From 91320a4eba542d8542e2d1c8346c49168ecc52ed Mon Sep 17 00:00:00 2001
From: shuaiplus <2327005759@qq.com>
Date: Wed, 10 Jun 2026 13:44:43 +0800
Subject: [PATCH] fix: persist offline unlock record during passkey PRF login

- Add fallbackKdfIterations parameter to completeLoginWithVaultKeys
- Save offline unlock record (email, profile, profileKey, kdfIterations) when completing vault-key-based login, ensuring offline unlock works after passkey (PRF) authentication
- Pass through fallbackIterations from performPasskeyLogin caller
- Add .reasonix/ to .gitignore
---
 .gitignore | 2 ++
 webapp/src/lib/app-auth.ts | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index c236c6b..b30e475 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,5 @@ NodeWarden-compat/
 .codex-upstream/bitwarden-clients/
 .codex-upstream/bitwarden-web/
 .codex-upstream/bitwarden-browser/
+
+.reasonix/
diff --git a/webapp/src/lib/app-auth.ts b/webapp/src/lib/app-auth.ts
index 90af556..4d1fe1b 100644
--- a/webapp/src/lib/app-auth.ts
+++ b/webapp/src/lib/app-auth.ts
@@ -363,7 +363,8 @@ function readPasskeyPrfOption(token: TokenSuccess): AccountPasskeyPrfOption | nu
 async function completeLoginWithVaultKeys(
 token: TokenSuccess,
 email: string,
- keys: { symEncKey: string; symMacKey: string }
+ keys: { symEncKey: string; symMacKey: string },
+ fallbackKdfIterations: number
 ): Promise {
 const normalizedEmail = email.trim().toLowerCase();
 const fallbackProfile = loadProfileSnapshot(normalizedEmail);
@@ -378,6 +379,12 @@ async function completeLoginWithVaultKeys(
 () => {}
 );
 const profile = buildTransientProfile(token, normalizedEmail, fallbackProfile);
+ saveOfflineUnlockRecord({
+ email: normalizedEmail,
+ profile,
+ profileKey: profile.key,
+ kdfIterations: kdfIterationsFromLogin(token, fallbackKdfIterations),
+ });
 return {
 session: { ...baseSession, ...keys },
 profile,
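Review bot: `fallbackKdfIterations` is added to the signature of `completeLoginWithVaultKeys` as a required positional number with no comment saying when it is consulted. From the later hunk it appears to matter only when the token response carries no KDF iteration count. A doc comment on the function, for example `/** Completes a vault-key login and persists an offline unlock record; fallbackKdfIterations is used when the token has no KDF iteration count. */`, would also make the new write to persistent storage visible to anyone calling it. The function body continues outside this hunk.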
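Review bot: The added `saveOfflineUnlockRecord({ … })` call runs unguarded on the login path, so if the helper throws (its implementation is outside this diff) a passkey login that would otherwise succeed is rejected. It also stores `profileKey: profile.key` from a transient profile without checking that the key is present, which could replace a usable offline record with one that cannot unlock anything. I would skip the write when `profile.key` is empty and wrap the call as `try { saveOfflineUnlockRecord({ … }); } catch { /* offline unlock is best-effort */ }`. Because this record stays on the device after the session ends, it is worth confirming that the password-login path applies the same persistence rules; that path is not visible here.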
@@ -448,7 +455,7 @@ export async function performPasskeyLogin(fallbackIterations: number, expectedEm
 const keys = await unlockVaultKeyWithAccountPasskeyPrf(assertion.prfKey, prfOption);
 return {
 kind: 'success',
- login: await completeLoginWithVaultKeys(token, email, keys),
+ login: await completeLoginWithVaultKeys(token, email, keys, fallbackIterations),
 };
 }