Merge remote-tracking branch 'origin/dev-1.8.0' into dev-1.8.0

2025-10-21 22:09:16 -05:00
parent 217af1e286 232d6fe6ea
commit 40232af503
5 changed files with 143 additions and 105 deletions
--- a/src/backend/database/database.ts
+++ b/src/backend/database/database.ts
@@ -901,17 +901,40 @@ app.post(

      const userId = (req as AuthenticatedRequest).userId;
      const { password } = req.body;
+      const mainDb = getDb();

-      if (!password) {
-        return res.status(400).json({
-          error: "Password required for import",
-          code: "PASSWORD_REQUIRED",
-        });
+      const userRecords = await mainDb
+        .select()
+        .from(users)
+        .where(eq(users.id, userId));
+
+      if (!userRecords || userRecords.length === 0) {
+        return res.status(404).json({ error: "User not found" });
      }

-      const unlocked = await authManager.authenticateUser(userId, password);
-      if (!unlocked) {
-        return res.status(401).json({ error: "Invalid password" });
+      const isOidcUser = !!userRecords[0].is_oidc;
+
+      if (!isOidcUser) {
+        // Local accounts still prove knowledge of the password so their DEK can be derived again.
+        if (!password) {
+          return res.status(400).json({
+            error: "Password required for import",
+            code: "PASSWORD_REQUIRED",
+          });
+        }
+
+        const unlocked = await authManager.authenticateUser(userId, password);
+        if (!unlocked) {
+          return res.status(401).json({ error: "Invalid password" });
+        }
+      } else if (!DataCrypto.getUserDataKey(userId)) {
+        // OIDC users skip the password prompt; make sure their DEK is unlocked via the OIDC session.
+        const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
+        if (!oidcUnlocked) {
+          return res.status(403).json({
+            error: "Failed to unlock user data with SSO credentials",
+          });
+        }
      }

      apiLogger.info("Importing SQLite data", {
@@ -922,7 +945,14 @@ app.post(
        mimetype: req.file.mimetype,
      });

-      const userDataKey = DataCrypto.getUserDataKey(userId);
+      let userDataKey = DataCrypto.getUserDataKey(userId);
+      if (!userDataKey && isOidcUser) {
+        // authenticateOIDCUser lazily provisions the session key; retry the fetch when it succeeds.
+        const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
+        if (oidcUnlocked) {
+          userDataKey = DataCrypto.getUserDataKey(userId);
+        }
+      }
      if (!userDataKey) {
        throw new Error("User data not unlocked");
      }
@@ -976,7 +1006,6 @@ app.post(
      };

      try {
-        const mainDb = getDb();

        try {
          const importedHosts = importDb