
[PM-35240] Add sync before forced kdf migration #20193

Open
quexten wants to merge 4 commits into main from km/sync-before-kdf-upgrade

Conversation

Contributor

@quexten quexten commented Apr 16, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-35240

📔 Objective

In some conditions, it is possible for the server KDF to change without the client-stored KDF changing. One of these cases is as follows:

  • Devices A, B are logged in, A is closed
  • Device B upgrades the KDF
  • Device A opens, with an active account different to the one A, B share and that was upgraded
    • (Many clients sync on launch, which would prevent the double prompt)
  • User account switches on device A and unlocks

In this case, we would get a second KDF migration, or even a second KDF migration prompt in case the unlock method was not master-password.

This PR confirms that a "needs migration" actually needs a migration by doing another sync. Note that the sync is not ideal here but accepted as a temporary measure. It should be replaced with a custom endpoint for updating decryption options in the future, and bound to the correct user id.

📸 Screenshots
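The scenario in the description boils down to one check: a locally stored "needs KDF migration" verdict may be stale because another device already upgraded the account, so it must be re-validated against the server for that specific user before any migration or prompt runs. The following TypeScript sketch is an added example, not code from this PR or from Bitwarden's clients; the KDF type names, the minimum thresholds, the store shape, the unlock-method values and the `sync` callback are all constructed for illustration.

```typescript
// Added example, not Bitwarden code: re-validate a stale "needs KDF migration"
// verdict with a per-user sync before migrating or prompting.

type KdfType = "PBKDF2_SHA256" | "Argon2id";

interface KdfConfig {
  type: KdfType;
  iterations: number; // PBKDF2 iteration count or Argon2id time cost (constructed)
}

// Constructed minimums: below these the client forces a migration.
const MINIMUM_ITERATIONS: Record<KdfType, number> = {
  PBKDF2_SHA256: 600_000,
  Argon2id: 3,
};

function meetsMinimum(cfg: KdfConfig): boolean {
  return cfg.iterations >= MINIMUM_ITERATIONS[cfg.type];
}

type UserId = string;
type UnlockMethod = "master-password" | "pin" | "biometrics";
// Per-user KDF config as last seen by this device; may be stale.
type KdfStore = Map<UserId, KdfConfig>;
// Stand-in for the sync: returns the server's current KDF config for one user.
type SyncFn = (userId: UserId) => KdfConfig;

interface MigrationDecision {
  migrate: boolean; // run a KDF migration for this user
  prompt: boolean;  // migration needs the master password, so the user must be asked
  reason: "up-to-date" | "stale-local-state" | "needs-migration";
  config: KdfConfig; // the config the decision was made on
}

function decideKdfMigration(
  userId: UserId,
  unlockMethod: UnlockMethod,
  store: KdfStore,
  sync: SyncFn,
): MigrationDecision {
  const local = store.get(userId);
  if (local === undefined) {
    throw new Error(`no stored KDF config for ${userId}`);
  }
  if (meetsMinimum(local)) {
    return { migrate: false, prompt: false, reason: "up-to-date", config: local };
  }
  // Local state says "migrate", but another device may already have upgraded
  // this account. Confirm with a sync, and write the result back only for the
  // user being unlocked, not whichever account happens to be active.
  const fresh = sync(userId);
  store.set(userId, fresh);
  if (meetsMinimum(fresh)) {
    return { migrate: false, prompt: false, reason: "stale-local-state", config: fresh };
  }
  // Migration is genuinely needed; only a master-password unlock can do it silently.
  return {
    migrate: true,
    prompt: unlockMethod !== "master-password",
    reason: "needs-migration",
    config: fresh,
  };
}

// Constructed scenario mirroring the description: device A stored these configs
// before it was closed; meanwhile device B upgraded the shared account.
function runDeviceAScenario(): {
  shared: MigrationDecision;
  weak: MigrationDecision;
  fine: MigrationDecision;
  syncCalls: number;
  store: KdfStore;
} {
  const store = new Map<UserId, KdfConfig>([
    ["user-shared", { type: "PBKDF2_SHA256", iterations: 100_000 }], // stale on A
    ["user-weak", { type: "PBKDF2_SHA256", iterations: 100_000 }],   // really weak
    ["user-fine", { type: "Argon2id", iterations: 4 }],              // already fine
  ]);
  // What the server holds now (device B upgraded "user-shared").
  const server = new Map<UserId, KdfConfig>([
    ["user-shared", { type: "Argon2id", iterations: 3 }],
    ["user-weak", { type: "PBKDF2_SHA256", iterations: 100_000 }],
    ["user-fine", { type: "Argon2id", iterations: 4 }],
  ]);
  let syncCalls = 0;
  const sync: SyncFn = (userId) => {
    syncCalls++;
    const cfg = server.get(userId);
    if (cfg === undefined) throw new Error(`unknown user ${userId}`);
    return cfg;
  };
  // All three unlock with a PIN, the case where a needless migration would prompt.
  const shared = decideKdfMigration("user-shared", "pin", store, sync);
  const weak = decideKdfMigration("user-weak", "pin", store, sync);
  const fine = decideKdfMigration("user-fine", "pin", store, sync);
  return { shared, weak, fine, syncCalls, store };
}
```

Only accounts whose stored config is below the threshold trigger the extra sync, so the cost is paid exactly where a stale verdict is possible; the shared account ends up with its refreshed config in the store and no prompt, while the genuinely weak account still migrates and, because the unlock was not the master password, still prompts.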

Contributor

github-actions bot commented Apr 16, 2026

Checkmarx One – Scan Summary & Details (scan 42cdac4f-0628-46bc-8d2b-da5382ddf872)


New Issues (4): Checkmarx found the following issues in this Pull Request

1. HIGH – CVE-2026-2359 – Npm-multer-2.0.2 (Vulnerable Package)
   Recommended version: 2.1.1
   Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a...
   Attack Vector: NETWORK; Attack Complexity: LOW
2. HIGH – CVE-2026-27959 – Npm-koa-3.1.1 (Vulnerable Package)
   Recommended version: 3.1.2
   Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv...
   Attack Vector: NETWORK; Attack Complexity: LOW
3. HIGH – CVE-2026-3304 – Npm-multer-2.0.2 (Vulnerable Package)
   Recommended version: 2.1.1
   Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 and 3.0.0-alpha1 allows an att...
   Attack Vector: NETWORK; Attack Complexity: LOW
4. HIGH – CVE-2026-3520 – Npm-multer-2.0.2 (Vulnerable Package)
   Recommended version: 2.1.1
   Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a...
   Attack Vector: NETWORK; Attack Complexity: LOW

codecov bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.98%. Comparing base (8730a27) to head (a0b5fa2).
⚠️ Report is 35 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #20193      +/-   ##
==========================================
+ Coverage   46.80%   46.98%   +0.17%     
==========================================
  Files        3885     3891       +6     
  Lines      116980   117332     +352     
  Branches    17890    17943      +53     
==========================================
+ Hits        54754    55124     +370     
+ Misses      59744    59726      -18     
  Partials     2482     2482              

☔ View full report in Codecov by Sentry.

@quexten quexten changed the title Add sync before forced kdf migration [PM-35240] Add sync before forced kdf migration Apr 16, 2026
@quexten quexten marked this pull request as ready for review April 16, 2026 09:31
@quexten quexten requested a review from a team as a code owner April 16, 2026 09:31
@quexten quexten requested a review from eligrubb April 16, 2026 09:31