[PM-19300] Session timeout policy

[mzieniukbw]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-19300

📔 Objective

Implements new Session Timeout Policy, which replaces current Vault Timeout Policy.
Key changes:

• Renamed to Session Timeout
• Moved the policy to Key Management ownership
• Can now set "maximum allowed timeout" to "Immediately", "Custom", "On system lock", "On app restart" and "Never"
  • When changing to "Custom":
    • Hours and Minutes fields shows up in the form, both are required.
    • Defaults to 8 hours 0 minutes
    • Clicking "Save" when "maximum allowed timeout" is not selected or hours and minutes are 0 results in validation error.
  • The "Never" and "On system lock" have a confirmation dialog, before changing to new value. When not confirmed, we switch to the previously selected value.
  • When policy have never been saved in organization, we defaults to not selected. It is required field, but does not show error and does not grey out the "Save" button, until it's clicked once.
  • For backwards compatibility, when policy have been saved at least once before (hence, it will have minutes set in policy), it will set the "maximum allowed timeout" to "Custom".

📸 Screenshots

Video:

2025-10-09.13-51-11.mp4

Screenshots:

Policy in the Policies list:

Policy dialog, when no values have ever been saved. Max allowed timeout dropdown default to not selected:

Policy dialog error, when no values have ever been saved, the max allowed timeout dropdown is not selected, Save button is clicked, shows validation error:

Custom selected:

Non-custom selected:

Never dialog confirmation:

System lock dialog confirmation:

Max allowed timeout dropdown:

Session timeout action dropdown:

Custom validation error when fields are empty:

and

and

Custom validation error toast when both hours and minutes are 0:

Policy saved:

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

❌ Patch coverage is 87.34177% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.91%. Comparing base (60aaa39) to head (21e0958).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...y-management/policies/session-timeout.component.ts	87.50%	4 Missing and 5 partials ⚠️
...app/admin-console/policies/policy-edit-register.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16583      +/-   ##
==========================================
+ Coverage   38.86%   38.91%   +0.05%     
==========================================
  Files        3419     3420       +1     
  Lines       97259    97307      +48     
  Branches    14611    14619       +8     
==========================================
+ Hits        37802    37871      +69     
+ Misses      57798    57772      -26     
- Partials     1659     1664       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – e14db322-7be9-4e77-b534-cf3e2da180b7

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-10501	Npm-electron-38.2.0	details Recommended version: 38.2.1 Description: Use After Free in WebRTC in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HT... Attack Vector: NETWORK Attack Complexity: LOW ID: 8wBe%2B3c20%2BlAU%2By16HrOFSxdpeVL3ZlcnoZkauIVA5A%3D Vulnerable Package
	CVE-2025-10502	Npm-electron-38.2.0	details Recommended version: 38.2.1 Description: Heap Buffer Overflow in 'ANGLE' in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malic... Attack Vector: NETWORK Attack Complexity: LOW ID: d8p9b6EfBacmGBE3ytzElQDyzEHrwlg9ngcEHDwxbtM%3D Vulnerable Package

[Thomas-Avery]

Looking good, a few things to look at from me.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mzieniukbw]

❓ To reviewers, do we want to update the naming of the PolicyType enum too in this PR ?

[Thomas-Avery]

I'm okay with leaving it as is but will defer to @BTreston since it is AC code.