bitwarden · rr-bw · Apr 21, 2026 · Apr 14, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/...esktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts b/...esktop/src/app/services/set-initial-password/desktop-set-initial-password.service.spec.ts
@@ -90,8 +90,7 @@ describe("DesktopSetInitialPasswordService", () => {
   });
 
   /**
-   * @deprecated To be removed in PM-28143. When you remove this, check also if there are any imports/properties
-   * in the test setup above that are now un-used and can also be removed.
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
    */
   describe("setInitialPassword(...)", () => {
     // Mock function parameters

diff --git a/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts b/apps/desktop/src/app/services/set-initial-password/desktop-set-initial-password.service.ts
@@ -56,7 +56,7 @@ export class DesktopSetInitialPasswordService
   }
 
   /**
-   * @deprecated To be removed in PM-28143
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
    */
   override async setInitialPassword(
     credentials: SetInitialPasswordCredentials,

@@ -90,7 +90,9 @@ describe("WebSetInitialPasswordService", () => {
   });
 
   /**
-   * @deprecated To be removed in PM-28143. When you remove this, check also if there are any imports/properties
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
+   *
+   * When you remove this, check also if there are any imports/properties
    * in the test setup above that are now un-used and can also be removed.
    */
   describe("setInitialPassword(...)", () => {

@@ -57,7 +57,7 @@ export class WebSetInitialPasswordService
   }
 
   /**
-   * @deprecated To be removed in PM-28143
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
    */
   override async setInitialPassword(
     credentials: SetInitialPasswordCredentials,

@@ -46,7 +46,6 @@ import {
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordUserType,
-  SetInitialPasswordTdeOffboardingCredentialsOld,
   SetInitialPasswordTdeOffboardingCredentials,
   SetInitialPasswordTdeUserWithPermissionCredentials,
 } from "./set-initial-password.service.abstraction";
@@ -68,8 +67,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
   ) {}
 
   /**
-   * @deprecated To be removed in PM-28143. When you remove this, also check for any objects/methods
-   * in this default service that are now un-used and can also be removed.
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
    */
   async setInitialPassword(
     credentials: SetInitialPasswordCredentials,
@@ -265,49 +263,6 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
   }
 
-  /**
-   * @deprecated To be removed in PM-28143
-   */
-  async setInitialPasswordTdeOffboardingOld(
-    credentials: SetInitialPasswordTdeOffboardingCredentialsOld,
-    userId: UserId,
-  ) {
-    const { newMasterKey, newServerMasterKeyHash, newPasswordHint } = credentials;
-    for (const [key, value] of Object.entries(credentials)) {
-      if (value == null) {
-        throw new Error(`${key} not found. Could not set password.`);
-      }
-    }
-
-    if (userId == null) {
-      throw new Error("userId not found. Could not set password.");
-    }
-
-    const userKey = await firstValueFrom(this.keyService.userKey$(userId));
-    if (userKey == null) {
-      throw new Error("userKey not found. Could not set password.");
-    }
-
-    const newMasterKeyEncryptedUserKey = await this.keyService.encryptUserKeyWithMasterKey(
-      newMasterKey,
-      userKey,
-    );
-
-    if (!newMasterKeyEncryptedUserKey[1].encryptedString) {
-      throw new Error("newMasterKeyEncryptedUserKey not found. Could not set password.");
-    }
-
-    const request = new UpdateTdeOffboardingPasswordRequest();
-    request.key = newMasterKeyEncryptedUserKey[1].encryptedString;
-    request.newMasterPasswordHash = newServerMasterKeyHash;
-    request.masterPasswordHint = newPasswordHint;
-
-    await this.masterPasswordApiService.putUpdateTdeOffboardingPassword(request);
-
-    // Clear force set password reason to allow navigation back to vault.
-    await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
-  }
-
   async initializePasswordJitPasswordUserV2Encryption(
     credentials: InitializeJitPasswordCredentials,
     userId: UserId,
@@ -469,7 +424,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
   }
 
   /**
-   * @deprecated To be removed in PM-28143
+   * @deprecated along with `setInitialPassword()` deprecation
    */
   private async makeMasterKeyEncryptedUserKey(
     masterKey: MasterKey,
@@ -491,6 +446,9 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
     return masterKeyEncryptedUserKey;
   }
 
+  /**
+   * @deprecated along with `setInitialPassword()` deprecation
+   */
   private async updateAccountDecryptionProperties(
     masterKey: MasterKey,
     kdfConfig: KdfConfig,
@@ -548,7 +506,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
   }
 
   /**
-   * @deprecated To be removed in PM-28143
+   * @deprecated along with `setInitialPassword()` deprecation
    *
    * As part of [PM-28494], adding this setting path to accommodate the changes that are
    * emerging with pm-23246-unlock-with-master-password-unlock-data.
@@ -574,7 +532,7 @@ export class DefaultSetInitialPasswordService implements SetInitialPasswordServi
   }
 
   /**
-   * @deprecated To be removed in PM-28143
+   * @deprecated
    *
    * This method is now deprecated because it is used with the deprecated `setInitialPassword()` method,
    * which handles both JIT MP and TDE + Permission user flows.

@@ -64,7 +64,6 @@ import {
   SetInitialPasswordCredentials,
   SetInitialPasswordService,
   SetInitialPasswordTdeOffboardingCredentials,
-  SetInitialPasswordTdeOffboardingCredentialsOld,
   SetInitialPasswordTdeUserWithPermissionCredentials,
   SetInitialPasswordUserType,
 } from "./set-initial-password.service.abstraction";
@@ -129,7 +128,9 @@ describe("DefaultSetInitialPasswordService", () => {
   });
 
   /**
-   * @deprecated To be removed in PM-28143. When you remove this, check also if there are any imports/properties
+   * @deprecated use `initializePasswordJitPasswordUserV2Encryption()` instead
+   *
+   * When you remove this, check also if there are any imports/properties
    * in the test setup above that are now un-used and can also be removed.
    */
   describe("setInitialPassword(...)", () => {
@@ -830,7 +831,7 @@ describe("DefaultSetInitialPasswordService", () => {
 
       it(`should throw if the userId was not passed in`, async () => {
         // Arrange
-        userId = null;
+        userId = null as unknown as UserId;
 
         // Act
         const promise = sut.setInitialPasswordTdeOffboarding(credentials, userId);
@@ -893,120 +894,6 @@ describe("DefaultSetInitialPasswordService", () => {
     });
   });
 
-  /**
-   * @deprecated To be removed in PM-28143. When you remove this, check also if there are any imports/properties
-   * in the test setup above that are now un-used and can also be removed.
-   */
-  describe("setInitialPasswordTdeOffboardingOld(...)", () => {
-    // Mock function parameters
-    let credentials: SetInitialPasswordTdeOffboardingCredentialsOld;
-
-    beforeEach(() => {
-      // Mock function parameters
-      credentials = {
-        newMasterKey: new SymmetricCryptoKey(new Uint8Array(32)) as MasterKey,
-        newServerMasterKeyHash: "newServerMasterKeyHash",
-        newPasswordHint: "newPasswordHint",
-      };
-    });
-
-    function setupTdeOffboardingMocks() {
-      keyService.userKey$.mockReturnValue(of(userKey));
-      keyService.encryptUserKeyWithMasterKey.mockResolvedValue(masterKeyEncryptedUserKey);
-    }
-
-    it("should successfully set an initial password for the TDE offboarding user", async () => {
-      // Arrange
-      setupTdeOffboardingMocks();
-
-      const request = new UpdateTdeOffboardingPasswordRequest();
-      request.key = masterKeyEncryptedUserKey[1].encryptedString;
-      request.newMasterPasswordHash = credentials.newServerMasterKeyHash;
-      request.masterPasswordHint = credentials.newPasswordHint;
-
-      // Act
-      await sut.setInitialPasswordTdeOffboardingOld(credentials, userId);
-
-      // Assert
-      expect(masterPasswordApiService.putUpdateTdeOffboardingPassword).toHaveBeenCalledTimes(1);
-      expect(masterPasswordApiService.putUpdateTdeOffboardingPassword).toHaveBeenCalledWith(
-        request,
-      );
-    });
-
-    describe("given the initial password has been successfully set", () => {
-      it("should clear the ForceSetPasswordReason by setting it to None", async () => {
-        // Arrange
-        setupTdeOffboardingMocks();
-
-        // Act
-        await sut.setInitialPasswordTdeOffboardingOld(credentials, userId);
-
-        // Assert
-        expect(masterPasswordApiService.putUpdateTdeOffboardingPassword).toHaveBeenCalledTimes(1);
-        expect(masterPasswordService.setForceSetPasswordReason).toHaveBeenCalledWith(
-          ForceSetPasswordReason.None,
-          userId,
-        );
-      });
-    });
-
-    describe("general error handling", () => {
-      ["newMasterKey", "newServerMasterKeyHash", "newPasswordHint"].forEach((key) => {
-        it(`should throw if ${key} is not provided on the SetInitialPasswordTdeOffboardingCredentials object`, async () => {
-          // Arrange
-          const invalidCredentials: SetInitialPasswordTdeOffboardingCredentialsOld = {
-            ...credentials,
-            [key]: null,
-          };
-
-          // Act
-          const promise = sut.setInitialPasswordTdeOffboardingOld(invalidCredentials, userId);
-
-          // Assert
-          await expect(promise).rejects.toThrow(`${key} not found. Could not set password.`);
-        });
-      });
-
-      it(`should throw if the userId was not passed in`, async () => {
-        // Arrange
-        userId = null;
-
-        // Act
-        const promise = sut.setInitialPasswordTdeOffboardingOld(credentials, userId);
-
-        // Assert
-        await expect(promise).rejects.toThrow("userId not found. Could not set password.");
-      });
-
-      it(`should throw if the userKey was not found`, async () => {
-        // Arrange
-        keyService.userKey$.mockReturnValue(of(null));
-
-        // Act
-        const promise = sut.setInitialPasswordTdeOffboardingOld(credentials, userId);
-
-        // Assert
-        await expect(promise).rejects.toThrow("userKey not found. Could not set password.");
-      });
-
-      it(`should throw if a newMasterKeyEncryptedUserKey was not returned`, async () => {
-        // Arrange
-        masterKeyEncryptedUserKey[1].encryptedString = "" as EncryptedString;
-
-        setupTdeOffboardingMocks();
-
-        // Act
-        const promise = sut.setInitialPasswordTdeOffboardingOld(credentials, userId);
-
-        // Assert
-        await expect(promise).rejects.toThrow(
-          "newMasterKeyEncryptedUserKey not found. Could not set password.",
-        );
-      });
-    });
-  });
-
   describe("initializePasswordJitPasswordUserV2Encryption()", () => {
     let mockSdkRef: {
       value: MockProxy<BitwardenClient>;
@@ -1345,7 +1232,7 @@ describe("DefaultSetInitialPasswordService", () => {
 
       it("should throw if userId is not given", async () => {
         // Arrange
-        userId = null;
+        userId = null as unknown as UserId;
 
         // Act
         const promise = sut.setInitialPasswordTdeUserWithPermission(credentials, userId);
@@ -1472,12 +1359,14 @@ describe("DefaultSetInitialPasswordService", () => {
           enrollmentRequest = new OrganizationUserResetPasswordEnrollmentRequest();
           enrollmentRequest.masterPasswordHash =
             authenticationData.masterPasswordAuthenticationHash;
-          enrollmentRequest.resetPasswordKey = orgPublicKeyEncryptedUserKey.encryptedString;
+          enrollmentRequest.resetPasswordKey = orgPublicKeyEncryptedUserKey.encryptedString!;
         });
 
         it("should throw if organization keys are not found", async () => {
           // Arrange
-          organizationApiService.getKeys.mockResolvedValue(null);
+          organizationApiService.getKeys.mockResolvedValue(
+            null as unknown as OrganizationKeysResponse,
+          );
 
           // Act
           const promise = sut.setInitialPasswordTdeUserWithPermission(credentials, userId);
@@ -1490,7 +1379,7 @@ describe("DefaultSetInitialPasswordService", () => {
 
         it("should throw if orgPublicKeyEncryptedUserKey is not found", async () => {
           // Arrange
-          encryptService.encapsulateKeyUnsigned.mockResolvedValue(null);
+          encryptService.encapsulateKeyUnsigned.mockResolvedValue(null as unknown as EncString);
 
           // Act
           const promise = sut.setInitialPasswordTdeUserWithPermission(credentials, userId);
@@ -1503,7 +1392,7 @@ describe("DefaultSetInitialPasswordService", () => {
 
         it("should throw if orgPublicKeyEncryptedUserKey.encryptedString is not found", async () => {
           // Arrange
-          orgPublicKeyEncryptedUserKey.encryptedString = null;
+          orgPublicKeyEncryptedUserKey.encryptedString = null as unknown as any;
 
           // Act
           const promise = sut.setInitialPasswordTdeUserWithPermission(credentials, userId);