PM-2035: PRF Unlock (#6401)

* Initial refactor * Add WebauthnPRFOptions to syncResponse * MAYBE: Use KM owned ResponseModel? * REVERT ^- Keep using PrfUnlockOptions for simplicity This reverts commit 5a34e7dfa8. * UserDecryptionOptions: Only send one credential * format * Update UserDecryptionOptions.cs * format * Added feature flag (#6600)
2026-02-17 09:59:14 +00:00 · 2026-01-26 16:18:42 +01:00
parent c8124667ee
commit 40e293117d
7 changed files with 50 additions and 7 deletions
--- a/src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs
+++ b/src/Core/Auth/Models/Api/Response/UserDecryptionOptions.cs
@@ -45,13 +45,19 @@ public class WebAuthnPrfDecryptionOption
 {
    public string EncryptedPrivateKey { get; }
    public string EncryptedUserKey { get; }
+    public string CredentialId { get; }
+    public string[] Transports { get; }

    public WebAuthnPrfDecryptionOption(
        string encryptedPrivateKey,
-        string encryptedUserKey)
+        string encryptedUserKey,
+        string credentialId,
+        string[]? transports = null)
    {
        EncryptedPrivateKey = encryptedPrivateKey;
        EncryptedUserKey = encryptedUserKey;
+        CredentialId = credentialId;
+        Transports = transports ?? [];
    }
 }

--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -160,6 +160,7 @@ public static class FeatureFlagKeys
    public const string PM24579_PreventSsoOnExistingNonCompliantUsers = "pm-24579-prevent-sso-on-existing-non-compliant-users";
    public const string DisableAlternateLoginMethods = "pm-22110-disable-alternate-login-methods";
    public const string MJMLBasedEmailTemplates = "mjml-based-email-templates";
+    public const string PM2035PasskeyUnlock = "pm-2035-passkey-unlock";
    public const string MjmlWelcomeEmailTemplates = "pm-21741-mjml-welcome-email";
    public const string OrganizationConfirmationEmail = "pm-28402-update-confirmed-to-org-email-template";
    public const string MarketingInitiatedPremiumFlow = "pm-26140-marketing-initiated-premium-flow";
--- a/src/Core/KeyManagement/Models/Api/Response/UserDecryptionResponseModel.cs
+++ b/src/Core/KeyManagement/Models/Api/Response/UserDecryptionResponseModel.cs
@@ -1,4 +1,7 @@
-namespace Bit.Core.KeyManagement.Models.Api.Response;
+using System.Text.Json.Serialization;
+using Bit.Core.Auth.Models.Api.Response;
+
+namespace Bit.Core.KeyManagement.Models.Api.Response;

 public class UserDecryptionResponseModel
 {
@@ -6,4 +9,10 @@ public class UserDecryptionResponseModel
    /// Returns the unlock data when the user has a master password that can be used to decrypt their vault.
    /// </summary>
    public MasterPasswordUnlockResponseModel? MasterPasswordUnlock { get; set; }
+
+    /// <summary>
+    /// Gets or sets the WebAuthn PRF decryption keys.
+    /// </summary>
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public WebAuthnPrfDecryptionOption[]? WebAuthnPrfOptions { get; set; }
 }