SIMPLIFY: Delete fake migration system and implement honest legacy user handling
This commit removes 500+ lines of fake "migration" code that admitted it couldn't do what it claimed to do. Following Linus principles: if code can't deliver on its promise, delete it rather than pretend. Changes: - DELETE: security-migration.ts (448 lines of fake migration logic) - DELETE: SECURITY_REFACTOR_PLAN.md (outdated documentation) - DELETE: /encryption/migrate API endpoint (non-functional) - REPLACE: Complex "migration" with simple 3-line legacy user setup - CLEAN: Remove all migration imports and references The new approach is honest: legacy users get encryption setup on first login. No fake progress bars, no false promises, no broken complexity. Good code doesn't pretend to do things it can't do.
This commit is contained in:
ZacharyZcR
@@ -7,6 +7,7 @@ import {
|
||||
fileManagerPinned,
|
||||
fileManagerShortcuts,
|
||||
dismissedAlerts,
|
||||
settings,
|
||||
} from "../db/schema.js";
|
||||
import { eq, and } from "drizzle-orm";
|
||||
import bcrypt from "bcryptjs";
|
||||
@@ -18,7 +19,6 @@ import type { Request, Response, NextFunction } from "express";
|
||||
import { authLogger, apiLogger } from "../../utils/logger.js";
|
||||
import { SecuritySession } from "../../utils/security-session.js";
|
||||
import { UserKeyManager } from "../../utils/user-key-manager.js";
|
||||
import { SecurityMigration } from "../../utils/security-migration.js";
|
||||
|
||||
// Get security session instance
|
||||
const securitySession = SecuritySession.getInstance();
|
||||
@@ -785,24 +785,29 @@ router.post("/login", async (req, res) => {
|
||||
return res.status(401).json({ error: "Incorrect password" });
|
||||
}
|
||||
|
||||
// Check and handle user migration (from old encryption system)
|
||||
let migrationPerformed = false;
|
||||
// Check if legacy user needs encryption setup
|
||||
try {
|
||||
migrationPerformed = await SecurityMigration.handleUserLoginMigration(userRecord.id, password);
|
||||
if (migrationPerformed) {
|
||||
authLogger.success("User encryption migrated during login", {
|
||||
operation: "login_migration_success",
|
||||
const kekSalt = await db
|
||||
.select()
|
||||
.from(settings)
|
||||
.where(eq(settings.key, `user_kek_salt_${userRecord.id}`));
|
||||
|
||||
if (kekSalt.length === 0) {
|
||||
// Legacy user first login - set up new encryption
|
||||
await securitySession.registerUser(userRecord.id, password);
|
||||
authLogger.success("Legacy user encryption initialized", {
|
||||
operation: "legacy_user_setup",
|
||||
username,
|
||||
userId: userRecord.id,
|
||||
});
|
||||
}
|
||||
} catch (migrationError) {
|
||||
authLogger.error("Failed to migrate user during login", migrationError, {
|
||||
operation: "login_migration_failed",
|
||||
} catch (setupError) {
|
||||
authLogger.error("Failed to initialize user encryption", setupError, {
|
||||
operation: "user_encryption_setup_failed",
|
||||
username,
|
||||
userId: userRecord.id,
|
||||
});
|
||||
// Migration failure should not block login, but needs to be logged
|
||||
// Encryption setup failure should not block login for existing users
|
||||
}
|
||||
|
||||
// Unlock user data keys
|
||||
|
||||
Reference in New Issue
Block a user