feat: add uriChecksum handling and sha256Base64 function for enhanced security

webapp/src/lib/api/vault.ts

@@ -1,4 +1,4 @@
-import { base64ToBytes, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData } from '../crypto';
+import { base64ToBytes, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData, sha256Base64 } from '../crypto';
 import type {
   Cipher,
   CipherPasswordHistoryEntry,
@@ -574,12 +574,18 @@ async function encryptUris(
       entry?.extra && typeof entry.extra === 'object'
         ? { ...entry.extra }
         : {};
-    if (String(entry?.originalUri || '').trim() !== trimmed) {
+    const canReuseChecksum = String(entry?.originalUri || '').trim() === trimmed;
+    if (!canReuseChecksum) {
       delete preservedExtra.uriChecksum;
     }
+    const preservedChecksum = typeof preservedExtra.uriChecksum === 'string' && looksLikeCipherString(preservedExtra.uriChecksum)
+      ? preservedExtra.uriChecksum
+      : null;
+    const uriChecksum = preservedChecksum || await encryptTextValue(await sha256Base64(trimmed), enc, mac);
     out.push({
       ...preservedExtra,
       uri: await encryptTextValue(trimmed, enc, mac),
+      uriChecksum,
       match: typeof entry?.match === 'number' && Number.isFinite(entry.match) ? entry.match : null,
     });
   }

webapp/src/lib/crypto.ts

@@ -22,6 +22,12 @@ export function toBufferSource(bytes: Uint8Array): ArrayBuffer {
   return new Uint8Array(bytes).buffer;
 }
 
+export async function sha256Base64(value: string): Promise<string> {
+  const bytes = new TextEncoder().encode(value);
+  const hash = await crypto.subtle.digest('SHA-256', toBufferSource(bytes));
+  return bytesToBase64(new Uint8Array(hash));
+}
+
 const hmacSha256KeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();
 const aesCbcEncryptKeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();
 const aesCbcDecryptKeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();