fix(banded ssid): match embedded PPSK by name first, passphrase fallback

The sibling-update path on prod failed with "Embedded PPSK not found by current passphrase" because the DB-stored x_passphrase on the unedited band was stale — earlier manual edits (pre-1.8.1) only touched one band, leaving the other band's row out of sync. When rotation then tried to use that stale passphrase to find the entry, no match. updateEmbeddedPpsk now takes an optional $name parameter and tries it first. PPSK names within a WLAN are unique, so name-matching survives any passphrase drift caused by historical out-of-band edits. Passphrase matching stays as a fallback for callers that don't have a name (none currently — both rotation and the manual modal pass it). v1.9.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 20:38:10 -04:00
parent 2be17c70db
commit 720e94c54a
4 changed files with 51 additions and 30 deletions
--- a/src/Console/RotatePasswords.php
+++ b/src/Console/RotatePasswords.php
@@ -81,24 +81,22 @@ class RotatePasswords extends Command
                try {
                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
                        // Embedded PPSK: update inside the parent WLAN object.
-                        // Synthetic ID is derived from the new passphrase, so update it too.
-                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        // Match by name (most reliable) — falls back to
+                        // passphrase if name is missing.
+                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
-                        $oldPass = $ppsk->x_passphrase;
                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);

                        // Sibling WLANs (same SSID name on a different band):
-                        // their embedded PPSK with the same name also needs
-                        // to rotate to the same new password so the SSID's
-                        // 2.4/5GHz halves stay in sync.
+                        // rotate the matching-name PPSK in each so the
+                        // SSID's 2.4/5GHz halves stay in sync.
                        foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) {
                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
                                ->where('name', $ppsk->name)
                                ->where('state', 'active')
                                ->first();
-                            $siblingOldPass = $sibling?->x_passphrase ?? $oldPass;
                            try {
-                                $unifi->updateEmbeddedPpsk($siblingWlanId, $siblingOldPass, $newPass);
+                                $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
                                if ($sibling) {
                                    $sibling->update([
                                        'x_passphrase' => $newPass,