Critical fixes:
1. Race Condition Mitigation:
- Added read-after-write verification in setupOIDCUserEncryption()
- Ensures session uses the DEK that's actually in the database
- Prevents data loss when concurrent logins occur for new OIDC users
- If race is detected, discards generated DEK and uses stored one
2. Remove Redundant kekSalt Logic:
- Removed unnecessary kekSalt generation and checks for OIDC users
- kekSalt is not used in OIDC key derivation (uses userId as salt)
- Reduces database operations from 4 to 2 per authentication
- Simplifies code and removes potential confusion
3. Improved Error Handling:
- systemKey cleanup moved to finally block
- Ensures sensitive key material is always cleared from memory
These changes ensure data consistency and prevent potential data loss
in high-concurrency scenarios.
The issue was that OIDC users were getting a new random Data Encryption Key (DEK)
on every login, which made previously encrypted credentials inaccessible.
Changes:
- Modified setupOIDCUserEncryption() to persist the DEK encrypted with a system-derived key
- Updated authenticateOIDCUser() to properly retrieve and use the persisted DEK
- Ensured OIDC users now have the same encryption persistence as password-based users
This fix ensures that credentials created by OIDC users remain accessible across
multiple login sessions.
