fix: address review issues in iCloud Keychain password sync

datlechin · datlechin · commit 04e496ae9b96 · 2026-03-18T12:32:45.000+07:00
diff --git a/TablePro/AppDelegate.swift b/TablePro/AppDelegate.swift
@@ -55,7 +55,13 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         KeychainHelper.shared.migrateFromLegacyKeychainIfNeeded()
         let syncSettings = AppSettingsStorage.shared.loadSync()
         let passwordSyncExpected = syncSettings.enabled && syncSettings.syncConnections && syncSettings.syncPasswords
-        UserDefaults.standard.set(passwordSyncExpected, forKey: "com.TablePro.keychainPasswordSyncEnabled")
+        let previousSyncState = UserDefaults.standard.bool(forKey: KeychainHelper.passwordSyncEnabledKey)
+        UserDefaults.standard.set(passwordSyncExpected, forKey: KeychainHelper.passwordSyncEnabledKey)
+        if passwordSyncExpected != previousSyncState {
+            Task.detached(priority: .background) {
+                KeychainHelper.shared.migratePasswordSyncState(synchronizable: passwordSyncExpected)
+            }
+        }
         PluginManager.shared.loadPlugins()
 
         Task { @MainActor in
diff --git a/TablePro/Core/Storage/KeychainHelper.swift b/TablePro/Core/Storage/KeychainHelper.swift
@@ -13,7 +13,9 @@ final class KeychainHelper {
     private let service = "com.TablePro"
     private static let logger = Logger(subsystem: "com.TablePro", category: "KeychainHelper")
     private static let migrationKey = "com.TablePro.keychainMigratedToDataProtection"
-    private static let passwordSyncEnabledKey = "com.TablePro.keychainPasswordSyncEnabled"
+    static let passwordSyncEnabledKey = "com.TablePro.keychainPasswordSyncEnabled"
+
+    private let migrationLock = NSLock()
 
     private var isPasswordSyncEnabled: Bool {
         UserDefaults.standard.bool(forKey: Self.passwordSyncEnabledKey)
@@ -40,6 +42,7 @@ final class KeychainHelper {
         var status = SecItemAdd(addQuery as CFDictionary, nil)
 
         if status == errSecDuplicateItem {
+            let synchronizable = isPasswordSyncEnabled
             let searchQuery: [String: Any] = [
                 kSecClass as String: kSecClassGenericPassword,
                 kSecAttrService as String: service,
@@ -48,7 +51,8 @@ final class KeychainHelper {
                 kSecAttrSynchronizable as String: kSecAttrSynchronizableAny
             ]
             let updateAttributes: [String: Any] = [
-                kSecValueData as String: data
+                kSecValueData as String: data,
+                kSecAttrSynchronizable as String: synchronizable
             ]
             status = SecItemUpdate(searchQuery as CFDictionary, updateAttributes as CFDictionary)
         }
@@ -195,7 +199,11 @@ final class KeychainHelper {
     // MARK: - Password Sync Migration
 
     /// Migrates all TablePro keychain items between local-only and iCloud-synchronizable.
+    /// Serialized via `migrationLock` to prevent concurrent migrations from rapid toggling.
     func migratePasswordSyncState(synchronizable: Bool) {
+        migrationLock.lock()
+        defer { migrationLock.unlock() }
+
         Self.logger.info("Starting keychain sync migration: synchronizable=\(synchronizable)")
 
         let searchQuery: [String: Any] = [
@@ -260,7 +268,7 @@ final class KeychainHelper {
                 kSecAttrService as String: service,
                 kSecAttrAccount as String: account,
                 kSecUseDataProtectionKeychain as String: true,
-                kSecAttrSynchronizable as String: !synchronizable as CFBoolean
+                kSecAttrSynchronizable as String: !synchronizable
             ]
             let deleteStatus = SecItemDelete(deleteQuery as CFDictionary)
             if deleteStatus != errSecSuccess, deleteStatus != errSecItemNotFound {
diff --git a/TablePro/Views/Settings/SyncSettingsView.swift b/TablePro/Views/Settings/SyncSettingsView.swift
@@ -178,9 +178,9 @@ struct SyncSettingsView: View {
     }
 
     private func onPasswordSyncChanged(_ enabled: Bool) {
-        UserDefaults.standard.set(enabled, forKey: "com.TablePro.keychainPasswordSyncEnabled")
         Task.detached {
             KeychainHelper.shared.migratePasswordSyncState(synchronizable: enabled)
+            UserDefaults.standard.set(enabled, forKey: KeychainHelper.passwordSyncEnabledKey)
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -178,9 +178,9 @@ struct SyncSettingsView: View {`
`178`	`178`	`}`
`179`	`179`
`180`	`180`	`private func onPasswordSyncChanged(_ enabled: Bool) {`
`181`		`- UserDefaults.standard.set(enabled, forKey: "com.TablePro.keychainPasswordSyncEnabled")`
`182`	`181`	`Task.detached {`
`183`	`182`	`KeychainHelper.shared.migratePasswordSyncState(synchronizable: enabled)`
	`183`	`+ UserDefaults.standard.set(enabled, forKey: KeychainHelper.passwordSyncEnabledKey)`
`184`	`184`	`}`
`185`	`185`	`}`
`186`	`186`