[PM-30703] Introduce CXF payload parser and update to alpha05

[SaintPatrck]

🎟️ Tracking

PM-30703

📔 Objective

Update the Credential Exchange (CXF/CXP) implementation to align with the androidx.credentials.providerevents:1.0.0-alpha04 library. The previous implementation was based on alpha03 and is now obsolete.

The primary behavioral change is the removal of the two-layered JSON structure (CXP wrapping CXF). The alpha04 specification simplifies this to a single, direct JSON payload for credential exchange.

Specific changes include:

• Dependency Update:

  • Upgraded androidx.credentials.providerevents from 1.0.0-alpha03 to 1.0.0-alpha05.

• Payload Parsing:

  • Introduced a CredentialExchangePayloadParser to handle the new direct JSON payload structure. This parser validates the CXF version, checks for the presence of accounts, and handles various error conditions.
  • The CredentialExchangeImportManager is refactored to use this new parser, removing the now-unnecessary logic for decoding the two-layered, base64-encoded payload.

• Import/Export Flow:

  • CredentialExchangeImporterImpl: Updated to use the modern ImportCredentialsRequest builder, which no longer requires manual JSON construction.
  • CredentialExchangeCompletionManagerImpl: Modified to return the new, simplified direct JSON response, removing the CXP wrapper and base64 encoding.
  • CredentialExchangeRegistryImpl: Aligned with alpha04 by including a default export_matcher.bin (a WASM binary from Google) in the registration request.

• DI and Module Structure:

  • Added a new CxfModule to provide the CredentialExchangePayloadParser.
  • Updated build.gradle.kts for the cxf module to include Hilt dependencies for DI.

• Testing:

  • Added extensive unit tests for the new CredentialExchangePayloadParser to cover valid payloads, version checks, and various error states.
  • Updated existing tests for CredentialExchangeImporterTest and CredentialExchangeImportManagerTest to reflect the API and structural changes from the library update.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 31ec83c4-bcb2-4d20-92cd-4c41c443db97

Great job! No new security vulnerabilities introduced in this pull request

[claude]

Claude finished @SaintPatrck's task in 5m 42s —— View job

---

Code Review: PR #6347 - PM-30703 Introduce CXF payload parser and update to alpha05

• Gather context and read changed files
• Review code for bugs, security issues, and best practices
• Post review findings

---

Summary

This PR cleanly updates the Credential Exchange implementation from alpha03 to alpha05, removing the two-layered CXP/CXF structure in favor of a direct JSON payload. The new CredentialExchangePayloadParser is well-structured, the import manager now processes all accounts via flatMap, and test coverage is comprehensive. The overall architecture follows established patterns well.

Findings

🎨 Suggestion: CxfModule missing @Singleton scope — cxf/src/main/kotlin/com/bitwarden/cxf/di/CxfModule.kt:18-22

The provideCredentialExchangePayloadParser function lacks @Singleton annotation. While CredentialExchangePayloadParserImpl is stateless, the CredentialExchangeImportManager that depends on it is @Singleton-scoped (see VaultManagerModule.kt:249). Without scoping, Hilt creates a new parser instance each time it's injected. This is functionally harmless since it's stateless, but inconsistent with how other dependencies in this graph are scoped.

---

🤔 Discussion: JSON string interpolation in CredentialExchangeCompletionManagerImpl — cxf/src/main/kotlin/com/bitwarden/cxf/manager/CredentialExchangeCompletionManagerImpl.kt:32-44

The export response JSON is constructed via string interpolation:

"exporterRpId": "${activity.packageName}",
"exporterDisplayName": "${activity.applicationInfo.name}",
...
"accounts": [${exportResult.payload}]

While packageName is safe and payload is SDK-generated, applicationInfo.name is technically user-facing metadata. If it ever contained characters like " or \, it would produce malformed JSON. This is a pre-existing pattern (not introduced in this PR), so it's fine to leave as-is — just noting it as a potential follow-up if you ever move to a serialization-based approach for constructing these responses.

---

👍 Well done: Multi-account processing — app/src/main/kotlin/com/x8bit/bitwarden/data/vault/manager/CredentialExchangeImportManagerImpl.kt:58-62

The flatMap approach for processing multiple accounts is clean and idiomatic:

val allCiphers = accountsJsonList.flatMap { accountJson ->
    vaultSdkSource
        .importCxf(userId = userId, payload = accountJson)
        .getOrElse { return ImportCxfPayloadResult.Error(error = it) }
}

The early return on first failure is a reasonable strategy for this use case.

---

👍 Test coverage — Parser tests cover valid payloads, multi-account, empty accounts, unsupported versions, invalid JSON, and serialization errors. Import manager tests cover multi-account aggregation, partial failure (second account), policy filtering, and all result paths. The CredentialExchangeImporterTest now covers all three catch blocks.

---

👍 .use{} on InputStream — cxf/src/main/kotlin/com/bitwarden/cxf/registry/CredentialExchangeRegistryImpl.kt:40 — Already addressed from previous review feedback.

---

Overall this is a solid PR. The simplification from the two-layered structure to direct JSON is a welcome change, and the parser abstraction makes the import manager much cleaner.

[claude]

⚠️ IMPORTANT: Inconsistent error handling loses context

The uploadCiphers function converts specific ImportCiphersResponseJson.Invalid responses into a generic ImportCredentialsUnknownErrorException, losing valuable error context.

Problems:

1. Lost validation errors: Invalid contains a validationErrors map with specific field-level errors, but this is completely discarded
2. Debugging difficulty: Support and developers lose insight into why the import failed on the server side
3. User experience: Generic errors provide no actionable feedback

Recommended fix:

is ImportCiphersResponseJson.Invalid -> {
    // Log validation errors for debugging
    Timber.w("Import ciphers validation failed: ${response.validationErrors}")
    Result.failure(
        ImportCredentialsUnknownErrorException(
            "Server validation failed: ${response.validationErrors.keys.joinToString()}"
        )
    )
}

Alternatively, consider creating a custom exception type that preserves the validation errors for upstream handling.

[SaintPatrck]

Log added.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.34%. Comparing base (34a7c44) to head (4cb594e).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6347   +/-   ##
=======================================
  Coverage   86.34%   86.34%           
=======================================
  Files         794      792    -2     
  Lines       56782    56712   -70     
  Branches     8213     8214    +1     
=======================================
- Hits        49028    48968   -60     
+ Misses       4899     4889   -10     
  Partials     2855     2855           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[david-livefront]

Should we log this for the flight recorder?

[SaintPatrck]

Added a log statement. I'm not comfortable passing the exception to Timber since it could contain sensitive details.

[david-livefront]

Ohh, that makes sense

[david-livefront]

👍

[david-livefront]

Instead of the mutable list can we do something like this?

val allCiphers = accountsJsonList.flatMap { accountJson ->
    vaultSdkSource
        .importCxf(userId = userId, payload = accountJson)
        .getOrElse { return ImportCxfPayloadResult.Error(error = it) }
}

[SaintPatrck]

Thanks @david-livefront