Now the MainAccount CryptKey is sealed.

This way change-password extension, Oauth2 and others can easily change the cryptkey seal withoug loosing decrypt functionality

plugins/change-password/index.php

@@ -201,6 +201,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin
 		$oAccount->SetPassword($oNewPassword);
 		if ($oAccount instanceof \RainLoop\Model\MainAccount) {
 			$oActions->SetAuthToken($oAccount);
+			$oAccount->resealCryptKey($oPrevPassword);
 		}
 
 		return $this->jsonResponse(__FUNCTION__, $oActions->AppData(false));

plugins/login-oauth2/index.php

@@ -77,8 +77,8 @@ class LoginOAuth2Plugin extends \RainLoop\Plugins\AbstractPlugin
 			 * So we need to securely save a cryptkey.
 			 * Encrypted using the old/new refresh token is an option:
 			 *   1. decrypt cryptkey with the old refresh token
-			 *   2. $oAccount->SetCryptKey('cryptkey')
+			 *   2. encrypt cryptkey with the new refresh token
-			 *   3. encrypt cryptkey with the new refresh token
+			 *   = $oAccount->resealCryptKey(new \SnappyMail\SensitiveString('old refresh token'))
 			 */
 		}
 	}

snappymail/v/0.0.0/app/libraries/RainLoop/Model/MainAccount.php

@@ -10,59 +10,46 @@ use SnappyMail\SensitiveString;
 class MainAccount extends Account
 {
 	private ?SensitiveString $sCryptKey = null;
-/*
+
-	public function resealCryptKey(
+	public function resealCryptKey(SensitiveString $oOldPass) : bool
-		#[\SensitiveParameter]
-		string $sOldPass,
-		#[\SensitiveParameter]
-		string $sNewPass
-	) : bool
 	{
-		$oStorage = \RainLoop\Api::Actions()->StorageProvider();
+		$sKey = $this->CryptKey();
-		$sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
 		if ($sKey) {
-			$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sOldPass);
+			$sKey = \SnappyMail\Crypt::EncryptToJSON(\bin2hex($sKey), $this->IncPassword());
 			if ($sKey) {
-				$sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $sNewPass);
+				\RainLoop\Api::Actions()->StorageProvider()->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
+				$sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
 				if ($sKey) {
-					$oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
+					$this->sCryptKey = new SensitiveString(\hex2bin($sKey));
-					$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sNewPass);
-					$this->SetCryptKey($sKey);
-					return true;
 				}
+				return true;
 			}
 		}
 		return false;
 	}
-*/
+
 	public function CryptKey() : string
 	{
 		if (!$this->sCryptKey) {
-			$sKey = \sha1($this->IncPassword() . APP_SALT, true);
-/*
 			// Seal the cryptkey so that people who change their login password
 			// can use the old password to re-seal the cryptkey
 			$oStorage = \RainLoop\Api::Actions()->StorageProvider();
 			$sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
 			if (!$sKey) {
-				$sKey = \sha1($this->IncPassword() . APP_SALT, true);
+				$sKey = \SnappyMail\Crypt::EncryptToJSON(
-				$sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $this->IncPassword());
+					\sha1($this->IncPassword() . APP_SALT),
+					$this->IncPassword()
+				);
 				$oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
 			}
-			$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $this->IncPassword());
+			$sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
-*/
+			if ($sKey) {
-			$this->SetCryptKey($sKey);
+				$this->sCryptKey = new SensitiveString(\hex2bin($sKey));
+			}
 		}
 		return $this->sCryptKey;
 	}
 
-	public function SetCryptKey(
-		#[\SensitiveParameter]
-		string $sKey
-	) : void
-	{
-		$this->sCryptKey = new SensitiveString($sKey);
-	}
 /*
 	// Stores settings in MainAccount
 	public function settings() : \RainLoop\Settings