1 files changed, 11 insertions, 8 deletions

diff --git a/src/api/auth/password.rs b/src/api/auth/password.rs
index 0eeab4f..56ad2a2 100644
--- a/src/api/auth/password.rs
+++ b/src/api/auth/password.rs
@@ -64,15 +64,15 @@ pub(crate) async fn change_start(
     let key_fetch_token = SecretBytes::generate();
     let key_req = KeyFetchReq::from_token(&key_fetch_token);
     let wrapped = key_req.derive_resp().wrap_keys(&KeyBundle {
-        ka: user.ka.0.clone(),
-        wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+        ka: SecretBytes(user.ka.0),
+        wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
     });
-    db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key), &wrapped)
+    db.add_key_fetch(KeyFetchID(key_req.token_id.0), &HawkKey(key_req.req_hmac_key.0), &wrapped)
         .await?;
     db.add_password_change(
         &uid,
         &PasswordChangeID(change_req.token_id.0),
-        &HawkKey(change_req.req_hmac_key),
+        &HawkKey(change_req.req_hmac_key.0),
         None,
     )
     .await?;
@@ -99,7 +99,10 @@ impl<const IS_FORGOT: bool> AuthSource for WithChangeToken<IS_FORGOT> {
             .await
             .success_or_else(|| anyhow!("could not open db connection"))?;
         let db = pool.begin().await?;
-        let result = db.finish_password_change(id, IS_FORGOT).await.map(|(h, ctx)| (h.0, ctx))?;
+        let result = db
+            .finish_password_change(id, IS_FORGOT)
+            .await
+            .map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
         db.commit().await?;
         Ok(result)
     }
@@ -151,7 +154,7 @@ pub(crate) async fn change_finish(
     db.change_user_auth(
         &data.context.0,
         auth_salt,
-        SecretKey(wrapwrap_kb),
+        SecretKey(wrapwrap_kb.0),
         VerifyHash(verify_hash),
     )
     .await?;
@@ -209,7 +212,7 @@ pub(crate) async fn forgot_start(
     db.add_password_change(
         &uid,
         &PasswordChangeID(forgot_req.token_id.0),
-        &HawkKey(forgot_req.req_hmac_key),
+        &HawkKey(forgot_req.req_hmac_key.0),
         Some(&forgot_code),
     )
     .await?;
@@ -252,7 +255,7 @@ pub(crate) async fn forgot_finish(
     db.add_account_reset(
         &data.context.0,
         &AccountResetID(reset_req.token_id.0),
-        &HawkKey(reset_req.req_hmac_key),
+        &HawkKey(reset_req.req_hmac_key.0),
     )
     .await?;