Skip to content

Auth/PM-38811 - KM - Update RotateUserAccountKeysCommand to use MasterPasswordService#7804

Open
JaredSnider-Bitwarden wants to merge 5 commits into
mainfrom
auth/pm-38811/update-rotate-user-keys-command-to-use-mp-service
Open

Auth/PM-38811 - KM - Update RotateUserAccountKeysCommand to use MasterPasswordService#7804
JaredSnider-Bitwarden wants to merge 5 commits into
mainfrom
auth/pm-38811/update-rotate-user-keys-command-to-use-mp-service

Conversation

@JaredSnider-Bitwarden

@JaredSnider-Bitwarden JaredSnider-Bitwarden commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-38811

📔 Objective

To finish consolidating KM usages of the MasterPasswordService which centralizes MP change logic in one location as part of the ongoing separation of MP salt & email work.

📸 Screenshots

Two flows - Change password without key rotation and then with key rotation

Screen.Recording.2026-06-30.at.4.00.37.PM.mov

…rite

UpdateUserKeyAndEncryptedDataV2Async enumerated a fixed column list and
omitted LastPasswordChangeDate, silently dropping the field on
PostgreSQL/MySQL/SQLite even when callers set it. The MSSQL sproc
User_Update already persists this column, so this aligns EF with the
existing Dapper behavior.
Wires PasswordChangeAndRotateUserAccountKeysAsync to
IMasterPasswordService.PrepareUpdateExistingMasterPasswordAsync
(Prepare* tier from PM-35392), replacing the inline master password
mutation block. RefreshStamp is false so the existing
BaseRotateUserAccountKeysAsync SecurityStamp + V2UpgradeToken logic
remains the sole owner of session-invalidation behavior. The hint is
sourced from the request because a password change can update it.

Closes the parity gap where LastPasswordChangeDate was not set on this
path even though the master password is changing.

Other rotation variants (master-password-only, TDE, Key Connector) are
untouched. Unit tests cover delegation, OneOf failure mapping, and
short-circuit on old-password mismatch.
Extends the existing happy-path integration test to verify the
master-key-wrapped user key, master password hint, master password
hash (rewritten and verifies against the new authentication hash),
and LastPasswordChangeDate are persisted as expected after a
password-change-and-rotate call.
@codecov

codecov Bot commented Jun 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.81%. Comparing base (425293d) to head (ec9c088).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7804      +/-   ##
==========================================
+ Coverage   61.28%   65.81%   +4.52%     
==========================================
  Files        2226     2226              
  Lines       98296    98306      +10     
  Branches     8884     8885       +1     
==========================================
+ Hits        60241    64700    +4459     
+ Misses      35935    31389    -4546     
- Partials     2120     2217      +97     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Comment thread test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs Dismissed
Comment thread test/Core.Test/KeyManagement/UserKey/RotateUserAccountKeysCommandTests.cs Dismissed
@JaredSnider-Bitwarden JaredSnider-Bitwarden added t:tech-debt Change Type - Tech debt ai-review Request a Claude code review labels Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the refactor of RotateUserAccountKeysCommand.PasswordChangeAndRotateUserAccountKeysAsync to delegate master-password mutation to IMasterPasswordService instead of hashing inline, plus the EF UserRepository change persisting LastPasswordChangeDate. Verified credential hashing (hash-of-hash via IPasswordHasher) is unchanged, SecurityStamp rotation remains owned by BaseRotateUserAccountKeysAsync (RefreshStamp = false correctly avoids double-handling), and the old-password check still short-circuits before any mutation. Confirmed dual-ORM parity for the new LastPasswordChangeDate persistence — the Dapper path already writes it via the [User_Update] stored procedure, and the EF path now enumerates it explicitly. Unit and integration test coverage for delegation, failure surfacing, wrong-password short-circuit, and the parity-gap closer is appropriate.

Code Review Details

No findings. The change is a faithful refactor that preserves session-invalidation semantics, zero-knowledge handling of the master-key-wrapped user key, and password-hashing behavior, while closing the LastPasswordChangeDate parity gap on this rotation path.

@JaredSnider-Bitwarden JaredSnider-Bitwarden marked this pull request as ready for review June 30, 2026 21:03
@JaredSnider-Bitwarden JaredSnider-Bitwarden requested a review from a team as a code owner June 30, 2026 21:03
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-review Request a Claude code review t:tech-debt Change Type - Tech debt

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants