From 5d5f12a5ac2da638b0d732cfbd2ea4181fbeb71b Mon Sep 17 00:00:00 2001
From: fufesou
Date: Thu, 19 Mar 2026 21:23:12 +0800
Subject: [PATCH] fix(password): guard set_permanent_password_storage_for_sync()

Signed-off-by: fufesou
---
 src/config.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/config.rs b/src/config.rs
index e44a27fde..558019772 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1312,6 +1312,19 @@ impl Config {
             return Err(anyhow!("Invalid hashed permanent password storage"));
         }
 
+        // For hashed permanent password storage, `storage` and `salt` must be consistent as a pair.
+        //
+        // In theory, it should be impossible to observe "same storage but different salt" for a
+        // correct sync source. However, accepting such an update would persist an invalid
+        // (storage, salt) pair and make permanent-password verification fail for all inputs
+        // (effective lockout) until the password is reset. The impact is high enough that a
+        // defensive check here is worthwhile even if it is rarely triggered in practice.
+        if config.password == storage && config.salt != salt {
+            return Err(anyhow!(
+                "Refusing to change salt without updating hashed permanent password storage"
+            ));
+        }
+
         if config.password == storage && config.salt == salt {
             return Ok(false);
         }
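Review bot: The new guard rejects a salt change that leaves `storage` untouched, but nothing in the hunk validates `salt` on its own the way `storage` is validated by the `Invalid hashed permanent password storage` branch just above it; a sync update that carries a new `storage` together with an empty or malformed `salt` would still persist a pair that fails verification for every input, which is exactly the lockout the added comment describes. Unless such a check already exists earlier in the function (the function starts and ends outside this hunk), mirror the storage validation before the pair check, e.g. `if salt.is_empty() { return Err(anyhow!("Invalid salt for hashed permanent password storage")); }`. As a point of style, the two adjacent `config.password == storage` tests could become a single `if config.password == storage { … }` with the salt comparison inside, so the pair invariant reads as one decision rather than two partially overlapping conditions.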