change salts on password change + more robust handling of decryption failures

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "trilium",
-  "version": "0.44.3-beta",
+  "version": "0.44.4",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

src/entities/note.js

@@ -805,7 +805,7 @@ class Note extends Entity {
      * @returns {boolean} - true if note has children
      */
     hasChildren() {
-        return (this.getChildNotes()).length > 0;
+        return this.getChildNotes().length > 0;
     }
 
     /**

src/services/change_password.js

@@ -14,10 +14,14 @@ function changePassword(currentPassword, newPassword) {
         };
     }
 
-    const newPasswordVerificationKey = utils.toBase64(myScryptService.getVerificationHash(newPassword));
-    const decryptedDataKey = passwordEncryptionService.getDataKey(currentPassword);
-
     sql.transactional(() => {
+        const decryptedDataKey = passwordEncryptionService.getDataKey(currentPassword);
+
+        optionService.setOption('passwordVerificationSalt', utils.randomSecureToken(32));
+        optionService.setOption('passwordDerivedKeySalt', utils.randomSecureToken(32));
+
+        const newPasswordVerificationKey = utils.toBase64(myScryptService.getVerificationHash(newPassword));
+
         passwordEncryptionService.setDataKey(newPassword, decryptedDataKey);
 
         optionService.setOption('passwordVerificationHash', newPasswordVerificationKey);

src/services/note_cache/entities/note.js

@@ -327,7 +327,7 @@ class Note {
 
     decrypt() {
         if (this.isProtected && !this.isDecrypted && protectedSessionService.isProtectedSessionAvailable()) {
-            this.title = protectedSessionService.decryptString(note.title);
+            this.title = protectedSessionService.decryptString(this.title);
 
             this.isDecrypted = true;
         }

src/services/note_cache/note_cache_loader.js

@@ -4,6 +4,7 @@ const sql = require('../sql.js');
 const eventService = require('../events.js');
 const noteCache = require('./note_cache');
 const sqlInit = require('../sql_init');
+const log = require('../log');
 const Note = require('./entities/note');
 const Branch = require('./entities/branch');
 const Attribute = require('./entities/attribute');
@@ -147,7 +148,12 @@ eventService.subscribe([eventService.ENTITY_CHANGED, eventService.ENTITY_DELETED
 });
 
 eventService.subscribe(eventService.ENTER_PROTECTED_SESSION, () => {
-    noteCache.decryptProtectedNotes();
+    try {
+        noteCache.decryptProtectedNotes();
+    }
+    catch (e) {
+        log.error(`Could not decrypt protected notes: ${e.message} ${e.stack}`);
+    }
 });
 
 module.exports = {

src/services/protected_session.js

@@ -1,6 +1,7 @@
 "use strict";
 
 const utils = require('./utils');
+const log = require('./log');
 const dataEncryptionService = require('./data_encryption');
 const cls = require('./cls');
 
@@ -35,11 +36,16 @@ function isProtectedSessionAvailable() {
 }
 
 function decryptNotes(notes) {
-    for (const note of notes) {
+    try {
-        if (note.isProtected) {
+        for (const note of notes) {
-            note.title = decryptString(note.title);
+            if (note.isProtected) {
+                note.title = decryptString(note.title);
+            }
         }
     }
+    catch (e) {
+        log.error(`Could not decrypt protected notes: ${e.message} ${e.stack}`);
+    }
 }
 
 function encrypt(plainText) {