* user vault
* code cleanup and fixes
* improve ui
* prevent name collisions between users on the same device
* some improvements
* implement storage migration
* comments and cleanup
* make connect button primary instead of warning
* move show passphrase in new line (improvement for small screen devices)
* make show passphrase field readOnly
* fixes
* fix vault key unsync
* implicit migration
* move device sync under general tab
* fix locally disabled wallets and default wallet selection
* improve text
* remove useless SSR check
* add auth checks
* Rename variables
* Fix missing await
* Refactor local<>vault storage interface
I've changed quite some things here. Attempt of a summary:
* storageKey is now only controlled by useVaultStorageState
I've noticed that dealing with how storage keys are generated (to apply user scope) was handled in two places: the existing wallet code and in the new vault code.
This was confusing and error-prone. I've fixed that by completely relying on the new vault code to generate correct storage keys.
* refactored migration
Migration now simply encrypts any existing local wallets and sends them to the server. On success, the local unencrypted version is deleted.
The previous code seemed to unnecessarily generate new local entries prefixed by 'vault:'.
However, since we either use unencrypted local state OR use the encrypted vault on the server for the data, I didn't see any need for these.
Migration seems to work just as well as before.
* removed unnecessary state
In the <DeviceSync> component, enabled & connected were using a unnecessary combo of useState+useEffect.
They were only using variables that are always available during render so simple assignments were enough.
* other minor changes include:
* early returns
* remove unnecessary SSR checks in useEffect or useCallback
* formatting, comments
* remove unnecessary me? to expose possible bugs
* Fix missing dependency for useZap
This didn't cause any bugs because useWallet returns everything we need on first render.
This caused a bug with E2EE device sync branch though since there the wallet is loaded async.
This meant that during payment, the wallet config was undefined.
* Assume JSON during encryption and decryption
* Fix stale value from cache served on next fetches
* Add wallet.perDevice field
This adds 'perDevice' as a new wallet field to force local storage. For example, WebLN should not be synced across devices.
* Remove debug buttons
* Rename userVault -> vault
* Update console.log's
* revert some of the migration and key handling changes. restore debug buttons for testing
* Fix existing wallets not loaded
* Pass in localOnly and generate localStorageKey once
* Small refactor of migration
* Fix wallet drag and drop
* Add passphrase copy button
* Fix priorityOnly -> skipTests
* Disable autocompletion for reset confirmation prompt
* Show wrong passphrase as input error
* Move code into components/device-sync.js
* Import/export passphrase via QR code
* Fix modal back button invisible in light mode
* Fix modal closed even on connect error
* Use me-2 for cancel/close button
* Some rephrasing
* Fix wallet detach
* Remove debug buttons
* Fix QR code scan in dark mode
* Don't allow custom passphrases
* More rephrasing
* Only use schema if not enabled
* Fix typo in comment
* Replace 'generate passphrase' button with reload icon
* Add comment about IV reuse in GCM
* Use 600k iterations as recommended by OWASP
* Set extractable to false where not needed
* use-vault fallbacks to local storage only for anonymous users
* fix localStorage reset on logout
* add copy button
* move reset out of modals
* hide server side errors
* hardened passphrase storage
* do not show passphrase even if hardened storage is disabled (ie. indexeddb not supported)
* show qr code button on passphrase creation
* use toast for serverside error
* Move key (de)serialization burden to get/setLocalKey functions
* password textarea and remove qr
* don't print plaintext vault values into console
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: k00b <k00b@stacker.news>
* Add image carousel in fullscreen
* Flip through all images of a post
* Disable image selection in fullscreen
* Keep max-width: 100vw for images
* Fix missing dependency
* fix merge resolve bug
* better css
* refactor, keypress/swipe events, remove scoll
* changes after self-review
* give previews their own carousel
* hooks for arrow keys and swiping
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: k00b <k00b@stacker.news>
* Generate API key in settings
* Check x-api-key for GraphQL API requests
* Don't fallback to cookie if x-api-key header was provided
* Select all session fields
* Fix error if API key not found
* Fix style in settings via form-label className
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* Add anon zaps
* Add anon comments and posts (link, discussion, poll)
* Use payment hash instead of invoice id as proof of payment
Our invoice IDs can be enumerated.
So there is a - even though very rare - chance that an attacker could find a paid invoice which is not used yet and use it for himself.
Random payment hashes prevent this.
Also, since we delete invoices after use, using database IDs as proof of payments are not suitable.
If a user tells us an invoice ID after we deleted it, we can no longer tell if the invoice was paid or not since the LN node only knows about payment hashes but nothing about the database IDs.
* Allow pay per invoice for stackers
The modal which pops up if the stacker does not have enough sats now has two options: "fund wallet" and "pay invoice"
* Fix onSuccess called twice
For some reason, when calling `showModal`, `useMemo` in modal.js and the code for the modal component (here: <Invoice>) is called twice.
This leads to the `onSuccess` callback being called twice and one failing since the first one deletes the invoice.
* Keep invoice modal open if focus is lost
* Skip anon user during trust calculation
* Add error handling
* Skip 'invoice not found' errors
* Remove duplicate insufficient funds handling
* Fix insufficient funds error detection
* Fix invoice amount for comments
* Allow pay per invoice for bounty and job posts
* Also strike on payment after short press
* Fix unexpected token 'export'
* Fix eslint
* Remove unused id param
* Fix comment copy-paste error
* Rename to useInvoiceable
* Fix unexpected token 'export'
* Fix onConfirmation called at every render
* Add invoice HMAC
This prevents entities which know the invoice hash (like all LN nodes on the payment path) from using the invoice hash on SN.
Only the user which created the invoice knows the HMAC and thus can use the invoice hash.
* make anon posting less hidden, add anon info button explainer
* Fix anon users can't zap other anon users
* Always show repeat and contacts on action error
* Keep track of modal stack
* give anon an icon
* add generic date pivot helper
* make anon user's invoices expire in 5 minutes
* fix forgotten find and replace
* use datePivot more places
* add sat amounts to invoices
* reduce anon invoice expiration to 3 minutes
* don't abbreviate
* Fix [object Object] as error message
Any errors thrown here are already objects of shape { message: string }
* Fix empty invoice creation attempts
I stumbled across this while checking if anons can edit their items.
I monkey patched the code to make it possible (so they can see the 'edit' button) and tried to edit an item but I got this error:
Variable "$amount" of required type "Int!" was not provided.
I fixed this even though this function should never be called without an amount anyway. It will return a sane error in that case now.
* anon func mods, e.g. inv limits
* anon tips should be denormalized
* remove redundant meTotalSats
* correct overlay zap text for anon
* exclude anon from trust graph before algo runs
* remove balance limit on anon
* give anon a bio and remove cowboy hat/top stackers;
* make anon hat appear on profile
* concat hash and hmac and call it a token
* Fix localStorage cleared because error were swallowed
* fix qr layout shift
* restyle fund error modal
* Catch invoice errors in fund error modal
* invoice check backoff
* anon info typo
* make invoice expiration times have saner defaults
* add comma to anon info
* use builtin copy input label
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
k00b
Riccardo Balbo
ekzyis
Keyan
keyan
ekzyis
Austin Kelsay
kerooke