fix(auth): preserve user credentials during password change/reset

- Maintain session during password change to prevent credential loss
- Add intelligent password reset that preserves data when logged in
- Improve Buffer handling and session cleanup
- Remove dead code that could fail for OIDC users

The DEK is now properly maintained in session memory when password
changes, preventing apparent data loss. Password reset intelligently
detects active sessions and preserves credentials when possible.
thorved
2025-10-08 12:40:18 +05:30
parent d87c7a80a8
commit 51978e94cc
2 changed files with 2 additions and 7 deletions

@@ -1339,6 +1339,7 @@ router.post("/complete-reset", async (req, res) => {
},
);
await authManager.registerUser(userId, newPassword);
authManager.logoutUser(userId);
} else {
authLogger.success(
`Password reset completed for user: ${username}. Data preserved using existing session.`,
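Review bot: in the `/complete-reset` branch that calls `registerUser`, the new `authManager.logoutUser(userId);` line is not awaited while the adjacent `await authManager.registerUser(...)` is; if `logoutUser` returns a promise, a failed session cleanup is silently dropped, so either `await` it or confirm it is synchronous. This is also the branch where no session exists and the user is re-registered, while only the `else` branch logs "Data preserved using existing session."; an explicit warning log on this side would make the non-preserving path visible in the audit trail.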

@@ -286,8 +286,7 @@ class UserCrypto {
newKEK.fill(0);
// Create a copy of DEK for the session before zeroing it out
const dekCopy = Buffer.allocUnsafe(DEK.length);
DEK.copy(dekCopy);
const dekCopy = Buffer.from(DEK);
// Keep user session active with the same DEK
const now = Date.now();
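Review bot: `Buffer.from(DEK)` copies the bytes, so it is equivalent to the removed `allocUnsafe` + `copy` pair and avoids an uninitialised allocation; the open question is the lifetime of the copy. The comment notes that `DEK` is zeroed after `dekCopy` is taken, but `dekCopy` is then kept in the session ("Keep user session active with the same DEK"), so the session-teardown path should `fill(0)` that copy too, otherwise the key material outlives the zeroing this code takes care over.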
@@ -330,11 +329,6 @@ class UserCrypto {
return false;
}
const kekSalt = await this.getKEKSalt(userId);
if (!kekSalt) {
return false;
}
// Generate new KEK from new password
const newKekSalt = await this.generateKEKSalt();
const newKEK = this.deriveKEK(newPassword, newKekSalt);
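Review bot: with `const kekSalt = await this.getKEKSalt(userId);` and its `if (!kekSalt) return false;` guard removed, the method no longer bails out for a user without a KEK salt; per the commit message that is intended for OIDC users, but the hunk does not show the rest of the method, so confirm nothing below `// Generate new KEK from new password` still references `kekSalt`. A one-line comment at that spot stating that OIDC users have no existing password-derived KEK salt would document why the guard was dropped.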