[PM-29048] Validate pin protected user key envelope

[mzieniukbw]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-29048

📔 Objective

Enables validation for a PIN for a pin protected key envelope, so that mobile can move off of validatePin which only works with pin key protected userkeys.

The original validate_pin implementation compared the decrypted user key from envelope with the client key stored user key. This implementation is much simpler, we simply validate if the envelope can be successfully unsealed with provided PIN.

Tested against android.

🚨 Breaking Changes

None

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 7efbcc40-d61d-4824-9aa6-4b186e90852a

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: km/pm-29048-validate-pin-for-envelope (7a162ed)
Completed: 2025-12-22 10:06:38 UTC
Total Time: 218s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[codecov]

Codecov Report

❌ Patch coverage is 74.60317% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.84%. Comparing base (b9cf7b7) to head (7a162ed).

Files with missing lines	Patch %	Lines
crates/bitwarden-uniffi/src/auth/mod.rs	0.00%	9 Missing ⚠️
crates/bitwarden-core/src/auth/auth_client.rs	0.00%	7 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #628   +/-   ##
=======================================
  Coverage   78.84%   78.84%           
=======================================
  Files         283      283           
  Lines       29660    29723   +63     
=======================================
+ Hits        23384    23434   +50     
- Misses       6276     6289   +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[quexten]

Some nits on the commenting, but nothing blocking.