
PM-27234: feat: jit password v2 encryption #6835

Merged
david-livefront merged 2 commits into main from PM-27234-jit-password-v2-encryption on Apr 29, 2026

Conversation

@david-livefront david-livefront commented Apr 24, 2026

🎟️ Tracking

PM-27234

📔 Objective

This PR adds the V2 Encryption flow for set password (JIT Password). Additional changes were made to fork the setPassword from the updatePassword logic.

This PR is broken into 2 commits:

  • Commit 1 splits the setPassword flow into 2 distinct paths based on the forcePasswordResetReason and simplifies the flows where possible (removing the need to hash the passwords).
  • Commit 2 is where the V2 Encryption flow is actually added.

@david-livefront david-livefront requested a review from a team as a code owner April 24, 2026 18:44
@github-actions github-actions Bot added the labels app:password-manager (Bitwarden Password Manager app context) and t:feature (Change Type - Feature Development) Apr 24, 2026
@david-livefront david-livefront force-pushed the PM-27234-jit-password-v2-encryption branch from 491ca45 to 966828d April 24, 2026 18:47
codecov Bot commented Apr 24, 2026

Codecov Report

❌ Patch coverage is 92.63804% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.30%. Comparing base (32b704c) to head (8997c5b).
⚠️ Report is 3 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...twarden/data/auth/repository/AuthRepositoryImpl.kt | 90.83% | 2 Missing and 9 partials ⚠️ |
| ...ta/auth/repository/util/UserStateJsonExtensions.kt | 92.30% | 0 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6835      +/-   ##
==========================================
- Coverage   85.73%   85.30%   -0.43%     
==========================================
  Files         836      966     +130     
  Lines       59300    61796    +2496     
  Branches     8654     8730      +76     
==========================================
+ Hits        50838    52718    +1880     
- Misses       5480     6073     +593     
- Partials     2982     3005      +23     
| Flag | Coverage Δ |
|---|---|
| app-data | 17.38% <92.63%> (-0.02%) ⬇️ |
| app-ui-auth-tools | 20.43% <0.00%> (+0.25%) ⬆️ |
| app-ui-platform | 16.49% <0.00%> (+0.59%) ⬆️ |
| app-ui-vault | 26.26% <0.00%> (+0.53%) ⬆️ |
| authenticator | 6.61% <0.00%> (-0.03%) ⬇️ |
| lib-core-network-bridge | 4.26% <0.00%> (+0.01%) ⬆️ |
| lib-data-ui | 1.02% <0.00%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.


@david-livefront david-livefront force-pushed the PM-27234-jit-password-v2-encryption branch from 966828d to 0ad8827 April 24, 2026 18:52
@david-livefront david-livefront force-pushed the PM-27234-jit-password-v2-encryption branch from 0ad8827 to 89d28c8 April 28, 2026 20:28

github-actions Bot commented Apr 28, 2026

Checkmarx One – Scan Summary & Details (scan c5b22c8c-3fd2-4297-89e3-029c0eb8ddeb)

New Issues (10): Checkmarx found the following issues in this Pull Request

| # | Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|---|
| 1 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceTest.kt: 61 | The application uses the hard-coded password "masterPassword" for authentication purposes, either using it to verify users' identities, or to acce... |
| 2 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceTest.kt: 62 | The application uses the hard-coded password "masterPasswordHint" for authentication purposes, either using it to verify users' identities, or to ... |
| 3 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 5784 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 4 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 5848 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 5 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 5933 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 6 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 6052 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 7 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 6107 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 8 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 6114 | The application uses the hard-coded password "resetPasswordKey" for authentication purposes, either using it to verify users' identities, or to ac... |
| 9 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 6317 | The application uses the hard-coded password "passwordHint" for authentication purposes, either using it to verify users' identities, or to access... |
| 10 | MEDIUM | Use_of_Hardcoded_Password | app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt: 6324 | The application uses the hard-coded password "resetPasswordKey" for authentication purposes, either using it to verify users' identities, or to ac... |

All ten Checkmarx comment threads (two on app/src/test/kotlin/com/x8bit/bitwarden/data/auth/datasource/sdk/AuthSdkSourceTest.kt, eight on app/src/test/kotlin/com/x8bit/bitwarden/data/auth/repository/AuthRepositoryTest.kt) were dismissed.
@david-livefront david-livefront force-pushed the PM-27234-jit-password-v2-encryption branch from 89d28c8 to 8997c5b April 28, 2026 21:20
@david-livefront david-livefront added the label ai-review-vnext (Request a Claude code review using the vNext workflow) Apr 29, 2026

github-actions Bot commented Apr 29, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the JIT password V2 encryption flow added to AuthRepositoryImpl.setPassword. The change splits the single setPassword flow into distinct paths (setUpdatedPassword for TDE-with-reset-permission users and setPasswordForJit for ADMIN/WEAK/null force-reset reasons), gates the V2 SDK-based registration behind the V2EncryptionJitPassword feature flag with a preserved V1 fallback (setPasswordForJitV1), and introduces a WrappedAccountCryptographicStateAccountKeysJson extension to persist the SDK's V2 cryptographic state. Test coverage parallels the implementation: the V1 path retains its full test suite (renamed with a "for v1" suffix), the V2 path adds tests for each error point (getOrganizationAutoEnrollStatus, getOrganizationKeys, postKeysForJitPasswordRegistration, unlockVaultWithMasterPassword) plus a success case, and the new extension and toUserStateJsonWithPassword overload have dedicated tests.

Code Review Details

No findings to report. Notable observations validated as intentional during review:

  • setPasswordForJit (V2) updates userState (with masterPasswordUnlock) before invoking unlockVaultWithMasterPassword, while V1 updates it after the unlock succeeds. This ordering is required because VaultRepositoryImpl.unlockVaultWithMasterPassword reads masterPasswordUnlock from userDecryptionOptions to construct InitUserCryptoMethod.MasterPasswordUnlock.
  • enrollUserInPasswordReset is intentionally not invoked in the V2 path; shouldResetPasswordEnroll is forwarded to the SDK's postKeysForJitPasswordRegistration, which handles the server-side enrollment.
  • Empty-string publicKey/verifyingKey in WrappedAccountCryptographicState.accountKeysJson are safe — toAccountCryptographicState only reads securityState, wrappedSigningKey, signedPublicKey, and wrappedPrivateKey, and no other call site reads the unset fields.
  • Removal of explicit storeMasterPasswordHash calls is correct: VaultLockManagerImpl derives and stores the hash automatically when InitUserCryptoMethod.MasterPasswordUnlock is used.

@david-livefront david-livefront (Author) commented Apr 29, 2026

Thanks @SaintPatrck

@david-livefront david-livefront added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit 796a4db Apr 29, 2026
30 checks passed
@david-livefront david-livefront deleted the PM-27234-jit-password-v2-encryption branch April 29, 2026 16:05