[PM-30584] Add unlock for key connector with SDK

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-30584

📔 Objective

Adds unlock via the unlock service in the login strategies. The unlock service implements key-connector-unlock via the SDK.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – c96248c0-e7c3-44e2-ab1f-71856976caca

---

New Issues (25)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-13631	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform Privilege Escala... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-13633	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Use After Free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-13638	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Use After Free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a craft... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2025-13639	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2025-13720	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2025-13721	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
7		CVE-2026-0628	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malic... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-1861	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Heap Buffer Overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-34770	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.x prior to 39.... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
10		CVE-2026-34771	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.x prior to 39.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
11		CVE-2026-34774	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.x prior to 40.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
12		CVE-2026-34780	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 prior to 39.8.... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
13		Cx39aef355-ca85	Npm-@eslint/plugin-kit-0.2.8	details Recommended version: 0.3.4 Description: The "ConfigCommentParser#parseJSONLikeConfig" API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. This... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
15		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
16		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
17		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
18		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
19		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
20		CVE-2025-13632	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious ex... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2025-13635	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTM... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
22		CVE-2025-13636	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in spec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23		CVE-2025-13637	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in speci... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24		Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... Attack Vector
25		CVE-2025-13640	Npm-electron-39.2.6	details Recommended version: 41.2.0 Description: Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical ac... Attack Vector: PHYSICAL Attack Complexity: LOW Vulnerable Package

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	SSRF	/libs/common/src/services/api.service.ts: 1343

[codecov]

Codecov Report

❌ Patch coverage is 64.70588% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.83%. Comparing base (9732938) to head (5d8ea47).
⚠️ Report is 176 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
libs/unlock/src/default-unlock.service.ts	22.22%	7 Missing ⚠️
...rc/auth/models/response/identity-token.response.ts	0.00%	4 Missing ⚠️
libs/unlock/src/index.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #19367      +/-   ##
==========================================
+ Coverage   46.47%   46.83%   +0.36%     
==========================================
  Files        3866     3881      +15     
  Lines      115231   116507    +1276     
  Branches    17549    17756     +207     
==========================================
+ Hits        53553    54566    +1013     
- Misses      59237    59461     +224     
- Partials     2441     2480      +39     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ike-kottlowski]

#19422 has been merged.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
11.0% Duplication on New Code

See analysis details on SonarQube Cloud

[JaredSnider-Bitwarden]

Thank you for iterating on this! This looks great!
Not sure what's going on with CI rust lint errors, but approving.

[quexten]

Rust errors seem unrelated.