Implement key rotation v2

2026-02-25 17:13:24 +00:00 · 2025-01-28 15:26:10 +01:00
parent 582beaf706
commit d4caf6f8f5
17 changed files with 519 additions and 74 deletions
--- a/libs/common/src/auth/services/user-verification/user-verification.service.spec.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.spec.ts
@@ -226,6 +226,8 @@ describe("UserVerificationService", () => {
        expect(result).toEqual({
          policyOptions: null,
          masterKey: "masterKey",
+          kdfConfig: "kdfConfig",
+          email: "email",
        });
      });

@@ -284,6 +286,8 @@ describe("UserVerificationService", () => {
        expect(result).toEqual({
          policyOptions: "MasterPasswordPolicyOptions",
          masterKey: "masterKey",
+          kdfConfig: "kdfConfig",
+          email: "email",
        });
      });

--- a/libs/common/src/auth/services/user-verification/user-verification.service.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.ts
@@ -237,7 +237,7 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
    );
    await this.masterPasswordService.setMasterKeyHash(localKeyHash, userId);
    await this.masterPasswordService.setMasterKey(masterKey, userId);
-    return { policyOptions, masterKey };
+    return { policyOptions, masterKey, kdfConfig, email };
  }

  private async verifyUserByPIN(verification: PinVerification, userId: UserId): Promise<boolean> {
--- a/libs/common/src/auth/types/verification.ts
+++ b/libs/common/src/auth/types/verification.ts
@@ -1,3 +1,5 @@
+import { KdfConfig } from "@bitwarden/key-management";
+
 import { MasterKey } from "../../types/key";
 import { VerificationType } from "../enums/verification-type";
 import { MasterPasswordPolicyResponse } from "../models/response/master-password-policy.response";
@@ -22,5 +24,7 @@ export type ServerSideVerification = OtpVerification | MasterPasswordVerificatio

 export type MasterPasswordVerificationResponse = {
  masterKey: MasterKey;
+  kdfConfig: KdfConfig;
+  email: string;
  policyOptions: MasterPasswordPolicyResponse;
 };
--- a/libs/common/src/enums/feature-flag.enum.ts
+++ b/libs/common/src/enums/feature-flag.enum.ts
@@ -34,6 +34,7 @@ export enum FeatureFlag {
  UnauthenticatedExtensionUIRefresh = "unauth-ui-refresh",
  SSHKeyVaultItem = "ssh-key-vault-item",
  SSHAgent = "ssh-agent",
+  UserKeyRotationV2 = "userkey-rotation-v2",
  CipherKeyEncryption = "cipher-key-encryption",
  PM11901_RefactorSelfHostingLicenseUploader = "PM-11901-refactor-self-hosting-license-uploader",
  CriticalApps = "pm-14466-risk-insights-critical-application",
@@ -91,6 +92,7 @@ export const DefaultFeatureFlagValue = {
  [FeatureFlag.UnauthenticatedExtensionUIRefresh]: FALSE,
  [FeatureFlag.SSHKeyVaultItem]: FALSE,
  [FeatureFlag.SSHAgent]: FALSE,
+  [FeatureFlag.UserKeyRotationV2]: FALSE,
  [FeatureFlag.CipherKeyEncryption]: FALSE,
  [FeatureFlag.PM11901_RefactorSelfHostingLicenseUploader]: FALSE,
  [FeatureFlag.CriticalApps]: FALSE,