[PM-21357] Migrate ModifierExtensions to ui module (#5215)

Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>

.github/workflows/build-authenticator.yml

@@ -39,10 +39,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -52,7 +52,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -61,13 +61,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
@@ -98,7 +98,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
@@ -162,10 +162,10 @@ jobs:
           json_key:${{ github.workspace }}/secrets/authenticator_play_store-creds.json }}
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -175,7 +175,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -184,7 +184,7 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
@@ -224,7 +224,7 @@ jobs:
 
       - name: Upload release Play Store .aab artifact
         if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.bitwarden.authenticator.aab
           path: authenticator/build/outputs/bundle/release/com.bitwarden.authenticator.aab
@@ -232,7 +232,7 @@ jobs:
 
       - name: Upload release .apk artifact
         if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.bitwarden.authenticator.apk
           path: authenticator/build/outputs/apk/release/com.bitwarden.authenticator.apk
@@ -252,7 +252,7 @@ jobs:
 
       - name: Upload .apk SHA file for release
         if: ${{ matrix.variant == 'apk' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: authenticator-android-apk-sha256.txt
           path: ./authenticator-android-apk-sha256.txt
@@ -260,7 +260,7 @@ jobs:
 
       - name: Upload .aab SHA file for release
         if: ${{ matrix.variant == 'aab' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: authenticator-android-aab-sha256.txt
           path: ./authenticator-android-aab-sha256.txt

.github/workflows/build.yml

@@ -40,10 +40,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -53,7 +53,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -62,13 +62,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
@@ -85,7 +85,7 @@ jobs:
         run: bundle exec fastlane assembleDebugApks
 
       - name: Upload test reports on failure
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-reports
@@ -106,7 +106,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
@@ -157,10 +157,10 @@ jobs:
           --name app_play_prod_firebase-creds.json --file ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -170,7 +170,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -179,7 +179,7 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
@@ -253,7 +253,7 @@ jobs:
 
       - name: Upload release Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.aab
           path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab
@@ -261,7 +261,7 @@ jobs:
 
       - name: Upload beta Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta.aab
           path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab
@@ -269,7 +269,7 @@ jobs:
 
       - name: Upload release .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.apk
           path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk
@@ -277,7 +277,7 @@ jobs:
 
       - name: Upload beta .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta.apk
           path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk
@@ -286,7 +286,7 @@ jobs:
       # When building variants other than 'prod'
       - name: Upload debug .apk artifact
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.${{ matrix.variant }}.apk
           path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk
@@ -324,7 +324,7 @@ jobs:
 
       - name: Upload .apk SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.apk-sha256.txt
           path: ./com.x8bit.bitwarden.apk-sha256.txt
@@ -332,7 +332,7 @@ jobs:
 
       - name: Upload .apk SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta.apk-sha256.txt
           path: ./com.x8bit.bitwarden.beta.apk-sha256.txt
@@ -340,7 +340,7 @@ jobs:
 
       - name: Upload .aab SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.aab-sha256.txt
           path: ./com.x8bit.bitwarden.aab-sha256.txt
@@ -348,7 +348,7 @@ jobs:
 
       - name: Upload .aab SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta.aab-sha256.txt
           path: ./com.x8bit.bitwarden.beta.aab-sha256.txt
@@ -356,7 +356,7 @@ jobs:
 
       - name: Upload .apk SHA file for debug
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
           path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
@@ -405,7 +405,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
@@ -442,10 +442,10 @@ jobs:
           --name app_fdroid_firebase-creds.json --file ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -455,7 +455,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -464,7 +464,7 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
@@ -515,7 +515,7 @@ jobs:
           keyPassword:"${{ env.FDROID_BETA_KEY_PASSWORD }}"
 
       - name: Upload F-Droid .apk artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden-fdroid.apk
           path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk
@@ -527,14 +527,14 @@ jobs:
           > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid SHA file
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden-fdroid.apk-sha256.txt
           path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
           if-no-files-found: error
 
       - name: Upload F-Droid Beta .apk artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta-fdroid.apk
           path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk
@@ -546,7 +546,7 @@ jobs:
           > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid Beta SHA file
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
           path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt

.github/workflows/crowdin-pull-authenticator.yml

@@ -29,14 +29,14 @@ jobs:
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
         id: app-token
         with:
           app-id: ${{ secrets.BW_GHAPP_ID }}
           private-key: ${{ secrets.BW_GHAPP_KEY }}
 
       - name: Download translations
-        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }}

.github/workflows/crowdin-pull.yml

@@ -29,14 +29,14 @@ jobs:
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
         id: app-token
         with:
           app-id: ${{ secrets.BW_GHAPP_ID }}
           private-key: ${{ secrets.BW_GHAPP_KEY }}
 
       - name: Download translations
-        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/crowdin-push-authenticator.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Upload sources
-        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }}

.github/workflows/crowdin-push.yml

@@ -29,7 +29,7 @@ jobs:
           secrets: "crowdin-api-token"
 
       - name: Upload sources
-        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/github-release.yml

@@ -95,7 +95,7 @@ jobs:
 
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           tag_name: "v${{ inputs.version-name }}"
           name: "${{ inputs.version-name }} (${{ inputs.version-number }})"

.github/workflows/scan-ci.yml

@@ -21,7 +21,7 @@ jobs:
           fetch-depth: 0
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
         with:
           project_name: ${{ github.repository }}
           cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
@@ -34,7 +34,7 @@ jobs:
             --output-path .
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: cx_result.sarif
 
@@ -51,7 +51,7 @@ jobs:
           fetch-depth: 0
 
       - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:

.github/workflows/scan.yml

@@ -2,8 +2,14 @@ name: Scan Pull Requests
 
 on:
   workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches-ignore:
+      - main
   pull_request_target:
-    types: [opened, synchronize]
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
 
 jobs:
   check-run:
@@ -26,7 +32,7 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -41,7 +47,7 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: cx_result.sarif
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
@@ -63,7 +69,7 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:

.github/workflows/test.yml

@@ -30,10 +30,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
 
       - name: Cache Gradle files
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.gradle/caches
@@ -43,7 +43,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -52,12 +52,12 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           bundler-cache: true
 
       - name: Configure JDK
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "temurin"
           java-version: ${{ env._JAVA_VERSION }}
@@ -75,7 +75,7 @@ jobs:
           bundle exec fastlane check
 
       - name: Upload test reports
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: test-reports
@@ -91,7 +91,7 @@ jobs:
 
       - name: Upload to codecov.io
         id: upload-to-codecov
-        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         if: github.event_name == 'push' || github.event_name == 'pull_request'
         continue-on-error: true
         with:

Gemfile.lock

@@ -10,18 +10,18 @@ GEM
     artifactory (3.0.17)
     atomos (0.1.3)
     aws-eventstream (1.3.2)
-    aws-partitions (1.1084.0)
-    aws-sdk-core (3.222.1)
+    aws-partitions (1.1102.0)
+    aws-sdk-core (3.223.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
       base64
       jmespath (~> 1, >= 1.6.1)
       logger
-    aws-sdk-kms (1.99.0)
+    aws-sdk-kms (1.100.0)
       aws-sdk-core (~> 3, >= 3.216.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.183.0)
+    aws-sdk-s3 (1.185.0)
       aws-sdk-core (~> 3, >= 3.216.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
@@ -71,7 +71,7 @@ GEM
     faraday_middleware (1.2.1)
       faraday (~> 1.0)
     fastimage (2.4.0)
-    fastlane (2.227.1)
+    fastlane (2.227.2)
       CFPropertyList (>= 2.3, < 4.0.0)
       addressable (>= 2.8, < 3.0.0)
       artifactory (~> 3.0)
@@ -113,7 +113,7 @@ GEM
       xcodeproj (>= 1.13.0, < 2.0.0)
       xcpretty (~> 0.4.1)
       xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
-    fastlane-plugin-firebase_app_distribution (0.10.0)
+    fastlane-plugin-firebase_app_distribution (0.10.1)
       google-apis-firebaseappdistribution_v1 (~> 0.3.0)
       google-apis-firebaseappdistribution_v1alpha (~> 0.2.0)
     fastlane-sirp (1.0.0)
@@ -165,7 +165,7 @@ GEM
     httpclient (2.9.0)
       mutex_m
     jmespath (1.6.2)
-    json (2.10.2)
+    json (2.11.3)
     jwt (2.10.1)
       base64
     logger (1.7.0)
@@ -180,7 +180,7 @@ GEM
     optparse (0.6.0)
     os (1.1.4)
     plist (3.7.2)
-    public_suffix (6.0.1)
+    public_suffix (6.0.2)
     rake (13.2.1)
     representable (3.2.0)
       declarative (< 0.1.0)
@@ -192,7 +192,7 @@ GEM
     ruby2_keywords (0.0.5)
     rubyzip (2.4.1)
     security (0.1.5)
-    signet (0.19.0)
+    signet (0.20.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)

README.md

@@ -4,6 +4,7 @@
 
 - [Compatibility](#compatibility)
 - [Setup](#setup)
+- [Theme](#theme)
 - [Dependencies](#dependencies)
 
 ## Compatibility
@@ -15,7 +16,6 @@
 
 ## Setup
 
-
 1. Clone the repository:
 
     ```sh
@@ -52,6 +52,25 @@
 
     Please avoid mixing formatting and logical changes in the same commit/PR. When possible, fix any large formatting issues in a separate PR before opening one to make logical changes to the same code. This helps others focus on the meaningful code changes when reviewing the code.
 
+## Theme
+
+### Icons & Illustrations
+
+The app supports light mode, dark mode and dynamic colors. Most icons in the app will display correctly using tinting but multi-tonal icons and illustrations require extra processing in order to be displayed properly with dynamic colors.
+
+All illustrations and multi-tonal icons require the svg paths to be tagged with the `name` attribute in order for each individual path to be tinted the appropriate color. Any untagged path will not be tinted and the resulting image will be incorrect.
+
+The supported tags are as follows:
+
+* outline
+* primary
+* secondary
+* tertiary
+* accent
+* logo
+* navigation
+* navigationActiveAccent
+
 ## Dependencies
 
 ### Application Dependencies

annotation/.gitignore

@@ -0,0 +1 @@
+/build

annotation/build.gradle.kts

@@ -0,0 +1,42 @@
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+
+plugins {
+    alias(libs.plugins.android.library)
+    alias(libs.plugins.kotlin.android)
+}
+
+android {
+    namespace = "com.bitwarden.annotation"
+    compileSdk = libs.versions.compileSdk.get().toInt()
+
+    defaultConfig {
+        minSdk = libs.versions.minSdkBwa.get().toInt()
+
+        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
+        consumerProguardFiles("consumer-rules.pro")
+    }
+
+    buildTypes {
+        release {
+            isMinifyEnabled = false
+            proguardFiles(
+                getDefaultProguardFile("proguard-android-optimize.txt"),
+                "proguard-rules.pro",
+            )
+        }
+    }
+    compileOptions {
+        sourceCompatibility(libs.versions.jvmTarget.get())
+        targetCompatibility(libs.versions.jvmTarget.get())
+    }
+    @Suppress("UnstableApiUsage")
+    testFixtures {
+        enable = true
+    }
+}
+
+kotlin {
+    compilerOptions {
+        jvmTarget.set(JvmTarget.fromTarget(libs.versions.jvmTarget.get()))
+    }
+}

annotation/src/main/kotlin/com/bitwarden/annotation/OmitFromCoverage.kt

@@ -1,4 +1,4 @@
-package com.bitwarden.core.annotation
+package com.bitwarden.annotation
 
 /**
  * Used to omit the annotated class from test coverage reporting. This should be used sparingly and

app/build.gradle.kts

@@ -213,6 +213,7 @@ dependencies {
 
     implementation(files("libs/authenticatorbridge-1.0.0-release.aar"))
 
+    implementation(project(":annotation"))
     implementation(project(":core"))
     implementation(project(":data"))
     implementation(project(":network"))
@@ -275,6 +276,7 @@ dependencies {
     // Pull in test fixtures from other modules
     testImplementation(testFixtures(project(":data")))
     testImplementation(testFixtures(project(":network")))
+    testImplementation(testFixtures(project(":ui")))
 
     testImplementation(libs.androidx.compose.ui.test)
     testImplementation(libs.google.hilt.android.testing)

app/src/fdroid/java/com/x8bit/bitwarden/data/platform/manager/LogsManagerImpl.kt

@@ -1,9 +1,9 @@
 package com.x8bit.bitwarden.data.platform.manager
 
+import com.bitwarden.data.repository.model.Environment
 import com.x8bit.bitwarden.BuildConfig
 import com.x8bit.bitwarden.data.platform.datasource.disk.legacy.LegacyAppCenterMigrator
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
-import com.x8bit.bitwarden.data.platform.repository.model.Environment
 import timber.log.Timber
 
 /**

app/src/main/AndroidManifest.xml

@@ -15,7 +15,7 @@
     <uses-permission android:name="android.permission.CAMERA" />
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
-    <uses-permission android:name="android.permission.READ_USER_DICTIONARY"/>
+    <uses-permission android:name="android.permission.READ_USER_DICTIONARY" />
     <!-- Protect access to AuthenticatorBridgeService using this custom permission.
 
     Note that each build type uses a different value for knownCerts.
@@ -76,16 +76,15 @@
                 <category android:name="android.intent.category.BROWSABLE" />
 
                 <data android:scheme="https" />
-
-                <data android:host="vault.bitwarden.com" />
-                <data android:host="vault.bitwarden.eu" />
+                <data android:host="*.bitwarden.com" />
+                <data android:host="*.bitwarden.eu" />
                 <data android:host="*.bitwarden.pw" />
                 <data android:pathPattern="/redirect-connector.*" />
             </intent-filter>
             <intent-filter>
-                <action android:name="com.x8bit.bitwarden.fido2.ACTION_CREATE_PASSKEY" />
-                <action android:name="com.x8bit.bitwarden.fido2.ACTION_GET_PASSKEY" />
-                <action android:name="com.x8bit.bitwarden.fido2.ACTION_UNLOCK_ACCOUNT" />
+                <action android:name="com.x8bit.bitwarden.credentials.ACTION_CREATE_PASSKEY" />
+                <action android:name="com.x8bit.bitwarden.credentials.ACTION_GET_PASSKEY" />
+                <action android:name="com.x8bit.bitwarden.credentials.ACTION_UNLOCK_ACCOUNT" />
 
                 <category android:name="android.intent.category.DEFAULT" />
             </intent-filter>
@@ -310,6 +309,14 @@
             android:exported="true"
             android:permission="${applicationId}.permission.AUTHENTICATOR_BRIDGE_SERVICE" />
 
+        <!-- Firebase SDK initOrder is 100. We use a higher order to initialize first -->
+        <provider
+            android:name=".data.platform.contentprovider.UncaughtErrorLoggingContentProvider"
+            android:authorities="${applicationId}"
+            android:exported="false"
+            android:grantUriPermissions="false"
+            android:initOrder="101" />
+
     </application>
 
     <queries>

app/src/main/java/com/x8bit/bitwarden/AccessibilityActivity.kt

@@ -2,7 +2,7 @@ package com.x8bit.bitwarden
 
 import android.os.Bundle
 import androidx.appcompat.app.AppCompatActivity
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 
 /**
  * An activity to be launched and then immediately closed so that the OS Shade can be collapsed

app/src/main/java/com/x8bit/bitwarden/AuthCallbackActivity.kt

@@ -4,7 +4,7 @@ import android.content.Intent
 import android.os.Bundle
 import androidx.activity.viewModels
 import androidx.appcompat.app.AppCompatActivity
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import dagger.hilt.android.AndroidEntryPoint
 
 /**

app/src/main/java/com/x8bit/bitwarden/AuthCallbackViewModel.kt

@@ -1,13 +1,13 @@
 package com.x8bit.bitwarden
 
 import android.content.Intent
+import com.bitwarden.ui.platform.base.BaseViewModel
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.util.getCaptchaCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.getDuoCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.getSsoCallbackResult
 import com.x8bit.bitwarden.data.auth.repository.util.getWebAuthResultOrNull
 import com.x8bit.bitwarden.data.auth.util.getYubiKeyResultOrNull
-import com.x8bit.bitwarden.ui.platform.base.BaseViewModel
 import dagger.hilt.android.lifecycle.HiltViewModel
 import javax.inject.Inject
 

app/src/main/java/com/x8bit/bitwarden/AutofillTotpCopyActivity.kt

@@ -4,7 +4,7 @@ import android.os.Bundle
 import androidx.activity.viewModels
 import androidx.appcompat.app.AppCompatActivity
 import androidx.lifecycle.lifecycleScope
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.manager.AutofillCompletionManager
 import dagger.hilt.android.AndroidEntryPoint
 import kotlinx.coroutines.flow.launchIn

app/src/main/java/com/x8bit/bitwarden/AutofillTotpCopyViewModel.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden
 
 import android.content.Intent
 import androidx.lifecycle.viewModelScope
+import com.bitwarden.ui.platform.base.BaseViewModel
 import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.util.getTotpCopyIntentOrNull
@@ -9,7 +10,6 @@ import com.x8bit.bitwarden.data.platform.util.launchWithTimeout
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.util.statusFor
-import com.x8bit.bitwarden.ui.platform.base.BaseViewModel
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.flow.first
 import kotlinx.coroutines.flow.mapNotNull

app/src/main/java/com/x8bit/bitwarden/BitwardenAppComponentFactory.kt

@@ -5,10 +5,10 @@ import android.content.Intent
 import android.os.Build
 import androidx.annotation.Keep
 import androidx.core.app.AppComponentFactory
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.BitwardenAutofillService
 import com.x8bit.bitwarden.data.autofill.accessibility.BitwardenAccessibilityService
-import com.x8bit.bitwarden.data.autofill.fido2.BitwardenFido2ProviderService
+import com.x8bit.bitwarden.data.credentials.BitwardenCredentialProviderService
 import com.x8bit.bitwarden.data.tiles.BitwardenAutofillTileService
 import com.x8bit.bitwarden.data.tiles.BitwardenGeneratorTileService
 import com.x8bit.bitwarden.data.tiles.BitwardenVaultTileService
@@ -30,7 +30,7 @@ class BitwardenAppComponentFactory : AppComponentFactory() {
      * * [BitwardenAccessibilityService]
      * * [BitwardenAutofillService]
      * * [BitwardenAutofillTileService]
-     * * [BitwardenFido2ProviderService]
+     * * [BitwardenCredentialProviderService]
      * * [BitwardenVaultTileService]
      * * [BitwardenGeneratorTileService]
      */
@@ -63,7 +63,7 @@ class BitwardenAppComponentFactory : AppComponentFactory() {
             if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
                 super.instantiateServiceCompat(
                     cl,
-                    BitwardenFido2ProviderService::class.java.name,
+                    BitwardenCredentialProviderService::class.java.name,
                     intent,
                 )
             } else {

app/src/main/java/com/x8bit/bitwarden/BitwardenApplication.kt

@@ -1,13 +1,15 @@
 package com.x8bit.bitwarden
 
 import android.app.Application
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestNotificationManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
 import com.x8bit.bitwarden.data.platform.manager.network.NetworkConfigManager
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkConnectionManager
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManager
 import dagger.hilt.android.HiltAndroidApp
+import timber.log.Timber
 import javax.inject.Inject
 
 /**
@@ -21,6 +23,9 @@ class BitwardenApplication : Application() {
     @Inject
     lateinit var logsManager: LogsManager
 
+    @Inject
+    lateinit var networkConnectionManager: NetworkConnectionManager
+
     @Inject
     lateinit var networkConfigManager: NetworkConfigManager
 
@@ -32,4 +37,9 @@ class BitwardenApplication : Application() {
 
     @Inject
     lateinit var restrictionManager: RestrictionManager
+
+    override fun onLowMemory() {
+        super.onLowMemory()
+        Timber.w("onLowMemory")
+    }
 }

app/src/main/java/com/x8bit/bitwarden/MainActivity.kt

@@ -17,14 +17,15 @@ import androidx.core.os.LocaleListCompat
 import androidx.core.splashscreen.SplashScreen.Companion.installSplashScreen
 import androidx.lifecycle.compose.collectAsStateWithLifecycle
 import androidx.navigation.compose.NavHost
-import androidx.navigation.compose.rememberNavController
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
+import com.bitwarden.ui.platform.base.util.EventsEffect
+import com.bitwarden.ui.platform.theme.BitwardenTheme
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityCompletionManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillActivityManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillCompletionManager
 import com.x8bit.bitwarden.data.platform.manager.util.ObserveScreenDataEffect
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
-import com.x8bit.bitwarden.ui.platform.base.util.EventsEffect
+import com.x8bit.bitwarden.ui.platform.components.util.rememberBitwardenNavController
 import com.x8bit.bitwarden.ui.platform.composition.LocalManagerProvider
 import com.x8bit.bitwarden.ui.platform.feature.debugmenu.debugMenuDestination
 import com.x8bit.bitwarden.ui.platform.feature.debugmenu.manager.DebugMenuLaunchManager
@@ -32,7 +33,6 @@ import com.x8bit.bitwarden.ui.platform.feature.debugmenu.navigateToDebugMenuScre
 import com.x8bit.bitwarden.ui.platform.feature.rootnav.ROOT_ROUTE
 import com.x8bit.bitwarden.ui.platform.feature.rootnav.rootNavDestination
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
-import com.x8bit.bitwarden.ui.platform.theme.BitwardenTheme
 import com.x8bit.bitwarden.ui.platform.util.appLanguage
 import dagger.hilt.android.AndroidEntryPoint
 import javax.inject.Inject
@@ -82,7 +82,7 @@ class MainActivity : AppCompatActivity() {
         AppCompatDelegate.setDefaultNightMode(settingsRepository.appTheme.osValue)
         setContent {
             val state by mainViewModel.stateFlow.collectAsStateWithLifecycle()
-            val navController = rememberNavController()
+            val navController = rememberBitwardenNavController(name = "MainActivity")
             EventsEffect(viewModel = mainViewModel) { event ->
                 when (event) {
                     is MainEvent.CompleteAccessibilityAutofill -> {
@@ -124,7 +124,10 @@ class MainActivity : AppCompatActivity() {
                         }
                     },
                 )
-                BitwardenTheme(theme = state.theme) {
+                BitwardenTheme(
+                    theme = state.theme,
+                    dynamicColor = state.isDynamicColorsEnabled,
+                ) {
                     NavHost(
                         navController = navController,
                         startDestination = ROOT_ROUTE,

app/src/main/java/com/x8bit/bitwarden/MainViewModel.kt

@@ -4,6 +4,8 @@ import android.content.Intent
 import android.os.Parcelable
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.viewModelScope
+import com.bitwarden.ui.platform.base.BaseViewModel
+import com.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
 import com.bitwarden.ui.util.Text
 import com.bitwarden.ui.util.asText
 import com.bitwarden.vault.CipherView
@@ -13,13 +15,13 @@ import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
 import com.x8bit.bitwarden.data.auth.util.getCompleteRegistrationDataIntentOrNull
 import com.x8bit.bitwarden.data.auth.util.getPasswordlessRequestDataIntentOrNull
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilitySelectionManager
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
-import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2AssertionRequestOrNull
-import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2CreateCredentialRequestOrNull
-import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2GetCredentialsRequestOrNull
 import com.x8bit.bitwarden.data.autofill.manager.AutofillSelectionManager
 import com.x8bit.bitwarden.data.autofill.util.getAutofillSaveItemOrNull
 import com.x8bit.bitwarden.data.autofill.util.getAutofillSelectionDataOrNull
+import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
+import com.x8bit.bitwarden.data.credentials.util.getCreateCredentialRequestOrNull
+import com.x8bit.bitwarden.data.credentials.util.getFido2AssertionRequestOrNull
+import com.x8bit.bitwarden.data.credentials.util.getGetCredentialsRequestOrNull
 import com.x8bit.bitwarden.data.platform.manager.AppResumeManager
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.SpecialCircumstanceManager
@@ -33,9 +35,7 @@ import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
 import com.x8bit.bitwarden.data.platform.util.isAddTotpLoginItemFromAuthenticator
 import com.x8bit.bitwarden.data.vault.manager.model.VaultStateEvent
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
-import com.x8bit.bitwarden.ui.platform.base.BaseViewModel
 import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppLanguage
-import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppTheme
 import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import com.x8bit.bitwarden.ui.platform.model.FeatureFlagsState
 import com.x8bit.bitwarden.ui.platform.util.isAccountSecurityShortcut
@@ -72,7 +72,7 @@ class MainViewModel @Inject constructor(
     private val addTotpItemFromAuthenticatorManager: AddTotpItemFromAuthenticatorManager,
     private val specialCircumstanceManager: SpecialCircumstanceManager,
     private val garbageCollectionManager: GarbageCollectionManager,
-    private val fido2CredentialManager: Fido2CredentialManager,
+    private val bitwardenCredentialManager: BitwardenCredentialManager,
     private val intentManager: IntentManager,
     private val settingsRepository: SettingsRepository,
     private val vaultRepository: VaultRepository,
@@ -88,6 +88,7 @@ class MainViewModel @Inject constructor(
         isErrorReportingDialogEnabled = featureFlagManager.getFeatureFlag(
             key = FlagKey.MobileErrorReporting,
         ),
+        isDynamicColorsEnabled = settingsRepository.isDynamicColorsEnabled,
     ),
 ) {
     private var specialCircumstance: SpecialCircumstance?
@@ -138,6 +139,12 @@ class MainViewModel @Inject constructor(
             .onEach(::trySendAction)
             .launchIn(viewModelScope)
 
+        settingsRepository
+            .isDynamicColorsEnabledFlow
+            .map { MainAction.Internal.DynamicColorsUpdate(it) }
+            .onEach(::trySendAction)
+            .launchIn(viewModelScope)
+
         authRepository
             .userStateFlow
             .drop(count = 1)
@@ -209,6 +216,7 @@ class MainViewModel @Inject constructor(
             is MainAction.Internal.ScreenCaptureUpdate -> handleScreenCaptureUpdate(action)
             is MainAction.Internal.ThemeUpdate -> handleAppThemeUpdated(action)
             is MainAction.Internal.VaultUnlockStateChange -> handleVaultUnlockStateChange()
+            is MainAction.Internal.DynamicColorsUpdate -> handleDynamicColorsUpdate(action)
             is MainAction.Internal.OnMobileErrorReportingReceive -> {
                 handleOnMobileErrorReportingReceive(action)
             }
@@ -269,6 +277,10 @@ class MainViewModel @Inject constructor(
         recreateUiAndGarbageCollect()
     }
 
+    private fun handleDynamicColorsUpdate(action: MainAction.Internal.DynamicColorsUpdate) {
+        mutableStateFlow.update { it.copy(isDynamicColorsEnabled = action.isDynamicColorsEnabled) }
+    }
+
     private fun handleFirstIntentReceived(action: MainAction.ReceiveFirstIntent) {
         handleIntent(
             intent = action.intent,
@@ -310,8 +322,8 @@ class MainViewModel @Inject constructor(
         val hasVaultShortcut = intent.isMyVaultShortcut
         val hasAccountSecurityShortcut = intent.isAccountSecurityShortcut
         val completeRegistrationData = intent.getCompleteRegistrationDataIntentOrNull()
-        val fido2CreateCredentialRequest = intent.getFido2CreateCredentialRequestOrNull()
-        val fido2GetCredentialsRequest = intent.getFido2GetCredentialsRequestOrNull()
+        val createCredentialRequest = intent.getCreateCredentialRequestOrNull()
+        val getCredentialsRequest = intent.getGetCredentialsRequestOrNull()
         val fido2AssertCredentialRequest = intent.getFido2AssertionRequestOrNull()
         when {
             passwordlessRequestData != null -> {
@@ -370,35 +382,32 @@ class MainViewModel @Inject constructor(
                     )
             }
 
-            fido2CreateCredentialRequest != null -> {
+            createCredentialRequest != null -> {
                 // Set the user's verification status when a new FIDO 2 request is received to force
                 // explicit verification if the user's vault is unlocked when the request is
                 // received.
-                fido2CreateCredentialRequest.providerRequest
-                    .biometricPromptResult
-                    ?.isSuccessful
-                    ?.let { isVerified -> fido2CredentialManager.isUserVerified = isVerified }
+                bitwardenCredentialManager.isUserVerified =
+                    createCredentialRequest.isUserPreVerified
 
                 specialCircumstanceManager.specialCircumstance =
-                    SpecialCircumstance.Fido2Save(
-                        fido2CreateCredentialRequest = fido2CreateCredentialRequest,
+                    SpecialCircumstance.ProviderCreateCredential(
+                        createCredentialRequest = createCredentialRequest,
                     )
 
                 // Switch accounts if the selected user is not the active user.
                 if (authRepository.activeUserId != null &&
-                    authRepository.activeUserId != fido2CreateCredentialRequest.userId
+                    authRepository.activeUserId != createCredentialRequest.userId
                 ) {
-                    authRepository.switchAccount(fido2CreateCredentialRequest.userId)
+                    authRepository.switchAccount(createCredentialRequest.userId)
                 }
             }
 
             fido2AssertCredentialRequest != null -> {
-                // If device biometric verification was performed as part of single-tap
-                // authentication, set the user's verification state to the device result.
-                // Otherwise, retain the verification state as-is.
-                fido2AssertCredentialRequest.providerRequest.biometricPromptResult
-                    ?.isSuccessful
-                    ?.let { isVerified -> fido2CredentialManager.isUserVerified = isVerified }
+                // Set the user's verification status when a new FIDO 2 request is received to force
+                // explicit verification if the user's vault is unlocked when the request is
+                // received.
+                bitwardenCredentialManager.isUserVerified =
+                    fido2AssertCredentialRequest.isUserPreVerified
 
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.Fido2Assertion(
@@ -406,10 +415,10 @@ class MainViewModel @Inject constructor(
                     )
             }
 
-            fido2GetCredentialsRequest != null -> {
+            getCredentialsRequest != null -> {
                 specialCircumstanceManager.specialCircumstance =
-                    SpecialCircumstance.Fido2GetCredentials(
-                        fido2GetCredentialsRequest = fido2GetCredentialsRequest,
+                    SpecialCircumstance.ProviderGetCredentials(
+                        getCredentialsRequest = getCredentialsRequest,
                     )
             }
 
@@ -485,6 +494,7 @@ class MainViewModel @Inject constructor(
 data class MainState(
     val theme: AppTheme,
     val isScreenCaptureAllowed: Boolean,
+    val isDynamicColorsEnabled: Boolean,
     private val isErrorReportingDialogEnabled: Boolean,
 ) : Parcelable {
     /**
@@ -575,6 +585,13 @@ sealed class MainAction {
          * Indicates a relevant change in the current vault lock state.
          */
         data object VaultUnlockStateChange : Internal()
+
+        /**
+         * Indicates that the dynamic colors state has changed.
+         */
+        data class DynamicColorsUpdate(
+            val isDynamicColorsEnabled: Boolean,
+        ) : Internal()
     }
 }
 

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk
 
 import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.network.provider.AppIdProvider
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
@@ -12,7 +13,7 @@ import java.time.Instant
  * Primary access point for disk information.
  */
 @Suppress("TooManyFunctions")
-interface AuthDiskSource {
+interface AuthDiskSource : AppIdProvider {
 
     /**
      * The currently persisted authenticator sync symmetric key. This key is used for
@@ -20,13 +21,6 @@ interface AuthDiskSource {
      */
     var authenticatorSyncSymmetricKey: ByteArray?
 
-    /**
-     * Retrieves a unique ID for the application that is stored locally. This will generate a new
-     * one if it does not yet exist and it will only be reset for new installs or when clearing
-     * application data.
-     */
-    val uniqueAppId: String
-
     /**
      * The currently persisted saved email address (or `null` if not set).
      */

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountJson.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk.model
 
+import com.bitwarden.data.datasource.disk.model.EnvironmentUrlDataJson
 import com.bitwarden.network.model.KdfTypeJson
 import com.bitwarden.network.model.UserDecryptionOptionsJson
 import kotlinx.serialization.Contextual

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/di/AuthNetworkModule.kt

@@ -1,26 +1,17 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.di
 
+import com.bitwarden.network.BitwardenServiceClient
 import com.bitwarden.network.service.AccountsService
-import com.bitwarden.network.service.AccountsServiceImpl
 import com.bitwarden.network.service.AuthRequestsService
-import com.bitwarden.network.service.AuthRequestsServiceImpl
 import com.bitwarden.network.service.DevicesService
-import com.bitwarden.network.service.DevicesServiceImpl
 import com.bitwarden.network.service.HaveIBeenPwnedService
-import com.bitwarden.network.service.HaveIBeenPwnedServiceImpl
-import com.x8bit.bitwarden.data.auth.datasource.network.service.IdentityService
-import com.x8bit.bitwarden.data.auth.datasource.network.service.IdentityServiceImpl
-import com.x8bit.bitwarden.data.auth.datasource.network.service.NewAuthRequestService
-import com.x8bit.bitwarden.data.auth.datasource.network.service.NewAuthRequestServiceImpl
-import com.x8bit.bitwarden.data.auth.datasource.network.service.OrganizationService
-import com.x8bit.bitwarden.data.auth.datasource.network.service.OrganizationServiceImpl
-import com.x8bit.bitwarden.data.platform.datasource.network.retrofit.Retrofits
+import com.bitwarden.network.service.IdentityService
+import com.bitwarden.network.service.NewAuthRequestService
+import com.bitwarden.network.service.OrganizationService
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
 import dagger.hilt.components.SingletonComponent
-import kotlinx.serialization.json.Json
-import retrofit2.create
 import javax.inject.Singleton
 
 /**
@@ -33,70 +24,42 @@ object AuthNetworkModule {
     @Provides
     @Singleton
     fun providesAccountService(
-        retrofits: Retrofits,
-        json: Json,
-    ): AccountsService = AccountsServiceImpl(
-        unauthenticatedAccountsApi = retrofits.unauthenticatedApiRetrofit.create(),
-        authenticatedAccountsApi = retrofits.authenticatedApiRetrofit.create(),
-        unauthenticatedKeyConnectorApi = retrofits.createStaticRetrofit().create(),
-        authenticatedKeyConnectorApi = retrofits
-            .createStaticRetrofit(isAuthenticated = true)
-            .create(),
-        json = json,
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): AccountsService = bitwardenServiceClient.accountsService
 
     @Provides
     @Singleton
     fun providesAuthRequestsService(
-        retrofits: Retrofits,
-    ): AuthRequestsService = AuthRequestsServiceImpl(
-        authenticatedAuthRequestsApi = retrofits.authenticatedApiRetrofit.create(),
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): AuthRequestsService = bitwardenServiceClient.authRequestsService
 
     @Provides
     @Singleton
     fun providesDevicesService(
-        retrofits: Retrofits,
-    ): DevicesService = DevicesServiceImpl(
-        authenticatedDevicesApi = retrofits.authenticatedApiRetrofit.create(),
-        unauthenticatedDevicesApi = retrofits.unauthenticatedApiRetrofit.create(),
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): DevicesService = bitwardenServiceClient.devicesService
 
     @Provides
     @Singleton
     fun providesIdentityService(
-        retrofits: Retrofits,
-        json: Json,
-    ): IdentityService = IdentityServiceImpl(
-        unauthenticatedIdentityApi = retrofits.unauthenticatedIdentityRetrofit.create(),
-        json = json,
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): IdentityService = bitwardenServiceClient.identityService
 
     @Provides
     @Singleton
     fun providesHaveIBeenPwnedService(
-        retrofits: Retrofits,
-    ): HaveIBeenPwnedService = HaveIBeenPwnedServiceImpl(
-        api = retrofits
-            .createStaticRetrofit(baseUrl = "https://api.pwnedpasswords.com")
-            .create(),
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): HaveIBeenPwnedService = bitwardenServiceClient.haveIBeenPwnedService
 
     @Provides
     @Singleton
     fun providesNewAuthRequestService(
-        retrofits: Retrofits,
-    ): NewAuthRequestService = NewAuthRequestServiceImpl(
-        authenticatedAuthRequestsApi = retrofits.authenticatedApiRetrofit.create(),
-        unauthenticatedAuthRequestsApi = retrofits.unauthenticatedApiRetrofit.create(),
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): NewAuthRequestService = bitwardenServiceClient.newAuthRequestService
 
     @Provides
     @Singleton
     fun providesOrganizationService(
-        retrofits: Retrofits,
-    ): OrganizationService = OrganizationServiceImpl(
-        authenticatedOrganizationApi = retrofits.authenticatedApiRetrofit.create(),
-        unauthenticatedOrganizationApi = retrofits.unauthenticatedApiRetrofit.create(),
-    )
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): OrganizationService = bitwardenServiceClient.organizationService
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/AuthRequestManagerImpl.kt

@@ -6,9 +6,9 @@ import com.bitwarden.core.data.util.asSuccess
 import com.bitwarden.core.data.util.flatMap
 import com.bitwarden.network.model.AuthRequestTypeJson
 import com.bitwarden.network.service.AuthRequestsService
+import com.bitwarden.network.service.NewAuthRequestService
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
-import com.x8bit.bitwarden.data.auth.datasource.network.service.NewAuthRequestService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.manager.model.AuthRequest
 import com.x8bit.bitwarden.data.auth.manager.model.AuthRequestResult

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/AuthRequestNotificationManagerImpl.kt

@@ -7,7 +7,7 @@ import androidx.compose.ui.graphics.Color
 import androidx.core.app.NotificationChannelCompat
 import androidx.core.app.NotificationCompat
 import androidx.core.app.NotificationManagerCompat
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.bitwarden.data.manager.DispatcherManager
 import com.x8bit.bitwarden.R
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/AuthTokenManager.kt

@@ -0,0 +1,8 @@
+package com.x8bit.bitwarden.data.auth.manager
+
+import com.bitwarden.network.interceptor.AuthTokenProvider
+
+/**
+ * A manager class for handling authentication tokens.
+ */
+interface AuthTokenManager : AuthTokenProvider

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/AuthTokenManagerImpl.kt

@@ -0,0 +1,17 @@
+package com.x8bit.bitwarden.data.auth.manager
+
+import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
+
+/**
+ * Default implementation of [AuthTokenManager].
+ */
+class AuthTokenManagerImpl(
+    private val authDiskSource: AuthDiskSource,
+) : AuthTokenManager {
+
+    override fun getActiveAccessTokenOrNull(): String? = authDiskSource
+        .userState
+        ?.activeUserId
+        ?.let { authDiskSource.getAccountTokens(it) }
+        ?.accessToken
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManager.kt

@@ -4,6 +4,7 @@ import com.bitwarden.core.KeyConnectorResponse
 import com.bitwarden.crypto.Kdf
 import com.bitwarden.network.model.KdfTypeJson
 import com.bitwarden.network.model.KeyConnectorMasterKeyResponseJson
+import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
 
 /**
  * Manager used to interface with a key connector.
@@ -28,7 +29,7 @@ interface KeyConnectorManager {
         email: String,
         masterPassword: String,
         kdf: Kdf,
-    ): Result<Unit>
+    ): Result<MigrateExistingUserToKeyConnectorResult>
 
     /**
      * Migrates a new user to use the key connector.

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/KeyConnectorManagerImpl.kt

@@ -8,7 +8,9 @@ import com.bitwarden.network.model.KeyConnectorKeyRequestJson
 import com.bitwarden.network.model.KeyConnectorMasterKeyResponseJson
 import com.bitwarden.network.service.AccountsService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
+import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
+import com.x8bit.bitwarden.data.vault.datasource.sdk.model.DeriveKeyConnectorResult
 
 /**
  * The default implementation of the [KeyConnectorManager].
@@ -34,7 +36,7 @@ class KeyConnectorManagerImpl(
         email: String,
         masterPassword: String,
         kdf: Kdf,
-    ): Result<Unit> =
+    ): Result<MigrateExistingUserToKeyConnectorResult> =
         vaultSdkSource
             .deriveKeyConnector(
                 userId = userId,
@@ -43,10 +45,36 @@ class KeyConnectorManagerImpl(
                 password = masterPassword,
                 kdf = kdf,
             )
-            .flatMap { masterKey ->
-                accountsService.storeMasterKeyToKeyConnector(url = url, masterKey = masterKey)
+            .map { result: DeriveKeyConnectorResult ->
+                when (result) {
+                    is DeriveKeyConnectorResult.Error -> {
+                        MigrateExistingUserToKeyConnectorResult.Error(result.error)
+                    }
+
+                    is DeriveKeyConnectorResult.Success -> {
+                        accountsService
+                            .storeMasterKeyToKeyConnector(
+                                url = url,
+                                masterKey = result.derivedKey,
+                            )
+                            .flatMap {
+                                accountsService.convertToKeyConnector()
+                            }
+                            .fold(
+                                onSuccess = {
+                                    MigrateExistingUserToKeyConnectorResult.Success
+                                },
+                                onFailure = {
+                                    MigrateExistingUserToKeyConnectorResult.Error(it)
+                                },
+                            )
+                    }
+
+                    is DeriveKeyConnectorResult.WrongPasswordError -> {
+                        MigrateExistingUserToKeyConnectorResult.WrongPasswordError
+                    }
+                }
             }
-            .flatMap { accountsService.convertToKeyConnector() }
 
     override suspend fun migrateNewUserToKeyConnector(
         url: String,

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/UserLogoutManagerImpl.kt

@@ -46,7 +46,7 @@ class UserLogoutManagerImpl(
 
     override fun logout(userId: String, reason: LogoutReason) {
         authDiskSource.userState ?: return
-        Timber.i("logout reason=$reason")
+        Timber.d("logout reason=$reason")
         val isExpired = reason == LogoutReason.SecurityStamp
         if (isExpired) {
             showToast(message = R.string.login_expired)
@@ -68,7 +68,7 @@ class UserLogoutManagerImpl(
     }
 
     override fun softLogout(userId: String, reason: LogoutReason) {
-        Timber.i("softLogout reason=$reason")
+        Timber.d("softLogout reason=$reason")
         val isExpired = reason == LogoutReason.SecurityStamp
         if (isExpired) {
             showToast(message = R.string.login_expired)

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/di/AuthManagerModule.kt

@@ -5,8 +5,8 @@ import com.bitwarden.data.manager.DispatcherManager
 import com.bitwarden.network.service.AccountsService
 import com.bitwarden.network.service.AuthRequestsService
 import com.bitwarden.network.service.DevicesService
+import com.bitwarden.network.service.NewAuthRequestService
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.auth.datasource.network.service.NewAuthRequestService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.manager.AddTotpItemFromAuthenticatorManager
 import com.x8bit.bitwarden.data.auth.manager.AddTotpItemFromAuthenticatorManagerImpl
@@ -14,6 +14,8 @@ import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestManagerImpl
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestNotificationManager
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestNotificationManagerImpl
+import com.x8bit.bitwarden.data.auth.manager.AuthTokenManager
+import com.x8bit.bitwarden.data.auth.manager.AuthTokenManagerImpl
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManager
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManagerImpl
 import com.x8bit.bitwarden.data.auth.manager.TrustedDeviceManager
@@ -131,4 +133,10 @@ object AuthManagerModule {
     @Singleton
     fun providesAddTotpItemFromAuthenticatorManager(): AddTotpItemFromAuthenticatorManager =
         AddTotpItemFromAuthenticatorManagerImpl()
+
+    @Provides
+    @Singleton
+    fun providesAuthTokenManager(
+        authDiskSource: AuthDiskSource,
+    ): AuthTokenManager = AuthTokenManagerImpl(authDiskSource = authDiskSource)
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/model/MigrateExistingUserToKeyConnectorResult.kt

@@ -0,0 +1,23 @@
+package com.x8bit.bitwarden.data.auth.manager.model
+
+/**
+ * Models result of migrating existing user to key connector.
+ * */
+sealed class MigrateExistingUserToKeyConnectorResult {
+    /**
+     * Operation succeeded.
+     */
+    data object Success : MigrateExistingUserToKeyConnectorResult()
+
+    /**
+     * There was an error.
+     */
+    data class Error(
+        val error: Throwable,
+    ) : MigrateExistingUserToKeyConnectorResult()
+
+    /**
+     * Incorrect password provided.
+     */
+    data object WrongPasswordError : MigrateExistingUserToKeyConnectorResult()
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt

@@ -2,15 +2,16 @@ package com.x8bit.bitwarden.data.auth.repository
 
 import com.bitwarden.network.model.GetTokenResponseJson
 import com.bitwarden.network.model.SyncResponseJson
+import com.bitwarden.network.model.TwoFactorDataModel
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
-import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorDataModel
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
 import com.x8bit.bitwarden.data.auth.repository.model.DeleteAccountResult
 import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
 import com.x8bit.bitwarden.data.auth.repository.model.KnownDeviceResult
+import com.x8bit.bitwarden.data.auth.repository.model.LeaveOrganizationResult
 import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
 import com.x8bit.bitwarden.data.auth.repository.model.LogoutReason
 import com.x8bit.bitwarden.data.auth.repository.model.NewSsoUserResult
@@ -243,6 +244,16 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         orgIdentifier: String?,
     ): LoginResult
 
+    /**
+     * Continue the previously halted login attempt.
+     */
+    suspend fun continueKeyConnectorLogin(): LoginResult
+
+    /**
+     * Cancel the previously halted login attempt.
+     */
+    fun cancelKeyConnectorLogin()
+
     /**
      * Log out the current user.
      */
@@ -422,4 +433,11 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
      * Update the value of the onboarding status for the user.
      */
     fun setOnboardingStatus(status: OnboardingStatus)
+
+    /**
+     * Leaves the organization that matches the given [organizationId]
+     */
+    suspend fun leaveOrganization(
+        organizationId: String,
+    ): LeaveOrganizationResult
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt

@@ -10,8 +10,11 @@ import com.bitwarden.crypto.HashPurpose
 import com.bitwarden.crypto.Kdf
 import com.bitwarden.data.datasource.disk.ConfigDiskSource
 import com.bitwarden.data.manager.DispatcherManager
+import com.bitwarden.data.repository.util.toEnvironmentUrls
+import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.bitwarden.network.model.DeleteAccountResponseJson
 import com.bitwarden.network.model.GetTokenResponseJson
+import com.bitwarden.network.model.IdentityTokenAuthModel
 import com.bitwarden.network.model.OrganizationType
 import com.bitwarden.network.model.PasswordHintResponseJson
 import com.bitwarden.network.model.PolicyTypeJson
@@ -24,14 +27,19 @@ import com.bitwarden.network.model.ResendEmailRequestJson
 import com.bitwarden.network.model.ResendNewDeviceOtpRequestJson
 import com.bitwarden.network.model.ResetPasswordRequestJson
 import com.bitwarden.network.model.SendVerificationEmailRequestJson
+import com.bitwarden.network.model.SendVerificationEmailResponseJson
 import com.bitwarden.network.model.SetPasswordRequestJson
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.TrustedDeviceUserDecryptionOptionsJson
 import com.bitwarden.network.model.TwoFactorAuthMethod
+import com.bitwarden.network.model.TwoFactorDataModel
 import com.bitwarden.network.model.VerifyEmailTokenRequestJson
+import com.bitwarden.network.model.VerifyEmailTokenResponseJson
 import com.bitwarden.network.service.AccountsService
 import com.bitwarden.network.service.DevicesService
 import com.bitwarden.network.service.HaveIBeenPwnedService
+import com.bitwarden.network.service.IdentityService
+import com.bitwarden.network.service.OrganizationService
 import com.bitwarden.network.util.isSslHandShakeError
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
@@ -40,12 +48,6 @@ import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetRea
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.DeviceDataModel
-import com.x8bit.bitwarden.data.auth.datasource.network.model.IdentityTokenAuthModel
-import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailResponseJson
-import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorDataModel
-import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenResponseJson
-import com.x8bit.bitwarden.data.auth.datasource.network.service.IdentityService
-import com.x8bit.bitwarden.data.auth.datasource.network.service.OrganizationService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toInt
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toKdfTypeJson
@@ -53,11 +55,13 @@ import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManager
 import com.x8bit.bitwarden.data.auth.manager.TrustedDeviceManager
 import com.x8bit.bitwarden.data.auth.manager.UserLogoutManager
+import com.x8bit.bitwarden.data.auth.manager.model.MigrateExistingUserToKeyConnectorResult
 import com.x8bit.bitwarden.data.auth.repository.model.AuthState
 import com.x8bit.bitwarden.data.auth.repository.model.BreachCountResult
 import com.x8bit.bitwarden.data.auth.repository.model.DeleteAccountResult
 import com.x8bit.bitwarden.data.auth.repository.model.EmailTokenResult
 import com.x8bit.bitwarden.data.auth.repository.model.KnownDeviceResult
+import com.x8bit.bitwarden.data.auth.repository.model.LeaveOrganizationResult
 import com.x8bit.bitwarden.data.auth.repository.model.LoginResult
 import com.x8bit.bitwarden.data.auth.repository.model.LogoutReason
 import com.x8bit.bitwarden.data.auth.repository.model.NewSsoUserResult
@@ -114,11 +118,9 @@ import com.x8bit.bitwarden.data.platform.manager.LogsManager
 import com.x8bit.bitwarden.data.platform.manager.PolicyManager
 import com.x8bit.bitwarden.data.platform.manager.PushManager
 import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
-import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.manager.util.getActivePolicies
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
-import com.x8bit.bitwarden.data.platform.repository.util.toEnvironmentUrls
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
@@ -238,6 +240,8 @@ class AuthRepositoryImpl(
      */
     private var passwordsToCheckMap = mutableMapOf<String, String>()
 
+    private var keyConnectorResponse: GetTokenResponseJson.Success? = null
+
     override var twoFactorResponse: GetTokenResponseJson.TwoFactorRequired? = null
 
     override val ssoOrganizationIdentifier: String? get() = organizationIdentifier
@@ -280,6 +284,7 @@ class AuthRepositoryImpl(
         merge(
             mutableHasPendingAccountDeletionStateFlow,
             mutableUserStateTransactionCountStateFlow,
+            vaultRepository.isActiveUserUnlockingFlow,
         ),
     ) { array ->
         val userStateJson = array[0] as UserStateJson?
@@ -303,8 +308,11 @@ class AuthRepositoryImpl(
             firstTimeState = firstTimeState,
         )
     }
-        .filterNot { mutableHasPendingAccountDeletionStateFlow.value }
-        .filterNot { mutableUserStateTransactionCountStateFlow.value > 0 }
+        .filterNot {
+            mutableHasPendingAccountDeletionStateFlow.value ||
+                mutableUserStateTransactionCountStateFlow.value > 0 ||
+                vaultRepository.isActiveUserUnlockingFlow.value
+        }
         .stateIn(
             scope = unconfinedScope,
             started = SharingStarted.Eagerly,
@@ -349,7 +357,7 @@ class AuthRepositoryImpl(
         get() = activeUserId?.let { authDiskSource.getIsTdeLoginComplete(userId = it) }
 
     override var shouldTrustDevice: Boolean
-        get() = activeUserId?.let { authDiskSource.getShouldTrustDevice(userId = it) } ?: false
+        get() = activeUserId?.let { authDiskSource.getShouldTrustDevice(userId = it) } == true
         set(value) {
             activeUserId?.let {
                 authDiskSource.storeShouldTrustDevice(userId = it, shouldTrustDevice = value)
@@ -373,8 +381,7 @@ class AuthRepositoryImpl(
         get() = activeUserId?.let { authDiskSource.getOrganizations(it) }.orEmpty()
 
     override val showWelcomeCarousel: Boolean
-        get() = !settingsRepository.hasUserLoggedInOrCreatedAccount &&
-            featureFlagManager.getFeatureFlag(FlagKey.OnboardingCarousel)
+        get() = !settingsRepository.hasUserLoggedInOrCreatedAccount
 
     init {
         combine(
@@ -399,8 +406,12 @@ class AuthRepositoryImpl(
             .syncOrgKeysFlow
             .onEach {
                 val userId = activeUserId ?: return@onEach
-                refreshAccessTokenSynchronously(userId)
-                vaultRepository.sync()
+                // TODO: [PM-20593] Investigate why tokens are explicitly refreshed.
+                refreshAccessTokenSynchronouslyInternal(
+                    userId = userId,
+                    logOutOnFailure = false,
+                )
+                vaultRepository.sync(forced = true)
             }
             // This requires the ioScope to ensure that refreshAccessTokenSynchronously
             // happens on a background thread
@@ -715,6 +726,25 @@ class AuthRepositoryImpl(
             error = MissingPropertyException("Identity Token Auth Model"),
         )
 
+    override suspend fun continueKeyConnectorLogin(): LoginResult {
+        val response = keyConnectorResponse ?: return LoginResult.Error(
+            errorMessage = null,
+            error = MissingPropertyException("Key Connector Response"),
+        )
+        return handleLoginCommonSuccess(
+            loginResponse = response,
+            email = rememberedEmailAddress.orEmpty(),
+            orgIdentifier = rememberedOrgIdentifier,
+            password = null,
+            deviceData = null,
+            userConfirmedKeyConnector = true,
+        )
+    }
+
+    override fun cancelKeyConnectorLogin() {
+        keyConnectorResponse = null
+    }
+
     override suspend fun login(
         email: String,
         ssoCode: String,
@@ -733,33 +763,11 @@ class AuthRepositoryImpl(
         orgIdentifier = organizationIdentifier,
     )
 
-    override fun refreshAccessTokenSynchronously(userId: String): Result<RefreshTokenResponseJson> {
-        val refreshToken = authDiskSource
-            .getAccountTokens(userId = userId)
-            ?.refreshToken
-            ?: return IllegalStateException("Must be logged in.").asFailure()
-        return identityService
-            .refreshTokenSynchronously(refreshToken)
-            .flatMap { refreshTokenResponse ->
-                // Check to make sure the user is still logged in after making the request
-                authDiskSource
-                    .userState
-                    ?.accounts
-                    ?.get(userId)
-                    ?.let { refreshTokenResponse.asSuccess() }
-                    ?: IllegalStateException("Must be logged in.").asFailure()
-            }
-            .onSuccess { refreshTokenResponse ->
-                // Update the existing UserState with updated token information
-                authDiskSource.storeAccountTokens(
-                    userId = userId,
-                    accountTokens = AccountTokensJson(
-                        accessToken = refreshTokenResponse.accessToken,
-                        refreshToken = refreshTokenResponse.refreshToken,
-                    ),
-                )
-            }
-    }
+    override fun refreshAccessTokenSynchronously(userId: String): Result<RefreshTokenResponseJson> =
+        refreshAccessTokenSynchronouslyInternal(
+            userId = userId,
+            logOutOnFailure = true,
+        )
 
     override fun logout(reason: LogoutReason) {
         activeUserId?.let { userId -> logout(userId = userId, reason = reason) }
@@ -815,14 +823,25 @@ class AuthRepositoryImpl(
     override fun switchAccount(userId: String): SwitchAccountResult {
         val currentUserState = authDiskSource.userState ?: return SwitchAccountResult.NoChange
         val previousActiveUserId = currentUserState.activeUserId
+        val updateEnvironment: () -> Unit = {
+            environmentRepository.environment = currentUserState
+                .activeAccount
+                .settings
+                .environmentUrlData
+                .toEnvironmentUrlsOrDefault()
+        }
 
         if (userId == previousActiveUserId) {
+            // We need to make sure that the environment is set back to the correct spot.
+            updateEnvironment()
             // No switching to do but clear any pending account additions
             hasPendingAccountAddition = false
             return SwitchAccountResult.NoChange
         }
 
         if (userId !in currentUserState.accounts.keys) {
+            // We need to make sure that the environment is set back to the correct spot.
+            updateEnvironment()
             // The requested user is not currently stored
             return SwitchAccountResult.NoChange
         }
@@ -977,17 +996,29 @@ class AuthRepositoryImpl(
                 masterPassword = masterPassword,
                 kdf = profile.toSdkParams(),
             )
-            .onSuccess {
-                authDiskSource.userState = authDiskSource
-                    .userState
-                    ?.toRemovedPasswordUserStateJson(userId = userId)
-                vaultRepository.sync()
-                settingsRepository.setDefaultsIfNecessary(userId = userId)
+            .map { migrateResult: MigrateExistingUserToKeyConnectorResult ->
+                when (migrateResult) {
+                    is MigrateExistingUserToKeyConnectorResult.Error -> {
+                        RemovePasswordResult.Error(error = migrateResult.error)
+                    }
+
+                    MigrateExistingUserToKeyConnectorResult.Success -> {
+                        authDiskSource.userState = authDiskSource
+                            .userState
+                            ?.toRemovedPasswordUserStateJson(userId = userId)
+                        vaultRepository.sync()
+                        settingsRepository.setDefaultsIfNecessary(userId = userId)
+                        RemovePasswordResult.Success
+                    }
+
+                    MigrateExistingUserToKeyConnectorResult.WrongPasswordError -> {
+                        RemovePasswordResult.WrongPasswordError
+                    }
+                }
+            }
+            .getOrElse {
+                RemovePasswordResult.Error(error = it)
             }
-            .fold(
-                onFailure = { RemovePasswordResult.Error(error = it) },
-                onSuccess = { RemovePasswordResult.Success },
-            )
     }
 
     override suspend fun resetPassword(
@@ -1405,6 +1436,48 @@ class AuthRepositoryImpl(
         }
     }
 
+    override suspend fun leaveOrganization(organizationId: String): LeaveOrganizationResult =
+        organizationService.leaveOrganization(organizationId).fold(
+            onSuccess = { LeaveOrganizationResult.Success },
+            onFailure = { LeaveOrganizationResult.Error(error = it) },
+        )
+
+    private fun refreshAccessTokenSynchronouslyInternal(
+        userId: String,
+        logOutOnFailure: Boolean,
+    ): Result<RefreshTokenResponseJson> {
+        val refreshToken = authDiskSource
+            .getAccountTokens(userId = userId)
+            ?.refreshToken
+            ?: return IllegalStateException("Must be logged in.").asFailure()
+        return identityService
+            .refreshTokenSynchronously(refreshToken)
+            .flatMap { refreshTokenResponse ->
+                // Check to make sure the user is still logged in after making the request
+                authDiskSource
+                    .userState
+                    ?.accounts
+                    ?.get(userId)
+                    ?.let { refreshTokenResponse.asSuccess() }
+                    ?: IllegalStateException("Must be logged in.").asFailure()
+            }
+            .onFailure {
+                if (logOutOnFailure) {
+                    logout(userId = userId, reason = LogoutReason.TokenRefreshFail)
+                }
+            }
+            .onSuccess { refreshTokenResponse ->
+                // Update the existing UserState with updated token information
+                authDiskSource.storeAccountTokens(
+                    userId = userId,
+                    accountTokens = AccountTokensJson(
+                        accessToken = refreshTokenResponse.accessToken,
+                        refreshToken = refreshTokenResponse.refreshToken,
+                    ),
+                )
+            }
+    }
+
     @Suppress("CyclomaticComplexMethod")
     private suspend fun validatePasswordAgainstPolicy(
         password: String,
@@ -1552,6 +1625,7 @@ class AuthRepositoryImpl(
      * A helper function to extract the common logic of logging in through
      * any of the available methods.
      */
+    @Suppress("LongMethod", "MaxLineLength")
     private suspend fun loginCommon(
         email: String,
         password: String? = null,
@@ -1603,6 +1677,7 @@ class AuthRepositoryImpl(
                         password = password,
                         deviceData = deviceData,
                         orgIdentifier = orgIdentifier,
+                        userConfirmedKeyConnector = false,
                     )
 
                     is GetTokenResponseJson.Invalid -> {
@@ -1614,6 +1689,10 @@ class AuthRepositoryImpl(
                                     error = loginResponse.errorMessage,
                                 )
 
+                            is GetTokenResponseJson.Invalid.InvalidType.EncryptionKeyMigrationRequired -> {
+                                LoginResult.EncryptionKeyMigrationRequired
+                            }
+
                             is GetTokenResponseJson.Invalid.InvalidType.GenericInvalid -> {
                                 LoginResult.Error(
                                     errorMessage = loginResponse.errorMessage,
@@ -1636,6 +1715,7 @@ class AuthRepositoryImpl(
         password: String?,
         deviceData: DeviceDataModel?,
         orgIdentifier: String?,
+        userConfirmedKeyConnector: Boolean,
     ): LoginResult = userStateTransaction {
         val userStateJson = loginResponse.toUserState(
             previousUserState = authDiskSource.userState,
@@ -1665,6 +1745,21 @@ class AuthRepositoryImpl(
                     deviceData = deviceData,
                 )
             } else if (keyConnectorUrl != null && orgIdentifier != null) {
+                val isNewKeyConnectorUser =
+                    loginResponse.userDecryptionOptions?.hasMasterPassword == false &&
+                        loginResponse.key == null &&
+                        loginResponse.privateKey == null
+                val isNotConfirmed = !userConfirmedKeyConnector
+
+                // If a new KeyConnector user is logging in for the first time,
+                // we should ask him to confirm the domain
+                if (isNewKeyConnectorUser && isNotConfirmed) {
+                    keyConnectorResponse = loginResponse
+                    return LoginResult.ConfirmKeyConnectorDomain(
+                        domain = keyConnectorUrl,
+                    )
+                }
+
                 unlockVaultWithKeyConnectorOnLoginSuccess(
                     profile = profile,
                     keyConnectorUrl = keyConnectorUrl,
@@ -1738,6 +1833,7 @@ class AuthRepositoryImpl(
         resendEmailRequestJson = null
         twoFactorDeviceData = null
         resendNewDeviceOtpRequestJson = null
+        keyConnectorResponse = null
         settingsRepository.setDefaultsIfNecessary(userId = userId)
         settingsRepository.storeUserHasLoggedInValue(userId)
         vaultRepository.syncIfNecessary()

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/di/AuthRepositoryModule.kt

@@ -5,9 +5,9 @@ import com.bitwarden.data.manager.DispatcherManager
 import com.bitwarden.network.service.AccountsService
 import com.bitwarden.network.service.DevicesService
 import com.bitwarden.network.service.HaveIBeenPwnedService
+import com.bitwarden.network.service.IdentityService
+import com.bitwarden.network.service.OrganizationService
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
-import com.x8bit.bitwarden.data.auth.datasource.network.service.IdentityService
-import com.x8bit.bitwarden.data.auth.datasource.network.service.OrganizationService
 import com.x8bit.bitwarden.data.auth.datasource.sdk.AuthSdkSource
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestManager
 import com.x8bit.bitwarden.data.auth.manager.KeyConnectorManager

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/LeaveOrganizationResult.kt

@@ -0,0 +1,18 @@
+package com.x8bit.bitwarden.data.auth.repository.model
+
+/**
+ * Models result of deleting an account.
+ */
+sealed class LeaveOrganizationResult {
+    /**
+     * Leave organization succeeded.
+     */
+    data object Success : LeaveOrganizationResult()
+
+    /**
+     * There was an error leaving the organization.
+     */
+    data class Error(
+        val error: Throwable?,
+    ) : LeaveOrganizationResult()
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/LoginResult.kt

@@ -14,11 +14,23 @@ sealed class LoginResult {
      */
     data class CaptchaRequired(val captchaId: String) : LoginResult()
 
+    /**
+     * Encryption key migration is required.
+     */
+    data object EncryptionKeyMigrationRequired : LoginResult()
+
     /**
      * Two-factor verification is required.
      */
     data object TwoFactorRequired : LoginResult()
 
+    /**
+     * User should confirm KeyConnector domain
+     */
+    data class ConfirmKeyConnectorDomain(
+        val domain: String,
+    ) : LoginResult()
+
     /**
      * There was an error logging in.
      */

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/LogoutReason.kt

@@ -68,4 +68,9 @@ sealed class LogoutReason {
      * unsuccessfully too many times.
      */
     data object TooManyUnlockAttempts : LogoutReason()
+
+    /**
+     * Indicates that the logout is happening because the left the organization.
+     */
+    data object LeftOrganization : LogoutReason()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/Organization.kt

@@ -11,6 +11,7 @@ import com.bitwarden.network.model.OrganizationType
  * own password.
  * @property shouldUseKeyConnector Indicates that the organization uses a key connector.
  * @property role The user's role in the organization.
+ * @property keyConnectorUrl The key connector domain (if applicable).
  */
 data class Organization(
     val id: String,
@@ -18,4 +19,6 @@ data class Organization(
     val shouldManageResetPassword: Boolean,
     val shouldUseKeyConnector: Boolean,
     val role: OrganizationType,
+    val keyConnectorUrl: String?,
+    val userIsClaimedByOrganization: Boolean,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/RegisterResult.kt

@@ -9,7 +9,7 @@ sealed class RegisterResult {
      *
      * @param captchaToken the captcha bypass token to bypass future captcha verifications.
      */
-    data class Success(val captchaToken: String) : RegisterResult()
+    data class Success(val captchaToken: String?) : RegisterResult()
 
     /**
      * Captcha verification is required.

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/RemovePasswordResult.kt

@@ -15,4 +15,9 @@ sealed class RemovePasswordResult {
     data class Error(
         val error: Throwable,
     ) : RemovePasswordResult()
+
+    /**
+     * There was wrong password error removing the password.
+     */
+    data object WrongPasswordError : RemovePasswordResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/UserState.kt

@@ -1,9 +1,8 @@
 package com.x8bit.bitwarden.data.auth.repository.model
 
+import com.bitwarden.data.repository.model.Environment
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
-import com.x8bit.bitwarden.data.auth.repository.model.UserState.Account
 import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
-import com.x8bit.bitwarden.data.platform.repository.model.Environment
 
 /**
  * Represents the overall "user state" of the current active user as well as any users that may be

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/GetTokenResponseExtensions.kt

@@ -1,8 +1,9 @@
 package com.x8bit.bitwarden.data.auth.repository.util
 
+import com.bitwarden.data.datasource.disk.model.EnvironmentUrlDataJson
 import com.bitwarden.network.model.GetTokenResponseJson
+import com.bitwarden.network.util.parseJwtTokenDataOrNull
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
-import com.x8bit.bitwarden.data.auth.datasource.disk.model.EnvironmentUrlDataJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/SyncResponseJsonExtensions.kt

@@ -22,6 +22,8 @@ fun SyncResponseJson.Profile.Organization.toOrganization(): Organization =
         shouldUseKeyConnector = this.shouldUseKeyConnector,
         role = this.type,
         shouldManageResetPassword = this.permissions.shouldManageResetPassword,
+        keyConnectorUrl = this.keyConnectorUrl,
+        userIsClaimedByOrganization = this.userIsClaimedByOrganization,
     )
 
 /**

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt

@@ -1,8 +1,10 @@
 package com.x8bit.bitwarden.data.auth.repository.util
 
+import com.bitwarden.data.repository.util.toEnvironmentUrlsOrDefault
 import com.bitwarden.network.model.OrganizationType
 import com.bitwarden.network.model.SyncResponseJson
 import com.bitwarden.network.model.UserDecryptionOptionsJson
+import com.bitwarden.ui.platform.base.util.toHexColorRepresentation
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.repository.model.UserAccountTokens
@@ -11,10 +13,8 @@ import com.x8bit.bitwarden.data.auth.repository.model.UserOrganizations
 import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.auth.repository.model.VaultUnlockType
 import com.x8bit.bitwarden.data.platform.manager.model.FirstTimeState
-import com.x8bit.bitwarden.data.platform.repository.util.toEnvironmentUrlsOrDefault
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.util.statusFor
-import com.x8bit.bitwarden.ui.platform.base.util.toHexColorRepresentation
 
 /**
  * Updates the given [UserStateJson] with the data to indicate that the password has been removed.

app/src/main/java/com/x8bit/bitwarden/data/auth/util/KdfParamsConstants.kt

@@ -1,6 +1,6 @@
 package com.x8bit.bitwarden.data.auth.util
 
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.bitwarden.crypto.Kdf
 
 /**

app/src/main/java/com/x8bit/bitwarden/data/autofill/BitwardenAutofillService.kt

@@ -8,7 +8,7 @@ import android.service.autofill.FillRequest
 import android.service.autofill.SaveCallback
 import android.service.autofill.SaveRequest
 import androidx.annotation.Keep
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.model.AutofillAppInfo
 import com.x8bit.bitwarden.data.autofill.processor.AutofillProcessor
 import dagger.hilt.android.AndroidEntryPoint

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/BitwardenAccessibilityService.kt

@@ -4,7 +4,7 @@ import android.accessibilityservice.AccessibilityService
 import android.content.Intent
 import android.view.accessibility.AccessibilityEvent
 import androidx.annotation.Keep
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityEnabledManager
 import com.x8bit.bitwarden.data.autofill.accessibility.processor.BitwardenAccessibilityProcessor
 import com.x8bit.bitwarden.data.tiles.BitwardenAutofillTileService

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityNodeInfoManagerImpl.kt

@@ -89,6 +89,6 @@ class AccessibilityNodeInfoManagerImpl : AccessibilityNodeInfoManager {
             ?.let { allNodes.getOrNull(index = allNodes.indexOf(element = it) - 1) }
 
     private fun log(message: String) {
-        Timber.i(message)
+        Timber.d(message)
     }
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/processor/BitwardenAccessibilityProcessorImpl.kt

@@ -15,6 +15,7 @@ import com.x8bit.bitwarden.data.autofill.accessibility.util.isSystemPackage
 import com.x8bit.bitwarden.data.autofill.accessibility.util.shouldSkipPackage
 import com.x8bit.bitwarden.data.autofill.model.AutofillSelectionData
 import com.x8bit.bitwarden.data.autofill.util.createAutofillSelectionIntent
+import timber.log.Timber
 
 /**
  * The default implementation of the [BitwardenAccessibilityProcessor].
@@ -30,27 +31,19 @@ class BitwardenAccessibilityProcessorImpl(
         event: AccessibilityEvent,
         rootAccessibilityNodeInfoProvider: () -> AccessibilityNodeInfo?,
     ) {
+        // Only process the event if the tile was clicked
+        val accessibilityAction = accessibilityAutofillManager.accessibilityAction ?: return
         val eventNode = event.source ?: return
-        // Ignore the event when the phone is inactive
-        if (!powerManager.isInteractive) return
-        // We skip if the system package
-        if (eventNode.isSystemPackage) return
-        // We skip any package that is unsupported
-        if (eventNode.shouldSkipPackage) return
-        // We skip any package that is a launcher
-        if (launcherPackageNameManager.launcherPackages.any { it == eventNode.packageName }) {
+
+        // Prevent clearing the action until we receive a processable event in case unprocessable
+        // events are still being received from the device. This can happen on slower devices or if
+        // screen transitions are still being performed.
+        if (!eventNode.shouldProcessEvent(rootAccessibilityNodeInfoProvider)) {
             return
         }
 
-        // Only process the event if the tile was clicked
-        val accessibilityAction = accessibilityAutofillManager.accessibilityAction ?: return
-        // We only call for the root node once after all other checks
-        // have passed because it is significant performance hit
-        if (rootAccessibilityNodeInfoProvider()?.packageName != event.packageName) return
-
-        // Clear the action since we are now acting on it
+        // Clear the action since we are now acting on a supported node.
         accessibilityAutofillManager.accessibilityAction = null
-
         when (accessibilityAction) {
             is AccessibilityAction.AttemptFill -> {
                 handleAttemptFill(rootNode = eventNode, attemptFill = accessibilityAction)
@@ -60,6 +53,37 @@ class BitwardenAccessibilityProcessorImpl(
         }
     }
 
+    private fun AccessibilityNodeInfo.shouldProcessEvent(
+        rootAccessibilityNodeInfoProvider: () -> AccessibilityNodeInfo?,
+    ): Boolean {
+        // Ignore the event when the phone is inactive.
+        if (!powerManager.isInteractive) return false
+        // We skip if the system package.
+        if (this.isSystemPackage) {
+            Timber.d("Skipping autofill for system package $packageName.")
+            return false
+        }
+        // We skip any package that is explicitly blocked.
+        if (this.shouldSkipPackage) {
+            Timber.d("Skipping autofill on block-listed package $packageName.")
+            return false
+        }
+        // We skip any package that is a launcher.
+        if (launcherPackageNameManager.launcherPackages.any { it == this.packageName }) {
+            Timber.d("Skipping autofill on launcher package $packageName.")
+            return false
+        }
+
+        // We only call for the root node once, after all other checks have passed, because it is a
+        // significant performance hit.
+        if (rootAccessibilityNodeInfoProvider()?.packageName != this.packageName) {
+            Timber.d("Skipping autofill due to package name mismatch.")
+            return false
+        }
+
+        return true
+    }
+
     private fun handleAttemptParseUri(rootNode: AccessibilityNodeInfo) {
         accessibilityParser
             .parseForUriOrPackageName(rootNode = rootNode)

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/util/AccessibilityNodeInfoExtensions.kt

@@ -3,7 +3,7 @@ package com.x8bit.bitwarden.data.autofill.accessibility.util
 import android.view.accessibility.AccessibilityNodeInfo
 import android.widget.EditText
 import androidx.core.os.bundleOf
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.accessibility.model.KnownUsernameField
 
 private const val PACKAGE_NAME_BITWARDEN_PREFIX: String = "com.x8bit.bitwarden"

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/util/UriExtensions.kt

@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.autofill.accessibility.util
 
 import android.net.Uri
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import java.net.URISyntaxException
 
 /**

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/api/DigitalAssetLinkApi.kt

@@ -1,20 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.api
-
-import com.bitwarden.network.model.NetworkResult
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
-import retrofit2.http.GET
-import retrofit2.http.Url
-
-/**
- * Defines calls to an RP digital asset link file.
- */
-interface DigitalAssetLinkApi {
-
-    /**
-     * Attempts to download the asset links file from the RP.
-     */
-    @GET
-    suspend fun getDigitalAssetLinks(
-        @Url url: String,
-    ): NetworkResult<List<DigitalAssetLinkResponseJson>>
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/di/Fido2NetworkModule.kt

@@ -1,30 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.di
-
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkServiceImpl
-import com.x8bit.bitwarden.data.platform.datasource.network.retrofit.Retrofits
-import dagger.Module
-import dagger.Provides
-import dagger.hilt.InstallIn
-import dagger.hilt.components.SingletonComponent
-import retrofit2.create
-import javax.inject.Singleton
-
-/**
- * Provides network dependencies in the fido2 package.
- */
-@Module
-@InstallIn(SingletonComponent::class)
-object Fido2NetworkModule {
-
-    @Provides
-    @Singleton
-    fun provideDigitalAssetLinkService(
-        retrofits: Retrofits,
-    ): DigitalAssetLinkService =
-        DigitalAssetLinkServiceImpl(
-            digitalAssetLinkApi = retrofits
-                .createStaticRetrofit()
-                .create(),
-        )
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/model/DigitalAssetLinkResponseJson.kt

@@ -1,32 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model
-
-import kotlinx.serialization.SerialName
-import kotlinx.serialization.Serializable
-
-/**
- * Models a response from an RP digital asset link request.
- */
-@Serializable
-data class DigitalAssetLinkResponseJson(
-    @SerialName("relation")
-    val relation: List<String>,
-
-    @SerialName("target")
-    val target: Target,
-) {
-
-    /**
-     * Represents targets for an asset link statement.
-     */
-    @Serializable
-    data class Target(
-        @SerialName("namespace")
-        val namespace: String,
-
-        @SerialName("package_name")
-        val packageName: String?,
-
-        @SerialName("sha256_cert_fingerprints")
-        val sha256CertFingerprints: List<String>?,
-    )
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/service/DigitalAssetLinkService.kt

@@ -1,17 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service
-
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
-
-/**
- * Provides an API for querying digital asset links.
- */
-interface DigitalAssetLinkService {
-
-    /**
-     * Attempt to retrieve the asset links file from the provided [relyingParty].
-     */
-    suspend fun getDigitalAssetLinkForRp(
-        scheme: String = "https://",
-        relyingParty: String,
-    ): Result<List<DigitalAssetLinkResponseJson>>
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/service/DigitalAssetLinkServiceImpl.kt

@@ -1,23 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service
-
-import com.bitwarden.network.util.toResult
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.api.DigitalAssetLinkApi
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
-
-/**
- * Primary implementation of [DigitalAssetLinkService].
- */
-class DigitalAssetLinkServiceImpl(
-    private val digitalAssetLinkApi: DigitalAssetLinkApi,
-) : DigitalAssetLinkService {
-
-    override suspend fun getDigitalAssetLinkForRp(
-        scheme: String,
-        relyingParty: String,
-    ): Result<List<DigitalAssetLinkResponseJson>> =
-        digitalAssetLinkApi
-            .getDigitalAssetLinks(
-                url = "$scheme$relyingParty/.well-known/assetlinks.json",
-            )
-            .toResult()
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2OriginManagerImpl.kt

@@ -1,155 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.fido2.manager
-
-import androidx.credentials.provider.CallingAppInfo
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
-import com.x8bit.bitwarden.data.platform.manager.AssetManager
-import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
-import com.x8bit.bitwarden.data.platform.util.validatePrivilegedApp
-import timber.log.Timber
-
-private const val GOOGLE_ALLOW_LIST_FILE_NAME = "fido2_privileged_google.json"
-private const val COMMUNITY_ALLOW_LIST_FILE_NAME = "fido2_privileged_community.json"
-
-/**
- * Primary implementation of [Fido2OriginManager].
- */
-@Suppress("TooManyFunctions")
-class Fido2OriginManagerImpl(
-    private val assetManager: AssetManager,
-    private val digitalAssetLinkService: DigitalAssetLinkService,
-) : Fido2OriginManager {
-
-    override suspend fun validateOrigin(
-        callingAppInfo: CallingAppInfo,
-        relyingPartyId: String,
-    ): Fido2ValidateOriginResult {
-        return if (callingAppInfo.isOriginPopulated()) {
-            validatePrivilegedAppOrigin(callingAppInfo)
-        } else {
-            validateCallingApplicationAssetLinks(callingAppInfo, relyingPartyId)
-        }
-    }
-
-    private suspend fun validateCallingApplicationAssetLinks(
-        callingAppInfo: CallingAppInfo,
-        relyingPartyId: String,
-    ): Fido2ValidateOriginResult = digitalAssetLinkService
-        .getDigitalAssetLinkForRp(relyingParty = relyingPartyId)
-        .onFailure {
-            return Fido2ValidateOriginResult.Error.AssetLinkNotFound
-        }
-        .mapCatching { statements ->
-            statements
-                .filterMatchingAppStatementsOrNull(
-                    rpPackageName = callingAppInfo.packageName,
-                )
-                ?: return Fido2ValidateOriginResult.Error.ApplicationNotFound
-        }
-        .mapCatching { matchingStatements ->
-            callingAppInfo
-                .getSignatureFingerprintAsHexString()
-                ?.let { certificateFingerprint ->
-                    matchingStatements
-                        .filterMatchingAppSignaturesOrNull(
-                            signature = certificateFingerprint,
-                        )
-                }
-                ?: return Fido2ValidateOriginResult.Error.ApplicationFingerprintNotVerified
-        }
-        .fold(
-            onSuccess = {
-                Fido2ValidateOriginResult.Success(null)
-            },
-            onFailure = {
-                Fido2ValidateOriginResult.Error.Unknown
-            },
-        )
-
-    private suspend fun validatePrivilegedAppOrigin(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult {
-        val googleAllowListResult =
-            validatePrivilegedAppSignatureWithGoogleList(callingAppInfo)
-        return when (googleAllowListResult) {
-            is Fido2ValidateOriginResult.Success -> {
-                // Application was found and successfully validated against the Google allow list so
-                // we can return the result as the final validation result.
-                googleAllowListResult
-            }
-
-            is Fido2ValidateOriginResult.Error -> {
-                // Check the community allow list if the Google allow list failed, and return the
-                // result as the final validation result.
-                validatePrivilegedAppSignatureWithCommunityList(callingAppInfo)
-            }
-        }
-    }
-
-    private suspend fun validatePrivilegedAppSignatureWithGoogleList(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult =
-        validatePrivilegedAppSignatureWithAllowList(
-            callingAppInfo = callingAppInfo,
-            fileName = GOOGLE_ALLOW_LIST_FILE_NAME,
-        )
-
-    private suspend fun validatePrivilegedAppSignatureWithCommunityList(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult =
-        validatePrivilegedAppSignatureWithAllowList(
-            callingAppInfo = callingAppInfo,
-            fileName = COMMUNITY_ALLOW_LIST_FILE_NAME,
-        )
-
-    private suspend fun validatePrivilegedAppSignatureWithAllowList(
-        callingAppInfo: CallingAppInfo,
-        fileName: String,
-    ): Fido2ValidateOriginResult =
-        assetManager
-            .readAsset(fileName)
-            .mapCatching { allowList ->
-                callingAppInfo.validatePrivilegedApp(
-                    allowList = allowList,
-                )
-            }
-            .fold(
-                onSuccess = { it },
-                onFailure = {
-                    Timber.e(it, "Failed to validate privileged app: ${callingAppInfo.packageName}")
-                    Fido2ValidateOriginResult.Error.Unknown
-                },
-            )
-
-    /**
-     * Returns statements targeting the calling Android application, or null.
-     */
-    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppStatementsOrNull(
-        rpPackageName: String,
-    ): List<DigitalAssetLinkResponseJson>? =
-        filter { statement ->
-            val target = statement.target
-            target.namespace == "android_app" &&
-                target.packageName == rpPackageName &&
-                statement.relation.containsAll(
-                    listOf(
-                        "delegate_permission/common.handle_all_urls",
-                    ),
-                )
-        }
-            .takeUnless { it.isEmpty() }
-
-    /**
-     * Returns statements that match the given [signature], or null.
-     */
-    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppSignaturesOrNull(
-        signature: String,
-    ): List<DigitalAssetLinkResponseJson>? =
-        filter { statement ->
-            statement.target.sha256CertFingerprints
-                ?.contains(signature)
-                ?: false
-        }
-            .takeUnless { it.isEmpty() }
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/manager/chrome/ChromeThirdPartyAutofillManagerImpl.kt

@@ -3,7 +3,7 @@ package com.x8bit.bitwarden.data.autofill.manager.chrome
 import android.content.ContentResolver
 import android.content.Context
 import android.net.Uri
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.model.chrome.ChromeReleaseChannel
 import com.x8bit.bitwarden.data.autofill.model.chrome.ChromeThirdPartyAutoFillData
 

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/ActivityExtensions.kt

@@ -4,7 +4,7 @@ package com.x8bit.bitwarden.data.autofill.util
 
 import android.app.Activity
 import android.os.Build
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.autofill.model.AutofillAppInfo
 
 /**

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/AutofillIntentUtils.kt

@@ -11,7 +11,7 @@ import android.content.IntentSender
 import android.service.autofill.Dataset
 import android.view.autofill.AutofillManager
 import androidx.core.os.bundleOf
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.AutofillTotpCopyActivity
 import com.x8bit.bitwarden.MainActivity
 import com.x8bit.bitwarden.data.autofill.model.AutofillAppInfo

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/HtmlInfoExtensions.kt

@@ -1,7 +1,7 @@
 package com.x8bit.bitwarden.data.autofill.util
 
 import android.view.ViewStructure.HtmlInfo
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 
 /**
  * Whether this [HtmlInfo] represents a password field.

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/IntExtensions.kt

@@ -3,7 +3,7 @@ package com.x8bit.bitwarden.data.autofill.util
 import android.app.PendingIntent
 import android.os.Build
 import android.text.InputType
-import com.bitwarden.core.annotation.OmitFromCoverage
+import com.bitwarden.annotation.OmitFromCoverage
 
 /**
  * Whether this [Int] is a password [InputType].

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/ViewNodeExtensions.kt

@@ -3,8 +3,8 @@ package com.x8bit.bitwarden.data.autofill.util
 import android.app.assist.AssistStructure
 import android.view.View
 import android.widget.EditText
+import com.bitwarden.ui.platform.base.util.orNullIfBlank
 import com.x8bit.bitwarden.data.autofill.model.AutofillView
-import com.x8bit.bitwarden.ui.platform.base.util.orNullIfBlank
 
 /**
  * The default web URI scheme.

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/ViewNodeTraversalDataExtensions.kt

@@ -1,8 +1,8 @@
 package com.x8bit.bitwarden.data.autofill.util
 
 import android.app.assist.AssistStructure
+import com.bitwarden.ui.platform.base.util.orNullIfBlank
 import com.x8bit.bitwarden.data.autofill.model.ViewNodeTraversalData
-import com.x8bit.bitwarden.ui.platform.base.util.orNullIfBlank
 
 /**
  * The android app URI scheme. Example: androidapp://com.x8bit.bitwarden

app/src/main/java/com/x8bit/bitwarden/data/credentials/BitwardenCredentialProviderService.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2
+package com.x8bit.bitwarden.data.credentials
 
 import android.os.Build
 import android.os.CancellationSignal
@@ -14,27 +14,27 @@ import androidx.credentials.provider.BeginGetCredentialRequest
 import androidx.credentials.provider.BeginGetCredentialResponse
 import androidx.credentials.provider.CredentialProviderService
 import androidx.credentials.provider.ProviderClearCredentialStateRequest
-import com.bitwarden.core.annotation.OmitFromCoverage
-import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessor
+import com.bitwarden.annotation.OmitFromCoverage
+import com.x8bit.bitwarden.data.credentials.processor.CredentialProviderProcessor
 import dagger.hilt.android.AndroidEntryPoint
 import javax.inject.Inject
 
 /**
- * The [CredentialProviderService] for the app. This fulfills FIDO2 credential requests from other
+ * The [CredentialProviderService] for the app. This fulfills credential requests from other
  * applications.
  */
 @OmitFromCoverage
 @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
 @Keep
 @AndroidEntryPoint
-class BitwardenFido2ProviderService : CredentialProviderService() {
+class BitwardenCredentialProviderService : CredentialProviderService() {
 
     /**
      * A processor to handle the FIDO2 credential fulfillment. We keep the service light because it
      * isn't easily testable.
      */
     @Inject
-    lateinit var processor: Fido2ProviderProcessor
+    lateinit var processor: CredentialProviderProcessor
 
     override fun onBeginCreateCredentialRequest(
         request: BeginCreateCredentialRequest,

app/src/main/java/com/x8bit/bitwarden/data/credentials/builder/CredentialEntryBuilder.kt

@@ -0,0 +1,21 @@
+package com.x8bit.bitwarden.data.credentials.builder
+
+import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
+import androidx.credentials.provider.PublicKeyCredentialEntry
+import com.bitwarden.fido.Fido2CredentialAutofillView
+
+/**
+ * Builder for credential entries.
+ */
+interface CredentialEntryBuilder {
+
+    /**
+     * Build public key credential entries from the given cipher views and options.
+     */
+    fun buildPublicKeyCredentialEntries(
+        userId: String,
+        fido2CredentialAutofillViews: List<Fido2CredentialAutofillView>,
+        beginGetPublicKeyCredentialOptions: List<BeginGetPublicKeyCredentialOption>,
+        isUserVerified: Boolean,
+    ): List<PublicKeyCredentialEntry>
+}

app/src/main/java/com/x8bit/bitwarden/data/credentials/builder/CredentialEntryBuilderImpl.kt

@@ -0,0 +1,96 @@
+package com.x8bit.bitwarden.data.credentials.builder
+
+import android.content.Context
+import android.graphics.drawable.Icon
+import androidx.core.graphics.drawable.IconCompat
+import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
+import androidx.credentials.provider.PublicKeyCredentialEntry
+import com.bitwarden.fido.Fido2CredentialAutofillView
+import com.x8bit.bitwarden.R
+import com.x8bit.bitwarden.data.credentials.processor.GET_PASSKEY_INTENT
+import com.x8bit.bitwarden.data.credentials.util.setBiometricPromptDataIfSupported
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
+import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
+import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
+import kotlin.random.Random
+
+/**
+ * Primary implementation of [CredentialEntryBuilder].
+ */
+class CredentialEntryBuilderImpl(
+    private val context: Context,
+    private val intentManager: IntentManager,
+    private val featureFlagManager: FeatureFlagManager,
+    private val biometricsEncryptionManager: BiometricsEncryptionManager,
+) : CredentialEntryBuilder {
+
+    override fun buildPublicKeyCredentialEntries(
+        userId: String,
+        fido2CredentialAutofillViews: List<Fido2CredentialAutofillView>,
+        beginGetPublicKeyCredentialOptions: List<BeginGetPublicKeyCredentialOption>,
+        isUserVerified: Boolean,
+    ): List<PublicKeyCredentialEntry> = beginGetPublicKeyCredentialOptions
+        .flatMap { option ->
+            fido2CredentialAutofillViews
+                .toPublicKeyCredentialEntryList(
+                    userId = userId,
+                    option = option,
+                    isUserVerified = isUserVerified,
+                )
+        }
+
+    private fun List<Fido2CredentialAutofillView>.toPublicKeyCredentialEntryList(
+        userId: String,
+        option: BeginGetPublicKeyCredentialOption,
+        isUserVerified: Boolean,
+    ): List<PublicKeyCredentialEntry> = this
+        .map { fido2AutofillView ->
+            PublicKeyCredentialEntry
+                .Builder(
+                    context = context,
+                    username = fido2AutofillView.userNameForUi
+                        ?: context.getString(R.string.no_username),
+                    pendingIntent = intentManager
+                        .createFido2GetCredentialPendingIntent(
+                            action = GET_PASSKEY_INTENT,
+                            userId = userId,
+                            credentialId = fido2AutofillView.credentialId.toString(),
+                            cipherId = fido2AutofillView.cipherId,
+                            isUserVerified = isUserVerified,
+                            requestCode = Random.nextInt(),
+                        ),
+                    beginGetPublicKeyCredentialOption = option,
+                )
+                .setIcon(
+                    getCredentialEntryIcon(
+                        isPasskey = true,
+                    ),
+                )
+                .also { builder ->
+                    if (!isUserVerified) {
+                        builder.setBiometricPromptDataIfSupported(
+                            cipher = biometricsEncryptionManager
+                                .getOrCreateCipher(userId),
+                            isSingleTapAuthEnabled = featureFlagManager
+                                .getFeatureFlag(FlagKey.SingleTapPasskeyAuthentication),
+                        )
+                    }
+                }
+                .build()
+        }
+
+    // TODO: [PM-20176] Enable web icons in credential entries
+    // Leave web icons disabled until CredentialManager TransactionTooLargeExceptions
+    // are addressed. See https://issuetracker.google.com/issues/355141766 for details.
+    private fun getCredentialEntryIcon(isPasskey: Boolean): Icon = IconCompat
+        .createWithResource(
+            context,
+            if (isPasskey) {
+                R.drawable.ic_bw_passkey
+            } else {
+                R.drawable.ic_globe
+            },
+        )
+        .toIcon(context)
+}

app/src/main/java/com/x8bit/bitwarden/data/credentials/datasource/network/di/CredentialProviderNetworkModule.kt

@@ -0,0 +1,24 @@
+package com.x8bit.bitwarden.data.credentials.datasource.network.di
+
+import com.bitwarden.network.BitwardenServiceClient
+import com.bitwarden.network.service.DigitalAssetLinkService
+import dagger.Module
+import dagger.Provides
+import dagger.hilt.InstallIn
+import dagger.hilt.components.SingletonComponent
+import javax.inject.Singleton
+
+/**
+ * Provides network dependencies in the fido2 package.
+ */
+@Module
+@InstallIn(SingletonComponent::class)
+object CredentialProviderNetworkModule {
+
+    @Provides
+    @Singleton
+    fun provideDigitalAssetLinkService(
+        bitwardenServiceClient: BitwardenServiceClient,
+    ): DigitalAssetLinkService =
+        bitwardenServiceClient.digitalAssetLinkService
+}

app/src/main/java/com/x8bit/bitwarden/data/credentials/di/CredentialProviderModule.kt

@@ -1,18 +1,20 @@
-package com.x8bit.bitwarden.data.autofill.fido2.di
+package com.x8bit.bitwarden.data.credentials.di
 
 import android.content.Context
 import android.os.Build
 import androidx.annotation.RequiresApi
 import com.bitwarden.data.manager.DispatcherManager
+import com.bitwarden.network.service.DigitalAssetLinkService
 import com.bitwarden.sdk.Fido2CredentialStore
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManagerImpl
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2OriginManager
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2OriginManagerImpl
-import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessor
-import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessorImpl
+import com.x8bit.bitwarden.data.credentials.builder.CredentialEntryBuilder
+import com.x8bit.bitwarden.data.credentials.builder.CredentialEntryBuilderImpl
+import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
+import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManagerImpl
+import com.x8bit.bitwarden.data.credentials.manager.OriginManager
+import com.x8bit.bitwarden.data.credentials.manager.OriginManagerImpl
+import com.x8bit.bitwarden.data.credentials.processor.CredentialProviderProcessor
+import com.x8bit.bitwarden.data.credentials.processor.CredentialProviderProcessorImpl
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
@@ -33,7 +35,7 @@ import javax.inject.Singleton
  */
 @Module
 @InstallIn(SingletonComponent::class)
-object Fido2ProviderModule {
+object CredentialProviderModule {
 
     @RequiresApi(Build.VERSION_CODES.S)
     @Provides
@@ -41,21 +43,17 @@ object Fido2ProviderModule {
     fun provideCredentialProviderProcessor(
         @ApplicationContext context: Context,
         authRepository: AuthRepository,
-        vaultRepository: VaultRepository,
-        fido2CredentialStore: Fido2CredentialStore,
-        fido2CredentialManager: Fido2CredentialManager,
+        bitwardenCredentialManager: BitwardenCredentialManager,
         dispatcherManager: DispatcherManager,
         intentManager: IntentManager,
         biometricsEncryptionManager: BiometricsEncryptionManager,
         featureFlagManager: FeatureFlagManager,
         clock: Clock,
-    ): Fido2ProviderProcessor =
-        Fido2ProviderProcessorImpl(
+    ): CredentialProviderProcessor =
+        CredentialProviderProcessorImpl(
             context,
             authRepository,
-            vaultRepository,
-            fido2CredentialStore,
-            fido2CredentialManager,
+            bitwardenCredentialManager,
             intentManager,
             clock,
             biometricsEncryptionManager,
@@ -65,25 +63,45 @@ object Fido2ProviderModule {
 
     @Provides
     @Singleton
-    fun provideFido2CredentialManager(
+    fun provideBitwardenCredentialManager(
         vaultSdkSource: VaultSdkSource,
         fido2CredentialStore: Fido2CredentialStore,
         json: Json,
-    ): Fido2CredentialManager =
-        Fido2CredentialManagerImpl(
+        vaultRepository: VaultRepository,
+        dispatcherManager: DispatcherManager,
+        credentialEntryBuilder: CredentialEntryBuilder,
+    ): BitwardenCredentialManager =
+        BitwardenCredentialManagerImpl(
             vaultSdkSource = vaultSdkSource,
             fido2CredentialStore = fido2CredentialStore,
             json = json,
+            vaultRepository = vaultRepository,
+            dispatcherManager = dispatcherManager,
+            credentialEntryBuilder = credentialEntryBuilder,
         )
 
     @Provides
     @Singleton
-    fun provideFido2OriginManager(
+    fun provideOriginManager(
         assetManager: AssetManager,
         digitalAssetLinkService: DigitalAssetLinkService,
-    ): Fido2OriginManager =
-        Fido2OriginManagerImpl(
+    ): OriginManager =
+        OriginManagerImpl(
             assetManager = assetManager,
             digitalAssetLinkService = digitalAssetLinkService,
         )
+
+    @Provides
+    @Singleton
+    fun provideCredentialEntryBuilder(
+        @ApplicationContext context: Context,
+        intentManager: IntentManager,
+        featureFlagManager: FeatureFlagManager,
+        biometricsEncryptionManager: BiometricsEncryptionManager,
+    ): CredentialEntryBuilder = CredentialEntryBuilderImpl(
+        context = context,
+        intentManager = intentManager,
+        featureFlagManager = featureFlagManager,
+        biometricsEncryptionManager = biometricsEncryptionManager,
+    )
 }

app/src/main/java/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManager.kt

@@ -1,20 +1,21 @@
-package com.x8bit.bitwarden.data.autofill.fido2.manager
+package com.x8bit.bitwarden.data.credentials.manager
 
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
 import androidx.credentials.provider.CallingAppInfo
+import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderGetCredentialRequest
 import com.bitwarden.vault.CipherView
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2RegisterCredentialResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAssertionOptions
-import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAttestationOptions
-import com.x8bit.bitwarden.data.autofill.fido2.model.UserVerificationRequirement
+import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionResult
+import com.x8bit.bitwarden.data.credentials.model.Fido2RegisterCredentialResult
+import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
+import com.x8bit.bitwarden.data.credentials.model.PasskeyAttestationOptions
+import com.x8bit.bitwarden.data.credentials.model.UserVerificationRequirement
 
 /**
- * Responsible for managing FIDO 2 credential registration and authentication.
+ * Responsible for managing credential registration and authentication requests from other apps.
  */
-interface Fido2CredentialManager {
+interface BitwardenCredentialManager {
     /**
      * Returns true when the user has performed an explicit verification action. E.g., biometric
      * verification, device credential verification, or vault unlock.
@@ -34,13 +35,6 @@ interface Fido2CredentialManager {
         requestJson: String,
     ): PasskeyAttestationOptions?
 
-    /**
-     * Attempt to extract FIDO 2 passkey assertion options from the system [requestJson], or null.
-     */
-    fun getPasskeyAssertionOptionsOrNull(
-        requestJson: String,
-    ): PasskeyAssertionOptions?
-
     /**
      * Register a new FIDO 2 credential to a users vault.
      */
@@ -94,4 +88,12 @@ interface Fido2CredentialManager {
         request: CreatePublicKeyCredentialRequest,
         fallbackRequirement: UserVerificationRequirement = UserVerificationRequirement.REQUIRED,
     ): UserVerificationRequirement
+
+    /**
+     * Retrieve a list of [CredentialEntry] objects representing vault items matching the given
+     * [getCredentialsRequest].
+     */
+    suspend fun getCredentialEntries(
+        getCredentialsRequest: GetCredentialsRequest,
+    ): Result<List<CredentialEntry>>
 }

app/src/main/java/com/x8bit/bitwarden/data/credentials/manager/BitwardenCredentialManagerImpl.kt

@@ -1,19 +1,32 @@
-package com.x8bit.bitwarden.data.autofill.fido2.manager
+package com.x8bit.bitwarden.data.credentials.manager
 
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
+import androidx.credentials.exceptions.GetCredentialUnknownException
+import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import androidx.credentials.provider.CallingAppInfo
+import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderGetCredentialRequest
+import com.bitwarden.core.data.repository.model.DataState
+import com.bitwarden.core.data.repository.util.takeUntilLoaded
+import com.bitwarden.core.data.util.asFailure
+import com.bitwarden.core.data.util.asSuccess
+import com.bitwarden.core.data.util.decodeFromStringOrNull
+import com.bitwarden.data.manager.DispatcherManager
 import com.bitwarden.fido.ClientData
 import com.bitwarden.fido.Origin
 import com.bitwarden.fido.UnverifiedAssetLink
 import com.bitwarden.sdk.Fido2CredentialStore
+import com.bitwarden.ui.platform.base.util.prefixHttpsIfNecessaryOrNull
 import com.bitwarden.vault.CipherView
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2RegisterCredentialResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAssertionOptions
-import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAttestationOptions
-import com.x8bit.bitwarden.data.autofill.fido2.model.UserVerificationRequirement
+import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
+import com.x8bit.bitwarden.data.credentials.builder.CredentialEntryBuilder
+import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionResult
+import com.x8bit.bitwarden.data.credentials.model.Fido2RegisterCredentialResult
+import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
+import com.x8bit.bitwarden.data.credentials.model.PasskeyAssertionOptions
+import com.x8bit.bitwarden.data.credentials.model.PasskeyAttestationOptions
+import com.x8bit.bitwarden.data.credentials.model.UserVerificationRequirement
 import com.x8bit.bitwarden.data.platform.util.getAppOrigin
 import com.x8bit.bitwarden.data.platform.util.getAppSigningSignatureFingerprint
 import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
@@ -22,22 +35,30 @@ import com.x8bit.bitwarden.data.vault.datasource.sdk.model.AuthenticateFido2Cred
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.RegisterFido2CredentialRequest
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidAttestationResponse
 import com.x8bit.bitwarden.data.vault.datasource.sdk.util.toAndroidFido2PublicKeyCredential
-import com.x8bit.bitwarden.ui.platform.base.util.prefixHttpsIfNecessaryOrNull
-import kotlinx.serialization.SerializationException
+import com.x8bit.bitwarden.data.vault.repository.VaultRepository
+import com.x8bit.bitwarden.data.vault.repository.model.DecryptFido2CredentialAutofillViewResult
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.flow.fold
+import kotlinx.coroutines.withContext
 import kotlinx.serialization.json.Json
 import timber.log.Timber
 
 /**
- * Primary implementation of [Fido2CredentialManager].
+ * Primary implementation of [BitwardenCredentialManager].
  */
-@Suppress("TooManyFunctions")
-class Fido2CredentialManagerImpl(
+@Suppress("TooManyFunctions", "LongParameterList")
+class BitwardenCredentialManagerImpl(
     private val vaultSdkSource: VaultSdkSource,
     private val fido2CredentialStore: Fido2CredentialStore,
+    private val credentialEntryBuilder: CredentialEntryBuilder,
     private val json: Json,
-) : Fido2CredentialManager,
+    private val vaultRepository: VaultRepository,
+    dispatcherManager: DispatcherManager,
+) : BitwardenCredentialManager,
     Fido2CredentialStore by fido2CredentialStore {
 
+    private val ioScope = CoroutineScope(dispatcherManager.io)
+
     override var isUserVerified: Boolean = false
 
     override var authenticationAttempts: Int = 0
@@ -65,6 +86,152 @@ class Fido2CredentialManagerImpl(
         }
     }
 
+    override fun getPasskeyAttestationOptionsOrNull(
+        requestJson: String,
+    ): PasskeyAttestationOptions? = json.decodeFromStringOrNull(requestJson)
+
+    @Suppress("LongMethod")
+    override suspend fun authenticateFido2Credential(
+        userId: String,
+        callingAppInfo: CallingAppInfo,
+        request: GetPublicKeyCredentialOption,
+        selectedCipherView: CipherView,
+        origin: String?,
+    ): Fido2CredentialAssertionResult {
+        val clientData = request.clientDataHash
+            ?.let { ClientData.DefaultWithCustomHash(hash = it) }
+            ?: ClientData.DefaultWithExtraData(androidPackageName = callingAppInfo.getAppOrigin())
+
+        val sdkOrigin = if (!origin.isNullOrEmpty()) {
+            Origin.Web(origin)
+        } else {
+            val hostUrl = getOriginUrlFromAssertionOptionsOrNull(request.requestJson)
+                ?: return Fido2CredentialAssertionResult.Error.MissingHostUrl
+            Origin.Android(
+                UnverifiedAssetLink(
+                    packageName = callingAppInfo.packageName,
+                    sha256CertFingerprint = callingAppInfo
+                        .getSignatureFingerprintAsHexString()
+                        .orEmpty(),
+                    host = hostUrl,
+                    assetLinkUrl = hostUrl,
+                ),
+            )
+        }
+        return vaultSdkSource
+            .authenticateFido2Credential(
+                request = AuthenticateFido2CredentialRequest(
+                    userId = userId,
+                    origin = sdkOrigin,
+                    requestJson = """{"publicKey": ${request.requestJson}}""",
+                    clientData = clientData,
+                    selectedCipherView = selectedCipherView,
+                    isUserVerificationSupported = true,
+                ),
+                fido2CredentialStore = this,
+            )
+            .map { it.toAndroidFido2PublicKeyCredential() }
+            .mapCatching { json.encodeToString(it) }
+            .fold(
+                onSuccess = { Fido2CredentialAssertionResult.Success(it) },
+                onFailure = {
+                    Timber.e(it, "Failed to authenticate FIDO2 credential.")
+                    Fido2CredentialAssertionResult.Error.InternalError
+                },
+            )
+    }
+
+    override fun hasAuthenticationAttemptsRemaining(): Boolean =
+        authenticationAttempts < MAX_AUTHENTICATION_ATTEMPTS
+
+    override fun getUserVerificationRequirement(
+        request: ProviderGetCredentialRequest,
+        fallbackRequirement: UserVerificationRequirement,
+    ): UserVerificationRequirement = request
+        .credentialOptions
+        .filterIsInstance<GetPublicKeyCredentialOption>()
+        .firstOrNull()
+        ?.let { option ->
+            getPasskeyAssertionOptionsOrNull(option.requestJson)
+                ?.userVerification
+        }
+        ?: fallbackRequirement
+
+    override fun getUserVerificationRequirement(
+        request: CreatePublicKeyCredentialRequest,
+        fallbackRequirement: UserVerificationRequirement,
+    ): UserVerificationRequirement = getPasskeyAttestationOptionsOrNull(request.requestJson)
+        ?.authenticatorSelection
+        ?.userVerification
+        ?: fallbackRequirement
+
+    override suspend fun getCredentialEntries(
+        getCredentialsRequest: GetCredentialsRequest,
+    ): Result<List<CredentialEntry>> = withContext(ioScope.coroutineContext) {
+        val cipherViews = vaultRepository
+            .ciphersStateFlow
+            .takeUntilLoaded()
+            .fold(initial = emptyList<CipherView>()) { _, dataState ->
+                when (dataState) {
+                    is DataState.Loaded -> {
+                        dataState.data
+                    }
+
+                    else -> emptyList()
+                }
+            }
+            .filter { it.isActiveWithFido2Credentials }
+            .ifEmpty {
+                return@withContext emptyList<CredentialEntry>().asSuccess()
+            }
+
+        getCredentialsRequest
+            .beginGetPublicKeyCredentialOptions
+            .toPublicKeyCredentialEntries(
+                userId = getCredentialsRequest.userId,
+                cipherViewsWithPublicKeyCredentials = cipherViews,
+            )
+            .onFailure { Timber.e(it, "Failed to get FIDO 2 credential entries.") }
+    }
+
+    private fun getPasskeyAssertionOptionsOrNull(
+        requestJson: String,
+    ): PasskeyAssertionOptions? = json.decodeFromStringOrNull(requestJson)
+
+    private suspend fun List<BeginGetPublicKeyCredentialOption>.toPublicKeyCredentialEntries(
+        userId: String,
+        cipherViewsWithPublicKeyCredentials: List<CipherView>,
+    ): Result<List<CredentialEntry>> {
+        val relyingPartyIds = this
+            .mapNotNull { getPasskeyAssertionOptionsOrNull(it.requestJson)?.relyingPartyId }
+            .distinct()
+            .ifEmpty {
+                return GetCredentialUnknownException("Relying party id required.").asFailure()
+            }
+
+        val decryptResult = vaultRepository
+            .getDecryptedFido2CredentialAutofillViews(cipherViewsWithPublicKeyCredentials)
+
+        return when (decryptResult) {
+            is DecryptFido2CredentialAutofillViewResult.Error -> {
+                GetCredentialUnknownException("Error decrypting credentials.").asFailure()
+            }
+
+            is DecryptFido2CredentialAutofillViewResult.Success -> {
+                credentialEntryBuilder
+                    .buildPublicKeyCredentialEntries(
+                        userId = userId,
+                        fido2CredentialAutofillViews = decryptResult
+                            .fido2CredentialAutofillViews
+                            .filter { it.rpId in relyingPartyIds },
+                        beginGetPublicKeyCredentialOptions = this,
+                        isUserVerified = isUserVerified,
+                    )
+                    .asSuccess()
+            }
+        }
+    }
+
     private suspend fun registerFido2CredentialForUnprivilegedApp(
         userId: String,
         callingAppInfo: CallingAppInfo,
@@ -80,7 +247,7 @@ class Fido2CredentialManagerImpl(
 
         val signatureFingerprint = callingAppInfo
             .getSignatureFingerprintAsHexString()
-            ?: return Fido2RegisterCredentialResult.Error.InvalidAppSignature
+            .orEmpty()
 
         val sdkOrigin = Origin.Android(
             UnverifiedAssetLink(
@@ -148,112 +315,12 @@ class Fido2CredentialManagerImpl(
         .mapCatching { json.encodeToString(it) }
         .fold(
             onSuccess = { Fido2RegisterCredentialResult.Success(it) },
-            onFailure = { Fido2RegisterCredentialResult.Error.InternalError },
+            onFailure = {
+                Timber.e(it, "Failed to register FIDO2 credential.")
+                Fido2RegisterCredentialResult.Error.InternalError
+            },
         )
 
-    override fun getPasskeyAttestationOptionsOrNull(
-        requestJson: String,
-    ): PasskeyAttestationOptions? =
-        try {
-            json.decodeFromString<PasskeyAttestationOptions>(requestJson)
-        } catch (e: SerializationException) {
-            Timber.e(e, "Failed to decode passkey attestation options.")
-            null
-        } catch (e: IllegalArgumentException) {
-            Timber.e(e, "Failed to decode passkey attestation options.")
-            null
-        }
-
-    override fun getPasskeyAssertionOptionsOrNull(
-        requestJson: String,
-    ): PasskeyAssertionOptions? =
-        try {
-            json.decodeFromString<PasskeyAssertionOptions>(requestJson)
-        } catch (e: SerializationException) {
-            Timber.e(e, "Failed to decode passkey assertion options: $e")
-            null
-        } catch (e: IllegalArgumentException) {
-            Timber.e(e, "Failed to decode passkey assertion options: $e")
-            null
-        }
-
-    @Suppress("LongMethod")
-    override suspend fun authenticateFido2Credential(
-        userId: String,
-        callingAppInfo: CallingAppInfo,
-        request: GetPublicKeyCredentialOption,
-        selectedCipherView: CipherView,
-        origin: String?,
-    ): Fido2CredentialAssertionResult {
-        val clientData = request.clientDataHash
-            ?.let { ClientData.DefaultWithCustomHash(hash = it) }
-            ?: ClientData.DefaultWithExtraData(androidPackageName = callingAppInfo.getAppOrigin())
-
-        val sdkOrigin = if (!origin.isNullOrEmpty()) {
-            Origin.Web(origin)
-        } else {
-            val hostUrl = getOriginUrlFromAssertionOptionsOrNull(request.requestJson)
-                ?: return Fido2CredentialAssertionResult.Error.MissingHostUrl
-            Origin.Android(
-                UnverifiedAssetLink(
-                    packageName = callingAppInfo.packageName,
-                    sha256CertFingerprint = callingAppInfo
-                        .getSignatureFingerprintAsHexString()
-                        ?: return Fido2CredentialAssertionResult
-                            .Error
-                            .InvalidAppSignature,
-                    host = hostUrl,
-                    assetLinkUrl = hostUrl,
-                ),
-            )
-        }
-        return vaultSdkSource
-            .authenticateFido2Credential(
-                request = AuthenticateFido2CredentialRequest(
-                    userId = userId,
-                    origin = sdkOrigin,
-                    requestJson = """{"publicKey": ${request.requestJson}}""",
-                    clientData = clientData,
-                    selectedCipherView = selectedCipherView,
-                    isUserVerificationSupported = true,
-                ),
-                fido2CredentialStore = this,
-            )
-            .map { it.toAndroidFido2PublicKeyCredential() }
-            .mapCatching { json.encodeToString(it) }
-            .fold(
-                onSuccess = { Fido2CredentialAssertionResult.Success(it) },
-                onFailure = {
-                    Timber.e(it, "Failed to authenticate FIDO2 credential.")
-                    Fido2CredentialAssertionResult.Error.InternalError
-                },
-            )
-    }
-
-    override fun hasAuthenticationAttemptsRemaining(): Boolean =
-        authenticationAttempts < MAX_AUTHENTICATION_ATTEMPTS
-
-    override fun getUserVerificationRequirement(
-        request: ProviderGetCredentialRequest,
-        fallbackRequirement: UserVerificationRequirement,
-    ): UserVerificationRequirement = request
-        .credentialOptions
-        .filterIsInstance<GetPublicKeyCredentialOption>()
-        .firstOrNull()
-        ?.let { option ->
-            getPasskeyAssertionOptionsOrNull(option.requestJson)
-                ?.userVerification
-        }
-        ?: fallbackRequirement
-
-    override fun getUserVerificationRequirement(
-        request: CreatePublicKeyCredentialRequest,
-        fallbackRequirement: UserVerificationRequirement,
-    ): UserVerificationRequirement = getPasskeyAttestationOptionsOrNull(request.requestJson)
-        ?.authenticatorSelection
-        ?.userVerification
-        ?: fallbackRequirement
-
     private fun getOriginUrlFromAssertionOptionsOrNull(requestJson: String) =
         getPasskeyAssertionOptionsOrNull(requestJson)
             ?.relyingPartyId

app/src/main/java/com/x8bit/bitwarden/data/credentials/manager/OriginManager.kt

@@ -1,23 +1,21 @@
-package com.x8bit.bitwarden.data.autofill.fido2.manager
+package com.x8bit.bitwarden.data.credentials.manager
 
 import androidx.credentials.provider.CallingAppInfo
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
+import com.x8bit.bitwarden.data.credentials.model.ValidateOriginResult
 
 /**
  * Responsible for managing FIDO2 origin validation.
  */
-interface Fido2OriginManager {
+interface OriginManager {
 
     /**
      * Validates the origin of a calling app.
      *
      * @param callingAppInfo The calling app info.
-     * @param relyingPartyId The relying party ID.
      *
      * @return The result of the validation.
      */
     suspend fun validateOrigin(
         callingAppInfo: CallingAppInfo,
-        relyingPartyId: String,
-    ): Fido2ValidateOriginResult
+    ): ValidateOriginResult
 }

app/src/main/java/com/x8bit/bitwarden/data/credentials/manager/OriginManagerImpl.kt

@@ -0,0 +1,112 @@
+package com.x8bit.bitwarden.data.credentials.manager
+
+import androidx.credentials.provider.CallingAppInfo
+import com.bitwarden.network.service.DigitalAssetLinkService
+import com.x8bit.bitwarden.data.credentials.model.ValidateOriginResult
+import com.x8bit.bitwarden.data.platform.manager.AssetManager
+import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
+import com.x8bit.bitwarden.data.platform.util.validatePrivilegedApp
+import timber.log.Timber
+
+private const val GOOGLE_ALLOW_LIST_FILE_NAME = "fido2_privileged_google.json"
+private const val COMMUNITY_ALLOW_LIST_FILE_NAME = "fido2_privileged_community.json"
+private const val DELEGATE_PERMISSION_HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
+
+/**
+ * Primary implementation of [OriginManager].
+ */
+class OriginManagerImpl(
+    private val assetManager: AssetManager,
+    private val digitalAssetLinkService: DigitalAssetLinkService,
+) : OriginManager {
+
+    override suspend fun validateOrigin(
+        callingAppInfo: CallingAppInfo,
+    ): ValidateOriginResult {
+        return if (callingAppInfo.isOriginPopulated()) {
+            validatePrivilegedAppOrigin(callingAppInfo)
+        } else {
+            validateCallingApplicationAssetLinks(callingAppInfo)
+        }
+    }
+
+    private suspend fun validateCallingApplicationAssetLinks(
+        callingAppInfo: CallingAppInfo,
+    ): ValidateOriginResult {
+        return digitalAssetLinkService
+            .checkDigitalAssetLinksRelations(
+                packageName = callingAppInfo.packageName,
+                certificateFingerprint = callingAppInfo
+                    .getSignatureFingerprintAsHexString()
+                    .orEmpty(),
+                relation = DELEGATE_PERMISSION_HANDLE_ALL_URLS,
+            )
+            .fold(
+                onSuccess = {
+                    if (it.linked) {
+                        ValidateOriginResult.Success(null)
+                    } else {
+                        ValidateOriginResult.Error.PasskeyNotSupportedForApp
+                    }
+                },
+                onFailure = {
+                    ValidateOriginResult.Error.AssetLinkNotFound
+                },
+            )
+    }
+
+    private suspend fun validatePrivilegedAppOrigin(
+        callingAppInfo: CallingAppInfo,
+    ): ValidateOriginResult {
+        val googleAllowListResult =
+            validatePrivilegedAppSignatureWithGoogleList(callingAppInfo)
+        return when (googleAllowListResult) {
+            is ValidateOriginResult.Success -> {
+                // Application was found and successfully validated against the Google allow list so
+                // we can return the result as the final validation result.
+                googleAllowListResult
+            }
+
+            is ValidateOriginResult.Error -> {
+                // Check the community allow list if the Google allow list failed, and return the
+                // result as the final validation result.
+                validatePrivilegedAppSignatureWithCommunityList(callingAppInfo)
+            }
+        }
+    }
+
+    private suspend fun validatePrivilegedAppSignatureWithGoogleList(
+        callingAppInfo: CallingAppInfo,
+    ): ValidateOriginResult =
+        validatePrivilegedAppSignatureWithAllowList(
+            callingAppInfo = callingAppInfo,
+            fileName = GOOGLE_ALLOW_LIST_FILE_NAME,
+        )
+
+    private suspend fun validatePrivilegedAppSignatureWithCommunityList(
+        callingAppInfo: CallingAppInfo,
+    ): ValidateOriginResult =
+        validatePrivilegedAppSignatureWithAllowList(
+            callingAppInfo = callingAppInfo,
+            fileName = COMMUNITY_ALLOW_LIST_FILE_NAME,
+        )
+
+    private suspend fun validatePrivilegedAppSignatureWithAllowList(
+        callingAppInfo: CallingAppInfo,
+        fileName: String,
+    ): ValidateOriginResult =
+        assetManager
+            .readAsset(fileName)
+            .mapCatching { allowList ->
+                callingAppInfo.validatePrivilegedApp(
+                    allowList = allowList,
+                )
+            }
+            .fold(
+                onSuccess = { it },
+                onFailure = {
+                    Timber.e(it, "Failed to validate privileged app: ${callingAppInfo.packageName}")
+                    ValidateOriginResult.Error.Unknown
+                },
+            )
+}

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/CreateCredentialRequest.kt

@@ -1,11 +1,11 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import android.os.Bundle
 import android.os.Parcelable
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.provider.CallingAppInfo
 import androidx.credentials.provider.ProviderCreateCredentialRequest
-import com.x8bit.bitwarden.ui.platform.base.util.toHostOrPathOrNull
+import com.bitwarden.ui.platform.base.util.toHostOrPathOrNull
 import kotlinx.parcelize.IgnoredOnParcel
 import kotlinx.parcelize.Parcelize
 
@@ -14,16 +14,19 @@ import kotlinx.parcelize.Parcelize
  * credential manager framework.
  *
  * @property userId The ID of the user creating the passkey.
+ * @property isUserPreVerified Whether the user has already been verified by the OS biometric
+ * prompt.
  * @property requestData Provider request data in the form of a [Bundle].
  */
 @Parcelize
-data class Fido2CreateCredentialRequest(
+data class CreateCredentialRequest(
     val userId: String,
     val requestData: Bundle,
+    val isUserPreVerified: Boolean,
 ) : Parcelable {
 
     /**
-     * The [ProviderCreateCredentialRequest] from the [requestData].
+     * The [CreateCredentialRequest] from the [requestData].
      */
     @IgnoredOnParcel
     val providerRequest: ProviderCreateCredentialRequest by lazy {

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/Fido2AttestationResponse.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/Fido2CredentialAssertionRequest.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import android.os.Bundle
 import android.os.Parcelable
@@ -11,16 +11,19 @@ import kotlinx.parcelize.Parcelize
 /**
  * Models a FIDO 2 credential authentication request parsed from the launching intent.
  *
- * @param userId ID of the user requesting credential authentication.
- * @param cipherId ID of the cipher to be authenticated against.
- * @param credentialId ID of the credential to authenticate.
- * @param requestData Provider request data in the form of a [Bundle].
+ * @property userId ID of the user requesting credential authentication.
+ * @property cipherId ID of the cipher to be authenticated against.
+ * @property credentialId ID of the credential to authenticate.
+ * @property isUserPreVerified Whether the user has already been verified by the OS biometric
+ * prompt.
+ * @property requestData Provider request data in the form of a [Bundle].
  */
 @Parcelize
 data class Fido2CredentialAssertionRequest(
     val userId: String,
     val cipherId: String,
     val credentialId: String,
+    val isUserPreVerified: Boolean,
     private val requestData: Bundle,
 ) : Parcelable {
 

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/Fido2CredentialAssertionResult.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 /**
  * Represents possible outcomes of a FIDO 2 credential assertion request.
@@ -24,21 +24,6 @@ sealed class Fido2CredentialAssertionResult {
          */
         data object MissingHostUrl : Error()
 
-        /**
-         * Indicates the calling application signature was invalid.
-         */
-        data object InvalidAppSignature : Error()
-
-        /**
-         * Indicates origin validation failed.
-         *
-         * @property originValidationError The specific error that caused the origin validation to
-         * fail.
-         */
-        data class OriginValidationFailed(
-            val originValidationError: Fido2ValidateOriginResult.Error,
-        ) : Error()
-
         /**
          * Indicates an internal error occurred.
          */

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/Fido2PublicKeyCredential.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/Fido2RegisterCredentialResult.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 /**
  * Models the data returned from creating a FIDO 2 credential.

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/GetCredentialsRequest.kt

@@ -1,8 +1,9 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import android.os.Bundle
 import android.os.Parcelable
 import androidx.credentials.provider.BeginGetCredentialRequest
+import androidx.credentials.provider.BeginGetPasswordOption
 import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import androidx.credentials.provider.CallingAppInfo
 import kotlinx.parcelize.IgnoredOnParcel
@@ -15,7 +16,7 @@ import kotlinx.parcelize.Parcelize
  * @param requestData Provider request data in the form of a [Bundle].
  */
 @Parcelize
-data class Fido2GetCredentialsRequest(
+data class GetCredentialsRequest(
     val userId: String,
     private val requestData: Bundle,
 ) : Parcelable {
@@ -29,16 +30,27 @@ data class Fido2GetCredentialsRequest(
     }
 
     /**
-     * The first [BeginGetPublicKeyCredentialOption] of the [providerRequest], or null if the
-     * [providerRequest] is not a [BeginGetCredentialRequest] or does not contain a
-     * [BeginGetPublicKeyCredentialOption].
+     * The [BeginGetPublicKeyCredentialOption]s of the [providerRequest], or an empty list if no
+     * public key options are present.
      */
     @IgnoredOnParcel
-    val beginGetPublicKeyCredentialOption: BeginGetPublicKeyCredentialOption? by lazy {
+    val beginGetPublicKeyCredentialOptions: List<BeginGetPublicKeyCredentialOption> by lazy {
         providerRequest
             ?.beginGetCredentialOptions
             ?.filterIsInstance<BeginGetPublicKeyCredentialOption>()
-            ?.firstOrNull()
+            .orEmpty()
+    }
+
+    /**
+     * The [BeginGetPasswordOption]s of the [providerRequest], or an empty list if no password
+     * options are present.
+     */
+    @IgnoredOnParcel
+    val beginGetPasswordOptions: List<BeginGetPasswordOption> by lazy {
+        providerRequest
+            ?.beginGetCredentialOptions
+            ?.filterIsInstance<BeginGetPasswordOption>()
+            .orEmpty()
     }
 
     /**
@@ -47,16 +59,4 @@ data class Fido2GetCredentialsRequest(
      */
     @IgnoredOnParcel
     val callingAppInfo: CallingAppInfo? by lazy { providerRequest?.callingAppInfo }
-
-    /**
-     * The first [BeginGetPublicKeyCredentialOption] of the [providerRequest], or null if the
-     * [providerRequest] does not contain a [BeginGetPublicKeyCredentialOption].
-     */
-    @IgnoredOnParcel
-    val option: BeginGetPublicKeyCredentialOption? by lazy {
-        providerRequest?.beginGetCredentialOptions
-            ?.firstNotNullOfOrNull {
-                it as? BeginGetPublicKeyCredentialOption
-            }
-    }
 }

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/GetCredentialsResult.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import com.bitwarden.fido.Fido2CredentialAutofillView
@@ -7,7 +7,7 @@ import com.bitwarden.ui.util.Text
 /**
  * Represents the result of a FIDO 2 Get Credentials request.
  */
-sealed class Fido2GetCredentialsResult {
+sealed class GetCredentialsResult {
     /**
      * Indicates credentials were successfully queried.
      *
@@ -20,12 +20,12 @@ sealed class Fido2GetCredentialsResult {
         val userId: String,
         val options: BeginGetPublicKeyCredentialOption,
         val credentials: List<Fido2CredentialAutofillView>,
-    ) : Fido2GetCredentialsResult()
+    ) : GetCredentialsResult()
 
     /**
      * Indicates an error was encountered when querying for matching credentials.
      */
     data class Error(
         val message: Text,
-    ) : Fido2GetCredentialsResult()
+    ) : GetCredentialsResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/PasskeyAssertionOptions.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/PasskeyAttestationOptions.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/ProviderGetPasswordCredentialRequest.kt

@@ -0,0 +1,23 @@
+package com.x8bit.bitwarden.data.credentials.model
+
+import android.os.Bundle
+import android.os.Parcelable
+import androidx.credentials.provider.ProviderGetCredentialRequest
+import kotlinx.parcelize.Parcelize
+
+/**
+ * A wrapper around [ProviderGetCredentialRequest] that includes additional information needed to
+ * fulfill the request.
+ *
+ * @param userId The ID of the user that owns the credential being requested.
+ * @param cipherId The ID of the cipher containing the password to be retrieved.
+ * @param isUserVerified Whether the user has been verified prior to this request.
+ * @param requestData The original request data from the system.
+ */
+@Parcelize
+data class ProviderGetPasswordCredentialRequest(
+    val userId: String,
+    val cipherId: String,
+    val isUserVerified: Boolean,
+    val requestData: Bundle,
+) : Parcelable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/PublicKeyCredentialDescriptor.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/UserVerificationRequirement.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
 
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable

app/src/main/java/com/x8bit/bitwarden/data/credentials/model/ValidateOriginResult.kt

@@ -1,37 +1,29 @@
-package com.x8bit.bitwarden.data.autofill.fido2.model
+package com.x8bit.bitwarden.data.credentials.model
+
+import androidx.credentials.CredentialManager
 
 /**
- * Models the result of validating the origin of a FIDO2 request.
+ * Models the result of validating the origin of a [CredentialManager] request.
  */
-sealed class Fido2ValidateOriginResult {
+sealed class ValidateOriginResult {
 
     /**
      * Represents a successful origin validation.
      *
      * @param origin The origin of the calling app, or null if the calling app is not privileged.
      */
-    data class Success(val origin: String?) : Fido2ValidateOriginResult()
+    data class Success(val origin: String?) : ValidateOriginResult()
 
     /**
      * Represents a validation error.
      */
-    sealed class Error : Fido2ValidateOriginResult() {
+    sealed class Error : ValidateOriginResult() {
 
         /**
          * Indicates the digital asset links file could not be located.
          */
         data object AssetLinkNotFound : Error()
 
-        /**
-         * Indicates the application package name was not found in the digital asset links file.
-         */
-        data object ApplicationNotFound : Error()
-
-        /**
-         * Indicates the application fingerprint was not found the digital asset links file.
-         */
-        data object ApplicationFingerprintNotVerified : Error()
-
         /**
          * Indicates the calling application is privileged but its package name is not found within
          * the privileged app allow list.

app/src/main/java/com/x8bit/bitwarden/data/credentials/processor/CredentialProviderProcessor.kt

@@ -1,7 +1,8 @@
-package com.x8bit.bitwarden.data.autofill.fido2.processor
+package com.x8bit.bitwarden.data.credentials.processor
 
 import android.os.CancellationSignal
 import android.os.OutcomeReceiver
+import androidx.credentials.CredentialManager
 import androidx.credentials.exceptions.ClearCredentialException
 import androidx.credentials.exceptions.CreateCredentialException
 import androidx.credentials.exceptions.GetCredentialException
@@ -12,9 +13,10 @@ import androidx.credentials.provider.BeginGetCredentialResponse
 import androidx.credentials.provider.ProviderClearCredentialStateRequest
 
 /**
- * A class to handle FIDO2 credential request processing. This includes save and autofill requests.
+ * A class to handle [CredentialManager] request processing. This includes save and autofill
+ * requests.
  */
-interface Fido2ProviderProcessor {
+interface CredentialProviderProcessor {
 
     /**
      * Process the [BeginCreateCredentialRequest] and invoke the [callback] with the result.

app/src/main/java/com/x8bit/bitwarden/data/credentials/processor/CredentialProviderProcessorImpl.kt

@@ -1,13 +1,13 @@
-package com.x8bit.bitwarden.data.autofill.fido2.processor
+package com.x8bit.bitwarden.data.credentials.processor
 
 import android.content.Context
-import android.graphics.drawable.Icon
 import android.os.Build
 import android.os.CancellationSignal
 import android.os.OutcomeReceiver
 import androidx.annotation.RequiresApi
 import androidx.biometric.BiometricManager
 import androidx.biometric.BiometricPrompt
+import androidx.credentials.CredentialManager
 import androidx.credentials.exceptions.ClearCredentialException
 import androidx.credentials.exceptions.ClearCredentialUnsupportedException
 import androidx.credentials.exceptions.CreateCredentialCancellationException
@@ -16,69 +16,55 @@ import androidx.credentials.exceptions.CreateCredentialUnknownException
 import androidx.credentials.exceptions.GetCredentialCancellationException
 import androidx.credentials.exceptions.GetCredentialException
 import androidx.credentials.exceptions.GetCredentialUnknownException
-import androidx.credentials.exceptions.GetCredentialUnsupportedException
 import androidx.credentials.provider.AuthenticationAction
 import androidx.credentials.provider.BeginCreateCredentialRequest
 import androidx.credentials.provider.BeginCreateCredentialResponse
 import androidx.credentials.provider.BeginCreatePublicKeyCredentialRequest
 import androidx.credentials.provider.BeginGetCredentialRequest
 import androidx.credentials.provider.BeginGetCredentialResponse
-import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import androidx.credentials.provider.BiometricPromptData
 import androidx.credentials.provider.CreateEntry
-import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderClearCredentialStateRequest
-import androidx.credentials.provider.PublicKeyCredentialEntry
-import com.bitwarden.core.data.repository.model.DataState
-import com.bitwarden.core.data.repository.util.takeUntilLoaded
 import com.bitwarden.data.manager.DispatcherManager
-import com.bitwarden.fido.Fido2CredentialAutofillView
-import com.bitwarden.sdk.Fido2CredentialStore
-import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.R
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.model.UserState
-import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
-import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
+import com.x8bit.bitwarden.data.credentials.manager.BitwardenCredentialManager
+import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
 import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.util.isBuildVersionBelow
-import com.x8bit.bitwarden.data.vault.repository.VaultRepository
-import com.x8bit.bitwarden.data.vault.repository.model.DecryptFido2CredentialAutofillViewResult
 import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import kotlinx.coroutines.CoroutineScope
-import kotlinx.coroutines.flow.fold
 import kotlinx.coroutines.launch
 import java.time.Clock
 import java.util.concurrent.atomic.AtomicInteger
 import javax.crypto.Cipher
 
-private const val CREATE_PASSKEY_INTENT = "com.x8bit.bitwarden.fido2.ACTION_CREATE_PASSKEY"
-const val GET_PASSKEY_INTENT = "com.x8bit.bitwarden.fido2.ACTION_GET_PASSKEY"
-const val UNLOCK_ACCOUNT_INTENT = "com.x8bit.bitwarden.fido2.ACTION_UNLOCK_ACCOUNT"
+private const val CREATE_PASSKEY_INTENT = "com.x8bit.bitwarden.credentials.ACTION_CREATE_PASSKEY"
+const val GET_PASSKEY_INTENT = "com.x8bit.bitwarden.credentials.ACTION_GET_PASSKEY"
+const val UNLOCK_ACCOUNT_INTENT = "com.x8bit.bitwarden.credentials.ACTION_UNLOCK_ACCOUNT"
 
 /**
- * The default implementation of [Fido2ProviderProcessor]. Its purpose is to handle FIDO2 related
- * processing.
+ * The default implementation of [CredentialProviderProcessor]. Its purpose is to handle
+ * [CredentialManager] requests from other applications.
  */
 @Suppress("LongParameterList", "TooManyFunctions")
 @RequiresApi(Build.VERSION_CODES.S)
-class Fido2ProviderProcessorImpl(
+class CredentialProviderProcessorImpl(
     private val context: Context,
     private val authRepository: AuthRepository,
-    private val vaultRepository: VaultRepository,
-    private val fido2CredentialStore: Fido2CredentialStore,
-    private val fido2CredentialManager: Fido2CredentialManager,
+    private val bitwardenCredentialManager: BitwardenCredentialManager,
     private val intentManager: IntentManager,
     private val clock: Clock,
     private val biometricsEncryptionManager: BiometricsEncryptionManager,
     private val featureFlagManager: FeatureFlagManager,
     dispatcherManager: DispatcherManager,
-) : Fido2ProviderProcessor {
+) : CredentialProviderProcessor {
 
     private val requestCode = AtomicInteger()
-    private val scope = CoroutineScope(dispatcherManager.unconfined)
+    private val ioScope = CoroutineScope(dispatcherManager.io)
 
     override fun processCreateCredentialRequest(
         request: BeginCreateCredentialRequest,
@@ -91,7 +77,7 @@ class Fido2ProviderProcessorImpl(
             return
         }
 
-        val createCredentialJob = scope.launch {
+        val createCredentialJob = ioScope.launch {
             processCreateCredentialRequest(request = request)
                 ?.let { callback.onResult(it) }
                 ?: callback.onError(CreateCredentialUnknownException())
@@ -136,21 +122,16 @@ class Fido2ProviderProcessorImpl(
         }
 
         // Otherwise, find all matching credentials from the current vault.
-        val getCredentialJob = scope.launch {
-            try {
-                val credentialEntries = getMatchingFido2CredentialEntries(
-                    userId = userState.activeUserId,
-                    request = request,
-                )
-
-                callback.onResult(
-                    BeginGetCredentialResponse(
-                        credentialEntries = credentialEntries,
+        val getCredentialJob = ioScope.launch {
+            bitwardenCredentialManager
+                .getCredentialEntries(
+                    getCredentialsRequest = GetCredentialsRequest(
+                        userId = userState.activeUserId,
+                        BeginGetCredentialRequest.asBundle(request),
                     ),
                 )
-            } catch (e: GetCredentialException) {
-                callback.onError(e)
-            }
+                .onSuccess { callback.onResult(BeginGetCredentialResponse(credentialEntries = it)) }
+                .onFailure { callback.onError(GetCredentialUnknownException(it.message)) }
         }
         cancellationSignal.setOnCancelListener {
             callback.onError(GetCredentialCancellationException())
@@ -230,110 +211,6 @@ class Fido2ProviderProcessorImpl(
         return entryBuilder.build()
     }
 
-    @Throws(GetCredentialUnsupportedException::class)
-    private suspend fun getMatchingFido2CredentialEntries(
-        userId: String,
-        request: BeginGetCredentialRequest,
-    ): List<CredentialEntry> =
-        request
-            .beginGetCredentialOptions
-            .flatMap { option ->
-                if (option is BeginGetPublicKeyCredentialOption) {
-                    val relyingPartyId = fido2CredentialManager
-                        .getPasskeyAssertionOptionsOrNull(requestJson = option.requestJson)
-                        ?.relyingPartyId
-                        ?: throw GetCredentialUnknownException("Invalid data.")
-                    buildCredentialEntries(userId, relyingPartyId, option)
-                } else {
-                    throw GetCredentialUnsupportedException("Unsupported option.")
-                }
-            }
-
-    private suspend fun buildCredentialEntries(
-        userId: String,
-        relyingPartyId: String,
-        option: BeginGetPublicKeyCredentialOption,
-    ): List<CredentialEntry> {
-        val cipherViews = vaultRepository
-            .ciphersStateFlow
-            .takeUntilLoaded()
-            .fold(emptyList<CipherView>()) { _, dataState ->
-                when (dataState) {
-                    is DataState.Loaded -> dataState.data.filter { it.isActiveWithFido2Credentials }
-
-                    else -> emptyList()
-                }
-            }
-        val result = vaultRepository
-            .getDecryptedFido2CredentialAutofillViews(cipherViews)
-        return when (result) {
-            is DecryptFido2CredentialAutofillViewResult.Error -> {
-                throw GetCredentialUnknownException("Error decrypting credentials.")
-            }
-
-            is DecryptFido2CredentialAutofillViewResult.Success -> {
-                result
-                    .fido2CredentialAutofillViews
-                    .filter { it.rpId == relyingPartyId }
-                    .toCredentialEntries(
-                        userId = userId,
-                        option = option,
-                    )
-            }
-        }
-    }
-
-    private fun List<Fido2CredentialAutofillView>.toCredentialEntries(
-        userId: String,
-        option: BeginGetPublicKeyCredentialOption,
-    ): List<CredentialEntry> =
-        this
-            .map {
-                val publicKeyEntryBuilder = PublicKeyCredentialEntry
-                    .Builder(
-                        context = context,
-                        username = it.userNameForUi ?: context.getString(R.string.no_username),
-                        pendingIntent = intentManager.createFido2GetCredentialPendingIntent(
-                            action = GET_PASSKEY_INTENT,
-                            userId = userId,
-                            credentialId = it.credentialId.toString(),
-                            cipherId = it.cipherId,
-                            requestCode = requestCode.getAndIncrement(),
-                        ),
-                        beginGetPublicKeyCredentialOption = option,
-                    )
-                    .setIcon(
-                        Icon.createWithResource(
-                            context,
-                            R.drawable.ic_bw_passkey,
-                        ),
-                    )
-
-                if (featureFlagManager.getFeatureFlag(FlagKey.SingleTapPasskeyAuthentication)) {
-                    biometricsEncryptionManager
-                        .getOrCreateCipher(userId)
-                        ?.let {
-                            publicKeyEntryBuilder
-                                .setBiometricPromptDataIfSupported(cipher = it)
-                        }
-                }
-                publicKeyEntryBuilder.build()
-            }
-
-    private fun PublicKeyCredentialEntry.Builder.setBiometricPromptDataIfSupported(
-        cipher: Cipher,
-    ): PublicKeyCredentialEntry.Builder {
-        return if (isBuildVersionBelow(Build.VERSION_CODES.VANILLA_ICE_CREAM)) {
-            this
-        } else {
-            setBiometricPromptData(
-                biometricPromptData = BiometricPromptData
-                    .Builder()
-                    .buildPromptDataWithCipher(cipher),
-            )
-        }
-    }
-
     private fun CreateEntry.Builder.setBiometricPromptDataIfSupported(
         cipher: Cipher,
     ): CreateEntry.Builder {
@@ -341,15 +218,13 @@ class Fido2ProviderProcessorImpl(
             this
         } else {
             setBiometricPromptData(
-                biometricPromptData = BiometricPromptData
-                    .Builder()
-                    .buildPromptDataWithCipher(cipher),
+                biometricPromptData = buildPromptDataWithCipher(cipher),
             )
         }
     }
 
     @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
-    private fun BiometricPromptData.Builder.buildPromptDataWithCipher(
+    private fun buildPromptDataWithCipher(
         cipher: Cipher,
     ): BiometricPromptData = BiometricPromptData.Builder()
         .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)

app/src/main/java/com/x8bit/bitwarden/data/credentials/util/BiometricPromptDataUtils.kt

@@ -0,0 +1,22 @@
+@file:OmitFromCoverage
+
+package com.x8bit.bitwarden.data.credentials.util
+
+import android.os.Build
+import androidx.annotation.RequiresApi
+import androidx.biometric.BiometricManager
+import androidx.biometric.BiometricPrompt
+import androidx.credentials.provider.BiometricPromptData
+import com.bitwarden.annotation.OmitFromCoverage
+import javax.crypto.Cipher
+
+/**
+ * Builds a [BiometricPromptData] instance with the provided [Cipher].
+ */
+@RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+fun buildPromptDataWithCipher(
+    cipher: Cipher,
+): BiometricPromptData = BiometricPromptData.Builder()
+    .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
+    .setCryptoObject(BiometricPrompt.CryptoObject(cipher))
+    .build()

app/src/main/java/com/x8bit/bitwarden/data/credentials/util/CredentialProviderIntentUtils.kt

@@ -1,24 +1,26 @@
-package com.x8bit.bitwarden.data.autofill.fido2.util
+package com.x8bit.bitwarden.data.credentials.util
 
 import android.content.Intent
 import android.os.Build
+import androidx.credentials.CredentialManager
 import androidx.credentials.provider.BeginGetCredentialRequest
 import androidx.credentials.provider.PendingIntentHandler
 import androidx.credentials.provider.ProviderCreateCredentialRequest
 import androidx.credentials.provider.ProviderGetCredentialRequest
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CreateCredentialRequest
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionRequest
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2GetCredentialsRequest
+import com.x8bit.bitwarden.data.credentials.model.CreateCredentialRequest
+import com.x8bit.bitwarden.data.credentials.model.Fido2CredentialAssertionRequest
+import com.x8bit.bitwarden.data.credentials.model.GetCredentialsRequest
 import com.x8bit.bitwarden.data.platform.util.isBuildVersionBelow
 import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CIPHER_ID
 import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CREDENTIAL_ID
 import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_USER_ID
+import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK
 
 /**
- * Checks if this [Intent] contains a [Fido2CreateCredentialRequest] related to an ongoing FIDO 2
- * credential creation process.
+ * Checks if this [Intent] contains a [CreateCredentialRequest] related to an ongoing
+ * [CredentialManager] creation process.
  */
-fun Intent.getFido2CreateCredentialRequestOrNull(): Fido2CreateCredentialRequest? {
+fun Intent.getCreateCredentialRequestOrNull(): CreateCredentialRequest? {
     if (isBuildVersionBelow(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)) return null
 
     val systemRequest = PendingIntentHandler.retrieveProviderCreateCredentialRequest(this)
@@ -27,8 +29,16 @@ fun Intent.getFido2CreateCredentialRequestOrNull(): Fido2CreateCredentialRequest
     val userId = getStringExtra(EXTRA_KEY_USER_ID)
         ?: return null
 
-    return Fido2CreateCredentialRequest(
+    // Extract the OS biometric prompt result from the request data because it is not included in
+    // the bundle returned by `ProviderCreateCredentialRequest.asBundle()`.
+    val isUserPreVerified = systemRequest
+        .biometricPromptResult
+        ?.isSuccessful
+        ?: getBooleanExtra(EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK, false)
+
+    return CreateCredentialRequest(
         userId = userId,
+        isUserPreVerified = isUserPreVerified,
         requestData = ProviderCreateCredentialRequest.asBundle(systemRequest),
     )
 }
@@ -53,19 +63,27 @@ fun Intent.getFido2AssertionRequestOrNull(): Fido2CredentialAssertionRequest? {
     val userId: String = getStringExtra(EXTRA_KEY_USER_ID)
         ?: return null
 
+    // Extract the OS biometric prompt result from the request data because it is not included in
+    // the bundle returned by `ProviderGetCredentialRequest.asBundle()`.
+    val isUserPreVerified = systemRequest
+        .biometricPromptResult
+        ?.isSuccessful
+        ?: getBooleanExtra(EXTRA_KEY_UV_PERFORMED_DURING_UNLOCK, false)
+
     return Fido2CredentialAssertionRequest(
         userId = userId,
         cipherId = cipherId,
         credentialId = credentialId,
+        isUserPreVerified = isUserPreVerified,
         requestData = ProviderGetCredentialRequest.asBundle(systemRequest),
     )
 }
 
 /**
- * Checks if this [Intent] contains a [Fido2GetCredentialsRequest] related to an ongoing FIDO 2
- * credential lookup process.
+ * Checks if this [Intent] contains a [GetCredentialsRequest] related to an ongoing
+ * [CredentialManager] credential lookup process.
  */
-fun Intent.getFido2GetCredentialsRequestOrNull(): Fido2GetCredentialsRequest? {
+fun Intent.getGetCredentialsRequestOrNull(): GetCredentialsRequest? {
     if (isBuildVersionBelow(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)) return null
 
     val systemRequest = PendingIntentHandler
@@ -75,7 +93,7 @@ fun Intent.getFido2GetCredentialsRequestOrNull(): Fido2GetCredentialsRequest? {
     val userId: String = getStringExtra(EXTRA_KEY_USER_ID)
         ?: return null
 
-    return Fido2GetCredentialsRequest(
+    return GetCredentialsRequest(
         userId = userId,
         requestData = BeginGetCredentialRequest.asBundle(systemRequest),
     )

app/src/main/java/com/x8bit/bitwarden/data/credentials/util/ProviderCreateCredentialRequestExtensions.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.autofill.fido2.util
+package com.x8bit.bitwarden.data.credentials.util
 
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.provider.ProviderCreateCredentialRequest