
[PM-20134] Fix overwriteExisting and largeImport causing users to be deleted #737


Merged: 7 commits merged into main from batch-request-fix on Apr 30, 2025

Conversation

BTreston (Contributor) commented Apr 10, 2025

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-20134

📔 Objective

This PR changes the request-builder interface method and caller in sync-service to accept an object with sync configuration rather than booleans as its params. batch-request-builder will now throw an error if you attempt to perform a sync with both largeImport and overwriteExisting enabled to prevent overwriting the imported users as the batched calls are made.

📸 Screenshots

11k users sync before:

Screen.Recording.2025-04-10.at.12.53.03.PM.mov

11k users sync after:

Screen.Recording.2025-04-10.at.12.56.31.PM.mov

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
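The failure mode the objective describes, and the guard that closes it, as an added illustration in TypeScript. This is not code from the directory connector; the names SyncConfiguration, ImportRequest, RequestBuilder, SingleRequestBuilder, BatchRequestBuilder, FakeImportApi and splitIntoBatches are assumptions modelled on the PR description, and the server semantics (an overwriteExisting request replaces the whole user list) are assumed for the purpose of showing why earlier batches disappear.

```typescript
// Added example, not the directory connector's own code. Type and class names
// below are assumptions modelled on the PR description.

/** Sync options passed as one object instead of positional booleans. */
interface SyncConfiguration {
  overwriteExisting: boolean;
  removeDisabled: boolean;
  largeImport: boolean;
}

/** One import call to the server. */
interface ImportRequest {
  users: string[];
  overwriteExisting: boolean;
  removeDisabled: boolean;
}

interface RequestBuilder {
  buildRequests(users: string[], config: SyncConfiguration): ImportRequest[];
}

/** Plain batching with no safety check: this is the "before" behaviour. */
function splitIntoBatches(users: string[], config: SyncConfiguration, batchSize: number): ImportRequest[] {
  const requests: ImportRequest[] = [];
  for (let i = 0; i < users.length; i += batchSize) {
    requests.push({
      users: users.slice(i, i + batchSize),
      overwriteExisting: config.overwriteExisting,
      removeDisabled: config.removeDisabled,
    });
  }
  return requests;
}

/** Everything in a single request, so overwriteExisting is harmless here. */
class SingleRequestBuilder implements RequestBuilder {
  buildRequests(users: string[], config: SyncConfiguration): ImportRequest[] {
    return splitIntoBatches(users, config, Math.max(users.length, 1));
  }
}

/** Batched import that refuses the combination the PR guards against. */
class BatchRequestBuilder implements RequestBuilder {
  constructor(private readonly batchSize: number) {}

  buildRequests(users: string[], config: SyncConfiguration): ImportRequest[] {
    // Each batch sent with overwriteExisting would replace the users imported
    // by the previous batch, so reject the combination before any call is made.
    if (config.largeImport && config.overwriteExisting) {
      throw new Error("largeImport and overwriteExisting cannot both be enabled");
    }
    return splitIntoBatches(users, config, this.batchSize);
  }
}

/**
 * Stand-in for the server side of the import API (assumed semantics for this
 * example): with overwriteExisting the request's user list replaces the whole
 * directory, otherwise the users are merged in.
 */
class FakeImportApi {
  private users = new Set<string>();

  postImport(req: ImportRequest): void {
    if (req.overwriteExisting) {
      this.users = new Set(req.users);
    } else {
      for (const u of req.users) this.users.add(u);
    }
  }

  listUsers(): string[] {
    return Array.from(this.users).sort();
  }
}

/** Sends every request to the fake API and returns the users that survive. */
function applyRequests(requests: ImportRequest[]): string[] {
  const api = new FakeImportApi();
  for (const req of requests) api.postImport(req);
  return api.listUsers();
}

// Constructed sample directory: eleven users, a toy-scale version of the
// 11k-user sync shown in the PR, batched four at a time.
const SAMPLE_USERS = Array.from({ length: 11 }, (_, i) => `user${i + 1}@example.com`);
const BATCH_SIZE = 4;

function demo(): void {
  const overwrite: SyncConfiguration = { overwriteExisting: true, removeDisabled: false, largeImport: true };
  const before = applyRequests(splitIntoBatches(SAMPLE_USERS, overwrite, BATCH_SIZE));
  console.log(`unguarded batched overwrite keeps ${before.length} of ${SAMPLE_USERS.length} users:`, before);
  try {
    new BatchRequestBuilder(BATCH_SIZE).buildRequests(SAMPLE_USERS, overwrite);
  } catch (e) {
    console.log("guarded builder rejected the sync:", (e as Error).message);
  }
  const merge: SyncConfiguration = { overwriteExisting: false, removeDisabled: true, largeImport: true };
  const after = applyRequests(new BatchRequestBuilder(BATCH_SIZE).buildRequests(SAMPLE_USERS, merge));
  console.log(`batched merge keeps ${after.length} users`);
}

demo();
```

With eleven users and a batch size of four, the unguarded path leaves only the last batch (users 9 to 11) on the server, which is the deletion the title refers to; the guarded builder throws before any request is sent, and a batched sync without overwriteExisting keeps all eleven. The same small objects are what a unit test would inspect to confirm that removeDisabled and overwriteExisting are copied onto each request.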


codecov bot commented Apr 10, 2025

Codecov Report

Attention: Patch coverage is 35.52632% with 49 lines in your changes missing coverage. Please review.

Project coverage is 7.85%. Comparing base (42efd68) to head (2efe56a).
Report is 3 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines                         Patch %   Lines
src/services/sync.service.integration.spec.ts    0.00%     49 Missing ⚠️
@@           Coverage Diff            @@
##            main    #737      +/-   ##
========================================
+ Coverage   7.27%   7.85%   +0.58%     
========================================
  Files         66      68       +2     
  Lines       2682    2751      +69     
  Branches     473     473              
========================================
+ Hits         195     216      +21     
- Misses      2475    2523      +48     
  Partials      12      12              


@BTreston BTreston requested a review from eliykat April 10, 2025 20:36

github-actions bot commented Apr 10, 2025

Checkmarx One – Scan Summary & Details (scan 7f07971d-f91b-4813-a5d4-a974d7140769)

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity: HIGH
Issue: CVE-2025-3619
Source File / Package: Npm-electron-34.1.1
Recommended version: 36.0.0
Description: Heap-based Buffer Overflow in Codecs in Google Chrome on Windows prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corru...
Attack Vector: NETWORK
Attack Complexity: LOW
ID: 3nDAiq6H1TpHttoyO0r3VsSyjND2hlpfRIcGZ8OTH9Q%3D
Checkmarx Insight: Vulnerable Package

Severity: HIGH
Issue: CVE-2025-3620
Source File / Package: Npm-electron-34.1.1
Recommended version: 36.0.0
Description: Use after free in USB in Google Chrome versions prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corruption via a craft...
Attack Vector: NETWORK
Attack Complexity: LOW
ID: nW3bRXLsWHzur%2F4mwqu516lof3U2iSme9KSsbSAL6Vw%3D
Checkmarx Insight: Vulnerable Package

@BTreston BTreston marked this pull request as ready for review April 10, 2025 22:53
@BTreston BTreston requested a review from a team as a code owner April 10, 2025 22:53

@eliykat eliykat left a comment


Can you please add some unit tests for the following:

  • SingleRequestBuilder - make sure that the options (removeDisabled and overwriteExisting) are set properly on the request object based on inputs
  • BatchRequestBuilder - make sure that removeDisabled is set properly on the request object based on inputs (you've already covered overwriteExisting which is good)

Can you also consider what integration tests we can add for these? I didn't think it was worth it previously because these are directory-agnostic and unit tests should be enough. But our recent experience shows that a few happy path integration tests would also be a good safeguard.

I want to set up full end-to-end integration tests against a real server, but for now we can just work within the openldap test suite we already have.

@eliykat eliykat changed the title Batch request fix [PM-20134] Fix overwriteExisting and largeImport causing users to be deleted Apr 22, 2025

@eliykat eliykat Apr 23, 2025


I forgot these tests are testing the directory service specifically, whereas our new tests are testing syncService.

After thinking about it some more I recommend:

  • moving the new tests to a new spec file (sync.service.integration.spec.ts)
  • only test the SyncService result/side effects
  • still integrate against the openldap container

constants.batchSize = 4;

const result = await directoryService.getEntries(true, true);
const syncResult = await syncService.sync(false, false);
eliykat (Member):

Also assert against the call received by the mock api service. That's an important side-effect here, and it lets you check the other request properties that aren't included in the return value, particularly overwriteExisting.

@BTreston BTreston requested a review from eliykat April 23, 2025 17:07

@eliykat eliykat left a comment


Some very minor cleanup, then good to go 🎉

@BTreston BTreston requested a review from eliykat April 29, 2025 14:54

@eliykat eliykat left a comment


Great work!

@BTreston BTreston merged commit 3573e20 into main Apr 30, 2025
20 checks passed
@BTreston BTreston deleted the batch-request-fix branch April 30, 2025 13:26