fix!: cache not being decrypted (#664)

Drew Smirnoff created

Change summary

config/encryption.go | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)

Detailed changes

config/encryption.go 🔗

@@ -262,23 +262,29 @@ func DisableSecureMode(cfg *Config) error {
 	// Find config.json path to skip it (handled separately below)
 	cfgPath, _ := configFile()
 
-	// Read and decrypt all cache files while we still have the session key
-	key := GetSessionKey()
+	// Copy the key so ClearSessionKey's in-place zeroing doesn't destroy it.
+	origKey := GetSessionKey()
+	key := make([]byte, len(origKey))
+	copy(key, origKey)
+
+	// Decrypt all cache files and write them back as plain data.
+	// We use Decrypt directly instead of toggling the session key, because
+	// ClearSessionKey zeroes the slice in-place which would corrupt our copy.
 	for _, f := range files {
 		if f == cfgPath {
 			continue
 		}
-		data, err := SecureReadFile(f)
+		encrypted, err := os.ReadFile(f)
 		if err != nil {
 			continue // File may not exist
 		}
-		// Write plain
-		ClearSessionKey()
-		if err := os.WriteFile(f, data, 0600); err != nil {
-			SetSessionKey(key) // Restore on error
+		plain, err := Decrypt(encrypted, key)
+		if err != nil {
+			continue // File may not be encrypted
+		}
+		if err := os.WriteFile(f, plain, 0600); err != nil {
 			return err
 		}
-		SetSessionKey(key)
 	}
 
 	// Clear session key so SaveConfig writes plain JSON and restores passwords to keyring