[PM-16603] Implement userkey rotation v2

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-16603
Server PR: bitwarden/server#5204

📔 Objective

Userkey rotation previously consisted of two steps: Update masterpassword first, then update the userkey. Between these two, the clients relied on the local state to track the updated masterkey, but also to track kdf settings. If any of these were wrong, the userkey rotation request could corrupt vault data.

This combines both into one request, such that the kdf parameters are also always sent together with the userkey rotation request so that the corruption cannot occur. Further, this makes it so that cancelling during key rotation, does not force logout the user (where previously it had to, since the masterpassword was changed, and thus the security stamp was changed).

This also makes it so kdf change, masterpassword change, key rotation, does not log out the web session anymore, instead it correctly updates the local state so the user can continue using the active session.

The old key rotation is still kept around for migration of legacy users.

📸 Screenshots

Screen.Recording.2025-01-03.at.13.51.35.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – cb9b41a9-94cf-4939-89ad-fc2f21c5d581

Great job, no security vulnerabilities found in this Pull Request

[codecov]

Codecov Report

Attention: Patch coverage is 20.85890% with 129 lines in your changes missing coverage. Please review.

Project coverage is 34.12%. Comparing base (fe9b097) to head (a5694ef).

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...nagement/key-rotation/user-key-rotation.service.ts	30.37%	49 Missing and 6 partials ⚠️
...src/app/auth/settings/change-password.component.ts	2.77%	33 Missing and 2 partials ⚠️
...ty/change-kdf/change-kdf-confirmation.component.ts	16.66%	25 Missing and 5 partials ⚠️
...tation/request/rotate-user-account-keys.request.ts	14.28%	6 Missing ⚠️
...-encryption/migrate-legacy-encryption.component.ts	0.00%	2 Missing ⚠️
...ment/key-rotation/user-key-rotation-api.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12646      +/-   ##
==========================================
- Coverage   34.14%   34.12%   -0.02%     
==========================================
  Files        2936     2938       +2     
  Lines       90440    90562     +122     
  Branches    16991    17016      +25     
==========================================
+ Hits        30878    30907      +29     
- Misses      57104    57182      +78     
- Partials     2458     2473      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.