forked from akai/readest
712d564e9d
* feat(sync): encrypt opds_catalog credentials end-to-end (TS path) Wires encrypted-credential sync for opds_catalog via the CryptoSession shipped in PR 4a (#4084) plus a new publish/pull crypto middleware. TS-only — native still uses ephemeral storage (re-enter passphrase per launch); PR 4d wires the OS keychain. - ReplicaAdapter gains optional `encryptedFields: readonly string[]`. Adapters stay sync; the middleware handles the crypto round trip. - replicaCryptoMiddleware.ts: encryptPackedFields drops the named fields from the push when the session is locked (no plaintext leak); decryptRowFields drops them on pull failure (local plaintext preserved by the store merge). - replicaPublish / replicaPullAndApply invoke the middleware. - OPDS adapter declares encryptedFields = [username, password] and now pack/unpack them as plaintext. - passphraseGate.ts: ensurePassphraseUnlocked coalesces concurrent calls, prompts via the registered prompter with kind=setup|unlock, throws NO_PASSPHRASE on cancel. - PassphrasePromptModal mounted at the Providers root; registers itself as the gate prompter. - CryptoSession.forget() wipes server-side envelopes + salts. - Migration 010 + replica_keys_forget RPC; DELETE /api/sync/replica-keys + client wrapper. - SyncPassphraseSection on the user page: status / Set / Unlock / Lock / Forgot. - CatalogManager pre-save: ensurePassphraseUnlocked when credentials are present; user cancel saves locally without sync. Plan updated: PR 4 split documented as 4a/4b/4c/4d. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(sync): persist sync passphrase via OS keychain (Tauri) Replaces the EphemeralPassphraseStore stub on native with real OS-keychain storage so users don't re-enter their sync passphrase every launch. Web stays on the in-memory ephemeral store by design. Native bridge plugin gains 4 commands wired across all platforms: - Rust desktop (`keyring` crate): macOS Keychain on apple-native, Windows Credential Manager on windows-native, Linux libsecret/ Secret Service on sync-secret-service. Per-target features so each platform compiles only the backend it needs. - iOS Swift: Security framework Keychain (kSecClassGenericPassword, SecItemAdd / Copy / Delete). - Android Kotlin: androidx.security EncryptedSharedPreferences (AndroidKeystore-derived AES-GCM master key, AES256_SIV / AES256_GCM key/value encryption). TS layer: - TauriPassphraseStore wraps the bridge calls. set is fail-loud (surfaces keychain rejection); get is fail-soft (returns null on any error so the gate prompts). - createPassphraseStore returns ephemeral synchronously; upgradeToKeychainIfAvailable swaps the singleton to TauriPassphraseStore on Tauri after probing the bridge. CryptoSession resolves the store via createPassphraseStore() each touch so the swap is transparent. - CryptoSession.tryRestoreFromStore: silent unlock at boot. Stale- entry recovery clears the store when the account has no salt server-side. unlock/setup persist; forget also clears the store. - Providers boot effect: upgrade keychain → silent restore. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(sync): make encrypted-credential pull actually decrypt + UX polish PR 4c shipped the encrypt path but the pull side silently dropped ciphers when locked, the modal was busy with double-rings, and web re-prompted on every page refresh. This rolls up the post-test fixes + UX polish: Pull-side decrypt: - decryptRowFields takes an `onLocked` callback the orchestrator wires to the passphrase gate; encountering a cipher field with a locked session now triggers the lazy-prompt path instead of dropping the field. - replicaPullAndApply re-applies the unpacked row for metadata-only kinds even when a local copy exists, so the now-decrypted creds reach the store (the binary-kind skip-if-local optimization doesn't apply). - Cipher fingerprint comparison: capture the row's `cipher.c` for each encrypted field, compare against the local record's lastSeenCipher. Same → skip prompt + decrypt entirely. Different (rotation / value change on another device) → prompt to re-decrypt. Fingerprint persists via OPDSCatalog.lastSeenCipher. Web persistence: - SessionStoragePassphraseStore: passphrase survives page refresh within the same tab, dies on tab close. Replaces EphemeralPassphraseStore as the default on web. Avoids localStorage / IndexedDB to keep the tab-scoped trust boundary. UI: - Renamed PassphrasePromptModal → PassphrasePrompt; modernized: filled input style with single subtle focus border, btn-primary + btn-ghost replaced with leaner custom buttons. eink-bordered + btn-primary classes give the dialog correct e-paper rendering. - globals.css: suppress redundant outline/box-shadow on focused text inputs / textareas (the element's own border is the focus indicator). - AGENTS.md: documents the e-ink convention (`eink-bordered`, `btn-primary` for inverted CTAs, etc.) so future widgets ship with e-paper support. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
154 lines
5.3 KiB
TypeScript
154 lines
5.3 KiB
TypeScript
'use client';
|
|
|
|
import { useEffect, useRef, useState } from 'react';
|
|
import ModalPortal from '@/components/ModalPortal';
|
|
import { useTranslation } from '@/hooks/useTranslation';
|
|
import { setPassphrasePrompter } from '@/services/sync/passphraseGate';
|
|
import type { PassphrasePromptKind } from '@/services/sync/passphraseGate';
|
|
|
|
interface PendingPrompt {
|
|
kind: PassphrasePromptKind;
|
|
resolve: (passphrase: string | null) => void;
|
|
}
|
|
|
|
/**
|
|
* Singleton passphrase prompt for the encrypted-fields flow. Mount
|
|
* once at the app root. Registers itself with the passphrase gate;
|
|
* any caller that invokes `ensurePassphraseUnlocked` causes this
|
|
* modal to render and resolve with the entered passphrase (or null
|
|
* on cancel).
|
|
*/
|
|
export default function PassphrasePrompt() {
|
|
const _ = useTranslation();
|
|
const [pending, setPending] = useState<PendingPrompt | null>(null);
|
|
const [value, setValue] = useState('');
|
|
const [confirm, setConfirm] = useState('');
|
|
const [error, setError] = useState('');
|
|
const inputRef = useRef<HTMLInputElement | null>(null);
|
|
|
|
useEffect(() => {
|
|
setPassphrasePrompter(({ kind }) => {
|
|
return new Promise<string | null>((resolve) => {
|
|
setValue('');
|
|
setConfirm('');
|
|
setError('');
|
|
setPending({ kind, resolve });
|
|
});
|
|
});
|
|
return () => setPassphrasePrompter(null);
|
|
}, []);
|
|
|
|
useEffect(() => {
|
|
if (pending) {
|
|
const t = setTimeout(() => inputRef.current?.focus(), 0);
|
|
return () => clearTimeout(t);
|
|
}
|
|
return undefined;
|
|
}, [pending]);
|
|
|
|
if (!pending) return null;
|
|
|
|
const isSetup = pending.kind === 'setup';
|
|
|
|
const close = (passphrase: string | null) => {
|
|
pending.resolve(passphrase);
|
|
setPending(null);
|
|
setValue('');
|
|
setConfirm('');
|
|
setError('');
|
|
};
|
|
|
|
const handleSubmit = (e: React.FormEvent) => {
|
|
e.preventDefault();
|
|
if (value.length < 8) {
|
|
setError(_('Passphrase must be at least 8 characters'));
|
|
return;
|
|
}
|
|
if (isSetup && value !== confirm) {
|
|
setError(_('Passphrases do not match'));
|
|
return;
|
|
}
|
|
close(value);
|
|
};
|
|
|
|
// Input pill — modern style for color themes; eink-bordered swaps to
|
|
// 1px border + base-100 bg under [data-eink='true'].
|
|
const inputClass =
|
|
'eink-bordered w-full rounded-xl bg-base-300/60 px-4 py-3 text-sm placeholder:text-base-content/40 ' +
|
|
'border border-transparent transition-colors focus:border-base-content/20 focus:bg-base-300';
|
|
|
|
return (
|
|
<ModalPortal>
|
|
<dialog className='modal modal-open'>
|
|
<div className='modal-box bg-base-200 max-w-md rounded-2xl p-6 shadow-2xl'>
|
|
<h3 className='mb-1.5 text-lg font-semibold tracking-tight'>
|
|
{isSetup ? _('Set sync passphrase') : _('Enter sync passphrase')}
|
|
</h3>
|
|
<p className='text-base-content/60 mb-5 text-sm leading-relaxed'>
|
|
{isSetup
|
|
? _(
|
|
'A sync passphrase encrypts your sensitive fields (like OPDS catalog credentials) before they sync. We never see this passphrase. Pick something memorable — there is no recovery without it.',
|
|
)
|
|
: _(
|
|
'Enter the sync passphrase you set on another device to decrypt your synced credentials.',
|
|
)}
|
|
</p>
|
|
<form onSubmit={handleSubmit} className='space-y-2.5'>
|
|
<input
|
|
ref={inputRef}
|
|
type='password'
|
|
value={value}
|
|
onChange={(e) => {
|
|
setValue(e.target.value);
|
|
setError('');
|
|
}}
|
|
placeholder={_('Sync passphrase')}
|
|
className={inputClass}
|
|
autoComplete='new-password'
|
|
required
|
|
/>
|
|
{isSetup && (
|
|
<input
|
|
type='password'
|
|
value={confirm}
|
|
onChange={(e) => {
|
|
setConfirm(e.target.value);
|
|
setError('');
|
|
}}
|
|
placeholder={_('Confirm passphrase')}
|
|
className={inputClass}
|
|
autoComplete='new-password'
|
|
required
|
|
/>
|
|
)}
|
|
{error && <p className='text-error pt-0.5 text-xs'>{error}</p>}
|
|
<div className='flex justify-end gap-2 pt-4'>
|
|
{/*
|
|
* Cancel: ghost in color themes, eink-bordered (white bg
|
|
* + base-content border) under eink. Submit: bg-primary
|
|
* in color themes, picks up the existing
|
|
* `[data-eink] .btn-primary` rule (inverted to
|
|
* base-content bg + base-100 text) under eink — so the
|
|
* two buttons stay visually distinct on e-paper.
|
|
*/}
|
|
<button
|
|
type='button'
|
|
onClick={() => close(null)}
|
|
className='eink-bordered hover:bg-base-300/70 rounded-lg px-4 py-2 text-sm font-medium transition-colors'
|
|
>
|
|
{_('Cancel')}
|
|
</button>
|
|
<button
|
|
type='submit'
|
|
className='btn btn-primary text-primary-content hover:bg-primary/90 active:bg-primary/80 rounded-lg border-0 px-4 py-2 text-sm font-medium transition-colors'
|
|
>
|
|
{isSetup ? _('Set passphrase') : _('Unlock')}
|
|
</button>
|
|
</div>
|
|
</form>
|
|
</div>
|
|
</dialog>
|
|
</ModalPortal>
|
|
);
|
|
}
|