bitwarden · quexten · Jan 28, 2025 · Jan 29, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -121,7 +121,7 @@ <h1>{{ "changeMasterPassword" | i18n }}</h1>
       [(ngModel)]="masterPasswordHint"
     />
   </div>
-  <button type="submit" buttonType="primary" bitButton [loading]="form.loading">
+  <button type="submit" buttonType="primary" bitButton [loading]="loading">
     {{ "changeMasterPassword" | i18n }}
   </button>
 </form>

@@ -13,6 +13,8 @@
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { PasswordRequest } from "@bitwarden/common/auth/models/request/password.request";
 import { getUserId } from "@bitwarden/common/auth/services/account.service";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
@@ -35,11 +37,13 @@
   extends BaseChangePasswordComponent
   implements OnInit, OnDestroy
 {
+  loading = false;
   rotateUserKey = false;
   currentMasterPassword: string;
   masterPasswordHint: string;
   checkForBreaches = true;
   characterMinimumMessage = "";
+  userkeyRotationV2 = false;
 
   constructor(
     i18nService: I18nService,
@@ -56,9 +60,10 @@
     private userVerificationService: UserVerificationService,
     private keyRotationService: UserKeyRotationService,
     kdfConfigService: KdfConfigService,
-    masterPasswordService: InternalMasterPasswordServiceAbstraction,
+    protected masterPasswordService: InternalMasterPasswordServiceAbstraction,
     accountService: AccountService,
     toastService: ToastService,
+    private configService: ConfigService,
   ) {
     super(
       i18nService,
@@ -75,6 +80,8 @@
   }
 
   async ngOnInit() {
+    this.userkeyRotationV2 = await this.configService.getFeatureFlag(FeatureFlag.UserKeyRotationV2);
+
     if (!(await this.userVerificationService.hasMasterPassword())) {
       // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
       // eslint-disable-next-line @typescript-eslint/no-floating-promises
@@ -135,6 +142,130 @@
   }
 
   async submit() {
+    if (this.userkeyRotationV2) {
+      this.loading = true;
+      await this.submitNew();
+      this.loading = false;
+    } else {
+      await this.submitOld();
+    }
+  }
+
+  async submitNew() {
+    if (this.currentMasterPassword == null || this.currentMasterPassword === "") {
+      this.toastService.showToast({
+        variant: "error",
+        title: this.i18nService.t("errorOccurred"),
+        message: this.i18nService.t("masterPasswordRequired"),
+      });
+      return;
+    }
+
+    if (
+      this.masterPasswordHint != null &&
+      this.masterPasswordHint.toLowerCase() === this.masterPassword.toLowerCase()
+    ) {
+      this.toastService.showToast({
+        variant: "error",
+        title: this.i18nService.t("errorOccurred"),
+        message: this.i18nService.t("hintEqualsPassword"),
+      });
+      return;
+    }
+
+    this.leakedPassword = false;
+    if (this.checkForBreaches) {
+      this.leakedPassword = (await this.auditService.passwordLeaked(this.masterPassword)) > 0;
+    }
+
+    if (!(await this.strongPassword())) {
+      return;
+    }
+
+    try {
+      if (this.rotateUserKey) {
+        await this.syncService.fullSync(true);
+        const user = await firstValueFrom(this.accountService.activeAccount$);
+        await this.keyRotationService.rotateUserKeyMasterPasswordAndEncryptedData(
+          this.currentMasterPassword,
+          this.masterPassword,
+          user,
+          this.masterPasswordHint,
+        );
+      } else {
+        await this.updatePassword(this.masterPassword);
+      }
+    } catch (e) {
+      this.toastService.showToast({
+        variant: "error",
+        title: this.i18nService.t("errorOccurred"),
+        message: e.message,
+      });
+    }
+  }
+
+  // todo: move this to a service
+  // https://bitwarden.atlassian.net/browse/PM-17108
+  private async updatePassword(newMasterPassword: string) {
+    const currentMasterPassword = this.currentMasterPassword;
+    const { userId, email } = await firstValueFrom(
+      this.accountService.activeAccount$.pipe(map((a) => ({ userId: a?.id, email: a?.email }))),
+    );
+    const kdfConfig = await firstValueFrom(this.kdfConfigService.getKdfConfig$(userId));
+
+    const currentMasterKey = await this.keyService.makeMasterKey(
+      currentMasterPassword,
+      email,
+      kdfConfig,
+    );
+    const decryptedUserKey = await this.masterPasswordService.decryptUserKeyWithMasterKey(
+      currentMasterKey,
+      userId,
+    );
+    if (decryptedUserKey == null) {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("invalidMasterPassword"),
+      });
+      return;
+    }
+
+    const newMasterKey = await this.keyService.makeMasterKey(newMasterPassword, email, kdfConfig);
+    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
+      newMasterKey,
+      decryptedUserKey,
+    );
+
+    const request = new PasswordRequest();
+    request.masterPasswordHash = await this.keyService.hashMasterKey(
+      this.currentMasterPassword,
+      currentMasterKey,
+    );
+    request.masterPasswordHint = this.masterPasswordHint;
+    request.newMasterPasswordHash = await this.keyService.hashMasterKey(
+      newMasterPassword,
+      newMasterKey,
+    );
+    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
+    try {
+      await this.apiService.postPassword(request);
+      this.toastService.showToast({
+        variant: "success",
+        title: this.i18nService.t("masterPasswordChanged"),
+        message: this.i18nService.t("masterPasswordChangedDesc"),
+      });
+      this.messagingService.send("logout");
+    } catch {
+      this.toastService.showToast({
+        variant: "error",
+        title: null,
+        message: this.i18nService.t("errorOccurred"),
+      });
+    }
+  }
+
+  async submitOld() {
     if (
       this.masterPasswordHint != null &&
       this.masterPasswordHint.toLowerCase() === this.masterPassword.toLowerCase()
@@ -240,6 +371,6 @@
 
   private async updateKey() {
     const user = await firstValueFrom(this.accountService.activeAccount$);
-    await this.keyRotationService.rotateUserKeyAndEncryptedData(this.masterPassword, user);
+    await this.keyRotationService.rotateUserKeyAndEncryptedDataLegacy(this.masterPassword, user);
   }
 }
@@ -0,0 +1,10 @@
+export class AccountKeysRequest {
+  // Other keys encrypted by the userkey
+  userKeyEncryptedAccountPrivateKey: string;
+  accountPublicKey: string;
+
+  constructor(userKeyEncryptedAccountPrivateKey: string, accountPublicKey: string) {
+    this.userKeyEncryptedAccountPrivateKey = userKeyEncryptedAccountPrivateKey;
+    this.accountPublicKey = accountPublicKey;
+  }
+}
@@ -0,0 +1,35 @@
+import { Argon2KdfConfig, KdfConfig, KdfType } from "@bitwarden/key-management";
+
+export class MasterPasswordUnlockDataRequest {
+  kdfType: KdfType = KdfType.PBKDF2_SHA256;
+  kdfIterations: number = 0;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+
+  email: string;
+  masterKeyAuthenticationHash: string;
+
+  masterKeyEncryptedUserKey: string;
+
+  masterPasswordHint?: string;
+
+  constructor(
+    kdfConfig: KdfConfig,
+    email: string,
+    masterKeyAuthenticationHash: string,
+    masterKeyEncryptedUserKey: string,
+    masterPasswordHash?: string,
+  ) {
+    this.kdfType = kdfConfig.kdfType;
+    this.kdfIterations = kdfConfig.iterations;
+    if (kdfConfig.kdfType === KdfType.Argon2id) {
+      this.kdfMemory = (kdfConfig as Argon2KdfConfig).memory;
+      this.kdfParallelism = (kdfConfig as Argon2KdfConfig).parallelism;
+    }
+
+    this.email = email;
+    this.masterKeyAuthenticationHash = masterKeyAuthenticationHash;
+    this.masterKeyEncryptedUserKey = masterKeyEncryptedUserKey;
+    this.masterPasswordHint = masterPasswordHash;
+  }
+}
@@ -0,0 +1,29 @@
+import { AccountKeysRequest } from "./account-keys.request";
+import { UnlockDataRequest } from "./unlock-data.request";
+import { UserDataRequest as AccountDataRequest } from "./userdata.request";
+
+export class RotateUserAccountKeysRequest {
+  constructor(
+    accountUnlockData: UnlockDataRequest,
+    accountKeys: AccountKeysRequest,
+    accountData: AccountDataRequest,
+    oldMasterKeyAuthenticationHash: string,
+  ) {
+    this.accountUnlockData = accountUnlockData;
+    this.accountKeys = accountKeys;
+    this.accountData = accountData;
+    this.oldMasterKeyAuthenticationHash = oldMasterKeyAuthenticationHash;
+  }
+
+  // Authentication for the request
+  oldMasterKeyAuthenticationHash: string;
+
+  // All methods to get to the userkey
+  accountUnlockData: UnlockDataRequest;
+
+  // Other keys encrypted by the userkey
+  accountKeys: AccountKeysRequest;
+
+  // User vault data encrypted by the userkey
+  accountData: AccountDataRequest;
+}
@@ -0,0 +1,26 @@
+import { OrganizationUserResetPasswordWithIdRequest } from "@bitwarden/admin-console/common";
+import { WebauthnRotateCredentialRequest } from "@bitwarden/common/auth/models/request/webauthn-rotate-credential.request";
+
+import { EmergencyAccessWithIdRequest } from "../../../auth/emergency-access/request/emergency-access-update.request";
+
+import { MasterPasswordUnlockDataRequest } from "./master-password-unlock-data.request";
+
+export class UnlockDataRequest {
+  // All methods to get to the userkey
+  masterPasswordUnlockData: MasterPasswordUnlockDataRequest;
+  emergencyAccessUnlockData: EmergencyAccessWithIdRequest[];
+  organizationAccountRecoveryUnlockData: OrganizationUserResetPasswordWithIdRequest[];
+  passkeyUnlockData: WebauthnRotateCredentialRequest[];
+
+  constructor(
+    masterPasswordUnlockData: MasterPasswordUnlockDataRequest,
+    emergencyAccessUnlockData: EmergencyAccessWithIdRequest[],
+    organizationAccountRecoveryUnlockData: OrganizationUserResetPasswordWithIdRequest[],
+    passkeyUnlockData: WebauthnRotateCredentialRequest[],
+  ) {
+    this.masterPasswordUnlockData = masterPasswordUnlockData;
+    this.emergencyAccessUnlockData = emergencyAccessUnlockData;
+    this.organizationAccountRecoveryUnlockData = organizationAccountRecoveryUnlockData;
+    this.passkeyUnlockData = passkeyUnlockData;
+  }
+}
@@ -0,0 +1,19 @@
+import { SendWithIdRequest } from "@bitwarden/common/tools/send/models/request/send-with-id.request";
+import { CipherWithIdRequest } from "@bitwarden/common/vault/models/request/cipher-with-id.request";
+import { FolderWithIdRequest } from "@bitwarden/common/vault/models/request/folder-with-id.request";
+
+export class UserDataRequest {
+  ciphers: CipherWithIdRequest[];
+  folders: FolderWithIdRequest[];
+  sends: SendWithIdRequest[];
+
+  constructor(
+    ciphers: CipherWithIdRequest[],
+    folders: FolderWithIdRequest[],
+    sends: SendWithIdRequest[],
+  ) {
+    this.ciphers = ciphers;
+    this.folders = folders;
+    this.sends = sends;
+  }
+}
@@ -2,6 +2,7 @@
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 
+import { RotateUserAccountKeysRequest } from "./request/rotate-user-account-keys.request";
 import { UpdateKeyRequest } from "./request/update-key.request";
 
 @Injectable()
@@ -11,4 +12,14 @@
   postUserKeyUpdate(request: UpdateKeyRequest): Promise<any> {
     return this.apiService.send("POST", "/accounts/key", request, true, false);
   }
+
+  postUserKeyUpdateV2(request: RotateUserAccountKeysRequest): Promise<any> {
+    return this.apiService.send(
+      "POST",
+      "/accounts/key-management/rotate-user-account-keys",
+      request,
+      true,
+      false,
+    );
+  }
 }