From 6c7dfe02f53e6c34b0c1a25c69d214f6295a58e9 Mon Sep 17 00:00:00 2001
From: Jason Staack
Date: Mon, 9 Mar 2026 21:30:09 -0500
Subject: [PATCH] fix(frontend): show Secret Key field when IndexedDB key is stale
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a user logs in from a browser with an outdated Secret Key in IndexedDB (e.g. after server rebuild/re-enrollment), the SRP handshake fails with 401 but the Secret Key input field was never shown — leaving the user stuck with no way to enter their current key. Now detects stale-key 401s and prompts for manual Secret Key entry.
Co-Authored-By: Claude Opus 4.6
---
 frontend/src/lib/auth.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/frontend/src/lib/auth.ts b/frontend/src/lib/auth.ts
index e0ce9fd..ebe3436 100644
--- a/frontend/src/lib/auth.ts
+++ b/frontend/src/lib/auth.ts
@@ -159,7 +159,14 @@ export const useAuth = create((set, get) => ({
 const detail = axErr?.response?.data?.detail ?? ''
 let message: string
 if (axErr?.response?.status === 401) {
- // SRP proof failed — wrong password, wrong Secret Key, or stale credentials
+ // SRP proof failed — wrong password, wrong Secret Key, or stale credentials.
+ // If the user didn't manually provide a key, the stored IndexedDB key is wrong
+ // (e.g. server was rebuilt, user re-enrolled). Show the Secret Key field so they
+ // can enter their current key from their Emergency Kit.
+ if (!secretKeyInput) {
+ set({ needsSecretKey: true, isLoading: false, isDerivingKeys: false, error: 'This device has an outdated Secret Key. Please enter your current Secret Key from your Emergency Kit.' })
+ return
+ }
 message = 'Sign in failed. Check your password and Secret Key. If you lost your Secret Key, use "Forgot password?" to reset your account and get a new one.'
 } else if (detail.includes('initialization failed')) {
 message = 'Authentication setup failed. Please try again or reset your password.'
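Review bot: The new `if (!secretKeyInput)` branch treats every 401 without a typed key as a stale stored key, but the comment directly above it says the same 401 also covers a wrong password, and the client cannot tell the two apart. A user who mistypes the password on a device whose IndexedDB key is valid is told the device key is outdated and is asked to type the Secret Key, which exposes that secret more often than needed and hides the likelier cause. Word the prompt neutrally, e.g. `error: 'Sign in failed. Check your password; if it is correct, enter your current Secret Key from your Emergency Kit.'`, and add a comment stating that the stale-key diagnosis is a guess. Whether the outdated IndexedDB entry is replaced after a later successful manual entry is not visible here; `secretKeyInput` and the rest of the handler lie outside the hunk.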