dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

docs: clarify OIDC import unlocking flow

Browse Source
This commit is contained in:
Nikola Novoselec
2025-10-21 17:39:31 +02:00
parent 153000d3ff
commit 6f1b92b07b
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/backend/database/database.ts
View File

@@ -932,6 +932,7 @@ app.post(
const isOidcUser = !!userRecords[0].is_oidc; const isOidcUser = !!userRecords[0].is_oidc;
if (!isOidcUser) { if (!isOidcUser) {
// Local accounts still prove knowledge of the password so their DEK can be derived again.
if (!password) { if (!password) {
return res.status(400).json({ return res.status(400).json({
error: "Password required for import", error: "Password required for import",
@@ -944,6 +945,7 @@ app.post(
return res.status(401).json({ error: "Invalid password" }); return res.status(401).json({ error: "Invalid password" });
} }
} else if (!DataCrypto.getUserDataKey(userId)) { } else if (!DataCrypto.getUserDataKey(userId)) {
// OIDC users skip the password prompt; make sure their DEK is unlocked via the OIDC session.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId); const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (!oidcUnlocked) { if (!oidcUnlocked) {
return res.status(403).json({ return res.status(403).json({
@@ -962,6 +964,7 @@ app.post(
let userDataKey = DataCrypto.getUserDataKey(userId); let userDataKey = DataCrypto.getUserDataKey(userId);
if (!userDataKey && isOidcUser) { if (!userDataKey && isOidcUser) {
// authenticateOIDCUser lazily provisions the session key; retry the fetch when it succeeds.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId); const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (oidcUnlocked) { if (oidcUnlocked) {
userDataKey = DataCrypto.getUserDataKey(userId); userDataKey = DataCrypto.getUserDataKey(userId);