From 26857413860cefcb498650488e77fea6117c2282 Mon Sep 17 00:00:00 2001
From: shuaiplus <2327005759@qq.com>
Date: Tue, 12 May 2026 18:01:04 +0800
Subject: [PATCH] feat: add permanent trust functionality for devices with
 corresponding API and UI updates

---
 src/handlers/devices.ts                       | 25 +++++++++++++++++++
 src/router-devices.ts                         |  7 ++++++
 src/services/storage-device-repo.ts           | 15 +++++++++++
 src/services/storage.ts                       |  5 ++++
 webapp/src/App.tsx                            |  1 +
 webapp/src/components/AppMainRoutes.tsx       |  2 ++
 webapp/src/components/SecurityDevicesPage.tsx | 20 +++++++++++++--
 webapp/src/hooks/useAccountSecurityActions.ts | 21 ++++++++++++++++
 webapp/src/lib/api/auth.ts                    |  8 ++++++
 webapp/src/lib/demo.ts                        |  8 ++++++
 webapp/src/lib/i18n/locales/en.ts             |  6 +++++
 webapp/src/lib/i18n/locales/es.ts             |  6 +++++
 webapp/src/lib/i18n/locales/ru.ts             |  6 +++++
 webapp/src/lib/i18n/locales/zh-CN.ts          |  6 +++++
 webapp/src/lib/i18n/locales/zh-TW.ts          |  6 +++++
 15 files changed, 140 insertions(+), 2 deletions(-)

diff --git a/src/handlers/devices.ts b/src/handlers/devices.ts
index b11406e..e62f950 100644
--- a/src/handlers/devices.ts
+++ b/src/handlers/devices.ts
@@ -6,6 +6,8 @@ import { errorResponse, jsonResponse } from '../utils/response';
 import { readKnownDeviceProbe } from '../utils/device';
 import { generateUUID } from '../utils/uuid';
 
+const PERMANENT_TRUST_EXPIRES_AT_MS = Date.UTC(2099, 11, 31, 23, 59, 59);
+
 function normalizeIdentifier(value: string | null | undefined): string {
   return String(value || '').trim();
 }
@@ -268,6 +270,29 @@ export async function handleRevokeTrustedDevice(
   return jsonResponse({ success: true, removed });
 }
 
+// POST /api/devices/authorized/:deviceIdentifier/permanent
+// Upgrades an existing active 2FA remember-token record to permanent trust.
+export async function handleTrustDevicePermanently(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = String(deviceIdentifier || '').trim();
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const updated = await storage.updateTrustedTwoFactorTokensExpiryByDevice(userId, normalized, PERMANENT_TRUST_EXPIRES_AT_MS);
+  if (!updated) return errorResponse('Device is not currently trusted', 409);
+
+  return jsonResponse({
+    success: true,
+    updated,
+    trustedUntil: new Date(PERMANENT_TRUST_EXPIRES_AT_MS).toISOString(),
+  });
+}
+
 // DELETE /api/devices/:deviceIdentifier
 export async function handleDeleteDevice(
   request: Request,
diff --git a/src/router-devices.ts b/src/router-devices.ts
index dafb1ca..c6730c1 100644
--- a/src/router-devices.ts
+++ b/src/router-devices.ts
@@ -11,6 +11,7 @@ import {
   handleDeactivateDevice,
   handleRevokeAllTrustedDevices,
   handleRevokeTrustedDevice,
+  handleTrustDevicePermanently,
   handleDeleteAllDevices,
   handleDeleteDevice,
   handleUpdateDeviceName,
@@ -44,6 +45,12 @@ export async function handleAuthenticatedDeviceRoute(
     return handleRevokeTrustedDevice(request, env, userId, deviceIdentifier);
   }
 
+  const permanentAuthorizedDeviceMatch = path.match(/^\/api\/devices\/authorized\/([^/]+)\/permanent$/i);
+  if (permanentAuthorizedDeviceMatch && method === 'POST') {
+    const deviceIdentifier = decodeURIComponent(permanentAuthorizedDeviceMatch[1]);
+    return handleTrustDevicePermanently(request, env, userId, deviceIdentifier);
+  }
+
   const deleteDeviceMatch = path.match(/^\/api\/devices\/([^/]+)$/i);
   if (deleteDeviceMatch && method === 'GET') {
     const deviceIdentifier = decodeURIComponent(deleteDeviceMatch[1]);
diff --git a/src/services/storage-device-repo.ts b/src/services/storage-device-repo.ts
index a37c1b7..1a93cfd 100644
--- a/src/services/storage-device-repo.ts
+++ b/src/services/storage-device-repo.ts
@@ -233,6 +233,21 @@ export async function deleteTrustedTwoFactorTokensByUserId(db: D1Database, userI
   return Number(result.meta.changes ?? 0);
 }
 
+export async function updateTrustedTwoFactorTokensExpiryByDevice(
+  db: D1Database,
+  userId: string,
+  deviceIdentifier: string,
+  expiresAtMs: number
+): Promise<number> {
+  const now = Date.now();
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(now).run();
+  const result = await db
+    .prepare('UPDATE trusted_two_factor_device_tokens SET expires_at = ? WHERE user_id = ? AND device_identifier = ? AND expires_at >= ?')
+    .bind(expiresAtMs, userId, deviceIdentifier, now)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
 export async function saveTrustedTwoFactorDeviceToken(
   db: D1Database,
   trustedTokenKey: TrustedTokenKeyFn,
diff --git a/src/services/storage.ts b/src/services/storage.ts
index 0a8cbde..51a2ec6 100644
--- a/src/services/storage.ts
+++ b/src/services/storage.ts
@@ -96,6 +96,7 @@ import {
   upsertDevice as saveStoredDevice,
   updateDeviceName as updateStoredDeviceName,
   updateDeviceKeys as updateStoredDeviceKeys,
+  updateTrustedTwoFactorTokensExpiryByDevice as updateStoredTrustedTokensExpiryByDevice,
 } from './storage-device-repo';
 import {
   ensureUsedAttachmentDownloadTokenTable as ensureStoredAttachmentTokenTable,
@@ -614,6 +615,10 @@ export class StorageService {
     return deleteStoredTrustedTokensByUserId(this.db, userId);
   }
 
+  async updateTrustedTwoFactorTokensExpiryByDevice(userId: string, deviceIdentifier: string, expiresAtMs: number): Promise<number> {
+    return updateStoredTrustedTokensExpiryByDevice(this.db, userId, deviceIdentifier, expiresAtMs);
+  }
+
   // --- Trusted 2FA remember tokens (device-bound) ---
 
   async saveTrustedTwoFactorDeviceToken(
diff --git a/webapp/src/App.tsx b/webapp/src/App.tsx
index 07d9b2f..c125d74 100644
--- a/webapp/src/App.tsx
+++ b/webapp/src/App.tsx
@@ -1517,6 +1517,7 @@ export default function App() {
     onSaveDomainRules: handleSaveDomainRules,
     onRenameAuthorizedDevice: accountSecurityActions.renameAuthorizedDevice,
     onRevokeDeviceTrust: accountSecurityActions.openRevokeDeviceTrust,
+    onTrustDevicePermanently: accountSecurityActions.openTrustDevicePermanently,
     onRemoveDevice: accountSecurityActions.openRemoveDevice,
     onRevokeAllDeviceTrust: accountSecurityActions.openRevokeAllDeviceTrust,
     onRemoveAllDevices: accountSecurityActions.openRemoveAllDevices,
diff --git a/webapp/src/components/AppMainRoutes.tsx b/webapp/src/components/AppMainRoutes.tsx
index 4fa84f9..ac7a7b6 100644
--- a/webapp/src/components/AppMainRoutes.tsx
+++ b/webapp/src/components/AppMainRoutes.tsx
@@ -116,6 +116,7 @@ export interface AppMainRoutesProps {
   onSaveDomainRules: (customEquivalentDomains: CustomEquivalentDomain[], excludedGlobalEquivalentDomains: number[]) => Promise<void>;
   onRenameAuthorizedDevice: (device: AuthorizedDevice, name: string) => Promise<void>;
   onRevokeDeviceTrust: (device: AuthorizedDevice) => void;
+  onTrustDevicePermanently: (device: AuthorizedDevice) => void;
   onRemoveDevice: (device: AuthorizedDevice) => void;
   onRevokeAllDeviceTrust: () => void;
   onRemoveAllDevices: () => void;
@@ -322,6 +323,7 @@ export default function AppMainRoutes(props: AppMainRoutesProps) {
               onRefresh={() => void props.onRefreshAuthorizedDevices()}
               onRenameDevice={props.onRenameAuthorizedDevice}
               onRevokeTrust={props.onRevokeDeviceTrust}
+              onTrustPermanently={props.onTrustDevicePermanently}
               onRemoveDevice={props.onRemoveDevice}
               onRevokeAll={props.onRevokeAllDeviceTrust}
               onRemoveAll={props.onRemoveAllDevices}
diff --git a/webapp/src/components/SecurityDevicesPage.tsx b/webapp/src/components/SecurityDevicesPage.tsx
index fd62fed..f6b1199 100644
--- a/webapp/src/components/SecurityDevicesPage.tsx
+++ b/webapp/src/components/SecurityDevicesPage.tsx
@@ -1,5 +1,5 @@
 import { useState } from 'preact/hooks';
-import { Clock3, Pencil, RefreshCw, ShieldOff, Trash2 } from 'lucide-preact';
+import { Clock3, Pencil, RefreshCw, ShieldCheck, ShieldOff, Trash2 } from 'lucide-preact';
 import ConfirmDialog from '@/components/ConfirmDialog';
 import LoadingState from '@/components/LoadingState';
 import type { AuthorizedDevice } from '@/lib/types';
@@ -12,6 +12,7 @@ interface SecurityDevicesPageProps {
   onRefresh: () => void;
   onRenameDevice: (device: AuthorizedDevice, name: string) => Promise<void>;
   onRevokeTrust: (device: AuthorizedDevice) => void;
+  onTrustPermanently: (device: AuthorizedDevice) => void;
   onRemoveDevice: (device: AuthorizedDevice) => void;
   onRevokeAll: () => void;
   onRemoveAll: () => void;
@@ -24,6 +25,12 @@ function formatDateTime(value: string | null | undefined): string {
   return date.toLocaleString();
 }
 
+function isPermanentTrust(value: string | null | undefined): boolean {
+  if (!value) return false;
+  const date = new Date(value);
+  return !Number.isNaN(date.getTime()) && date.getUTCFullYear() >= 2099;
+}
+
 function mapDeviceTypeName(type: number): string {
   switch (type) {
     case 0: return t('txt_android');
@@ -135,7 +142,7 @@ export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
                   {device.trusted ? (
                     <div className="trusted-cell">
                       <Clock3 size={13} />
-                      <span>{formatDateTime(device.trustedUntil)}</span>
+                      <span>{isPermanentTrust(device.trustedUntil) ? t('txt_permanent_trust') : formatDateTime(device.trustedUntil)}</span>
                     </div>
                   ) : (
                     <span className="muted-inline">{t('txt_not_trusted')}</span>
@@ -152,6 +159,15 @@ export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
                       <ShieldOff size={14} className="btn-icon" />
                       {t('txt_untrust')}
                     </button>
+                    <button
+                      type="button"
+                      className="btn btn-secondary small"
+                      disabled={!device.trusted || !device.trustedUntil || isPermanentTrust(device.trustedUntil)}
+                      onClick={() => props.onTrustPermanently(device)}
+                    >
+                      <ShieldCheck size={14} className="btn-icon" />
+                      {t('txt_trust_permanently')}
+                    </button>
                     <button
                       type="button"
                       className="btn btn-secondary small"
diff --git a/webapp/src/hooks/useAccountSecurityActions.ts b/webapp/src/hooks/useAccountSecurityActions.ts
index 90347b9..8f972ad 100644
--- a/webapp/src/hooks/useAccountSecurityActions.ts
+++ b/webapp/src/hooks/useAccountSecurityActions.ts
@@ -11,6 +11,7 @@ import {
   revokeAuthorizedDeviceTrust,
   revokeAllAuthorizedDeviceTrust,
   setTotp,
+  trustAuthorizedDevicePermanently,
   updateAuthorizedDeviceName,
   updateProfile,
 } from '@/lib/api/auth';
@@ -208,6 +209,26 @@ export default function useAccountSecurityActions(options: UseAccountSecurityAct
         });
       },
 
+      openTrustDevicePermanently(device: AuthorizedDevice) {
+        onSetConfirm({
+          title: t('txt_trust_device_permanently'),
+          message: t('txt_trust_device_permanently_for_name', { name: device.name }),
+          danger: false,
+          onConfirm: () => {
+            onSetConfirm(null);
+            void (async () => {
+              try {
+                await trustAuthorizedDevicePermanently(authedFetch, device.identifier);
+                await refetchAuthorizedDevices();
+                onNotify('success', t('txt_device_trusted_permanently'));
+              } catch (error) {
+                onNotify('error', error instanceof Error ? error.message : t('txt_trust_device_permanently_failed'));
+              }
+            })();
+          },
+        });
+      },
+
       openRemoveDevice(device: AuthorizedDevice) {
         onSetConfirm({
           title: t('txt_remove_device'),
diff --git a/webapp/src/lib/api/auth.ts b/webapp/src/lib/api/auth.ts
index 6c3cce4..fe43be5 100644
--- a/webapp/src/lib/api/auth.ts
+++ b/webapp/src/lib/api/auth.ts
@@ -667,6 +667,14 @@ export async function revokeAuthorizedDeviceTrust(
   if (!resp.ok) throw new Error(t('txt_revoke_device_trust_failed'));
 }
 
+export async function trustAuthorizedDevicePermanently(
+  authedFetch: AuthedFetch,
+  deviceIdentifier: string
+): Promise<void> {
+  const resp = await authedFetch(`/api/devices/authorized/${encodeURIComponent(deviceIdentifier)}/permanent`, { method: 'POST' });
+  if (!resp.ok) throw new Error(t('txt_trust_device_permanently_failed'));
+}
+
 export async function revokeAllAuthorizedDeviceTrust(authedFetch: AuthedFetch): Promise<void> {
   const resp = await authedFetch('/api/devices/authorized', { method: 'DELETE' });
   if (!resp.ok) throw new Error(t('txt_revoke_all_device_trust_failed'));
diff --git a/webapp/src/lib/demo.ts b/webapp/src/lib/demo.ts
index 0c91650..e22af0c 100644
--- a/webapp/src/lib/demo.ts
+++ b/webapp/src/lib/demo.ts
@@ -1083,6 +1083,14 @@ export function createDemoMainRoutesProps(base: AppMainRoutesProps, notify: Noti
       )));
       notify('success', t('txt_device_authorization_revoked'));
     },
+    onTrustDevicePermanently: (device) => {
+      state.setAuthorizedDevices((prev) => prev.map((item) => (
+        item.identifier === device.identifier && item.trusted
+          ? { ...item, trustedUntil: '2099-12-31T23:59:59.000Z', revisionDate: new Date().toISOString() }
+          : item
+      )));
+      notify('success', t('txt_device_trusted_permanently'));
+    },
     onRemoveDevice: (device) => {
       state.setAuthorizedDevices((prev) => prev.filter((item) => item.identifier !== device.identifier));
       notify('success', t('txt_device_removed'));
diff --git a/webapp/src/lib/i18n/locales/en.ts b/webapp/src/lib/i18n/locales/en.ts
index 9062732..f2fb03c 100644
--- a/webapp/src/lib/i18n/locales/en.ts
+++ b/webapp/src/lib/i18n/locales/en.ts
@@ -690,6 +690,12 @@ const en: Record<string, string> = {
   "txt_revoke_all_device_trust_failed": "Failed to revoke all device trust",
   "txt_revoke_trust": "Revoke Trust",
   "txt_untrust": "Untrust",
+  "txt_trust_permanently": "Trust permanently",
+  "txt_trust_device_permanently": "Trust device permanently",
+  "txt_trust_device_permanently_for_name": "Upgrade \"{name}\" from 30-day trust to permanent trust?",
+  "txt_trust_device_permanently_failed": "Failed to trust device permanently",
+  "txt_device_trusted_permanently": "Device trusted permanently",
+  "txt_permanent_trust": "Permanent trust",
   "txt_update_device_note_failed": "Update device note failed",
   "txt_role": "Role",
   "txt_save": "Save",
diff --git a/webapp/src/lib/i18n/locales/es.ts b/webapp/src/lib/i18n/locales/es.ts
index 058a3a1..8bcd2d2 100644
--- a/webapp/src/lib/i18n/locales/es.ts
+++ b/webapp/src/lib/i18n/locales/es.ts
@@ -690,6 +690,12 @@ const es: Record<string, string> = {
   "txt_revoke_all_device_trust_failed": "Error al revocar la confianza de todos los dispositivos",
   "txt_revoke_trust": "Revocar confianza",
   "txt_untrust": "Quitar confianza",
+  "txt_trust_permanently": "Confiar permanentemente",
+  "txt_trust_device_permanently": "Confiar permanentemente en el dispositivo",
+  "txt_trust_device_permanently_for_name": "¿Actualizar \"{name}\" de confianza de 30 días a confianza permanente?",
+  "txt_trust_device_permanently_failed": "Error al confiar permanentemente en el dispositivo",
+  "txt_device_trusted_permanently": "Dispositivo confiado permanentemente",
+  "txt_permanent_trust": "Confianza permanente",
   "txt_update_device_note_failed": "Error al actualizar la nota del dispositivo",
   "txt_role": "Rol",
   "txt_save": "Guardar",
diff --git a/webapp/src/lib/i18n/locales/ru.ts b/webapp/src/lib/i18n/locales/ru.ts
index ae4f638..5cf752e 100644
--- a/webapp/src/lib/i18n/locales/ru.ts
+++ b/webapp/src/lib/i18n/locales/ru.ts
@@ -690,6 +690,12 @@ const ru: Record<string, string> = {
   "txt_revoke_all_device_trust_failed": "Не удалось отозвать все доверие устройств.",
   "txt_revoke_trust": "Отозвать доверие",
   "txt_untrust": "Не доверять",
+  "txt_trust_permanently": "Доверять постоянно",
+  "txt_trust_device_permanently": "Постоянно доверять устройству",
+  "txt_trust_device_permanently_for_name": "Повысить доверие к «{name}» с 30 дней до постоянного?",
+  "txt_trust_device_permanently_failed": "Не удалось постоянно доверять устройству.",
+  "txt_device_trusted_permanently": "Устройство постоянно доверено",
+  "txt_permanent_trust": "Постоянное доверие",
   "txt_update_device_note_failed": "Не удалось обновить примечание об устройстве.",
   "txt_role": "Роль",
   "txt_save": "Сохранить",
diff --git a/webapp/src/lib/i18n/locales/zh-CN.ts b/webapp/src/lib/i18n/locales/zh-CN.ts
index e41594b..a544aac 100644
--- a/webapp/src/lib/i18n/locales/zh-CN.ts
+++ b/webapp/src/lib/i18n/locales/zh-CN.ts
@@ -690,6 +690,12 @@ const zhCN: Record<string, string> = {
   "txt_revoke_all_device_trust_failed": "撤销所有设备信任失败",
   "txt_revoke_trust": "撤销信任",
   "txt_untrust": "不信任",
+  "txt_trust_permanently": "永久信任",
+  "txt_trust_device_permanently": "永久信任设备",
+  "txt_trust_device_permanently_for_name": "确认把“{name}”从 30 天信任升级为永久信任吗？",
+  "txt_trust_device_permanently_failed": "永久信任设备失败",
+  "txt_device_trusted_permanently": "设备已永久信任",
+  "txt_permanent_trust": "永久信任",
   "txt_update_device_note_failed": "更新设备备注失败",
   "txt_role": "角色",
   "txt_save": "保存",
diff --git a/webapp/src/lib/i18n/locales/zh-TW.ts b/webapp/src/lib/i18n/locales/zh-TW.ts
index bee7c28..5b6872b 100644
--- a/webapp/src/lib/i18n/locales/zh-TW.ts
+++ b/webapp/src/lib/i18n/locales/zh-TW.ts
@@ -690,6 +690,12 @@ const zhTW: Record<string, string> = {
   "txt_revoke_all_device_trust_failed": "撤銷所有設備信任失敗",
   "txt_revoke_trust": "撤銷信任",
   "txt_untrust": "不信任",
+  "txt_trust_permanently": "永久信任",
+  "txt_trust_device_permanently": "永久信任設備",
+  "txt_trust_device_permanently_for_name": "確認把“{name}”從 30 天信任升級為永久信任嗎？",
+  "txt_trust_device_permanently_failed": "永久信任設備失敗",
+  "txt_device_trusted_permanently": "設備已永久信任",
+  "txt_permanent_trust": "永久信任",
   "txt_update_device_note_failed": "更新設備備註失敗",
   "txt_role": "角色",
   "txt_save": "保存",