
[PM-2199] Implement userkey rotation for all TDE devices (#13576)

* Implement key rotation v2

* Pass through master password hint

* Properly split old and new code

* Mark legacy rotation as deprecated

* Throw when data is null

* Cleanup

* Add tests

* Fix build

* Update libs/key-management/src/key.service.spec.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update apps/web/src/app/auth/settings/change-password.component.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Add documentation

* Centralize loading logic

* Add proof-of-concept for tde rotation

* Fix build

* Only include trusted devices in rotation request

* Undo featureflag change

* Fix tests

* Prettier format

* Fix build

* Undo changes to migrate legacy component

* Address feedback & add tests

---------

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
This commit is contained in:
Bernd Schoolmann
2025-03-31 18:16:11 +02:00
committed by GitHub
parent 753875219a
commit 6849d3aa98
9 changed files with 164 additions and 30 deletions


@@ -1,4 +1,5 @@
import { OrganizationUserResetPasswordWithIdRequest } from "@bitwarden/admin-console/common";
import { DeviceKeysUpdateRequest } from "@bitwarden/common/auth/models/request/update-devices-trust.request";
import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request";
import { EmergencyAccessWithIdRequest } from "../../../auth/emergency-access/request/emergency-access-update.request";
@@ -11,16 +12,19 @@ export class UnlockDataRequest {
emergencyAccessUnlockData: EmergencyAccessWithIdRequest[];
organizationAccountRecoveryUnlockData: OrganizationUserResetPasswordWithIdRequest[];
passkeyUnlockData: WebauthnRotateCredentialRequest[];
deviceKeyUnlockData: DeviceKeysUpdateRequest[];
constructor(
masterPasswordUnlockData: MasterPasswordUnlockDataRequest,
emergencyAccessUnlockData: EmergencyAccessWithIdRequest[],
organizationAccountRecoveryUnlockData: OrganizationUserResetPasswordWithIdRequest[],
passkeyUnlockData: WebauthnRotateCredentialRequest[],
deviceTrustUnlockData: DeviceKeysUpdateRequest[],
) {
this.masterPasswordUnlockData = masterPasswordUnlockData;
this.emergencyAccessUnlockData = emergencyAccessUnlockData;
this.organizationAccountRecoveryUnlockData = organizationAccountRecoveryUnlockData;
this.passkeyUnlockData = passkeyUnlockData;
this.deviceKeyUnlockData = deviceTrustUnlockData;
}
}
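Review bot: The constructor parameter added in this hunk is named `deviceTrustUnlockData` while the field it populates — and therefore the JSON property the server receives — is `deviceKeyUnlockData`; the mismatch is a wiring hazard the next time a field is added to this request, so I'd align the parameter with the field: `deviceKeyUnlockData: DeviceKeysUpdateRequest[],` and `this.deviceKeyUnlockData = deviceKeyUnlockData;`. The new field also has no documentation, and this request is the contract under which the server accepts a rotated key; a one-line TSDoc such as `/** Re-encryptions of the new user key for each trusted device; presumably one entry per trusted device per the commit message — confirm against the server-side validation. */` would tell a reader what completeness means here. Nothing in the hunk validates that the arrays are non-null despite the "Throw when data is null" item in the description, so that check presumably lives in the caller; worth confirming. The class header `export class UnlockDataRequest {` is outside the visible hunk lines.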


@@ -180,11 +180,19 @@ export class UserKeyRotationService {
newUnencryptedUserKey,
user.id,
);
const trustedDeviceUnlockData = await this.deviceTrustService.getRotatedData(
originalUserKey,
newUnencryptedUserKey,
user.id,
);
const unlockDataRequest = new UnlockDataRequest(
masterPasswordUnlockData,
emergencyAccessUnlockData,
organizationAccountRecoveryUnlockData,
passkeyUnlockData,
trustedDeviceUnlockData,
);
const request = new RotateUserAccountKeysRequest(
@@ -198,14 +206,6 @@ export class UserKeyRotationService {
await this.apiService.postUserKeyUpdateV2(request);
this.logService.info("[Userkey rotation] Userkey rotation request posted to server");
// TODO PM-2199: Add device trust rotation support to the user key rotation endpoint
this.logService.info("[Userkey rotation] Rotating device trust...");
await this.deviceTrustService.rotateDevicesTrust(
user.id,
newUnencryptedUserKey,
newMasterKeyAuthenticationHash,
);
this.logService.info("[Userkey rotation] Device trust rotation completed");
this.toastService.showToast({
variant: "success",
title: this.i18nService.t("rotationCompletedTitle"),
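Review bot: The device-trust data is now gathered with `getRotatedData` before the post, but nothing in the hunk records how many trusted devices were included, which is what an operator needs when a device later cannot unlock: per the commit message only trusted devices are included, so any device left out will still hold a user key encrypted under the retired key and will need to be re-trusted. I'd log the count next to the existing info message: `this.logService.info(\`[Userkey rotation] Including ${trustedDeviceUnlockData.length} trusted device(s) in rotation request\`);`. It is also worth confirming (not visible from the hunk) that `getRotatedData` throws rather than returning a partial array when a device's keys cannot be decrypted with `originalUserKey`, since the removed post-hoc `rotateDevicesTrust` step no longer exists to catch that case and the success toast fires straight after the post. The enclosing method starts and ends outside the hunk.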