From 30365797cb6ba3644f857dbd9541a7c29bf7df41 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Tue, 16 Dec 2025 10:57:37 +0100
Subject: [PATCH] Fix master key not being set to state after kdf update
---
 .../src/services/jslib-services.module.ts | 4 ++--
 .../key-management/kdf/change-kdf.service.ts | 20 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/libs/angular/src/services/jslib-services.module.ts b/libs/angular/src/services/jslib-services.module.ts
index 816e09fd45d..6881862615d 100644
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -528,7 +528,7 @@ const safeProviders: SafeProvider[] = [
 safeProvider({
 provide: ChangeKdfService,
 useClass: DefaultChangeKdfService,
- deps: [ChangeKdfApiService, SdkService],
+ deps: [ChangeKdfApiService, SdkService, KeyService, InternalMasterPasswordServiceAbstraction],
 }),
 safeProvider({
 provide: EncryptedMigrator,
@@ -1333,7 +1333,7 @@ const safeProviders: SafeProvider[] = [
 safeProvider({
 provide: ChangeKdfService,
 useClass: DefaultChangeKdfService,
- deps: [ChangeKdfApiService, SdkService],
+ deps: [ChangeKdfApiService, SdkService, KeyService, InternalMasterPasswordServiceAbstraction],
 }),
 safeProvider({
 provide: AuthRequestServiceAbstraction,
diff --git a/libs/common/src/key-management/kdf/change-kdf.service.ts b/libs/common/src/key-management/kdf/change-kdf.service.ts
index 89d97e6704f..5b8d86e57a9 100644
--- a/libs/common/src/key-management/kdf/change-kdf.service.ts
+++ b/libs/common/src/key-management/kdf/change-kdf.service.ts
@@ -1,12 +1,14 @@
 import { firstValueFrom, map } from "rxjs";
 import { assertNonNullish } from "@bitwarden/common/auth/utils";
+import { HashPurpose } from "@bitwarden/common/platform/enums";
 import { UserId } from "@bitwarden/common/types/guid";
 // eslint-disable-next-line no-restricted-imports
-import { KdfConfig } from "@bitwarden/key-management";
+import { KdfConfig, KeyService } from "@bitwarden/key-management";
 import { KdfRequest } from "../../models/request/kdf.request";
 import { SdkService } from "../../platform/abstractions/sdk/sdk.service";
+import { InternalMasterPasswordServiceAbstraction } from "../master-password/abstractions/master-password.service.abstraction";
 import {
 fromSdkAuthenticationData,
 MasterPasswordAuthenticationData,
@@ -20,6 +22,8 @@ export class DefaultChangeKdfService implements ChangeKdfService {
 constructor(
 private changeKdfApiService: ChangeKdfApiService,
 private sdkService: SdkService,
+ private keyService: KeyService,
+ private masterPasswordService: InternalMasterPasswordServiceAbstraction,
 ) {}
 async updateUserKdfParams(masterPassword: string, kdf: KdfConfig, userId: UserId): Promise {
@@ -56,5 +60,19 @@ export class DefaultChangeKdfService implements ChangeKdfService {
 const request = new KdfRequest(authenticationData, unlockData);
 request.authenticateWith(oldAuthenticationData);
 await this.changeKdfApiService.updateUserKdfParams(request);
+
+ // Update the locally stored master key and hash, so that UV, etc. still works
+ const masterKey = await this.keyService.makeMasterKey(
+ masterPassword,
+ unlockData.salt,
+ unlockData.kdf,
+ );
+ const serverMasterKeyHash = await this.keyService.hashMasterKey(
+ masterPassword,
+ masterKey,
+ HashPurpose.ServerAuthorization,
+ );
+ await this.masterPasswordService.setMasterKeyHash(serverMasterKeyHash, userId);
+ await this.masterPasswordService.setMasterKey(masterKey, userId);
 }
 }
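Review bot: The hash passed to `setMasterKeyHash` at the end of the last hunk is derived with `HashPurpose.ServerAuthorization`, so the value kept in local state is the same one that authenticates to the server. If the local store is meant to hold the local-verification hash, pass `HashPurpose.LocalAuthorization,` instead and rename `serverMasterKeyHash` accordingly; this is worth confirming against what the login path stores. Separately, `makeMasterKey` and `hashMasterKey` run only after `updateUserKdfParams(request)` has committed on the server, so a failure in either leaves the old key and hash in state and rejects a call whose server-side change already succeeded. Both derivations depend only on `masterPassword` and `unlockData`, so they can be computed before the request, with only the two `set…` calls kept after it. The body of `updateUserKdfParams` begins outside this hunk, so how `unlockData` is built is not visible here.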