Update SingleTapPasskeyAuthentication and SingleTapPassskeyCreation to be remote flags (#4639)

Co-authored-by: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>

.github/CODEOWNERS

@@ -5,10 +5,10 @@
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
 # Default file owners.
-* @bitwarden/team-android @brian-livefront @david-livefront @dseverns-livefront @ahaisting-livefront
+* @bitwarden/team-android @brian-livefront @david-livefront @dseverns-livefront @ahaisting-livefront @phil-livefront
 
 # Actions and workflow changes.
-.github/workflows @bitwarden/dept-development-mobile
+.github/ @bitwarden/dept-development-mobile
 
 # Auth
 # app/src/main/java/com/x8bit/bitwarden/data/auth @bitwarden/team-auth-dev

.github/ISSUE_TEMPLATE/bug.yml

@@ -1,4 +1,4 @@
-name: Android Beta Bug Report
+name: Android Bug Report
 description: File a bug report
 labels: [ bug ]
 body:
@@ -7,19 +7,7 @@ body:
       value: |
         Thanks for taking the time to fill out this bug report!
 
-        > [!WARNING]
-        > This is the new native Bitwarden Beta app repository. For the publicly available apps in App Store / Play Store, submit your report in [bitwarden/mobile](https://github.com/bitwarden/mobile)
-
-
         Please do not submit feature requests. The [Community Forums](https://community.bitwarden.com) has a section for submitting, voting for, and discussing product feature requests.
-  - type: checkboxes
-    id: beta
-    attributes:
-      label: Bitwarden Beta
-      options:
-        - label: "I'm using the new native Bitwarden Beta app and I'm aware that legacy .NET app bugs should be reported in [bitwarden/mobile](https://github.com/bitwarden/mobile)"
-    validations:
-      required: true
   - type: textarea
     id: reproduce
     attributes:
@@ -63,6 +51,22 @@ body:
       description: What version of our software are you running?
     validations:
       required: true
+  - type: dropdown
+    id: server-region
+    attributes:
+      label: What server are you connecting to?
+      options:
+        - US
+        - EU
+        - Self-host
+        - N/A
+    validations:
+      required: true
+  - type: input
+    id: server-version
+    attributes:
+      label: Self-host Server Version
+      description: If self-hosting, what version of Bitwarden Server are you running?
   - type: textarea
     id: environment-details
     attributes:

.github/ISSUE_TEMPLATE/config.yml

@@ -15,3 +15,5 @@ contact_links:
   - name: Security Issues
     url: https://hackerone.com/bitwarden
     about: We use HackerOne to manage security disclosures.
+  - name: Report mobile autofill failure
+    url: https://docs.google.com/forms/d/e/1FAIpQLScMopHyN7KGJs8hW562VTzbIGL4KcFnx0wJcsW0GYE1BnPiGA/viewform

.github/workflows/build.yml

@@ -37,13 +37,13 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -53,7 +53,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -62,13 +62,13 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1.196.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -85,7 +85,7 @@ jobs:
         run: bundle exec fastlane assembleDebugApks
 
       - name: Upload test reports on failure
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: failure()
         with:
           name: test-reports
@@ -103,10 +103,10 @@ jobs:
         artifact: ["apk", "aab"]
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1.196.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -157,10 +157,10 @@ jobs:
           --name app_play_prod_firebase-creds.json --file ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -170,7 +170,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -179,11 +179,20 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
+      - name: Update app CI Build info
+        run: |
+          ./scripts/update_app_ci_build_info.sh \
+          $GITHUB_REPOSITORY \
+          $GITHUB_REF_NAME \
+          $GITHUB_SHA \
+          $GITHUB_RUN_ID \
+          $GITHUB_RUN_ATTEMPT
+
       - name: Increment version
         run: |
           DEFAULT_VERSION_CODE=$((11000+$GITHUB_RUN_NUMBER))
@@ -244,78 +253,78 @@ jobs:
 
       - name: Upload release Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.aab
-          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden-standard-release.aab
+          path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab
           if-no-files-found: error
 
       - name: Upload beta Play Store .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.aab
-          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden-standard-beta.aab
+          path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab
           if-no-files-found: error
 
       - name: Upload release .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.apk
-          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden-standard-release.apk
+          path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk
           if-no-files-found: error
 
       - name: Upload beta .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.apk
-          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden-standard-beta.apk
+          path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk
           if-no-files-found: error
 
       # When building variants other than 'prod'
       - name: Upload debug .apk artifact
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.${{ matrix.variant }}.apk
-          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden-standard-debug.apk
+          path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk
           if-no-files-found: error
 
       - name: Create checksum for release .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/release/com.x8bit.bitwarden-standard-release.apk" \
+          sha256sum "app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk" \
             > ./com.x8bit.bitwarden.apk-sha256.txt
 
       - name: Create checksum for beta .apk artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/beta/com.x8bit.bitwarden-standard-beta.apk" \
+          sha256sum "app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk" \
             > ./com.x8bit.bitwarden.beta.apk-sha256.txt
 
       - name: Create checksum for release .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
         run: |
-          sha256sum "app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden-standard-release.aab" \
+          sha256sum "app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab" \
             > ./com.x8bit.bitwarden.aab-sha256.txt
 
       - name: Create checksum for beta .aab artifact
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
         run: |
-          sha256sum "app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden-standard-beta.aab" \
+          sha256sum "app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab" \
             > ./com.x8bit.bitwarden.beta.aab-sha256.txt
 
       - name: Create checksum for Debug .apk artifact
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
         run: |
-          sha256sum "app/build/outputs/apk/standard/debug/com.x8bit.bitwarden-standard-debug.apk" \
+          sha256sum "app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk" \
            > ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
 
       - name: Upload .apk SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.apk-sha256.txt
           path: ./com.x8bit.bitwarden.apk-sha256.txt
@@ -323,7 +332,7 @@ jobs:
 
       - name: Upload .apk SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.apk-sha256.txt
           path: ./com.x8bit.bitwarden.beta.apk-sha256.txt
@@ -331,7 +340,7 @@ jobs:
 
       - name: Upload .aab SHA file for release
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.aab-sha256.txt
           path: ./com.x8bit.bitwarden.aab-sha256.txt
@@ -339,7 +348,7 @@ jobs:
 
       - name: Upload .aab SHA file for beta
         if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta.aab-sha256.txt
           path: ./com.x8bit.bitwarden.beta.aab-sha256.txt
@@ -347,7 +356,7 @@ jobs:
 
       - name: Upload .apk SHA file for debug
         if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
           path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt
@@ -382,7 +391,9 @@ jobs:
 
       - name: Publish Play Store bundle
         if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && (inputs.publish-to-play-store || github.ref_name == 'main') }}
-        run: bundle exec fastlane publishBetaToPlayStore
+        run: |
+          bundle exec fastlane publishProdToPlayStore
+          bundle exec fastlane publishBetaToPlayStore
 
   publish_fdroid:
     name: Publish F-Droid artifacts
@@ -391,10 +402,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1.196.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
@@ -431,10 +442,10 @@ jobs:
           --name app_fdroid_firebase-creds.json --file ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json --output none
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -444,7 +455,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -453,19 +464,35 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure JDK
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
 
+      - name: Update app CI Build info
+        run: |
+          ./scripts/update_app_ci_build_info.sh \
+          $GITHUB_REPOSITORY \
+          $GITHUB_REF_NAME \
+          $GITHUB_SHA \
+          $GITHUB_RUN_ID \
+          $GITHUB_RUN_ATTEMPT
+
       # Start from 11000 to prevent collisions with mobile build version codes
       - name: Increment version
         run: |
           DEFAULT_VERSION_CODE=$((11000+$GITHUB_RUN_NUMBER))
+          VERSION_CODE="${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }}"
           bundle exec fastlane setBuildVersionInfo \
-          versionCode:${{ inputs.version-code || '$DEFAULT_VERSION_CODE' }} \
+          versionCode:$VERSION_CODE \
           versionName:${{ inputs.version-name || '' }}
 
+          regex='versionName = "([^"]+)"'
+          if [[ "$(cat app/build.gradle.kts)" =~ $regex ]]; then
+            VERSION_NAME="${BASH_REMATCH[1]}"
+          fi
+          echo "Version Name: ${VERSION_NAME}" >> $GITHUB_STEP_SUMMARY
+          echo "Version Number: $VERSION_CODE" >> $GITHUB_STEP_SUMMARY
       - name: Generate F-Droid artifacts
         env:
           FDROID_STORE_PASSWORD: ${{ secrets.FDROID_KEYSTORE_PASSWORD }}
@@ -488,49 +515,49 @@ jobs:
           keyPassword:"${{ env.FDROID_BETA_KEY_PASSWORD }}"
 
       - name: Upload F-Droid .apk artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden-fdroid.apk
-          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid-release.apk
+          path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk
           if-no-files-found: error
 
       - name: Create checksum for F-Droid artifact
         run: |
-          sha256sum "app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid-release.apk" \
+          sha256sum "app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk" \
           > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid SHA file
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden-fdroid.apk-sha256.txt
           path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt
           if-no-files-found: error
 
       - name: Upload F-Droid Beta .apk artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta-fdroid.apk
-          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden-fdroid-beta.apk
+          path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk
           if-no-files-found: error
 
       - name: Create checksum for F-Droid Beta artifact
         run: |
-          sha256sum "app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden-fdroid-beta.apk" \
+          sha256sum "app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk" \
           > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
 
       - name: Upload F-Droid Beta SHA file
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
           path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt
           if-no-files-found: error
 
       - name: Install Firebase app distribution plugin
-        if: ${{ inputs.distribute_to_firebase || github.event_name == 'push' }}
+        if: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
         run: bundle exec fastlane add_plugin firebase_app_distribution
 
       - name: Publish release F-Droid artifacts to Firebase
-        if: ${{ inputs.distribute_to_firebase || github.event_name == 'push' }}
+        if: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }}
         env:
           APP_FDROID_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json
         run: |

.github/workflows/crowdin-pull.yml

@@ -2,7 +2,7 @@ name: Crowdin Sync
 
 on:
   workflow_dispatch:
-    inputs: { }
+    inputs: {}
   schedule:
     - cron: '0 0 * * 5'
 
@@ -14,7 +14,7 @@ jobs:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -28,10 +28,17 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+
       - name: Download translations
-        uses: crowdin/github-action@95d6e895e871c3c7acf0cfb962f296baa41e63c6 # v2.2.0
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
         with:
           config: crowdin.yml

.github/workflows/crowdin-push.yml

@@ -14,7 +14,7 @@ jobs:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Log in to Azure
         uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
@@ -23,13 +23,13 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@2bd1450c2cdb2a8ac886232b8589696f22794229 # v0.2.0
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: "bitwarden-ci"
           secrets: "crowdin-api-token"
 
       - name: Upload sources
-        uses: crowdin/github-action@95d6e895e871c3c7acf0cfb962f296baa41e63c6 # v2.2.0
+        uses: crowdin/github-action@d1632879d4d4da358f2d040f79fa094571c9a649 # v2.5.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/github-release.yml

@@ -0,0 +1,129 @@
+name: Create GitHub Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-name:
+        description: 'Version Name - E.g. "2024.11.1"'
+        required: true
+        type: string
+      version-number:
+        description: 'Version Number - E.g. "123456"'
+        required: true
+        type: string
+      artifact-run-id:
+        description: 'GitHub Action Run ID containing artifacts'
+        required: true
+        type: string
+      draft:
+        description: 'Create as draft release'
+        type: boolean
+        default: true
+      prerelease:
+        description: 'Mark as pre-release'
+        type: boolean
+        default: true
+      make-latest:
+        description: 'Set as the latest release'
+        type: boolean
+      branch-protection-type:
+        description: 'Branch protection type'
+        type: choice
+        options:
+          - Branch Name
+          - GitHub API
+        default: Branch Name
+env:
+    ARTIFACTS_PATH: artifacts
+jobs:
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      actions: read
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get branch from workflow run
+        id: get_release_branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+          BRANCH_PROTECTION_TYPE: ${{ inputs.branch-protection-type }}
+        run: |
+          release_branch=$(gh run view $ARTIFACT_RUN_ID --json headBranch -q .headBranch)
+
+          case "$BRANCH_PROTECTION_TYPE" in
+            "Branch Name")
+              if [[ "$release_branch" != "main" && ! "$release_branch" =~ ^release/ ]]; then
+                echo "::error::Branch '$release_branch' is not 'main' or a release branch starting with 'release/'. Releases must be created from protected branches."
+                exit 1
+              fi
+              ;;
+            "GitHub API")
+              #NOTE requires token with "administration:read" scope
+              if ! gh api "repos/${{ github.repository }}/branches/$release_branch/protection" | grep -q "required_status_checks"; then
+                echo "::error::Branch '$release_branch' is not protected. Releases must be created from protected branches. If that's not correct, confirm if the github token user has the 'administration:read' scope."
+                exit 1
+              fi
+              ;;
+            *)
+              echo "::error::Unsupported branch protection type: $BRANCH_PROTECTION_TYPE"
+              exit 1
+              ;;
+          esac
+
+          echo "release_branch=$release_branch" >> $GITHUB_OUTPUT
+
+      - name: Download artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+        run: |
+          gh run download $ARTIFACT_RUN_ID -D $ARTIFACTS_PATH
+          file_count=$(find $ARTIFACTS_PATH -type f | wc -l)
+          echo "Downloaded $file_count file(s)."
+          if [ "$file_count" -gt 0 ]; then
+            echo "Downloaded files:"
+            find $ARTIFACTS_PATH -type f
+          fi
+
+      - name: Create Release
+        id: create_release
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        with:
+          tag_name: "v${{ inputs.version-name }}"
+          name: "${{ inputs.version-name }} (${{ inputs.version-number }})"
+          prerelease: ${{ inputs.prerelease }}
+          draft: ${{ inputs.draft }}
+          make_latest: ${{ inputs.make-latest }}
+          target_commitish: ${{ steps.get_release_branch.outputs.release_branch }}
+          generate_release_notes: true
+          files: |
+            artifacts/**/*
+
+      - name: Update Release Description
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_ID: ${{ steps.create_release.outputs.id }}
+          RELEASE_URL: ${{ steps.create_release.outputs.url }}
+          ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }}
+        run: |
+          # Get current release body
+          current_body=$(gh api /repos/${{ github.repository }}/releases/$RELEASE_ID --jq .body)
+
+          # Append build source to the end
+          updated_body="${current_body}
+          **Builds Source:** https://github.com/${{ github.repository }}/actions/runs/$ARTIFACT_RUN_ID"
+
+          # Update release
+          gh api --method PATCH /repos/${{ github.repository }}/releases/$RELEASE_ID \
+            -f body="$updated_body"
+
+          echo "# :rocket: Release ready at:" >> $GITHUB_STEP_SUMMARY
+          echo "$RELEASE_URL" >> $GITHUB_STEP_SUMMARY

.github/workflows/release-branch.yml

@@ -0,0 +1,58 @@
+name: Cut Release Branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Release Type'
+        required: true
+        type: choice
+        options:
+          - RC
+          - Hotfix
+
+jobs:
+  create-release-branch:
+    name: Create Release Branch
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Create RC Branch
+        if: inputs.release_type == 'RC'
+        env:
+          RC_PREFIX_DATE: "true" # replace with input if needed
+        run: |
+          if [ "$RC_PREFIX_DATE" = "true" ]; then
+            current_date=$(date +'%Y.%m')
+            branch_name="release/${current_date}-rc${{ github.run_number }}"
+          else
+            branch_name="release/rc${{ github.run_number }}"
+          fi
+          git switch main
+          git switch -c $branch_name
+          git push origin $branch_name
+          echo "# :cherry_blossom: RC branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Create Hotfix Branch
+        if: inputs.release_type == 'Hotfix'
+        run: |
+          latest_tag=$(git tag -l --sort=-creatordate | head -n 1)
+          if [ -z "$latest_tag" ]; then
+            echo "::error::No tags found in the repository"
+            exit 1
+          fi
+          branch_name="release/hotfix-${latest_tag}"
+          echo "🌿 branch name: $branch_name"
+          if git show-ref --verify --quiet "refs/remotes/origin/$branch_name"; then
+            echo "# :fire: :warning: Hotfix branch already exists: ${branch_name}" >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+          git switch -c $branch_name $latest_tag
+          git push origin $branch_name
+          echo "# :fire: Hotfix branch: ${branch_name}" >> $GITHUB_STEP_SUMMARY

.github/workflows/scan-ci.yml

@@ -0,0 +1,60 @@
+name: Scan Protected Branches On Push
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+
+jobs:
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path .
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}

.github/workflows/scan.yml

@@ -1,12 +1,7 @@
-name: Scan
+name: Scan Pull Requests
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "rc"
-      - "hotfix-rc"
   pull_request_target:
     types: [opened, synchronize]
   merge_group:
@@ -28,12 +23,12 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # 2.0.36
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -48,7 +43,7 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: cx_result.sarif
 
@@ -62,16 +57,15 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with SonarCloud
-        uses: sonarsource/sonarcloud-github-action@383f7e52eae3ab0510c3cb0e7d9d150bbaeab838 # v3.1.0
+        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: >
             -Dsonar.organization=${{ github.repository_owner }}

.github/workflows/test.yml

@@ -6,42 +6,33 @@ on:
       - "main"
       - "rc"
       - "hotfix-rc"
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
   merge_group:
     type: [checks_requested]
   workflow_dispatch:
 
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  JAVA_VERSION: 17
+  _JAVA_VERSION: 17
+  _GITHUB_ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}
+
 
 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
   test:
     name: Test
     runs-on: ubuntu-24.04
-    needs: check-run
     permissions:
-      contents: read
-      issues: write
       packages: read
-      pull-requests: write
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-        with:
-          ref: ${{  github.event.pull_request.head.sha }}
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
 
       - name: Cache Gradle files
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/.gradle/caches
@@ -51,7 +42,7 @@ jobs:
             ${{ runner.os }}-gradle-v2-
 
       - name: Cache build output
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ${{ github.workspace }}/build-cache
@@ -60,15 +51,15 @@ jobs:
             ${{ runner.os }}-build-
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1.196.0
+        uses: ruby/setup-ruby@28c4deda893d5a96a6b2d958c5b47fc18d65c9d3 # v1.213.0
         with:
           bundler-cache: true
 
       - name: Configure JDK
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: "temurin"
-          java-version: ${{ env.JAVA_VERSION }}
+          java-version: ${{ env._JAVA_VERSION }}
 
       - name: Install Fastlane
         run: |
@@ -77,19 +68,56 @@ jobs:
           bundle install --jobs 4 --retry 3
 
       - name: Build and test
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in settings.gradle.kts to download the SDK from GitHub Maven Packages
         run: |
           bundle exec fastlane check
 
-      - name: Upload test reports on failure
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: failure()
+      - name: Upload test reports
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: always()
+        with:
+          name: test-reports
+          path: |
+            app/build/reports/tests/
+            app/build/reports/kover/reportStandardDebug.xml
+
+  report:
+    name: Process Test Reports
+    needs: test
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    if: success()
+
+    steps:
+      - name: Download test artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: test-reports
-          path: app/build/reports/tests/
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        id: upload-to-codecov
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
+        continue-on-error: true
         with:
-          file: app/build/reports/kover/reportStandardDebug.xml
+          os: linux
+          files: kover/reportStandardDebug.xml
+          fail_ci_if_error: true
+
+      - name: Comment PR if tests failed
+        if: steps.upload-to-codecov.outcome == 'failure'
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+            PR_NUMBER: ${{ github.event.number }}
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            RUN_ACTOR: ${{ github.triggering_actor }}
+        run: |
+          echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+          echo "> Uploading code coverage report failed. Please check the \"Upload to codecov.io\" step of \"Process Test Reports\" job for more details." >> $GITHUB_STEP_SUMMARY
+
+          if [ ! -z "$PR_NUMBER" ]; then
+            message=$'> [!WARNING]\n> @'$RUN_ACTOR' Uploading code coverage report failed. Please check the "Upload to codecov.io" step of [Process Test Reports job]('$_GITHUB_ACTION_RUN_URL') for more details.'
+            gh pr comment --repo $GITHUB_REPOSITORY $PR_NUMBER --body "$message"
+          fi

Gemfile.lock

@@ -10,20 +10,20 @@ GEM
     artifactory (3.0.17)
     atomos (0.1.3)
     aws-eventstream (1.3.0)
-    aws-partitions (1.989.0)
-    aws-sdk-core (3.209.1)
+    aws-partitions (1.1040.0)
+    aws-sdk-core (3.216.0)
       aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
+      aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.94.0)
-      aws-sdk-core (~> 3, >= 3.207.0)
+    aws-sdk-kms (1.97.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.167.0)
-      aws-sdk-core (~> 3, >= 3.207.0)
+    aws-sdk-s3 (1.178.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.10.0)
+    aws-sigv4 (1.11.0)
       aws-eventstream (~> 1, >= 1.0.2)
     babosa (1.0.4)
     base64 (0.2.0)
@@ -32,7 +32,7 @@ GEM
     colored2 (3.1.2)
     commander (4.6.0)
       highline (~> 2.0.0)
-    date (3.3.4)
+    date (3.4.1)
     declarative (0.0.20)
     digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
@@ -59,8 +59,8 @@ GEM
     faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
+    faraday-multipart (1.1.0)
+      multipart-post (~> 2.0)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
@@ -68,8 +68,8 @@ GEM
     faraday-retry (1.0.3)
     faraday_middleware (1.2.1)
       faraday (~> 1.0)
-    fastimage (2.3.1)
-    fastlane (2.224.0)
+    fastimage (2.4.0)
+    fastlane (2.226.0)
       CFPropertyList (>= 2.3, < 4.0.0)
       addressable (>= 2.8, < 3.0.0)
       artifactory (~> 3.0)
@@ -85,6 +85,7 @@ GEM
       faraday-cookie_jar (~> 0.0.6)
       faraday_middleware (~> 1.0)
       fastimage (>= 2.1.0, < 3.0.0)
+      fastlane-sirp (>= 1.0.0)
       gh_inspector (>= 1.1.2, < 2.0.0)
       google-apis-androidpublisher_v3 (~> 0.3)
       google-apis-playcustomapp_v1 (~> 0.1)
@@ -108,11 +109,13 @@ GEM
       tty-spinner (>= 0.8.0, < 1.0.0)
       word_wrap (~> 1.0.0)
       xcodeproj (>= 1.13.0, < 2.0.0)
-      xcpretty (~> 0.3.0)
+      xcpretty (~> 0.4.0)
       xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
-    fastlane-plugin-firebase_app_distribution (0.9.1)
+    fastlane-plugin-firebase_app_distribution (0.10.0)
       google-apis-firebaseappdistribution_v1 (~> 0.3.0)
       google-apis-firebaseappdistribution_v1alpha (~> 0.2.0)
+    fastlane-sirp (1.0.0)
+      sysrandom (~> 1.0)
     gh_inspector (1.1.3)
     google-apis-androidpublisher_v3 (0.54.0)
       google-apis-core (>= 0.11.0, < 2.a)
@@ -155,23 +158,23 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     highline (2.0.3)
-    http-cookie (1.0.7)
+    http-cookie (1.0.8)
       domain_name (~> 0.5)
     httpclient (2.8.3)
     jmespath (1.6.2)
-    json (2.7.2)
-    jwt (2.9.3)
+    json (2.9.1)
+    jwt (2.10.1)
       base64
     mini_magick (4.13.2)
     mini_mime (1.1.5)
     multi_json (1.15.0)
     multipart-post (2.4.1)
-    nanaimo (0.3.0)
+    nanaimo (0.4.0)
     naturally (2.2.1)
     nkf (0.2.0)
-    optparse (0.5.0)
+    optparse (0.6.0)
     os (1.1.4)
-    plist (3.7.1)
+    plist (3.7.2)
     public_suffix (6.0.1)
     rake (13.2.1)
     representable (3.2.0)
@@ -179,10 +182,10 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.3.8)
-    rouge (2.0.7)
+    rexml (3.4.0)
+    rouge (3.28.0)
     ruby2_keywords (0.0.5)
-    rubyzip (2.3.2)
+    rubyzip (2.4.1)
     security (0.1.5)
     signet (0.19.0)
       addressable (~> 2.8)
@@ -192,10 +195,11 @@ GEM
     simctl (1.6.10)
       CFPropertyList
       naturally
+    sysrandom (1.0.5)
     terminal-notifier (2.0.0)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
-    time (0.4.0)
+    time (0.4.1)
       date
     trailblazer-option (0.1.2)
     tty-cursor (0.7.1)
@@ -205,15 +209,15 @@ GEM
     uber (0.1.0)
     unicode-display_width (2.6.0)
     word_wrap (1.0.0)
-    xcodeproj (1.25.1)
+    xcodeproj (1.27.0)
       CFPropertyList (>= 2.3.3, < 4.0)
       atomos (~> 0.1.3)
       claide (>= 1.0.2, < 2.0)
       colored2 (~> 3.1)
-      nanaimo (~> 0.3.0)
+      nanaimo (~> 0.4.0)
       rexml (>= 3.3.6, < 4.0)
-    xcpretty (0.3.0)
-      rouge (~> 2.0.7)
+    xcpretty (0.4.0)
+      rouge (~> 3.28.0)
     xcpretty-travis-formatter (1.0.1)
       xcpretty (~> 0.2, >= 0.0.7)
 

README.md

@@ -1,7 +1,4 @@
-# Bitwarden Android (BETA)
-
-> [!TIP]
-> This repo has the new native Android app, currently in [Beta](https://community.bitwarden.com/t/about-the-beta-program/39185). Looking for the legacy .NET MAUI apps? Head on over to [bitwarden/mobile](https://github.com/bitwarden/mobile)
+# Bitwarden Android
 
 ## Contents
 
@@ -12,7 +9,7 @@
 ## Compatibility
 
 - **Minimum SDK**: 29
-- **Target SDK**: 34
+- **Target SDK**: 35
 - **Device Types Supported**: Phone and Tablet
 - **Orientations Supported**: Portrait and Landscape
 
@@ -135,6 +132,11 @@ The following is a list of all third-party dependencies included as part of the
     - https://github.com/firebase/firebase-android-sdk
     - Purpose: SDK for crash and non-fatal error reporting. (**NOTE:** This dependency is not included in builds distributed via F-Droid.)
     - License: Apache 2.0
+  
+- **Google Play Reviews**
+  - https://developer.android.com/reference/com/google/android/play/core/release-notes
+  - Purpose: On standard builds provide an interface to add a review for the password manager application in Google Play.
+  - License: Apache 2.0
 
 - **Glide**
     - https://github.com/bumptech/glide

app/build.gradle.kts

@@ -1,6 +1,9 @@
+import com.android.build.gradle.internal.api.BaseVariantOutputImpl
+import com.android.utils.cxx.io.removeExtensionIfPresent
 import com.google.firebase.crashlytics.buildtools.gradle.tasks.InjectMappingFileIdTask
 import com.google.firebase.crashlytics.buildtools.gradle.tasks.UploadMappingFileTask
 import com.google.gms.googleservices.GoogleServicesTask
+import dagger.hilt.android.plugin.util.capitalize
 import org.jetbrains.kotlin.gradle.dsl.JvmTarget
 import java.io.FileInputStream
 import java.util.Properties
@@ -32,6 +35,16 @@ val userProperties = Properties().apply {
     }
 }
 
+/**
+ * Loads CI-specific build properties that are not checked into source control.
+ */
+val ciProperties = Properties().apply {
+    val ciPropsFile = File(rootDir, "ci.properties")
+    if (ciPropsFile.exists()) {
+        FileInputStream(ciPropsFile).use { load(it) }
+    }
+}
+
 android {
     namespace = "com.x8bit.bitwarden"
     compileSdk = libs.versions.compileSdk.get().toInt()
@@ -51,6 +64,12 @@ android {
         }
 
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
+
+        buildConfigField(
+            type = "String",
+            name = "CI_INFO",
+            value = "${ciProperties.getOrDefault("ci.info", "\"local\"")}"
+        )
     }
 
     androidResources {
@@ -115,6 +134,39 @@ android {
         }
     }
 
+    applicationVariants.all {
+        val bundlesDir = "${layout.buildDirectory.get()}/outputs/bundle"
+        outputs
+            .mapNotNull { it as? BaseVariantOutputImpl }
+            .forEach { output ->
+                val fileNameWithoutExtension = when (flavorName) {
+                    "fdroid" -> "$applicationId-$flavorName"
+                    "standard" -> "$applicationId"
+                    else -> output.outputFileName.removeExtensionIfPresent(".apk")
+                }
+
+                // Set the APK output filename.
+                output.outputFileName = "$fileNameWithoutExtension.apk"
+
+                val variantName = name
+                val renameTaskName = "rename${variantName.capitalize()}AabFiles"
+                tasks.register(renameTaskName) {
+                    group = "build"
+                    description = "Renames the bundle files for $variantName variant"
+                    doLast {
+                        renameFile(
+                            "$bundlesDir/$variantName/$namespace-$flavorName-${buildType.name}.aab",
+                            "$fileNameWithoutExtension.aab",
+                        )
+                    }
+                }
+                // Force renaming task to execute after the variant is built.
+                tasks
+                    .getByName("bundle${variantName.capitalize()}")
+                    .finalizedBy(renameTaskName)
+            }
+    }
+
     compileOptions {
         sourceCompatibility(libs.versions.jvmTarget.get())
         targetCompatibility(libs.versions.jvmTarget.get())
@@ -135,7 +187,10 @@ android {
         unitTests.isReturnDefaultValues = true
     }
     lint {
-        disable.add("MissingTranslation")
+        disable += listOf(
+            "MissingTranslation",
+            "ExtraTranslation",
+        )
     }
 }
 
@@ -159,8 +214,7 @@ dependencies {
         add("standardImplementation", dependencyNotation)
     }
 
-    // TODO: this should use a versioned AAR instead of referencing a local AAR BITAU-94
-    implementation(files("libs/authenticatorbridge-0.1.0-SNAPSHOT-release.aar"))
+    implementation(files("libs/authenticatorbridge-1.0.0-release.aar"))
 
     implementation(libs.androidx.activity.compose)
     implementation(libs.androidx.appcompat)
@@ -214,6 +268,7 @@ dependencies {
     standardImplementation(libs.google.firebase.cloud.messaging)
     standardImplementation(platform(libs.google.firebase.bom))
     standardImplementation(libs.google.firebase.crashlytics)
+    standardImplementation(libs.google.play.review)
 
     testImplementation(libs.androidx.compose.ui.test)
     testImplementation(libs.google.hilt.android.testing)
@@ -296,6 +351,10 @@ tasks {
         dependsOn("detekt")
     }
 
+    getByName("sonar") {
+        dependsOn("check")
+    }
+
     withType<io.gitlab.arturbosch.detekt.Detekt>().configureEach {
         jvmTarget = libs.versions.jvmTarget.get()
     }
@@ -308,15 +367,16 @@ tasks {
         maxHeapSize = "2g"
         maxParallelForks = Runtime.getRuntime().availableProcessors()
         jvmArgs = jvmArgs.orEmpty() + "-XX:+UseParallelGC"
+        android.sourceSets["main"].res.srcDirs("src/test/res")
     }
 }
 
 afterEvaluate {
     // Disable Fdroid-specific tasks that we want to exclude
-    val tasks = tasks.withType<GoogleServicesTask>() +
+    val fdroidTasksToDisable = tasks.withType<GoogleServicesTask>() +
         tasks.withType<InjectMappingFileIdTask>() +
         tasks.withType<UploadMappingFileTask>()
-    tasks
+    fdroidTasksToDisable
         .filter { it.name.contains("Fdroid") }
         .forEach { it.enabled = false }
 }
@@ -333,8 +393,17 @@ sonar {
     }
 }
 
-tasks {
-    getByName("sonar") {
-        dependsOn("check")
+private fun renameFile(path: String, newName: String) {
+    val originalFile = File(path)
+    if (!originalFile.exists()) {
+        println("File $originalFile does not exist!")
+        return
+    }
+
+    val newFile = File(originalFile.parentFile, newName)
+    if (originalFile.renameTo(newFile)) {
+        println("Renamed $originalFile to $newFile")
+    } else {
+        throw RuntimeException("Failed to rename $originalFile to $newFile")
     }
 }

app/proguard-rules.pro

@@ -6,6 +6,10 @@
 # we keep it here.
 -keep class com.bitwarden.** { *; }
 
+# The Android Verifier component must be kept because it looks like dead code. Proguard is unable to
+# see any JNI usage, so our rules must manually opt into keeping it.
+-keep, includedescriptorclasses class org.rustls.platformverifier.** { *; }
+
 ################################################################################
 # Bitwarden Models
 ################################################################################

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/4.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 4,
+    "identityHash": "f7906c69e0a2c065d4d3be140fc721b6",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT NOT NULL, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'f7906c69e0a2c065d4d3be140fc721b6')"
+    ]
+  }
+}

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/5.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 5,
+    "identityHash": "ee697e71290c92fe5b607d0b7665481b",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'ee697e71290c92fe5b607d0b7665481b')"
+    ]
+  }
+}

app/schemas/com.x8bit.bitwarden.data.vault.datasource.disk.database.VaultDatabase/6.json

@@ -0,0 +1,256 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 6,
+    "identityHash": "ee158c483edfe5102504670f3d9845d4",
+    "entities": [
+      {
+        "tableName": "ciphers",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `cipher_type` TEXT NOT NULL, `cipher_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherType",
+            "columnName": "cipher_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "cipherJson",
+            "columnName": "cipher_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_ciphers_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_ciphers_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "collections",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `organization_id` TEXT NOT NULL, `should_hide_passwords` INTEGER NOT NULL, `name` TEXT NOT NULL, `external_id` TEXT, `read_only` INTEGER NOT NULL, `manage` INTEGER, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "organizationId",
+            "columnName": "organization_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "shouldHidePasswords",
+            "columnName": "should_hide_passwords",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "externalId",
+            "columnName": "external_id",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "isReadOnly",
+            "columnName": "read_only",
+            "affinity": "INTEGER",
+            "notNull": true
+          },
+          {
+            "fieldPath": "canManage",
+            "columnName": "manage",
+            "affinity": "INTEGER",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_collections_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_collections_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "domains",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`user_id` TEXT NOT NULL, `domains_json` TEXT, PRIMARY KEY(`user_id`))",
+        "fields": [
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "domainsJson",
+            "columnName": "domains_json",
+            "affinity": "TEXT",
+            "notNull": false
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "user_id"
+          ]
+        },
+        "indices": [],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "folders",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `name` TEXT, `revision_date` INTEGER NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "name",
+            "columnName": "name",
+            "affinity": "TEXT",
+            "notNull": false
+          },
+          {
+            "fieldPath": "revisionDate",
+            "columnName": "revision_date",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_folders_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_folders_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      },
+      {
+        "tableName": "sends",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `user_id` TEXT NOT NULL, `send_type` TEXT NOT NULL, `send_json` TEXT NOT NULL, PRIMARY KEY(`id`))",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "userId",
+            "columnName": "user_id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendType",
+            "columnName": "send_type",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "sendJson",
+            "columnName": "send_json",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "id"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_sends_user_id",
+            "unique": false,
+            "columnNames": [
+              "user_id"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_sends_user_id` ON `${TABLE_NAME}` (`user_id`)"
+          }
+        ],
+        "foreignKeys": []
+      }
+    ],
+    "views": [],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, 'ee158c483edfe5102504670f3d9845d4')"
+    ]
+  }
+}

app/src/beta/res/xml/shortcuts.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<shortcuts xmlns:android="http://schemas.android.com/apk/res/android">
+    <shortcut
+        android:enabled="true"
+        android:icon="@mipmap/ic_generator_shortcut"
+        android:shortcutId="bitwarden_password_generator"
+        android:shortcutLongLabel="@string/password_generator"
+        android:shortcutShortLabel="@string/password_generator">
+        <intent
+            android:action="android.intent.action.VIEW"
+            android:data="bitwarden://password_generator"
+            android:targetClass="com.x8bit.bitwarden.MainActivity"
+            android:targetPackage="com.x8bit.bitwarden.beta" />
+    </shortcut>
+    <shortcut
+        android:enabled="true"
+        android:icon="@mipmap/ic_vault_shortcut"
+        android:shortcutId="bitwarden_my_vault"
+        android:shortcutLongLabel="@string/my_vault"
+        android:shortcutShortLabel="@string/my_vault">
+        <intent
+            android:action="android.intent.action.VIEW"
+            android:data="bitwarden://my_vault"
+            android:targetClass="com.x8bit.bitwarden.MainActivity"
+            android:targetPackage="com.x8bit.bitwarden.beta" />
+    </shortcut>
+</shortcuts>

app/src/fdroid/java/com/x8bit/bitwarden/ui/platform/manager/review/AppReviewManagerImpl.kt

@@ -0,0 +1,12 @@
+package com.x8bit.bitwarden.ui.platform.manager.review
+
+import android.app.Activity
+
+/**
+ * No-op implementation of [AppReviewManager] for F-Droid builds.
+ */
+class AppReviewManagerImpl(
+    activity: Activity,
+) : AppReviewManager {
+    override fun promptForReview() = Unit
+}

app/src/main/assets/fido2_privileged_community.json

@@ -1,5 +1,31 @@
 {
   "apps": [
+    {
+      "type": "android",
+      "info": {
+        "package_name": "io.github.forkmaintainers.iceraven",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "9C:0D:22:37:9F:48:7B:70:A4:F9:F8:BE:C0:17:3C:F9:1A:16:44:F0:8F:93:38:5B:5B:78:2C:E3:76:60:BA:81"
+          }
+        ]
+      }
+    },
+
+    {
+      "type": "android",
+      "info": {
+        "package_name": "net.quetta.browser",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "BE:FE:E7:31:12:6A:A5:6E:7E:FD:AE:AF:5E:F3:FA:EA:44:1C:19:CC:E0:CA:EC:42:6B:65:BB:F8:2C:59:46:80"
+          }
+        ]
+      }
+    },
+
     {
       "type": "android",
       "info": {
@@ -24,6 +50,30 @@
         ]
       }
     },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.ironfoxoss.ironfox",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "C5:E2:91:B5:A5:71:F9:C8:CD:9A:97:99:C2:C9:4E:02:EC:97:03:94:88:93:F2:CA:75:6D:67:B9:42:04:F9:04"
+          }
+        ]
+      }
+    },
+    {
+      "type": "android",
+      "info": {
+        "package_name": "org.mozilla.fenix",
+        "signatures": [
+          {
+            "build": "release",
+            "cert_fingerprint_sha256": "50:04:77:90:88:E7:F9:88:D5:BC:5C:C5:F8:79:8F:EB:F4:F8:CD:08:4A:1B:2A:46:EF:D4:C8:EE:4A:EA:F2:11"
+          }
+        ]
+      }
+    },
     {
       "type": "android",
       "info": {
@@ -63,18 +113,6 @@
           }
         ]
       }
-    },
-    {
-      "type": "android",
-      "info": {
-        "package_name": "io.github.forkmaintainers.iceraven",
-        "signatures": [
-          {
-            "build": "release",
-            "cert_fingerprint_sha256": "9C:0D:22:37:9F:48:7B:70:A4:F9:F8:BE:C0:17:3C:F9:1A:16:44:F0:8F:93:38:5B:5B:78:2C:E3:76:60:BA:81"
-          }
-        ]
-      }
     }
   ]
 }

app/src/main/java/com/x8bit/bitwarden/BitwardenApplication.kt

@@ -4,8 +4,8 @@ import android.app.Application
 import com.x8bit.bitwarden.data.auth.manager.AuthRequestNotificationManager
 import com.x8bit.bitwarden.data.platform.annotation.OmitFromCoverage
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
-import com.x8bit.bitwarden.data.platform.manager.NetworkConfigManager
 import com.x8bit.bitwarden.data.platform.manager.event.OrganizationEventManager
+import com.x8bit.bitwarden.data.platform.manager.network.NetworkConfigManager
 import com.x8bit.bitwarden.data.platform.manager.restriction.RestrictionManager
 import dagger.hilt.android.HiltAndroidApp
 import javax.inject.Inject

app/src/main/java/com/x8bit/bitwarden/MainActivity.kt

@@ -15,7 +15,6 @@ import androidx.core.os.LocaleListCompat
 import androidx.core.splashscreen.SplashScreen.Companion.installSplashScreen
 import androidx.lifecycle.compose.collectAsStateWithLifecycle
 import androidx.navigation.compose.rememberNavController
-import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityActivityManager
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityCompletionManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillActivityManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillCompletionManager
@@ -39,9 +38,6 @@ class MainActivity : AppCompatActivity() {
 
     private val mainViewModel: MainViewModel by viewModels()
 
-    @Inject
-    lateinit var accessibilityActivityManager: AccessibilityActivityManager
-
     @Inject
     lateinit var autofillActivityManager: AutofillActivityManager
 
@@ -70,13 +66,14 @@ class MainActivity : AppCompatActivity() {
             )
         }
 
-        // Within the app the language will change dynamically and will be managed
-        // by the OS, but we need to ensure we properly set the language when
-        // upgrading from older versions that handle this differently.
+        // Within the app the language and theme will change dynamically and will be managed by the
+        // OS, but we need to ensure we properly set the values when upgrading from older versions
+        // that handle this differently or when the activity restarts.
         settingsRepository.appLanguage.localeName?.let { localeName ->
             val localeList = LocaleListCompat.forLanguageTags(localeName)
             AppCompatDelegate.setApplicationLocales(localeList)
         }
+        AppCompatDelegate.setDefaultNightMode(settingsRepository.appTheme.osValue)
         setContent {
             val state by mainViewModel.stateFlow.collectAsStateWithLifecycle()
             val navController = rememberNavController()
@@ -98,6 +95,16 @@ class MainActivity : AppCompatActivity() {
                             )
                             .show()
                     }
+
+                    is MainEvent.UpdateAppLocale -> {
+                        AppCompatDelegate.setApplicationLocales(
+                            LocaleListCompat.forLanguageTags(event.localeName),
+                        )
+                    }
+
+                    is MainEvent.UpdateAppTheme -> {
+                        AppCompatDelegate.setDefaultNightMode(event.osTheme)
+                    }
                 }
             }
             updateScreenCapture(isScreenCaptureAllowed = state.isScreenCaptureAllowed)

app/src/main/java/com/x8bit/bitwarden/MainViewModel.kt

@@ -13,7 +13,7 @@ import com.x8bit.bitwarden.data.auth.util.getPasswordlessRequestDataIntentOrNull
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilitySelectionManager
 import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
 import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2AssertionRequestOrNull
-import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2CredentialRequestOrNull
+import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2CreateCredentialRequestOrNull
 import com.x8bit.bitwarden.data.autofill.fido2.util.getFido2GetCredentialsRequestOrNull
 import com.x8bit.bitwarden.data.autofill.manager.AutofillSelectionManager
 import com.x8bit.bitwarden.data.autofill.util.getAutofillSaveItemOrNull
@@ -108,6 +108,11 @@ class MainViewModel @Inject constructor(
             .appThemeStateFlow
             .onEach { trySendAction(MainAction.Internal.ThemeUpdate(it)) }
             .launchIn(viewModelScope)
+        settingsRepository
+            .appLanguageStateFlow
+            .map { MainEvent.UpdateAppLocale(it.localeName) }
+            .onEach(::sendEvent)
+            .launchIn(viewModelScope)
 
         settingsRepository
             .isScreenCaptureAllowedStateFlow
@@ -190,12 +195,14 @@ class MainViewModel @Inject constructor(
     private fun handleAccessibilitySelectionReceive(
         action: MainAction.Internal.AccessibilitySelectionReceive,
     ) {
+        specialCircumstanceManager.specialCircumstance = null
         sendEvent(MainEvent.CompleteAccessibilityAutofill(cipherView = action.cipherView))
     }
 
     private fun handleAutofillSelectionReceive(
         action: MainAction.Internal.AutofillSelectionReceive,
     ) {
+        specialCircumstanceManager.specialCircumstance = null
         sendEvent(MainEvent.CompleteAutofill(cipherView = action.cipherView))
     }
 
@@ -209,6 +216,7 @@ class MainViewModel @Inject constructor(
 
     private fun handleAppThemeUpdated(action: MainAction.Internal.ThemeUpdate) {
         mutableStateFlow.update { it.copy(theme = action.theme) }
+        sendEvent(MainEvent.UpdateAppTheme(osTheme = action.theme.osValue))
     }
 
     private fun handleVaultUnlockStateChange() {
@@ -255,7 +263,7 @@ class MainViewModel @Inject constructor(
         val hasGeneratorShortcut = intent.isPasswordGeneratorShortcut
         val hasVaultShortcut = intent.isMyVaultShortcut
         val hasAccountSecurityShortcut = intent.isAccountSecurityShortcut
-        val fido2CredentialRequestData = intent.getFido2CredentialRequestOrNull()
+        val fido2CreateCredentialRequestData = intent.getFido2CreateCredentialRequestOrNull()
         val completeRegistrationData = intent.getCompleteRegistrationDataIntentOrNull()
         val fido2CredentialAssertionRequest = intent.getFido2AssertionRequestOrNull()
         val fido2GetCredentialsRequest = intent.getFido2GetCredentialsRequestOrNull()
@@ -316,25 +324,30 @@ class MainViewModel @Inject constructor(
                     )
             }
 
-            fido2CredentialRequestData != null -> {
+            fido2CreateCredentialRequestData != null -> {
                 // Set the user's verification status when a new FIDO 2 request is received to force
                 // explicit verification if the user's vault is unlocked when the request is
                 // received.
-                fido2CredentialManager.isUserVerified = false
+                fido2CredentialManager.isUserVerified =
+                    fido2CreateCredentialRequestData.isUserVerified
+                        ?: fido2CredentialManager.isUserVerified
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.Fido2Save(
-                        fido2CredentialRequest = fido2CredentialRequestData,
+                        fido2CreateCredentialRequest = fido2CreateCredentialRequestData,
                     )
 
                 // Switch accounts if the selected user is not the active user.
                 if (authRepository.activeUserId != null &&
-                    authRepository.activeUserId != fido2CredentialRequestData.userId
+                    authRepository.activeUserId != fido2CreateCredentialRequestData.userId
                 ) {
-                    authRepository.switchAccount(fido2CredentialRequestData.userId)
+                    authRepository.switchAccount(fido2CreateCredentialRequestData.userId)
                 }
             }
 
             fido2CredentialAssertionRequest != null -> {
+                fido2CredentialManager.isUserVerified =
+                    fido2CredentialAssertionRequest.isUserVerified
+                        ?: false
                 specialCircumstanceManager.specialCircumstance =
                     SpecialCircumstance.Fido2Assertion(
                         fido2AssertionRequest = fido2CredentialAssertionRequest,
@@ -516,4 +529,18 @@ sealed class MainEvent {
      * Show a toast with the given [message].
      */
     data class ShowToast(val message: Text) : MainEvent()
+
+    /**
+     * Indicates that the app language has been updated.
+     */
+    data class UpdateAppLocale(
+        val localeName: String?,
+    ) : MainEvent()
+
+    /**
+     * Indicates that the app theme has been updated.
+     */
+    data class UpdateAppTheme(
+        val osTheme: Int,
+    ) : MainEvent()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSource.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.auth.datasource.disk
 
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
@@ -171,6 +172,16 @@ interface AuthDiskSource {
         pendingAuthRequest: PendingAuthRequestJson?,
     )
 
+    /**
+     * Gets the biometrics initialization vector for the given [userId].
+     */
+    fun getUserBiometricInitVector(userId: String): ByteArray?
+
+    /**
+     * Stores the biometrics initialization vector for the given [userId].
+     */
+    fun storeUserBiometricInitVector(userId: String, iv: ByteArray?)
+
     /**
      * Gets the biometrics key for the given [userId].
      */
@@ -181,6 +192,11 @@ interface AuthDiskSource {
      */
     fun storeUserBiometricUnlockKey(userId: String, biometricsKey: String?)
 
+    /**
+     * Gets the flow for the biometrics key for the given [userId].
+     */
+    fun getUserBiometicUnlockKeyFlow(userId: String): Flow<String?>
+
     /**
      * Retrieves a pin-protected user key for the given [userId].
      */
@@ -198,6 +214,11 @@ interface AuthDiskSource {
         inMemoryOnly: Boolean = false,
     )
 
+    /**
+     * Retrieves a flow for the pin-protected user key for the given [userId].
+     */
+    fun getPinProtectedUserKeyFlow(userId: String): Flow<String?>
+
     /**
      * Gets a two-factor auth token using a user's [email].
      */
@@ -318,7 +339,17 @@ interface AuthDiskSource {
     fun storeShowImportLogins(userId: String, showImportLogins: Boolean?)
 
     /**
-     * Emits updates that track [getShowImportLogins]. This will replay the last known value,
+     * Emits updates that track [getShowImportLogins]. This will replay the last known value.
      */
     fun getShowImportLoginsFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Gets the new device notice state for the given [userId].
+     */
+    fun getNewDeviceNoticeState(userId: String): NewDeviceNoticeState
+
+    /**
+     * Stores the new device notice state for the given [userId].
+     */
+    fun storeNewDeviceNoticeState(userId: String, newState: NewDeviceNoticeState?)
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt

@@ -2,6 +2,8 @@ package com.x8bit.bitwarden.data.auth.datasource.disk
 
 import android.content.SharedPreferences
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeDisplayStatus
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.PendingAuthRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
@@ -13,7 +15,6 @@ import com.x8bit.bitwarden.data.vault.datasource.network.model.SyncResponseJson
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.onSubscription
-import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import java.util.UUID
 
@@ -21,6 +22,7 @@ import java.util.UUID
 private const val ACCOUNT_TOKENS_KEY = "accountTokens"
 private const val AUTHENTICATOR_SYNC_SYMMETRIC_KEY = "authenticatorSyncSymmetric"
 private const val AUTHENTICATOR_SYNC_UNLOCK_KEY = "authenticatorSyncUnlock"
+private const val BIOMETRICS_INIT_VECTOR_KEY = "biometricInitializationVector"
 private const val BIOMETRICS_UNLOCK_KEY = "userKeyBiometricUnlock"
 private const val USER_AUTO_UNLOCK_KEY_KEY = "userKeyAutoUnlock"
 private const val DEVICE_KEY_KEY = "deviceKey"
@@ -46,6 +48,7 @@ private const val TDE_LOGIN_COMPLETE = "tdeLoginComplete"
 private const val USES_KEY_CONNECTOR = "usesKeyConnector"
 private const val ONBOARDING_STATUS_KEY = "onboardingStatus"
 private const val SHOW_IMPORT_LOGINS_KEY = "showImportLogins"
+private const val NEW_DEVICE_NOTICE_STATE = "newDeviceNoticeState"
 
 /**
  * Primary implementation of [AuthDiskSource].
@@ -74,6 +77,10 @@ class AuthDiskSourceImpl(
     private val mutableOnboardingStatusFlowMap =
         mutableMapOf<String, MutableSharedFlow<OnboardingStatus?>>()
     private val mutableShowImportLoginsFlowMap = mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+    private val mutableBiometricUnlockKeyFlowMap =
+        mutableMapOf<String, MutableSharedFlow<String?>>()
+    private val mutablePinProtectedUserKeyFlowMap =
+        mutableMapOf<String, MutableSharedFlow<String?>>()
     private val mutableUserStateFlow = bufferedMutableSharedFlow<UserStateJson?>(replay = 1)
 
     override var userState: UserStateJson?
@@ -138,6 +145,7 @@ class AuthDiskSourceImpl(
         storePrivateKey(userId = userId, privateKey = null)
         storeOrganizationKeys(userId = userId, organizationKeys = null)
         storeOrganizations(userId = userId, organizations = null)
+        storeUserBiometricInitVector(userId = userId, iv = null)
         storeUserBiometricUnlockKey(userId = userId, biometricsKey = null)
         storeMasterPasswordHash(userId = userId, passwordHash = null)
         storePolicies(userId = userId, policies = null)
@@ -273,6 +281,17 @@ class AuthDiskSourceImpl(
         )
     }
 
+    override fun getUserBiometricInitVector(userId: String): ByteArray? =
+        getEncryptedString(key = BIOMETRICS_INIT_VECTOR_KEY.appendIdentifier(userId))
+            ?.toByteArray(Charsets.ISO_8859_1)
+
+    override fun storeUserBiometricInitVector(userId: String, iv: ByteArray?) {
+        putEncryptedString(
+            key = BIOMETRICS_INIT_VECTOR_KEY.appendIdentifier(userId),
+            value = iv?.toString(Charsets.ISO_8859_1),
+        )
+    }
+
     override fun getUserBiometricUnlockKey(userId: String): String? =
         getEncryptedString(key = BIOMETRICS_UNLOCK_KEY.appendIdentifier(userId))
 
@@ -284,8 +303,13 @@ class AuthDiskSourceImpl(
             key = BIOMETRICS_UNLOCK_KEY.appendIdentifier(userId),
             value = biometricsKey,
         )
+        getMutableBiometricUnlockKeyFlow(userId).tryEmit(biometricsKey)
     }
 
+    override fun getUserBiometicUnlockKeyFlow(userId: String): Flow<String?> =
+        getMutableBiometricUnlockKeyFlow(userId)
+            .onSubscription { emit(getUserBiometricUnlockKey(userId = userId)) }
+
     override fun getPinProtectedUserKey(userId: String): String? =
         inMemoryPinProtectedUserKeys[userId]
             ?: getString(key = PIN_PROTECTED_USER_KEY_KEY.appendIdentifier(userId))
@@ -301,8 +325,13 @@ class AuthDiskSourceImpl(
             key = PIN_PROTECTED_USER_KEY_KEY.appendIdentifier(userId),
             value = pinProtectedUserKey,
         )
+        getMutablePinProtectedUserKeyFlow(userId).tryEmit(pinProtectedUserKey)
     }
 
+    override fun getPinProtectedUserKeyFlow(userId: String): Flow<String?> =
+        getMutablePinProtectedUserKeyFlow(userId)
+            .onSubscription { emit(getPinProtectedUserKey(userId = userId)) }
+
     override fun getTwoFactorToken(email: String): String? =
         getString(key = TWO_FACTOR_TOKEN_KEY.appendIdentifier(email))
 
@@ -457,6 +486,22 @@ class AuthDiskSourceImpl(
         getMutableShowImportLoginsFlow(userId)
             .onSubscription { emit(getShowImportLogins(userId)) }
 
+    override fun getNewDeviceNoticeState(userId: String): NewDeviceNoticeState {
+        return getString(key = NEW_DEVICE_NOTICE_STATE.appendIdentifier(userId))?.let {
+            json.decodeFromStringOrNull(it)
+        } ?: NewDeviceNoticeState(
+            displayStatus = NewDeviceNoticeDisplayStatus.HAS_NOT_SEEN,
+            lastSeenDate = null,
+        )
+    }
+
+    override fun storeNewDeviceNoticeState(userId: String, newState: NewDeviceNoticeState?) {
+        putString(
+            key = NEW_DEVICE_NOTICE_STATE.appendIdentifier(userId),
+            value = newState?.let { json.encodeToString(it) },
+        )
+    }
+
     private fun generateAndStoreUniqueAppId(): String =
         UUID
             .randomUUID()
@@ -506,6 +551,18 @@ class AuthDiskSourceImpl(
         bufferedMutableSharedFlow(replay = 1)
     }
 
+    private fun getMutableBiometricUnlockKeyFlow(
+        userId: String,
+    ): MutableSharedFlow<String?> = mutableBiometricUnlockKeyFlowMap.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
+
+    private fun getMutablePinProtectedUserKeyFlow(
+        userId: String,
+    ): MutableSharedFlow<String?> = mutablePinProtectedUserKeyFlowMap.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
+
     private fun migrateAccountTokens() {
         userState
             ?.accounts

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/AccountJson.kt

@@ -2,8 +2,12 @@ package com.x8bit.bitwarden.data.auth.datasource.disk.model
 
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KdfTypeJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.UserDecryptionOptionsJson
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
+import java.time.ZonedDateTime
 
 /**
  * Represents the current account information for a given user.
@@ -33,6 +37,7 @@ data class AccountJson(
      * @property userId The ID of the user.
      * @property email The user's email address.
      * @property isEmailVerified Whether or not the user's email is verified.
+     * @property isTwoFactorEnabled If the profile has two factor authentication enabled.
      * @property name The user's name (if applicable).
      * @property stamp The account's security stamp (if applicable).
      * @property organizationId The ID of the associated organization (if applicable).
@@ -44,7 +49,9 @@ data class AccountJson(
      * @property kdfMemory The amount of memory to use when calculating a password hash (MB).
      * @property kdfParallelism The number of threads to use when calculating a password hash.
      * @property userDecryptionOptions The options available to a user for decryption.
+     * @property creationDate The creation date of the account.
      */
+    @OptIn(ExperimentalSerializationApi::class)
     @Serializable
     data class Profile(
         @SerialName("userId")
@@ -56,6 +63,9 @@ data class AccountJson(
         @SerialName("emailVerified")
         val isEmailVerified: Boolean?,
 
+        @SerialName("isTwoFactorEnabled")
+        val isTwoFactorEnabled: Boolean?,
+
         @SerialName("name")
         val name: String?,
 
@@ -86,8 +96,13 @@ data class AccountJson(
         @SerialName("kdfParallelism")
         val kdfParallelism: Int?,
 
-        @SerialName("accountDecryptionOptions")
+        @SerialName("userDecryptionOptions")
+        @JsonNames("accountDecryptionOptions")
         val userDecryptionOptions: UserDecryptionOptionsJson?,
+
+        @SerialName("creationDate")
+        @Contextual
+        val creationDate: ZonedDateTime?,
     )
 
     /**

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/NewDeviceNoticeDisplayStatus.kt

@@ -0,0 +1,60 @@
+package com.x8bit.bitwarden.data.auth.datasource.disk.model
+
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import java.time.ZonedDateTime
+
+/**
+ * Describes the current display status of the new device notice screen.
+ */
+@Serializable
+enum class NewDeviceNoticeDisplayStatus {
+    /**
+     * The user has seen the screen and indicated they can access their email.
+     */
+    @SerialName("canAccessEmail")
+    CAN_ACCESS_EMAIL,
+
+    /**
+     * The user has indicated they can access their email
+     * as specified by the Permanent mode of the notice.
+     */
+    @SerialName("canAccessEmailPermanent")
+    CAN_ACCESS_EMAIL_PERMANENT,
+
+    /**
+     * The user has not seen the screen.
+     */
+    @SerialName("hasNotSeen")
+    HAS_NOT_SEEN,
+
+    /**
+     * The user has seen the screen and selected "remind me later".
+     */
+    @SerialName("hasSeen")
+    HAS_SEEN,
+}
+
+/**
+ * The state of the new device notice screen.
+ */
+@Suppress("MagicNumber")
+@Serializable
+data class NewDeviceNoticeState(
+    @SerialName("displayStatus")
+    val displayStatus: NewDeviceNoticeDisplayStatus,
+
+    @SerialName("lastSeenDate")
+    @Contextual
+    val lastSeenDate: ZonedDateTime?,
+) {
+    /**
+     * Whether the [lastSeenDate] is at least 7 days old.
+     */
+    val shouldDisplayNoticeIfSeen = lastSeenDate
+        ?.isBefore(
+            ZonedDateTime.now().minusDays(7),
+        )
+        ?: false
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/PendingAuthRequestJson.kt

@@ -7,13 +7,21 @@ import kotlinx.serialization.Serializable
  * Container for the user's API tokens.
  *
  * @property requestId The ID of the pending Auth Request.
- * @property requestPrivateKey The private of the pending Auth Request.
+ * @property requestPrivateKey The private key of the pending Auth Request.
+ * @property requestAccessCode The access code of the pending Auth Request.
+ * @property requestFingerprint The fingerprint of the pending Auth Request.
  */
 @Serializable
 data class PendingAuthRequestJson(
-    @SerialName("Id")
+    @SerialName("id")
     val requestId: String,
 
-    @SerialName("PrivateKey")
+    @SerialName("privateKey")
     val requestPrivateKey: String,
+
+    @SerialName("accessCode")
+    val requestAccessCode: String,
+
+    @SerialName("fingerprint")
+    val requestFingerprint: String,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedAccountsApi.kt

@@ -5,6 +5,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.DeleteAccountReque
 import com.x8bit.bitwarden.data.auth.datasource.network.model.ResetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyOtpRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.HTTP
 import retrofit2.http.POST
@@ -18,43 +19,43 @@ interface AuthenticatedAccountsApi {
      * Converts the currently active account to a key-connector account.
      */
     @POST("/accounts/convert-to-key-connector")
-    suspend fun convertToKeyConnector(): Result<Unit>
+    suspend fun convertToKeyConnector(): NetworkResult<Unit>
 
     /**
      * Creates the keys for the current account.
      */
     @POST("/accounts/keys")
-    suspend fun createAccountKeys(@Body body: CreateAccountKeysRequest): Result<Unit>
+    suspend fun createAccountKeys(@Body body: CreateAccountKeysRequest): NetworkResult<Unit>
 
     /**
      * Deletes the current account.
      */
     @HTTP(method = "DELETE", path = "/accounts", hasBody = true)
-    suspend fun deleteAccount(@Body body: DeleteAccountRequestJson): Result<Unit>
+    suspend fun deleteAccount(@Body body: DeleteAccountRequestJson): NetworkResult<Unit>
 
     @POST("/accounts/request-otp")
-    suspend fun requestOtp(): Result<Unit>
+    suspend fun requestOtp(): NetworkResult<Unit>
 
     @POST("/accounts/verify-otp")
     suspend fun verifyOtp(
         @Body body: VerifyOtpRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     /**
      * Resets the temporary password.
      */
     @HTTP(method = "PUT", path = "/accounts/update-temp-password", hasBody = true)
-    suspend fun resetTempPassword(@Body body: ResetPasswordRequestJson): Result<Unit>
+    suspend fun resetTempPassword(@Body body: ResetPasswordRequestJson): NetworkResult<Unit>
 
     /**
      * Resets the password.
      */
     @HTTP(method = "POST", path = "/accounts/password", hasBody = true)
-    suspend fun resetPassword(@Body body: ResetPasswordRequestJson): Result<Unit>
+    suspend fun resetPassword(@Body body: ResetPasswordRequestJson): NetworkResult<Unit>
 
     /**
      * Sets the password.
      */
     @POST("/accounts/set-password")
-    suspend fun setPassword(@Body body: SetPasswordRequestJson): Result<Unit>
+    suspend fun setPassword(@Body body: SetPasswordRequestJson): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedAuthRequestsApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestUpdateRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.Header
@@ -22,7 +23,7 @@ interface AuthenticatedAuthRequestsApi {
     suspend fun createAdminAuthRequest(
         @Header("Device-Identifier") deviceIdentifier: String,
         @Body body: AuthRequestRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Updates an authentication request.
@@ -31,13 +32,13 @@ interface AuthenticatedAuthRequestsApi {
     suspend fun updateAuthRequest(
         @Path("id") userId: String,
         @Body body: AuthRequestUpdateRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Gets a list of auth requests for this device.
      */
     @GET("/auth-requests")
-    suspend fun getAuthRequests(): Result<AuthRequestsResponseJson>
+    suspend fun getAuthRequests(): NetworkResult<AuthRequestsResponseJson>
 
     /**
      * Retrieves an existing authentication request by ID.
@@ -45,5 +46,5 @@ interface AuthenticatedAuthRequestsApi {
     @GET("/auth-requests/{requestId}")
     suspend fun getAuthRequest(
         @Path("requestId") requestId: String,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedDevicesApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import androidx.annotation.Keep
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.PUT
 import retrofit2.http.Path
@@ -16,5 +17,5 @@ interface AuthenticatedDevicesApi {
     suspend fun updateTrustedDeviceKeys(
         @Path(value = "appId") appId: String,
         @Body request: TrustedDeviceKeysRequestJson,
-    ): Result<TrustedDeviceKeysResponseJson>
+    ): NetworkResult<TrustedDeviceKeysResponseJson>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedKeyConnectorApi.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 
 import androidx.annotation.Keep
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.POST
 import retrofit2.http.Url
@@ -15,5 +16,5 @@ interface AuthenticatedKeyConnectorApi {
     suspend fun storeMasterKeyToKeyConnector(
         @Url url: String,
         @Body body: KeyConnectorMasterKeyRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/AuthenticatedOrganizationApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationAutoEnrollStatusResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationKeysResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationResetPasswordEnrollRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.PUT
@@ -20,7 +21,7 @@ interface AuthenticatedOrganizationApi {
         @Path("orgId") organizationId: String,
         @Path("userId") userId: String,
         @Body body: OrganizationResetPasswordEnrollRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     /**
      * Checks whether this organization auto enrolls users in password reset.
@@ -28,7 +29,7 @@ interface AuthenticatedOrganizationApi {
     @GET("/organizations/{identifier}/auto-enroll-status")
     suspend fun getOrganizationAutoEnrollResponse(
         @Path("identifier") organizationIdentifier: String,
-    ): Result<OrganizationAutoEnrollStatusResponseJson>
+    ): NetworkResult<OrganizationAutoEnrollStatusResponseJson>
 
     /**
      * Gets the public and private keys for this organization.
@@ -36,5 +37,5 @@ interface AuthenticatedOrganizationApi {
     @GET("/organizations/{id}/keys")
     suspend fun getOrganizationKeys(
         @Path("id") organizationId: String,
-    ): Result<OrganizationKeysResponseJson>
+    ): NetworkResult<OrganizationKeysResponseJson>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/HaveIBeenPwnedApi.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.api
 
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import okhttp3.ResponseBody
 import retrofit2.http.GET
 import retrofit2.http.Path
@@ -14,5 +15,5 @@ interface HaveIBeenPwnedApi {
     suspend fun fetchBreachedPasswords(
         @Path("hashPrefix")
         hashPrefix: String,
-    ): Result<ResponseBody>
+    ): NetworkResult<ResponseBody>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedAccountsApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorKeyRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.PasswordHintRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.ResendEmailRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_KEY_AUTHORIZATION
 import retrofit2.http.Body
 import retrofit2.http.Header
@@ -15,16 +16,16 @@ interface UnauthenticatedAccountsApi {
     @POST("/accounts/password-hint")
     suspend fun passwordHintRequest(
         @Body body: PasswordHintRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     @POST("/two-factor/send-email-login")
     suspend fun resendVerificationCodeEmail(
         @Body body: ResendEmailRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     @POST("/accounts/set-key-connector-key")
     suspend fun setKeyConnectorKey(
         @Body body: KeyConnectorKeyRequestJson,
         @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedAuthRequestsApi.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.GET
 import retrofit2.http.Header
@@ -21,7 +22,7 @@ interface UnauthenticatedAuthRequestsApi {
     suspend fun createAuthRequest(
         @Header("Device-Identifier") deviceIdentifier: String,
         @Body body: AuthRequestRequestJson,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 
     /**
      * Queries for updates to a given auth request.
@@ -30,5 +31,5 @@ interface UnauthenticatedAuthRequestsApi {
     suspend fun getAuthRequestUpdate(
         @Path("requestId") requestId: String,
         @Query("code") accessCode: String,
-    ): Result<AuthRequestsResponseJson.AuthRequest>
+    ): NetworkResult<AuthRequestsResponseJson.AuthRequest>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedDevicesApi.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.api
 
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.GET
 import retrofit2.http.Header
 
@@ -11,5 +12,5 @@ interface UnauthenticatedDevicesApi {
     suspend fun getIsKnownDevice(
         @Header(value = "X-Request-Email") emailAddress: String,
         @Header(value = "X-Device-Identifier") deviceId: String,
-    ): Result<Boolean>
+    ): NetworkResult<Boolean>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedIdentityApi.kt

@@ -10,6 +10,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterRequestJso
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenRequestJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import kotlinx.serialization.json.JsonPrimitive
 import retrofit2.Call
 import retrofit2.http.Body
@@ -46,12 +47,12 @@ interface UnauthenticatedIdentityApi {
         @Field(value = "twoFactorProvider") twoFactorMethod: String?,
         @Field(value = "twoFactorRemember") twoFactorRemember: String?,
         @Field(value = "authRequest") authRequestId: String?,
-    ): Result<GetTokenResponseJson.Success>
+    ): NetworkResult<GetTokenResponseJson.Success>
 
     @GET("/sso/prevalidate")
     suspend fun prevalidateSso(
         @Query("domainHint") organizationIdentifier: String,
-    ): Result<PrevalidateSsoResponseJson>
+    ): NetworkResult<PrevalidateSsoResponseJson>
 
     /**
      * This call needs to be synchronous so we need it to return a [Call] directly. The identity
@@ -66,23 +67,25 @@ interface UnauthenticatedIdentityApi {
     ): Call<RefreshTokenResponseJson>
 
     @POST("/accounts/prelogin")
-    suspend fun preLogin(@Body body: PreLoginRequestJson): Result<PreLoginResponseJson>
+    suspend fun preLogin(@Body body: PreLoginRequestJson): NetworkResult<PreLoginResponseJson>
 
     @POST("/accounts/register")
-    suspend fun register(@Body body: RegisterRequestJson): Result<RegisterResponseJson.Success>
+    suspend fun register(
+        @Body body: RegisterRequestJson,
+    ): NetworkResult<RegisterResponseJson.Success>
 
     @POST("/accounts/register/finish")
     suspend fun registerFinish(
         @Body body: RegisterFinishRequestJson,
-    ): Result<RegisterResponseJson.Success>
+    ): NetworkResult<RegisterResponseJson.Success>
 
     @POST("/accounts/register/send-verification-email")
     suspend fun sendVerificationEmail(
         @Body body: SendVerificationEmailRequestJson,
-    ): Result<JsonPrimitive?>
+    ): NetworkResult<JsonPrimitive?>
 
     @POST("/accounts/register/verification-email-clicked")
     suspend fun verifyEmailToken(
         @Body body: VerifyEmailTokenRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedKeyConnectorApi.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 import androidx.annotation.Keep
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.KeyConnectorMasterKeyResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_KEY_AUTHORIZATION
 import retrofit2.http.Body
 import retrofit2.http.GET
@@ -20,11 +21,11 @@ interface UnauthenticatedKeyConnectorApi {
         @Url url: String,
         @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
         @Body body: KeyConnectorMasterKeyRequestJson,
-    ): Result<Unit>
+    ): NetworkResult<Unit>
 
     @GET
     suspend fun getMasterKeyFromKeyConnector(
         @Url url: String,
         @Header(HEADER_KEY_AUTHORIZATION) bearerToken: String,
-    ): Result<KeyConnectorMasterKeyResponseJson>
+    ): NetworkResult<KeyConnectorMasterKeyResponseJson>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/api/UnauthenticatedOrganizationApi.kt

@@ -2,6 +2,9 @@ package com.x8bit.bitwarden.data.auth.datasource.network.api
 
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsResponseJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsRequest
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsResponse
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.Body
 import retrofit2.http.POST
 
@@ -15,5 +18,13 @@ interface UnauthenticatedOrganizationApi {
     @POST("/organizations/domain/sso/details")
     suspend fun getClaimedDomainOrganizationDetails(
         @Body body: OrganizationDomainSsoDetailsRequestJson,
-    ): Result<OrganizationDomainSsoDetailsResponseJson>
+    ): NetworkResult<OrganizationDomainSsoDetailsResponseJson>
+
+    /**
+     * Checks for the verfied organization domains of an email for SSO purposes.
+     */
+    @POST("/organizations/domain/sso/verified")
+    suspend fun getVerifiedOrganizationDomainsByEmail(
+        @Body body: VerifiedOrganizationDomainSsoDetailsRequest,
+    ): NetworkResult<VerifiedOrganizationDomainSsoDetailsResponse>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/KeyConnectorUserDecryptionOptionsJson.kt

@@ -1,15 +1,19 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * Decryption options related to a user's key connector.
  *
  * @property keyConnectorUrl URL to the user's key connector.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class KeyConnectorUserDecryptionOptionsJson(
-    @SerialName("KeyConnectorUrl")
+    @SerialName("keyConnectorUrl")
+    @JsonNames("KeyConnectorUrl")
     val keyConnectorUrl: String,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/OrganizationDomainSsoDetailsResponseJson.kt

@@ -1,16 +1,26 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.Contextual
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import java.time.ZonedDateTime
 
 /**
  * Response object returned when requesting organization domain SSO details.
  *
  * @property isSsoAvailable Whether or not SSO is available for this domain.
  * @property organizationIdentifier The organization's identifier.
+ * @property verifiedDate The date the domain was verified.
  */
 @Serializable
 data class OrganizationDomainSsoDetailsResponseJson(
-    @SerialName("ssoAvailable") val isSsoAvailable: Boolean,
-    @SerialName("organizationIdentifier") val organizationIdentifier: String,
+    @SerialName("ssoAvailable")
+    val isSsoAvailable: Boolean,
+
+    @SerialName("organizationIdentifier")
+    val organizationIdentifier: String,
+
+    @SerialName("verifiedDate")
+    @Contextual
+    val verifiedDate: ZonedDateTime?,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/TrustedDeviceUserDecryptionOptionsJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * Decryption options related to a user's trusted device.
@@ -13,20 +15,26 @@ import kotlinx.serialization.Serializable
  * @property hasManageResetPasswordPermission Whether or not the user has manage reset password
  * permission.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class TrustedDeviceUserDecryptionOptionsJson(
-    @SerialName("EncryptedPrivateKey")
+    @SerialName("encryptedPrivateKey")
+    @JsonNames("EncryptedPrivateKey")
     val encryptedPrivateKey: String?,
 
-    @SerialName("EncryptedUserKey")
+    @SerialName("encryptedUserKey")
+    @JsonNames("EncryptedUserKey")
     val encryptedUserKey: String?,
 
-    @SerialName("HasAdminApproval")
+    @SerialName("hasAdminApproval")
+    @JsonNames("HasAdminApproval")
     val hasAdminApproval: Boolean,
 
-    @SerialName("HasLoginApprovingDevice")
+    @SerialName("hasLoginApprovingDevice")
+    @JsonNames("HasLoginApprovingDevice")
     val hasLoginApprovingDevice: Boolean,
 
-    @SerialName("HasManageResetPasswordPermission")
+    @SerialName("hasManageResetPasswordPermission")
+    @JsonNames("HasManageResetPasswordPermission")
     val hasManageResetPasswordPermission: Boolean,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/UserDecryptionOptionsJson.kt

@@ -1,7 +1,9 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.model
 
+import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonNames
 
 /**
  * The options available to a user for decryption.
@@ -12,14 +14,18 @@ import kotlinx.serialization.Serializable
  * device.
  * @property keyConnectorUserDecryptionOptions Decryption options related to a user's key connector.
  */
+@OptIn(ExperimentalSerializationApi::class)
 @Serializable
 data class UserDecryptionOptionsJson(
-    @SerialName("HasMasterPassword")
+    @SerialName("hasMasterPassword")
+    @JsonNames("HasMasterPassword")
     val hasMasterPassword: Boolean,
 
-    @SerialName("TrustedDeviceOption")
+    @SerialName("trustedDeviceOption")
+    @JsonNames("TrustedDeviceOption")
     val trustedDeviceUserDecryptionOptions: TrustedDeviceUserDecryptionOptionsJson?,
 
-    @SerialName("KeyConnectorOption")
+    @SerialName("keyConnectorOption")
+    @JsonNames("KeyConnectorOption")
     val keyConnectorUserDecryptionOptions: KeyConnectorUserDecryptionOptionsJson?,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/VerifiedOrganizationDomainSsoDetailsRequest.kt

@@ -0,0 +1,14 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Request body object when retrieving organization verified domain SSO info.
+ *
+ * @param email The email address to check against.
+ */
+@Serializable
+data class VerifiedOrganizationDomainSsoDetailsRequest(
+    @SerialName("email") val email: String,
+)

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/model/VerifiedOrganizationDomainSsoDetailsResponse.kt

@@ -0,0 +1,35 @@
+package com.x8bit.bitwarden.data.auth.datasource.network.model
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+/**
+ * Response object returned when requesting organization verified domain SSO details.
+ *
+ * @property verifiedOrganizationDomainSsoDetails The list of verified organization domain SSO
+ * details.
+ */
+@Serializable
+data class VerifiedOrganizationDomainSsoDetailsResponse(
+    @SerialName("data")
+    val verifiedOrganizationDomainSsoDetails: List<VerifiedOrganizationDomainSsoDetail>,
+) {
+    /**
+     * Response body for an organization verified domain SSO details.
+     *
+     * @property organizationName The name of the organization.
+     * @property organizationIdentifier The identifier of the organization.
+     * @property domainName The name of the domain.
+     */
+    @Serializable
+    data class VerifiedOrganizationDomainSsoDetail(
+        @SerialName("organizationName")
+        val organizationName: String,
+
+        @SerialName("organizationIdentifier")
+        val organizationIdentifier: String,
+
+        @SerialName("domainName")
+        val domainName: String,
+    )
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/AccountsServiceImpl.kt

@@ -19,6 +19,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyOtpRequestJs
 import com.x8bit.bitwarden.data.platform.datasource.network.model.toBitwardenError
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_VALUE_BEARER_PREFIX
 import com.x8bit.bitwarden.data.platform.datasource.network.util.parseErrorBodyOrNull
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 import kotlinx.serialization.json.Json
 
 /**
@@ -37,18 +38,22 @@ class AccountsServiceImpl(
      * Converts the currently active account to a key-connector account.
      */
     override suspend fun convertToKeyConnector(): Result<Unit> =
-        authenticatedAccountsApi.convertToKeyConnector()
+        authenticatedAccountsApi
+            .convertToKeyConnector()
+            .toResult()
 
     override suspend fun createAccountKeys(
         publicKey: String,
         encryptedPrivateKey: String,
     ): Result<Unit> =
-        authenticatedAccountsApi.createAccountKeys(
-            body = CreateAccountKeysRequest(
-                publicKey = publicKey,
-                encryptedPrivateKey = encryptedPrivateKey,
-            ),
-        )
+        authenticatedAccountsApi
+            .createAccountKeys(
+                body = CreateAccountKeysRequest(
+                    publicKey = publicKey,
+                    encryptedPrivateKey = encryptedPrivateKey,
+                ),
+            )
+            .toResult()
 
     override suspend fun deleteAccount(
         masterPasswordHash: String?,
@@ -61,9 +66,8 @@ class AccountsServiceImpl(
                     oneTimePassword = oneTimePassword,
                 ),
             )
-            .map {
-                DeleteAccountResponseJson.Success
-            }
+            .toResult()
+            .map { DeleteAccountResponseJson.Success }
             .recoverCatching { throwable ->
                 throwable
                     .toBitwardenError()
@@ -75,20 +79,25 @@ class AccountsServiceImpl(
             }
 
     override suspend fun requestOneTimePasscode(): Result<Unit> =
-        authenticatedAccountsApi.requestOtp()
+        authenticatedAccountsApi
+            .requestOtp()
+            .toResult()
 
     override suspend fun verifyOneTimePasscode(passcode: String): Result<Unit> =
-        authenticatedAccountsApi.verifyOtp(
-            VerifyOtpRequestJson(
-                oneTimePasscode = passcode,
-            ),
-        )
+        authenticatedAccountsApi
+            .verifyOtp(
+                VerifyOtpRequestJson(
+                    oneTimePasscode = passcode,
+                ),
+            )
+            .toResult()
 
     override suspend fun requestPasswordHint(
         email: String,
     ): Result<PasswordHintResponseJson> =
         unauthenticatedAccountsApi
             .passwordHintRequest(PasswordHintRequestJson(email))
+            .toResult()
             .map { PasswordHintResponseJson.Success }
             .recoverCatching { throwable ->
                 throwable
@@ -101,54 +110,70 @@ class AccountsServiceImpl(
             }
 
     override suspend fun resendVerificationCodeEmail(body: ResendEmailRequestJson): Result<Unit> =
-        unauthenticatedAccountsApi.resendVerificationCodeEmail(body = body)
+        unauthenticatedAccountsApi
+            .resendVerificationCodeEmail(body = body)
+            .toResult()
 
-    override suspend fun resetPassword(body: ResetPasswordRequestJson): Result<Unit> {
-        return if (body.currentPasswordHash == null) {
-            authenticatedAccountsApi.resetTempPassword(body = body)
+    override suspend fun resetPassword(body: ResetPasswordRequestJson): Result<Unit> =
+        if (body.currentPasswordHash == null) {
+            authenticatedAccountsApi
+                .resetTempPassword(body = body)
+                .toResult()
         } else {
-            authenticatedAccountsApi.resetPassword(body = body)
+            authenticatedAccountsApi
+                .resetPassword(body = body)
+                .toResult()
         }
-    }
 
     override suspend fun setKeyConnectorKey(
         accessToken: String,
         body: KeyConnectorKeyRequestJson,
-    ): Result<Unit> = unauthenticatedAccountsApi.setKeyConnectorKey(
-        body = body,
-        bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
-    )
+    ): Result<Unit> =
+        unauthenticatedAccountsApi
+            .setKeyConnectorKey(
+                body = body,
+                bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
+            )
+            .toResult()
 
     override suspend fun setPassword(
         body: SetPasswordRequestJson,
-    ): Result<Unit> = authenticatedAccountsApi.setPassword(body)
+    ): Result<Unit> = authenticatedAccountsApi
+        .setPassword(body)
+        .toResult()
 
     override suspend fun getMasterKeyFromKeyConnector(
         url: String,
         accessToken: String,
     ): Result<KeyConnectorMasterKeyResponseJson> =
-        unauthenticatedKeyConnectorApi.getMasterKeyFromKeyConnector(
-            url = "$url/user-keys",
-            bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
-        )
+        unauthenticatedKeyConnectorApi
+            .getMasterKeyFromKeyConnector(
+                url = "$url/user-keys",
+                bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
+            )
+            .toResult()
 
     override suspend fun storeMasterKeyToKeyConnector(
         url: String,
         masterKey: String,
     ): Result<Unit> =
-        authenticatedKeyConnectorApi.storeMasterKeyToKeyConnector(
-            url = "$url/user-keys",
-            body = KeyConnectorMasterKeyRequestJson(masterKey = masterKey),
-        )
+        authenticatedKeyConnectorApi
+            .storeMasterKeyToKeyConnector(
+                url = "$url/user-keys",
+                body = KeyConnectorMasterKeyRequestJson(masterKey = masterKey),
+            )
+            .toResult()
 
     override suspend fun storeMasterKeyToKeyConnector(
         url: String,
         accessToken: String,
         masterKey: String,
     ): Result<Unit> =
-        unauthenticatedKeyConnectorApi.storeMasterKeyToKeyConnector(
-            url = "$url/user-keys",
-            bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
-            body = KeyConnectorMasterKeyRequestJson(masterKey = masterKey),
-        )
+        unauthenticatedKeyConnectorApi
+            .storeMasterKeyToKeyConnector(
+                url = "$url/user-keys",
+                bearerToken = "$HEADER_VALUE_BEARER_PREFIX$accessToken",
+                body = KeyConnectorMasterKeyRequestJson(masterKey = masterKey),
+            )
+            .toResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/AuthRequestsServiceImpl.kt

@@ -3,17 +3,22 @@ package com.x8bit.bitwarden.data.auth.datasource.network.service
 import com.x8bit.bitwarden.data.auth.datasource.network.api.AuthenticatedAuthRequestsApi
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestUpdateRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 
 class AuthRequestsServiceImpl(
     private val authenticatedAuthRequestsApi: AuthenticatedAuthRequestsApi,
 ) : AuthRequestsService {
     override suspend fun getAuthRequests(): Result<AuthRequestsResponseJson> =
-        authenticatedAuthRequestsApi.getAuthRequests()
+        authenticatedAuthRequestsApi
+            .getAuthRequests()
+            .toResult()
 
     override suspend fun getAuthRequest(
         requestId: String,
     ): Result<AuthRequestsResponseJson.AuthRequest> =
-        authenticatedAuthRequestsApi.getAuthRequest(requestId = requestId)
+        authenticatedAuthRequestsApi
+            .getAuthRequest(requestId = requestId)
+            .toResult()
 
     override suspend fun updateAuthRequest(
         requestId: String,
@@ -22,13 +27,15 @@ class AuthRequestsServiceImpl(
         deviceId: String,
         isApproved: Boolean,
     ): Result<AuthRequestsResponseJson.AuthRequest> =
-        authenticatedAuthRequestsApi.updateAuthRequest(
-            userId = requestId,
-            body = AuthRequestUpdateRequestJson(
-                key = key,
-                masterPasswordHash = masterPasswordHash,
-                deviceId = deviceId,
-                isApproved = isApproved,
-            ),
-        )
+        authenticatedAuthRequestsApi
+            .updateAuthRequest(
+                userId = requestId,
+                body = AuthRequestUpdateRequestJson(
+                    key = key,
+                    masterPasswordHash = masterPasswordHash,
+                    deviceId = deviceId,
+                    isApproved = isApproved,
+                ),
+            )
+            .toResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/DevicesServiceImpl.kt

@@ -5,6 +5,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.api.UnauthenticatedDevic
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceKeysResponseJson
 import com.x8bit.bitwarden.data.platform.datasource.network.util.base64UrlEncode
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 
 class DevicesServiceImpl(
     private val authenticatedDevicesApi: AuthenticatedDevicesApi,
@@ -13,22 +14,26 @@ class DevicesServiceImpl(
     override suspend fun getIsKnownDevice(
         emailAddress: String,
         deviceId: String,
-    ): Result<Boolean> = unauthenticatedDevicesApi.getIsKnownDevice(
-        emailAddress = emailAddress.base64UrlEncode(),
-        deviceId = deviceId,
-    )
+    ): Result<Boolean> = unauthenticatedDevicesApi
+        .getIsKnownDevice(
+            emailAddress = emailAddress.base64UrlEncode(),
+            deviceId = deviceId,
+        )
+        .toResult()
 
     override suspend fun trustDevice(
         appId: String,
         encryptedUserKey: String,
         encryptedDevicePublicKey: String,
         encryptedDevicePrivateKey: String,
-    ): Result<TrustedDeviceKeysResponseJson> = authenticatedDevicesApi.updateTrustedDeviceKeys(
-        appId = appId,
-        request = TrustedDeviceKeysRequestJson(
-            encryptedUserKey = encryptedUserKey,
-            encryptedDevicePublicKey = encryptedDevicePublicKey,
-            encryptedDevicePrivateKey = encryptedDevicePrivateKey,
-        ),
-    )
+    ): Result<TrustedDeviceKeysResponseJson> = authenticatedDevicesApi
+        .updateTrustedDeviceKeys(
+            appId = appId,
+            request = TrustedDeviceKeysRequestJson(
+                encryptedUserKey = encryptedUserKey,
+                encryptedDevicePublicKey = encryptedDevicePublicKey,
+                encryptedDevicePrivateKey = encryptedDevicePrivateKey,
+            ),
+        )
+        .toResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/HaveIBeenPwnedServiceImpl.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.auth.datasource.network.service
 
 import com.x8bit.bitwarden.data.auth.datasource.network.api.HaveIBeenPwnedApi
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 import java.security.MessageDigest
 
 class HaveIBeenPwnedServiceImpl(private val api: HaveIBeenPwnedApi) : HaveIBeenPwnedService {
@@ -17,6 +18,7 @@ class HaveIBeenPwnedServiceImpl(private val api: HaveIBeenPwnedApi) : HaveIBeenP
 
         return api
             .fetchBreachedPasswords(hashPrefix = hashPrefix)
+            .toResult()
             .mapCatching { responseBody ->
                 responseBody.string()
                     // First split the response by newline: each hashed password is on a new line.

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/IdentityService.kt

@@ -9,6 +9,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterFinishRequ
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorDataModel
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenResponseJson
@@ -68,7 +69,7 @@ interface IdentityService {
      */
     suspend fun sendVerificationEmail(
         body: SendVerificationEmailRequestJson,
-    ): Result<String?>
+    ): Result<SendVerificationEmailResponseJson>
 
     /**
      * Register a new account to Bitwarden using email verification flow.

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/IdentityServiceImpl.kt

@@ -11,13 +11,15 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterFinishRequ
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorDataModel
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifyEmailTokenResponseJson
 import com.x8bit.bitwarden.data.platform.datasource.network.model.toBitwardenError
 import com.x8bit.bitwarden.data.platform.datasource.network.util.base64UrlEncode
-import com.x8bit.bitwarden.data.platform.datasource.network.util.executeForResult
+import com.x8bit.bitwarden.data.platform.datasource.network.util.executeForNetworkResult
 import com.x8bit.bitwarden.data.platform.datasource.network.util.parseErrorBodyOrNull
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 import com.x8bit.bitwarden.data.platform.util.DeviceModelProvider
 import kotlinx.serialization.json.Json
 
@@ -28,12 +30,15 @@ class IdentityServiceImpl(
 ) : IdentityService {
 
     override suspend fun preLogin(email: String): Result<PreLoginResponseJson> =
-        unauthenticatedIdentityApi.preLogin(PreLoginRequestJson(email = email))
+        unauthenticatedIdentityApi
+            .preLogin(PreLoginRequestJson(email = email))
+            .toResult()
 
     @Suppress("MagicNumber")
     override suspend fun register(body: RegisterRequestJson): Result<RegisterResponseJson> =
         unauthenticatedIdentityApi
             .register(body)
+            .toResult()
             .recoverCatching { throwable ->
                 val bitwardenError = throwable.toBitwardenError()
                 bitwardenError
@@ -75,6 +80,7 @@ class IdentityServiceImpl(
             captchaResponse = captchaToken,
             authRequestId = authModel.authRequestId,
         )
+        .toResult()
         .recoverCatching { throwable ->
             val bitwardenError = throwable.toBitwardenError()
             bitwardenError.parseErrorBodyOrNull<GetTokenResponseJson.CaptchaRequired>(
@@ -95,6 +101,7 @@ class IdentityServiceImpl(
         .prevalidateSso(
             organizationIdentifier = organizationIdentifier,
         )
+        .toResult()
 
     override fun refreshTokenSynchronously(
         refreshToken: String,
@@ -104,7 +111,8 @@ class IdentityServiceImpl(
             grantType = "refresh_token",
             refreshToken = refreshToken,
         )
-        .executeForResult()
+        .executeForNetworkResult()
+        .toResult()
 
     @Suppress("MagicNumber")
     override suspend fun registerFinish(
@@ -112,6 +120,7 @@ class IdentityServiceImpl(
     ): Result<RegisterResponseJson> =
         unauthenticatedIdentityApi
             .registerFinish(body)
+            .toResult()
             .recoverCatching { throwable ->
                 val bitwardenError = throwable.toBitwardenError()
                 bitwardenError
@@ -124,10 +133,20 @@ class IdentityServiceImpl(
 
     override suspend fun sendVerificationEmail(
         body: SendVerificationEmailRequestJson,
-    ): Result<String?> {
+    ): Result<SendVerificationEmailResponseJson> {
         return unauthenticatedIdentityApi
             .sendVerificationEmail(body = body)
-            .map { it?.content }
+            .toResult()
+            .map { SendVerificationEmailResponseJson.Success(it?.content) }
+            .recoverCatching { throwable ->
+                throwable
+                    .toBitwardenError()
+                    .parseErrorBodyOrNull<SendVerificationEmailResponseJson.Invalid>(
+                        code = 400,
+                        json = json,
+                    )
+                    ?: throw throwable
+            }
     }
 
     override suspend fun verifyEmailRegistrationToken(
@@ -136,9 +155,8 @@ class IdentityServiceImpl(
         .verifyEmailToken(
             body = body,
         )
-        .map {
-            VerifyEmailTokenResponseJson.Valid
-        }
+        .toResult()
+        .map { VerifyEmailTokenResponseJson.Valid }
         .recoverCatching { throwable ->
             val bitwardenError = throwable.toBitwardenError()
             bitwardenError

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/NewAuthRequestServiceImpl.kt

@@ -5,6 +5,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.api.UnauthenticatedAuthR
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestTypeJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.AuthRequestsResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 import com.x8bit.bitwarden.data.platform.util.asFailure
 
 /**
@@ -24,17 +25,19 @@ class NewAuthRequestServiceImpl(
     ): Result<AuthRequestsResponseJson.AuthRequest> =
         when (authRequestType) {
             AuthRequestTypeJson.LOGIN_WITH_DEVICE -> {
-                unauthenticatedAuthRequestsApi.createAuthRequest(
-                    deviceIdentifier = deviceId,
-                    body = AuthRequestRequestJson(
-                        email = email,
-                        publicKey = publicKey,
-                        deviceId = deviceId,
-                        accessCode = accessCode,
-                        fingerprint = fingerprint,
-                        type = authRequestType,
-                    ),
-                )
+                unauthenticatedAuthRequestsApi
+                    .createAuthRequest(
+                        deviceIdentifier = deviceId,
+                        body = AuthRequestRequestJson(
+                            email = email,
+                            publicKey = publicKey,
+                            deviceId = deviceId,
+                            accessCode = accessCode,
+                            fingerprint = fingerprint,
+                            type = authRequestType,
+                        ),
+                    )
+                    .toResult()
             }
 
             AuthRequestTypeJson.UNLOCK -> {
@@ -43,17 +46,19 @@ class NewAuthRequestServiceImpl(
             }
 
             AuthRequestTypeJson.ADMIN_APPROVAL -> {
-                authenticatedAuthRequestsApi.createAdminAuthRequest(
-                    deviceIdentifier = deviceId,
-                    body = AuthRequestRequestJson(
-                        email = email,
-                        publicKey = publicKey,
-                        deviceId = deviceId,
-                        accessCode = accessCode,
-                        fingerprint = fingerprint,
-                        type = authRequestType,
-                    ),
-                )
+                authenticatedAuthRequestsApi
+                    .createAdminAuthRequest(
+                        deviceIdentifier = deviceId,
+                        body = AuthRequestRequestJson(
+                            email = email,
+                            publicKey = publicKey,
+                            deviceId = deviceId,
+                            accessCode = accessCode,
+                            fingerprint = fingerprint,
+                            type = authRequestType,
+                        ),
+                    )
+                    .toResult()
             }
         }
 
@@ -63,11 +68,15 @@ class NewAuthRequestServiceImpl(
         isSso: Boolean,
     ): Result<AuthRequestsResponseJson.AuthRequest> =
         if (isSso) {
-            authenticatedAuthRequestsApi.getAuthRequest(requestId)
+            authenticatedAuthRequestsApi
+                .getAuthRequest(requestId = requestId)
+                .toResult()
         } else {
-            unauthenticatedAuthRequestsApi.getAuthRequestUpdate(
-                requestId = requestId,
-                accessCode = accessCode,
-            )
+            unauthenticatedAuthRequestsApi
+                .getAuthRequestUpdate(
+                    requestId = requestId,
+                    accessCode = accessCode,
+                )
+                .toResult()
         }
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/OrganizationService.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.datasource.network.service
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationAutoEnrollStatusResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationKeysResponseJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsResponse
 
 /**
  * Provides an API for querying organization endpoints.
@@ -38,4 +39,12 @@ interface OrganizationService {
     suspend fun getOrganizationKeys(
         organizationId: String,
     ): Result<OrganizationKeysResponseJson>
+
+    /**
+     * Request organization verified domain details for an [email] needed for SSO
+     * requests.
+     */
+    suspend fun getVerifiedOrganizationDomainSsoDetails(
+        email: String,
+    ): Result<VerifiedOrganizationDomainSsoDetailsResponse>
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/network/service/OrganizationServiceImpl.kt

@@ -7,6 +7,9 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomain
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationDomainSsoDetailsResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationKeysResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.OrganizationResetPasswordEnrollRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsRequest
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsResponse
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 
 /**
  * Default implementation of [OrganizationService].
@@ -29,6 +32,7 @@ class OrganizationServiceImpl(
                 resetPasswordKey = resetPasswordKey,
             ),
         )
+        .toResult()
 
     override suspend fun getOrganizationDomainSsoDetails(
         email: String,
@@ -38,6 +42,7 @@ class OrganizationServiceImpl(
                 email = email,
             ),
         )
+        .toResult()
 
     override suspend fun getOrganizationAutoEnrollStatus(
         organizationIdentifier: String,
@@ -45,6 +50,7 @@ class OrganizationServiceImpl(
         .getOrganizationAutoEnrollResponse(
             organizationIdentifier = organizationIdentifier,
         )
+        .toResult()
 
     override suspend fun getOrganizationKeys(
         organizationId: String,
@@ -52,4 +58,15 @@ class OrganizationServiceImpl(
         .getOrganizationKeys(
             organizationId = organizationId,
         )
+        .toResult()
+
+    override suspend fun getVerifiedOrganizationDomainSsoDetails(
+        email: String,
+    ): Result<VerifiedOrganizationDomainSsoDetailsResponse> = unauthenticatedOrganizationApi
+        .getVerifiedOrganizationDomainsByEmail(
+            body = VerifiedOrganizationDomainSsoDetailsRequest(
+                email = email,
+            ),
+        )
+        .toResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceImpl.kt

@@ -8,7 +8,7 @@ import com.bitwarden.core.RegisterKeyResponse
 import com.bitwarden.core.RegisterTdeKeyResponse
 import com.bitwarden.crypto.HashPurpose
 import com.bitwarden.crypto.Kdf
-import com.bitwarden.sdk.ClientAuth
+import com.bitwarden.sdk.AuthClient
 import com.x8bit.bitwarden.data.auth.datasource.sdk.model.PasswordStrength
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toPasswordStrengthOrNull
 import com.x8bit.bitwarden.data.auth.datasource.sdk.util.toUByte
@@ -17,7 +17,7 @@ import com.x8bit.bitwarden.data.platform.manager.SdkClientManager
 
 /**
  * Primary implementation of [AuthSdkSource] that serves as a convenience wrapper around a
- * [ClientAuth].
+ * [AuthClient].
  */
 class AuthSdkSourceImpl(
     sdkClientManager: SdkClientManager,

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/AuthRequestManagerImpl.kt

@@ -17,6 +17,7 @@ import com.x8bit.bitwarden.data.auth.manager.model.CreateAuthRequestResult
 import com.x8bit.bitwarden.data.auth.manager.util.isSso
 import com.x8bit.bitwarden.data.auth.manager.util.toAuthRequestTypeJson
 import com.x8bit.bitwarden.data.platform.util.asFailure
+import com.x8bit.bitwarden.data.platform.util.asSuccess
 import com.x8bit.bitwarden.data.platform.util.flatMap
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import kotlinx.coroutines.currentCoroutineContext
@@ -65,7 +66,7 @@ class AuthRequestManagerImpl(
         email: String,
         authRequestType: AuthRequestType,
     ): Flow<CreateAuthRequestResult> = flow {
-        val initialResult = createNewAuthRequest(
+        val initialResult = createNewAuthRequestIfNecessary(
             email = email,
             authRequestType = authRequestType.toAuthRequestTypeJson(),
         )
@@ -74,7 +75,6 @@ class AuthRequestManagerImpl(
                 emit(CreateAuthRequestResult.Error)
                 return@flow
             }
-        val authRequestResponse = initialResult.authRequestResponse
         var authRequest = initialResult.authRequest
         emit(CreateAuthRequestResult.Update(authRequest))
 
@@ -84,7 +84,7 @@ class AuthRequestManagerImpl(
             newAuthRequestService
                 .getAuthRequestUpdate(
                     requestId = authRequest.id,
-                    accessCode = authRequestResponse.accessCode,
+                    accessCode = initialResult.accessCode,
                     isSso = authRequestType.isSso,
                 )
                 .map { request ->
@@ -112,7 +112,8 @@ class AuthRequestManagerImpl(
                                 emit(
                                     CreateAuthRequestResult.Success(
                                         authRequest = updateAuthRequest,
-                                        authRequestResponse = authRequestResponse,
+                                        privateKey = initialResult.privateKey,
+                                        accessCode = initialResult.accessCode,
                                     ),
                                 )
                             }
@@ -354,6 +355,52 @@ class AuthRequestManagerImpl(
             )
     }
 
+    /**
+     * Creates a new auth request for the given email and returns a [NewAuthRequestData].
+     * If the auth request type is [AuthRequestTypeJson.ADMIN_APPROVAL], check for a
+     * pending auth request and return it if it exists we should return that request.
+     */
+    private suspend fun createNewAuthRequestIfNecessary(
+        email: String,
+        authRequestType: AuthRequestTypeJson,
+    ): Result<NewAuthRequestData> {
+        return if (authRequestType == AuthRequestTypeJson.ADMIN_APPROVAL) {
+            authDiskSource
+                .getPendingAuthRequest(requireNotNull(activeUserId))
+                ?.let { pendingAuthRequest ->
+                    authRequestsService
+                        .getAuthRequest(pendingAuthRequest.requestId)
+                        .map {
+                            NewAuthRequestData(
+                                authRequest = AuthRequest(
+                                    id = it.id,
+                                    publicKey = it.publicKey,
+                                    platform = it.platform,
+                                    ipAddress = it.ipAddress,
+                                    key = it.key,
+                                    masterPasswordHash = it.masterPasswordHash,
+                                    creationDate = it.creationDate,
+                                    responseDate = it.responseDate,
+                                    requestApproved = it.requestApproved ?: false,
+                                    originUrl = it.originUrl,
+                                    fingerprint = pendingAuthRequest.requestFingerprint,
+                                ),
+                                privateKey = pendingAuthRequest.requestPrivateKey,
+                                accessCode = pendingAuthRequest.requestAccessCode,
+                            )
+                                .asSuccess()
+                        }
+                        .getOrNull()
+                }
+                ?: createNewAuthRequest(email = email, authRequestType = authRequestType)
+        } else {
+            createNewAuthRequest(
+                email = email,
+                authRequestType = authRequestType,
+            )
+        }
+    }
+
     /**
      * Attempts to create a new auth request for the given email and returns a [NewAuthRequestData]
      * with the [AuthRequest] and [AuthRequestResponse].
@@ -381,6 +428,8 @@ class AuthRequestManagerImpl(
                                 pendingAuthRequest = PendingAuthRequestJson(
                                     requestId = it.id,
                                     requestPrivateKey = authRequestResponse.privateKey,
+                                    requestAccessCode = authRequestResponse.accessCode,
+                                    requestFingerprint = authRequestResponse.fingerprint,
                                 ),
                             )
                         }
@@ -400,7 +449,13 @@ class AuthRequestManagerImpl(
                             fingerprint = authRequestResponse.fingerprint,
                         )
                     }
-                    .map { NewAuthRequestData(it, authRequestResponse) }
+                    .map {
+                        NewAuthRequestData(
+                            authRequest = it,
+                            privateKey = authRequestResponse.privateKey,
+                            accessCode = authRequestResponse.accessCode,
+                        )
+                    }
             }
 
     private suspend fun getFingerprintPhrase(
@@ -420,5 +475,6 @@ class AuthRequestManagerImpl(
  */
 private data class NewAuthRequestData(
     val authRequest: AuthRequest,
-    val authRequestResponse: AuthRequestResponse,
+    val privateKey: String,
+    val accessCode: String,
 )

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/TrustedDeviceManagerImpl.kt

@@ -55,5 +55,5 @@ class TrustedDeviceManagerImpl(
             authDiskSource.storeIsTdeLoginComplete(userId = userId, isTdeLoginComplete = true)
         }
         .also { authDiskSource.storeShouldTrustDevice(userId = userId, shouldTrustDevice = null) }
-        .map { Unit }
+        .map { }
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/manager/model/CreateAuthRequestResult.kt

@@ -1,7 +1,5 @@
 package com.x8bit.bitwarden.data.auth.manager.model
 
-import com.bitwarden.core.AuthRequestResponse
-
 /**
  * Models result of creating a new login approval request.
  */
@@ -18,7 +16,8 @@ sealed class CreateAuthRequestResult {
      */
     data class Success(
         val authRequest: AuthRequest,
-        val authRequestResponse: AuthRequestResponse,
+        val privateKey: String,
+        val accessCode: String,
     ) : CreateAuthRequestResult()
 
     /**

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/AuthRepository.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.auth.repository
 
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.network.model.GetTokenResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorDataModel
@@ -28,6 +29,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.SwitchAccountResult
 import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePinResult
+import com.x8bit.bitwarden.data.auth.repository.model.VerifiedOrganizationDomainSsoDetailsResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifyOtpResult
 import com.x8bit.bitwarden.data.auth.repository.util.CaptchaCallbackTokenResult
 import com.x8bit.bitwarden.data.auth.repository.util.DuoCallbackTokenResult
@@ -329,6 +331,13 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
         email: String,
     ): OrganizationDomainSsoDetailsResult
 
+    /**
+     * Get the verified organization domain SSO details for the given [email].
+     */
+    suspend fun getVerifiedOrganizationDomainSsoDetails(
+        email: String,
+    ): VerifiedOrganizationDomainSsoDetailsResult
+
     /**
      * Prevalidates the organization identifier used in an SSO request.
      */
@@ -395,7 +404,17 @@ interface AuthRepository : AuthenticatorProvider, AuthRequestManager {
     fun setOnboardingStatus(userId: String, status: OnboardingStatus?)
 
     /**
-     * Update the value of the showImportLogins status for the user.
+     * Checks if a new device notice should be displayed.
      */
-    fun setShowImportLogins(showImportLogins: Boolean)
+    fun checkUserNeedsNewDeviceTwoFactorNotice(): Boolean
+
+    /**
+     * Gets the new device notice state of active user.
+     */
+    fun getNewDeviceNoticeState(): NewDeviceNoticeState?
+
+    /**
+     * Stores the new device notice state for active user.
+     */
+    fun setNewDeviceNoticeState(newState: NewDeviceNoticeState?)
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryImpl.kt

@@ -2,13 +2,14 @@ package com.x8bit.bitwarden.data.auth.repository
 
 import com.bitwarden.core.AuthRequestMethod
 import com.bitwarden.core.InitUserCryptoMethod
-import com.bitwarden.core.InitUserCryptoRequest
 import com.bitwarden.crypto.HashPurpose
 import com.bitwarden.crypto.Kdf
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.AccountTokensJson
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.ForcePasswordResetReason
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeDisplayStatus
+import com.x8bit.bitwarden.data.auth.datasource.disk.model.NewDeviceNoticeState
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.OnboardingStatus
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.DeleteAccountResponseJson
@@ -23,6 +24,7 @@ import com.x8bit.bitwarden.data.auth.datasource.network.model.RegisterResponseJs
 import com.x8bit.bitwarden.data.auth.datasource.network.model.ResendEmailRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.ResetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailRequestJson
+import com.x8bit.bitwarden.data.auth.datasource.network.model.SendVerificationEmailResponseJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.SetPasswordRequestJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TrustedDeviceUserDecryptionOptionsJson
 import com.x8bit.bitwarden.data.auth.datasource.network.model.TwoFactorAuthMethod
@@ -68,6 +70,7 @@ import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePasswordResult
 import com.x8bit.bitwarden.data.auth.repository.model.ValidatePinResult
 import com.x8bit.bitwarden.data.auth.repository.model.VaultUnlockType
+import com.x8bit.bitwarden.data.auth.repository.model.VerifiedOrganizationDomainSsoDetailsResult
 import com.x8bit.bitwarden.data.auth.repository.model.VerifyOtpResult
 import com.x8bit.bitwarden.data.auth.repository.model.toLoginErrorResult
 import com.x8bit.bitwarden.data.auth.repository.util.CaptchaCallbackTokenResult
@@ -93,6 +96,7 @@ import com.x8bit.bitwarden.data.auth.util.KdfParamsConstants.DEFAULT_PBKDF2_ITER
 import com.x8bit.bitwarden.data.auth.util.YubiKeyResult
 import com.x8bit.bitwarden.data.auth.util.toSdkParams
 import com.x8bit.bitwarden.data.platform.datasource.disk.ConfigDiskSource
+import com.x8bit.bitwarden.data.platform.datasource.network.util.isSslHandShakeError
 import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.FirstTimeActionManager
 import com.x8bit.bitwarden.data.platform.manager.LogsManager
@@ -104,6 +108,7 @@ import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
 import com.x8bit.bitwarden.data.platform.manager.util.getActivePolicies
 import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import com.x8bit.bitwarden.data.platform.repository.SettingsRepository
+import com.x8bit.bitwarden.data.platform.repository.model.Environment
 import com.x8bit.bitwarden.data.platform.repository.util.bufferedMutableSharedFlow
 import com.x8bit.bitwarden.data.platform.repository.util.toEnvironmentUrls
 import com.x8bit.bitwarden.data.platform.util.asFailure
@@ -113,7 +118,6 @@ import com.x8bit.bitwarden.data.vault.datasource.network.model.OrganizationType
 import com.x8bit.bitwarden.data.vault.datasource.network.model.PolicyTypeJson
 import com.x8bit.bitwarden.data.vault.datasource.network.model.SyncResponseJson
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
-import com.x8bit.bitwarden.data.vault.datasource.sdk.model.InitializeCryptoResult
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockData
 import com.x8bit.bitwarden.data.vault.repository.model.VaultUnlockError
@@ -140,6 +144,7 @@ import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.receiveAsFlow
 import kotlinx.coroutines.flow.stateIn
 import kotlinx.coroutines.flow.update
+import java.time.ZonedDateTime
 import javax.inject.Singleton
 
 /**
@@ -624,7 +629,12 @@ class AuthRepositoryImpl(
             )
         }
         .fold(
-            onFailure = { LoginResult.Error(errorMessage = null) },
+            onFailure = { throwable ->
+                when {
+                    throwable.isSslHandShakeError() -> LoginResult.CertificateError
+                    else -> LoginResult.Error(errorMessage = null)
+                }
+            },
             onSuccess = { it },
         )
 
@@ -1123,11 +1133,27 @@ class AuthRepositoryImpl(
                 OrganizationDomainSsoDetailsResult.Success(
                     isSsoAvailable = it.isSsoAvailable,
                     organizationIdentifier = it.organizationIdentifier,
+                    verifiedDate = it.verifiedDate,
                 )
             },
             onFailure = { OrganizationDomainSsoDetailsResult.Failure },
         )
 
+    override suspend fun getVerifiedOrganizationDomainSsoDetails(
+        email: String,
+    ): VerifiedOrganizationDomainSsoDetailsResult = organizationService
+        .getVerifiedOrganizationDomainSsoDetails(
+            email = email,
+        )
+        .fold(
+            onSuccess = {
+                VerifiedOrganizationDomainSsoDetailsResult.Success(
+                    verifiedOrganizationDomainSsoDetails = it.verifiedOrganizationDomainSsoDetails,
+                )
+            },
+            onFailure = { VerifiedOrganizationDomainSsoDetailsResult.Failure },
+        )
+
     override suspend fun prevalidateSso(
         organizationIdentifier: String,
     ): PrevalidateSsoResult = identityService
@@ -1232,41 +1258,17 @@ class AuthRepositoryImpl(
             ?.activeAccount
             ?.profile
             ?: return ValidatePinResult.Error
-        val privateKey = authDiskSource
-            .getPrivateKey(userId = activeAccount.userId)
-            ?: return ValidatePinResult.Error
         val pinProtectedUserKey = authDiskSource
             .getPinProtectedUserKey(userId = activeAccount.userId)
             ?: return ValidatePinResult.Error
-
-        // HACK: As the SDK doesn't provide a way to directly validate the pin yet, we instead
-        // try to initialize the user crypto, and if it succeeds then the PIN is correct, otherwise
-        // the PIN is incorrect.
         return vaultSdkSource
-            .initializeCrypto(
+            .validatePin(
                 userId = activeAccount.userId,
-                request = InitUserCryptoRequest(
-                    kdfParams = activeAccount.toSdkParams(),
-                    email = activeAccount.email,
-                    privateKey = privateKey,
-                    method = InitUserCryptoMethod.Pin(
-                        pin = pin,
-                        pinProtectedUserKey = pinProtectedUserKey,
-                    ),
-                ),
+                pin = pin,
+                pinProtectedUserKey = pinProtectedUserKey,
             )
             .fold(
-                onSuccess = {
-                    when (it) {
-                        InitializeCryptoResult.Success -> {
-                            ValidatePinResult.Success(isValid = true)
-                        }
-
-                        is InitializeCryptoResult.AuthenticationError -> {
-                            ValidatePinResult.Success(isValid = false)
-                        }
-                    }
-                },
+                onSuccess = { ValidatePinResult.Success(isValid = it) },
                 onFailure = { ValidatePinResult.Error },
             )
     }
@@ -1285,13 +1287,21 @@ class AuthRepositoryImpl(
             .sendVerificationEmail(
                 SendVerificationEmailRequestJson(
                     email = email,
-                    name = name,
+                    name = name.takeUnless { it.isBlank() },
                     receiveMarketingEmails = receiveMarketingEmails,
                 ),
             )
             .fold(
                 onSuccess = {
-                    SendVerificationEmailResult.Success(it)
+                    when (it) {
+                        is SendVerificationEmailResponseJson.Invalid -> {
+                            SendVerificationEmailResult.Error(it.message)
+                        }
+
+                        is SendVerificationEmailResponseJson.Success -> {
+                            SendVerificationEmailResult.Success(it.emailVerificationToken)
+                        }
+                    }
                 },
                 onFailure = {
                     SendVerificationEmailResult.Error(null)
@@ -1327,9 +1337,89 @@ class AuthRepositoryImpl(
         authDiskSource.storeOnboardingStatus(userId = userId, onboardingStatus = status)
     }
 
-    override fun setShowImportLogins(showImportLogins: Boolean) {
-        val userId: String = activeUserId ?: return
-        authDiskSource.storeShowImportLogins(userId = userId, showImportLogins = showImportLogins)
+    override fun getNewDeviceNoticeState(): NewDeviceNoticeState? {
+        return activeUserId?.let { userId ->
+            authDiskSource.getNewDeviceNoticeState(userId = userId)
+        }
+    }
+
+    override fun setNewDeviceNoticeState(newState: NewDeviceNoticeState?) {
+        activeUserId?.let { userId ->
+            authDiskSource.storeNewDeviceNoticeState(userId = userId, newState = newState)
+        }
+    }
+
+    override fun checkUserNeedsNewDeviceTwoFactorNotice(): Boolean {
+        return activeUserId?.let { userId ->
+            val temporaryFlag = featureFlagManager.getFeatureFlag(FlagKey.NewDeviceTemporaryDismiss)
+            val permanentFlag = featureFlagManager.getFeatureFlag(FlagKey.NewDevicePermanentDismiss)
+
+            // check if feature flags are disabled
+            if (!temporaryFlag && !permanentFlag) {
+                return false
+            }
+
+            if (!newDeviceNoticePreConditionsValid()) {
+                return false
+            }
+
+            val newDeviceNoticeState = authDiskSource.getNewDeviceNoticeState(userId = userId)
+            return when (newDeviceNoticeState.displayStatus) {
+                // if the user has already attested email access but permanent flag is enabled,
+                // the notice needs to appear again
+                NewDeviceNoticeDisplayStatus.CAN_ACCESS_EMAIL -> permanentFlag
+                // if the user has already seen but 7 days have already passed,
+                // the notice needs to appear again
+                NewDeviceNoticeDisplayStatus.HAS_SEEN ->
+                    newDeviceNoticeState.shouldDisplayNoticeIfSeen
+                NewDeviceNoticeDisplayStatus.HAS_NOT_SEEN -> true
+                // the user never needs to see the notice again
+                NewDeviceNoticeDisplayStatus.CAN_ACCESS_EMAIL_PERMANENT -> false
+            }
+        }
+            ?: false
+    }
+
+    /**
+     * Checks if the preconditions are met for a user to see a new device notice:
+     * - Must be a Bitwarden cloud user.
+     * - The account must be at least one week old.
+     * - Cannot have an active policy requiring SSO to be enabled.
+     * - Cannot have two-factor authentication enabled.
+     */
+    private fun newDeviceNoticePreConditionsValid(): Boolean {
+        val checkEnvironment = !featureFlagManager.getFeatureFlag(FlagKey.IgnoreEnvironmentCheck)
+        val isSelfHosted = environmentRepository.environment.type == Environment.Type.SELF_HOSTED
+        if (checkEnvironment && isSelfHosted) {
+            return false
+        }
+
+        val userProfile = authDiskSource.userState?.activeAccount?.profile
+        val isProfileAtLeastWeekOld = userProfile
+            ?.let {
+                it.creationDate
+                    ?.plusWeeks(1)
+                    ?.isBefore(
+                        ZonedDateTime.now(),
+                    )
+            }
+            ?: false
+        if (!isProfileAtLeastWeekOld) {
+            return false
+        }
+
+        val hasTwoFactorEnabled = userProfile
+            ?.isTwoFactorEnabled
+            ?: false
+        if (hasTwoFactorEnabled) {
+            return false
+        }
+
+        val hasSSOPolicy =
+            policyManager.getActivePolicies(type = PolicyTypeJson.REQUIRE_SSO)
+                .any { p -> p.isEnabled }
+
+        return !hasSSOPolicy
     }
 
     @Suppress("CyclomaticComplexMethod")
@@ -1496,9 +1586,12 @@ class AuthRepositoryImpl(
             captchaToken = captchaToken,
         )
         .fold(
-            onFailure = {
-                when (configDiskSource.serverConfig?.isOfficialBitwardenServer) {
-                    false -> LoginResult.UnofficialServerError
+            onFailure = { throwable ->
+                when {
+                    throwable.isSslHandShakeError() -> LoginResult.CertificateError
+                    configDiskSource.serverConfig?.isOfficialBitwardenServer == false -> {
+                        LoginResult.UnofficialServerError
+                    }
                     else -> LoginResult.Error(errorMessage = null)
                 }
             },

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/LoginResult.kt

@@ -28,4 +28,9 @@ sealed class LoginResult {
      * There was an error while logging into an unofficial Bitwarden server.
      */
     data object UnofficialServerError : LoginResult()
+
+    /**
+     * There was an error in validating the certificate chain for the server
+     */
+    data object CertificateError : LoginResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/OrganizationDomainSsoDetailsResult.kt

@@ -1,5 +1,7 @@
 package com.x8bit.bitwarden.data.auth.repository.model
 
+import java.time.ZonedDateTime
+
 /**
  * Response types when checking for an email's claimed domain organization.
  */
@@ -9,10 +11,12 @@ sealed class OrganizationDomainSsoDetailsResult {
      *
      * @property isSsoAvailable Indicates if SSO is available for the email address.
      * @property organizationIdentifier The claimed organization identifier for the email address.
+     * @property verifiedDate The date and time when the domain was verified.
      */
     data class Success(
         val isSsoAvailable: Boolean,
         val organizationIdentifier: String,
+        val verifiedDate: ZonedDateTime?,
     ) : OrganizationDomainSsoDetailsResult()
 
     /**

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/model/VerifiedOrganizationDomainSsoDetailsResult.kt

@@ -0,0 +1,22 @@
+package com.x8bit.bitwarden.data.auth.repository.model
+
+import com.x8bit.bitwarden.data.auth.datasource.network.model.VerifiedOrganizationDomainSsoDetailsResponse.VerifiedOrganizationDomainSsoDetail
+
+/**
+ * Response types when checking for an email's claimed domain organization.
+ */
+sealed class VerifiedOrganizationDomainSsoDetailsResult {
+    /**
+     * The request was successful.
+     *
+     * @property verifiedOrganizationDomainSsoDetails The verified organization domain SSO details.
+     */
+    data class Success(
+        val verifiedOrganizationDomainSsoDetails: List<VerifiedOrganizationDomainSsoDetail>,
+    ) : VerifiedOrganizationDomainSsoDetailsResult()
+
+    /**
+     * The request failed.
+     */
+    data object Failure : VerifiedOrganizationDomainSsoDetailsResult()
+}

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/GetTokenResponseExtensions.kt

@@ -25,6 +25,7 @@ fun GetTokenResponseJson.Success.toUserState(
             userId = userId,
             email = jwtTokenData.email,
             isEmailVerified = jwtTokenData.isEmailVerified,
+            isTwoFactorEnabled = null,
             name = jwtTokenData.name,
             stamp = null,
             organizationId = null,
@@ -36,6 +37,7 @@ fun GetTokenResponseJson.Success.toUserState(
             kdfMemory = this.kdfMemory,
             kdfParallelism = this.kdfParallelism,
             userDecryptionOptions = this.userDecryptionOptions,
+            creationDate = null,
         ),
         settings = AccountJson.Settings(
             environmentUrlData = environmentUrlData,

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/JwtTokenUtils.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.auth.repository.util
 import com.x8bit.bitwarden.data.auth.repository.model.JwtTokenDataJson
 import com.x8bit.bitwarden.data.platform.datasource.network.util.base64UrlDecodeOrNull
 import kotlinx.serialization.json.Json
+import timber.log.Timber
 
 /**
  * Internal, generally basic [Json] instance for JWT parsing purposes.
@@ -17,17 +18,24 @@ private val json: Json by lazy {
 /**
  * Parses a [JwtTokenDataJson] from the given [jwtToken], or `null` if this parsing is not possible.
  */
-@Suppress("MagicNumber")
+@Suppress("MagicNumber", "TooGenericExceptionCaught")
 fun parseJwtTokenDataOrNull(jwtToken: String): JwtTokenDataJson? {
     val parts = jwtToken.split(".")
-    if (parts.size != 3) return null
+    if (parts.size != 3) {
+        Timber.e(IllegalArgumentException("Incorrect number of parts"), "Invalid JWT Token")
+        return null
+    }
 
     val dataJson = parts[1]
-    val decodedDataJson = dataJson.base64UrlDecodeOrNull() ?: return null
+    val decodedDataJson = dataJson.base64UrlDecodeOrNull() ?: run {
+        Timber.e(IllegalArgumentException("Unable to decode"), "Invalid JWT Token")
+        return null
+    }
 
     return try {
         json.decodeFromString<JwtTokenDataJson>(decodedDataJson)
-    } catch (_: Throwable) {
+    } catch (throwable: Throwable) {
+        Timber.e(throwable, "Failed to decode JwtTokenDataJson")
         null
     }
 }

app/src/main/java/com/x8bit/bitwarden/data/auth/repository/util/UserStateJsonExtensions.kt

@@ -59,6 +59,8 @@ fun UserStateJson.toUpdatedUserStateJson(
             avatarColorHex = syncProfile.avatarColor,
             stamp = syncProfile.securityStamp,
             hasPremium = syncProfile.isPremium || syncProfile.isPremiumFromOrganization,
+            isTwoFactorEnabled = syncProfile.isTwoFactorEnabled,
+            creationDate = syncProfile.creationDate,
         )
     val updatedAccount = account.copy(profile = updatedProfile)
     return this

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/BitwardenAccessibilityService.kt

@@ -22,8 +22,7 @@ class BitwardenAccessibilityService : AccessibilityService() {
     lateinit var processor: BitwardenAccessibilityProcessor
 
     override fun onAccessibilityEvent(event: AccessibilityEvent) {
-        if (rootInActiveWindow?.packageName != event.packageName) return
-        processor.processAccessibilityEvent(rootAccessibilityNodeInfo = rootInActiveWindow)
+        processor.processAccessibilityEvent(event = event) { rootInActiveWindow }
     }
 
     override fun onInterrupt() = Unit

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/di/AccessibilityModule.kt

@@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.autofill.accessibility.di
 import android.content.Context
 import android.content.pm.PackageManager
 import android.os.PowerManager
+import android.view.accessibility.AccessibilityManager
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityAutofillManager
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityAutofillManagerImpl
 import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityCompletionManager
@@ -55,8 +56,12 @@ object AccessibilityModule {
 
     @Singleton
     @Provides
-    fun providesAccessibilityEnabledManager(): AccessibilityEnabledManager =
-        AccessibilityEnabledManagerImpl()
+    fun providesAccessibilityEnabledManager(
+        accessibilityManager: AccessibilityManager,
+    ): AccessibilityEnabledManager =
+        AccessibilityEnabledManagerImpl(
+            accessibilityManager = accessibilityManager,
+        )
 
     @Singleton
     @Provides
@@ -110,6 +115,12 @@ object AccessibilityModule {
         @ApplicationContext context: Context,
     ): PackageManager = context.packageManager
 
+    @Singleton
+    @Provides
+    fun provideAccessibilityManager(
+        @ApplicationContext context: Context,
+    ): AccessibilityManager = context.getSystemService(AccessibilityManager::class.java)
+
     @Singleton
     @Provides
     fun providesPowerManager(

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/di/ActivityAccessibilityModule.kt

@@ -1,36 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.accessibility.di
-
-import android.content.Context
-import androidx.lifecycle.LifecycleCoroutineScope
-import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityActivityManager
-import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityActivityManagerImpl
-import com.x8bit.bitwarden.data.autofill.accessibility.manager.AccessibilityEnabledManager
-import com.x8bit.bitwarden.data.platform.manager.AppForegroundManager
-import dagger.Module
-import dagger.Provides
-import dagger.hilt.InstallIn
-import dagger.hilt.android.components.ActivityComponent
-import dagger.hilt.android.qualifiers.ApplicationContext
-import dagger.hilt.android.scopes.ActivityScoped
-
-/**
- * Provides dependencies within the accessibility package scoped to the activity.
- */
-@Module
-@InstallIn(ActivityComponent::class)
-object ActivityAccessibilityModule {
-    @ActivityScoped
-    @Provides
-    fun providesAccessibilityActivityManager(
-        @ApplicationContext context: Context,
-        accessibilityEnabledManager: AccessibilityEnabledManager,
-        appForegroundManager: AppForegroundManager,
-        lifecycleScope: LifecycleCoroutineScope,
-    ): AccessibilityActivityManager =
-        AccessibilityActivityManagerImpl(
-            context = context,
-            accessibilityEnabledManager = accessibilityEnabledManager,
-            appForegroundManager = appForegroundManager,
-            lifecycleScope = lifecycleScope,
-        )
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityActivityManager.kt

@@ -1,10 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.accessibility.manager
-
-import android.app.Activity
-
-/**
- * A helper for dealing with accessibility configuration that must be scoped to a specific
- * [Activity]. In particular, this should be injected into an [Activity] to ensure that the
- * [AccessibilityEnabledManager] reports correct values.
- */
-interface AccessibilityActivityManager

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityActivityManagerImpl.kt

@@ -1,28 +0,0 @@
-package com.x8bit.bitwarden.data.autofill.accessibility.manager
-
-import android.content.Context
-import androidx.lifecycle.LifecycleCoroutineScope
-import com.x8bit.bitwarden.data.autofill.accessibility.util.isAccessibilityServiceEnabled
-import com.x8bit.bitwarden.data.platform.manager.AppForegroundManager
-import kotlinx.coroutines.flow.launchIn
-import kotlinx.coroutines.flow.onEach
-
-/**
- * The default implementation of the [AccessibilityActivityManager].
- */
-class AccessibilityActivityManagerImpl(
-    private val context: Context,
-    private val accessibilityEnabledManager: AccessibilityEnabledManager,
-    appForegroundManager: AppForegroundManager,
-    lifecycleScope: LifecycleCoroutineScope,
-) : AccessibilityActivityManager {
-    init {
-        appForegroundManager
-            .appForegroundStateFlow
-            .onEach {
-                accessibilityEnabledManager.isAccessibilityEnabled =
-                    context.isAccessibilityServiceEnabled
-            }
-            .launchIn(lifecycleScope)
-    }
-}

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityCompletionManagerImpl.kt

@@ -26,18 +26,18 @@ class AccessibilityCompletionManagerImpl(
             .intent
             ?.getAutofillSelectionDataOrNull()
             ?: run {
-                activity.finish()
+                activity.finishAndRemoveTask()
                 return
             }
         if (autofillSelectionData.framework != AutofillSelectionData.Framework.ACCESSIBILITY) {
-            activity.finish()
+            activity.finishAndRemoveTask()
             return
         }
         val uri = autofillSelectionData
             .uri
             ?.toUriOrNull()
             ?: run {
-                activity.finish()
+                activity.finishAndRemoveTask()
                 return
             }
 
@@ -47,7 +47,7 @@ class AccessibilityCompletionManagerImpl(
         )
         mainScope.launch {
             totpManager.tryCopyTotpToClipboard(cipherView = cipherView)
-            activity.finish()
         }
+        activity.finishAndRemoveTask()
     }
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityEnabledManager.kt

@@ -7,15 +7,7 @@ import kotlinx.coroutines.flow.StateFlow
  */
 interface AccessibilityEnabledManager {
     /**
-     * Whether or not the accessibility service should be considered enabled.
-     *
-     * Note that changing this does not enable or disable autofill; it is only an indicator that
-     * this has occurred elsewhere.
-     */
-    var isAccessibilityEnabled: Boolean
-
-    /**
-     * Emits updates that track [isAccessibilityEnabled] values.
+     * Emits updates that track whether the accessibility autofill service is enabled..
      */
     val isAccessibilityEnabledStateFlow: StateFlow<Boolean>
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/manager/AccessibilityEnabledManagerImpl.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.autofill.accessibility.manager
 
+import android.view.accessibility.AccessibilityManager
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.StateFlow
 import kotlinx.coroutines.flow.asStateFlow
@@ -7,14 +8,18 @@ import kotlinx.coroutines.flow.asStateFlow
 /**
  * The default implementation of [AccessibilityEnabledManager].
  */
-class AccessibilityEnabledManagerImpl : AccessibilityEnabledManager {
+class AccessibilityEnabledManagerImpl(
+    accessibilityManager: AccessibilityManager,
+) : AccessibilityEnabledManager {
     private val mutableIsAccessibilityEnabledStateFlow = MutableStateFlow(value = false)
 
-    override var isAccessibilityEnabled: Boolean
-        get() = mutableIsAccessibilityEnabledStateFlow.value
-        set(value) {
-            mutableIsAccessibilityEnabledStateFlow.value = value
-        }
+    init {
+        accessibilityManager.addAccessibilityStateChangeListener(
+            AccessibilityManager.AccessibilityStateChangeListener { isEnabled ->
+                mutableIsAccessibilityEnabledStateFlow.value = isEnabled
+            },
+        )
+    }
 
     override val isAccessibilityEnabledStateFlow: StateFlow<Boolean>
         get() = mutableIsAccessibilityEnabledStateFlow.asStateFlow()

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/model/FillableFields.kt

@@ -8,4 +8,6 @@ import android.view.accessibility.AccessibilityNodeInfo
 data class FillableFields(
     val usernameField: AccessibilityNodeInfo?,
     val passwordFields: List<AccessibilityNodeInfo>,
-)
+) {
+    val hasFields: Boolean = usernameField != null || passwordFields.isNotEmpty()
+}

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/processor/BitwardenAccessibilityProcessor.kt

@@ -1,5 +1,6 @@
 package com.x8bit.bitwarden.data.autofill.accessibility.processor
 
+import android.view.accessibility.AccessibilityEvent
 import android.view.accessibility.AccessibilityNodeInfo
 
 /**
@@ -7,7 +8,12 @@ import android.view.accessibility.AccessibilityNodeInfo
  */
 interface BitwardenAccessibilityProcessor {
     /**
-     * Processes the [AccessibilityNodeInfo] for autofill options.
+     * Processes the [AccessibilityEvent] for autofill options and grant access to the current
+     * [AccessibilityNodeInfo] via the [rootAccessibilityNodeInfoProvider] (note that calling the
+     * `rootAccessibilityNodeInfoProvider` is expensive).
      */
-    fun processAccessibilityEvent(rootAccessibilityNodeInfo: AccessibilityNodeInfo?)
+    fun processAccessibilityEvent(
+        event: AccessibilityEvent,
+        rootAccessibilityNodeInfoProvider: () -> AccessibilityNodeInfo?,
+    )
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/processor/BitwardenAccessibilityProcessorImpl.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.autofill.accessibility.processor
 
 import android.content.Context
 import android.os.PowerManager
+import android.view.accessibility.AccessibilityEvent
 import android.view.accessibility.AccessibilityNodeInfo
 import android.widget.Toast
 import com.x8bit.bitwarden.R
@@ -25,37 +26,48 @@ class BitwardenAccessibilityProcessorImpl(
     private val launcherPackageNameManager: LauncherPackageNameManager,
     private val powerManager: PowerManager,
 ) : BitwardenAccessibilityProcessor {
-    override fun processAccessibilityEvent(rootAccessibilityNodeInfo: AccessibilityNodeInfo?) {
-        val rootNode = rootAccessibilityNodeInfo ?: return
+    override fun processAccessibilityEvent(
+        event: AccessibilityEvent,
+        rootAccessibilityNodeInfoProvider: () -> AccessibilityNodeInfo?,
+    ) {
+        val eventNode = event.source ?: return
         // Ignore the event when the phone is inactive
         if (!powerManager.isInteractive) return
         // We skip if the system package
-        if (rootNode.isSystemPackage) return
-        // We skip any package that is a launcher or unsupported
-        if (rootNode.shouldSkipPackage ||
-            launcherPackageNameManager.launcherPackages.any { it == rootNode.packageName }
-        ) {
-            // Clear the action since this event needs to be ignored completely
-            accessibilityAutofillManager.accessibilityAction = null
+        if (eventNode.isSystemPackage) return
+        // We skip any package that is unsupported
+        if (eventNode.shouldSkipPackage) return
+        // We skip any package that is a launcher
+        if (launcherPackageNameManager.launcherPackages.any { it == eventNode.packageName }) {
             return
         }
 
         // Only process the event if the tile was clicked
         val accessibilityAction = accessibilityAutofillManager.accessibilityAction ?: return
+        // We only call for the root node once after all other checks
+        // have passed because it is significant performance hit
+        if (rootAccessibilityNodeInfoProvider()?.packageName != event.packageName) return
+
+        // Clear the action since we are now acting on it
         accessibilityAutofillManager.accessibilityAction = null
 
         when (accessibilityAction) {
             is AccessibilityAction.AttemptFill -> {
-                handleAttemptFill(rootNode = rootNode, attemptFill = accessibilityAction)
+                handleAttemptFill(rootNode = eventNode, attemptFill = accessibilityAction)
             }
 
-            AccessibilityAction.AttemptParseUri -> handleAttemptParseUri(rootNode = rootNode)
+            AccessibilityAction.AttemptParseUri -> handleAttemptParseUri(rootNode = eventNode)
         }
     }
 
     private fun handleAttemptParseUri(rootNode: AccessibilityNodeInfo) {
         accessibilityParser
             .parseForUriOrPackageName(rootNode = rootNode)
+            ?.takeIf {
+                accessibilityParser
+                    .parseForFillableFields(rootNode = rootNode, uri = it)
+                    .hasFields
+            }
             ?.let { uri ->
                 context.startActivity(
                     createAutofillSelectionIntent(

app/src/main/java/com/x8bit/bitwarden/data/autofill/accessibility/util/BrowserUtil.kt

@@ -128,6 +128,11 @@ private val ACCESSIBILITY_SUPPORTED_BROWSERS = listOf(
         // 2nd = Anticipation
         possibleUrlFieldIds = listOf("url_bar_title", "mozac_browser_toolbar_url_view"),
     ),
+    Browser(
+        packageName = "org.ironfoxoss.ironfox",
+        // 2nd = Legacy
+        possibleUrlFieldIds = listOf("mozac_browser_toolbar_url_view", "url_bar_title"),
+    ),
     Browser(packageName = "org.mozilla.fenix", urlFieldId = "mozac_browser_toolbar_url_view"),
     // [DEPRECATED ENTRY]
     Browser(

app/src/main/java/com/x8bit/bitwarden/data/autofill/di/ActivityAutofillModule.kt

@@ -8,7 +8,7 @@ import androidx.lifecycle.lifecycleScope
 import com.x8bit.bitwarden.data.autofill.manager.AutofillActivityManager
 import com.x8bit.bitwarden.data.autofill.manager.AutofillActivityManagerImpl
 import com.x8bit.bitwarden.data.autofill.manager.AutofillEnabledManager
-import com.x8bit.bitwarden.data.platform.manager.AppForegroundManager
+import com.x8bit.bitwarden.data.platform.manager.AppStateManager
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -27,13 +27,13 @@ object ActivityAutofillModule {
     @Provides
     fun provideAutofillActivityManager(
         @ActivityScopedManager autofillManager: AutofillManager,
-        appForegroundManager: AppForegroundManager,
+        appStateManager: AppStateManager,
         autofillEnabledManager: AutofillEnabledManager,
         lifecycleScope: LifecycleCoroutineScope,
     ): AutofillActivityManager =
         AutofillActivityManagerImpl(
             autofillManager = autofillManager,
-            appForegroundManager = appForegroundManager,
+            appStateManager = appStateManager,
             autofillEnabledManager = autofillEnabledManager,
             lifecycleScope = lifecycleScope,
         )

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/api/DigitalAssetLinkApi.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.api
 
 import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.model.NetworkResult
 import retrofit2.http.GET
 import retrofit2.http.Url
 
@@ -15,5 +16,5 @@ interface DigitalAssetLinkApi {
     @GET
     suspend fun getDigitalAssetLinks(
         @Url url: String,
-    ): Result<List<DigitalAssetLinkResponseJson>>
+    ): NetworkResult<List<DigitalAssetLinkResponseJson>>
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/datasource/network/service/DigitalAssetLinkServiceImpl.kt

@@ -2,6 +2,7 @@ package com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service
 
 import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.api.DigitalAssetLinkApi
 import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
+import com.x8bit.bitwarden.data.platform.datasource.network.util.toResult
 
 /**
  * Primary implementation of [DigitalAssetLinkService].
@@ -18,4 +19,5 @@ class DigitalAssetLinkServiceImpl(
             .getDigitalAssetLinks(
                 url = "$scheme$relyingParty/.well-known/assetlinks.json",
             )
+            .toResult()
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/di/Fido2ProviderModule.kt

@@ -8,9 +8,13 @@ import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
 import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
 import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManagerImpl
+import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2OriginManager
+import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2OriginManagerImpl
 import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessor
 import com.x8bit.bitwarden.data.autofill.fido2.processor.Fido2ProviderProcessorImpl
 import com.x8bit.bitwarden.data.platform.manager.AssetManager
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
+import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.dispatcher.DispatcherManager
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
@@ -42,6 +46,8 @@ object Fido2ProviderModule {
         fido2CredentialManager: Fido2CredentialManager,
         dispatcherManager: DispatcherManager,
         intentManager: IntentManager,
+        biometricsEncryptionManager: BiometricsEncryptionManager,
+        featureFlagManager: FeatureFlagManager,
         clock: Clock,
     ): Fido2ProviderProcessor =
         Fido2ProviderProcessorImpl(
@@ -52,23 +58,34 @@ object Fido2ProviderModule {
             fido2CredentialManager,
             intentManager,
             clock,
+            biometricsEncryptionManager,
+            featureFlagManager,
             dispatcherManager,
         )
 
     @Provides
     @Singleton
     fun provideFido2CredentialManager(
-        assetManager: AssetManager,
-        digitalAssetLinkService: DigitalAssetLinkService,
         vaultSdkSource: VaultSdkSource,
         fido2CredentialStore: Fido2CredentialStore,
+        fido2OriginManager: Fido2OriginManager,
         json: Json,
     ): Fido2CredentialManager =
         Fido2CredentialManagerImpl(
-            assetManager = assetManager,
-            digitalAssetLinkService = digitalAssetLinkService,
             vaultSdkSource = vaultSdkSource,
             fido2CredentialStore = fido2CredentialStore,
+            fido2OriginManager = fido2OriginManager,
             json = json,
         )
+
+    @Provides
+    @Singleton
+    fun provideFido2OriginManager(
+        assetManager: AssetManager,
+        digitalAssetLinkService: DigitalAssetLinkService,
+    ): Fido2OriginManager =
+        Fido2OriginManagerImpl(
+            assetManager = assetManager,
+            digitalAssetLinkService = digitalAssetLinkService,
+        )
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2CredentialManager.kt

@@ -1,12 +1,10 @@
 package com.x8bit.bitwarden.data.autofill.fido2.manager
 
-import androidx.credentials.provider.CallingAppInfo
 import com.bitwarden.vault.CipherView
+import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CreateCredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2RegisterCredentialResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAssertionOptions
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAttestationOptions
 
@@ -26,14 +24,6 @@ interface Fido2CredentialManager {
      */
     var authenticationAttempts: Int
 
-    /**
-     * Attempt to validate the RP and origin of the provided [callingAppInfo] and [relyingPartyId].
-     */
-    suspend fun validateOrigin(
-        callingAppInfo: CallingAppInfo,
-        relyingPartyId: String,
-    ): Fido2ValidateOriginResult
-
     /**
      * Attempt to extract FIDO 2 passkey attestation options from the system [requestJson], or null.
      */
@@ -53,7 +43,7 @@ interface Fido2CredentialManager {
      */
     suspend fun registerFido2Credential(
         userId: String,
-        fido2CredentialRequest: Fido2CredentialRequest,
+        fido2CreateCredentialRequest: Fido2CreateCredentialRequest,
         selectedCipherView: CipherView,
     ): Fido2RegisterCredentialResult
 

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2CredentialManagerImpl.kt

@@ -6,21 +6,17 @@ import com.bitwarden.fido.Origin
 import com.bitwarden.fido.UnverifiedAssetLink
 import com.bitwarden.sdk.Fido2CredentialStore
 import com.bitwarden.vault.CipherView
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
-import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
+import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CreateCredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionResult
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2RegisterCredentialResult
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAssertionOptions
 import com.x8bit.bitwarden.data.autofill.fido2.model.PasskeyAttestationOptions
-import com.x8bit.bitwarden.data.platform.manager.AssetManager
 import com.x8bit.bitwarden.data.platform.util.decodeFromStringOrNull
 import com.x8bit.bitwarden.data.platform.util.getAppOrigin
 import com.x8bit.bitwarden.data.platform.util.getAppSigningSignatureFingerprint
 import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
-import com.x8bit.bitwarden.data.platform.util.validatePrivilegedApp
 import com.x8bit.bitwarden.data.vault.datasource.sdk.VaultSdkSource
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.AuthenticateFido2CredentialRequest
 import com.x8bit.bitwarden.data.vault.datasource.sdk.model.RegisterFido2CredentialRequest
@@ -31,18 +27,14 @@ import kotlinx.serialization.SerializationException
 import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 
-private const val GOOGLE_ALLOW_LIST_FILE_NAME = "fido2_privileged_google.json"
-private const val COMMUNITY_ALLOW_LIST_FILE_NAME = "fido2_privileged_community.json"
-
 /**
  * Primary implementation of [Fido2CredentialManager].
  */
 @Suppress("TooManyFunctions")
 class Fido2CredentialManagerImpl(
-    private val assetManager: AssetManager,
-    private val digitalAssetLinkService: DigitalAssetLinkService,
     private val vaultSdkSource: VaultSdkSource,
     private val fido2CredentialStore: Fido2CredentialStore,
+    private val fido2OriginManager: Fido2OriginManager,
     private val json: Json,
 ) : Fido2CredentialManager,
     Fido2CredentialStore by fido2CredentialStore {
@@ -53,31 +45,31 @@ class Fido2CredentialManagerImpl(
 
     override suspend fun registerFido2Credential(
         userId: String,
-        fido2CredentialRequest: Fido2CredentialRequest,
+        fido2CreateCredentialRequest: Fido2CreateCredentialRequest,
         selectedCipherView: CipherView,
     ): Fido2RegisterCredentialResult {
-        val clientData = if (fido2CredentialRequest.callingAppInfo.isOriginPopulated()) {
-            fido2CredentialRequest
+        val clientData = if (fido2CreateCredentialRequest.callingAppInfo.isOriginPopulated()) {
+            fido2CreateCredentialRequest
                 .callingAppInfo
                 .getAppSigningSignatureFingerprint()
                 ?.let { ClientData.DefaultWithCustomHash(hash = it) }
                 ?: return Fido2RegisterCredentialResult.Error
         } else {
             ClientData.DefaultWithExtraData(
-                androidPackageName = fido2CredentialRequest
+                androidPackageName = fido2CreateCredentialRequest
                     .callingAppInfo
                     .packageName,
             )
         }
-        val assetLinkUrl = fido2CredentialRequest
+        val assetLinkUrl = fido2CreateCredentialRequest
             .origin
-            ?: getOriginUrlFromAttestationOptionsOrNull(fido2CredentialRequest.requestJson)
+            ?: getOriginUrlFromAttestationOptionsOrNull(fido2CreateCredentialRequest.requestJson)
             ?: return Fido2RegisterCredentialResult.Error
 
         val origin = Origin.Android(
             UnverifiedAssetLink(
-                packageName = fido2CredentialRequest.packageName,
-                sha256CertFingerprint = fido2CredentialRequest
+                packageName = fido2CreateCredentialRequest.packageName,
+                sha256CertFingerprint = fido2CreateCredentialRequest
                     .callingAppInfo
                     .getSignatureFingerprintAsHexString()
                     ?: return Fido2RegisterCredentialResult.Error,
@@ -91,7 +83,7 @@ class Fido2CredentialManagerImpl(
                 request = RegisterFido2CredentialRequest(
                     userId = userId,
                     origin = origin,
-                    requestJson = """{"publicKey": ${fido2CredentialRequest.requestJson}}""",
+                    requestJson = """{"publicKey": ${fido2CreateCredentialRequest.requestJson}}""",
                     clientData = clientData,
                     selectedCipherView = selectedCipherView,
                     // User verification is handled prior to engaging the SDK. We always respond
@@ -108,16 +100,14 @@ class Fido2CredentialManagerImpl(
             )
     }
 
-    override suspend fun validateOrigin(
+    private suspend fun validateOrigin(
         callingAppInfo: CallingAppInfo,
         relyingPartyId: String,
-    ): Fido2ValidateOriginResult {
-        return if (callingAppInfo.isOriginPopulated()) {
-            validatePrivilegedAppOrigin(callingAppInfo)
-        } else {
-            validateCallingApplicationAssetLinks(callingAppInfo, relyingPartyId)
-        }
-    }
+    ): Fido2ValidateOriginResult = fido2OriginManager
+        .validateOrigin(
+            callingAppInfo = callingAppInfo,
+            relyingPartyId = relyingPartyId,
+        )
 
     override fun getPasskeyAttestationOptionsOrNull(
         requestJson: String,
@@ -168,7 +158,7 @@ class Fido2CredentialManagerImpl(
                 Fido2CredentialAssertionResult.Error
             }
 
-            Fido2ValidateOriginResult.Success -> {
+            is Fido2ValidateOriginResult.Success -> {
                 vaultSdkSource
                     .authenticateFido2Credential(
                         request = AuthenticateFido2CredentialRequest(
@@ -200,127 +190,6 @@ class Fido2CredentialManagerImpl(
         }
     }
 
-    private suspend fun validateCallingApplicationAssetLinks(
-        callingAppInfo: CallingAppInfo,
-        relyingPartyId: String,
-    ): Fido2ValidateOriginResult {
-        return digitalAssetLinkService
-            .getDigitalAssetLinkForRp(relyingParty = relyingPartyId)
-            .onFailure {
-                return Fido2ValidateOriginResult.Error.AssetLinkNotFound
-            }
-            .map { statements ->
-                statements
-                    .filterMatchingAppStatementsOrNull(
-                        rpPackageName = callingAppInfo.packageName,
-                    )
-                    ?: return Fido2ValidateOriginResult.Error.ApplicationNotFound
-            }
-            .map { matchingStatements ->
-                callingAppInfo
-                    .getSignatureFingerprintAsHexString()
-                    ?.let { certificateFingerprint ->
-                        matchingStatements
-                            .filterMatchingAppSignaturesOrNull(
-                                signature = certificateFingerprint,
-                            )
-                    }
-                    ?: return Fido2ValidateOriginResult.Error.ApplicationNotVerified
-            }
-            .fold(
-                onSuccess = {
-                    Fido2ValidateOriginResult.Success
-                },
-                onFailure = {
-                    Fido2ValidateOriginResult.Error.Unknown
-                },
-            )
-    }
-
-    private suspend fun validatePrivilegedAppOrigin(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult {
-        val googleAllowListResult =
-            validatePrivilegedAppSignatureWithGoogleList(callingAppInfo)
-        return when (googleAllowListResult) {
-            is Fido2ValidateOriginResult.Success -> {
-                // Application was found and successfully validated against the Google allow list so
-                // we can return the result as the final validation result.
-                googleAllowListResult
-            }
-
-            is Fido2ValidateOriginResult.Error -> {
-                // Check the community allow list if the Google allow list failed, and return the
-                // result as the final validation result.
-                validatePrivilegedAppSignatureWithCommunityList(callingAppInfo)
-            }
-        }
-    }
-
-    private suspend fun validatePrivilegedAppSignatureWithGoogleList(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult =
-        validatePrivilegedAppSignatureWithAllowList(
-            callingAppInfo = callingAppInfo,
-            fileName = GOOGLE_ALLOW_LIST_FILE_NAME,
-        )
-
-    private suspend fun validatePrivilegedAppSignatureWithCommunityList(
-        callingAppInfo: CallingAppInfo,
-    ): Fido2ValidateOriginResult =
-        validatePrivilegedAppSignatureWithAllowList(
-            callingAppInfo = callingAppInfo,
-            fileName = COMMUNITY_ALLOW_LIST_FILE_NAME,
-        )
-
-    private suspend fun validatePrivilegedAppSignatureWithAllowList(
-        callingAppInfo: CallingAppInfo,
-        fileName: String,
-    ): Fido2ValidateOriginResult =
-        assetManager
-            .readAsset(fileName)
-            .map { allowList ->
-                callingAppInfo.validatePrivilegedApp(
-                    allowList = allowList,
-                )
-            }
-            .fold(
-                onSuccess = { it },
-                onFailure = { Fido2ValidateOriginResult.Error.Unknown },
-            )
-
-    /**
-     * Returns statements targeting the calling Android application, or null.
-     */
-    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppStatementsOrNull(
-        rpPackageName: String,
-    ): List<DigitalAssetLinkResponseJson>? =
-        filter { statement ->
-            val target = statement.target
-            target.namespace == "android_app" &&
-                target.packageName == rpPackageName &&
-                statement.relation.containsAll(
-                    listOf(
-                        "delegate_permission/common.get_login_creds",
-                        "delegate_permission/common.handle_all_urls",
-                    ),
-                )
-        }
-            .takeUnless { it.isEmpty() }
-
-    /**
-     * Returns statements that match the given [signature], or null.
-     */
-    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppSignaturesOrNull(
-        signature: String,
-    ): List<DigitalAssetLinkResponseJson>? =
-        filter { statement ->
-            statement.target.sha256CertFingerprints
-                ?.contains(signature)
-                ?: false
-        }
-            .takeUnless { it.isEmpty() }
-
     override fun hasAuthenticationAttemptsRemaining(): Boolean =
         authenticationAttempts < MAX_AUTHENTICATION_ATTEMPTS
 

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2OriginManager.kt

@@ -0,0 +1,32 @@
+package com.x8bit.bitwarden.data.autofill.fido2.manager
+
+import androidx.credentials.provider.CallingAppInfo
+import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
+
+/**
+ * Responsible for managing FIDO2 origin validation.
+ */
+interface Fido2OriginManager {
+
+    /**
+     * Validates the origin of a calling app.
+     *
+     * @param callingAppInfo The calling app info.
+     * @param relyingPartyId The relying party ID.
+     *
+     * @return The result of the validation.
+     */
+    suspend fun validateOrigin(
+        callingAppInfo: CallingAppInfo,
+        relyingPartyId: String,
+    ): Fido2ValidateOriginResult
+
+    /**
+     * Returns the privileged app origin, or null if the calling app is not allowed.
+     *
+     * @param callingAppInfo The calling app info.
+     *
+     * @return The privileged app origin, or null.
+     */
+    suspend fun getPrivilegedAppOriginOrNull(callingAppInfo: CallingAppInfo): String?
+}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/manager/Fido2OriginManagerImpl.kt

@@ -0,0 +1,172 @@
+package com.x8bit.bitwarden.data.autofill.fido2.manager
+
+import androidx.credentials.provider.CallingAppInfo
+import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.model.DigitalAssetLinkResponseJson
+import com.x8bit.bitwarden.data.autofill.fido2.datasource.network.service.DigitalAssetLinkService
+import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2ValidateOriginResult
+import com.x8bit.bitwarden.data.platform.manager.AssetManager
+import com.x8bit.bitwarden.data.platform.util.getSignatureFingerprintAsHexString
+import com.x8bit.bitwarden.data.platform.util.validatePrivilegedApp
+import timber.log.Timber
+
+private const val GOOGLE_ALLOW_LIST_FILE_NAME = "fido2_privileged_google.json"
+private const val COMMUNITY_ALLOW_LIST_FILE_NAME = "fido2_privileged_community.json"
+
+/**
+ * Primary implementation of [Fido2OriginManager].
+ */
+@Suppress("TooManyFunctions")
+class Fido2OriginManagerImpl(
+    private val assetManager: AssetManager,
+    private val digitalAssetLinkService: DigitalAssetLinkService,
+) : Fido2OriginManager {
+
+    override suspend fun validateOrigin(
+        callingAppInfo: CallingAppInfo,
+        relyingPartyId: String,
+    ): Fido2ValidateOriginResult {
+        return if (callingAppInfo.isOriginPopulated()) {
+            validatePrivilegedAppOrigin(callingAppInfo)
+        } else {
+            validateCallingApplicationAssetLinks(callingAppInfo, relyingPartyId)
+        }
+    }
+
+    override suspend fun getPrivilegedAppOriginOrNull(callingAppInfo: CallingAppInfo): String? {
+        if (!callingAppInfo.isOriginPopulated()) return null
+        return callingAppInfo.getOrigin(getGoogleAllowListOrNull().orEmpty())
+            ?: callingAppInfo.getOrigin(getCommunityAllowListOrNull().orEmpty())
+                ?.takeUnless { !callingAppInfo.isOriginPopulated() }
+    }
+
+    private suspend fun validateCallingApplicationAssetLinks(
+        callingAppInfo: CallingAppInfo,
+        relyingPartyId: String,
+    ): Fido2ValidateOriginResult = digitalAssetLinkService
+        .getDigitalAssetLinkForRp(relyingParty = relyingPartyId)
+        .onFailure {
+            return Fido2ValidateOriginResult.Error.AssetLinkNotFound
+        }
+        .mapCatching { statements ->
+            statements
+                .filterMatchingAppStatementsOrNull(
+                    rpPackageName = callingAppInfo.packageName,
+                )
+                ?: return Fido2ValidateOriginResult.Error.ApplicationNotFound
+        }
+        .mapCatching { matchingStatements ->
+            callingAppInfo
+                .getSignatureFingerprintAsHexString()
+                ?.let { certificateFingerprint ->
+                    matchingStatements
+                        .filterMatchingAppSignaturesOrNull(
+                            signature = certificateFingerprint,
+                        )
+                }
+                ?: return Fido2ValidateOriginResult.Error.ApplicationFingerprintNotVerified
+        }
+        .fold(
+            onSuccess = {
+                Fido2ValidateOriginResult.Success(null)
+            },
+            onFailure = {
+                Fido2ValidateOriginResult.Error.Unknown
+            },
+        )
+
+    private suspend fun validatePrivilegedAppOrigin(
+        callingAppInfo: CallingAppInfo,
+    ): Fido2ValidateOriginResult {
+        val googleAllowListResult =
+            validatePrivilegedAppSignatureWithGoogleList(callingAppInfo)
+        return when (googleAllowListResult) {
+            is Fido2ValidateOriginResult.Success -> {
+                // Application was found and successfully validated against the Google allow list so
+                // we can return the result as the final validation result.
+                googleAllowListResult
+            }
+
+            is Fido2ValidateOriginResult.Error -> {
+                // Check the community allow list if the Google allow list failed, and return the
+                // result as the final validation result.
+                validatePrivilegedAppSignatureWithCommunityList(callingAppInfo)
+            }
+        }
+    }
+
+    private suspend fun validatePrivilegedAppSignatureWithGoogleList(
+        callingAppInfo: CallingAppInfo,
+    ): Fido2ValidateOriginResult =
+        validatePrivilegedAppSignatureWithAllowList(
+            callingAppInfo = callingAppInfo,
+            fileName = GOOGLE_ALLOW_LIST_FILE_NAME,
+        )
+
+    private suspend fun validatePrivilegedAppSignatureWithCommunityList(
+        callingAppInfo: CallingAppInfo,
+    ): Fido2ValidateOriginResult =
+        validatePrivilegedAppSignatureWithAllowList(
+            callingAppInfo = callingAppInfo,
+            fileName = COMMUNITY_ALLOW_LIST_FILE_NAME,
+        )
+
+    private suspend fun validatePrivilegedAppSignatureWithAllowList(
+        callingAppInfo: CallingAppInfo,
+        fileName: String,
+    ): Fido2ValidateOriginResult =
+        assetManager
+            .readAsset(fileName)
+            .mapCatching { allowList ->
+                callingAppInfo.validatePrivilegedApp(
+                    allowList = allowList,
+                )
+            }
+            .fold(
+                onSuccess = { it },
+                onFailure = { Fido2ValidateOriginResult.Error.Unknown },
+            )
+
+    /**
+     * Returns statements targeting the calling Android application, or null.
+     */
+    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppStatementsOrNull(
+        rpPackageName: String,
+    ): List<DigitalAssetLinkResponseJson>? =
+        filter { statement ->
+            val target = statement.target
+            target.namespace == "android_app" &&
+                target.packageName == rpPackageName &&
+                statement.relation.containsAll(
+                    listOf(
+                        "delegate_permission/common.get_login_creds",
+                        "delegate_permission/common.handle_all_urls",
+                    ),
+                )
+        }
+            .takeUnless { it.isEmpty() }
+
+    /**
+     * Returns statements that match the given [signature], or null.
+     */
+    private fun List<DigitalAssetLinkResponseJson>.filterMatchingAppSignaturesOrNull(
+        signature: String,
+    ): List<DigitalAssetLinkResponseJson>? =
+        filter { statement ->
+            statement.target.sha256CertFingerprints
+                ?.contains(signature)
+                ?: false
+        }
+            .takeUnless { it.isEmpty() }
+
+    private suspend fun getGoogleAllowListOrNull(): String? =
+        assetManager
+            .readAsset(GOOGLE_ALLOW_LIST_FILE_NAME)
+            .onFailure { Timber.e(it, "Failed to read Google allow list.") }
+            .getOrNull()
+
+    private suspend fun getCommunityAllowListOrNull(): String? =
+        assetManager
+            .readAsset(COMMUNITY_ALLOW_LIST_FILE_NAME)
+            .onFailure { Timber.e(it, "Failed to read Community allow list.") }
+            .getOrNull()
+}

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/model/Fido2CreateCredentialRequest.kt

@@ -14,12 +14,13 @@ import kotlinx.parcelize.Parcelize
  * @property callingAppInfo Information about the application that initiated the request.
  */
 @Parcelize
-data class Fido2CredentialRequest(
+data class Fido2CreateCredentialRequest(
     val userId: String,
     val requestJson: String,
     val packageName: String,
     val signingInfo: SigningInfo,
     val origin: String?,
+    val isUserVerified: Boolean?,
 ) : Parcelable {
     val callingAppInfo: CallingAppInfo
         get() = CallingAppInfo(

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/model/Fido2CredentialAssertionRequest.kt

@@ -18,6 +18,7 @@ data class Fido2CredentialAssertionRequest(
     val packageName: String,
     val signingInfo: SigningInfo,
     val origin: String?,
+    val isUserVerified: Boolean?,
 ) : Parcelable {
     val callingAppInfo: CallingAppInfo
         get() = CallingAppInfo(packageName, signingInfo, origin)

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/model/Fido2ValidateOriginResult.kt

@@ -1,5 +1,8 @@
 package com.x8bit.bitwarden.data.autofill.fido2.model
 
+import androidx.annotation.StringRes
+import com.x8bit.bitwarden.R
+
 /**
  * Models the result of validating the origin of a FIDO2 request.
  */
@@ -7,49 +10,75 @@ sealed class Fido2ValidateOriginResult {
 
     /**
      * Represents a successful origin validation.
+     *
+     * @param origin The origin of the calling app, or null if the calling app is not privileged.
      */
-    data object Success : Fido2ValidateOriginResult()
+    data class Success(val origin: String?) : Fido2ValidateOriginResult()
 
     /**
      * Represents a validation error.
      */
     sealed class Error : Fido2ValidateOriginResult() {
+        /**
+         * The string resource ID of the error message.
+         */
+        @get:StringRes
+        abstract val messageResId: Int
 
         /**
          * Indicates the digital asset links file could not be located.
          */
-        data object AssetLinkNotFound : Error()
+        data object AssetLinkNotFound : Error() {
+            override val messageResId =
+                R.string.passkey_operation_failed_because_of_missing_asset_links
+        }
 
         /**
          * Indicates the application package name was not found in the digital asset links file.
          */
-        data object ApplicationNotFound : Error()
+        data object ApplicationNotFound : Error() {
+            override val messageResId =
+                R.string.passkey_operation_failed_because_app_not_found_in_asset_links
+        }
 
         /**
          * Indicates the application fingerprint was not found the digital asset links file.
          */
-        data object ApplicationNotVerified : Error()
+        data object ApplicationFingerprintNotVerified : Error() {
+            override val messageResId =
+                R.string.passkey_operation_failed_because_app_could_not_be_verified
+        }
 
         /**
          * Indicates the calling application is privileged but its package name is not found within
          * the privileged app allow list.
          */
-        data object PrivilegedAppNotAllowed : Error()
+        data object PrivilegedAppNotAllowed : Error() {
+            override val messageResId =
+                R.string.passkey_operation_failed_because_browser_is_not_privileged
+        }
 
         /**
          * Indicates the calling app is privileged but but no matching signing certificate signature
          * is present in the allow list.
          */
-        data object PrivilegedAppSignatureNotFound : Error()
+        data object PrivilegedAppSignatureNotFound : Error() {
+            override val messageResId =
+                R.string.passkey_operation_failed_because_browser_signature_does_not_match
+        }
 
         /**
          * Indicates passkeys are not supported for the requesting application.
          */
-        data object PasskeyNotSupportedForApp : Error()
+        data object PasskeyNotSupportedForApp : Error() {
+            override val messageResId = R.string.passkeys_not_supported_for_this_app
+        }
 
         /**
          * Indicates an unknown error was encountered while validating the origin.
          */
-        data object Unknown : Error()
+        data object Unknown : Error() {
+            override val messageResId = R.string.generic_error_message
+        }
     }
 }

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/processor/Fido2ProviderProcessorImpl.kt

@@ -1,10 +1,13 @@
 package com.x8bit.bitwarden.data.autofill.fido2.processor
 
 import android.content.Context
+import android.graphics.drawable.Icon
 import android.os.Build
 import android.os.CancellationSignal
 import android.os.OutcomeReceiver
 import androidx.annotation.RequiresApi
+import androidx.biometric.BiometricManager
+import androidx.biometric.BiometricPrompt
 import androidx.credentials.exceptions.ClearCredentialException
 import androidx.credentials.exceptions.ClearCredentialUnsupportedException
 import androidx.credentials.exceptions.CreateCredentialCancellationException
@@ -21,25 +24,35 @@ import androidx.credentials.provider.BeginCreatePublicKeyCredentialRequest
 import androidx.credentials.provider.BeginGetCredentialRequest
 import androidx.credentials.provider.BeginGetCredentialResponse
 import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
+import androidx.credentials.provider.BiometricPromptData
 import androidx.credentials.provider.CreateEntry
 import androidx.credentials.provider.CredentialEntry
 import androidx.credentials.provider.ProviderClearCredentialStateRequest
 import androidx.credentials.provider.PublicKeyCredentialEntry
 import com.bitwarden.fido.Fido2CredentialAutofillView
 import com.bitwarden.sdk.Fido2CredentialStore
+import com.bitwarden.vault.CipherView
 import com.x8bit.bitwarden.R
 import com.x8bit.bitwarden.data.auth.repository.AuthRepository
 import com.x8bit.bitwarden.data.auth.repository.model.UserState
 import com.x8bit.bitwarden.data.autofill.fido2.manager.Fido2CredentialManager
 import com.x8bit.bitwarden.data.autofill.util.isActiveWithFido2Credentials
+import com.x8bit.bitwarden.data.platform.manager.BiometricsEncryptionManager
+import com.x8bit.bitwarden.data.platform.manager.FeatureFlagManager
 import com.x8bit.bitwarden.data.platform.manager.dispatcher.DispatcherManager
+import com.x8bit.bitwarden.data.platform.manager.model.FlagKey
+import com.x8bit.bitwarden.data.platform.repository.model.DataState
+import com.x8bit.bitwarden.data.platform.repository.util.takeUntilLoaded
+import com.x8bit.bitwarden.data.platform.util.isBuildVersionBelow
 import com.x8bit.bitwarden.data.vault.repository.VaultRepository
 import com.x8bit.bitwarden.data.vault.repository.model.DecryptFido2CredentialAutofillViewResult
 import com.x8bit.bitwarden.ui.platform.manager.intent.IntentManager
 import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.flow.fold
 import kotlinx.coroutines.launch
 import java.time.Clock
 import java.util.concurrent.atomic.AtomicInteger
+import javax.crypto.Cipher
 
 private const val CREATE_PASSKEY_INTENT = "com.x8bit.bitwarden.fido2.ACTION_CREATE_PASSKEY"
 const val GET_PASSKEY_INTENT = "com.x8bit.bitwarden.fido2.ACTION_GET_PASSKEY"
@@ -49,7 +62,7 @@ const val UNLOCK_ACCOUNT_INTENT = "com.x8bit.bitwarden.fido2.ACTION_UNLOCK_ACCOU
  * The default implementation of [Fido2ProviderProcessor]. Its purpose is to handle FIDO2 related
  * processing.
  */
-@Suppress("LongParameterList")
+@Suppress("LongParameterList", "TooManyFunctions")
 @RequiresApi(Build.VERSION_CODES.S)
 class Fido2ProviderProcessorImpl(
     private val context: Context,
@@ -59,6 +72,8 @@ class Fido2ProviderProcessorImpl(
     private val fido2CredentialManager: Fido2CredentialManager,
     private val intentManager: IntentManager,
     private val clock: Clock,
+    private val biometricsEncryptionManager: BiometricsEncryptionManager,
+    private val featureFlagManager: FeatureFlagManager,
     dispatcherManager: DispatcherManager,
 ) : Fido2ProviderProcessor {
 
@@ -122,7 +137,7 @@ class Fido2ProviderProcessorImpl(
 
     private fun UserState.Account.toCreateEntry(isActive: Boolean): CreateEntry {
         val accountName = name ?: email
-        return CreateEntry
+        val entryBuilder = CreateEntry
             .Builder(
                 accountName = accountName,
                 pendingIntent = intentManager.createFido2CreationPendingIntent(
@@ -140,7 +155,16 @@ class Fido2ProviderProcessorImpl(
             // Set the last used time to "now" so the active account is the default option in the
             // system prompt.
             .setLastUsedTime(if (isActive) clock.instant() else null)
-            .build()
+            .setAutoSelectAllowed(true)
+
+        if (isVaultUnlocked &&
+            featureFlagManager.getFeatureFlag(FlagKey.SingleTapPasskeyCreation)
+        ) {
+            biometricsEncryptionManager
+                .getOrCreateCipher(userId)
+                ?.let { entryBuilder.setBiometricPromptDataIfSupported(cipher = it) }
+        }
+        return entryBuilder.build()
     }
 
     override fun processGetCredentialRequest(
@@ -223,10 +247,14 @@ class Fido2ProviderProcessorImpl(
     ): List<CredentialEntry> {
         val cipherViews = vaultRepository
             .ciphersStateFlow
-            .value
-            .data
-            ?.filter { it.isActiveWithFido2Credentials }
-            ?: emptyList()
+            .takeUntilLoaded()
+            .fold(emptyList<CipherView>()) { _, dataState ->
+                when (dataState) {
+                    is DataState.Loaded -> dataState.data.filter { it.isActiveWithFido2Credentials }
+
+                    else -> emptyList()
+                }
+            }
         val result = vaultRepository
             .getDecryptedFido2CredentialAutofillViews(cipherViews)
         return when (result) {
@@ -252,23 +280,73 @@ class Fido2ProviderProcessorImpl(
     ): List<CredentialEntry> =
         this
             .map {
-                PublicKeyCredentialEntry
+                val publicKeyEntryBuilder = PublicKeyCredentialEntry
                     .Builder(
                         context = context,
                         username = it.userNameForUi ?: context.getString(R.string.no_username),
-                        pendingIntent = intentManager
-                            .createFido2GetCredentialPendingIntent(
-                                action = GET_PASSKEY_INTENT,
-                                userId = userId,
-                                credentialId = it.credentialId.toString(),
-                                cipherId = it.cipherId,
-                                requestCode = requestCode.getAndIncrement(),
-                            ),
+                        pendingIntent = intentManager.createFido2GetCredentialPendingIntent(
+                            action = GET_PASSKEY_INTENT,
+                            userId = userId,
+                            credentialId = it.credentialId.toString(),
+                            cipherId = it.cipherId,
+                            requestCode = requestCode.getAndIncrement(),
+                        ),
                         beginGetPublicKeyCredentialOption = option,
                     )
-                    .build()
+                    .setIcon(
+                        Icon.createWithResource(
+                            context,
+                            R.drawable.ic_bw_passkey,
+                        ),
+                    )
+
+                if (featureFlagManager.getFeatureFlag(FlagKey.SingleTapPasskeyAuthentication)) {
+                    biometricsEncryptionManager
+                        .getOrCreateCipher(userId)
+                        ?.let {
+                            publicKeyEntryBuilder
+                                .setBiometricPromptDataIfSupported(cipher = it)
+                        }
+                }
+                publicKeyEntryBuilder.build()
             }
 
+    private fun PublicKeyCredentialEntry.Builder.setBiometricPromptDataIfSupported(
+        cipher: Cipher,
+    ): PublicKeyCredentialEntry.Builder {
+        return if (isBuildVersionBelow(Build.VERSION_CODES.VANILLA_ICE_CREAM)) {
+            this
+        } else {
+            setBiometricPromptData(
+                biometricPromptData = BiometricPromptData
+                    .Builder()
+                    .buildPromptDataWithCipher(cipher),
+            )
+        }
+    }
+
+    private fun CreateEntry.Builder.setBiometricPromptDataIfSupported(
+        cipher: Cipher,
+    ): CreateEntry.Builder {
+        return if (isBuildVersionBelow(Build.VERSION_CODES.VANILLA_ICE_CREAM)) {
+            this
+        } else {
+            setBiometricPromptData(
+                biometricPromptData = BiometricPromptData
+                    .Builder()
+                    .buildPromptDataWithCipher(cipher),
+            )
+        }
+    }
+
+    @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+    private fun BiometricPromptData.Builder.buildPromptDataWithCipher(
+        cipher: Cipher,
+    ): BiometricPromptData = BiometricPromptData.Builder()
+        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
+        .setCryptoObject(BiometricPrompt.CryptoObject(cipher))
+        .build()
+
     override fun processClearCredentialStateRequest(
         request: ProviderClearCredentialStateRequest,
         cancellationSignal: CancellationSignal,

app/src/main/java/com/x8bit/bitwarden/data/autofill/fido2/util/Fido2IntentUtils.kt

@@ -6,8 +6,8 @@ import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.GetPublicKeyCredentialOption
 import androidx.credentials.provider.BeginGetPublicKeyCredentialOption
 import androidx.credentials.provider.PendingIntentHandler
+import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CreateCredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialAssertionRequest
-import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2CredentialRequest
 import com.x8bit.bitwarden.data.autofill.fido2.model.Fido2GetCredentialsRequest
 import com.x8bit.bitwarden.data.platform.util.isBuildVersionBelow
 import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CIPHER_ID
@@ -15,10 +15,10 @@ import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_CREDENTIAL_ID
 import com.x8bit.bitwarden.ui.platform.manager.intent.EXTRA_KEY_USER_ID
 
 /**
- * Checks if this [Intent] contains a [Fido2CredentialRequest] related to an ongoing FIDO 2
+ * Checks if this [Intent] contains a [Fido2CreateCredentialRequest] related to an ongoing FIDO 2
  * credential creation process.
  */
-fun Intent.getFido2CredentialRequestOrNull(): Fido2CredentialRequest? {
+fun Intent.getFido2CreateCredentialRequestOrNull(): Fido2CreateCredentialRequest? {
     if (isBuildVersionBelow(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)) return null
 
     val systemRequest = PendingIntentHandler
@@ -33,12 +33,13 @@ fun Intent.getFido2CredentialRequestOrNull(): Fido2CredentialRequest? {
     val userId = getStringExtra(EXTRA_KEY_USER_ID)
         ?: return null
 
-    return Fido2CredentialRequest(
+    return Fido2CreateCredentialRequest(
         userId = userId,
         requestJson = createPublicKeyRequest.requestJson,
         packageName = systemRequest.callingAppInfo.packageName,
         signingInfo = systemRequest.callingAppInfo.signingInfo,
         origin = systemRequest.callingAppInfo.origin,
+        isUserVerified = systemRequest.biometricPromptResult?.isSuccessful ?: false,
     )
 }
 
@@ -67,6 +68,9 @@ fun Intent.getFido2AssertionRequestOrNull(): Fido2CredentialAssertionRequest? {
     val userId: String = getStringExtra(EXTRA_KEY_USER_ID)
         ?: return null
 
+    val isUserVerified = systemRequest.biometricPromptResult?.isSuccessful
+        ?: false
+
     return Fido2CredentialAssertionRequest(
         userId = userId,
         cipherId = cipherId,
@@ -76,6 +80,7 @@ fun Intent.getFido2AssertionRequestOrNull(): Fido2CredentialAssertionRequest? {
         packageName = systemRequest.callingAppInfo.packageName,
         signingInfo = systemRequest.callingAppInfo.signingInfo,
         origin = systemRequest.callingAppInfo.origin,
+        isUserVerified = isUserVerified,
     )
 }
 

app/src/main/java/com/x8bit/bitwarden/data/autofill/manager/AutofillActivityManagerImpl.kt

@@ -2,7 +2,7 @@ package com.x8bit.bitwarden.data.autofill.manager
 
 import android.view.autofill.AutofillManager
 import androidx.lifecycle.LifecycleCoroutineScope
-import com.x8bit.bitwarden.data.platform.manager.AppForegroundManager
+import com.x8bit.bitwarden.data.platform.manager.AppStateManager
 import kotlinx.coroutines.flow.launchIn
 import kotlinx.coroutines.flow.onEach
 
@@ -12,7 +12,7 @@ import kotlinx.coroutines.flow.onEach
 class AutofillActivityManagerImpl(
     private val autofillManager: AutofillManager,
     private val autofillEnabledManager: AutofillEnabledManager,
-    appForegroundManager: AppForegroundManager,
+    appStateManager: AppStateManager,
     lifecycleScope: LifecycleCoroutineScope,
 ) : AutofillActivityManager {
     private val isAutofillEnabledAndSupported: Boolean
@@ -21,7 +21,7 @@ class AutofillActivityManagerImpl(
             autofillManager.isAutofillSupported
 
     init {
-        appForegroundManager
+        appStateManager
             .appForegroundStateFlow
             .onEach { autofillEnabledManager.isAutofillEnabled = isAutofillEnabledAndSupported }
             .launchIn(lifecycleScope)

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/AutofillIntentUtils.kt

@@ -2,6 +2,7 @@
 
 package com.x8bit.bitwarden.data.autofill.util
 
+import android.app.Activity
 import android.app.PendingIntent
 import android.app.assist.AssistStructure
 import android.content.Context
@@ -38,7 +39,7 @@ fun createAutofillSelectionIntent(
         .apply {
             // This helps prevent a crash when using the accessibility framework
             if (framework == AutofillSelectionData.Framework.ACCESSIBILITY) {
-                setFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+                setFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_REORDER_TO_FRONT)
             }
             putExtra(
                 AUTOFILL_BUNDLE_KEY,
@@ -147,3 +148,12 @@ fun Intent.getAutofillSelectionDataOrNull(): AutofillSelectionData? =
 fun Intent.getTotpCopyIntentOrNull(): AutofillTotpCopyData? =
     getBundleExtra(AUTOFILL_BUNDLE_KEY)
         ?.getSafeParcelableExtra(AUTOFILL_TOTP_COPY_DATA_KEY)
+
+/**
+ * Checks if the given [Activity] was created for Autofill. This is useful to avoid locking the
+ * vault if one of the Autofill services starts the only instance of the [MainActivity].
+ */
+val Activity.createdForAutofill: Boolean
+    get() = intent.getAutofillSelectionDataOrNull() != null ||
+        intent.getAutofillSaveItemOrNull() != null ||
+        intent.getAutofillAssistStructureOrNull() != null

app/src/main/java/com/x8bit/bitwarden/data/autofill/util/AutofillRequestExtensions.kt

@@ -24,7 +24,6 @@ fun AutofillRequest.Fillable.toAutofillSaveItem(): AutofillSaveItem =
                 .uri
                 ?.replace("https://", "")
                 ?.replace("http://", "")
-                ?.replace("androidapp://", "")
 
             AutofillSaveItem.Login(
                 username = partition.usernameSaveValue,

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSource.kt

@@ -18,6 +18,11 @@ interface SettingsDiskSource {
      */
     var appLanguage: AppLanguage?
 
+    /**
+     * Emits updates that track [AppLanguage].
+     */
+    val appLanguageFlow: Flow<AppLanguage?>
+
     /**
      * Has the initial autofill dialog been shown to the user.
      */
@@ -68,12 +73,6 @@ interface SettingsDiskSource {
      */
     val hasUserLoggedInOrCreatedAccountFlow: Flow<Boolean?>
 
-    /**
-     * The instant when the last database scheme change was applied. `null` if no scheme changes
-     * have been applied yet.
-     */
-    var lastDatabaseSchemeChangeInstant: Instant?
-
     /**
      * Clears all the settings data for the given user.
      */
@@ -298,4 +297,68 @@ interface SettingsDiskSource {
      * Emits updates that track [getShowUnlockSettingBadge] for the given [userId].
      */
     fun getShowUnlockSettingBadgeFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Gets whether or not the given [userId] has signalled they want to import logins later.
+     */
+    fun getShowImportLoginsSettingBadge(userId: String): Boolean?
+
+    /**
+     * Stores the given value for whether or not the given [userId] has signalled they want to
+     * set import logins later, during first time usage.
+     */
+    fun storeShowImportLoginsSettingBadge(userId: String, showBadge: Boolean?)
+
+    /**
+     * Emits updates that track [getShowImportLoginsSettingBadge] for the given [userId].
+     */
+    fun getShowImportLoginsSettingBadgeFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Gets whether or not the given [userId] has registered for export via the credential exchange
+     * protocol.
+     */
+    fun getVaultRegisteredForExport(userId: String): Boolean?
+
+    /**
+     * Stores the given value for whether or not the given [userId] has registered for export via
+     * the credential exchange protocol.
+     */
+    fun storeVaultRegisteredForExport(userId: String, isRegistered: Boolean?)
+
+    /**
+     * Emits updates that track [getVaultRegisteredForExport] for the given [userId].
+     */
+    fun getVaultRegisteredForExportFlow(userId: String): Flow<Boolean?>
+
+    /**
+     * Gets the number of qualifying add cipher actions for the device.
+     */
+    fun getAddCipherActionCount(): Int?
+
+    /**
+     * Stores the given [count] completed "add" cipher actions taken place on the device.
+     */
+    fun storeAddCipherActionCount(count: Int?)
+
+    /**
+     * Gets the number of qualifying generated result actions for the device.
+     */
+    fun getGeneratedResultActionCount(): Int?
+
+    /**
+     * Stores the given [count] completed generated password or username result actions taken
+     * for the device.
+     */
+    fun storeGeneratedResultActionCount(count: Int?)
+
+    /**
+     * Gets the number of qualifying create send actions for the device.
+     */
+    fun getCreateSendActionCount(): Int?
+
+    /**
+     * Stores the given [count] completed create send actions for the device.
+     */
+    fun storeCreateSendActionCount(count: Int?)
 }

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/SettingsDiskSourceImpl.kt

@@ -10,7 +10,6 @@ import com.x8bit.bitwarden.ui.platform.feature.settings.appearance.model.AppThem
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.onSubscription
-import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import java.time.Instant
 
@@ -35,7 +34,11 @@ private const val INITIAL_AUTOFILL_DIALOG_SHOWN = "addSitePromptShown"
 private const val HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY = "hasUserLoggedInOrCreatedAccount"
 private const val SHOW_AUTOFILL_SETTING_BADGE = "showAutofillSettingBadge"
 private const val SHOW_UNLOCK_SETTING_BADGE = "showUnlockSettingBadge"
-private const val LAST_SCHEME_CHANGE_INSTANT = "lastDatabaseSchemeChangeInstant"
+private const val SHOW_IMPORT_LOGINS_SETTING_BADGE = "showImportLoginsSettingBadge"
+private const val IS_VAULT_REGISTERED_FOR_EXPORT = "isVaultRegisteredForExport"
+private const val ADD_ACTION_COUNT = "addActionCount"
+private const val COPY_ACTION_COUNT = "copyActionCount"
+private const val CREATE_ACTION_COUNT = "createActionCount"
 
 /**
  * Primary implementation of [SettingsDiskSource].
@@ -46,6 +49,7 @@ class SettingsDiskSourceImpl(
     private val json: Json,
 ) : BaseDiskSource(sharedPreferences = sharedPreferences),
     SettingsDiskSource {
+    private val mutableAppLanguageFlow = bufferedMutableSharedFlow<AppLanguage?>(replay = 1)
     private val mutableAppThemeFlow = bufferedMutableSharedFlow<AppTheme>(replay = 1)
 
     private val mutableLastSyncFlowMap = mutableMapOf<String, MutableSharedFlow<Instant?>>()
@@ -65,6 +69,9 @@ class SettingsDiskSourceImpl(
     private val mutableShowUnlockSettingBadgeFlowMap =
         mutableMapOf<String, MutableSharedFlow<Boolean?>>()
 
+    private val mutableShowImportLoginsSettingBadgeFlowMap =
+        mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+
     private val mutableIsIconLoadingDisabledFlow = bufferedMutableSharedFlow<Boolean?>()
 
     private val mutableIsCrashLoggingEnabledFlow = bufferedMutableSharedFlow<Boolean?>()
@@ -74,6 +81,9 @@ class SettingsDiskSourceImpl(
     private val mutableScreenCaptureAllowedFlowMap =
         mutableMapOf<String, MutableSharedFlow<Boolean?>>()
 
+    private val mutableVaultRegisteredForExportFlow =
+        mutableMapOf<String, MutableSharedFlow<Boolean?>>()
+
     override var appLanguage: AppLanguage?
         get() = getString(key = APP_LANGUAGE_KEY)
             ?.let { storedValue ->
@@ -84,8 +94,12 @@ class SettingsDiskSourceImpl(
                 key = APP_LANGUAGE_KEY,
                 value = value?.localeName,
             )
+            mutableAppLanguageFlow.tryEmit(value)
         }
 
+    override val appLanguageFlow: Flow<AppLanguage?>
+        get() = mutableAppLanguageFlow.onSubscription { emit(appLanguage) }
+
     override var initialAutofillDialogShown: Boolean?
         get() = getBoolean(key = INITIAL_AUTOFILL_DIALOG_SHOWN)
         set(value) {
@@ -152,10 +166,6 @@ class SettingsDiskSourceImpl(
         get() = mutableHasUserLoggedInOrCreatedAccountFlow
             .onSubscription { emit(getBoolean(HAS_USER_LOGGED_IN_OR_CREATED_AN_ACCOUNT_KEY)) }
 
-    override var lastDatabaseSchemeChangeInstant: Instant?
-        get() = getLong(LAST_SCHEME_CHANGE_INSTANT)?.let { Instant.ofEpochMilli(it) }
-        set(value) = putLong(LAST_SCHEME_CHANGE_INSTANT, value?.toEpochMilli())
-
     override fun clearData(userId: String) {
         storeVaultTimeoutInMinutes(userId = userId, vaultTimeoutInMinutes = null)
         storeVaultTimeoutAction(userId = userId, vaultTimeoutAction = null)
@@ -168,6 +178,7 @@ class SettingsDiskSourceImpl(
         storeLastSyncTime(userId = userId, lastSyncTime = null)
         storeClearClipboardFrequencySeconds(userId = userId, frequency = null)
         removeWithPrefix(prefix = ACCOUNT_BIOMETRIC_INTEGRITY_VALID_KEY.appendIdentifier(userId))
+        storeVaultRegisteredForExport(userId = userId, isRegistered = null)
 
         // The following are intentionally not cleared so they can be
         // restored after logging out and back in:
@@ -412,6 +423,69 @@ class SettingsDiskSourceImpl(
         getMutableShowUnlockSettingBadgeFlow(userId = userId)
             .onSubscription { emit(getShowUnlockSettingBadge(userId)) }
 
+    override fun getShowImportLoginsSettingBadge(userId: String): Boolean? {
+        return getBoolean(
+            key = SHOW_IMPORT_LOGINS_SETTING_BADGE.appendIdentifier(userId),
+        )
+    }
+
+    override fun storeShowImportLoginsSettingBadge(userId: String, showBadge: Boolean?) {
+        putBoolean(
+            key = SHOW_IMPORT_LOGINS_SETTING_BADGE.appendIdentifier(userId),
+            showBadge,
+        )
+        getMutableShowImportLoginsSettingBadgeFlow(userId).tryEmit(showBadge)
+    }
+
+    override fun getShowImportLoginsSettingBadgeFlow(userId: String): Flow<Boolean?> =
+        getMutableShowImportLoginsSettingBadgeFlow(userId)
+            .onSubscription { emit(getShowImportLoginsSettingBadge(userId)) }
+
+    override fun getVaultRegisteredForExport(userId: String): Boolean? =
+        getBoolean(IS_VAULT_REGISTERED_FOR_EXPORT.appendIdentifier(userId))
+
+    override fun storeVaultRegisteredForExport(userId: String, isRegistered: Boolean?) {
+        putBoolean(IS_VAULT_REGISTERED_FOR_EXPORT.appendIdentifier(userId), isRegistered)
+        getMutableVaultRegisteredForExportFlow(userId).tryEmit(isRegistered)
+    }
+
+    override fun getVaultRegisteredForExportFlow(userId: String): Flow<Boolean?> =
+        getMutableVaultRegisteredForExportFlow(userId)
+            .onSubscription { emit(getVaultRegisteredForExport(userId)) }
+
+    override fun getAddCipherActionCount(): Int? = getInt(
+        key = ADD_ACTION_COUNT,
+    )
+
+    override fun storeAddCipherActionCount(count: Int?) {
+        putInt(
+            key = ADD_ACTION_COUNT,
+            value = count,
+        )
+    }
+
+    override fun getGeneratedResultActionCount(): Int? = getInt(
+        key = COPY_ACTION_COUNT,
+    )
+
+    override fun storeGeneratedResultActionCount(count: Int?) {
+        putInt(
+            key = COPY_ACTION_COUNT,
+            value = count,
+        )
+    }
+
+    override fun getCreateSendActionCount(): Int? = getInt(
+        key = CREATE_ACTION_COUNT,
+    )
+
+    override fun storeCreateSendActionCount(count: Int?) {
+        putInt(
+            key = CREATE_ACTION_COUNT,
+            value = count,
+        )
+    }
+
     private fun getMutableLastSyncFlow(
         userId: String,
     ): MutableSharedFlow<Instant?> =
@@ -455,4 +529,17 @@ class SettingsDiskSourceImpl(
         mutableShowUnlockSettingBadgeFlowMap.getOrPut(userId) {
             bufferedMutableSharedFlow(replay = 1)
         }
+
+    private fun getMutableShowImportLoginsSettingBadgeFlow(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> =
+        mutableShowImportLoginsSettingBadgeFlowMap.getOrPut(userId) {
+            bufferedMutableSharedFlow(replay = 1)
+        }
+
+    private fun getMutableVaultRegisteredForExportFlow(
+        userId: String,
+    ): MutableSharedFlow<Boolean?> = mutableVaultRegisteredForExportFlow.getOrPut(userId) {
+        bufferedMutableSharedFlow(replay = 1)
+    }
 }