[PM-16603] Implement userkey rotation v2 (#12646)

* Implement key rotation v2 * Pass through masterpassword hint * Properly split old and new code * Mark legacy rotation as deprecated * Throw when data is null * Cleanup * Add tests * Fix build * Update libs/key-management/src/key.service.spec.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update apps/web/src/app/auth/settings/change-password.component.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Add documentation * Centralize loading logic * Fix build * Remove sharedlib from legacymigration component --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
2025-12-15 07:43:35 +00:00 · 2025-03-24 20:41:21 +01:00
parent 8e62e0589d
commit 8c6a33d7b8
18 changed files with 642 additions and 19 deletions
--- a/libs/common/src/auth/services/user-verification/user-verification.service.spec.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.spec.ts
@@ -224,6 +224,8 @@ describe("UserVerificationService", () => {
        expect(result).toEqual({
          policyOptions: null,
          masterKey: "masterKey",
+          kdfConfig: "kdfConfig",
+          email: "email",
        });
      });

@@ -282,6 +284,8 @@ describe("UserVerificationService", () => {
        expect(result).toEqual({
          policyOptions: "MasterPasswordPolicyOptions",
          masterKey: "masterKey",
+          kdfConfig: "kdfConfig",
+          email: "email",
        });
      });

--- a/libs/common/src/auth/services/user-verification/user-verification.service.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.ts
@@ -237,7 +237,7 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
    );
    await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
    await this.masterPasswordService.setMasterKey(masterKey, userId);
-    return { policyOptions, masterKey };
+    return { policyOptions, masterKey, kdfConfig, email };
  }

  private async verifyUserByPIN(verification: PinVerification, userId: UserId): Promise<boolean> {
--- a/libs/common/src/auth/types/verification.ts
+++ b/libs/common/src/auth/types/verification.ts
@@ -1,3 +1,5 @@
+import { KdfConfig } from "@bitwarden/key-management";
+
 import { MasterKey } from "../../types/key";
 import { VerificationType } from "../enums/verification-type";
 import { MasterPasswordPolicyResponse } from "../models/response/master-password-policy.response";
@@ -22,5 +24,7 @@ export type ServerSideVerification = OtpVerification | MasterPasswordVerificatio

 export type MasterPasswordVerificationResponse = {
  masterKey: MasterKey;
+  kdfConfig: KdfConfig;
+  email: string;
  policyOptions: MasterPasswordPolicyResponse | null;
 };
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -39,6 +39,7 @@ export enum FeatureFlag {
  /* Auth */
  PM9112_DeviceApprovalPersistence = "pm-9112-device-approval-persistence",

+  UserKeyRotationV2 = "userkey-rotation-v2",
  PM4154_BulkEncryptionService = "PM-4154-bulk-encryption-service",
  UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh",
  CipherKeyEncryption = "cipher-key-encryption",
@@ -99,6 +100,7 @@ export const DefaultFeatureFlagValue = {
  /* Auth */
  [FeatureFlag.PM9112_DeviceApprovalPersistence]: FALSE,

+  [FeatureFlag.UserKeyRotationV2]: FALSE,
  [FeatureFlag.PM4154_BulkEncryptionService]: FALSE,
  [FeatureFlag.UnauthenticatedExtensionUIRefresh]: FALSE,
  [FeatureFlag.CipherKeyEncryption]: FALSE,