fix(ppsk sync): match by name + salvage settings, prune dup tombstones

Every rotation changes an embedded PPSK's synthetic id (it's derived from sha256(wlan_id : passphrase)). The ingest sync matched only by unifi_id, so after rotation the row's id was "new" — the sync created a fresh active row and marked the previous one held. Over multiple rotations this accumulated: each rotation left a held tombstone, and the rotate_password / schedule flags were stuck on the original tombstone instead of transferring to the new active row. Dev's GUEST PPSK had 3 rows after a few rotations: two held (with rotate_password=true on the first), one active with rotate=false. Future rotations would silently skip that PPSK because the active row no longer had the rotate flag set. Fix in three layers, all in WifiController::ppskIndex: 1. Match priority extended: unifi_id → name within wlan → held by passphrase. The name match means a passphrase change just updates the existing row in place. No more new-row creation per rotation. 2. Salvage step before pruning: for each active row, scan held tombstones with the same name and copy over rotate_password and schedule. Operator's rotation opt-in survives history. 3. Prune step: held rows with the same name as an active row in the same wlan are now hard-deleted (their settings were just salvaged, their data is stale). Keeps the WiFi modal clean instead of accumulating phantoms. v1.10.2. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(banded ssid): treat "PPSK not on this band" as a quiet skip
2026-05-24 20:49:26 -04:00 · 2026-05-24 20:43:10 -04:00 · 2026-05-24 20:40:13 -04:00 · 2026-05-24 20:38:10 -04:00 · 2026-05-24 20:33:48 -04:00 · 2026-05-24 20:32:15 -04:00
4 changed files with 205 additions and 26 deletions
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
    "name": "dashboard/unifi",
    "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.7.1",
+    "version": "1.10.2",
    "type": "library",
    "license": "MIT",
    "autoload": {
--- a/src/Console/RotatePasswords.php
+++ b/src/Console/RotatePasswords.php
@@ -81,15 +81,57 @@ class RotatePasswords extends Command
                try {
                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
                        // Embedded PPSK: update inside the parent WLAN object.
-                        // Synthetic ID is derived from the new passphrase, so update it too.
-                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        // Match by name (most reliable) — falls back to
+                        // passphrase if name is missing.
+                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
+
+                        // Sibling WLANs (same SSID name on a different band):
+                        // rotate the matching-name PPSK in each so the
+                        // SSID's 2.4/5GHz halves stay in sync.
+                        foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) {
+                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
+                                ->where('name', $ppsk->name)
+                                ->where('state', 'active')
+                                ->first();
+                            try {
+                                $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
+                                if ($sibling) {
+                                    $sibling->update([
+                                        'x_passphrase' => $newPass,
+                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
+                                    ]);
+                                }
+                            } catch (\Throwable $e) {
+                                // "Not found" in a sibling just means the
+                                // PPSK isn't mirrored on that band — totally
+                                // normal if GUEST was only configured on one
+                                // band. Skip quietly; don't poison the
+                                // run status.
+                                if (str_contains($e->getMessage(), 'not found')) {
+                                    \Illuminate\Support\Facades\Log::info('unifi.ppsk_sibling_skipped', [
+                                        'sibling_wlan' => $siblingWlanId,
+                                        'ppsk_name'    => $ppsk->name,
+                                    ]);
+                                    continue;
+                                }
+                                $this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
+                                $failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
+                            }
+                        }
                    } else {
                        $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
                        $ppsk->update(['x_passphrase' => $newPass]);
                    }
                    $rotatedPpsks[] = $ppsk->name;
+
+                    // Save the active password every time a rotation
+                    // succeeds — covers PPSK-only rotation setups where
+                    // there's no whole-SSID rotation. Last successful
+                    // password wins if multiple PPSKs rotate in one run.
+                    Setting::set('unifi.password_rotation.last_password', $newPass);
+                    Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
                } catch (\Throwable $e) {
                    $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
                    $failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];
--- a/src/Http/Controllers/WifiController.php
+++ b/src/Http/Controllers/WifiController.php
@@ -149,8 +149,18 @@ class WifiController extends Controller
                    $name = $networksById[$nconfId]['name'] ?? null;
                }

-                // Match by unifi_id, or by passphrase for a held embedded record re-appearing
+                // Match in priority order:
+                //   1. by current unifi_id (already-synced row)
+                //   2. by name within this wlan (catches rotation: passphrase
+                //      changed → synthetic id changed → row identity unchanged)
+                //   3. by passphrase among held rows (legacy fallback for
+                //      cases where name wasn't ingested)
                $record = UnifiPpsk::where('unifi_id', $uid)->first()
+                       ?? ($name
+                            ? UnifiPpsk::where('wlan_id', $wlanId)->where('name', $name)
+                                ->orderByRaw("FIELD(state, 'active', 'held')")
+                                ->first()
+                            : null)
                       ?? UnifiPpsk::where('wlan_id', $wlanId)
                            ->where('x_passphrase', $pass)
                            ->where('state', 'held')
@@ -174,8 +184,8 @@ class WifiController extends Controller
                }
            }

-            // Only mark as held when we have confirmed live IDs —
-            // never wipe on an empty API response (prevents false-holds on API failures)
+            // Mark non-matching active rows as held — but ONLY if there's no
+            // other active row with the same name we just reconnected.
            if (! empty($liveIds)) {
                UnifiPpsk::where('wlan_id', $wlanId)
                    ->where('state', 'active')
@@ -184,6 +194,47 @@ class WifiController extends Controller
                    ->update(['state' => 'held', 'unifi_id' => null]);
            }

+            // For each active row, salvage any rotate_password / schedule
+            // settings from the held tombstones with the same name BEFORE
+            // we prune them. Otherwise a row that had rotate=on loses the
+            // flag every time a rotation changes its synthetic id.
+            $activeRows = UnifiPpsk::where('wlan_id', $wlanId)
+                ->where('state', 'active')
+                ->whereNotNull('name')
+                ->get();
+            foreach ($activeRows as $active) {
+                $heldWithSettings = UnifiPpsk::where('wlan_id', $wlanId)
+                    ->where('state', 'held')
+                    ->where('name', $active->name)
+                    ->where(fn ($q) => $q
+                        ->where('rotate_password', true)
+                        ->orWhereNotNull('schedule'))
+                    ->orderByDesc('updated_at')
+                    ->first();
+                if (! $heldWithSettings) continue;
+
+                $patch = [];
+                if ($heldWithSettings->rotate_password && ! $active->rotate_password) {
+                    $patch['rotate_password'] = true;
+                }
+                if ($heldWithSettings->schedule && ! $active->schedule) {
+                    $patch['schedule'] = $heldWithSettings->schedule;
+                }
+                if ($patch) $active->update($patch);
+            }
+
+            // Prune obsolete held rows: any held row whose name matches an
+            // active row in the same wlan is a stale tombstone — its
+            // settings have been salvaged above, and its data has been
+            // superseded by the active one.
+            $activeNames = $activeRows->pluck('name')->filter()->unique();
+            if ($activeNames->isNotEmpty()) {
+                UnifiPpsk::where('wlan_id', $wlanId)
+                    ->where('state', 'held')
+                    ->whereIn('name', $activeNames)
+                    ->delete();
+            }
+
            $dbRecords = UnifiPpsk::where('wlan_id', $wlanId)
                ->orderByRaw("FIELD(state, 'active', 'held')")
                ->orderBy('name')
@@ -293,9 +344,37 @@ class WifiController extends Controller
                if (! empty($unifiUpdate)) {
                    if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
                        // Embedded PPSK update path — modify the WLAN's embedded array.
-                        $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']);
-                        // Synthetic id is derived from the new passphrase.
-                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32);
+                        // Match by name (reliable across drift).
+                        $newPass = $unifiUpdate['x_passphrase'];
+                        $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $newPass, $record->name);
+                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
+
+                        // Also update sibling WLANs (banded SSID — same name
+                        // on 2.4 and 5GHz are separate wlanconf rows).
+                        foreach ($unifi->getWlanSiblings($record->wlan_id) as $siblingWlanId) {
+                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
+                                ->where('name', $record->name)
+                                ->where('state', 'active')
+                                ->first();
+                            try {
+                                $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $record->name);
+                                if ($sibling) {
+                                    $sibling->update([
+                                        'x_passphrase' => $newPass,
+                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
+                                    ]);
+                                }
+                            } catch (\Throwable $e) {
+                                // PPSK absent on this band is fine — just
+                                // means it isn't mirrored. Anything else
+                                // gets warning-logged.
+                                $level = str_contains($e->getMessage(), 'not found') ? 'info' : 'warning';
+                                \Illuminate\Support\Facades\Log::log($level, 'unifi.ppsk_sibling_update', [
+                                    'sibling_wlan' => $siblingWlanId,
+                                    'error'        => $e->getMessage(),
+                                ]);
+                            }
+                        }
                    } else {
                        $unifi->updatePpsk($record->unifi_id, $unifiUpdate);
                    }
--- a/src/Services/UnifiApiClient.php
+++ b/src/Services/UnifiApiClient.php
@@ -312,6 +312,40 @@ class UnifiApiClient
        return $this->put("/rest/wlanconf/{$wlanId}", $data);
    }

+    /**
+     * Find sibling WLAN configs — same SSID name, different _id. UniFi
+     * splits a "banded" SSID (band-steering disabled) into one wlanconf
+     * per band, each with its own _id and its own embedded PPSK array.
+     * A rotation that updates one band must also update the others, or
+     * the SSID's two halves drift out of sync.
+     *
+     * Returns an array of sibling wlan IDs (excludes $wlanId itself).
+     * Empty array if the target WLAN is unique or can't be found.
+     */
+    public function getWlanSiblings(string $wlanId): array
+    {
+        try {
+            $all = $this->get('/rest/wlanconf');
+        } catch (\Throwable) {
+            return [];
+        }
+
+        $target = null;
+        foreach ($all as $w) {
+            if (($w['_id'] ?? null) === $wlanId) { $target = $w; break; }
+        }
+        if (! $target || empty($target['name'])) return [];
+
+        $siblings = [];
+        foreach ($all as $w) {
+            if (($w['_id'] ?? null) === $wlanId) continue;
+            if (($w['name'] ?? null) === $target['name']) {
+                $siblings[] = $w['_id'];
+            }
+        }
+        return $siblings;
+    }
+
    // ── PPSK ─────────────────────────────────────────────────────────────────

    /**
@@ -504,7 +538,7 @@ class UnifiApiClient
     * no controller-side ID. Only changes the entry's passphrase; name
     * isn't separately addressable on embedded PPSKs.
     */
-    public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array
+    public function updateEmbeddedPpsk(string $wlanId, ?string $oldPassphrase, string $newPassphrase, ?string $name = null): array
    {
        $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
        $wlan     = $wlanResp[0] ?? $wlanResp;
@@ -514,26 +548,50 @@ class UnifiApiClient
            throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
        }

-        $matched = false;
-        foreach ($entries as &$e) {
-            $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
-            if ($current === $oldPassphrase) {
-                // Preserve whichever field name the controller is using.
+        // Match in this order — most reliable first:
+        //   1. by PPSK name (if provided) — survives passphrase drift
+        //      caused by manual edits or previous out-of-sync rotations.
+        //   2. by current passphrase (legacy)
+        $applyUpdate = function (array &$e) use ($newPassphrase) {
            if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
            if (array_key_exists('password',     $e)) $e['password']     = $newPassphrase;
            if (array_key_exists('passphrase',   $e)) $e['passphrase']   = $newPassphrase;
-                // If none of the above existed, default to password (most common on embedded).
            if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
                $e['password'] = $newPassphrase;
            }
+        };
+
+        $matched = false;
+        if ($name !== null && $name !== '') {
+            foreach ($entries as &$e) {
+                $entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
+                if ($entryName === $name) {
+                    $applyUpdate($e);
                    $matched = true;
                    break;
                }
            }
            unset($e);
+        }
+
+        if (! $matched && $oldPassphrase !== null && $oldPassphrase !== '') {
+            foreach ($entries as &$e) {
+                $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
+                if ($current === $oldPassphrase) {
+                    $applyUpdate($e);
+                    $matched = true;
+                    break;
+                }
+            }
+            unset($e);
+        }

        if (! $matched) {
-            throw new \RuntimeException('Embedded PPSK not found by current passphrase.');
+            throw new \RuntimeException(
+                'Embedded PPSK not found' .
+                ($name !== null ? " by name \"{$name}\"" : '') .
+                ' or by current passphrase.'
+            );
        }

        // UniFi REST expects the full WLAN object on PUT — send what we
Author	SHA1	Message	Date
jwed	bb74edf4c1	fix(ppsk sync): match by name + salvage settings, prune dup tombstones Every rotation changes an embedded PPSK's synthetic id (it's derived from sha256(wlan_id : passphrase)). The ingest sync matched only by unifi_id, so after rotation the row's id was "new" — the sync created a fresh active row and marked the previous one held. Over multiple rotations this accumulated: each rotation left a held tombstone, and the rotate_password / schedule flags were stuck on the original tombstone instead of transferring to the new active row. Dev's GUEST PPSK had 3 rows after a few rotations: two held (with rotate_password=true on the first), one active with rotate=false. Future rotations would silently skip that PPSK because the active row no longer had the rotate flag set. Fix in three layers, all in WifiController::ppskIndex: 1. Match priority extended: unifi_id → name within wlan → held by passphrase. The name match means a passphrase change just updates the existing row in place. No more new-row creation per rotation. 2. Salvage step before pruning: for each active row, scan held tombstones with the same name and copy over rotate_password and schedule. Operator's rotation opt-in survives history. 3. Prune step: held rows with the same name as an active row in the same wlan are now hard-deleted (their settings were just salvaged, their data is stale). Keeps the WiFi modal clean instead of accumulating phantoms. v1.10.2. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:49:26 -04:00
jwed	e5cc075938	fix(banded ssid): treat "PPSK not on this band" as a quiet skip The sibling-rotation path's "Embedded PPSK not found" error was being surfaced to the operator as a failure, but it's not — it just means the PPSK isn't mirrored on that band (GUEST was configured on one band only, which is a perfectly valid setup). Logging this as a sibling failure also poisoned the cron run status to "partial". Now: "not found"-style errors from updateEmbeddedPpsk on a sibling become info-level log entries and the loop continues. Other errors (API failures, permissions, etc.) still surface as warnings/failures. v1.10.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:43:10 -04:00
jwed	4ec4a293c0	release: 1.10.0 — rolls up 1.9.1 (banded-SSID PPSK match by name) Bundled stable cut for prod. Contents since 1.9.0: * fix(banded ssid): updateEmbeddedPpsk now matches embedded PPSK entries by name first (e.g. "GUEST") and falls back to current passphrase. Name-matching survives any passphrase drift caused by pre-1.8.1 out-of-band manual edits — the sibling-rotation failure reported on prod after upgrading to 1.9.0 no longer happens. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:40:13 -04:00
jwed	720e94c54a	fix(banded ssid): match embedded PPSK by name first, passphrase fallback The sibling-update path on prod failed with "Embedded PPSK not found by current passphrase" because the DB-stored x_passphrase on the unedited band was stale — earlier manual edits (pre-1.8.1) only touched one band, leaving the other band's row out of sync. When rotation then tried to use that stale passphrase to find the entry, no match. updateEmbeddedPpsk now takes an optional $name parameter and tries it first. PPSK names within a WLAN are unique, so name-matching survives any passphrase drift caused by historical out-of-band edits. Passphrase matching stays as a fallback for callers that don't have a name (none currently — both rotation and the manual modal pass it). v1.9.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:38:10 -04:00
jwed	2be17c70db	release: 1.9.0 — rolls up the 1.8.1 patch series Bundled stable cut for prod. Contents since 1.8.0: * fix(rotate): unifi.password_rotation.last_password is now saved on successful PPSK rotation as well as whole-SSID rotation. PPSK-only setups (typical guest-WiFi configurations) will populate the Settings → Tasks "current password" display and the /api/unifi/wifi/current-password endpoint after the next rotation. * fix(banded-ssid): when an SSID is split across 2.4 and 5GHz bands (band-steering disabled — two wlanconf rows with the same name), rotating or manually editing a PPSK on one band now also updates the same-name PPSK on every sibling band. Previously the two halves drifted out of sync. Both the rotation scheduler and the WiFi modal use the new UnifiApiClient::getWlanSiblings helper. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:33:48 -04:00
jwed	31686a35d5	fix(rotate): record PPSK rotation password + sync banded-SSID siblings Three bugs reported from prod after a PPSK rotation: 1. unifi.password_rotation.last_password was only saved after a whole-SSID rotation. PPSK-only setups (the typical guest-WiFi case) ran a successful rotation but the setting stayed empty, so the Settings → Tasks UI never showed the current password and the /api/unifi/wifi/current-password endpoint returned 404 "no rotated password recorded yet". The PPSK loop now writes last_password on every successful PPSK rotation. 2. When an SSID is "banded" (band-steering disabled), UniFi splits it into one wlanconf per band — 2.4GHz and 5GHz each get their own _id and their own embedded PPSK array. Rotating the PPSK on one band left the other band with the old password. New UnifiApiClient::getWlanSiblings($wlanId) finds all wlanconfs that share an SSID name; both rotation and the manual modal edit now call updateEmbeddedPpsk on each sibling and update the matching UnifiPpsk DB rows. 3. The manual WiFi modal edit had the same band-blindness as #2 — editing the GUEST PPSK on the 2.4GHz half left the 5GHz half stale. WifiController::ppskUpdate now walks siblings the same way. v1.8.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:32:15 -04:00
jwed	8769308dfd	release: 1.8.0 — rolls up the 1.7.1 patch series Bundled stable cut for prod. Contents since 1.7.0: * feat(access): strict allowlist enforcement. A unifi page with NO grants is now visible only to super-admins — previously it fell back to "open for anyone with the route permission". Matches the new dashboard-wide access model. * feat(access): the Access tab now adds groups by typeahead search, mirroring the user-search flow. Only granted groups + super-admin groups appear in the matrix; other groups are added on demand. * fix(access): ungranted users hitting a unifi URL get 404 instead of 403 so the page doesn't leak its existence. Breaking note: super-admins continue to see everything. Non-super users that previously accessed a unifi page via permission alone now need an explicit grant in the Access tab. Configure grants before relying on existing permission-based access. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:17:21 -04:00