[PM-16603] Implement userkey rotation v2

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-16603
Server PR: bitwarden/server#5204

📔 Objective

Userkey rotation previously consisted of two steps: Update masterpassword first, then update the userkey. Between these two, the clients relied on the local state to track the updated masterkey, but also to track kdf settings. If any of these were wrong, the userkey rotation request could corrupt vault data.

This combines both into one request, such that the kdf parameters are also always sent together with the userkey rotation request so that the corruption cannot occur. Further, this makes it so that cancelling during key rotation, does not force logout the user (where previously it had to, since the masterpassword was changed, and thus the security stamp was changed).

The old key rotation is still kept around for migration of legacy users.

📸 Screenshots

Screen.Recording.2025-01-03.at.13.51.35.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – e5d2555f-6849-4181-ad50-33752a762f13

New Issues (7)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/tools/access-intelligence/org-at-risk-apps-dialog.component.html: 15	details Method at line 15 of /bitwarden_license/bit-web/src/app/tools/access-intelligence/org-at-risk-apps-dialog.component.html sends user information ou... Attack Vector
	Client_Privacy_Violation	/apps/web/src/app/auth/settings/change-password.component.html: 121	details Method change_password_component at line 121 of /apps/web/src/app/auth/settings/change-password.component.html sends user information outside the a... Attack Vector
	Client_Privacy_Violation	/apps/web/src/app/auth/settings/change-password.component.html: 68	details Method change_password_component at line 68 of /apps/web/src/app/auth/settings/change-password.component.html sends user information outside the ap... Attack Vector
	Client_Privacy_Violation	/apps/web/src/app/auth/settings/change-password.component.html: 26	details Method change_password_component at line 26 of /apps/web/src/app/auth/settings/change-password.component.html sends user information outside the ap... Attack Vector
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/tools/access-intelligence/org-at-risk-members-dialog.component.html: 15	details Method at line 15 of /bitwarden_license/bit-web/src/app/tools/access-intelligence/org-at-risk-members-dialog.component.html sends user information... Attack Vector
	Client_Privacy_Violation	/apps/web/src/app/auth/settings/change-password.component.html: 42	details Method change_password_component at line 42 of /apps/web/src/app/auth/settings/change-password.component.html sends user information outside the ap... Attack Vector
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/content/notification-bar.ts: 872	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/content/notification-bar.ts: 881

[codecov]

Codecov Report

Attention: Patch coverage is 60.00000% with 52 lines in your changes missing coverage. Please review.

Project coverage is 35.42%. Comparing base (582beaf) to head (4e3a44e).
Report is 19 commits behind head on main.

Files with missing lines	Patch %	Lines
...src/app/auth/settings/change-password.component.ts	6.06%	30 Missing and 1 partial ⚠️
...nagement/key-rotation/user-key-rotation.service.ts	83.92%	3 Missing and 6 partials ⚠️
libs/key-management/src/key.service.ts	0.00%	6 Missing ⚠️
...ion/request/master-password-unlock-data.request.ts	76.92%	3 Missing ⚠️
...-encryption/migrate-legacy-encryption.component.ts	0.00%	2 Missing ⚠️
...ment/key-rotation/user-key-rotation-api.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12646      +/-   ##
==========================================
+ Coverage   35.30%   35.42%   +0.11%     
==========================================
  Files        2997     3015      +18     
  Lines       90882    91279     +397     
  Branches    16969    17009      +40     
==========================================
+ Hits        32085    32332     +247     
- Misses      56310    56433     +123     
- Partials     2487     2514      +27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[JaredSnider-Bitwarden]

Nice work! After a quick pass through, I've got a few questions / comments below:

[JaredSnider-Bitwarden]

LGTM!

[mzieniukbw]

should we rename the feature flag to userkey-rotation-v2 ?

[quexten]

Yeah, makes sense, this is the flag we had in launchdarkly, but i'll get that changed, because it does not match the actual change that is not a refactor.

[quexten]

Cleaned up the userkey rotation v2 api in the server PR and subsequently adjusted this PR to match.

Added some more tests aswell.