[PM-15333] Portable Desktop Fix

[justindbaur]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-15333

Fixes #12141

📔 Objective

We need to support someone using the portable Bitwarden app using and signing in on one account then transporting the executable and data files to another computer and unlocking there. Right now we can't do that because we store the access token and refresh token in Credential Manager which is not portable to the new computer.

The one problem with this fix is that people who are using the portable app right now on a single computer have their access token in Credential Manager and after this change the app will be told secure store isn't supported and won't even look there thinking they don't have an access token and they will need to fully login again. @JaredSnider-Bitwarden and I will need to discuss this and maybe we want TokenService to still look there when it's not supported, but I don't love that.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 63.33333% with 22 lines in your changes missing coverage. Please review.

Project coverage is 35.10%. Comparing base (0974838) to head (7d7ad9f).
Report is 47 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...mon/src/platform/storage/secure-storage.service.ts	0.00%	6 Missing ⚠️
apps/desktop/src/app/services/services.module.ts	0.00%	5 Missing ⚠️
apps/browser/src/popup/services/services.module.ts	0.00%	3 Missing ⚠️
...atform/services/portable-secure-storage.service.ts	0.00%	3 Missing ⚠️
apps/browser/src/background/main.background.ts	0.00%	2 Missing ⚠️
...atform/services/electron-platform-utils.service.ts	0.00%	1 Missing ⚠️
libs/angular/src/services/jslib-services.module.ts	0.00%	1 Missing ⚠️
libs/common/src/auth/services/token.service.ts	97.14%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12586      +/-   ##
==========================================
- Coverage   35.15%   35.10%   -0.05%     
==========================================
  Files        2984     3002      +18     
  Lines       90539    91359     +820     
  Branches    16947    17100     +153     
==========================================
+ Hits        31827    32074     +247     
- Misses      56251    56780     +529     
- Partials     2461     2505      +44     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – 0e925a17-38d9-4279-b19e-5a19fc7c4abd

New Issues (40)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-12692	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12694	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12695	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11112	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11113	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11114	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11115	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11395	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12053	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12381	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12382	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-12693	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0291	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0434	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0436	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0437	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0438	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0443	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0447	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11110	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11111	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11116	Npm-electron-33.3.1	Vulnerable Package
	CVE-2024-11117	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0435	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0439	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0440	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0441	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0442	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0446	Npm-electron-33.3.1	Vulnerable Package
	CVE-2025-0448	Npm-electron-33.3.1	Vulnerable Package
	Client_Privacy_Violation	/libs/angular/src/admin-console/components/collections.component.ts: 36	details Method at line 36 of /libs/angular/src/admin-console/components/collections.component.ts sends user information outside the application. This may ... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 119	details Method at line 119 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application. This may constitute... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 286	details Method load at line 286 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application. This may consti... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 780	details Method loadAddEditCipherInfo at line 780 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application... Attack Vector
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault-v2/attachments/open-attachments/open-attachments.component.ts: 50	details Method OpenAttachmentsComponent at line 50 of /apps/browser/src/vault/popup/components/vault-v2/attachments/open-attachments/open-attachments.compo... Attack Vector
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault-v2/attachments/open-attachments/open-attachments.component.ts: 50	details Method at line 50 of /apps/browser/src/vault/popup/components/vault-v2/attachments/open-attachments/open-attachments.component.ts sends user infor... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 70	details Method at line 70 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application. This may constitute ... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 278	details Method load at line 278 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application. This may consti... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 776	details Method loadAddEditCipherInfo at line 776 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application... Attack Vector
	Client_Privacy_Violation	/libs/angular/src/vault/components/add-edit.component.ts: 281	details Method load at line 281 of /libs/angular/src/vault/components/add-edit.component.ts sends user information outside the application. This may consti... Attack Vector