User V2UpgradeToken for key rotation without logout

Author: mzieniukbw

src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs

@@ -121,6 +121,7 @@ public async Task RotateUserAccountKeysAsync([FromBody] RotateUserAccountKeysAnd
             OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.AccountUnlockData.OrganizationAccountRecoveryUnlockData),
             WebAuthnKeys = await _webauthnKeyValidator.ValidateAsync(user, model.AccountUnlockData.PasskeyUnlockData),
             DeviceKeys = await _deviceValidator.ValidateAsync(user, model.AccountUnlockData.DeviceKeyUnlockData),
+            V2UpgradeToken = model.AccountUnlockData.V2UpgradeToken?.ToData(),
 
             Ciphers = await _cipherValidator.ValidateAsync(user, model.AccountData.Ciphers),
             Folders = await _folderValidator.ValidateAsync(user, model.AccountData.Folders),

src/Api/KeyManagement/Models/Requests/UnlockDataRequestModel.cs

@@ -14,4 +14,5 @@ public class UnlockDataRequestModel
     public required IEnumerable<ResetPasswordWithOrgIdRequestModel> OrganizationAccountRecoveryUnlockData { get; set; }
     public required IEnumerable<WebAuthnLoginRotateKeyRequestModel> PasskeyUnlockData { get; set; }
     public required IEnumerable<OtherDeviceKeysUpdateRequestModel> DeviceKeyUnlockData { get; set; }
+    public V2UpgradeTokenRequestModel? V2UpgradeToken { get; set; }
 }

src/Api/KeyManagement/Models/Requests/V2UpgradeTokenRequestModel.cs

@@ -0,0 +1,35 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.KeyManagement.Models.Requests;
+
+/// <summary>
+/// Request model for V2 upgrade token submitted during key rotation.
+/// Contains wrapped user keys allowing clients to unlock after V1→V2 upgrade.
+/// </summary>
+public class V2UpgradeTokenRequestModel
+{
+    /// <summary>
+    /// User Key V2 Wrapped User Key V1.
+    /// </summary>
+    [Required]
+    [EncryptedString]
+    public required string WrappedUserKey1 { get; init; }
+
+    /// <summary>
+    /// User Key V1 Wrapped User Key V2.
+    /// </summary>
+    [Required]
+    [EncryptedString]
+    public required string WrappedUserKey2 { get; init; }
+
+    public V2UpgradeTokenData ToData()
+    {
+        return new V2UpgradeTokenData
+        {
+            WrappedUserKey1 = WrappedUserKey1,
+            WrappedUserKey2 = WrappedUserKey2
+        };
+    }
+}

src/Api/Vault/Models/Response/SyncResponseModel.cs

@@ -87,7 +87,14 @@ public SyncResponseModel(
                     Salt = user.Email.ToLowerInvariant()
                 }
                 : null,
-            WebAuthnPrfOptions = webAuthnPrfOptions.Length > 0 ? webAuthnPrfOptions : null
+            WebAuthnPrfOptions = webAuthnPrfOptions.Length > 0 ? webAuthnPrfOptions : null,
+            V2UpgradeToken = V2UpgradeTokenData.FromJson(user.V2UpgradeToken) is { } data
+                ? new V2UpgradeTokenResponseModel
+                {
+                    WrappedUserKey1 = data.WrappedUserKey1,
+                    WrappedUserKey2 = data.WrappedUserKey2
+                }
+                : null
         };
     }
 

src/Core/Constants.cs

@@ -208,6 +208,7 @@ public static class FeatureFlagKeys
     public const string EnableAccountEncryptionV2KeyConnectorRegistration = "enable-account-encryption-v2-key-connector-registration";
     public const string SdkKeyRotation = "pm-30144-sdk-key-rotation";
     public const string UnlockViaSdk = "unlock-via-sdk";
+    public const string NoLogoutOnKeyUpgradeRotation = "pm-31050-no-logout-key-upgrade-rotation";
     public const string EnableAccountEncryptionV2JitPasswordRegistration = "enable-account-encryption-v2-jit-password-registration";
 
     /* Mobile Team */

src/Core/Entities/User.cs

@@ -105,6 +105,11 @@ public class User : ITableObject<Guid>, IStorableSubscriber, IRevisable, ITwoFac
     public DateTime? LastKeyRotationDate { get; set; }
     public DateTime? LastEmailChangeDate { get; set; }
     public bool VerifyDevices { get; set; } = true;
+    /// <summary>
+    /// V2 upgrade token stored as JSON containing two wrapped user keys.
+    /// Allows clients to unlock vault after V1 to V2 key rotation without logout.
+    /// </summary>
+    public string? V2UpgradeToken { get; set; }
     // PM-28827 Uncomment below line.
     // public string? MasterPasswordSalt { get; set; }
 

src/Core/Enums/PushNotificationLogOutReason.cs

@@ -2,5 +2,6 @@
 
 public enum PushNotificationLogOutReason : byte
 {
-    KdfChange = 0
+    KdfChange = 0,
+    KeyRotation = 1
 }

src/Core/KeyManagement/Models/Api/Response/UserDecryptionResponseModel.cs

@@ -15,4 +15,10 @@ public class UserDecryptionResponseModel
     /// </summary>
     [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
     public WebAuthnPrfDecryptionOption[]? WebAuthnPrfOptions { get; set; }
+
+    /// <summary>
+    /// V2 upgrade token returned when available, allowing unlock after V1→V2 upgrade.
+    /// </summary>
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public V2UpgradeTokenResponseModel? V2UpgradeToken { get; set; }
 }

src/Core/KeyManagement/Models/Api/Response/V2UpgradeTokenResponseModel.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.KeyManagement.Models.Api.Response;
+
+public class V2UpgradeTokenResponseModel
+{
+    public required string WrappedUserKey1 { get; set; }
+    public required string WrappedUserKey2 { get; set; }
+}

src/Core/KeyManagement/Models/Data/RotateUserAccountKeysData.cs

@@ -20,6 +20,7 @@ public class RotateUserAccountKeysData
     public required IReadOnlyList<OrganizationUser> OrganizationUsers { get; set; }
     public required IEnumerable<WebAuthnLoginRotateKeyData> WebAuthnKeys { get; set; }
     public required IEnumerable<Device> DeviceKeys { get; set; }
+    public V2UpgradeTokenData? V2UpgradeToken { get; set; }
 
     // User vault data encrypted by the userkey
     public required IEnumerable<Cipher> Ciphers { get; set; }