feat: enhance login handling by introducing local hash derivation and updating session management

2026-06-20 21:00:41 +00:00 · 2026-03-17 08:50:47 +08:00
parent 0ba85229a9
commit 3791f89a5c
4 changed files with 118 additions and 19 deletions
@@ -32,6 +32,7 @@ import {
 } from '@/lib/app-support';
 import {
  bootstrapAppSession,
+  type CompletedLogin,
  readInitialAppBootstrapState,
  performPasswordLogin,
  performRecoverTwoFactorLogin,
@@ -94,9 +95,11 @@ export default function App() {
  const [decryptedFolders, setDecryptedFolders] = useState<VaultFolder[]>([]);
  const [decryptedCiphers, setDecryptedCiphers] = useState<Cipher[]>([]);
  const [decryptedSends, setDecryptedSends] = useState<Send[]>([]);
+  const sessionRef = useRef<SessionState | null>(initialBootstrap.session);
  const migratedPlainFolderIdsRef = useRef<Set<string>>(new Set());
  const silentRefreshVaultRef = useRef<() => Promise<void>>(async () => {});
  const refreshAuthorizedDevicesRef = useRef<() => Promise<void>>(async () => {});
+  const repairAttemptRef = useRef<string>('');
  const { toasts, pushToast, removeToast } = useToastManager();

  useEffect(() => {
@@ -153,6 +156,7 @@ export default function App() {
  }, []);

  function setSession(next: SessionState | null) {
+    sessionRef.current = next;
    setSessionState(next);
    saveSession(next);
  }
@@ -210,10 +214,9 @@ export default function App() {
    };
  }, []);

-  async function finalizeLogin(nextSession: SessionState, nextProfile: Profile) {
-    setSession(nextSession);
-    setProfile(nextProfile);
-    await silentlyRepairBackupSettingsIfNeeded(nextSession, nextProfile);
+  async function finalizeLogin(login: CompletedLogin) {
+    setSession(login.session);
+    setProfile(login.profile);
    setPendingTotp(null);
    setTotpCode('');
    setPhase('app');
@@ -221,6 +224,15 @@ export default function App() {
      navigate('/vault');
    }
    pushToast('success', t('txt_login_success'));
+    void (async () => {
+      try {
+        const hydratedProfile = await login.profilePromise;
+        if (sessionRef.current?.accessToken !== login.session.accessToken) return;
+        setProfile(hydratedProfile);
+      } catch {
+        // Keep the in-memory transient profile for the current session.
+      }
+    })();
  }

  async function handleLogin() {
@@ -233,7 +245,7 @@ export default function App() {
    try {
      const result = await performPasswordLogin(loginValues.email, loginValues.password, defaultKdfIterations);
      if (result.kind === 'success') {
-        await finalizeLogin(result.login.session, result.login.profile);
+        await finalizeLogin(result.login);
        return;
      }
      if (result.kind === 'totp') {
@@ -258,7 +270,7 @@ export default function App() {
    }
    try {
      const login = await performTotpLogin(pendingTotp, totpCode, rememberDevice);
-      await finalizeLogin(login.session, login.profile);
+      await finalizeLogin(login);
    } catch (error) {
      pushToast('error', error instanceof Error ? error.message : t('txt_totp_verify_failed'));
    }
@@ -275,7 +287,7 @@ export default function App() {
    try {
      const recovered = await performRecoverTwoFactorLogin(email, password, recoveryCode, defaultKdfIterations);
      if (recovered.login) {
-        await finalizeLogin(recovered.login.session, recovered.login.profile);
+        await finalizeLogin(recovered.login);
        if (recovered.newRecoveryCode) {
          pushToast('success', t('txt_text_2fa_recovered_new_recovery_code_code', { code: recovered.newRecoveryCode }));
        } else {
@@ -337,7 +349,6 @@ export default function App() {
    try {
      const nextSession = await performUnlock(session, profile, unlockPassword, defaultKdfIterations);
      setSession(nextSession);
-      await silentlyRepairBackupSettingsIfNeeded(nextSession, profile);
      setUnlockPassword('');
      setPhase('app');
      if (location === '/' || location === '/lock') navigate('/vault');
@@ -439,6 +450,20 @@ export default function App() {
    enabled: phase === 'app' && !!session?.accessToken,
  });

+  useEffect(() => {
+    if (phase !== 'app' || !session?.accessToken || !session?.symEncKey || !session?.symMacKey) return;
+    if (!profile?.role || profile.role !== 'admin') return;
+    if (repairAttemptRef.current === session.accessToken) return;
+
+    repairAttemptRef.current = session.accessToken;
+    void silentlyRepairBackupSettingsIfNeeded(session, profile);
+  }, [phase, session?.accessToken, session?.symEncKey, session?.symMacKey, profile]);
+
+  useEffect(() => {
+    if (session?.accessToken) return;
+    repairAttemptRef.current = '';
+  }, [session?.accessToken]);
+
  useEffect(() => {
    if (!session?.symEncKey || !session?.symMacKey) {
      setDecryptedFolders([]);
@@ -109,6 +109,18 @@ export async function deriveLoginHash(email: string, password: string, fallbackI
  return { hash: bytesToBase64(hash), masterKey, kdfIterations: iterations };
 }

+export async function deriveLoginHashLocally(
+  email: string,
+  password: string,
+  fallbackIterations: number
+): Promise<PreloginResult> {
+  const normalizedEmail = String(email || '').trim().toLowerCase();
+  const iterations = Number(fallbackIterations || 600000);
+  const masterKey = await pbkdf2(password, normalizedEmail, iterations, 32);
+  const hash = await pbkdf2(masterKey, password, 1, 32);
+  return { hash: bytesToBase64(hash), masterKey, kdfIterations: iterations };
+}
+
 export async function getPreloginKdfConfig(email: string, fallbackIterations: number): Promise<PreloginKdfConfig> {
  const normalized = String(email || '').trim().toLowerCase();
  if (!normalized) throw new Error('Email is required');
@@ -1,6 +1,7 @@
 import {
  createAuthedFetch,
  deriveLoginHash,
+  deriveLoginHashLocally,
  getProfile,
  loadSession,
  loginWithPassword,
@@ -10,7 +11,7 @@ import {
  unlockVaultKey,
 } from '@/lib/api/auth';
 import { readInviteCodeFromUrl } from '@/lib/app-support';
-import type { AppPhase, Profile, SessionState, WebBootstrapResponse } from '@/lib/types';
+import type { AppPhase, Profile, SessionState, TokenSuccess, WebBootstrapResponse } from '@/lib/types';

 export interface PendingTotp {
  email: string;
@@ -38,6 +39,7 @@ export interface InitialAppBootstrapState {
 export interface CompletedLogin {
  session: SessionState;
  profile: Profile;
+  profilePromise: Promise<Profile>;
 }

 export type PasswordLoginResult =
@@ -91,6 +93,42 @@ function readWindowBootstrap(): WebBootstrapResponse {
  return raw && typeof raw === 'object' ? raw : {};
 }

+interface AccessTokenClaims {
+  sub?: string;
+  email?: string;
+  name?: string | null;
+  premium?: boolean;
+}
+
+function decodeAccessTokenClaims(accessToken: string): AccessTokenClaims {
+  try {
+    const parts = accessToken.split('.');
+    if (parts.length < 2) return {};
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const padded = payload.padEnd(Math.ceil(payload.length / 4) * 4, '=');
+    return (JSON.parse(atob(padded)) as AccessTokenClaims) || {};
+  } catch {
+    return {};
+  }
+}
+
+function buildTransientProfile(token: TokenSuccess, email: string): Profile {
+  const claims = decodeAccessTokenClaims(token.access_token);
+  const normalizedEmail = String(claims.email || email || '').trim().toLowerCase();
+  const accountKeys = token.accountKeys ?? token.AccountKeys ?? null;
+  return {
+    id: String(claims.sub || ''),
+    email: normalizedEmail,
+    name: String(claims.name || normalizedEmail || ''),
+    key: String(token.Key || ''),
+    privateKey: token.PrivateKey ?? null,
+    role: 'user',
+    premium: !!claims.premium,
+    accountKeys,
+    object: 'profile',
+  };
+}
+
 export function readInitialAppBootstrapState(): InitialAppBootstrapState {
  const boot = readWindowBootstrap();
  const defaultKdfIterations = Number(boot.defaultKdfIterations || 600000);
@@ -168,21 +206,29 @@ export async function bootstrapAppSession(): Promise<BootstrapAppResult> {
 }

 export async function completeLogin(
-  tokenAccess: string,
-  tokenRefresh: string,
+  token: TokenSuccess,
  email: string,
  masterKey: Uint8Array
 ): Promise<CompletedLogin> {
-  const baseSession: SessionState = { accessToken: tokenAccess, refreshToken: tokenRefresh, email };
+  const normalizedEmail = email.trim().toLowerCase();
+  const baseSession: SessionState = {
+    accessToken: token.access_token,
+    refreshToken: token.refresh_token,
+    email: normalizedEmail,
+  };
  const tempFetch = createAuthedFetch(
    () => baseSession,
    () => {}
  );
-  const profile = await getProfile(tempFetch);
+  const profile = buildTransientProfile(token, normalizedEmail);
+  if (!profile.key) {
+    throw new Error('Missing profile key');
+  }
  const keys = await unlockVaultKey(profile.key, masterKey);
  return {
    session: { ...baseSession, ...keys },
    profile,
+    profilePromise: getProfile(tempFetch),
  };
 }

@@ -192,13 +238,13 @@ export async function performPasswordLogin(
  fallbackIterations: number
 ): Promise<PasswordLoginResult> {
  const normalizedEmail = email.trim().toLowerCase();
-  const derived = await deriveLoginHash(normalizedEmail, password, fallbackIterations);
+  const derived = await deriveLoginHashLocally(normalizedEmail, password, fallbackIterations);
  const token = await loginWithPassword(normalizedEmail, derived.hash, { useRememberToken: true });

  if ('access_token' in token && token.access_token) {
    return {
      kind: 'success',
-      login: await completeLogin(token.access_token, token.refresh_token, normalizedEmail, derived.masterKey),
+      login: await completeLogin(token, normalizedEmail, derived.masterKey),
    };
  }

@@ -230,7 +276,7 @@ export async function performTotpLogin(
    rememberDevice,
  });
  if ('access_token' in token && token.access_token) {
-    return completeLogin(token.access_token, token.refresh_token, pendingTotp.email, pendingTotp.masterKey);
+    return completeLogin(token, pendingTotp.email, pendingTotp.masterKey);
  }
  const tokenError = token as { error_description?: string; error?: string };
  throw new Error(tokenError.error_description || tokenError.error || 'TOTP verify failed');
@@ -243,13 +289,13 @@ export async function performRecoverTwoFactorLogin(
  fallbackIterations: number
 ): Promise<RecoverTwoFactorResult> {
  const normalizedEmail = email.trim().toLowerCase();
-  const derived = await deriveLoginHash(normalizedEmail, password, fallbackIterations);
+  const derived = await deriveLoginHashLocally(normalizedEmail, password, fallbackIterations);
  const recovered = await recoverTwoFactor(normalizedEmail, derived.hash, recoveryCode.trim());
  const token = await loginWithPassword(normalizedEmail, derived.hash, { useRememberToken: false });

  if ('access_token' in token && token.access_token) {
    return {
-      login: await completeLogin(token.access_token, token.refresh_token, normalizedEmail, derived.masterKey),
+      login: await completeLogin(token, normalizedEmail, derived.masterKey),
      newRecoveryCode: recovered.newRecoveryCode || null,
    };
  }
@@ -282,7 +328,7 @@ export async function performUnlock(
  password: string,
  fallbackIterations: number
 ): Promise<SessionState> {
-  const derived = await deriveLoginHash(profile.email || session.email, password, fallbackIterations);
+  const derived = await deriveLoginHashLocally(profile.email || session.email, password, fallbackIterations);
  const keys = await unlockVaultKey(profile.key, derived.masterKey);
  const refreshedSession = await maybeRefreshSession(session);
  if (!refreshedSession) {
@@ -265,7 +265,23 @@ export interface WebBootstrapResponse {
 export interface TokenSuccess {
  access_token: string;
  refresh_token: string;
+  expires_in?: number;
+  token_type?: string;
  TwoFactorToken?: string;
+  Key?: string;
+  PrivateKey?: string | null;
+  AccountKeys?: unknown | null;
+  accountKeys?: unknown | null;
+  Kdf?: number;
+  KdfIterations?: number;
+  KdfMemory?: number | null;
+  KdfParallelism?: number | null;
+  ForcePasswordReset?: boolean;
+  ResetMasterPassword?: boolean;
+  scope?: string;
+  unofficialServer?: boolean;
+  UserDecryptionOptions?: unknown;
+  userDecryptionOptions?: unknown;
 }

 export interface TokenError {