fix(ppsk): embedded PPSKs update via WLAN config, not /rest/ppsk

Embedded PPSKs live inside the parent WLAN's private_preshared_keys
array — they have no controller-side _id and the synthetic emb_<hash>
we generate locally isn't a real REST id. Hitting /rest/ppsk/emb_xxx
returns HTTP 400/503, which is what the GUEST PPSK rotation was
failing on at the scheduled 3pm run.

* New UnifiApiClient::updateEmbeddedPpsk($wlanId, $oldPass, $newPass):
  GETs /rest/wlanconf/{wlanId}, finds the matching entry in
  private_preshared_keys by current passphrase, swaps the value while
  preserving whichever field name the controller uses (x_passphrase /
  password / passphrase), and PUTs the whole WLAN object back.
* RotatePasswords detects emb_-prefixed unifi_ids and routes through
  the embedded path. The synthetic id is rederived from the new
  passphrase so the DB row stays addressable.
* WifiController::ppskUpdate (manual modal save) does the same — this
  is why manual edits sometimes appeared to succeed but the controller
  side actually rejected them.

Verified live against the GUEST PPSK on 10.81.0.1.
v1.5.5.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 18:14:45 -04:00
parent c89adeea97
commit 27c1584dc3
4 changed files with 77 additions and 5 deletions

@@ -291,11 +291,18 @@ class WifiController extends Controller
fn ($v) => $v !== null
);
if (! empty($unifiUpdate)) {
$unifi->updatePpsk($record->unifi_id, $unifiUpdate);
if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
// Embedded PPSK update path — modify the WLAN's embedded array.
$unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']);
// Synthetic id is derived from the new passphrase.
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32);
} else {
$unifi->updatePpsk($record->unifi_id, $unifiUpdate);
}
}
}
$dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase']));
$dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase', 'unifi_id']));
// vlan can be explicitly set to null
if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
if (! empty($dbUpdate)) $record->update($dbUpdate);
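
Review bot: The condition `str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])` lets an emb_ record whose update carries no new passphrase (a name-only edit, for example) fall through to the else branch, where `$unifi->updatePpsk($record->unifi_id, $unifiUpdate)` issues the same /rest/ppsk/emb_xxx request that the commit message says returns HTTP 400/503. Branch on the emb_ prefix alone and handle the passphrase and non-passphrase cases inside that branch, so an embedded id can never reach updatePpsk. Within the embedded branch only the passphrase is passed to updateEmbeddedPpsk; any other keys in $unifiUpdate are not sent to the controller, yet `name` is still written to the database by the later `$record->update($dbUpdate)`, so the two sides can drift apart on a combined edit. The new unifi_id is a truncated, unkeyed SHA-256 over `$record->wlan_id . ':' . $unifiUpdate['x_passphrase']`, so wherever that id is exposed without the passphrase (logs, URLs, API responses) it allows offline guessing of the passphrase; deriving it with an HMAC under a server-side key would keep it re-derivable without that property. The hunk also shows no handling for the case where updateEmbeddedPpsk finds no entry matching `$record->x_passphrase`; confirm it raises an error before `unifi_id` and `x_passphrase` are persisted, otherwise the row ends up pointing at a key the controller never accepted.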