[PM-31270] New default argon2id in change kdf component by mzieniukbw · Pull Request #20058 · bitwarden/clients

mzieniukbw · 2026-04-08T16:05:45Z

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31270

📔 Objective

Adjusted default Argon2 configuration when user manually selects Argon2Id in change kdf component to:
Iterations: 6
Memory: 32MB
Parallelism: 4

Also refactored PBKDF2KdfConfig and Argon2KdfConfig:

explicit defaults with createDefault function, instead of relying on the constructor with all optional arguments.
kdf fields are readonly, immutable - prevents change-kdf.component.ts from modifying the global const, like it was before.

📸 Screenshots

New Argon2Id defaults when changing KDF

Screen.Recording.2026-04-08.at.17.04.20.mov

codecov · 2026-04-08T16:15:02Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.76%. Comparing base (f3aff99) to head (08ddcd6).
⚠️ Report is 94 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20058      +/-   ##
==========================================
+ Coverage   46.57%   46.76%   +0.19%     
==========================================
  Files        3879     3879              
  Lines      116030   116210     +180     
  Branches    17646    17699      +53     
==========================================
+ Hits        54042    54351     +309     
+ Misses      59532    59390     -142     
- Partials     2456     2469      +13

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-04-08T16:15:42Z

Checkmarx One – Scan Summary & Details – d019eebd-7a30-479c-b6a2-800a9b2eff7e

New Issues (9)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CVE-2026-34770	Npm-electron-39.2.6	details Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.x prior to 39.... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
2	CVE-2026-34771	Npm-electron-39.2.6	details Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.x prior to 39.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
3	CVE-2026-34774	Npm-electron-39.2.6	details Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.x prior to 40.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
4	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
5	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
6	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
7	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
8	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
9	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~SSRF~~	/libs/common/src/services/api.service.ts: 1343

Thomas-Avery

LGTM

sonarqubecloud · 2026-04-10T13:31:54Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

mzieniukbw added 2 commits April 8, 2026 15:19

new Argon2Id defaults for change kdf component

5219a18

explicit default kdf construction

6ac42c8

mzieniukbw requested review from a team as code owners April 8, 2026 16:05

mzieniukbw requested review from Thomas-Avery, addisonbeck and rr-bw April 8, 2026 16:05

ts strict fix

d37fa5e

quexten previously approved these changes Apr 9, 2026

View reviewed changes

addisonbeck previously approved these changes Apr 9, 2026

View reviewed changes

Thomas-Avery previously approved these changes Apr 9, 2026

View reviewed changes

rr-bw reviewed Apr 9, 2026

View reviewed changes

Comment thread apps/web/src/app/auth/emergency-access/services/emergency-access.service.ts

Comment thread libs/common/src/auth/password-prelogin/password-prelogin.model.ts

require kdf params

d5697e4

mzieniukbw dismissed stale reviews from Thomas-Avery, addisonbeck, and quexten via d5697e4 April 10, 2026 13:07

mzieniukbw requested review from Thomas-Avery, addisonbeck, quexten and rr-bw April 10, 2026 13:09

require kdf params in tests

08ddcd6

quexten approved these changes Apr 10, 2026

View reviewed changes

Thomas-Avery approved these changes Apr 10, 2026

View reviewed changes

rr-bw approved these changes Apr 13, 2026

View reviewed changes

mzieniukbw enabled auto-merge (squash) April 14, 2026 22:46

dani-garcia approved these changes Apr 15, 2026

View reviewed changes

mzieniukbw merged commit d40bbcf into main Apr 15, 2026
144 of 146 checks passed

mzieniukbw deleted the km/pm-31270-new-default-argon2-in-change-kdf-component branch April 15, 2026 09:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PM-31270] New default argon2id in change kdf component#20058

[PM-31270] New default argon2id in change kdf component#20058
mzieniukbw merged 5 commits intomainfrom
km/pm-31270-new-default-argon2-in-change-kdf-component

mzieniukbw commented Apr 8, 2026

Uh oh!

codecov bot commented Apr 8, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 8, 2026 •

edited

Loading

Uh oh!

Thomas-Avery left a comment

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud bot commented Apr 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

mzieniukbw commented Apr 8, 2026

🎟️ Tracking

📔 Objective

📸 Screenshots

Uh oh!

codecov bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Thomas-Avery left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud bot commented Apr 10, 2026

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

codecov bot commented Apr 8, 2026 •

edited

Loading

github-actions bot commented Apr 8, 2026 •

edited

Loading