From 51978e94cc6e0e59053083e00f1f0bc86cb405de Mon Sep 17 00:00:00 2001
From: thorved <54140516+thorved@users.noreply.github.com>
Date: Wed, 8 Oct 2025 12:40:18 +0530
Subject: [PATCH] fix(auth): preserve user credentials during password
 change/reset

- Maintain session during password change to prevent credential loss
- Add intelligent password reset that preserves data when logged in
- Improve Buffer handling and session cleanup
- Remove dead code that could fail for OIDC users

The DEK is now properly maintained in session memory when password
changes, preventing apparent data loss. Password reset intelligently
detects active sessions and preserves credentials when possible.
---
 src/backend/database/routes/users.ts | 1 +
 src/backend/utils/user-crypto.ts     | 8 +-------
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/backend/database/routes/users.ts b/src/backend/database/routes/users.ts
index 9b4b30f4..7ad84061 100644
--- a/src/backend/database/routes/users.ts
+++ b/src/backend/database/routes/users.ts
@@ -1339,6 +1339,7 @@ router.post("/complete-reset", async (req, res) => {
             },
           );
           await authManager.registerUser(userId, newPassword);
+          authManager.logoutUser(userId);
         } else {
           authLogger.success(
             `Password reset completed for user: ${username}. Data preserved using existing session.`,
diff --git a/src/backend/utils/user-crypto.ts b/src/backend/utils/user-crypto.ts
index ea55b8fe..0d4393b2 100644
--- a/src/backend/utils/user-crypto.ts
+++ b/src/backend/utils/user-crypto.ts
@@ -286,8 +286,7 @@ class UserCrypto {
       newKEK.fill(0);
 
       // Create a copy of DEK for the session before zeroing it out
-      const dekCopy = Buffer.allocUnsafe(DEK.length);
-      DEK.copy(dekCopy);
+      const dekCopy = Buffer.from(DEK);
 
       // Keep user session active with the same DEK
       const now = Date.now();
@@ -330,11 +329,6 @@ class UserCrypto {
         return false;
       }
 
-      const kekSalt = await this.getKEKSalt(userId);
-      if (!kekSalt) {
-        return false;
-      }
-
       // Generate new KEK from new password
       const newKekSalt = await this.generateKEKSalt();
       const newKEK = this.deriveKEK(newPassword, newKekSalt);