[Bug] Credential Storage (Primary Password) gets bricked after Login Error #121

Closed
opened 2026-04-05 16:16:10 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @wilk-polarny on 1/22/2026

Describe the bug
When a login fails, the primary password function will be permanently broken. Logging into the same account again (after deleting it from the saved accounts) will never prompt for primary password generation again. The option in the advanced settings is greyed out. "Save credentials" does not seem to have an effect; credentials always get saved.

To Reproduce
Steps to reproduce the behavior:

  1. Have an account set up that uses saved credentials and a primary password
  2. Make the login fail. In my case the session expired after ages after I changed my VRChat password. The UI will report
Error: 401 Unauthorized<br>Error Message: &#34;Invalid Username/Email or Password&#34;<br>Endpoint: &#34;auth/user&#34;

You can also provoke this error by encrypting an invalid VRChat password for a dead token/cookie/session and storing it within the saved credentials, so that logging in will fail.

  3. Remove the account (trash symbol)
  4. Log in with the same account ID, but valid credentials.

You will be logged in, but not asked to set up a primary password. You can also not use the option within the advanced settings.

config:enableprimarypassword is false
config:savedcredentials is {} (if you did not choose "Save credentials", but you will be automagically logged in anyways?!)
Other config values related to that usr_ stay within the DB.

External Workaround using a Database editor and a JS REPL:
Use a backup of the main SQLite DB:

  • Set config:enableprimarypassword to true (if not already true)
  • Set config:savedcredentials to the previous value (if not already set). This will restore the broken account (with the old VRChat account password).
  • (Ab)use the encrypt/decrypt utility functions defined in this project to create a new encrypted password value using the same mechanics for AES key generation to generate a new encrypted password.
  • Edit the config:savedcredentials password entry and replace the previous encrypted password with your new encrypted password.
  • Launch VRCX and log in (you will be prompted for a new OTP)
  • Profit.

Expected behavior
I expect the UI to prompt me for a new password and OTP, and for it to re-encrypt the stored credentials using my primary key. The primary key option in the advanced settings should be accessible (and not greyed out).
When deleting an account, and logging in with the same one, the "Stay logged in" checkbox should always be honored. I still don't get how it can log me in without saved credentials. I did not dig through the whole code base yet.

Screenshots
none.

What version you are running
Version 2026.01.04
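
A read-only check for the state described in this report, run against a copy of the database. This is an added example, not code from VRCX or from the reporter. It assumes a `configs` table with `key` and `value` columns, that `config:savedcredentials` is a JSON object keyed by account ID, and that per-user keys contain the `usr_` ID; the sample rows are constructed.

```python
import json
import sqlite3

USER_ID = "usr_00000000-0000-0000-0000-000000000000"  # constructed placeholder id

def build_sample_db(enabled="false", saved="{}"):
    """Constructed in-memory sample; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE configs (key TEXT PRIMARY KEY, value TEXT)")
    db.executemany("INSERT INTO configs VALUES (?, ?)", [
        ("config:enableprimarypassword", enabled),
        ("config:savedcredentials", saved),
        # hypothetical per-user setting left behind after account removal
        (f"config:example_setting_{USER_ID}", "1"),
    ])
    return db

def inspect_credential_state(db):
    """Read-only check of the two config keys named in the report."""
    cfg = dict(db.execute("SELECT key, value FROM configs"))
    enabled = cfg.get("config:enableprimarypassword", "false").lower() == "true"
    try:
        saved = json.loads(cfg.get("config:savedcredentials") or "{}")
    except json.JSONDecodeError:
        saved = None
    accounts = sorted(saved) if isinstance(saved, dict) else []
    # per-user rows whose account no longer has a saved-credentials entry
    orphaned = sorted(k for k in cfg
                      if "usr_" in k and not any(a in k for a in accounts))
    findings = []
    if not isinstance(saved, dict):
        findings.append("savedcredentials is not a JSON object")
    if not enabled and not accounts and orphaned:
        findings.append("primary password off, no saved credentials, "
                        "but per-user rows remain (state described in the report)")
    if enabled and not accounts:
        findings.append("primary password on but nothing is stored under it")
    return {"enabled": enabled, "accounts": accounts,
            "orphaned": orphaned, "findings": findings}

if __name__ == "__main__":
    print(inspect_credential_state(build_sample_db()))
```
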

Reference: github/VRCX#121