From c58cb067f2b7e6f0bea83458095f567740e5f429 Mon Sep 17 00:00:00 2001
From: Sushanth Reddy <sushanthreddyk290395@gmail.com>
Date: Thu, 4 Jun 2026 03:29:40 +0530
Subject: [PATCH] fix(calendar): avoid double-encrypting CalDAV password

cfg is loaded from prefs and already holds the existing, already-encrypted
password. When the edit form was re-submitted without re-typing the
password, the elif branch called encrypt() on that stored ciphertext,
compounding the encryption on every save and eventually breaking sync with
a decrypt error.

Drop the elif branch: the stored value is preserved as-is, and we only
encrypt when a new password is actually supplied.

Fixes #1915

Co-authored-by: EkaTantra Dev <dev@ekatantra.com>
---
 routes/calendar_routes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/routes/calendar_routes.py b/routes/calendar_routes.py
index 1352e40..bdddaec 100644
--- a/routes/calendar_routes.py
+++ b/routes/calendar_routes.py
@@ -598,12 +598,12 @@ def setup_calendar_routes() -> APIRouter:
         cfg["username"] = (body.get("username") or "").strip()
         # Preserve the stored password when the client sends an empty
         # one (edit form re-submitted without re-typing the password).
+        # cfg already holds the existing (already-encrypted) password from
+        # prefs, so we only touch it when a new password is supplied —
+        # re-encrypting the stored value would double-encrypt it.
         if body.get("password"):
             from src.secret_storage import encrypt
             cfg["password"] = encrypt(body["password"])
-        elif cfg.get("password"):
-            from src.secret_storage import encrypt
-            cfg["password"] = encrypt(cfg["password"])
         prefs["caldav"] = cfg
         _save_for_user(owner, prefs)
         return {"ok": True}