[PM-5963] Fix tde offboarding vault corruption (#9480)

* Fix tde offboarding

* Add tde offboarding password request

* Add event for tde offboarding

* Update libs/auth/src/common/models/domain/user-decryption-options.ts

Co-authored-by: Jake Fink <jfink@bitwarden.com>

* Update libs/common/src/services/api.service.ts

Co-authored-by: Jake Fink <jfink@bitwarden.com>

* Make tde offboarding take priority

* Update tde offboarding message

* Fix unit tests

* Fix unit tests

* Fix typo

* Fix unit tests

---------

Co-authored-by: Jake Fink <jfink@bitwarden.com>

libs/auth/src/common/login-strategies/sso-login.strategy.spec.ts

@@ -211,6 +211,7 @@ describe("SsoLoginStrategy", () => {
         HasAdminApproval: true,
         HasLoginApprovingDevice: true,
         HasManageResetPasswordPermission: false,
+        IsTdeOffboarding: false,
         EncryptedPrivateKey: mockEncDevicePrivateKey,
         EncryptedUserKey: mockEncUserKey,
       },
@@ -343,6 +344,7 @@ describe("SsoLoginStrategy", () => {
             HasAdminApproval: true,
             HasLoginApprovingDevice: false,
             HasManageResetPasswordPermission: false,
+            IsTdeOffboarding: false,
             EncryptedPrivateKey: mockEncDevicePrivateKey,
             EncryptedUserKey: mockEncUserKey,
           },

libs/auth/src/common/models/domain/user-decryption-options.ts

@@ -54,6 +54,8 @@ export class TrustedDeviceUserDecryptionOption {
   hasLoginApprovingDevice: boolean;
   /** True if the user has manage reset password permission, as these users must be forced to have a master password. */
   hasManageResetPasswordPermission: boolean;
+  /** True if tde is disabled but user has not set a master password yet. */
+  isTdeOffboarding: boolean;
 
   /**
    * Initializes a new instance of the TrustedDeviceUserDecryptionOption from a response object.
@@ -70,6 +72,7 @@ export class TrustedDeviceUserDecryptionOption {
     options.hasAdminApproval = response?.hasAdminApproval ?? false;
     options.hasLoginApprovingDevice = response?.hasLoginApprovingDevice ?? false;
     options.hasManageResetPasswordPermission = response?.hasManageResetPasswordPermission ?? false;
+    options.isTdeOffboarding = response?.isTdeOffboarding ?? false;
     return options;
   }
 

libs/auth/src/common/models/spec/fake-user-decryption-options.ts

@@ -29,10 +29,12 @@ export class FakeTrustedDeviceUserDecryptionOption extends TrustedDeviceUserDecr
     hasAdminApproval: boolean,
     hasLoginApprovingDevice: boolean,
     hasManageResetPasswordPermission: boolean,
+    isTdeOffboarding: boolean,
   ) {
     super();
     this.hasAdminApproval = hasAdminApproval;
     this.hasLoginApprovingDevice = hasLoginApprovingDevice;
     this.hasManageResetPasswordPermission = hasManageResetPasswordPermission;
+    this.isTdeOffboarding = isTdeOffboarding;
   }
 }

libs/auth/src/common/services/user-decryption-options/user-decryption-options.service.spec.ts

@@ -8,6 +8,8 @@ import {
 } from "@bitwarden/common/spec";
 import { UserId } from "@bitwarden/common/types/guid";
 
+import { UserDecryptionOptions } from "../../models/domain/user-decryption-options";
+
 import {
   USER_DECRYPTION_OPTIONS,
   UserDecryptionOptionsService,
@@ -27,12 +29,13 @@ describe("UserDecryptionOptionsService", () => {
     sut = new UserDecryptionOptionsService(fakeStateProvider);
   });
 
-  const userDecryptionOptions = {
+  const userDecryptionOptions: UserDecryptionOptions = {
     hasMasterPassword: true,
     trustedDeviceOption: {
       hasAdminApproval: false,
       hasLoginApprovingDevice: false,
       hasManageResetPasswordPermission: true,
+      isTdeOffboarding: false,
     },
     keyConnectorOption: {
       keyConnectorUrl: "https://keyconnector.bitwarden.com",