationService
      */
@@ -20567,6 +21576,19 @@ class StateService {
             return yield this.saveAccount(account, this.reconcileOptions(options, yield this.defaultOnDiskLocalOptions()));
         });
     }
+    getDeepLinkRedirectUrl(options) {
+        var _a;
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            return (_a = (yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions())))) === null || _a === void 0 ? void 0 : _a.deepLinkRedirectUrl;
+        });
+    }
+    setDeepLinkRedirectUrl(url, options) {
+        return state_service_awaiter(this, void 0, void 0, function* () {
+            const globals = yield this.getGlobals(this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+            globals.deepLinkRedirectUrl = url;
+            yield this.saveGlobals(globals, this.reconcileOptions(options, yield this.defaultOnDiskOptions()));
+        });
+    }
     getGlobals(options) {
         return state_service_awaiter(this, void 0, void 0, function* () {
             let globals;
@@ -20771,7 +21793,6 @@ class StateService {
             yield this.saveAccount(account, this.reconcileOptions({ userId: account.profile.userId }, yield this.defaultOnDiskOptions()));
         });
     }
-    //
     pushAccounts() {
         return state_service_awaiter(this, void 0, void 0, function* () {
             yield this.pruneInMemoryAccounts();
@@ -20890,6 +21911,8 @@ class StateService {
                 this.deleteDiskCache(userId);
                 return state;
             }));
+            // TODO: Invert this logic, we should remove accounts based on logged out emit
+            this.accountService.setAccountStatus(userId, AuthenticationStatus.LoggedOut);
         });
     }
     pruneInMemoryAccounts() {
@@ -21179,6 +22202,139 @@ function withPrototypeForObjectValues(valuesConstructor, valuesConverter = (i) =
     };
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/state-update-options.ts
+const DEFAULT_OPTIONS = {
+    shouldUpdate: () => true,
+    combineLatestWith: null,
+    msTimeout: 1000,
+};
+function populateOptionsWithDefault(options) {
+    return Object.assign(Object.assign({}, DEFAULT_OPTIONS), options);
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/implementations/util.ts
+var util_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+function getStoredValue(key, storage, deserializer) {
+    return util_awaiter(this, void 0, void 0, function* () {
+        if (storage.valuesRequireDeserialization) {
+            const jsonValue = yield storage.get(key);
+            const value = deserializer(jsonValue);
+            return value;
+        }
+        else {
+            const value = yield storage.get(key);
+            return value !== null && value !== void 0 ? value : null;
+        }
+    });
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/implementations/default-global-state.ts
+var default_global_state_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+
+const FAKE_DEFAULT = Symbol("fakeDefault");
+class DefaultGlobalState {
+    constructor(keyDefinition, chosenLocation) {
+        this.keyDefinition = keyDefinition;
+        this.chosenLocation = chosenLocation;
+        this.stateSubject = new external_rxjs_namespaceObject.BehaviorSubject(FAKE_DEFAULT);
+        this.storageKey = globalKeyBuilder(this.keyDefinition);
+        const storageUpdates$ = this.chosenLocation.updates$.pipe((0,external_rxjs_namespaceObject.filter)((update) => update.key === this.storageKey), (0,external_rxjs_namespaceObject.switchMap)((update) => default_global_state_awaiter(this, void 0, void 0, function* () {
+            if (update.updateType === "remove") {
+                return null;
+            }
+            return yield getStoredValue(this.storageKey, this.chosenLocation, this.keyDefinition.deserializer);
+        })), (0,external_rxjs_namespaceObject.shareReplay)({ bufferSize: 1, refCount: false }));
+        this.state$ = (0,external_rxjs_namespaceObject.defer)(() => {
+            const storageUpdateSubscription = storageUpdates$.subscribe((value) => {
+                this.stateSubject.next(value);
+            });
+            this.getFromState().then((s) => {
+                this.stateSubject.next(s);
+            });
+            return this.stateSubject.pipe((0,external_rxjs_namespaceObject.tap)({
+                complete: () => {
+                    storageUpdateSubscription.unsubscribe();
+                },
+            }));
+        }).pipe((0,external_rxjs_namespaceObject.shareReplay)({ refCount: false, bufferSize: 1 }), (0,external_rxjs_namespaceObject.filter)((i) => i != FAKE_DEFAULT));
+    }
+    update(configureState, options = {}) {
+        return default_global_state_awaiter(this, void 0, void 0, function* () {
+            options = populateOptionsWithDefault(options);
+            const currentState = yield this.getGuaranteedState();
+            const combinedDependencies = options.combineLatestWith != null
+                ? yield (0,external_rxjs_namespaceObject.firstValueFrom)(options.combineLatestWith.pipe((0,external_rxjs_namespaceObject.timeout)(options.msTimeout)))
+                : null;
+            if (!options.shouldUpdate(currentState, combinedDependencies)) {
+                return;
+            }
+            const newState = configureState(currentState, combinedDependencies);
+            yield this.chosenLocation.save(this.storageKey, newState);
+            return newState;
+        });
+    }
+    getGuaranteedState() {
+        return default_global_state_awaiter(this, void 0, void 0, function* () {
+            const currentValue = this.stateSubject.getValue();
+            return currentValue === FAKE_DEFAULT ? yield this.getFromState() : currentValue;
+        });
+    }
+    getFromState() {
+        return default_global_state_awaiter(this, void 0, void 0, function* () {
+            return yield getStoredValue(this.storageKey, this.chosenLocation, this.keyDefinition.deserializer);
+        });
+    }
+}
+
+;// CONCATENATED MODULE: ../../libs/common/src/platform/state/implementations/default-global-state.provider.ts
+
+class DefaultGlobalStateProvider {
+    constructor(memoryStorage, diskStorage) {
+        this.memoryStorage = memoryStorage;
+        this.diskStorage = diskStorage;
+        this.globalStateCache = {};
+    }
+    get(keyDefinition) {
+        const cacheKey = keyDefinition.buildCacheKey();
+        const existingGlobalState = this.globalStateCache[cacheKey];
+        if (existingGlobalState != null) {
+            // The cast into the actual generic is safe because of rules around key definitions
+            // being unique.
+            return existingGlobalState;
+        }
+        const newGlobalState = new DefaultGlobalState(keyDefinition, this.getLocation(keyDefinition.stateDefinition.storageLocation));
+        this.globalStateCache[cacheKey] = newGlobalState;
+        return newGlobalState;
+    }
+    getLocation(location) {
+        switch (location) {
+            case "disk":
+                return this.diskStorage;
+            case "memory":
+                return this.memoryStorage;
+        }
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/platform/misc/throttle.ts
 /**
  * Use as a Decorator on async functions, it will limit how many times the function can be
@@ -21307,104 +22463,73 @@ audit_service_decorate([
     audit_service_metadata("design:returntype", Promise)
 ], AuditService.prototype, "passwordLeaked", null);
 
-;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/response/selection-read-only.response.ts
-
-class SelectionReadOnlyResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.id = this.getResponseProperty("Id");
-        this.readOnly = this.getResponseProperty("ReadOnly");
-        this.hidePasswords = this.getResponseProperty("HidePasswords");
-    }
-}
-
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/organization-user/responses/organization-user.response.ts
-
-
-
-class OrganizationUserResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.collections = [];
-        this.groups = [];
-        this.id = this.getResponseProperty("Id");
-        this.userId = this.getResponseProperty("UserId");
-        this.type = this.getResponseProperty("Type");
-        this.status = this.getResponseProperty("Status");
-        this.permissions = new PermissionsApi(this.getResponseProperty("Permissions"));
-        this.externalId = this.getResponseProperty("ExternalId");
-        this.accessAll = this.getResponseProperty("AccessAll");
-        this.accessSecretsManager = this.getResponseProperty("AccessSecretsManager");
-        this.resetPasswordEnrolled = this.getResponseProperty("ResetPasswordEnrolled");
-        this.hasMasterPassword = this.getResponseProperty("HasMasterPassword");
-        const collections = this.getResponseProperty("Collections");
-        if (collections != null) {
-            this.collections = collections.map((c) => new SelectionReadOnlyResponse(c));
-        }
-        const groups = this.getResponseProperty("Groups");
-        if (groups != null) {
-            this.groups = groups;
-        }
-    }
-}
-class OrganizationUserUserDetailsResponse extends OrganizationUserResponse {
-    constructor(response) {
-        var _a;
-        super(response);
-        this.name = this.getResponseProperty("Name");
-        this.email = this.getResponseProperty("Email");
-        this.avatarColor = this.getResponseProperty("AvatarColor");
-        this.twoFactorEnabled = this.getResponseProperty("TwoFactorEnabled");
-        this.usesKeyConnector = (_a = this.getResponseProperty("UsesKeyConnector")) !== null && _a !== void 0 ? _a : false;
-    }
-}
-class OrganizationUserDetailsResponse extends OrganizationUserResponse {
-    constructor(response) {
-        super(response);
-    }
-}
-class OrganizationUserResetPasswordDetailsResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.kdf = this.getResponseProperty("Kdf");
-        this.kdfIterations = this.getResponseProperty("KdfIterations");
-        this.kdfMemory = this.getResponseProperty("KdfMemory");
-        this.kdfParallelism = this.getResponseProperty("KdfParallelism");
-        this.resetPasswordKey = this.getResponseProperty("ResetPasswordKey");
-        this.encryptedPrivateKey = this.getResponseProperty("EncryptedPrivateKey");
-    }
-}
-
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/organization-user/responses/organization-user-bulk.response.ts
+;// CONCATENATED MODULE: ../../libs/common/src/services/event/event-collection.service.ts
+var event_collection_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 
-class OrganizationUserBulkResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.id = this.getResponseProperty("Id");
-        this.error = this.getResponseProperty("Error");
+class EventCollectionService {
+    constructor(cipherService, stateService, organizationService, eventUploadService) {
+        this.cipherService = cipherService;
+        this.stateService = stateService;
+        this.organizationService = organizationService;
+        this.eventUploadService = eventUploadService;
     }
-}
-
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/organization-user/responses/organization-user-bulk-public-key.response.ts
-
-class OrganizationUserBulkPublicKeyResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.id = this.getResponseProperty("Id");
-        this.userId = this.getResponseProperty("UserId");
-        this.key = this.getResponseProperty("Key");
+    collect(eventType, cipherId = null, uploadImmediately = false, organizationId = null) {
+        return event_collection_service_awaiter(this, void 0, void 0, function* () {
+            const authed = yield this.stateService.getIsAuthenticated();
+            if (!authed) {
+                return;
+            }
+            const organizations = yield this.organizationService.getAll();
+            if (organizations == null) {
+                return;
+            }
+            const orgIds = new Set(organizations.filter((o) => o.useEvents).map((o) => o.id));
+            if (orgIds.size === 0) {
+                return;
+            }
+            if (cipherId != null) {
+                const cipher = yield this.cipherService.get(cipherId);
+                if (cipher == null || cipher.organizationId == null || !orgIds.has(cipher.organizationId)) {
+                    return;
+                }
+            }
+            if (organizationId != null) {
+                if (!orgIds.has(organizationId)) {
+                    return;
+                }
+            }
+            let eventCollection = yield this.stateService.getEventCollection();
+            if (eventCollection == null) {
+                eventCollection = [];
+            }
+            const event = new EventData();
+            event.type = eventType;
+            event.cipherId = cipherId;
+            event.date = new Date().toISOString();
+            event.organizationId = organizationId;
+            eventCollection.push(event);
+            yield this.stateService.setEventCollection(eventCollection);
+            if (uploadImmediately) {
+                yield this.eventUploadService.uploadEvents();
+            }
+        });
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/services/organization-user/requests/organization-user-bulk.request.ts
-class OrganizationUserBulkRequest {
-    constructor(ids) {
-        this.ids = ids == null ? [] : ids;
-    }
+;// CONCATENATED MODULE: ../../libs/common/src/models/request/event.request.ts
+class EventRequest {
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/services/organization-user/organization-user.service.implementation.ts
-var organization_user_service_implementation_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+;// CONCATENATED MODULE: ../../libs/common/src/services/event/event-upload.service.ts
+var event_upload_service_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
@@ -21414,122 +22539,53 @@ var organization_user_service_implementation_awaiter = (undefined && undefined._
     });
 };
 
-
-
-class OrganizationUserServiceImplementation {
-    constructor(apiService) {
+class EventUploadService {
+    constructor(apiService, stateService, logService) {
         this.apiService = apiService;
+        this.stateService = stateService;
+        this.logService = logService;
+        this.inited = false;
     }
-    getOrganizationUser(organizationId, id, options) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const params = new URLSearchParams();
-            if (options === null || options === void 0 ? void 0 : options.includeGroups) {
-                params.set("includeGroups", "true");
-            }
-            const r = yield this.apiService.send("GET", `/organizations/${organizationId}/users/${id}?${params.toString()}`, null, true, true);
-            return new OrganizationUserDetailsResponse(r);
-        });
-    }
-    getOrganizationUserGroups(organizationId, id) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("GET", "/organizations/" + organizationId + "/users/" + id + "/groups", null, true, true);
-            return r;
-        });
+    init(checkOnInterval) {
+        if (this.inited) {
+            return;
+        }
+        this.inited = true;
+        if (checkOnInterval) {
+            this.uploadEvents();
+            setInterval(() => this.uploadEvents(), 60 * 1000); // check every 60 seconds
+        }
     }
-    getAllUsers(organizationId, options) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const params = new URLSearchParams();
-            if (options === null || options === void 0 ? void 0 : options.includeCollections) {
-                params.set("includeCollections", "true");
+    uploadEvents(userId) {
+        return event_upload_service_awaiter(this, void 0, void 0, function* () {
+            const authed = yield this.stateService.getIsAuthenticated({ userId: userId });
+            if (!authed) {
+                return;
             }
-            if (options === null || options === void 0 ? void 0 : options.includeGroups) {
-                params.set("includeGroups", "true");
+            const eventCollection = yield this.stateService.getEventCollection({ userId: userId });
+            if (eventCollection == null || eventCollection.length === 0) {
+                return;
+            }
+            const request = eventCollection.map((e) => {
+                const req = new EventRequest();
+                req.type = e.type;
+                req.cipherId = e.cipherId;
+                req.date = e.date;
+                req.organizationId = e.organizationId;
+                return req;
+            });
+            try {
+                yield this.apiService.postEventsCollect(request);
+                this.clearEvents(userId);
+            }
+            catch (e) {
+                this.logService.error(e);
             }
-            const r = yield this.apiService.send("GET", `/organizations/${organizationId}/users?${params.toString()}`, null, true, true);
-            return new ListResponse(r, OrganizationUserUserDetailsResponse);
-        });
-    }
-    getOrganizationUserResetPasswordDetails(organizationId, id) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("GET", "/organizations/" + organizationId + "/users/" + id + "/reset-password-details", null, true, true);
-            return new OrganizationUserResetPasswordDetailsResponse(r);
-        });
-    }
-    postOrganizationUserInvite(organizationId, request) {
-        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/invite", request, true, false);
-    }
-    postOrganizationUserReinvite(organizationId, id) {
-        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/reinvite", null, true, false);
-    }
-    postManyOrganizationUserReinvite(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/reinvite", new OrganizationUserBulkRequest(ids), true, true);
-            return new ListResponse(r, OrganizationUserBulkResponse);
-        });
-    }
-    postOrganizationUserAcceptInit(organizationId, id, request) {
-        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/accept-init", request, true, false);
-    }
-    postOrganizationUserAccept(organizationId, id, request) {
-        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/accept", request, true, false);
-    }
-    postOrganizationUserConfirm(organizationId, id, request) {
-        return this.apiService.send("POST", "/organizations/" + organizationId + "/users/" + id + "/confirm", request, true, false);
-    }
-    postOrganizationUsersPublicKey(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/public-keys", new OrganizationUserBulkRequest(ids), true, true);
-            return new ListResponse(r, OrganizationUserBulkPublicKeyResponse);
-        });
-    }
-    postOrganizationUserBulkConfirm(organizationId, request) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("POST", "/organizations/" + organizationId + "/users/confirm", request, true, true);
-            return new ListResponse(r, OrganizationUserBulkResponse);
-        });
-    }
-    putOrganizationUserBulkEnableSecretsManager(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/enable-secrets-manager", new OrganizationUserBulkRequest(ids), true, false);
-        });
-    }
-    putOrganizationUser(organizationId, id, request) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id, request, true, false);
-    }
-    putOrganizationUserGroups(organizationId, id, request) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/groups", request, true, false);
-    }
-    putOrganizationUserResetPasswordEnrollment(organizationId, userId, request) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + userId + "/reset-password-enrollment", request, true, false);
-    }
-    putOrganizationUserResetPassword(organizationId, id, request) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/reset-password", request, true, false);
-    }
-    deleteOrganizationUser(organizationId, id) {
-        return this.apiService.send("DELETE", "/organizations/" + organizationId + "/users/" + id, null, true, false);
-    }
-    deleteManyOrganizationUsers(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("DELETE", "/organizations/" + organizationId + "/users", new OrganizationUserBulkRequest(ids), true, true);
-            return new ListResponse(r, OrganizationUserBulkResponse);
         });
     }
-    revokeOrganizationUser(organizationId, id) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/revoke", null, true, false);
-    }
-    revokeManyOrganizationUsers(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/revoke", new OrganizationUserBulkRequest(ids), true, true);
-            return new ListResponse(r, OrganizationUserBulkResponse);
-        });
-    }
-    restoreOrganizationUser(organizationId, id) {
-        return this.apiService.send("PUT", "/organizations/" + organizationId + "/users/" + id + "/restore", null, true, false);
-    }
-    restoreManyOrganizationUsers(organizationId, ids) {
-        return organization_user_service_implementation_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.apiService.send("PUT", "/organizations/" + organizationId + "/users/restore", new OrganizationUserBulkRequest(ids), true, true);
-            return new ListResponse(r, OrganizationUserBulkResponse);
+    clearEvents(userId) {
+        return event_upload_service_awaiter(this, void 0, void 0, function* () {
+            yield this.stateService.setEventCollection(null, { userId: userId });
         });
     }
 }
@@ -21904,6 +22960,16 @@ class SettingsService {
     getDisableFavicon() {
         return this._disableFavicon.getValue();
     }
+    setAutoFillOverlayVisibility(value) {
+        return settings_service_awaiter(this, void 0, void 0, function* () {
+            return yield this.stateService.setAutoFillOverlayVisibility(value);
+        });
+    }
+    getAutoFillOverlayVisibility() {
+        return settings_service_awaiter(this, void 0, void 0, function* () {
+            return yield this.stateService.getAutoFillOverlayVisibility();
+        });
+    }
     clear(userId) {
         return settings_service_awaiter(this, void 0, void 0, function* () {
             if (userId == null || userId == (yield this.stateService.getUserId())) {
@@ -22099,13 +23165,13 @@ class VaultTimeoutSettingsService {
     }
     setVaultTimeoutOptions(timeout, action) {
         return vault_timeout_settings_service_awaiter(this, void 0, void 0, function* () {
-            yield this.stateService.setVaultTimeout(timeout);
             // We swap these tokens from being on disk for lock actions, and in memory for logout actions
             // Get them here to set them to their new location after changing the timeout action and clearing if needed
             const token = yield this.tokenService.getToken();
             const refreshToken = yield this.tokenService.getRefreshToken();
             const clientId = yield this.tokenService.getClientId();
             const clientSecret = yield this.tokenService.getClientSecret();
+            yield this.stateService.setVaultTimeout(timeout);
             const currentAction = yield this.stateService.getVaultTimeoutAction();
             if ((timeout != null || timeout === 0) &&
                 action === VaultTimeoutAction.LogOut &&
@@ -22236,6 +23302,7 @@ var vault_timeout_service_awaiter = (undefined && undefined.__awaiter) || functi
 
 
 
+
 class VaultTimeoutService {
     constructor(cipherService, folderService, collectionService, cryptoService, platformUtilsService, messagingService, searchService, stateService, authService, vaultTimeoutSettingsService, lockedCallback = null, loggedOutCallback = null) {
         this.cipherService = cipherService;
@@ -22349,10 +23416,18 @@ class VaultTimeoutService {
     }
     migrateKeyForNeverLockIfNeeded() {
         return vault_timeout_service_awaiter(this, void 0, void 0, function* () {
+            // Web can't set vault timeout to never
+            if (this.platformUtilsService.getClientType() == ClientType.Web) {
+                return;
+            }
             const accounts = yield (0,external_rxjs_namespaceObject.firstValueFrom)(this.stateService.accounts$);
             for (const userId in accounts) {
                 if (userId != null) {
                     yield this.cryptoService.migrateAutoKeyIfNeeded(userId);
+                    // Legacy users should be logged out since we're not on the web vault and can't migrate.
+                    if (yield this.cryptoService.isLegacyUser(null, userId)) {
+                        yield this.logOut(userId);
+                    }
                 }
             }
         });
@@ -23208,7 +24283,7 @@ function devFlagEnabled(flag) {
         return false;
     }
     const devFlags = getFlags(process.env.DEV_FLAGS);
-    return devFlags[flag] == null || !!devFlags[flag];
+    return (devFlags === null || devFlags === void 0 ? void 0 : devFlags[flag]) == null ? false : !!devFlags[flag];
 }
 /**
  * Gets the value of a dev flag from environment.
@@ -23548,6 +24623,125 @@ class Identity extends Domain {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/vault/models/domain/fido2-credential.ts
+var fido2_credential_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+
+class Fido2Credential extends Domain {
+    constructor(obj) {
+        super();
+        this.credentialId = null;
+        if (obj == null) {
+            return;
+        }
+        this.buildDomainModel(this, obj, {
+            credentialId: null,
+            keyType: null,
+            keyAlgorithm: null,
+            keyCurve: null,
+            keyValue: null,
+            rpId: null,
+            userHandle: null,
+            userName: null,
+            counter: null,
+            rpName: null,
+            userDisplayName: null,
+            discoverable: null,
+        }, []);
+        this.creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
+    }
+    decrypt(orgId, encKey) {
+        return fido2_credential_awaiter(this, void 0, void 0, function* () {
+            const view = yield this.decryptObj(new Fido2CredentialView(), {
+                credentialId: null,
+                keyType: null,
+                keyAlgorithm: null,
+                keyCurve: null,
+                keyValue: null,
+                rpId: null,
+                userHandle: null,
+                userName: null,
+                rpName: null,
+                userDisplayName: null,
+                discoverable: null,
+            }, orgId, encKey);
+            const { counter } = yield this.decryptObj({ counter: "" }, {
+                counter: null,
+            }, orgId, encKey);
+            // Counter will end up as NaN if this fails
+            view.counter = parseInt(counter);
+            const { discoverable } = yield this.decryptObj({ discoverable: "" }, {
+                discoverable: null,
+            }, orgId, encKey);
+            view.discoverable = discoverable === "true";
+            view.creationDate = this.creationDate;
+            return view;
+        });
+    }
+    toFido2CredentialData() {
+        const i = new Fido2CredentialData();
+        i.creationDate = this.creationDate.toISOString();
+        this.buildDataModel(this, i, {
+            credentialId: null,
+            keyType: null,
+            keyAlgorithm: null,
+            keyCurve: null,
+            keyValue: null,
+            rpId: null,
+            userHandle: null,
+            userName: null,
+            counter: null,
+            rpName: null,
+            userDisplayName: null,
+            discoverable: null,
+        });
+        return i;
+    }
+    static fromJSON(obj) {
+        if (obj == null) {
+            return null;
+        }
+        const credentialId = EncString.fromJSON(obj.credentialId);
+        const keyType = EncString.fromJSON(obj.keyType);
+        const keyAlgorithm = EncString.fromJSON(obj.keyAlgorithm);
+        const keyCurve = EncString.fromJSON(obj.keyCurve);
+        const keyValue = EncString.fromJSON(obj.keyValue);
+        const rpId = EncString.fromJSON(obj.rpId);
+        const userHandle = EncString.fromJSON(obj.userHandle);
+        const userName = EncString.fromJSON(obj.userName);
+        const counter = EncString.fromJSON(obj.counter);
+        const rpName = EncString.fromJSON(obj.rpName);
+        const userDisplayName = EncString.fromJSON(obj.userDisplayName);
+        const discoverable = EncString.fromJSON(obj.discoverable);
+        const creationDate = obj.creationDate != null ? new Date(obj.creationDate) : null;
+        return Object.assign(new Fido2Credential(), obj, {
+            credentialId,
+            keyType,
+            keyAlgorithm,
+            keyCurve,
+            keyValue,
+            rpId,
+            userHandle,
+            userName,
+            counter,
+            rpName,
+            userDisplayName,
+            discoverable,
+            creationDate,
+        });
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/vault/models/domain/login-uri.ts
 
 
@@ -23603,6 +24797,7 @@ var login_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
 
 
 
+
 class Login extends Domain {
     constructor(obj) {
         super();
@@ -23623,6 +24818,9 @@ class Login extends Domain {
                 this.uris.push(new LoginUri(u));
             });
         }
+        if (obj.fido2Credentials) {
+            this.fido2Credentials = obj.fido2Credentials.map((key) => new Fido2Credential(key));
+        }
     }
     decrypt(orgId, encKey) {
         return login_awaiter(this, void 0, void 0, function* () {
@@ -23638,6 +24836,9 @@ class Login extends Domain {
                     view.uris.push(uri);
                 }
             }
+            if (this.fido2Credentials != null) {
+                view.fido2Credentials = yield Promise.all(this.fido2Credentials.map((key) => key.decrypt(orgId, encKey)));
+            }
             return view;
         });
     }
@@ -23657,10 +24858,13 @@ class Login extends Domain {
                 l.uris.push(u.toLoginUriData());
             });
         }
+        if (this.fido2Credentials != null && this.fido2Credentials.length > 0) {
+            l.fido2Credentials = this.fido2Credentials.map((key) => key.toFido2CredentialData());
+        }
         return l;
     }
     static fromJSON(obj) {
-        var _a;
+        var _a, _b, _c;
         if (obj == null) {
             return null;
         }
@@ -23669,12 +24873,14 @@ class Login extends Domain {
         const totp = EncString.fromJSON(obj.totp);
         const passwordRevisionDate = obj.passwordRevisionDate == null ? null : new Date(obj.passwordRevisionDate);
         const uris = (_a = obj.uris) === null || _a === void 0 ? void 0 : _a.map((uri) => LoginUri.fromJSON(uri));
+        const fido2Credentials = (_c = (_b = obj.fido2Credentials) === null || _b === void 0 ? void 0 : _b.map((key) => Fido2Credential.fromJSON(key))) !== null && _c !== void 0 ? _c : [];
         return Object.assign(new Login(), obj, {
             username,
             password,
             totp,
-            passwordRevisionDate: passwordRevisionDate,
-            uris: uris,
+            passwordRevisionDate,
+            uris,
+            fido2Credentials,
         });
     }
 }
@@ -24173,9 +25379,34 @@ class LoginUriApi extends BaseResponse {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/vault/api/fido2-credential.api.ts
+
+class Fido2CredentialApi extends BaseResponse {
+    constructor(data = null) {
+        super(data);
+        if (data == null) {
+            return;
+        }
+        this.credentialId = this.getResponseProperty("CredentialId");
+        this.keyType = this.getResponseProperty("KeyType");
+        this.keyAlgorithm = this.getResponseProperty("KeyAlgorithm");
+        this.keyCurve = this.getResponseProperty("KeyCurve");
+        this.keyValue = this.getResponseProperty("keyValue");
+        this.rpId = this.getResponseProperty("RpId");
+        this.userHandle = this.getResponseProperty("UserHandle");
+        this.userName = this.getResponseProperty("UserName");
+        this.counter = this.getResponseProperty("Counter");
+        this.rpName = this.getResponseProperty("RpName");
+        this.userDisplayName = this.getResponseProperty("UserDisplayName");
+        this.discoverable = this.getResponseProperty("Discoverable");
+        this.creationDate = this.getResponseProperty("CreationDate");
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/models/api/login.api.ts
 
 
+
 class LoginApi extends BaseResponse {
     constructor(data = null) {
         super(data);
@@ -24191,6 +25422,10 @@ class LoginApi extends BaseResponse {
         if (uris != null) {
             this.uris = uris.map((u) => new LoginUriApi(u));
         }
+        const fido2Credentials = this.getResponseProperty("Fido2Credentials");
+        if (fido2Credentials != null) {
+            this.fido2Credentials = fido2Credentials.map((key) => new Fido2CredentialApi(key));
+        }
     }
 }
 
@@ -24219,6 +25454,7 @@ class AttachmentRequest {
 
 
 
+
 class CipherRequest {
     constructor(cipher) {
         var _a;
@@ -24251,6 +25487,31 @@ class CipherRequest {
                         return uri;
                     });
                 }
+                if (cipher.login.fido2Credentials != null) {
+                    this.login.fido2Credentials = cipher.login.fido2Credentials.map((key) => {
+                        const keyApi = new Fido2CredentialApi();
+                        keyApi.credentialId =
+                            key.credentialId != null ? key.credentialId.encryptedString : null;
+                        keyApi.keyType =
+                            key.keyType != null ? key.keyType.encryptedString : null;
+                        keyApi.keyAlgorithm =
+                            key.keyAlgorithm != null ? key.keyAlgorithm.encryptedString : null;
+                        keyApi.keyCurve =
+                            key.keyCurve != null ? key.keyCurve.encryptedString : null;
+                        keyApi.keyValue = key.keyValue != null ? key.keyValue.encryptedString : null;
+                        keyApi.rpId = key.rpId != null ? key.rpId.encryptedString : null;
+                        keyApi.rpName = key.rpName != null ? key.rpName.encryptedString : null;
+                        keyApi.counter = key.counter != null ? key.counter.encryptedString : null;
+                        keyApi.userHandle = key.userHandle != null ? key.userHandle.encryptedString : null;
+                        keyApi.userName = key.userName != null ? key.userName.encryptedString : null;
+                        keyApi.userDisplayName =
+                            key.userDisplayName != null ? key.userDisplayName.encryptedString : null;
+                        keyApi.discoverable =
+                            key.discoverable != null ? key.discoverable.encryptedString : null;
+                        keyApi.creationDate = key.creationDate != null ? key.creationDate.toISOString() : null;
+                        return keyApi;
+                    });
+                }
                 break;
             case CipherType.SecureNote:
                 this.secureNote = new SecureNoteApi();
@@ -24453,6 +25714,7 @@ var cipher_service_awaiter = (undefined && undefined.__awaiter) || function (thi
 
 
 
+
 
 
 const CIPHER_KEY_ENC_MIN_SERVER_VER = new external_semver_namespaceObject.SemVer("2023.9.1");
@@ -24653,13 +25915,13 @@ class CipherService {
                 yield this.reindexCiphers();
                 return yield this.getDecryptedCipherCache();
             }
-            const hasKey = yield this.cryptoService.hasUserKey();
-            if (!hasKey) {
-                throw new Error("No user key found.");
-            }
             const ciphers = yield this.getAll();
             const orgKeys = yield this.cryptoService.getOrgKeys();
             const userKey = yield this.cryptoService.getUserKeyWithLegacySupport();
+            if ((orgKeys === null || orgKeys === void 0 ? void 0 : orgKeys.size) === 0 && userKey == null) {
+                // return early if there are no keys to decrypt with
+                return;
+            }
             // Group ciphers by orgId or under 'null' for the user's ciphers
             const grouped = ciphers.reduce((agg, c) => {
                 var _a;
@@ -24713,13 +25975,16 @@ class CipherService {
             const ciphers = yield this.getAllDecrypted();
             defaultMatch !== null && defaultMatch !== void 0 ? defaultMatch : (defaultMatch = yield this.stateService.getDefaultUriMatch());
             return ciphers.filter((cipher) => {
-                if (cipher.deletedDate != null) {
+                const cipherIsLogin = cipher.type === CipherType.Login && cipher.login !== null;
+                if (cipher.deletedDate !== null) {
                     return false;
                 }
-                if (includeOtherTypes != null && includeOtherTypes.indexOf(cipher.type) > -1) {
+                if (Array.isArray(includeOtherTypes) &&
+                    includeOtherTypes.includes(cipher.type) &&
+                    !cipherIsLogin) {
                     return true;
                 }
-                if (cipher.type === CipherType.Login && cipher.login !== null) {
+                if (cipherIsLogin) {
                     return cipher.login.matchesUri(url, equivalentDomains, defaultMatch);
                 }
                 return false;
@@ -25388,6 +26653,28 @@ class CipherService {
                             cipher.login.uris.push(loginUri);
                         }
                     }
+                    if (model.login.fido2Credentials != null) {
+                        cipher.login.fido2Credentials = yield Promise.all(model.login.fido2Credentials.map((viewKey) => cipher_service_awaiter(this, void 0, void 0, function* () {
+                            const domainKey = new Fido2Credential();
+                            yield this.encryptObjProperty(viewKey, domainKey, {
+                                credentialId: null,
+                                keyType: null,
+                                keyAlgorithm: null,
+                                keyCurve: null,
+                                keyValue: null,
+                                rpId: null,
+                                rpName: null,
+                                userHandle: null,
+                                userName: null,
+                                userDisplayName: null,
+                                origin: null,
+                            }, key);
+                            domainKey.counter = yield this.cryptoService.encrypt(String(viewKey.counter), key);
+                            domainKey.discoverable = yield this.cryptoService.encrypt(String(viewKey.discoverable), key);
+                            domainKey.creationDate = viewKey.creationDate;
+                            return domainKey;
+                        })));
+                    }
                     return;
                 case CipherType.SecureNote:
                     cipher.secureNote = new SecureNote();
@@ -26291,6 +27578,7 @@ class OrganizationData {
         this.familySponsorshipValidUntil = response.familySponsorshipValidUntil;
         this.familySponsorshipToDelete = response.familySponsorshipToDelete;
         this.accessSecretsManager = response.accessSecretsManager;
+        this.limitCollectionCreationDeletion = response.limitCollectionCreationDeletion;
         this.isMember = options.isMember;
         this.isProviderUser = options.isProviderUser;
     }
@@ -26324,6 +27612,7 @@ var sync_service_awaiter = (undefined && undefined.__awaiter) || function (thisA
 
 
 
+
 class SyncService {
     constructor(apiService, settingsService, folderService, cipherService, cryptoService, collectionService, messagingService, policyService, sendService, logService, keyConnectorService, stateService, providerService, folderApiService, organizationService, sendApiService, logoutCallback) {
         this.apiService = apiService;
@@ -26593,10 +27882,7 @@ class SyncService {
             yield this.stateService.setHasPremiumPersonally(response.premiumPersonally);
             yield this.stateService.setHasPremiumFromOrganization(response.premiumFromOrganization);
             yield this.keyConnectorService.setUsesKeyConnector(response.usesKeyConnector);
-            // The `forcePasswordReset` flag indicates an admin has reset the user's password and must be updated
-            if (response.forcePasswordReset) {
-                yield this.stateService.setForcePasswordResetReason(ForceResetPasswordReason.AdminForcePasswordReset);
-            }
+            yield this.setForceSetPasswordReasonIfNeeded(response);
             yield this.syncProfileOrganizations(response);
             const providers = {};
             response.providers.forEach((p) => {
@@ -26612,6 +27898,35 @@ class SyncService {
             }
         });
     }
+    setForceSetPasswordReasonIfNeeded(profileResponse) {
+        return sync_service_awaiter(this, void 0, void 0, function* () {
+            // The `forcePasswordReset` flag indicates an admin has reset the user's password and must be updated
+            if (profileResponse.forcePasswordReset) {
+                yield this.stateService.setForceSetPasswordReason(ForceSetPasswordReason.AdminForcePasswordReset);
+            }
+            const acctDecryptionOpts = yield this.stateService.getAccountDecryptionOptions();
+            // Even though TDE users should only be in a single org (per single org policy), check
+            // through all orgs for the manageResetPassword permission. If they have it in any org,
+            // they should be forced to set a password.
+            let hasManageResetPasswordPermission = false;
+            for (const org of profileResponse.organizations) {
+                const isAdmin = org.type === OrganizationUserType.Admin;
+                const isOwner = org.type === OrganizationUserType.Owner;
+                // Note: apparently permissions only come down populated for custom roles.
+                if (isAdmin || isOwner || (org.permissions && org.permissions.manageResetPassword)) {
+                    hasManageResetPasswordPermission = true;
+                    break;
+                }
+            }
+            if (acctDecryptionOpts.trustedDeviceOption !== undefined &&
+                !acctDecryptionOpts.hasMasterPassword &&
+                hasManageResetPasswordPermission) {
+                // TDE user w/out MP went from having no password reset permission to having it.
+                // Must set the force password reset reason so the auth guard will redirect to the set password page.
+                yield this.stateService.setForceSetPasswordReason(ForceSetPasswordReason.TdeUserWithoutPasswordHasPasswordResetPermission);
+            }
+        });
+    }
     syncProfileOrganizations(response) {
         return sync_service_awaiter(this, void 0, void 0, function* () {
             const organizations = {};
@@ -26932,6 +28247,122 @@ class IdentityExport {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/models/export/fido2-credential.export.ts
+
+
+
+/**
+ * Represents format of Fido2 Credentials in JSON exports.
+ */
+class Fido2CredentialExport {
+    /**
+     * Generates a template for Fido2CredentialExport
+     * @returns Instance of Fido2CredentialExport with predefined values.
+     */
+    static template() {
+        const req = new Fido2CredentialExport();
+        req.credentialId = "keyId";
+        req.keyType = "keyType";
+        req.keyAlgorithm = "keyAlgorithm";
+        req.keyCurve = "keyCurve";
+        req.keyValue = "keyValue";
+        req.rpId = "rpId";
+        req.userHandle = "userHandle";
+        req.userName = "userName";
+        req.counter = "counter";
+        req.rpName = "rpName";
+        req.userDisplayName = "userDisplayName";
+        req.discoverable = "false";
+        req.creationDate = null;
+        return req;
+    }
+    /**
+     * Converts a Fido2CredentialExport object to its view representation.
+     * @param req - The Fido2CredentialExport object to be converted.
+     * @param view - (Optional) The Fido2CredentialView object to popualte with Fido2CredentialExport data
+     * @returns Fido2CredentialView - The populated view, or a new instance if none was provided.
+     */
+    static toView(req, view = new Fido2CredentialView()) {
+        view.credentialId = req.credentialId;
+        view.keyType = req.keyType;
+        view.keyAlgorithm = req.keyAlgorithm;
+        view.keyCurve = req.keyCurve;
+        view.keyValue = req.keyValue;
+        view.rpId = req.rpId;
+        view.userHandle = req.userHandle;
+        view.userName = req.userName;
+        view.counter = parseInt(req.counter);
+        view.rpName = req.rpName;
+        view.userDisplayName = req.userDisplayName;
+        view.discoverable = req.discoverable === "true";
+        view.creationDate = new Date(req.creationDate);
+        return view;
+    }
+    /**
+     * Converts a Fido2CredentialExport object to its domain representation.
+     * @param req - The Fido2CredentialExport object to be converted.
+     * @param domain - (Optional) The Fido2Credential object to popualte with Fido2CredentialExport data
+     * @returns Fido2Credential - The populated domain, or a new instance if none was provided.
+     */
+    static toDomain(req, domain = new Fido2Credential()) {
+        domain.credentialId = req.credentialId != null ? new EncString(req.credentialId) : null;
+        domain.keyType = req.keyType != null ? new EncString(req.keyType) : null;
+        domain.keyAlgorithm = req.keyAlgorithm != null ? new EncString(req.keyAlgorithm) : null;
+        domain.keyCurve = req.keyCurve != null ? new EncString(req.keyCurve) : null;
+        domain.keyValue = req.keyValue != null ? new EncString(req.keyValue) : null;
+        domain.rpId = req.rpId != null ? new EncString(req.rpId) : null;
+        domain.userHandle = req.userHandle != null ? new EncString(req.userHandle) : null;
+        domain.userName = req.userName != null ? new EncString(req.userName) : null;
+        domain.counter = req.counter != null ? new EncString(req.counter) : null;
+        domain.rpName = req.rpName != null ? new EncString(req.rpName) : null;
+        domain.userDisplayName =
+            req.userDisplayName != null ? new EncString(req.userDisplayName) : null;
+        domain.discoverable = req.discoverable != null ? new EncString(req.discoverable) : null;
+        domain.creationDate = req.creationDate;
+        return domain;
+    }
+    /**
+     * Constructs a new Fid2CredentialExport instance.
+     *
+     * @param o - The credential storing the data being exported. When not provided, an empty export is created instead.
+     */
+    constructor(o) {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
+        if (o == null) {
+            return;
+        }
+        if (o instanceof Fido2CredentialView) {
+            this.credentialId = o.credentialId;
+            this.keyType = o.keyType;
+            this.keyAlgorithm = o.keyAlgorithm;
+            this.keyCurve = o.keyCurve;
+            this.keyValue = o.keyValue;
+            this.rpId = o.rpId;
+            this.userHandle = o.userHandle;
+            this.userName = o.userName;
+            this.counter = String(o.counter);
+            this.rpName = o.rpName;
+            this.userDisplayName = o.userDisplayName;
+            this.discoverable = String(o.discoverable);
+        }
+        else {
+            this.credentialId = (_a = o.credentialId) === null || _a === void 0 ? void 0 : _a.encryptedString;
+            this.keyType = (_b = o.keyType) === null || _b === void 0 ? void 0 : _b.encryptedString;
+            this.keyAlgorithm = (_c = o.keyAlgorithm) === null || _c === void 0 ? void 0 : _c.encryptedString;
+            this.keyCurve = (_d = o.keyCurve) === null || _d === void 0 ? void 0 : _d.encryptedString;
+            this.keyValue = (_e = o.keyValue) === null || _e === void 0 ? void 0 : _e.encryptedString;
+            this.rpId = (_f = o.rpId) === null || _f === void 0 ? void 0 : _f.encryptedString;
+            this.userHandle = (_g = o.userHandle) === null || _g === void 0 ? void 0 : _g.encryptedString;
+            this.userName = (_h = o.userName) === null || _h === void 0 ? void 0 : _h.encryptedString;
+            this.counter = (_j = o.counter) === null || _j === void 0 ? void 0 : _j.encryptedString;
+            this.rpName = (_k = o.rpName) === null || _k === void 0 ? void 0 : _k.encryptedString;
+            this.userDisplayName = (_l = o.userDisplayName) === null || _l === void 0 ? void 0 : _l.encryptedString;
+            this.discoverable = (_m = o.discoverable) === null || _m === void 0 ? void 0 : _m.encryptedString;
+        }
+        this.creationDate = o.creationDate;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/models/export/login-uri.export.ts
 
 
@@ -26974,6 +28405,7 @@ class LoginUriExport {
 
 
 
+
 class LoginExport {
     static template() {
         const req = new LoginExport();
@@ -26981,6 +28413,7 @@ class LoginExport {
         req.username = "jdoe";
         req.password = "myp@ssword123";
         req.totp = "JBSWY3DPEHPK3PXP";
+        req.fido2Credentials = [Fido2CredentialExport.template()];
         return req;
     }
     static toView(req, view = new LoginView()) {
@@ -26990,6 +28423,9 @@ class LoginExport {
         view.username = req.username;
         view.password = req.password;
         view.totp = req.totp;
+        if (req.fido2Credentials != null) {
+            view.fido2Credentials = req.fido2Credentials.map((key) => Fido2CredentialExport.toView(key));
+        }
         return view;
     }
     static toDomain(req, domain = new Login()) {
@@ -26999,10 +28435,12 @@ class LoginExport {
         domain.username = req.username != null ? new EncString(req.username) : null;
         domain.password = req.password != null ? new EncString(req.password) : null;
         domain.totp = req.totp != null ? new EncString(req.totp) : null;
+        // Fido2credentials are currently not supported for exports.
         return domain;
     }
     constructor(o) {
         var _a, _b, _c;
+        this.fido2Credentials = [];
         if (o == null) {
             return;
         }
@@ -27014,6 +28452,9 @@ class LoginExport {
                 this.uris = o.uris.map((u) => new LoginUriExport(u));
             }
         }
+        if (o.fido2Credentials != null) {
+            this.fido2Credentials = o.fido2Credentials.map((key) => new Fido2CredentialExport(key));
+        }
         if (o instanceof LoginView) {
             this.username = o.username;
             this.password = o.password;
@@ -27395,6 +28836,7 @@ class FolderWithIdExport extends FolderExport {
 
 
 
+
 
 ;// CONCATENATED MODULE: ../../libs/exporter/src/export-helper.ts
 class ExportHelper {
@@ -32817,17 +34259,15 @@ class ProtonPassJsonImporter extends base_importer_BaseImporter {
                 }
                 this.processFolder(result, vault.name);
                 const cipher = this.initLoginCipher();
-                cipher.name = item.data.metadata.name;
-                cipher.notes = item.data.metadata.note;
+                cipher.name = this.getValueOrDefault(item.data.metadata.name, "--");
+                cipher.notes = this.getValueOrDefault(item.data.metadata.note);
                 switch (item.data.type) {
                     case "login": {
                         const loginContent = item.data.content;
                         cipher.login.uris = this.makeUriArray(loginContent.urls);
-                        cipher.login.username = loginContent.username;
-                        cipher.login.password = loginContent.password;
-                        if (loginContent.totpUri != "") {
-                            cipher.login.totp = new URL(loginContent.totpUri).searchParams.get("secret");
-                        }
+                        cipher.login.username = this.getValueOrDefault(loginContent.username);
+                        cipher.login.password = this.getValueOrDefault(loginContent.password);
+                        cipher.login.totp = this.getValueOrDefault(loginContent.totpUri);
                         for (const extraField of item.data.extraFields) {
                             this.processKvp(cipher, extraField.fieldName, extraField.type == "totp" ? extraField.data.totpUri : extraField.data.content, extraField.type == "text" ? FieldType.Text : FieldType.Hidden);
                         }
@@ -32842,10 +34282,10 @@ class ProtonPassJsonImporter extends base_importer_BaseImporter {
                         const creditCardContent = item.data.content;
                         cipher.type = CipherType.Card;
                         cipher.card = new CardView();
-                        cipher.card.cardholderName = creditCardContent.cardholderName;
-                        cipher.card.number = creditCardContent.number;
+                        cipher.card.cardholderName = this.getValueOrDefault(creditCardContent.cardholderName);
+                        cipher.card.number = this.getValueOrDefault(creditCardContent.number);
                         cipher.card.brand = CardView.getCardBrandByPatterns(creditCardContent.number);
-                        cipher.card.code = creditCardContent.verificationNumber;
+                        cipher.card.code = this.getValueOrDefault(creditCardContent.verificationNumber);
                         if (!this.isNullOrWhitespace(creditCardContent.expirationDate)) {
                             cipher.card.expMonth = creditCardContent.expirationDate.substring(0, 2);
                             cipher.card.expMonth = cipher.card.expMonth.replace(/^0+/, "");
@@ -33395,11 +34835,13 @@ class SecureSafeCsvImporter extends base_importer_BaseImporter {
             result.success = false;
             return Promise.resolve(result);
         }
+        // The url field can be in different case formats.
+        const urlField = Object.keys(results[0]).find((k) => /url/i.test(k));
         results.forEach((value) => {
             const cipher = this.initLoginCipher();
             cipher.name = this.getValueOrDefault(value.Title);
             cipher.notes = this.getValueOrDefault(value.Comment);
-            cipher.login.uris = this.makeUriArray(value.Url);
+            cipher.login.uris = this.makeUriArray(value[urlField]);
             cipher.login.password = this.getValueOrDefault(value.Password);
             cipher.login.username = this.getValueOrDefault(value.Username);
             this.cleanupCipher(cipher);
@@ -33792,9 +35234,9 @@ const featuredImportOptions = [
     { id: "dashlanecsv", name: "Dashlane (csv)" },
     { id: "firefoxcsv", name: "Firefox (csv)" },
     { id: "keepass2xml", name: "KeePass 2 (xml)" },
-    { id: "lastpasscsv", name: "LastPass (csv)" },
+    { id: "lastpasscsv", name: "LastPass" },
     { id: "safaricsv", name: "Safari and macOS (csv)" },
-    { id: "1password1pux", name: "1Password (1pux)" },
+    { id: "1password1pux", name: "1Password (1pux/json)" },
 ];
 const regularImportOptions = [
     { id: "keepassxcsv", name: "KeePassX (csv)" },
@@ -33890,7 +35332,7 @@ class ImportService {
     getImportOptions() {
         return this.featuredImportOptions.concat(this.regularImportOptions);
     }
-    import(importer, fileContents, organizationId = null, selectedImportTarget = null, isUserAdmin) {
+    import(importer, fileContents, organizationId = null, selectedImportTarget = null, canAccessImportExport) {
         return import_service_awaiter(this, void 0, void 0, function* () {
             let importResult;
             try {
@@ -33920,7 +35362,9 @@ class ImportService {
                     throw new Error(this.i18nService.t("importFormatError"));
                 }
             }
-            if (organizationId && utils_Utils.isNullOrWhitespace(selectedImportTarget) && !isUserAdmin) {
+            if (organizationId &&
+                utils_Utils.isNullOrWhitespace(selectedImportTarget) &&
+                !canAccessImportExport) {
                 const hasUnassignedCollections = importResult.ciphers.some((c) => !Array.isArray(c.collectionIds) || c.collectionIds.length == 0);
                 if (hasUnassignedCollections) {
                     throw new Error(this.i18nService.t("importUnassignedItemsError"));
@@ -34220,10 +35664,13 @@ class ImportService {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/importer/src/index.ts
+;// CONCATENATED MODULE: ../../libs/importer/src/services/index.ts
+
 
 
 
+
+;// CONCATENATED MODULE: ../../libs/importer/src/index.ts
 
 
 
@@ -34386,17 +35833,17 @@ class NodeCryptoFunctionService {
         }
         return p;
     }
-    aesDecryptFast(parameters) {
+    aesDecryptFast(parameters, mode) {
         return node_crypto_function_service_awaiter(this, void 0, void 0, function* () {
-            const decBuf = yield this.aesDecrypt(parameters.data, parameters.iv, parameters.encKey);
+            const decBuf = yield this.aesDecrypt(parameters.data, parameters.iv, parameters.encKey, mode);
             return utils_Utils.fromBufferToUtf8(decBuf);
         });
     }
-    aesDecrypt(data, iv, key) {
+    aesDecrypt(data, iv, key, mode) {
         const nodeData = this.toNodeBuffer(data);
-        const nodeIv = this.toNodeBuffer(iv);
+        const nodeIv = mode === "ecb" ? null : this.toNodeBuffer(iv);
         const nodeKey = this.toNodeBuffer(key);
-        const decipher = external_crypto_namespaceObject.createDecipheriv("aes-256-cbc", nodeKey, nodeIv);
+        const decipher = external_crypto_namespaceObject.createDecipheriv(this.toNodeCryptoAesMode(mode), nodeKey, nodeIv);
         const decBuf = Buffer.concat([decipher.update(nodeData), decipher.final()]);
         return Promise.resolve(this.toUint8Buffer(decBuf));
     }
@@ -34502,6 +35949,9 @@ class NodeCryptoFunctionService {
         const publicKey = external_node_forge_namespaceObject.pki.publicKeyFromAsn1(asn1);
         return external_node_forge_namespaceObject.pki.publicKeyToPem(publicKey);
     }
+    toNodeCryptoAesMode(mode) {
+        return mode === "cbc" ? "aes-256-cbc" : "aes-256-ecb";
+    }
 }
 
 ;// CONCATENATED MODULE: ../../libs/common/src/platform/abstractions/config/server-config.ts
@@ -34671,14 +36121,14 @@ class CliPlatformUtilsService {
         if (!this.deviceCache) {
             switch (process.platform) {
                 case "win32":
-                    this.deviceCache = DeviceType.WindowsDesktop;
+                    this.deviceCache = DeviceType.WindowsCLI;
                     break;
                 case "darwin":
-                    this.deviceCache = DeviceType.MacOsDesktop;
+                    this.deviceCache = DeviceType.MacOsCLI;
                     break;
                 case "linux":
                 default:
-                    this.deviceCache = DeviceType.LinuxDesktop;
+                    this.deviceCache = DeviceType.LinuxCLI;
                     break;
             }
         }
@@ -34686,7 +36136,7 @@ class CliPlatformUtilsService {
     }
     getDeviceString() {
         const device = DeviceType[this.getDevice()].toLowerCase();
-        return device.replace("desktop", "");
+        return device.replace("cli", "");
     }
     getClientType() {
         return this.clientType;
@@ -35066,6 +36516,7 @@ var lowdb_storage_service_awaiter = (undefined && undefined.__awaiter) || functi
 
 
 
+
 const retries = {
     retries: 50,
     minTimeout: 100,
@@ -35079,7 +36530,9 @@ class LowdbStorageService {
         this.allowCache = allowCache;
         this.requireLock = requireLock;
         this.ready = false;
+        this.updatesSubject = new external_rxjs_namespaceObject.Subject();
         this.defaults = defaults;
+        this.updates$ = this.updatesSubject.asObservable();
     }
     init() {
         return lowdb_storage_service_awaiter(this, void 0, void 0, function* () {
@@ -35142,6 +36595,9 @@ class LowdbStorageService {
             this.ready = true;
         });
     }
+    get valuesRequireDeserialization() {
+        return true;
+    }
     get(key) {
         return lowdb_storage_service_awaiter(this, void 0, void 0, function* () {
             yield this.waitForReady();
@@ -35165,6 +36621,7 @@ class LowdbStorageService {
             return this.lockDbFile(() => {
                 this.readForNoCache();
                 this.db.set(key, obj).write();
+                this.updatesSubject.next({ key, updateType: "save" });
                 this.logService.debug(`Successfully wrote ${key} to db`);
                 return;
             });
@@ -35176,6 +36633,7 @@ class LowdbStorageService {
             return this.lockDbFile(() => {
                 this.readForNoCache();
                 this.db.unset(key).write();
+                this.updatesSubject.next({ key, updateType: "remove" });
                 this.logService.debug(`Successfully removed ${key} from db`);
                 return;
             });
@@ -35345,6 +36803,8 @@ class CollectionDetailsResponse extends CollectionResponse {
     constructor(response) {
         super(response);
         this.readOnly = this.getResponseProperty("ReadOnly") || false;
+        this.manage = this.getResponseProperty("Manage") || false;
+        this.hidePasswords = this.getResponseProperty("HidePasswords") || false;
     }
 }
 class CollectionAccessDetailsResponse extends CollectionResponse {
@@ -35500,59 +36960,6 @@ class DeviceVerificationResponse extends BaseResponse {
     }
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/emergency-access.response.ts
-
-
-class EmergencyAccessGranteeDetailsResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.id = this.getResponseProperty("Id");
-        this.granteeId = this.getResponseProperty("GranteeId");
-        this.name = this.getResponseProperty("Name");
-        this.email = this.getResponseProperty("Email");
-        this.type = this.getResponseProperty("Type");
-        this.status = this.getResponseProperty("Status");
-        this.waitTimeDays = this.getResponseProperty("WaitTimeDays");
-        this.creationDate = this.getResponseProperty("CreationDate");
-        this.avatarColor = this.getResponseProperty("AvatarColor");
-    }
-}
-class EmergencyAccessGrantorDetailsResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.id = this.getResponseProperty("Id");
-        this.grantorId = this.getResponseProperty("GrantorId");
-        this.name = this.getResponseProperty("Name");
-        this.email = this.getResponseProperty("Email");
-        this.type = this.getResponseProperty("Type");
-        this.status = this.getResponseProperty("Status");
-        this.waitTimeDays = this.getResponseProperty("WaitTimeDays");
-        this.creationDate = this.getResponseProperty("CreationDate");
-        this.avatarColor = this.getResponseProperty("AvatarColor");
-    }
-}
-class EmergencyAccessTakeoverResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
-        this.kdf = this.getResponseProperty("Kdf");
-        this.kdfIterations = this.getResponseProperty("KdfIterations");
-        this.kdfMemory = this.getResponseProperty("KdfMemory");
-        this.kdfParallelism = this.getResponseProperty("KdfParallelism");
-    }
-}
-class EmergencyAccessViewResponse extends BaseResponse {
-    constructor(response) {
-        super(response);
-        this.ciphers = [];
-        this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
-        const ciphers = this.getResponseProperty("Ciphers");
-        if (ciphers != null) {
-            this.ciphers = ciphers.map((c) => new CipherResponse(c));
-        }
-    }
-}
-
 ;// CONCATENATED MODULE: ../../libs/common/src/auth/models/response/key-connector-user-key.response.ts
 
 class KeyConnectorUserKeyResponse extends BaseResponse {
@@ -35744,6 +37151,13 @@ class TaxRateResponse extends BaseResponse {
     }
 }
 
+;// CONCATENATED MODULE: ../../libs/common/src/models/request/collection-bulk-delete.request.ts
+class CollectionBulkDeleteRequest {
+    constructor(ids) {
+        this.ids = ids == null ? [] : ids;
+    }
+}
+
 ;// CONCATENATED MODULE: ../../libs/common/src/models/response/breach-account.response.ts
 
 class BreachAccountResponse extends BaseResponse {
@@ -35956,7 +37370,6 @@ var api_service_awaiter = (undefined && undefined.__awaiter) || function (thisAr
 
 
 
-
 
 
 /**
@@ -35988,7 +37401,10 @@ class ApiService {
         this.isDesktopClient =
             this.device === DeviceType.WindowsDesktop ||
                 this.device === DeviceType.MacOsDesktop ||
-                this.device === DeviceType.LinuxDesktop;
+                this.device === DeviceType.LinuxDesktop ||
+                this.device === DeviceType.WindowsCLI ||
+                this.device === DeviceType.MacOsCLI ||
+                this.device === DeviceType.LinuxCLI;
     }
     // Auth APIs
     postIdentityToken(request) {
@@ -36501,8 +37917,8 @@ class ApiService {
     deleteCollection(organizationId, id) {
         return this.send("DELETE", "/organizations/" + organizationId + "/collections/" + id, null, true, false);
     }
-    deleteManyCollections(request) {
-        return this.send("DELETE", "/organizations/" + request.organizationId + "/collections", request, true, false);
+    deleteManyCollections(organizationId, collectionIds) {
+        return this.send("DELETE", "/organizations/" + organizationId + "/collections", new CollectionBulkDeleteRequest(collectionIds), true, false);
     }
     deleteCollectionUser(organizationId, id, organizationUserId) {
         return this.send("DELETE", "/organizations/" + organizationId + "/collections/" + id + "/user/" + organizationUserId, null, true, false);
@@ -36525,7 +37941,7 @@ class ApiService {
     // Plan APIs
     getPlans() {
         return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("GET", "/plans/all", null, false, true);
+            const r = yield this.send("GET", "/plans", null, false, true);
             return new ListResponse(r, PlanResponse);
         });
     }
@@ -36709,75 +38125,6 @@ class ApiService {
             return new DeviceVerificationResponse(r);
         });
     }
-    // Emergency Access APIs
-    getEmergencyAccessTrusted() {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("GET", "/emergency-access/trusted", null, true, true);
-            return new ListResponse(r, EmergencyAccessGranteeDetailsResponse);
-        });
-    }
-    getEmergencyAccessGranted() {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("GET", "/emergency-access/granted", null, true, true);
-            return new ListResponse(r, EmergencyAccessGrantorDetailsResponse);
-        });
-    }
-    getEmergencyAccess(id) {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("GET", "/emergency-access/" + id, null, true, true);
-            return new EmergencyAccessGranteeDetailsResponse(r);
-        });
-    }
-    getEmergencyGrantorPolicies(id) {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("GET", "/emergency-access/" + id + "/policies", null, true, true);
-            return new ListResponse(r, PolicyResponse);
-        });
-    }
-    putEmergencyAccess(id, request) {
-        return this.send("PUT", "/emergency-access/" + id, request, true, false);
-    }
-    deleteEmergencyAccess(id) {
-        return this.send("DELETE", "/emergency-access/" + id, null, true, false);
-    }
-    postEmergencyAccessInvite(request) {
-        return this.send("POST", "/emergency-access/invite", request, true, false);
-    }
-    postEmergencyAccessReinvite(id) {
-        return this.send("POST", "/emergency-access/" + id + "/reinvite", null, true, false);
-    }
-    postEmergencyAccessAccept(id, request) {
-        return this.send("POST", "/emergency-access/" + id + "/accept", request, true, false);
-    }
-    postEmergencyAccessConfirm(id, request) {
-        return this.send("POST", "/emergency-access/" + id + "/confirm", request, true, false);
-    }
-    postEmergencyAccessInitiate(id) {
-        return this.send("POST", "/emergency-access/" + id + "/initiate", null, true, false);
-    }
-    postEmergencyAccessApprove(id) {
-        return this.send("POST", "/emergency-access/" + id + "/approve", null, true, false);
-    }
-    postEmergencyAccessReject(id) {
-        return this.send("POST", "/emergency-access/" + id + "/reject", null, true, false);
-    }
-    postEmergencyAccessTakeover(id) {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("POST", "/emergency-access/" + id + "/takeover", null, true, true);
-            return new EmergencyAccessTakeoverResponse(r);
-        });
-    }
-    postEmergencyAccessPassword(id, request) {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            yield this.send("POST", "/emergency-access/" + id + "/password", request, true, true);
-        });
-    }
-    postEmergencyAccessView(id) {
-        return api_service_awaiter(this, void 0, void 0, function* () {
-            const r = yield this.send("POST", "/emergency-access/" + id + "/view", null, true, true);
-            return new EmergencyAccessViewResponse(r);
-        });
-    }
     // Organization APIs
     getCloudCommunicationsEnabled() {
         return api_service_awaiter(this, void 0, void 0, function* () {
@@ -37362,12 +38709,19 @@ var node_env_secure_storage_service_awaiter = (undefined && undefined.__awaiter)
 
 
 
+
 class NodeEnvSecureStorageService {
     constructor(storageService, logService, cryptoService) {
         this.storageService = storageService;
         this.logService = logService;
         this.cryptoService = cryptoService;
     }
+    get valuesRequireDeserialization() {
+        return true;
+    }
+    get updates$() {
+        return (0,external_rxjs_namespaceObject.throwError)(() => new Error("Secure storage implementations cannot have their updates subscribed to."));
+    }
     get(key) {
         return node_env_secure_storage_service_awaiter(this, void 0, void 0, function* () {
             const value = yield this.storageService.get(this.makeProtectedStorageKey(key));
@@ -37396,7 +38750,10 @@ class NodeEnvSecureStorageService {
         });
     }
     remove(key) {
-        return this.storageService.remove(this.makeProtectedStorageKey(key));
+        return node_env_secure_storage_service_awaiter(this, void 0, void 0, function* () {
+            yield this.storageService.remove(this.makeProtectedStorageKey(key));
+            return;
+        });
     }
     encrypt(plainValue) {
         return node_env_secure_storage_service_awaiter(this, void 0, void 0, function* () {
@@ -37537,9 +38894,9 @@ class LockCommand {
 const external_http_namespaceObject = require("http");
 ;// CONCATENATED MODULE: external "inquirer"
 const external_inquirer_namespaceObject = require("inquirer");
-;// CONCATENATED MODULE: ../../libs/common/src/auth/models/domain/log-in-credentials.ts
+;// CONCATENATED MODULE: ../../libs/common/src/auth/models/domain/login-credentials.ts
 
-class PasswordLogInCredentials {
+class PasswordLoginCredentials {
     constructor(email, masterPassword, captchaToken, twoFactor) {
         this.email = email;
         this.masterPassword = masterPassword;
@@ -37548,7 +38905,7 @@ class PasswordLogInCredentials {
         this.type = authentication_type_AuthenticationType.Password;
     }
 }
-class SsoLogInCredentials {
+class SsoLoginCredentials {
     constructor(code, codeVerifier, redirectUrl, orgId, twoFactor) {
         this.code = code;
         this.codeVerifier = codeVerifier;
@@ -37558,14 +38915,14 @@ class SsoLogInCredentials {
         this.type = authentication_type_AuthenticationType.Sso;
     }
 }
-class UserApiLogInCredentials {
+class UserApiLoginCredentials {
     constructor(clientId, clientSecret) {
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.type = authentication_type_AuthenticationType.UserApi;
     }
 }
-class PasswordlessLogInCredentials {
+class AuthRequestLoginCredentials {
     constructor(email, accessCode, authRequestId, decryptedUserKey, decryptedMasterKey, decryptedMasterKeyHash, twoFactor) {
         this.email = email;
         this.accessCode = accessCode;
@@ -37574,7 +38931,15 @@ class PasswordlessLogInCredentials {
         this.decryptedMasterKey = decryptedMasterKey;
         this.decryptedMasterKeyHash = decryptedMasterKeyHash;
         this.twoFactor = twoFactor;
-        this.type = AuthenticationType.Passwordless;
+        this.type = AuthenticationType.AuthRequest;
+    }
+}
+class WebAuthnLoginCredentials {
+    constructor(token, deviceResponse, prfKey) {
+        this.token = token;
+        this.deviceResponse = deviceResponse;
+        this.prfKey = prfKey;
+        this.type = AuthenticationType.WebAuthn;
     }
 }
 
@@ -37588,7 +38953,7 @@ class PasswordRequest extends SecretVerificationRequest {
 class TwoFactorEmailRequest extends SecretVerificationRequest {
 }
 
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/organization-user/requests/organization-user-reset-password.request.ts
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/abstractions/organization-user/requests/organization-user-reset-password.request.ts
 class OrganizationUserResetPasswordRequest {
 }
 
@@ -37748,7 +39113,7 @@ class LoginCommand {
                         return Response.error("Invalid API Key; Organization API Key currently not supported");
                     }
                     try {
-                        response = yield this.authService.logIn(new UserApiLogInCredentials(clientId, clientSecret));
+                        response = yield this.authService.logIn(new UserApiLoginCredentials(clientId, clientSecret));
                     }
                     catch (e) {
                         // handle API key login failures
@@ -37763,13 +39128,16 @@ class LoginCommand {
                     }
                 }
                 else if (ssoCode != null && ssoCodeVerifier != null) {
-                    response = yield this.authService.logIn(new SsoLogInCredentials(ssoCode, ssoCodeVerifier, this.ssoRedirectUri, orgIdentifier, twoFactor));
+                    response = yield this.authService.logIn(new SsoLoginCredentials(ssoCode, ssoCodeVerifier, this.ssoRedirectUri, orgIdentifier, twoFactor));
                 }
                 else {
-                    response = yield this.authService.logIn(new PasswordLogInCredentials(email, password, null, twoFactor));
+                    response = yield this.authService.logIn(new PasswordLoginCredentials(email, password, null, twoFactor));
+                }
+                if (response.requiresEncryptionKeyMigration) {
+                    return Response.error("Encryption key migration required. Please login through the web vault to update your encryption key.");
                 }
                 if (response.captchaSiteKey) {
-                    const credentials = new PasswordLogInCredentials(email, password);
+                    const credentials = new PasswordLoginCredentials(email, password);
                     const handledResponse = yield this.handleCaptchaRequired(twoFactor, credentials);
                     // Error Response
                     if (handledResponse instanceof Response) {
@@ -37864,13 +39232,13 @@ class LoginCommand {
                 // Run full sync before handling success response or password reset flows (to get Master Password Policies)
                 yield this.syncService.fullSync(true);
                 // Handle updating passwords if NOT using an API Key for authentication
-                if (response.forcePasswordReset != ForceResetPasswordReason.None &&
+                if (response.forcePasswordReset != ForceSetPasswordReason.None &&
                     clientId == null &&
                     clientSecret == null) {
-                    if (response.forcePasswordReset === ForceResetPasswordReason.AdminForcePasswordReset) {
+                    if (response.forcePasswordReset === ForceSetPasswordReason.AdminForcePasswordReset) {
                         return yield this.updateTempPassword();
                     }
-                    else if (response.forcePasswordReset === ForceResetPasswordReason.WeakMasterPassword) {
+                    else if (response.forcePasswordReset === ForceSetPasswordReason.WeakMasterPassword) {
                         return yield this.updateWeakPassword(password);
                     }
                 }
@@ -38905,7 +40273,7 @@ const external_koa_namespaceObject = require("koa");
 const external_koa_bodyparser_namespaceObject = require("koa-bodyparser");
 ;// CONCATENATED MODULE: external "koa-json"
 const external_koa_json_namespaceObject = require("koa-json");
-;// CONCATENATED MODULE: ../../libs/common/src/abstractions/organization-user/requests/organization-user-confirm.request.ts
+;// CONCATENATED MODULE: ../../libs/common/src/admin-console/abstractions/organization-user/requests/organization-user-confirm.request.ts
 class OrganizationUserConfirmRequest {
 }
 
@@ -40079,10 +41447,11 @@ class SendRemovePasswordCommand {
 
 ;// CONCATENATED MODULE: ../../libs/common/src/admin-console/models/request/selection-read-only.request.ts
 class SelectionReadOnlyRequest {
-    constructor(id, readOnly, hidePasswords) {
+    constructor(id, readOnly, hidePasswords, manage) {
         this.id = id;
         this.readOnly = readOnly;
         this.hidePasswords = hidePasswords;
+        this.manage = manage;
     }
 }
 
@@ -40286,7 +41655,7 @@ class CreateCommand {
                 }
                 const groups = req.groups == null
                     ? null
-                    : req.groups.map((g) => new SelectionReadOnlyRequest(g.id, g.readOnly, g.hidePasswords));
+                    : req.groups.map((g) => new SelectionReadOnlyRequest(g.id, g.readOnly, g.hidePasswords, g.manage));
                 const request = new CollectionRequest();
                 request.name = (yield this.cryptoService.encrypt(req.name, orgKey)).encryptedString;
                 request.externalId = req.externalId;
@@ -40650,7 +42019,7 @@ class EditCommand {
                 }
                 const groups = req.groups == null
                     ? null
-                    : req.groups.map((g) => new SelectionReadOnlyRequest(g.id, g.readOnly, g.hidePasswords));
+                    : req.groups.map((g) => new SelectionReadOnlyRequest(g.id, g.readOnly, g.hidePasswords, g.manage));
                 const request = new CollectionRequest();
                 request.name = (yield this.cryptoService.encrypt(req.name, orgKey)).encryptedString;
                 request.externalId = req.externalId;
@@ -40676,12 +42045,13 @@ class commands_edit_command_Options {
 ;// CONCATENATED MODULE: ./src/admin-console/models/selection-read-only.ts
 class SelectionReadOnly {
     static template() {
-        return new SelectionReadOnly("00000000-0000-0000-0000-000000000000", false, false);
+        return new SelectionReadOnly("00000000-0000-0000-0000-000000000000", false, false, false);
     }
-    constructor(id, readOnly, hidePasswords) {
+    constructor(id, readOnly, hidePasswords, manage) {
         this.id = id;
         this.readOnly = readOnly;
         this.hidePasswords = hidePasswords || false;
+        this.manage = manage;
     }
 }
 
@@ -40755,10 +42125,11 @@ var commands_get_command_awaiter = (undefined && undefined.__awaiter) || functio
 
 
 
+
 
 
 class GetCommand extends DownloadCommand {
-    constructor(cipherService, folderService, collectionService, totpService, auditService, cryptoService, stateService, searchService, apiService, organizationService) {
+    constructor(cipherService, folderService, collectionService, totpService, auditService, cryptoService, stateService, searchService, apiService, organizationService, eventCollectionService) {
         super(cryptoService);
         this.cipherService = cipherService;
         this.folderService = folderService;
@@ -40769,6 +42140,7 @@ class GetCommand extends DownloadCommand {
         this.searchService = searchService;
         this.apiService = apiService;
         this.organizationService = organizationService;
+        this.eventCollectionService = eventCollectionService;
     }
     run(object, id, cmdOptions) {
         return commands_get_command_awaiter(this, void 0, void 0, function* () {
@@ -40849,6 +42221,7 @@ class GetCommand extends DownloadCommand {
                     return Response.multipleResults(decCipher.map((c) => c.id));
                 }
             }
+            this.eventCollectionService.collect(EventType.Cipher_ClientViewed, id, true, decCipher.organizationId);
             const res = new cipher_response_CipherResponse(decCipher);
             return Response.success(res);
         });
@@ -41094,7 +42467,7 @@ class GetCommand extends DownloadCommand {
                 decCollection.name = yield this.cryptoService.decryptToUtf8(new EncString(response.name), orgKey);
                 const groups = response.groups == null
                     ? null
-                    : response.groups.map((g) => new SelectionReadOnly(g.id, g.readOnly, g.hidePasswords));
+                    : response.groups.map((g) => new SelectionReadOnly(g.id, g.readOnly, g.hidePasswords, g.manage));
                 const res = new OrganizationCollectionResponse(decCollection, groups);
                 return Response.success(res);
             }
@@ -41236,8 +42609,9 @@ var commands_list_command_awaiter = (undefined && undefined.__awaiter) || functi
 
 
 
+
 class ListCommand {
-    constructor(cipherService, folderService, collectionService, organizationService, searchService, organizationUserService, apiService) {
+    constructor(cipherService, folderService, collectionService, organizationService, searchService, organizationUserService, apiService, eventCollectionService) {
         this.cipherService = cipherService;
         this.folderService = folderService;
         this.collectionService = collectionService;
@@ -41245,6 +42619,7 @@ class ListCommand {
         this.searchService = searchService;
         this.organizationUserService = organizationUserService;
         this.apiService = apiService;
+        this.eventCollectionService = eventCollectionService;
     }
     run(object, cmdOptions) {
         return commands_list_command_awaiter(this, void 0, void 0, function* () {
@@ -41327,6 +42702,11 @@ class ListCommand {
             if (options.search != null && options.search.trim() !== "") {
                 ciphers = this.searchService.searchCiphersBasic(ciphers, options.search, options.trash);
             }
+            ciphers.forEach((c, index) => {
+                // Set upload immediately on the last item in the ciphers collection to avoid the event collection
+                // service from uploading each time.
+                this.eventCollectionService.collect(EventType.Cipher_ClientViewed, c.id, index === ciphers.length - 1, c.organizationId);
+            });
             const res = new list_response_ListResponse(ciphers.map((o) => new cipher_response_CipherResponse(o)));
             return Response.success(res);
         });
@@ -41590,8 +42970,8 @@ var serve_command_awaiter = (undefined && undefined.__awaiter) || function (this
 class ServeCommand {
     constructor(main) {
         this.main = main;
-        this.getCommand = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService);
-        this.listCommand = new ListCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.organizationService, this.main.searchService, this.main.organizationUserService, this.main.apiService);
+        this.getCommand = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService, this.main.eventCollectionService);
+        this.listCommand = new ListCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.organizationService, this.main.searchService, this.main.organizationUserService, this.main.apiService, this.main.eventCollectionService);
         this.createCommand = new CreateCommand(this.main.cipherService, this.main.folderService, this.main.stateService, this.main.cryptoService, this.main.apiService, this.main.folderApiService);
         this.editCommand = new EditCommand(this.main.cipherService, this.main.folderService, this.main.cryptoService, this.main.apiService, this.main.folderApiService);
         this.generateCommand = new GenerateCommand(this.main.passwordGenerationService, this.main.stateService);
@@ -42569,7 +43949,7 @@ class SendProgram extends Program {
             object: "Valid objects are: send.text, send.file",
         })
             .action((object) => send_program_awaiter(this, void 0, void 0, function* () {
-            const cmd = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService);
+            const cmd = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService, this.main.eventCollectionService);
             const response = yield cmd.run("template", object, null);
             this.processResponse(response);
         }));
@@ -42731,10 +44111,12 @@ var export_command_awaiter = (undefined && undefined.__awaiter) || function (thi
 
 
 
+
 class ExportCommand {
-    constructor(exportService, policyService) {
+    constructor(exportService, policyService, eventCollectionService) {
         this.exportService = exportService;
         this.policyService = policyService;
+        this.eventCollectionService = eventCollectionService;
     }
     run(options) {
         var _a;
@@ -42756,6 +44138,10 @@ class ExportCommand {
                     format === "encrypted_json"
                         ? yield this.getProtectedExport(options.password, options.organizationid)
                         : yield this.getUnprotectedExport(format, options.organizationid);
+                const eventType = options.organizationid
+                    ? EventType.Organization_ClientExportedVault
+                    : EventType.User_ClientExportedVault;
+                this.eventCollectionService.collect(eventType, null, true, options.organizationid);
             }
             catch (e) {
                 return Response.error(e);
@@ -42882,7 +44268,7 @@ class ImportCommand {
             }
             try {
                 let contents;
-                if (format === "1password1pux") {
+                if (format === "1password1pux" && filepath.endsWith(".1pux")) {
                     contents = yield CliUtils.extractZipContent(filepath, "export.data");
                 }
                 else if (format === "protonpass" && filepath.endsWith(".zip")) {
@@ -43039,7 +44425,7 @@ class VaultProgram extends Program {
                 return;
             }
             yield this.exitIfLocked();
-            const command = new ListCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.organizationService, this.main.searchService, this.main.organizationUserService, this.main.apiService);
+            const command = new ListCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.organizationService, this.main.searchService, this.main.organizationUserService, this.main.apiService, this.main.eventCollectionService);
             const response = yield command.run(object, cmd);
             this.processResponse(response);
         }));
@@ -43094,7 +44480,7 @@ class VaultProgram extends Program {
                 return;
             }
             yield this.exitIfLocked();
-            const command = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService);
+            const command = new GetCommand(this.main.cipherService, this.main.folderService, this.main.collectionService, this.main.totpService, this.main.auditService, this.main.cryptoService, this.main.stateService, this.main.searchService, this.main.apiService, this.main.organizationService, this.main.eventCollectionService);
             const response = yield command.run(object, id, cmd);
             this.processResponse(response);
         }));
@@ -43323,7 +44709,7 @@ class VaultProgram extends Program {
         })
             .action((options) => vault_program_awaiter(this, void 0, void 0, function* () {
             yield this.exitIfLocked();
-            const command = new ExportCommand(this.main.exportService, this.main.policyService);
+            const command = new ExportCommand(this.main.exportService, this.main.policyService, this.main.eventCollectionService);
             const response = yield command.run(options);
             this.processResponse(response);
         }));
@@ -43375,6 +44761,11 @@ var bw_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argum
 
 
 
+// eslint-disable-next-line import/no-restricted-paths -- We need the implementation to inject, but generally this should not be accessed
+
+
+
+
 
 
 
@@ -43438,11 +44829,13 @@ class Main {
         this.storageService = new LowdbStorageService(this.logService, null, p, false, true);
         this.secureStorageService = new NodeEnvSecureStorageService(this.storageService, this.logService, () => this.cryptoService);
         this.memoryStorageService = new MemoryStorageService();
-        this.stateService = new StateService(this.storageService, this.secureStorageService, this.memoryStorageService, this.logService, new StateFactory(GlobalState, Account));
+        this.globalStateProvider = new DefaultGlobalStateProvider(this.memoryStorageService, this.storageService);
+        this.messagingService = new NoopMessagingService();
+        this.accountService = new AccountServiceImplementation(this.messagingService, this.logService, this.globalStateProvider);
+        this.stateService = new StateService(this.storageService, this.secureStorageService, this.memoryStorageService, this.logService, new StateFactory(GlobalState, Account), this.accountService);
         this.cryptoService = new CryptoService(this.cryptoFunctionService, this.encryptService, this.platformUtilsService, this.logService, this.stateService);
         this.appIdService = new AppIdService(this.storageService);
         this.tokenService = new TokenService(this.stateService);
-        this.messagingService = new NoopMessagingService();
         this.environmentService = new environment_service_EnvironmentService(this.stateService);
         const customUserAgent = "Bitwarden_CLI/" +
             this.platformUtilsService.getApplicationVersionSync() +
@@ -43493,6 +44886,8 @@ class Main {
         this.vaultProgram = new VaultProgram(this);
         this.sendProgram = new SendProgram(this);
         this.userVerificationApiService = new UserVerificationApiService(this.apiService);
+        this.eventUploadService = new EventUploadService(this.apiService, this.stateService, this.logService);
+        this.eventCollectionService = new EventCollectionService(this.cipherService, this.stateService, this.organizationService, this.eventUploadService);
     }
     run() {
         return bw_awaiter(this, void 0, void 0, function* () {