[PM-28513] Fix biometrics unlock when pin is enabled on browser

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-28513

📔 Objective

The order of dependency creation was wrong. This leads to an error being thrown when setPin is called from the background context when using biometric unlock. This breaks biometric unlock when also having a PIN enabled on browser.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @quexten's task —— View job

---

Code Review Complete ✓

Summary

This PR fixes a critical initialization order bug that breaks biometric unlock when PIN is also enabled. The fix correctly reorders service instantiation to ensure sdkService is created before pinService and biometricsService.

Analysis

Root Cause: The dependency chain biometricsService → pinService → sdkService was violated in the constructor:

• pinService was instantiated at line 729 (apps/browser/src/background/main.background.ts:729)
• sdkService wasn't created until line 817 (apps/browser/src/background/main.background.ts:817)
• When biometric unlock called pinService.setPin() → sdkService.userClient$(), it failed with undefined

The Fix: Moves pinService and biometricsService initialization to lines 831-851, after sdkService creation at line 817.

Findings

No major issues found. The fix correctly resolves the dependency order problem.

Finding 1: Consider adding dependency validation (💭)

While this fix resolves the immediate issue, the codebase is susceptible to similar initialization order bugs. The constructor is ~1500 lines with dozens of interdependent services.

Potential improvements (future work, not blocking):

• Add runtime assertions in service constructors to validate critical dependencies aren't undefined
• Document the dependency graph to make the ordering requirements explicit
• Consider a dependency injection framework that handles initialization order automatically

Example assertion in PinService constructor:

constructor(private sdkService: SdkService, /* ... */) {
  if (!sdkService) {
    throw new Error("PinService requires sdkService to be initialized");
  }
}

This is a broader architectural consideration, not a requirement for this PR.

Verification

✓ The reordering maintains all existing dependencies
✓ No other services between the old and new positions depend on pinService or biometricsService
✓ The fix is minimal and focused on the reported issue
✓ No test changes needed - this fixes a runtime initialization bug

---

[github-actions]

Checkmarx One – Scan Summary & Details – 42e2bbdb-dbc9-4d53-8733-50fe372cce09

Great job! No new security vulnerabilities introduced in this pull request