From de30095737f7ae9168aa6a4684b583fca6c93c1d Mon Sep 17 00:00:00 2001 From: zadam Date: Fri, 25 Sep 2020 20:55:45 +0200 Subject: [PATCH] change salts on password change + more robust handling of decryption failures --- package-lock.json | 2 +- src/entities/note.js | 2 +- src/services/change_password.js | 10 +++++++--- src/services/note_cache/entities/note.js | 2 +- src/services/note_cache/note_cache_loader.js | 8 +++++++- src/services/protected_session.js | 12 +++++++++--- 6 files changed, 26 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 42014c0a1..4aeaa7bbd 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "trilium", - "version": "0.44.3-beta", + "version": "0.44.4", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/src/entities/note.js b/src/entities/note.js index 1db0e8abb..5bb4326a3 100644 --- a/src/entities/note.js +++ b/src/entities/note.js @@ -805,7 +805,7 @@ class Note extends Entity { * @returns {boolean} - true if note has children */ hasChildren() { - return (this.getChildNotes()).length > 0; + return this.getChildNotes().length > 0; } /** diff --git a/src/services/change_password.js b/src/services/change_password.js index ed59a1808..b06e71328 100644 --- a/src/services/change_password.js +++ b/src/services/change_password.js 
@@ -14,10 +14,14 @@ function changePassword(currentPassword, newPassword) { }; } - const newPasswordVerificationKey = utils.toBase64(myScryptService.getVerificationHash(newPassword)); - const decryptedDataKey = passwordEncryptionService.getDataKey(currentPassword); - sql.transactional(() => { + const decryptedDataKey = passwordEncryptionService.getDataKey(currentPassword); + + optionService.setOption('passwordVerificationSalt', utils.randomSecureToken(32)); + optionService.setOption('passwordDerivedKeySalt', utils.randomSecureToken(32)); + + const newPasswordVerificationKey = utils.toBase64(myScryptService.getVerificationHash(newPassword)); + passwordEncryptionService.setDataKey(newPassword, decryptedDataKey); optionService.setOption('passwordVerificationHash', newPasswordVerificationKey); diff --git a/src/services/note_cache/entities/note.js b/src/services/note_cache/entities/note.js index 0ed575941..7186eb9d0 100644 --- a/src/services/note_cache/entities/note.js +++ b/src/services/note_cache/entities/note.js @@ -327,7 +327,7 @@ class Note { decrypt() { if (this.isProtected && !this.isDecrypted && protectedSessionService.isProtectedSessionAvailable()) { - this.title = protectedSessionService.decryptString(note.title); + this.title = protectedSessionService.decryptString(this.title); this.isDecrypted = true; } diff --git a/src/services/note_cache/note_cache_loader.js b/src/services/note_cache/note_cache_loader.js index 6129bf07f..eca5b6d83 100644 --- a/src/services/note_cache/note_cache_loader.js +++ b/src/services/note_cache/note_cache_loader.js @@ -4,6 +4,7 @@ const sql = require('../sql.js'); const eventService = require('../events.js'); const noteCache = require('./note_cache'); const sqlInit = require('../sql_init'); +const log = require('../log'); const Note = require('./entities/note'); const Branch = require('./entities/branch'); const Attribute = require('./entities/attribute'); 
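Review bot: `decryptedDataKey` goes straight into `passwordEncryptionService.setDataKey(newPassword, decryptedDataKey)` with no check that decrypting with `currentPassword` actually produced a key. How `getDataKey` reports failure is not visible here, but if it can return a falsy value instead of throwing, the transaction would commit fresh salts, a new verification hash and a re-wrapped invalid key, and protected notes would become unrecoverable. A guard directly after the `getDataKey` call, such as `if (!decryptedDataKey) { throw new Error('Could not decrypt data key with current password'); }`, would stop before any option is written, assuming `sql.transactional` rolls back on a throw. The new statement order also matters (presumably the hash and the wrapped key are derived from the salts just written), so a comment like `// rotate salts first: the verification hash and wrapped data key below must use the new salts` would help. The body of `changePassword` starts and ends outside this hunk.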
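Review bot: In `decrypt()` of src/services/note_cache/entities/note.js, `this.isDecrypted = true` is set unconditionally after `this.title = protectedSessionService.decryptString(this.title)`. If `decryptString` can signal failure by return value rather than by throwing (not visible in this hunk), the ciphertext title is overwritten with that value and the note is never retried in a later protected session. Holding the result in a local, e.g. `const title = protectedSessionService.decryptString(this.title);`, and assigning `this.title` and the flag only on success would keep the cache entry recoverable. `decrypt()` continues past the end of the hunk.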
@@ -147,7 +148,12 @@ eventService.subscribe([eventService.ENTITY_CHANGED, eventService.ENTITY_DELETED }); eventService.subscribe(eventService.ENTER_PROTECTED_SESSION, () => { - noteCache.decryptProtectedNotes(); + try { + noteCache.decryptProtectedNotes(); + } + catch (e) { + log.error(`Could not decrypt protected notes: ${e.message} ${e.stack}`); + } }); module.exports = { diff --git a/src/services/protected_session.js b/src/services/protected_session.js index ebf4b998f..6b351320c 100644 --- a/src/services/protected_session.js +++ b/src/services/protected_session.js @@ -1,6 +1,7 @@ "use strict"; const utils = require('./utils'); +const log = require('./log'); const dataEncryptionService = require('./data_encryption'); const cls = require('./cls'); @@ -35,11 +36,16 @@ function isProtectedSessionAvailable() { } function decryptNotes(notes) { - for (const note of notes) { - if (note.isProtected) { - note.title = decryptString(note.title); + try { + for (const note of notes) { + if (note.isProtected) { + note.title = decryptString(note.title); + } } } + catch (e) { + log.error(`Could not decrypt protected notes: ${e.message} ${e.stack}`); + } } function encrypt(plainText) {
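Review bot: In `decryptNotes` (src/services/protected_session.js) the `try` wraps the whole `for` loop, so the first title that fails to decrypt ends the loop and every later protected note keeps its ciphertext title, with a single log line that does not say which note failed. Moving the `try`/`catch` inside the loop, around `note.title = decryptString(note.title);`, confines the failure to that one note. The `ENTER_PROTECTED_SESSION` handler in note_cache_loader.js has the same batch-level catch around `noteCache.decryptProtectedNotes()`; whether that method isolates per-note failures is not visible here. Both catches also swallow the error, so callers cannot tell that the protected session was entered with notes still undecrypted; returning or logging a failure count would make that state detectable.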