[PM-24051] Init crypto and update kdf with MasterPasswordUnlock

crates/bitwarden-core/src/auth/api/response/identity_success_response.rs

@@ -38,7 +38,7 @@ pub(crate) struct IdentityTokenSuccessResponse {
     key_connector_url: Option<String>,
 
     #[serde(rename = "userDecryptionOptions", alias = "UserDecryptionOptions")]
-    user_decryption_options: Option<UserDecryptionOptionsResponseModel>,
+    pub(crate) user_decryption_options: Option<UserDecryptionOptionsResponseModel>,
 
     /// Stores unknown api response fields
     extra: Option<HashMap<String, Value>>,

crates/bitwarden-core/src/auth/login/access_token.rs

@@ -85,6 +85,11 @@ pub(crate) async fn login_access_token(
             r.refresh_token.clone(),
             r.expires_in,
         );
+
+        client
+            .internal
+            .initialize_crypto_single_org_key(organization_id, encryption_key);
+
         client
             .internal
             .set_login_method(LoginMethod::ServiceAccount(
@@ -94,10 +99,6 @@ pub(crate) async fn login_access_token(
                     state_file: input.state_file.clone(),
                 },
             ));
-
-        client
-            .internal
-            .initialize_crypto_single_org_key(organization_id, encryption_key);
     }
 
     AccessTokenLoginResponse::process_response(response)

crates/bitwarden-core/src/auth/login/api_key.rs

@@ -9,6 +9,7 @@ use crate::{
         JwtToken,
     },
     client::{internal::UserKeyState, LoginMethod, UserLoginMethod},
+    key_management::UserDecryptionData,
     require, Client,
 };
 
@@ -32,34 +33,54 @@ pub(crate) async fn login_api_key(
         let kdf = client.auth().prelogin(email.clone()).await?;
 
         client.internal.set_tokens(
-            r.access_token.clone(),
-            r.refresh_token.clone(),
+            r.access_token.to_owned(),
+            r.refresh_token.to_owned(),
             r.expires_in,
         );
 
-        let master_key = MasterKey::derive(&input.password, &email, &kdf)?;
+        let private_key = r.private_key.as_deref();
+        let private_key: EncString = require!(private_key).parse()?;
+
+        let user_key_state = UserKeyState {
+            private_key,
+            signing_key: None,
+            security_state: None,
+        };
+
+        if let Some(master_password_unlock) = r
+            .user_decryption_options
+            .as_ref()
+            .map(UserDecryptionData::try_from)
+            .transpose()?
+            .and_then(|user_decryption| user_decryption.master_password_unlock)
+        {
+            client
+                .internal
+                .initialize_user_crypto_master_password_unlock(
+                    input.password.clone(),
+                    master_password_unlock,
+                    user_key_state,
+                )?;
+        } else {
+            let user_key = r.key.as_deref();
+            let user_key: EncString = require!(user_key).parse()?;
+            let master_key = MasterKey::derive(&input.password, &email, &kdf)?;
+
+            client.internal.initialize_user_crypto_master_key(
+                master_key,
+                user_key,
+                user_key_state,
+            )?;
+        }
 
         client
             .internal
             .set_login_method(LoginMethod::User(UserLoginMethod::ApiKey {
-                client_id: input.client_id.to_owned(),
-                client_secret: input.client_secret.to_owned(),
+                client_id: input.client_id.clone(),
+                client_secret: input.client_secret.clone(),
                 email,
                 kdf,
             }));
-
-        let user_key: EncString = require!(r.key.as_deref()).parse()?;
-        let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
-
-        client.internal.initialize_user_crypto_master_key(
-            master_key,
-            user_key,
-            UserKeyState {
-                private_key,
-                signing_key: None,
-                security_state: None,
-            },
-        )?;
     }
 
     Ok(ApiKeyLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -89,20 +89,11 @@ pub(crate) async fn complete_auth_request(
     .await?;
 
     if let IdentityTokenResponse::Authenticated(r) = response {
-        let kdf = Kdf::default();
-
         client.internal.set_tokens(
             r.access_token.clone(),
             r.refresh_token.clone(),
             r.expires_in,
         );
-        client
-            .internal
-            .set_login_method(LoginMethod::User(UserLoginMethod::Username {
-                client_id: "web".to_owned(),
-                email: auth_req.email.to_owned(),
-                kdf: kdf.clone(),
-            }));
 
         let method = match res.master_password_hash {
             Some(_) => AuthRequestMethod::MasterKey {
@@ -118,8 +109,8 @@ pub(crate) async fn complete_auth_request(
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
                 user_id: None,
-                kdf_params: kdf,
-                email: auth_req.email,
+                kdf_params: Kdf::default(),
+                email: auth_req.email.to_owned(),
                 private_key: require!(r.private_key).parse()?,
                 signing_key: None,
                 security_state: None,
@@ -130,6 +121,14 @@ pub(crate) async fn complete_auth_request(
             })
             .await?;
 
+        client
+            .internal
+            .set_login_method(LoginMethod::User(UserLoginMethod::Username {
+                client_id: "web".to_owned(),
+                email: auth_req.email.to_owned(),
+                kdf: Kdf::default(),
+            }));
+
         Ok(())
     } else {
         Err(LoginError::AuthenticationFailed)

crates/bitwarden-core/src/auth/login/mod.rs

@@ -77,4 +77,8 @@ pub enum LoginError {
 
     #[error("Failed to authenticate")]
     AuthenticationFailed,
+
+    #[cfg(feature = "internal")]
+    #[error(transparent)]
+    MasterPassword(#[from] crate::key_management::MasterPasswordError),
 }

crates/bitwarden-core/src/auth/login/password.rs

@@ -12,6 +12,7 @@ use crate::auth::{
 use crate::{
     auth::{api::request::PasswordTokenRequest, login::LoginError, login::TwoFactorRequest},
     client::LoginMethod,
+    key_management::UserDecryptionData,
     Client,
 };
 
@@ -41,26 +42,48 @@ pub(crate) async fn login_password(
             r.refresh_token.clone(),
             r.expires_in,
         );
+
+        let private_key = r.private_key.as_deref();
+        let private_key: EncString = require!(private_key).parse()?;
+
+        let user_key_state = UserKeyState {
+            private_key,
+            signing_key: None,
+            security_state: None,
+        };
+
+        if let Some(master_password_unlock) = r
+            .user_decryption_options
+            .as_ref()
+            .map(UserDecryptionData::try_from)
+            .transpose()?
+            .and_then(|user_decryption| user_decryption.master_password_unlock)
+        {
+            client
+                .internal
+                .initialize_user_crypto_master_password_unlock(
+                    input.password.clone(),
+                    master_password_unlock,
+                    user_key_state,
+                )?;
+        } else {
+            let user_key = r.key.as_deref();
+            let user_key: EncString = require!(user_key).parse()?;
+
+            client.internal.initialize_user_crypto_master_key(
+                master_key,
+                user_key,
+                user_key_state,
+            )?;
+        }
+
         client
             .internal
             .set_login_method(LoginMethod::User(UserLoginMethod::Username {
                 client_id: "web".to_owned(),
-                email: input.email.to_owned(),
-                kdf: input.kdf.to_owned(),
+                email: input.email.clone(),
+                kdf: input.kdf.clone(),
             }));
-
-        let user_key: EncString = require!(r.key.as_deref()).parse()?;
-        let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
-
-        client.internal.initialize_user_crypto_master_key(
-            master_key,
-            user_key,
-            UserKeyState {
-                private_key,
-                signing_key: None,
-                security_state: None,
-            },
-        )?;
     }
 
     Ok(PasswordLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/tde.rs

@@ -32,15 +32,6 @@ pub(super) fn make_register_tde_keys(
         None
     };
 
-    client
-        .internal
-        .set_login_method(crate::client::LoginMethod::User(
-            crate::client::UserLoginMethod::Username {
-                client_id: "".to_owned(),
-                email,
-                kdf: Kdf::default(),
-            },
-        ));
     client.internal.initialize_user_crypto_decrypted_key(
         user_key.0,
         UserKeyState {
@@ -52,6 +43,16 @@ pub(super) fn make_register_tde_keys(
         },
     )?;
 
+    client
+        .internal
+        .set_login_method(crate::client::LoginMethod::User(
+            crate::client::UserLoginMethod::Username {
+                client_id: "".to_owned(),
+                email,
+                kdf: Kdf::default(),
+            },
+        ));
+
     Ok(RegisterTdeKeyResponse {
         private_key: key_pair.private,
         public_key: key_pair.public,