Skip to content

[PM-37886] refactor: Pass keyConnectorKeyWrappedUserKey through LoginUnlockMethod instead of persisting in state#2764

Draft
matt-livefront wants to merge 1 commit into
matt/PM-37886-key-connector-urlfrom
matt/PM-37886-key-connector-encrypted-user-key
Draft

[PM-37886] refactor: Pass keyConnectorKeyWrappedUserKey through LoginUnlockMethod instead of persisting in state#2764
matt-livefront wants to merge 1 commit into
matt/PM-37886-key-connector-urlfrom
matt/PM-37886-key-connector-encrypted-user-key

Conversation

@matt-livefront
Copy link
Copy Markdown
Collaborator

@matt-livefront matt-livefront commented Jun 5, 2026
edited by atlassian Bot
Loading

🎟️ Tracking

PM-37886

📔 Objective

When a user logs in with key connector, their keyConnectorKeyWrappedUserKey is being persisted to the device as encryptedUserKey. For key connector, once the user is logged in and the vault is unlocked, this key is no longer used. As such, it doesn't need to be persisted.

Additional context: #2677 (comment)

This updates the key connector flows to pass the keyConnectorKeyWrappedUserKey from the login response through LoginUnlockMethod.keyConnector, which can then be used to unlock the vault in AuthRepository.unlockVaultWithKeyConnectorKey().

  • LoginUnlockMethod.keyConnector now carries encryptedUserKey: String? populated from response.key in AuthService.unlockMethod(for:), eliminating the need to read it back from state during unlock.
  • AuthRepository.unlockVaultWithKeyConnectorKey accepts a non-optional encryptedUserKey: String parameter directly, removing the redundant getAccountEncryptionKeys state read.
  • KeyConnectorService.convertNewUserToKeyConnector no longer persists encryptedUserKey to state (both v1 and v2 paths); the cryptographicState (private key) is still persisted as required for future operations.
  • SingleSignOnProcessor now uses an explicit guard let encryptedUserKey to trigger the key connector migration dialog for new users, replacing the implicit noAccountCryptographicState error path.

@matt-livefront matt-livefront added ai-review Request a Claude code review t:tech-debt Change Type - Tech debt labels Jun 5, 2026
@github-actions github-actions Bot added the app:password-manager Bitwarden Password Manager app context label Jun 5, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026
edited
Loading

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This is a focused refactor that threads keyConnectorKeyWrappedUserKey from the identity token response through the LoginUnlockMethod.keyConnector enum case rather than reading it back from persisted state during vault unlock. The KeyConnectorService.convertNewUserToKeyConnector flow (both v1 and v2 paths) no longer persists encryptedUserKey to state, and the new explicit guard let pattern in SingleSignOnProcessor cleanly replaces the prior "catch specific error" approach to trigger the new-user migration dialog. All four consumers of the enum and repository method are updated consistently, and test coverage is expanded with new cases for the nil keyConnectorKeyWrappedUserKey path in both SingleSignOnProcessor and TwoFactorAuthProcessor.

Code Review Details

No findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ai-review Request a Claude code review app:password-manager Bitwarden Password Manager app context t:tech-debt Change Type - Tech debt

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@matt-livefront