fix(auth): invalidate password hash cache in save_settings() on password change

Lucas Coutinho
2026-05-13 14:08:37 -03:00
parent 978dbc15d8
commit 2bcf411519
+9
@@ -4039,15 +4039,18 @@ def save_settings(settings: dict) -> dict:
theme_was_explicit = False
skin_was_explicit = False
# Handle _set_password: hash and store as password_hash
_password_changed = False
raw_pw = settings.pop("_set_password", None)
if raw_pw and isinstance(raw_pw, str) and raw_pw.strip():
# Use PBKDF2 from auth module (600k iterations) -- never raw SHA-256
from api.auth import _hash_password
current["password_hash"] = _hash_password(raw_pw.strip())
_password_changed = True
# Handle _clear_password: explicitly disable auth
if settings.pop("_clear_password", False):
current["password_hash"] = None
_password_changed = True
for k, v in settings.items():
if k in _SETTINGS_ALLOWED_KEYS:
if k == "theme":
@@ -4089,6 +4092,12 @@ def save_settings(settings: dict) -> dict:
json.dumps(persisted, ensure_ascii=False, indent=2),
encoding="utf-8",
)
# Invalidate the in-memory password hash cache so the next call to
# get_password_hash() picks up the new value from disk immediately.
if _password_changed:
from api.auth import _invalidate_password_hash_cache
_invalidate_password_hash_cache()
# Update runtime defaults so new sessions use them immediately
global DEFAULT_WORKSPACE
if "default_workspace" in current:
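Review bot: The `_invalidate_password_hash_cache()` call in the second hunk makes the new hash visible to this process' `get_password_hash()`, but nothing in the hunk revokes sessions or tokens issued under the old password, so if api.auth keeps any session state apart from this cache, a session established before the change (or before a `_clear_password` that disables auth entirely) is unaffected by it — confirm against api.auth, and if so revoke those sessions here as well. The flush is also in-process: if the service runs more than one worker, the other workers keep their cached hash until their own reload, which is worth stating in the comment, e.g. `# Process-local: other workers (if any) pick up the new hash only on their next cache miss; existing sessions are not revoked here.` Placing the flush after the `json.dumps(persisted, ...)` write is the right order, since a failed write then leaves disk and cache consistent with each other. save_settings() starts before the first hunk and continues past the last line shown.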