bitwarden
diff --git a/‎BitwardenResources/Localizations/en.lproj/Localizable.strings‎
Lines changed: 4 additions & 0 deletions b/‎BitwardenResources/Localizations/en.lproj/Localizable.strings‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎BitwardenShared/Core/Auth/Repositories/AuthRepository.swift‎
Lines changed: 7 additions & 0 deletions b/‎BitwardenShared/Core/Auth/Repositories/AuthRepository.swift‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift‎
Lines changed: 38 additions & 0 deletions b/‎BitwardenShared/Core/Auth/Repositories/AuthRepositoryTests.swift‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎BitwardenShared/Core/Auth/Services/ChangeKdfService.swift‎
Lines changed: 122 additions & 0 deletions b/‎BitwardenShared/Core/Auth/Services/ChangeKdfService.swift‎
Lines changed: 122 additions & 0 deletions
@@ -1278,3 +1278,7 @@
 "WhenUsingTwoStepVerification" = "When using 2-step verification, you’ll enter your username and password and a code generated in this app.";
 "YesSetDefault" = "Yes, set default";
 "YouCanUpdateYourDefaultAnytimeInSettings" = "You can update your default anytime in settings.";
+"UpdateYourEncryptionSettings" = "Update your encryption settings";
+"TheNewRecommendedEncryptionSettingsDescriptionLong" = "The new recommended encryption settings will improve your account security. Enter your master password to update now.";
+"Updating" = "Updating...";
+"EncryptionSettingsUpdated" = "Encryption settings updated";
@@ -420,6 +420,9 @@ class DefaultAuthRepository {
     /// The service to use system Biometrics for vault unlock.
     let biometricsRepository: BiometricsRepository
 
+    /// The service used to change the user's KDF settings.
+    private let changeKdfService: ChangeKdfService
+
     /// The service that handles common client functionality such as encryption and decryption.
     private let clientService: ClientService
 
@@ -468,6 +471,7 @@ class DefaultAuthRepository {
     ///   - appContextHelper: The helper to know about the app context.
     ///   - authService: The service used that handles some of the auth logic.
     ///   - biometricsRepository: The service to use system Biometrics for vault unlock.
+    ///   - changeKdfService: The service used to change the user's KDF settings.
     ///   - clientService: The service that handles common client functionality such as encryption and decryption.
     ///   - configService: The service to get server-specified configuration.
     ///   - environmentService: The service used by the application to manage the environment settings.
@@ -488,6 +492,7 @@ class DefaultAuthRepository {
         appContextHelper: AppContextHelper,
         authService: AuthService,
         biometricsRepository: BiometricsRepository,
+        changeKdfService: ChangeKdfService,
         clientService: ClientService,
         configService: ConfigService,
         environmentService: EnvironmentService,
@@ -506,6 +511,7 @@ class DefaultAuthRepository {
         self.appContextHelper = appContextHelper
         self.authService = authService
         self.biometricsRepository = biometricsRepository
+        self.changeKdfService = changeKdfService
         self.clientService = clientService
         self.configService = configService
         self.environmentService = environmentService
@@ -1105,6 +1111,7 @@ extension DefaultAuthRepository: AuthRepository {
                 purpose: .localAuthorization
             )
             try await stateService.setMasterPasswordHash(hashedPassword)
+            try await changeKdfService.updateKdfToMinimumsIfNeeded(password: password)
         case .decryptedKey,
              .deviceKey,
              .keyConnector,
 
@@ -15,6 +15,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
     var appContextHelper: MockAppContextHelper!
     var authService: MockAuthService!
     var biometricsRepository: MockBiometricsRepository!
+    var changeKdfService: MockChangeKdfService!
     var client: MockHTTPClient!
     var clientService: MockClientService!
     var configService: MockConfigService!
@@ -96,6 +97,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         accountAPIService = APIService(client: client)
         authService = MockAuthService()
         biometricsRepository = MockBiometricsRepository()
+        changeKdfService = MockChangeKdfService()
         configService = MockConfigService()
         environmentService = MockEnvironmentService()
         errorReporter = MockErrorReporter()
@@ -112,6 +114,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
             appContextHelper: appContextHelper,
             authService: authService,
             biometricsRepository: biometricsRepository,
+            changeKdfService: changeKdfService,
             clientService: clientService,
             configService: configService,
             environmentService: environmentService,
@@ -135,6 +138,7 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         appContextHelper = nil
         authService = nil
         biometricsRepository = nil
+        changeKdfService = nil
         client = nil
         clientService = nil
         configService = nil
@@ -1977,6 +1981,40 @@ class AuthRepositoryTests: BitwardenTestCase { // swiftlint:disable:this type_bo
         }
     }
 
+    // `unlockVaultWithPassword(_:)` unlocks the vault with the user's password and checks if the
+    // user's KDF settings need to be updated.
+    func test_unlockVaultWithPassword_checksForKdfUpdate() async throws {
+        let account = Account.fixture(profile: .fixture(kdfIterations: 100_000))
+        configService.featureFlagsBool[.forceUpdateKdfSettings] = false
+        changeKdfService.needsKdfUpdateToMinimumsResult = true
+        stateService.activeAccount = account
+        stateService.accountEncryptionKeys = [
+            "1": AccountEncryptionKeys(encryptedPrivateKey: "PRIVATE_KEY", encryptedUserKey: "USER_KEY"),
+        ]
+
+        try await subject.unlockVaultWithPassword(password: "password")
+
+        XCTAssertEqual(
+            clientService.mockCrypto.initializeUserCryptoRequest,
+            InitUserCryptoRequest(
+                userId: "1",
+                kdfParams: .pbkdf2(iterations: UInt32(100_000)),
+                email: "user@bitwarden.com",
+                privateKey: "PRIVATE_KEY",
+                signingKey: nil,
+                securityState: nil,
+                method: .password(password: "password", userKey: "USER_KEY")
+            )
+        )
+        XCTAssertFalse(vaultTimeoutService.isLocked(userId: "1"))
+        XCTAssertTrue(vaultTimeoutService.unlockVaultHadUserInteraction)
+        XCTAssertEqual(stateService.manuallyLockedAccounts["1"], false)
+
+        XCTAssertTrue(changeKdfService.needsKdfUpdateToMinimumsCalled)
+        XCTAssertTrue(changeKdfService.updateKdfToMinimumsCalled)
+        XCTAssertEqual(changeKdfService.updateKdfToMinimumsPassword, "password")
+    }
+
     /// `logout` throws an error with no accounts.
     func test_logout_noAccounts() async {
         stateService.accounts = []
 
@@ -0,0 +1,122 @@
+import BitwardenKit
+
+// MARK: - ChangeKdfService
+
+/// A protocol for a `ChangeKdfService` which handles updating the KDF settings for a user.
+///
+protocol ChangeKdfService {
+    /// Returns whether the user needs to update their KDF settings to the minimum.
+    ///
+    /// - Returns: Whether the user needs to update their KDF settings to the minimum.
+    ///
+    func needsKdfUpdateToMinimums() async -> Bool
+
+    /// Updates the user's KDF settings to the minimums.
+    ///
+    /// - Parameter password: The user's master password.
+    ///
+    func updateKdfToMinimums(password: String) async throws
+}
+
+extension ChangeKdfService {
+    /// Updates the user's KDF settings to the minimums if their current settings are below the minimums.
+    ///
+    /// - Parameter password: The user's master password.
+    ///
+    func updateKdfToMinimumsIfNeeded(password: String) async throws {
+        guard await needsKdfUpdateToMinimums() else { return }
+        try await updateKdfToMinimums(password: password)
+    }
+}
+
+// MARK: - DefaultChangeKdfService
+
+/// A default implementation of a `ChangeKdfService`.
+///
+class DefaultChangeKdfService: ChangeKdfService {
+    // MARK: Properties
+
+    /// The services used by the application to make account related API requests.
+    private let accountAPIService: AccountAPIService
+
+    /// The service that handles common client functionality such as encryption and decryption.
+    private let clientService: ClientService
+
+    /// The service to get server-specified configuration.
+    private let configService: ConfigService
+
+    /// The service used by the application to report non-fatal errors.
+    private let errorReporter: ErrorReporter
+
+    /// The service used by the application to manage account state.
+    private let stateService: StateService
+
+    // MARK: Initialization
+
+    /// Initialize a `DefaultChangeKdfService`.
+    ///
+    /// - Parameters:
+    ///   - accountAPIService: The services used by the application to make account related API requests.
+    ///   - clientService: The service that handles common client functionality such as encryption and decryption.
+    ///   - configService: The service to get server-specified configuration.
+    ///   - errorReporter: The service used by the application to report non-fatal errors.
+    ///   - stateService: The service used by the application to manage account state.
+    ///
+    init(
+        accountAPIService: AccountAPIService,
+        clientService: ClientService,
+        configService: ConfigService,
+        errorReporter: ErrorReporter,
+        stateService: StateService
+    ) {
+        self.accountAPIService = accountAPIService
+        self.clientService = clientService
+        self.configService = configService
+        self.errorReporter = errorReporter
+        self.stateService = stateService
+    }
+
+    // MARK: Methods
+
+    func needsKdfUpdateToMinimums() async -> Bool {
+        guard await configService.getFeatureFlag(.forceUpdateKdfSettings) else { return false }
+
+        do {
+            let account = try await stateService.getActiveAccount()
+            guard account.kdf.kdfType == .pbkdf2sha256,
+                  account.kdf.kdfIterations < Constants.minimumPbkdf2IterationsForUpgrade else {
+                return false
+            }
+            return true
+        } catch {
+            errorReporter.log(error: error)
+            return false
+        }
+    }
+
+    func updateKdfToMinimums(password: String) async throws {
+        guard await configService.getFeatureFlag(.forceUpdateKdfSettings) else { return }
+
+        let account = try await stateService.getActiveAccount()
+
+        do {
+            let updateKdfResponse = try await clientService.crypto().makeUpdateKdf(
+                password: password,
+                kdf: account.kdf.sdkKdf
+            )
+            try await accountAPIService.updateKdf(
+                UpdateKdfRequestModel(response: updateKdfResponse)
+            )
+
+            // TODO: Do we need to save updated KDF settings to Account/UserDefaults?
+
+        } catch {
+            // If an error occurs, log the error. Don't throw since that would block the vault unlocking.
+            errorReporter.log(error: BitwardenError.generalError(
+                type: "Force Update KDF Error",
+                message: "Unable to update KDF settings (\(account.kdf)",
+                error: error
+            ))
+        }
+    }
+}