[PR #1243] [MERGED] Fix Key Rotation during password change. #6566

New Issue

Closed

opened 2026-03-07 21:01:03 -06:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-03-07 21:01:03 -06:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/1243
Author: @BlackDex
Created: 11/28/2020
Status: ✅ Merged
Merged: 12/14/2020
Merged by: @dani-garcia

Base: master ← Head: fix-key-rotate

---

📝 Commits (1)

• de86aa6 Fix Key Rotation during password change

📊 Changes

13 files changed (+83 additions, -18 deletions)

View changed files

➕ migrations/mysql/2020-12-09-173101_add_stamp_exception/down.sql (+0 -0)
➕ migrations/mysql/2020-12-09-173101_add_stamp_exception/up.sql (+1 -0)
➕ migrations/postgresql/2020-12-09-173101_add_stamp_exception/down.sql (+0 -0)
➕ migrations/postgresql/2020-12-09-173101_add_stamp_exception/up.sql (+1 -0)
➕ migrations/sqlite/2020-12-09-173101_add_stamp_exception/down.sql (+0 -0)
➕ migrations/sqlite/2020-12-09-173101_add_stamp_exception/up.sql (+1 -0)
📝 src/api/core/accounts.rs (+5 -4)
📝 src/auth.rs (+22 -10)
📝 src/db/models/mod.rs (+1 -1)
📝 src/db/models/user.rs (+49 -3)
📝 src/db/schemas/mysql/schema.rs (+1 -0)
📝 src/db/schemas/postgresql/schema.rs (+1 -0)
📝 src/db/schemas/sqlite/schema.rs (+1 -0)

📄 Description

When ticking the 'Also rotate my account's encryption key' box, the key
rotated ciphers are posted after the change of password.

During the password change the security stamp was reseted which made
the posted key's return an invalid auth. This reset is needed to prevent other clients from still being able to read/write.

This fixes this by adding a new database column which stores a stamp exception which includes the allowed route and the current security stamp before it gets reseted.
When the security stamp check fails it will check if there is a stamp exception and tries to match the route and security stamp.

Currently it only allows for one exception. But if needed we could expand it by using a Vec<UserStampException> and change the functions accordingly.

fixes #1240

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/1243 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 11/28/2020 **Status:** ✅ Merged **Merged:** 12/14/2020 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `master` ← **Head:** `fix-key-rotate` --- ### 📝 Commits (1) - [`de86aa6`](https://github.com/dani-garcia/vaultwarden/commit/de86aa671eec9d08ab0e0d4cdd30584606882732) Fix Key Rotation during password change ### 📊 Changes **13 files changed** (+83 additions, -18 deletions) <details> <summary>View changed files</summary> ➕ `migrations/mysql/2020-12-09-173101_add_stamp_exception/down.sql` (+0 -0) ➕ `migrations/mysql/2020-12-09-173101_add_stamp_exception/up.sql` (+1 -0) ➕ `migrations/postgresql/2020-12-09-173101_add_stamp_exception/down.sql` (+0 -0) ➕ `migrations/postgresql/2020-12-09-173101_add_stamp_exception/up.sql` (+1 -0) ➕ `migrations/sqlite/2020-12-09-173101_add_stamp_exception/down.sql` (+0 -0) ➕ `migrations/sqlite/2020-12-09-173101_add_stamp_exception/up.sql` (+1 -0) 📝 `src/api/core/accounts.rs` (+5 -4) 📝 `src/auth.rs` (+22 -10) 📝 `src/db/models/mod.rs` (+1 -1) 📝 `src/db/models/user.rs` (+49 -3) 📝 `src/db/schemas/mysql/schema.rs` (+1 -0) 📝 `src/db/schemas/postgresql/schema.rs` (+1 -0) 📝 `src/db/schemas/sqlite/schema.rs` (+1 -0) </details> ### 📄 Description When ticking the 'Also rotate my account's encryption key' box, the key rotated ciphers are posted after the change of password. During the password change the security stamp was reseted which made the posted key's return an invalid auth. This reset is needed to prevent other clients from still being able to read/write. This fixes this by adding a new database column which stores a stamp exception which includes the allowed route and the current security stamp before it gets reseted. When the security stamp check fails it will check if there is a stamp exception and tries to match the route and security stamp. Currently it only allows for one exception. But if needed we could expand it by using a `Vec<UserStampException>` and change the functions accordingly. fixes #1240 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-03-07 21:01:03 -06:00

GiteaMirror closed this issue 2026-03-07 21:01:03 -06:00

GiteaMirror referenced this issue 2026-03-07 21:17:42 -06:00

[PR #6566] [MERGED] Revert to gzip compression #7444

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#6566