mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-17 05:43:36 +00:00
refactor(crypto): make system-wrapped DEKs the authoritative key path
DataCrypto and AuthManager now read keys through UserKeyManager: DEKs are always unwrappable server-side, so the in-memory unlock session, DEK-in-JWT wrapping, session-expiry data locks and ALLOW_APIKEY_DATA_UNLOCK are gone. utils/user-crypto.ts is deleted; boot migration now cleans legacy wraps. A one-release shim adopts DEKs from legacy dataKeyWrap tokens so active password users migrate without re-login. Password login migrates legacy password-wrapped DEKs via migratePasswordUserAtLogin.
This commit is contained in:
@@ -1508,18 +1508,6 @@ router.post("/login", async (req, res) => {
|
||||
return res.status(401).json({ error: "Invalid username or password" });
|
||||
}
|
||||
|
||||
try {
|
||||
const kekSalt = await createCurrentSettingsRepository().get(
|
||||
`user_kek_salt_${userRecord.id}`,
|
||||
);
|
||||
|
||||
if (!kekSalt) {
|
||||
await authManager.registerUser(userRecord.id, password);
|
||||
}
|
||||
} catch {
|
||||
// expected - KEK salt registration may fail for existing users
|
||||
}
|
||||
|
||||
const deviceInfo = parseUserAgent(req);
|
||||
|
||||
let dataUnlocked = false;
|
||||
|
||||
Reference in New Issue
Block a user