From d34142eef0dc830084a25d09db2293a429c003f3 Mon Sep 17 00:00:00 2001
From: Oli
Date: Sat, 1 Nov 2025 14:32:17 +0100
Subject: [PATCH] fix: resolve session corruption and sync issues

- Use BW_SESSION environment variable because commands don't support `--session` parameter anymore
- Suppress output from bw login and cmdkey to prevent pipeline pollution
- Set/unset BW_SESSION immediately in try/finally blocks for security
---
 vaultwarden_ssh-agent.ps1 | 44 ++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/vaultwarden_ssh-agent.ps1 b/vaultwarden_ssh-agent.ps1
index 646532f..6ff5433 100644
--- a/vaultwarden_ssh-agent.ps1
+++ b/vaultwarden_ssh-agent.ps1
@@ -143,10 +143,9 @@ function Get-BWSession {
 # bw status is always locked when using --session
 # https://github.com/bitwarden/clients/issues/9254
 [Environment]::SetEnvironmentVariable("BW_SESSION", $Session, [System.EnvironmentVariableTarget]::Process)
- $StatusResult = & bw status 2>&1
+ $Status = & bw status | ConvertFrom-Json
 [Environment]::SetEnvironmentVariable("BW_SESSION", $null, [System.EnvironmentVariableTarget]::Process)
 if ($LASTEXITCODE -eq 0) {
- $Status = $StatusResult | ConvertFrom-Json
 if ($Status.status -eq "unlocked") {
 Write-Debug "Stored session is valid"
 Write-Host "Using stored session"
@@ -173,10 +172,13 @@ function Get-BWSession {
 if ($Status.status -eq "unauthenticated") {
 Write-Debug "Not logged in, attempting API key login"
- & bw login --apikey
+ & bw login --apikey | Out-Null
 if ($LASTEXITCODE -ne 0) {
 throw "Login failed"
 }
+ # Get status again after login to retrieve user email
+ Write-Debug "Getting user info after login"
+ $Status = & bw status | ConvertFrom-Json
 } else {
 Write-Debug "Already logged in as $($Status.userEmail)"
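Review bot: The `bw status` call in the -143 hunk still sets and unsets BW_SESSION as two plain statements, so if anything between them raises a terminating error (for example `ConvertFrom-Json` on non-JSON output, which is more likely now that `2>&1` is gone and bw's error text is no longer captured) the unset on the following line is skipped and the session token stays in the process environment for every child process started afterwards. The other hunks in this commit (-243, -262, -384) already wrap the same pair in try/finally; this one should match, capturing `$LASTEXITCODE` inside the try so the check after the finally still sees bw's exit code. The comment `# bw status is always locked when using --session` now describes a flag the code no longer passes; I would reword it to `# bw status reads BW_SESSION from the environment; expose it only for this one call`. Get-BWSession starts before and continues after this hunk.
```powershell
    try {
        [Environment]::SetEnvironmentVariable("BW_SESSION", $Session, [System.EnvironmentVariableTarget]::Process)
        $Status = & bw status | ConvertFrom-Json
        $StatusExitCode = $LASTEXITCODE
    }
    finally {
        [Environment]::SetEnvironmentVariable("BW_SESSION", $null, [System.EnvironmentVariableTarget]::Process)
    }
    if ($StatusExitCode -eq 0) {
        # … unchanged: unlocked / locked handling …
```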
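Review bot: The second `$Status = & bw status | ConvertFrom-Json`, added after the API-key login, has no exit-code check, unlike the first status call and the login itself; if it fails `$Status` is empty and the cmdkey store in the -189 hunk runs with an empty `/user:` value. Add `if ($LASTEXITCODE -ne 0) { throw "Failed to read status after login" }` directly after it. `| Out-Null` on `bw login --apikey` consumes only the success stream, so whatever bw writes to stderr still passes through; a one-line comment such as `# stdout only; login errors on stderr still surface` would stop the next reader from "fixing" it with 2>&1, which would feed error records into the pipeline. Get-BWSession continues past the end of this hunk.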
@@ -189,8 +191,8 @@ function Get-BWSession {
 }
 # Store session in Windows Credential Manager
- Write-Debug "Storing session in Windows Credential Manager"
- $Result = & cmdkey /generic:"Vaultwarden_Session" /user:$($Status.userEmail) /pass:$NewSession
+ Write-Debug "Storing session in Windows Credential Manager for user: $($Status.userEmail)"
+ $Result = & cmdkey /generic:"Vaultwarden_Session" /user:"$($Status.userEmail)" /pass:"$NewSession" | Out-Null
 if ($LASTEXITCODE -ne 0) {
 throw "Failed to store session: $Result"
 }
@@ -243,7 +245,13 @@ function Get-FolderId {
 )
 Write-Debug "Getting folder: $FolderName"
- $Folders = & bw list folders --session $Session --search $FolderName | ConvertFrom-Json
+ try {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $Session, [System.EnvironmentVariableTarget]::Process)
+ $Folders = & bw list folders --search $FolderName | ConvertFrom-Json
+ }
+ finally {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $null, [System.EnvironmentVariableTarget]::Process)
+ }
 $Folder = $Folders | Where-Object { $_.name -eq $FolderName }
 if (-not $Folder) {
@@ -262,8 +270,14 @@ function Get-FolderItems {
 )
 Write-Debug "Getting items from folder: $FolderId"
+ try {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $Session, [System.EnvironmentVariableTarget]::Process)
+ $Items = & bw list items --folderid $FolderId | ConvertFrom-Json
+ }
+ finally {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $null, [System.EnvironmentVariableTarget]::Process)
+ }
 # Add filter for SSH key type (type=5)
- $Items = & bw list items --session $Session --folderid $FolderId | ConvertFrom-Json
 $SshKeyItems = $Items | Where-Object { $_.type -eq 5 }
 Write-Debug "Found $($SshKeyItems.Count) SSH key items"
 return $SshKeyItems
@@ -361,6 +375,9 @@ function Add-PrivateKeyToSSHAgent {
 if ($PrivateKeyPlain) {
 Clear-SensitiveData $PrivateKeyPlain
 }
+ if ($SSHKey.PrivateKey) {
+ Clear-SensitiveData $SSHKey.PrivateKey
+ }
 if ($Process) {
 $Process.Dispose()
 }
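Review bot: `$Result` is always `$null` in the new cmdkey line, because `| Out-Null` consumes the output before the assignment sees it, so the `throw "Failed to store session: $Result"` two lines below can never include cmdkey's message. Assigning to `$Result` already keeps the output off the pipeline, so drop the trailing `| Out-Null` (or drop `$Result` from the message). Separately, `/pass:"$NewSession"` places the session token on the cmdkey command line, where it is visible to process listings and command-line auditing while cmdkey runs; that predates this commit, but it deserves a comment such as `# NOTE: the session token is passed to cmdkey on argv and is visible in process listings for the duration of the call` so the exposure is a documented trade-off rather than an accident.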
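Review bot: `bw list folders` inside the new try block in the -243 hunk is never checked for failure: if bw exits non-zero (expired session, network error) `$Folders` is empty and the code below reports the folder as missing instead of the real cause; the -262 hunk's `bw list items` has the same gap. Capture the code inside the try, `$ListExitCode = $LASTEXITCODE`, and after the finally add `if ($ListExitCode -ne 0) { throw "bw list folders failed" }`. As a point of style, the set-env/try/finally/unset sequence is now written out four times (-143, -243, -262, -384); a small helper taking the session and a scriptblock would keep the cleanup and the exit-code check in one place. Get-FolderId's parameter block and its not-found branch lie outside this hunk.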
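Review bot: `Clear-SensitiveData $SSHKey.PrivateKey` in the -361 hunk probably does not clear what the caller holds: the argument is the property's value bound to the helper's parameter, and if PrivateKey is a plain string it cannot normally be overwritten in place from PowerShell, so unless Clear-SensitiveData (defined outside this hunk) mutates the object it receives, `$SSHKey.PrivateKey` still contains the key after the call. If the intent is to drop the caller's copy, assign the property directly, `$SSHKey.PrivateKey = $null`, and say so in a comment, since that is a side effect on an object the caller owns and may still iterate over. Add-PrivateKeyToSSHAgent starts before this hunk.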
@@ -384,9 +401,16 @@ try {
 $Session = Get-BWSession
 # Sync vault
- Write-Debug "Syncing vault"
- & bw sync --session $Session --quiet
- if ($LASTEXITCODE -ne 0) {
+ Write-Host "Syncing vault"
+ try {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $Session, [System.EnvironmentVariableTarget]::Process)
+ & bw sync | Out-Null
+ $SyncExitCode = $LASTEXITCODE
+ }
+ finally {
+ [Environment]::SetEnvironmentVariable("BW_SESSION", $null, [System.EnvironmentVariableTarget]::Process)
+ }
+ if ($SyncExitCode -ne 0) {
 throw "Failed to sync vault"
 }
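Review bot: `Write-Debug "Syncing vault"` is promoted to `Write-Host "Syncing vault"` in this hunk, a user-visible output change that the commit message does not mention; if it is intended, note it in the message, otherwise keep `Write-Debug "Syncing vault"`. Replacing `--quiet` with `| Out-Null` is also not equivalent: Out-Null discards only the success stream, so anything bw writes to stderr during sync now reaches the console, which is worth a comment on that line, e.g. `# stdout discarded; bw's stderr still surfaces`. The try/finally with `$SyncExitCode` captured inside the try is the right shape and is the pattern the -143 hunk should copy. The outer `try {` this hunk sits in begins before the hunk.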