@bitwarden/sdk-internal 0.2.0-main.544 → 0.2.0-main.545

package/VERSION

@@ -1 +1 @@
-4ffddfe5fb69d3e93d110b4dda9db4ccd017b203
+598bd479f7f15321b103bd8bae193b6f7cc03cd2

package/bitwarden_wasm_internal.d.ts

@@ -180,11 +180,6 @@ export interface TokenProvider {
   get_access_token(): Promise<string | undefined>;
 }
 
-/**
- * Active feature flags for the SDK.
- */
-export interface FeatureFlags extends Map<string, boolean> {}
-
 export interface IndexedDbConfiguration {
   db_name: string;
 }
@@ -195,12 +190,9 @@ export interface Repositories {
 }
 
 /**
- * The credentials used for send access requests.
+ * Active feature flags for the SDK.
  */
-export type SendAccessCredentials =
-  | SendPasswordCredentials
-  | SendEmailOtpCredentials
-  | SendEmailCredentials;
+export interface FeatureFlags extends Map<string, boolean> {}
 
 /**
  * Credentials for getting a send access token using an email and OTP.
@@ -217,26 +209,26 @@ export interface SendEmailOtpCredentials {
 }
 
 /**
- * Credentials for sending password secured access requests.
- * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
- * struct.
+ * Credentials for sending an OTP to the user\'s email address.
+ * This is used when the send requires email verification with an OTP.
  */
-export interface SendPasswordCredentials {
+export interface SendEmailCredentials {
   /**
-   * A Base64-encoded hash of the password protecting the send.
+   * The email address to which the OTP will be sent.
    */
-  passwordHashB64: string;
+  email: string;
 }
 
 /**
- * Credentials for sending an OTP to the user\'s email address.
- * This is used when the send requires email verification with an OTP.
+ * Credentials for sending password secured access requests.
+ * Clone auto implements the standard lib\'s Clone trait, allowing us to create copies of this
+ * struct.
  */
-export interface SendEmailCredentials {
+export interface SendPasswordCredentials {
   /**
-   * The email address to which the OTP will be sent.
+   * A Base64-encoded hash of the password protecting the send.
    */
-  email: string;
+  passwordHashB64: string;
 }
 
 /**
@@ -254,12 +246,12 @@ export interface SendAccessTokenRequest {
 }
 
 /**
- * Represents errors that can occur when requesting a send access token.
- * It includes expected and unexpected API errors.
+ * The credentials used for send access requests.
  */
-export type SendAccessTokenError =
-  | { kind: "unexpected"; data: UnexpectedIdentityError }
-  | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
+export type SendAccessCredentials =
+  | SendPasswordCredentials
+  | SendEmailOtpCredentials
+  | SendEmailCredentials;
 
 /**
  * Any unexpected error that occurs when making requests to identity. This could be
@@ -285,6 +277,14 @@ export interface SendAccessTokenResponse {
   expiresAt: number;
 }
 
+/**
+ * Represents errors that can occur when requesting a send access token.
+ * It includes expected and unexpected API errors.
+ */
+export type SendAccessTokenError =
+  | { kind: "unexpected"; data: UnexpectedIdentityError }
+  | { kind: "expected"; data: SendAccessTokenApiErrorResponse };
+
 /**
  * Invalid request errors - typically due to missing parameters.
  */
@@ -325,31 +325,6 @@ export type SendAccessTokenInvalidGrantError =
   | "otp_generation_failed"
   | "unknown";
 
-/**
- * Result of TDE registration process.
- */
-export interface TdeRegistrationResponse {
-  /**
-   * The account cryptographic state of the user
-   */
-  account_cryptographic_state: WrappedAccountCryptographicState;
-  /**
-   * The device key
-   */
-  device_key: B64;
-  /**
-   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
-   */
-  user_key: B64;
-}
-
-export interface RegistrationError extends Error {
-  name: "RegistrationError";
-  variant: "KeyConnectorApi" | "Api" | "Crypto";
-}
-
-export function isRegistrationError(error: any): error is RegistrationError;
-
 /**
  * Request parameters for SSO JIT master password registration.
  */
@@ -389,6 +364,33 @@ export interface JitMasterPasswordRegistrationRequest {
   reset_password_enroll: boolean;
 }
 
+/**
+ * Request parameters for TDE (Trusted Device Encryption) registration.
+ */
+export interface TdeRegistrationRequest {
+  /**
+   * Organization ID to enroll in
+   */
+  org_id: OrganizationId;
+  /**
+   * Organization\'s public key for encrypting the reset password key. This should be verified by
+   * the client and not verifying may compromise the security of the user\'s account.
+   */
+  org_public_key: B64;
+  /**
+   * User ID for the account being initialized
+   */
+  user_id: UserId;
+  /**
+   * Device identifier for TDE enrollment
+   */
+  device_identifier: string;
+  /**
+   * Whether to trust this device for TDE
+   */
+  trust_device: boolean;
+}
+
 /**
  * Result of Key Connector registration process.
  */
@@ -412,30 +414,21 @@ export interface KeyConnectorRegistrationResult {
 }
 
 /**
- * Request parameters for TDE (Trusted Device Encryption) registration.
+ * Result of TDE registration process.
  */
-export interface TdeRegistrationRequest {
-  /**
-   * Organization ID to enroll in
-   */
-  org_id: OrganizationId;
-  /**
-   * Organization\'s public key for encrypting the reset password key. This should be verified by
-   * the client and not verifying may compromise the security of the user\'s account.
-   */
-  org_public_key: B64;
+export interface TdeRegistrationResponse {
   /**
-   * User ID for the account being initialized
+   * The account cryptographic state of the user
    */
-  user_id: UserId;
+  account_cryptographic_state: WrappedAccountCryptographicState;
   /**
-   * Device identifier for TDE enrollment
+   * The device key
    */
-  device_identifier: string;
+  device_key: B64;
   /**
-   * Whether to trust this device for TDE
+   * The decrypted user key. This can be used to get the consuming client to an unlocked state.
    */
-  trust_device: boolean;
+  user_key: B64;
 }
 
 /**
@@ -456,6 +449,269 @@ export interface JitMasterPasswordRegistrationResponse {
   user_key: B64;
 }
 
+export interface RegistrationError extends Error {
+  name: "RegistrationError";
+  variant: "KeyConnectorApi" | "Api" | "Crypto";
+}
+
+export function isRegistrationError(error: any): error is RegistrationError;
+
+export interface PasswordPreloginError extends Error {
+  name: "PasswordPreloginError";
+  variant: "Api" | "Unknown";
+}
+
+export function isPasswordPreloginError(error: any): error is PasswordPreloginError;
+
+export interface PasswordLoginError extends Error {
+  name: "PasswordLoginError";
+  variant: "InvalidUsernameOrPassword" | "PasswordAuthenticationDataDerivation" | "Unknown";
+}
+
+export function isPasswordLoginError(error: any): error is PasswordLoginError;
+
+/**
+ * Public SDK request model for logging in via password
+ */
+export interface PasswordLoginRequest {
+  /**
+   * Common login request fields
+   */
+  loginRequest: LoginRequest;
+  /**
+   * User\'s email address
+   */
+  email: string;
+  /**
+   * User\'s master password
+   */
+  password: string;
+  /**
+   * Prelogin data required for password authentication
+   * (e.g., KDF configuration for deriving the master key)
+   */
+  preloginResponse: PasswordPreloginResponse;
+}
+
+/**
+ * Response containing the data required before password-based authentication
+ */
+export interface PasswordPreloginResponse {
+  /**
+   * The Key Derivation Function (KDF) configuration for the user
+   */
+  kdf: Kdf;
+  /**
+   * The salt used in the KDF process
+   */
+  salt: string;
+}
+
+/**
+ * The common bucket of login fields to be re-used across all login mechanisms
+ * (e.g., password, SSO, etc.). This will include handling client_id and 2FA.
+ */
+export interface LoginRequest {
+  /**
+   * OAuth client identifier
+   */
+  clientId: string;
+  /**
+   * Device information for this login request
+   */
+  device: LoginDeviceRequest;
+}
+
+/**
+ * Common login response model used across different login methods.
+ */
+export type LoginResponse = { Authenticated: LoginSuccessResponse };
+
+/**
+ * Device information for login requests.
+ * This is common across all login mechanisms and describes the device
+ * making the authentication request.
+ */
+export interface LoginDeviceRequest {
+  /**
+   * The type of device making the login request
+   * Note: today, we already have the DeviceType on the ApiConfigurations
+   * but we do not have the other device fields so we will accept the device data at login time
+   * for now. In the future, we might refactor the unauthN client to instantiate with full
+   * device info which would deprecate this struct. However, using the device_type here
+   * allows us to avoid any timing issues in scenarios where the device type could change
+   * between client instantiation and login (unlikely but possible).
+   */
+  deviceType: DeviceType;
+  /**
+   * Unique identifier for the device
+   */
+  deviceIdentifier: string;
+  /**
+   * Human-readable name of the device
+   */
+  deviceName: string;
+  /**
+   * Push notification token for the device (only for mobile devices)
+   */
+  devicePushToken: string | undefined;
+}
+
+/**
+ * SDK response model for a successful login.
+ * This is the model that will be exposed to consuming applications.
+ */
+export interface LoginSuccessResponse {
+  /**
+   * The access token string.
+   */
+  accessToken: string;
+  /**
+   * The duration in seconds until the token expires.
+   */
+  expiresIn: number;
+  /**
+   * The timestamp in milliseconds when the token expires.
+   * We calculate this for more convenient token expiration handling.
+   */
+  expiresAt: number;
+  /**
+   * The scope of the access token.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-3.3>
+   */
+  scope: string;
+  /**
+   * The type of the token.
+   * This will be \"Bearer\" for send access tokens.
+   * OAuth 2.0 RFC reference: <https://datatracker.ietf.org/doc/html/rfc6749#section-7.1>
+   */
+  tokenType: string;
+  /**
+   * The optional refresh token string.
+   * This token can be used to obtain new access tokens when the current one expires.
+   */
+  refreshToken: string | undefined;
+  /**
+   * The user key wrapped user private key.
+   * Note: previously known as \"private_key\".
+   */
+  userKeyWrappedUserPrivateKey: string | undefined;
+  /**
+   * Two-factor authentication token for future requests.
+   */
+  twoFactorToken: string | undefined;
+  /**
+   * Indicates whether an admin has reset the user\'s master password,
+   * requiring them to set a new password upon next login.
+   */
+  forcePasswordReset: boolean | undefined;
+  /**
+   * Indicates whether the user uses Key Connector and if the client should have a locally
+   * configured Key Connector URL in their environment.
+   * Note: This is currently only applicable for client_credential grant type logins and
+   * is only expected to be relevant for the CLI
+   */
+  apiUseKeyConnector: boolean | undefined;
+  /**
+   * The user\'s decryption options for unlocking their vault.
+   */
+  userDecryptionOptions: UserDecryptionOptionsResponse;
+  /**
+   * If the user is subject to an organization master password policy,
+   * this field contains the requirements of that policy.
+   */
+  masterPasswordPolicy: MasterPasswordPolicyResponse | undefined;
+}
+
+/**
+ * SDK domain model for user decryption options.
+ * Provides the various methods available to unlock a user\'s vault.
+ */
+export interface UserDecryptionOptionsResponse {
+  /**
+   * Master password unlock option. None if user doesn\'t have a master password.
+   */
+  masterPasswordUnlock?: MasterPasswordUnlockData;
+  /**
+   * Trusted Device decryption option.
+   */
+  trustedDeviceOption?: TrustedDeviceUserDecryptionOption;
+  /**
+   * Key Connector decryption option.
+   * Mutually exclusive with Trusted Device option.
+   */
+  keyConnectorOption?: KeyConnectorUserDecryptionOption;
+  /**
+   * WebAuthn PRF decryption option.
+   */
+  webauthnPrfOption?: WebAuthnPrfUserDecryptionOption;
+}
+
+/**
+ * SDK domain model for WebAuthn PRF user decryption option.
+ */
+export interface WebAuthnPrfUserDecryptionOption {
+  /**
+   * PRF key encrypted private key
+   */
+  encryptedPrivateKey: EncString;
+  /**
+   * Public Key encrypted user key
+   */
+  encryptedUserKey: UnsignedSharedKey;
+  /**
+   * Credential ID for this WebAuthn PRF credential.
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
+   */
+  credentialId: string | undefined;
+  /**
+   * Transport methods available for this credential (e.g., \"usb\", \"nfc\", \"ble\", \"internal\",
+   * \"hybrid\").
+   * TODO: PM-32163 - can remove `Option<T>` after 3 releases from server v2026.1.1
+   */
+  transports: string[] | undefined;
+}
+
+/**
+ * SDK domain model for Key Connector user decryption option.
+ */
+export interface KeyConnectorUserDecryptionOption {
+  /**
+   * URL of the Key Connector server to use for decryption.
+   */
+  keyConnectorUrl: string;
+}
+
+/**
+ * SDK domain model for Trusted Device user decryption option.
+ */
+export interface TrustedDeviceUserDecryptionOption {
+  /**
+   * Whether the user has admin approval for device login.
+   */
+  hasAdminApproval: boolean;
+  /**
+   * Whether the user has a device that can approve logins.
+   */
+  hasLoginApprovingDevice: boolean;
+  /**
+   * Whether the user has permission to manage password reset for other users.
+   */
+  hasManageResetPasswordPermission: boolean;
+  /**
+   * Whether the user is in TDE offboarding.
+   */
+  isTdeOffboarding: boolean;
+  /**
+   * The device key encrypted device private key. Only present if the device is trusted.
+   */
+  encryptedPrivateKey?: EncString;
+  /**
+   * The device private key encrypted user key. Only present if the device is trusted.
+   */
+  encryptedUserKey?: UnsignedSharedKey;
+}
+
 export interface Collection {
   id: CollectionId | undefined;
   organizationId: OrganizationId;
@@ -1263,6 +1519,45 @@ export type Endpoint =
   | "DesktopRenderer"
   | "DesktopMain";
 
+/**
+ * SDK domain model for master password policy requirements.
+ * Defines the complexity requirements for a user\'s master password
+ * when enforced by an organization policy.
+ */
+export interface MasterPasswordPolicyResponse {
+  /**
+   * The minimum complexity score required for the master password.
+   * Complexity is calculated based on password strength metrics.
+   */
+  minComplexity?: number;
+  /**
+   * The minimum length required for the master password.
+   */
+  minLength?: number;
+  /**
+   * Whether the master password must contain at least one lowercase letter.
+   */
+  requireLower?: boolean;
+  /**
+   * Whether the master password must contain at least one uppercase letter.
+   */
+  requireUpper?: boolean;
+  /**
+   * Whether the master password must contain at least one numeric digit.
+   */
+  requireNumbers?: boolean;
+  /**
+   * Whether the master password must contain at least one special character.
+   */
+  requireSpecial?: boolean;
+  /**
+   * Whether this policy should be enforced when the user logs in.
+   * If true, the user will be required to update their master password
+   * if it doesn\'t meet the policy requirements.
+   */
+  enforceOnLogin?: boolean;
+}
+
 export interface ServerCommunicationConfigRepositoryError extends Error {
   name: "ServerCommunicationConfigRepositoryError";
   variant: "GetError" | "SaveError";
@@ -2350,9 +2645,9 @@ export class AuthClient {
    */
   registration(): RegistrationClient;
   /**
-   * Client for identity functionality
+   * Client for login functionality
    */
-  identity(): IdentityClient;
+  login(client_settings: ClientSettings): LoginClient;
 }
 /**
  * Client for performing admin operations on ciphers. Unlike the regular CiphersClient,
@@ -2789,14 +3084,6 @@ export class GeneratorClient {
    */
   password(input: PasswordGeneratorRequest): string;
 }
-/**
- * The IdentityClient is used to obtain identity / access tokens from the Bitwarden Identity API.
- */
-export class IdentityClient {
-  private constructor();
-  free(): void;
-  [Symbol.dispose](): void;
-}
 export class IncomingMessage {
   free(): void;
   [Symbol.dispose](): void;
@@ -2863,6 +3150,88 @@ export class IpcCommunicationBackend {
    */
   receive(message: IncomingMessage): void;
 }
+/**
+ * Client for authenticating Bitwarden users.
+ *
+ * Handles unauthenticated operations to obtain access tokens from the Identity API.
+ * After successful authentication, use the returned tokens to create an authenticated core client.
+ *
+ * # Lifecycle
+ *
+ * 1. Create `LoginClient` via `AuthClient`
+ * 2. Call login method
+ * 3. Use returned tokens with authenticated core client
+ *
+ * # Password Login Example
+ *
+ * ```rust,no_run
+ * # use bitwarden_auth::{AuthClient, login::login_via_password::PasswordLoginRequest};
+ * # use bitwarden_auth::login::models::{LoginRequest, LoginDeviceRequest, LoginResponse};
+ * # use bitwarden_core::{Client, ClientSettings, DeviceType};
+ * # async fn example(email: String, password: String) -> Result<(), Box<dyn std::error::Error>> {
+ * // Create auth client
+ * let client = Client::new(None);
+ * let auth_client = AuthClient::new(client);
+ *
+ * // Configure client settings and create login client
+ * let settings = ClientSettings {
+ *     identity_url: "https://identity.bitwarden.com".to_string(),
+ *     api_url: "https://api.bitwarden.com".to_string(),
+ *     user_agent: "MyApp/1.0".to_string(),
+ *     device_type: DeviceType::SDK,
+ *     device_identifier: None,
+ *     bitwarden_client_version: None,
+ *     bitwarden_package_type: None,
+ * };
+ * let login_client = auth_client.login(settings);
+ *
+ * // Get user's KDF config
+ * let prelogin = login_client.get_password_prelogin(email.clone()).await?;
+ *
+ * // Login with credentials
+ * let response = login_client.login_via_password(PasswordLoginRequest {
+ *     login_request: LoginRequest {
+ *         client_id: "connector".to_string(),
+ *         device: LoginDeviceRequest {
+ *             device_type: DeviceType::SDK,
+ *             device_identifier: "device-id".to_string(),
+ *             device_name: "My Device".to_string(),
+ *             device_push_token: None,
+ *         },
+ *     },
+ *     email,
+ *     password,
+ *     prelogin_response: prelogin,
+ * }).await?;
+ *
+ * // Use tokens from response for authenticated requests
+ * match response {
+ *     LoginResponse::Authenticated(success) => {
+ *         let access_token = success.access_token;
+ *         // Use access_token for authenticated requests
+ *     }
+ * }
+ * # Ok(())
+ * # }
+ * ```
+ */
+export class LoginClient {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Retrieves the data required before authenticating with a password.
+   * This includes the user's KDF configuration needed to properly derive the master key.
+   */
+  get_password_prelogin(email: string): Promise<PasswordPreloginResponse>;
+  /**
+   * Authenticates a user via email and master password.
+   *
+   * Derives the master password hash using KDF settings from prelogin, then sends
+   * the authentication request to obtain access tokens and vault keys.
+   */
+  login_via_password(request: PasswordLoginRequest): Promise<LoginResponse>;
+}
 export class OutgoingMessage {
   free(): void;
   [Symbol.dispose](): void;