[PM-18026] Implement forced, automatic KDF upgrades (#15937)

* Implement automatic kdf upgrades * Fix kdf config not being updated * Update legacy kdf state on master password unlock sync * Fix cli build * Fix * Deduplicate prompts * Fix dismiss time * Fix default kdf setting * Fix build * Undo changes * Fix test * Fix prettier * Fix test * Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Only sync when there is at least one migration * Relative imports * Add tech debt comment * Resolve inconsistent prefix * Clean up * Update docs * Use default PBKDF2 iteratinos instead of custom threshold * Undo type check * Fix build * Add comment * Cleanup * Cleanup * Address component feedback * Use isnullorwhitespace * Fix tests * Allow migration only on vault * Fix tests * Run prettier * Fix tests * Prevent await race condition * Fix min and default values in kdf migration * Run sync only when a migration was run * Update libs/common/src/key-management/encrypted-migrator/default-encrypted-migrator.ts Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> * Fix link not being blue * Fix later button on browser --------- Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
2025-12-18 17:23:37 +00:00 · 2025-12-03 19:04:18 +01:00
parent 6ae096485a
commit 6e2203d6d4
48 changed files with 1471 additions and 31 deletions
--- a/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts
+++ b/libs/angular/src/auth/login-via-webauthn/login-via-webauthn.component.ts
@@ -120,7 +120,7 @@ export class LoginViaWebAuthnComponent implements OnInit {
      // Only run loginSuccessHandlerService if webAuthn is used for vault decryption.
      const userKey = await firstValueFrom(this.keyService.userKey$(authResult.userId));
      if (userKey) {
-        await this.loginSuccessHandlerService.run(authResult.userId);
+        await this.loginSuccessHandlerService.run(authResult.userId, null);
      }

      await this.router.navigate([this.successRoute]);
--- a/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.abstraction.ts
+++ b/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.abstraction.ts
@@ -0,0 +1,9 @@
+import { UserId } from "@bitwarden/common/types/guid";
+
+export abstract class EncryptedMigrationsSchedulerService {
+  /**
+   * Runs migrations for a user if needed, handling both interactive and non-interactive cases
+   * @param userId The user ID to run migrations for
+   */
+  abstract runMigrationsIfNeeded(userId: UserId): Promise<void>;
+}
--- a/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.spec.ts
+++ b/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.spec.ts
@@ -0,0 +1,270 @@
+import { Router } from "@angular/router";
+import { mock } from "jest-mock-extended";
+import { of } from "rxjs";
+
+import { AccountInfo } from "@bitwarden/common/auth/abstractions/account.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { SingleUserState, StateProvider } from "@bitwarden/common/platform/state";
+import { SyncService } from "@bitwarden/common/platform/sync";
+import { FakeAccountService } from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+
+import {
+  DefaultEncryptedMigrationsSchedulerService,
+  ENCRYPTED_MIGRATION_DISMISSED,
+} from "./encrypted-migrations-scheduler.service";
+import { PromptMigrationPasswordComponent } from "./prompt-migration-password.component";
+
+const SomeUser = "SomeUser" as UserId;
+const AnotherUser = "SomeOtherUser" as UserId;
+const accounts: Record<UserId, AccountInfo> = {
+  [SomeUser]: {
+    name: "some user",
+    email: "some.user@example.com",
+    emailVerified: true,
+  },
+  [AnotherUser]: {
+    name: "some other user",
+    email: "some.other.user@example.com",
+    emailVerified: true,
+  },
+};
+
+describe("DefaultEncryptedMigrationsSchedulerService", () => {
+  let service: DefaultEncryptedMigrationsSchedulerService;
+  const mockAccountService = new FakeAccountService(accounts);
+  const mockAuthService = mock<AuthService>();
+  const mockEncryptedMigrator = mock<EncryptedMigrator>();
+  const mockStateProvider = mock<StateProvider>();
+  const mockSyncService = mock<SyncService>();
+  const mockDialogService = mock<DialogService>();
+  const mockToastService = mock<ToastService>();
+  const mockI18nService = mock<I18nService>();
+  const mockLogService = mock<LogService>();
+  const mockRouter = mock<Router>();
+
+  const mockUserId = "test-user-id" as UserId;
+  const mockMasterPassword = "test-master-password";
+
+  const createMockUserState = <T>(value: T): jest.Mocked<SingleUserState<T>> =>
+    ({
+      state$: of(value),
+      userId: mockUserId,
+      update: jest.fn(),
+      combinedState$: of([mockUserId, value]),
+    }) as any;
+
+  beforeEach(() => {
+    const mockDialogRef = {
+      closed: of(mockMasterPassword),
+    };
+
+    jest.spyOn(PromptMigrationPasswordComponent, "open").mockReturnValue(mockDialogRef as any);
+    mockI18nService.t.mockReturnValue("translated_migrationsFailed");
+    (mockRouter as any)["events"] = of({ url: "/vault" }) as any;
+
+    service = new DefaultEncryptedMigrationsSchedulerService(
+      mockSyncService,
+      mockAccountService,
+      mockStateProvider,
+      mockEncryptedMigrator,
+      mockAuthService,
+      mockLogService,
+      mockDialogService,
+      mockToastService,
+      mockI18nService,
+      mockRouter,
+    );
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe("runMigrationsIfNeeded", () => {
+    it("should return early if user is not unlocked", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Locked));
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).not.toHaveBeenCalled();
+      expect(mockLogService.info).not.toHaveBeenCalled();
+    });
+
+    it("should log and return when no migration is needed", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("noMigrationNeeded");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] No migrations needed for user ${mockUserId}`,
+      );
+      expect(mockEncryptedMigrator.runMigrations).not.toHaveBeenCalled();
+    });
+
+    it("should run migrations without interaction when master password is not required", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] User ${mockUserId} needs migrations with master password`,
+      );
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+    });
+
+    it("should run migrations with interaction when migration is needed", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigrationWithMasterPassword");
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.needsMigrations).toHaveBeenCalledWith(mockUserId);
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        `[EncryptedMigrationsScheduler] User ${mockUserId} needs migrations with master password`,
+      );
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+  });
+
+  describe("runMigrationsWithoutInteraction", () => {
+    it("should run migrations without master password", async () => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+      expect(mockLogService.error).not.toHaveBeenCalled();
+    });
+
+    it("should handle errors during migration without interaction", async () => {
+      const mockError = new Error("Migration failed");
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigration");
+      mockEncryptedMigrator.runMigrations.mockRejectedValue(mockError);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(mockUserId, null);
+      expect(mockLogService.error).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Error during migration without interaction",
+        mockError,
+      );
+    });
+  });
+
+  describe("runMigrationsWithInteraction", () => {
+    beforeEach(() => {
+      mockAuthService.authStatusFor$.mockReturnValue(of(AuthenticationStatus.Unlocked));
+      mockEncryptedMigrator.needsMigrations.mockResolvedValue("needsMigrationWithMasterPassword");
+    });
+
+    it("should skip if migration was dismissed recently", async () => {
+      const recentDismissDate = new Date(Date.now() - 12 * 60 * 60 * 1000); // 12 hours ago
+      const mockUserState = createMockUserState(recentDismissDate);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockStateProvider.getUser).toHaveBeenCalledWith(
+        mockUserId,
+        ENCRYPTED_MIGRATION_DISMISSED,
+      );
+      expect(mockLogService.info).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Migration prompt dismissed recently, skipping for now.",
+      );
+      expect(PromptMigrationPasswordComponent.open).not.toHaveBeenCalled();
+    });
+
+    it("should prompt for migration if dismissed date is older than 24 hours", async () => {
+      const oldDismissDate = new Date(Date.now() - 25 * 60 * 60 * 1000); // 25 hours ago
+      const mockUserState = createMockUserState(oldDismissDate);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(mockStateProvider.getUser).toHaveBeenCalledWith(
+        mockUserId,
+        ENCRYPTED_MIGRATION_DISMISSED,
+      );
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+
+    it("should prompt for migration if no dismiss date exists", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+    });
+
+    it("should set dismiss date when empty password is provided", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      const mockDialogRef = {
+        closed: of(""), // Empty password
+      };
+      jest.spyOn(PromptMigrationPasswordComponent, "open").mockReturnValue(mockDialogRef as any);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).not.toHaveBeenCalled();
+      expect(mockStateProvider.setUserState).toHaveBeenCalledWith(
+        ENCRYPTED_MIGRATION_DISMISSED,
+        expect.any(Date),
+        mockUserId,
+      );
+    });
+
+    it("should handle errors during migration prompt and show toast", async () => {
+      const mockUserState = createMockUserState(null);
+      mockStateProvider.getUser.mockReturnValue(mockUserState);
+
+      const mockError = new Error("Migration failed");
+      mockEncryptedMigrator.runMigrations.mockRejectedValue(mockError);
+
+      await service.runMigrationsIfNeeded(mockUserId);
+
+      expect(PromptMigrationPasswordComponent.open).toHaveBeenCalledWith(mockDialogService);
+      expect(mockEncryptedMigrator.runMigrations).toHaveBeenCalledWith(
+        mockUserId,
+        mockMasterPassword,
+      );
+      expect(mockLogService.error).toHaveBeenCalledWith(
+        "[EncryptedMigrationsScheduler] Error during migration prompt",
+        mockError,
+      );
+      expect(mockToastService.showToast).toHaveBeenCalledWith({
+        variant: "error",
+        message: "translated_migrationsFailed",
+      });
+    });
+  });
+});
--- a/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts
+++ b/libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts
@@ -0,0 +1,188 @@
+import { NavigationEnd, Router } from "@angular/router";
+import {
+  combineLatest,
+  switchMap,
+  of,
+  firstValueFrom,
+  filter,
+  concatMap,
+  Observable,
+  map,
+} from "rxjs";
+
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { Utils } from "@bitwarden/common/platform/misc/utils";
+import {
+  UserKeyDefinition,
+  ENCRYPTED_MIGRATION_DISK,
+  StateProvider,
+} from "@bitwarden/common/platform/state";
+import { SyncService } from "@bitwarden/common/platform/sync";
+import { UserId } from "@bitwarden/common/types/guid";
+import { DialogService, ToastService } from "@bitwarden/components";
+import { LogService } from "@bitwarden/logging";
+
+import { EncryptedMigrationsSchedulerService } from "./encrypted-migrations-scheduler.service.abstraction";
+import { PromptMigrationPasswordComponent } from "./prompt-migration-password.component";
+
+export const ENCRYPTED_MIGRATION_DISMISSED = new UserKeyDefinition<Date>(
+  ENCRYPTED_MIGRATION_DISK,
+  "encryptedMigrationDismissed",
+  {
+    deserializer: (obj: string) => (obj != null ? new Date(obj) : null),
+    clearOn: [],
+  },
+);
+const DISMISS_TIME_HOURS = 24;
+const VAULT_ROUTE = "/vault";
+
+/**
+ * This services schedules encrypted migrations for users on clients that are interactive (non-cli), and handles manual interaction,
+ * if it is required by showing a UI prompt. It is only one means of triggering migrations, in case the user stays unlocked for a while,
+ * or regularly logs in without a master-password, when the migrations do require a master-password to run.
+ */
+export class DefaultEncryptedMigrationsSchedulerService
+  implements EncryptedMigrationsSchedulerService
+{
+  isMigrating = false;
+  url$: Observable<string>;
+
+  constructor(
+    private syncService: SyncService,
+    private accountService: AccountService,
+    private stateProvider: StateProvider,
+    private encryptedMigrator: EncryptedMigrator,
+    private authService: AuthService,
+    private logService: LogService,
+    private dialogService: DialogService,
+    private toastService: ToastService,
+    private i18nService: I18nService,
+    private router: Router,
+  ) {
+    this.url$ = this.router.events.pipe(
+      filter((event: any) => event instanceof NavigationEnd),
+      map((event: NavigationEnd) => event.url),
+    );
+
+    // For all accounts, if the auth status changes to unlocked or a sync happens, prompt for migration
+    this.accountService.accounts$
+      .pipe(
+        switchMap((accounts) => {
+          const userIds = Object.keys(accounts) as UserId[];
+
+          if (userIds.length === 0) {
+            return of([]);
+          }
+
+          return combineLatest(
+            userIds.map((userId) =>
+              combineLatest([
+                this.authService.authStatusFor$(userId),
+                this.syncService.lastSync$(userId).pipe(filter((lastSync) => lastSync != null)),
+                this.url$,
+              ]).pipe(
+                filter(
+                  ([authStatus, _date, url]) =>
+                    authStatus === AuthenticationStatus.Unlocked && url === VAULT_ROUTE,
+                ),
+                concatMap(() => this.runMigrationsIfNeeded(userId)),
+              ),
+            ),
+          );
+        }),
+      )
+      .subscribe();
+  }
+
+  async runMigrationsIfNeeded(userId: UserId): Promise<void> {
+    const authStatus = await firstValueFrom(this.authService.authStatusFor$(userId));
+    if (authStatus !== AuthenticationStatus.Unlocked) {
+      return;
+    }
+
+    if (this.isMigrating || this.encryptedMigrator.isRunningMigrations()) {
+      this.logService.info(
+        `[EncryptedMigrationsScheduler] Skipping migration check for user ${userId} because migrations are already in progress`,
+      );
+      return;
+    }
+
+    this.isMigrating = true;
+    switch (await this.encryptedMigrator.needsMigrations(userId)) {
+      case "noMigrationNeeded":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] No migrations needed for user ${userId}`,
+        );
+        break;
+      case "needsMigrationWithMasterPassword":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] User ${userId} needs migrations with master password`,
+        );
+        // If the user is unlocked, we can run migrations with the master password
+        await this.runMigrationsWithInteraction(userId);
+        break;
+      case "needsMigration":
+        this.logService.info(
+          `[EncryptedMigrationsScheduler] User ${userId} needs migrations with master password`,
+        );
+        // If the user is unlocked, we can prompt for the master password
+        await this.runMigrationsWithoutInteraction(userId);
+        break;
+    }
+    this.isMigrating = false;
+  }
+
+  private async runMigrationsWithoutInteraction(userId: UserId): Promise<void> {
+    try {
+      await this.encryptedMigrator.runMigrations(userId, null);
+    } catch (error) {
+      this.logService.error(
+        "[EncryptedMigrationsScheduler] Error during migration without interaction",
+        error,
+      );
+    }
+  }
+
+  private async runMigrationsWithInteraction(userId: UserId): Promise<void> {
+    // A dialog can be dismissed for a certain amount of time
+    const dismissedDate = await firstValueFrom(
+      this.stateProvider.getUser(userId, ENCRYPTED_MIGRATION_DISMISSED).state$,
+    );
+    if (dismissedDate != null) {
+      const now = new Date();
+      const timeDiff = now.getTime() - (dismissedDate as Date).getTime();
+      const hoursDiff = timeDiff / (1000 * 60 * 60);
+
+      if (hoursDiff < DISMISS_TIME_HOURS) {
+        this.logService.info(
+          "[EncryptedMigrationsScheduler] Migration prompt dismissed recently, skipping for now.",
+        );
+        return;
+      }
+    }
+
+    try {
+      const dialog = PromptMigrationPasswordComponent.open(this.dialogService);
+      const masterPassword = await firstValueFrom(dialog.closed);
+      if (Utils.isNullOrWhitespace(masterPassword)) {
+        await this.stateProvider.setUserState(ENCRYPTED_MIGRATION_DISMISSED, new Date(), userId);
+      } else {
+        await this.encryptedMigrator.runMigrations(
+          userId,
+          masterPassword === undefined ? null : masterPassword,
+        );
+      }
+    } catch (error) {
+      this.logService.error("[EncryptedMigrationsScheduler] Error during migration prompt", error);
+      // If migrations failed when the user actively was prompted, show a toast
+      this.toastService.showToast({
+        variant: "error",
+        message: this.i18nService.t("migrationsFailed"),
+      });
+    }
+  }
+}
--- a/libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.html
+++ b/libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.html
@@ -0,0 +1,55 @@
+<form [bitSubmit]="submit" [formGroup]="migrationPasswordForm">
+  <bit-dialog>
+    <div class="tw-font-semibold" bitDialogTitle>
+      {{ "updateEncryptionSettingsTitle" | i18n }}
+    </div>
+    <div bitDialogContent>
+      <p>
+        {{ "updateEncryptionSettingsDesc" | i18n }}
+        <a
+          bitLink
+          href="https://bitwarden.com/help/kdf-algorithms/"
+          target="_blank"
+          rel="noreferrer"
+          aria-label="external link"
+        >
+          {{ "learnMore" | i18n }}
+          <i class="bwi bwi-external-link" aria-hidden="true"></i>
+        </a>
+      </p>
+      <bit-form-field>
+        <bit-label>{{ "masterPass" | i18n }}</bit-label>
+        <bit-hint>{{ "confirmIdentityToContinue" | i18n }}</bit-hint>
+        <input
+          class="tw-font-mono"
+          bitInput
+          type="password"
+          formControlName="masterPassword"
+          [attr.title]="'masterPass' | i18n"
+        />
+        <button
+          type="button"
+          bitIconButton
+          bitSuffix
+          bitPasswordInputToggle
+          [attr.title]="'toggleVisibility' | i18n"
+          [attr.aria-label]="'toggleVisibility' | i18n"
+        ></button>
+      </bit-form-field>
+    </div>
+    <ng-container bitDialogFooter>
+      <button
+        type="submit"
+        bitButton
+        bitFormButton
+        buttonType="primary"
+        [disabled]="migrationPasswordForm.invalid"
+      >
+        <span>{{ "updateSettings" | i18n }}</span>
+      </button>
+      <button type="button" bitButton bitFormButton buttonType="secondary" bitDialogClose>
+        {{ "later" | i18n }}
+      </button>
+    </ng-container>
+  </bit-dialog>
+</form>
--- a/libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.ts
+++ b/libs/angular/src/key-management/encrypted-migration/prompt-migration-password.component.ts
@@ -0,0 +1,85 @@
+import { CommonModule } from "@angular/common";
+import { Component, inject, ChangeDetectionStrategy } from "@angular/core";
+import { FormBuilder, ReactiveFormsModule, Validators } from "@angular/forms";
+import { filter, firstValueFrom, map } from "rxjs";
+
+import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";
+import {
+  LinkModule,
+  AsyncActionsModule,
+  ButtonModule,
+  DialogModule,
+  DialogRef,
+  DialogService,
+  FormFieldModule,
+  IconButtonModule,
+} from "@bitwarden/components";
+
+/**
+ * This is a generic prompt to run encryption migrations that require the master password.
+ */
+@Component({
+  changeDetection: ChangeDetectionStrategy.OnPush,
+  templateUrl: "prompt-migration-password.component.html",
+  imports: [
+    DialogModule,
+    LinkModule,
+    CommonModule,
+    JslibModule,
+    ButtonModule,
+    IconButtonModule,
+    ReactiveFormsModule,
+    AsyncActionsModule,
+    FormFieldModule,
+  ],
+})
+export class PromptMigrationPasswordComponent {
+  private dialogRef = inject(DialogRef<string>);
+  private formBuilder = inject(FormBuilder);
+  private uvService = inject(UserVerificationService);
+  private accountService = inject(AccountService);
+
+  migrationPasswordForm = this.formBuilder.group({
+    masterPassword: ["", [Validators.required]],
+  });
+
+  static open(dialogService: DialogService) {
+    return dialogService.open<string>(PromptMigrationPasswordComponent);
+  }
+
+  submit = async () => {
+    const masterPasswordControl = this.migrationPasswordForm.controls.masterPassword;
+
+    if (!masterPasswordControl.value || masterPasswordControl.invalid) {
+      return;
+    }
+
+    const { userId, email } = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(
+        filter((account) => account != null),
+        map((account) => {
+          return {
+            userId: account!.id,
+            email: account!.email,
+          };
+        }),
+      ),
+    );
+
+    if (
+      !(await this.uvService.verifyUserByMasterPassword(
+        { type: VerificationType.MasterPassword, secret: masterPasswordControl.value },
+        userId,
+        email,
+      ))
+    ) {
+      return;
+    }
+
+    // Return the master password to the caller
+    this.dialogRef.close(masterPasswordControl.value);
+  };
+}
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -1,6 +1,7 @@
 // FIXME: Update this file to be type safe and remove this and next line
 // @ts-strict-ignore
-import { ErrorHandler, LOCALE_ID, NgModule } from "@angular/core";
+import { APP_INITIALIZER, ErrorHandler, LOCALE_ID, NgModule } from "@angular/core";
+import { Router } from "@angular/router";
 import { Subject } from "rxjs";

 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
@@ -177,10 +178,12 @@ import { EncryptServiceImplementation } from "@bitwarden/common/key-management/c
 import { WebCryptoFunctionService } from "@bitwarden/common/key-management/crypto/services/web-crypto-function.service";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { DeviceTrustService } from "@bitwarden/common/key-management/device-trust/services/device-trust.service.implementation";
+import { DefaultEncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/default-encrypted-migrator";
+import { EncryptedMigrator } from "@bitwarden/common/key-management/encrypted-migrator/encrypted-migrator.abstraction";
 import { DefaultChangeKdfApiService } from "@bitwarden/common/key-management/kdf/change-kdf-api.service";
 import { ChangeKdfApiService } from "@bitwarden/common/key-management/kdf/change-kdf-api.service.abstraction";
-import { DefaultChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service";
-import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf-service.abstraction";
+import { DefaultChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf.service";
+import { ChangeKdfService } from "@bitwarden/common/key-management/kdf/change-kdf.service.abstraction";
 import { KeyConnectorService as KeyConnectorServiceAbstraction } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/services/key-connector.service";
 import { KeyApiService } from "@bitwarden/common/key-management/keys/services/abstractions/key-api-service.abstraction";
@@ -328,6 +331,7 @@ import { DefaultTaskService, TaskService } from "@bitwarden/common/vault/tasks";
 import {
  AnonLayoutWrapperDataService,
  DefaultAnonLayoutWrapperDataService,
+  DialogService,
  ToastService,
 } from "@bitwarden/components";
 import {
@@ -396,6 +400,8 @@ import { DeviceTrustToastService as DeviceTrustToastServiceAbstraction } from ".
 import { DeviceTrustToastService } from "../auth/services/device-trust-toast.service.implementation";
 import { NoopPremiumInterestStateService } from "../billing/services/premium-interest/noop-premium-interest-state.service";
 import { PremiumInterestStateService } from "../billing/services/premium-interest/premium-interest-state.service.abstraction";
+import { DefaultEncryptedMigrationsSchedulerService } from "../key-management/encrypted-migration/encrypted-migrations-scheduler.service";
+import { EncryptedMigrationsSchedulerService } from "../key-management/encrypted-migration/encrypted-migrations-scheduler.service.abstraction";
 import { FormValidationErrorsService as FormValidationErrorsServiceAbstraction } from "../platform/abstractions/form-validation-errors.service";
 import { DocumentLangSetter } from "../platform/i18n";
 import { FormValidationErrorsService } from "../platform/services/form-validation-errors.service";
@@ -516,6 +522,23 @@ const safeProviders: SafeProvider[] = [
      TokenServiceAbstraction,
    ],
  }),
+  safeProvider({
+    provide: ChangeKdfService,
+    useClass: DefaultChangeKdfService,
+    deps: [ChangeKdfApiService, SdkService],
+  }),
+  safeProvider({
+    provide: EncryptedMigrator,
+    useClass: DefaultEncryptedMigrator,
+    deps: [
+      KdfConfigService,
+      ChangeKdfService,
+      LogService,
+      ConfigService,
+      MasterPasswordServiceAbstraction,
+      SyncService,
+    ],
+  }),
  safeProvider({
    provide: LoginStrategyServiceAbstraction,
    useClass: LoginStrategyService,
@@ -1665,6 +1688,7 @@ const safeProviders: SafeProvider[] = [
      SsoLoginServiceAbstraction,
      SyncService,
      UserAsymmetricKeysRegenerationService,
+      EncryptedMigrator,
      LogService,
    ],
  }),
@@ -1735,6 +1759,28 @@ const safeProviders: SafeProvider[] = [
      InternalMasterPasswordServiceAbstraction,
    ],
  }),
+  safeProvider({
+    provide: EncryptedMigrationsSchedulerService,
+    useClass: DefaultEncryptedMigrationsSchedulerService,
+    deps: [
+      SyncService,
+      AccountService,
+      StateProvider,
+      EncryptedMigrator,
+      AuthServiceAbstraction,
+      LogService,
+      DialogService,
+      ToastService,
+      I18nServiceAbstraction,
+      Router,
+    ],
+  }),
+  safeProvider({
+    provide: APP_INITIALIZER as SafeInjectionToken<() => Promise<void>>,
+    useFactory: (encryptedMigrationsScheduler: EncryptedMigrationsSchedulerService) => () => {},
+    deps: [EncryptedMigrationsSchedulerService],
+    multi: true,
+  }),
  safeProvider({
    provide: LockService,
    useClass: DefaultLockService,