From 575749e970ac0e3d1f8cbe156e2312a920172301 Mon Sep 17 00:00:00 2001
From: zefie <zefie@zefie.net>
Date: Sun, 26 Apr 2026 17:22:30 -0400
Subject: [PATCH] password updates: fix couldnt password user_id 0, now encrypt
 instead of hash, backwards compatible

---
 .../wtv-setup/validate-change-password.js        |  2 +-
 .../includes/classes/WTVClientSessionData.js     | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-setup/validate-change-password.js b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-setup/validate-change-password.js
index 4c5712fc..220d6a40 100644
--- a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-setup/validate-change-password.js
+++ b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-setup/validate-change-password.js
@@ -19,7 +19,7 @@ if (session_data.user_id !== 0 && session_data.user_id !== parseInt(request_head
     data = errpage[1];
 }
 
-if (user_id && !errpage) {
+if (user_id >= 0 && !errpage) {
     headers = `200 OK
 Connection: Keep-Alive
 Content-Type: text/html`
diff --git a/zefie_wtvp_minisrv/includes/classes/WTVClientSessionData.js b/zefie_wtvp_minisrv/includes/classes/WTVClientSessionData.js
index 03c37553..acabca81 100644
--- a/zefie_wtvp_minisrv/includes/classes/WTVClientSessionData.js
+++ b/zefie_wtvp_minisrv/includes/classes/WTVClientSessionData.js
@@ -692,10 +692,16 @@ class WTVClientSessionData {
         return CryptoJS.AES.decrypt(crypt, this.cryptoKey).toString(CryptoJS.enc.Utf8);
     }
 
-    encodePassword(passwd) {
+
+    oldDecodePassword(passwd) {
         return CryptoJS.SHA512(passwd).toString(CryptoJS.enc.Base64);
     }
 
+    encodePassword(passwd) {
+        //return CryptoJS.SHA512(passwd).toString(CryptoJS.enc.Base64);
+        return this.encryptPassword(passwd);
+    }
+
     setUserPassword(passwd) {
         this.setSessionData("subscriber_password", this.encodePassword(passwd));
         this.saveSessionData();
@@ -723,7 +729,13 @@ class WTVClientSessionData {
 
     validateUserPassword(passwd) {
         if (!this.getUserPasswordEnabled()) return true; // no password is set so always validate
-        return (this.encodePassword(passwd) === this.getSessionData("subscriber_password"));
+        if (passwd === this.decryptPassword(this.getSessionData("subscriber_password"))) return true; // check against current encryption
+        else if (this.oldDecodePassword(passwd) === this.getSessionData("subscriber_password")) {
+            // if password matches old hash, update to new encryption
+            this.setUserPassword(passwd);
+            return true;
+        }
+        return false;
     }
 
     isUserLoggedIn() {