add enc key rotation option during master password change

src/app/settings/change-password.component.html

@@ -26,6 +26,15 @@
             </div>
         </div>
     </div>
+    <div class="form-group">
+        <div class="form-check">
+            <input class="form-check-input" type="checkbox" id="rotateEncKey" name="RotateEncKey" [(ngModel)]="rotateEncKey"
+                (change)="showEncKeyWarning()">
+            <label class="form-check-label" for="rotateEncKey">
+                {{'rotateAccountEncKey' | i18n}}
+            </label>
+        </div>
+    </div>
     <button type="submit" class="btn btn-primary btn-submit" [disabled]="form.loading">
         <i class="fa fa-spinner fa-spin" title="{{'loading' | i18n}}"></i>
         <span>{{'changeMasterPassword' | i18n}}</span>

src/app/settings/change-password.component.ts

@@ -7,14 +7,23 @@ import { ToasterService } from 'angular2-toaster';
 import { Angulartics2 } from 'angulartics2';
 
 import { ApiService } from 'jslib/abstractions/api.service';
+import { CipherService } from 'jslib/abstractions/cipher.service';
 import { CryptoService } from 'jslib/abstractions/crypto.service';
+import { FolderService } from 'jslib/abstractions/folder.service';
 import { I18nService } from 'jslib/abstractions/i18n.service';
 import { MessagingService } from 'jslib/abstractions/messaging.service';
 import { PasswordGenerationService } from 'jslib/abstractions/passwordGeneration.service';
 import { PlatformUtilsService } from 'jslib/abstractions/platformUtils.service';
+import { SyncService } from 'jslib/abstractions/sync.service';
 import { UserService } from 'jslib/abstractions/user.service';
 
+import { CipherString } from 'jslib/models/domain/cipherString';
+import { SymmetricCryptoKey } from 'jslib/models/domain/symmetricCryptoKey';
+
+import { CipherWithIdRequest } from 'jslib/models/request/cipherWithIdRequest';
+import { FolderWithIdRequest } from 'jslib/models/request/folderWithIdRequest';
 import { PasswordRequest } from 'jslib/models/request/passwordRequest';
+import { UpdateKeyRequest } from 'jslib/models/request/updateKeyRequest';
 
 @Component({
     selector: 'app-change-password',
@@ -26,6 +35,7 @@ export class ChangePasswordComponent implements OnInit {
     confirmNewMasterPassword: string;
     formPromise: Promise<any>;
     masterPasswordScore: number;
+    rotateEncKey = false;
 
     private masterPasswordStrengthTimeout: any;
     private email: string;
@@ -34,7 +44,8 @@ export class ChangePasswordComponent implements OnInit {
         private analytics: Angulartics2, private toasterService: ToasterService,
         private cryptoService: CryptoService, private messagingService: MessagingService,
         private userService: UserService, private passwordGenerationService: PasswordGenerationService,
-        private platformUtilsService: PlatformUtilsService) { }
+        private platformUtilsService: PlatformUtilsService, private folderService: FolderService,
+        private cipherService: CipherService, private syncService: SyncService) { }
 
     async ngOnInit() {
         this.email = await this.userService.getEmail();
@@ -75,6 +86,10 @@ export class ChangePasswordComponent implements OnInit {
             }
         }
 
+        if (this.rotateEncKey) {
+            await this.syncService.fullSync(true);
+        }
+
         const request = new PasswordRequest();
         request.masterPasswordHash = await this.cryptoService.hashPassword(this.currentMasterPassword, null);
         const email = await this.userService.getEmail();
@@ -85,7 +100,15 @@ export class ChangePasswordComponent implements OnInit {
         const newEncKey = await this.cryptoService.remakeEncKey(newKey);
         request.key = newEncKey[1].encryptedString;
         try {
-            this.formPromise = this.apiService.postPassword(request);
+            if (this.rotateEncKey) {
+                this.formPromise = this.apiService.postPassword(request).then(() => {
+                    return this.makeRequest(newKey, request.newMasterPasswordHash);
+                }).then((updateKeyRequest) => {
+                    return this.apiService.postAccountKey(updateKeyRequest);
+                });
+            } else {
+                this.formPromise = this.apiService.postPassword(request);
+            }
             await this.formPromise;
             this.analytics.eventTrack.next({ action: 'Changed Password' });
             this.toasterService.popAsync('success', this.i18nService.t('masterPasswordChanged'),
@@ -105,6 +128,18 @@ export class ChangePasswordComponent implements OnInit {
         }, 300);
     }
 
+    async showEncKeyWarning() {
+        if (this.rotateEncKey) {
+            const result = await this.platformUtilsService.showDialog(
+                this.i18nService.t('updateEncryptionKeyWarning') + ' ' +
+                this.i18nService.t('rotateEncKeyConfirmation'), this.i18nService.t('rotateEncKeyTitle'),
+                this.i18nService.t('yes'), this.i18nService.t('no'), 'warning');
+            if (!result) {
+                this.rotateEncKey = false;
+            }
+        }
+    }
+
     private getPasswordStrengthUserInput() {
         let userInput: string[] = [];
         const atPosition = this.email.indexOf('@');
@@ -113,4 +148,38 @@ export class ChangePasswordComponent implements OnInit {
         }
         return userInput;
     }
+
+    private async makeRequest(key: SymmetricCryptoKey, masterPasswordHash: string): Promise<UpdateKeyRequest> {
+        const encKey = await this.cryptoService.makeEncKey(key);
+        const privateKey = await this.cryptoService.getPrivateKey();
+        let encPrivateKey: CipherString = null;
+        if (privateKey != null) {
+            encPrivateKey = await this.cryptoService.encrypt(privateKey, encKey[0]);
+        }
+        const request = new UpdateKeyRequest();
+        request.privateKey = encPrivateKey != null ? encPrivateKey.encryptedString : null;
+        request.key = encKey[1].encryptedString;
+        request.masterPasswordHash = masterPasswordHash;
+
+        const folders = await this.folderService.getAllDecrypted();
+        for (let i = 0; i < folders.length; i++) {
+            if (folders[i].id == null) {
+                continue;
+            }
+            const folder = await this.folderService.encrypt(folders[i], encKey[0]);
+            request.folders.push(new FolderWithIdRequest(folder));
+        }
+
+        const ciphers = await this.cipherService.getAllDecrypted();
+        for (let i = 0; i < ciphers.length; i++) {
+            if (ciphers[i].organizationId != null) {
+                continue;
+            }
+
+            const cipher = await this.cipherService.encrypt(ciphers[i], encKey[0]);
+            request.ciphers.push(new CipherWithIdRequest(cipher));
+        }
+
+        return request;
+    }
 }

src/locales/en/messages.json

@@ -2530,5 +2530,14 @@
   },
   "weakMasterPasswordDesc": {
     "message": "The master password you have chosen is weak. You should use a strong master password (or a passphrase) to properly protect your Bitwarden account. Are you sure you want to use this master password?"
+  },
+  "rotateAccountEncKey": {
+    "message": "Also rotate my account's encryption key"
+  },
+  "rotateEncKeyTitle": {
+    "message": "Rotate Encryption Key"
+  },
+  "rotateEncKeyConfirmation": {
+    "message": "Are you sure you want to rotate your account's encryption key?"
   }
 }