store password hash in config

2025-09-10 00:09:04 +00:00 · 2025-06-30 09:34:04 -04:00
parent 529c62b747
commit 3b27a393a5
3 changed files with 75 additions and 18 deletions
--- a/src/password_manager/config_manager.py
+++ b/src/password_manager/config_manager.py
@@ -37,7 +37,11 @@ class ConfigManager:
        """
        if not self.config_path.exists():
            logger.info("Config file not found; returning defaults")
-            return {"relays": list(DEFAULT_NOSTR_RELAYS), "pin_hash": ""}
+            return {
+                "relays": list(DEFAULT_NOSTR_RELAYS),
+                "pin_hash": "",
+                "password_hash": "",
+            }
        try:
            data = self.vault.load_config()
            if not isinstance(data, dict):
@@ -45,6 +49,14 @@ class ConfigManager:
            # Ensure defaults for missing keys
            data.setdefault("relays", list(DEFAULT_NOSTR_RELAYS))
            data.setdefault("pin_hash", "")
+            data.setdefault("password_hash", "")
+
+            # Migrate legacy hashed_password.enc if present and password_hash is missing
+            legacy_file = self.fingerprint_dir / "hashed_password.enc"
+            if not data.get("password_hash") and legacy_file.exists():
+                with open(legacy_file, "rb") as f:
+                    data["password_hash"] = f.read().decode()
+                self.save_config(data)
            if require_pin and data.get("pin_hash"):
                for _ in range(3):
                    pin = getpass.getpass("Enter settings PIN: ").strip()
@@ -95,3 +107,9 @@ class ConfigManager:
            self.set_pin(new_pin)
            return True
        return False
+
+    def set_password_hash(self, password_hash: str) -> None:
+        """Persist the bcrypt password hash in the config."""
+        config = self.load_config(require_pin=False)
+        config["password_hash"] = password_hash
+        self.save_config(config)