Project build and release

Author: Timshel

Diff for: .github/workflows/release.yml

@@ -0,0 +1,73 @@
+name: build-and-release
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build:
+    name: Build and create a release
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Set TAG variables
+        id: tags_variables
+        run: |
+          set -x
+
+          TAG_CURRENT=$(git describe --abbrev=0 --tags ${{ github.ref }})
+          echo "TAG_CURRENT=$TAG_CURRENT" >> "$GITHUB_ENV"
+
+          echo "CHANGELOG_MESSAGE<<EOF" >> $GITHUB_ENV
+          sed -nzE "s/^.*## $TAG_CURRENT([^#]*).*$/\1/p" CHANGELOG.md  | sed -e '/./,$!d' -e :a -e '/^\n*$/{$d;N;ba' -e '}' >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      - name: Build
+        run: |
+          ./scripts/build_webvaults.sh
+
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ env.TAG_CURRENT }}
+          release_name: ${{ env.TAG_CURRENT }}
+          body: |
+            ${{ env.CHANGELOG_MESSAGE }}
+
+            :robot: Built by [release.yml](.github/workflows/release.yml) :robot:
+          draft: false
+          prerelease: false
+
+      - name: Upload Release Asset
+        id: upload-release-button
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./oidc_button_web_vault.tar.gz
+          asset_name: oidc_button_web_vault.tar.gz
+          asset_content_type: application/gzip
+
+      - name: Upload Release Asset
+        id: upload-release-override
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./oidc_override_web_vault.tar.gz
+          asset_name: oidc_override_web_vault.tar.gz
+          asset_content_type: application/gzip

Diff for: CHANGELOG.md

@@ -0,0 +1,67 @@
+# Changelog
+
+## v2025.2.2-1
+
+- Released based on `web-v2025.2.2`
+
+## v2025.1.2-4
+
+- Move the dummy `identifier` to the `override` patch.
+- During enrollment override the `idendifier` with the one returned by `auto-enroll-status`.
+
+## v2025.1.2-3
+
+- Fix the dummy `identifier` used.
+
+## v2025.1.2-2
+
+- Remove the now unecessary org invite fix.
+
+## v2025.1.2-1
+
+- Released based on `web-v2025.1.2`
+
+## v2025.1.1-1
+
+- Released based on `web-v2025.1.1`
+
+## v2025.1.0-2
+
+- Add css class to 2FA providers
+
+## v2025.1.0-1
+
+- Released based on `web-v2025.1.0`
+
+## v2024.12.1-3
+
+- On login error redirect to the `loggedOut` default page
+
+## v2024.12.1-2
+
+- Add css class to easily hide the password field
+
+## v2024.12.1-1
+
+- Released based on `web-v2024.12.1`
+
+## v2024.10.2-1
+
+- Released based on `web-v2024.10.2`
+
+## v2024.8.3-4
+
+- Fix sso redirection to keep clean url
+
+## v2024.8.3-3
+
+- Fix confirm error message
+
+## v2024.8.3-2
+
+- Remove `Bitwarden Inc.` from footer
+
+## v2024.8.3-1
+
+- Switching `web-vaults` are now built, now rebased on top of https://github.com/bitwarden/clients
+- Released based on `web-v2024.8.3`

Diff for: README.md

@@ -1,35 +1,59 @@
-<p align="center">
-  <img src="https://raw.githubusercontent.com/bitwarden/brand/main/screenshots/apps-combo-logo.png" alt="Bitwarden" />
-</p>
-<p align="center">
-  <a href="https://github.com/bitwarden/clients/actions/workflows/build-browser.yml?query=branch:main" target="_blank"><img src="https://github.com/bitwarden/clients/actions/workflows/build-browser.yml/badge.svg?branch=main" alt="GitHub Workflow browser build on main" /></a>
-  <a href="https://github.com/bitwarden/clients/actions/workflows/build-cli.yml?query=branch:main" target="_blank"><img src="https://github.com/bitwarden/clients/actions/workflows/build-cli.yml/badge.svg?branch=main" alt="GitHub Workflow CLI build on main" /></a>
-  <a href="https://github.com/bitwarden/clients/actions/workflows/build-desktop.yml?query=branch:main" target="_blank"><img src="https://github.com/bitwarden/clients/actions/workflows/build-desktop.yml/badge.svg?branch=main" alt="GitHub Workflow desktop build on main" /></a>
-  <a href="https://github.com/bitwarden/clients/actions/workflows/build-web.yml?query=branch:main" target="_blank"><img src="https://github.com/bitwarden/clients/actions/workflows/build-web.yml/badge.svg?branch=main" alt="GitHub Workflow web build on main" /></a>
-  <a href="https://gitter.im/bitwarden/Lobby" target="_blank"><img src="https://badges.gitter.im/bitwarden/Lobby.svg" alt="gitter chat" /></a>
-</p>
+# Web Vault OIDC builds for Vaultwarden
+
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
 
 ---
 
-# Bitwarden Client Applications
+<br>
+
+This is a repository to store custom builds of the [Bitwarden web vault](https://github.com/bitwarden/clients/tree/master/apps/web) patched to work with [vaultwarden](https://github.com/dani-garcia/vaultwarden) and patched again to obtain a cleaner flow when using an SSO.
+
+This generate three different versions :
+
+- `button` closest to what is expected to be merge into [bw_web_builds](https://github.com/dani-garcia/bw_web_builds))
+  - restore the SSO login button ([patch](oidc_button.patch)) (
+  - allow organization invitation to survive sso account creation ([patch](oidc_invite.patch))
+- `override` add additionally :
+  - set `#sso` as the default redirect url
+  - remove some unnecessary logic ([patch](oidc_override.patch))
+  - display SSO errors and redirect to start of the flow ([patch](oidc_sso_errors.patch))
+- `experimental` which stop sending the Master password hash to the server ([patch](oidc_experimental.patch))
+
+## Building the web-vault
+
+To build the web-vault you need node and npm installed.
 
-This repository houses all Bitwarden client applications except the [Mobile application](https://github.com/bitwarden/mobile).
+### Using node 18 and npm
 
-Please refer to the [Clients section](https://contributing.bitwarden.com/getting-started/clients/) of the [Contributing Documentation](https://contributing.bitwarden.com/) for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.
+For a quick and easy local build you can run:
 
-## Related projects:
+```bash
+./build_webvault.sh
+```
 
-- [bitwarden/server](https://github.com/bitwarden/server): The core infrastructure backend (API, database, Docker, etc).
-- [bitwarden/ios](https://github.com/bitwarden/ios): Bitwarden mobile app for iOS.
-- [bitwarden/android](https://github.com/bitwarden/android): Bitwarden mobile app for Android.
-- [bitwarden/directory-connector](https://github.com/bitwarden/directory-connector): A tool for syncing a directory (AD, LDAP, Azure, G Suite, Okta) to an organization.
+This will :
 
-# We're Hiring!
+- Clone a specific version of the [Bitwarden web vault](https://github.com/bitwarden/clients/tree/master/apps/web)
+- Clone a specific version of the [VaultWarden web vault builds](https://github.com/dani-garcia/bw_web_builds)
+- Copy ressources from the VaultWarden web vault project
+- Apply the VaultWarden web vault patch
+- Apply the button [patch](oidc_button.patch)
+- Apply the invite [patch](oidc_invite.patch)
+- Build the web vault application
+- Package it as `oidc_button_web_vault.tar.gz`.
+- Apply the override [patch](oidc_override.patch) to improve SSO flow
+- Apply the override [patch](oidc_sso_errors.patch) to improve SSO errors handling
+- Apply the messages [patch](oidc_messages.patch)
+- Build the web vault application
+- Package it as `oidc_override_web_vault.tar.gz`.
+- Apply the experimental [patch](oidc_experimental.patch) to improve SSO errors handling
+- Build the web vault application
+- Package it as `oidc_experimental_web_vault.tar.gz`.
 
-Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our [Careers page](https://bitwarden.com/careers/) to see what opportunities are [currently open](https://bitwarden.com/careers/#open-positions) as well as what it's like to work at Bitwarden.
+### More information
 
-# Contribute
+For more information see: [Install the web-vault](https://github.com/dani-garcia/vaultwarden/wiki/Building-binary#install-the-web-vault)
 
-Code contributions are welcome! Please commit any pull requests against the `main` branch. Learn more about how to contribute by reading the [Contributing Guidelines](https://contributing.bitwarden.com/contributing/). Check out the [Contributing Documentation](https://contributing.bitwarden.com/) for how to get started with your first contribution.
+### Pre-build
 
-Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the [`SECURITY.md`](SECURITY.md) file.
+The builds are available in the [releases page](https://github.com/Timshel/oidc_web_builds/releases), and can be replicated with the scripts in this repo.

Diff for: apps/web/webpack.config.js

@@ -203,7 +203,7 @@ const devServer =
     ? {}
     : {
         server: {
-          type: "https",
+          type: envConfig.dev?.protocol ?? "https",
           options: {
             key: fs.readFileSync("dev-server" + certSuffix + ".pem"),
             cert: fs.readFileSync("dev-server" + certSuffix + ".pem"),
@@ -247,6 +247,13 @@ const devServer =
             secure: false,
             changeOrigin: true,
           },
+          {
+            context: ["/css"],
+            target: envConfig.dev?.proxyCss,
+            pathRewrite: { "^/css": "" },
+            secure: false,
+            changeOrigin: true,
+          },
         ],
         headers: (req) => {
           if (!req.originalUrl.includes("connector.html")) {

Diff for: scripts/build_webvaults.sh

@@ -0,0 +1,44 @@
+# !/bin/bash
+
+set -x
+set -e
+
+NO_SETUP=false
+if [[ "$@" == *"--only-build"* ]] ; then
+  NO_SETUP=true
+fi
+
+ONLY_OVERRIDE=false
+if [[ "$@" == *"--only-override"* ]] ; then
+  ONLY_OVERRIDE=true
+fi
+
+rm -f oidc_button_web_vault.tar.gz oidc_override_web_vault.tar.gz
+
+# Prepare build
+if [ "$NO_SETUP" = false ] ; then
+    npm ci
+    npm audit fix || true
+fi
+
+### Build button version ###
+if [ "$ONLY_OVERRIDE" = false ] ; then
+    cd apps/web
+    npm run dist:oss:selfhost
+    printf '{"version": "oidc_button-%s"}' $TAG_CURRENT > build/vw-version.json
+    mv build web-vault
+    tar -czvf ../../"oidc_button_web_vault.tar.gz" web-vault --owner=0 --group=0
+    rm -rf web-vault
+    cd ../..
+fi
+
+### Build Override version ###
+git apply ./scripts/oidc_override.patch
+
+cd apps/web
+npm run dist:oss:selfhost
+printf '{"version": "oidc_override-%s"}' $TAG_CURRENT > build/vw-version.json
+mv build web-vault
+tar -czvf ../../"oidc_override_web_vault.tar.gz" web-vault --owner=0 --group=0
+rm -rf web-vault
+cd ../..

Diff for: scripts/oidc_override.patch

@@ -0,0 +1,94 @@
+Subject: [PATCH] SSO login as default, hide sso identifier and use dummy value
+
+---
+ apps/web/src/app/auth/sso-v1.component.html                | 7 -------
+ apps/web/src/app/auth/sso-v1.component.ts                  | 2 +-
+ libs/angular/src/auth/guards/redirect.guard.ts             | 2 +-
+ .../angular/set-password-jit/set-password-jit.component.ts | 2 ++
+ .../response/organization-auto-enroll-status.response.ts   | 2 ++
+ 5 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/apps/web/src/app/auth/sso-v1.component.html b/apps/web/src/app/auth/sso-v1.component.html
+index 59abc92e87..0a136f5a4f 100644
+--- a/apps/web/src/app/auth/sso-v1.component.html
++++ b/apps/web/src/app/auth/sso-v1.component.html
+@@ -5,18 +5,11 @@
+   </div>
+   <div *ngIf="!loggingIn">
+     <p bitTypography="body1">{{ "ssoLogInWithOrgIdentifier" | i18n }}</p>
+-    <bit-form-field>
+-      <bit-label>{{ "ssoIdentifier" | i18n }}</bit-label>
+-      <input bitInput type="text" formControlName="identifier" appAutofocus />
+-    </bit-form-field>
+     <hr />
+     <div class="tw-flex tw-gap-2">
+       <button type="submit" bitButton bitFormButton buttonType="primary" [block]="true">
+         {{ "logIn" | i18n }}
+       </button>
+-      <a bitButton buttonType="secondary" routerLink="/login" [block]="true">
+-        {{ "cancel" | i18n }}
+-      </a>
+     </div>
+   </div>
+ </form>
+diff --git a/apps/web/src/app/auth/sso-v1.component.ts b/apps/web/src/app/auth/sso-v1.component.ts
+index 8699ecf7b2..f257ea80bb 100644
+--- a/apps/web/src/app/auth/sso-v1.component.ts
++++ b/apps/web/src/app/auth/sso-v1.component.ts
+@@ -40,7 +40,7 @@ import { PasswordGenerationServiceAbstraction } from "@bitwarden/generator-legac
+ // eslint-disable-next-line rxjs-angular/prefer-takeuntil
+ export class SsoComponentV1 extends BaseSsoComponent implements OnInit {
+   protected formGroup = new FormGroup({
+-    identifier: new FormControl(null, [Validators.required]),
++    identifier: new FormControl("OIDCWarden", [Validators.required]),
+   });
+ 
+   get identifierFormControl() {
+diff --git a/libs/angular/src/auth/guards/redirect.guard.ts b/libs/angular/src/auth/guards/redirect.guard.ts
+index 7717d325a6..8161adda75 100644
+--- a/libs/angular/src/auth/guards/redirect.guard.ts
++++ b/libs/angular/src/auth/guards/redirect.guard.ts
+@@ -17,7 +17,7 @@ export interface RedirectRoutes {
+ 
+ export const defaultRoutes: RedirectRoutes = {
+   loggedIn: "/vault",
+-  loggedOut: "/login",
++  loggedOut: "/sso",
+   locked: "/lock",
+   notDecrypted: "/login-initiated",
+ };
+diff --git a/libs/auth/src/angular/set-password-jit/set-password-jit.component.ts b/libs/auth/src/angular/set-password-jit/set-password-jit.component.ts
+index b54529f6a2..eae6146232 100644
+--- a/libs/auth/src/angular/set-password-jit/set-password-jit.component.ts
++++ b/libs/auth/src/angular/set-password-jit/set-password-jit.component.ts
+@@ -76,7 +76,9 @@ export class SetPasswordJitComponent implements OnInit {
+         const autoEnrollStatus = await this.organizationApiService.getAutoEnrollStatus(
+           this.orgSsoIdentifier,
+         );
++
+         this.orgId = autoEnrollStatus.id;
++        this.orgSsoIdentifier = autoEnrollStatus.identifier;
+         this.resetPasswordAutoEnroll = autoEnrollStatus.resetPasswordEnabled;
+         this.masterPasswordPolicyOptions =
+           await this.policyApiService.getMasterPasswordPolicyOptsForOrgUser(autoEnrollStatus.id);
+diff --git a/libs/common/src/admin-console/models/response/organization-auto-enroll-status.response.ts b/libs/common/src/admin-console/models/response/organization-auto-enroll-status.response.ts
+index f2d22fafcd..b27e3f0e25 100644
+--- a/libs/common/src/admin-console/models/response/organization-auto-enroll-status.response.ts
++++ b/libs/common/src/admin-console/models/response/organization-auto-enroll-status.response.ts
+@@ -2,11 +2,13 @@ import { BaseResponse } from "../../../models/response/base.response";
+ 
+ export class OrganizationAutoEnrollStatusResponse extends BaseResponse {
+   id: string;
++  identifier: string;
+   resetPasswordEnabled: boolean;
+ 
+   constructor(response: any) {
+     super(response);
+     this.id = this.getResponseProperty("Id");
++    this.identifier = this.getResponseProperty("Identifier");
+     this.resetPasswordEnabled = this.getResponseProperty("ResetPasswordEnabled");
+   }
+ }
+-- 
+2.39.5
+

Diff for: scripts/test_changelog.sh

@@ -0,0 +1,8 @@
+# !/bin/bash
+
+LAST_TAG=$(git describe --abbrev=0 --tags HEAD)
+
+echo "Test changelog output for latest tag:"
+echo "------------------------------------"
+sed -nzE "s/^.*## $LAST_TAG([^#]*).*$/\1/p" CHANGELOG.md  | sed -e '/./,$!d' -e :a -e '/^\n*$/{$d;N;ba' -e '}'
+echo "------------------------------------"