From 2bcf411519b79cdaa7c997a69ac9de0ffb880def Mon Sep 17 00:00:00 2001
From: Lucas Coutinho
Date: Wed, 13 May 2026 14:08:37 -0300
Subject: [PATCH] fix(auth): invalidate password hash cache in save_settings() on password change
---
api/config.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/api/config.py b/api/config.py
index d44c1039..b0f88604 100644
--- a/api/config.py
+++ b/api/config.py
@@ -4039,15 +4039,18 @@ def save_settings(settings: dict) -> dict:
theme_was_explicit = False
skin_was_explicit = False
# Handle _set_password: hash and store as password_hash
+ _password_changed = False
raw_pw = settings.pop("_set_password", None)
if raw_pw and isinstance(raw_pw, str) and raw_pw.strip():
# Use PBKDF2 from auth module (600k iterations) -- never raw SHA-256
from api.auth import _hash_password
current["password_hash"] = _hash_password(raw_pw.strip())
+ _password_changed = True
# Handle _clear_password: explicitly disable auth
if settings.pop("_clear_password", False):
current["password_hash"] = None
+ _password_changed = True
for k, v in settings.items():
if k in _SETTINGS_ALLOWED_KEYS:
if k == "theme":
@@ -4089,6 +4092,12 @@ def save_settings(settings: dict) -> dict:
json.dumps(persisted, ensure_ascii=False, indent=2),
encoding="utf-8",
)
+ # Invalidate the in-memory password hash cache so the next call to
+ # get_password_hash() picks up the new value from disk immediately.
+ if _password_changed:
+ from api.auth import _invalidate_password_hash_cache
+
+ _invalidate_password_hash_cache()
# Update runtime defaults so new sessions use them immediately
global DEFAULT_WORKSPACE
if "default_workspace" in current:
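Review bot: The new flag is named `_password_changed`, but a leading underscore on a function-local variable carries no meaning in Python (it marks non-public module or class attributes); the plain `password_changed = False` reads as an ordinary local and matches `raw_pw` two lines below. Its only consumer is in the second hunk, some fifty lines further down, so a short comment at the declaration would help the reader, e.g. `# True when password_hash was set or cleared; drives the auth cache invalidation after the file is written`. When a request carries both `_set_password` and `_clear_password`, the clear branch runs second and wins; that precedence is pre-existing, but the flag being set in both branches makes it worth confirming in a one-line comment. save_settings starts before and continues past this hunk.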
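Review bot: The patch's leading whitespace has been collapsed, so it is not certain from this view whether `_invalidate_password_hash_cache()` sits inside the `if _password_changed:` body; the blank `+` line between the local import and the call suggests they may be at different indents, and if the call is at the `if` level the name is unbound (NameError) on every save that does not change the password, because the import only executes inside the branch. Keep the import and the call adjacent in the branch body and drop the blank line: `if _password_changed:` / `    from api.auth import _invalidate_password_hash_cache` / `    _invalidate_password_hash_cache()`. The invalidation must stay after the file write just above (the `json.dumps(persisted, ...)` / `encoding="utf-8"` call), otherwise a concurrent `get_password_hash()` could repopulate the cache from the old file before the new hash lands; a comment stating that ordering constraint, e.g. `# Must run after the settings file is written: an earlier invalidation could be refilled from stale disk state`, would stop a later refactor from moving it. The diffstat shows only api/config.py changed, so no regression test pins that `get_password_hash()` returns the new (or cleared) hash immediately after `save_settings({"_set_password": ...})`. save_settings continues past this hunk.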