* user vault
* code cleanup and fixes
* improve ui
* prevent name collisions between users on the same device
* some improvements
* implement storage migration
* comments and cleanup
* make connect button primary instead of warning
* move show passphrase in new line (improvement for small screen devices)
* make show passphrase field readOnly
* fixes
* fix vault key unsync
* implicit migration
* move device sync under general tab
* fix locally disabled wallets and default wallet selection
* improve text
* remove useless SSR check
* add auth checks
* Rename variables
* Fix missing await
* Refactor local<>vault storage interface
I've changed quite some things here. Attempt of a summary:
* storageKey is now only controlled by useVaultStorageState
I've noticed that dealing with how storage keys are generated (to apply user scope) was handled in two places: the existing wallet code and in the new vault code.
This was confusing and error-prone. I've fixed that by completely relying on the new vault code to generate correct storage keys.
* refactored migration
Migration now simply encrypts any existing local wallets and sends them to the server. On success, the local unencrypted version is deleted.
The previous code seemed to unnecessarily generate new local entries prefixed by 'vault:'.
However, since we either use unencrypted local state OR use the encrypted vault on the server for the data, I didn't see any need for these.
Migration seems to work just as well as before.
* removed unnecessary state
In the <DeviceSync> component, enabled & connected were using a unnecessary combo of useState+useEffect.
They were only using variables that are always available during render so simple assignments were enough.
* other minor changes include:
* early returns
* remove unnecessary SSR checks in useEffect or useCallback
* formatting, comments
* remove unnecessary me? to expose possible bugs
* Fix missing dependency for useZap
This didn't cause any bugs because useWallet returns everything we need on first render.
This caused a bug with E2EE device sync branch though since there the wallet is loaded async.
This meant that during payment, the wallet config was undefined.
* Assume JSON during encryption and decryption
* Fix stale value from cache served on next fetches
* Add wallet.perDevice field
This adds 'perDevice' as a new wallet field to force local storage. For example, WebLN should not be synced across devices.
* Remove debug buttons
* Rename userVault -> vault
* Update console.log's
* revert some of the migration and key handling changes. restore debug buttons for testing
* Fix existing wallets not loaded
* Pass in localOnly and generate localStorageKey once
* Small refactor of migration
* Fix wallet drag and drop
* Add passphrase copy button
* Fix priorityOnly -> skipTests
* Disable autocompletion for reset confirmation prompt
* Show wrong passphrase as input error
* Move code into components/device-sync.js
* Import/export passphrase via QR code
* Fix modal back button invisible in light mode
* Fix modal closed even on connect error
* Use me-2 for cancel/close button
* Some rephrasing
* Fix wallet detach
* Remove debug buttons
* Fix QR code scan in dark mode
* Don't allow custom passphrases
* More rephrasing
* Only use schema if not enabled
* Fix typo in comment
* Replace 'generate passphrase' button with reload icon
* Add comment about IV reuse in GCM
* Use 600k iterations as recommended by OWASP
* Set extractable to false where not needed
* use-vault fallbacks to local storage only for anonymous users
* fix localStorage reset on logout
* add copy button
* move reset out of modals
* hide server side errors
* hardened passphrase storage
* do not show passphrase even if hardened storage is disabled (ie. indexeddb not supported)
* show qr code button on passphrase creation
* use toast for serverside error
* Move key (de)serialization burden to get/setLocalKey functions
* password textarea and remove qr
* don't print plaintext vault values into console
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: k00b <k00b@stacker.news>
* WIP: Account switching
* Fix empty USER query
ANON_USER_ID was undefined and thus the query for @anon had no variables.
* Apply multiAuthMiddleware in /api/graphql
* Fix 'you must be logged in' query error on switch to anon
* Add smart 'switch account' button
"smart" means that it only shows if there are accounts to which one can switch
* Fix multiAuth not set in backend
* Comment fixes, minor changes
* Use fw-bold instead of 'selected'
* Close dropdown and offcanvas
Inside a dropdown, we can rely on autoClose but need to wrap the buttons with <Dropdown.Item> for that to work.
For the offcanvas, we need to pass down handleClose.
* Use button to add account
* Some pages require hard reload on account switch
* Reinit settings form on account switch
* Also don't refetch WalletHistory
* Formatting
* Use width: fit-content for standalone SignUpButton
* Remove unused className
* Use fw-bold and text-underline on selected
* Fix inconsistent padding of login buttons
* Fix duplicate redirect from /settings on anon switch
* Never throw during refetch
* Throw errors which extend GraphQLError
* Only use meAnonSats if logged out
* Use reactive variable for meAnonSats
The previous commit broke the UI update after anon zaps because we actually updated item.meSats in the cache and not item.meAnonSats.
Updating item.meAnonSats was not possible because it's a local field. For that, one needs to use reactive variables.
We do this now and thus also don't need the useEffect hack in item-info.js anymore.
* Switch to new user
* Fix missing cleanup during logout
If we logged in but never switched to any other account, the 'multi_auth.user-id' cookie was not set.
This meant that during logout, the other 'multi_auth.*' cookies were not deleted.
This broke the account switch modal.
This is fixed by setting the 'multi_auth.user-id' cookie on login.
Additionally, we now cleanup if cookie pointer OR session is set (instead of only if both are set).
* Fix comments in middleware
* Remove unnecessary effect dependencies
setState is stable and thus only noise in effect dependencies
* Show but disable unavailable auth methods
* make signup button consistent with others
* Always reload page on switch
* refine account switch styling
* logout barrier
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: k00b <k00b@stacker.news>
* add random zapping support
adds an option to enable random zap amounts per stacker
configurable in settings, you can enable this feature and provide
an upper and lower range of your random zap amount
* rename github eslint check to lint
this has been bothering me since we aren't using eslint for linting
* fixup! add random zapping support
* fixup! rename github eslint check to lint
* fixup! fixup! add random zapping support
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* Parse internal refs to links
* Item mention notifications
* Also parse item mentions as URLs
* Fix subType determined by referrer item instead of referee item
* Ignore subType
Considering if the item that was referred to was a post or comment made the code more complex than initially necessary.
For example, notifications for /notifications are deduplicated based on item id and the same item could refer to posts and comments, so to include "one of your posts" or "one of your comments" in the title would require splitting notifications based on the type of referred item.
I didn't want to do this but also wanted to have consistent notification titles between push and /notifications, so I use "items" in both places now, even though I think using "items" isn't ideal from a user perspective. I think it might be confusing.
* Fix rootText
* Replace full links to #<id> syntax in push notifications
* Refactor mention code into separate functions
* first pass of a mute mgmt page, ported from subscription mgmt page pr
* adjust error message for mutes
* muted users -> muted stackers
* fix typo in component name
* first pass of a subscription management page under settings
* add tabs to settings ui
* NymActionDropdown
* update Apollo InMemoryCache to merge paginated list of my subscribed users
* various updates
* switch from UsersNullable to Users
* bake the nym action dropdwon into the user component
* add back fields to the user query
* `meSubscriptionPosts`, `meSubscriptionComments`, `meMute`
* Refetch my subscribed users when a user subscription is changed
* update user list to hide stats in the subscribed list users
* update my sub'd users fragment to remove unnecessary user fields
* memoize subscribe user context provider value to avoid re-renders
* use inner join instead of left join
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* throw error when unauthenticated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Generate API key in settings
* Check x-api-key for GraphQL API requests
* Don't fallback to cookie if x-api-key header was provided
* Select all session fields
* Fix error if API key not found
* Fix style in settings via form-label className
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* Territory notifications
* Migrate old setting to new table
* Auto subscribe founders to their territories on creation
* Fix (un)subscribe not shown to founder
* Rename to toggleSubSubscription
* Fix inconsistency between toggleSubSubscription and toggleMuteSub
* Add dedicated button in header for following territories
* Don't drop noteTerritoryPosts column
* Fix db dip in Sub.meSubscription resolver
* Move territory subscribe to new territory context menu
* Decrease space between share icon and mute button
* Fix eslint
* add nterritories field to User
* add userSubs query
* show territories tab on user profiles
hide the tab if user has 0 territories, except when the
viewer navigated directly to the user's territories page
* add USER_WITH_SUBS query for user territories page
* add user territories page
* add nsfw column to sub
* add nsfw boolean to territorySchema
* save nsfw value in upsertSub mutation
* return nsfw value from Sub query for correct value in edit territory form
* add nsfw checkbox to territory form
* add nsfw badge to territory header
* add nsfwMode to user
* show nsfw badge next to item territory
* exclude nsfw sub from items query
* show nsfw mode checkbox on settings page
* fix nsfw badge formatting
* separate user from current, signed in user
* update relationClause to join with sub table
* refactor to simplify hide nsfw sql
* filter nsfw items when viewing user items
* hide nsfw posts for logged out users
* filter nsfw subs based on user preference
* show nsfw sub name if logged out user is viewing the page
* show current sub at the top of the list instead of bottom
* always join item with sub to check nsfw
* check for sub presence before showing nsfw badge on item
* skip manually adding sub to select if sub is null
* fix relationClause to join with root item
* move moderation and nsfw into accordion
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* add custom range option to top items page
* add custom range option to profile page
* add date filter option to chart pages
* cleanup
* fix x-axis date labels
* date picker improvements
* enhancements to custom date selection
* remove unneeded condition
---------
Co-authored-by: rleed <rleed1@pm.me>
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* uber rough first pass at mention autocompletes
* support custom limit on topUsers query
* hot keys for selecting user suggestion in markdown input
* query top stackers for mentions with no search query
* refactor UserSuggestion to help with reusability
textarea-caret for placing the user suggest dropdown appropriately
other various code cleanup items to make it easier to use
off by one errors are fun!
various code cleanup and reuse the UserSuggest component in InputUserSuggest to reduce duplication
* change default users to week query
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
* Crossposting discussion function, crossposting setting migration
* Passing in id, adding relays to test
* Adding checkbox setting for crossposting enabled
* Adding paramaterized event fields to crosspostDiscussion, successfully crossposting discussions
* Cleaning up for rebase
* Removing nostrRelays
* Retry crosspost toast
* Adding nostrCrossposting to settings, fixing migration
* Full flow is working with error surfacing, retries, and skips for a retry
* Updates to error handling/retries for crossposting, fixing settings for crossposting
* Allowing recursive retries for crossposting to specific relays
* Fixing / syncing crossposting settings, cleaning up and seperating out nostr functions
* Cleaning up
* Running linter
* make nostr crossposter a hook
---------
Co-authored-by: Austin <austin@pop-os.localdomain>
Co-authored-by: plebdev <plebdev@plebdevs-MacBook-Pro.local>
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
* Remove outdated comments about srcSet value
We no longer distinguish between `undefined` and `null` for `srcSet`.
* Fix misleading URL shown
* Update/fix comments in <ImageOriginal>
* Simplify condition when to show image
I think this is not required since `showImage` will always stay false if tab !== 'preview' or me?.clickToLoadImg are true.
* Rename to imgproxyOnly
* Add info to imgproxyOnly setting
* Fix text of markdown links not used on imgproxy errors
* Fix rendering markdown links with text as images
---------
Co-authored-by: ekzyis <ek@stacker.news>
* Add diagnostics settings & endpoint
Stackers can now help us to identify and fix bugs by enabling diagnostics.
This will send anonymized data to us.
For now, this is only used to send events around push notifications.
* Send diagnostics to slack
* Detect OS
* Diagnostics data is only pseudonymous, not anonymous
It's only pseudonymous since with additional knowledge (which stacker uses which fancy name), we could trace the events back to individual stackers.
Data is only anonymous if this is not possible - it must be irreversible.
* Check if window.navigator is defined
* Use Slack SDK
* Catch errors of slack requests
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* Subscribe to user posts and comments independently
* Track when comments and posts subscriptions are set to filter out old items
* Only send push notification to subscribed user if posts/comments enabled
* Remove `posts` and `comments` boolean fields on UserSub, rely solely on timestamps
* Hide wallet balance on long press
* Use setting to hide wallet balance
* Fix layout shift on hover
* Fix SSR warning about useLayoutEffect
See https://reactjs.org/link/uselayouteffect-ssr
* Also hide balance in wallet
---------
Co-authored-by: ekzyis <ek@stacker.news>
* Notifications for when you are forwarded sats from a post
Support notifications when a post for which you are forwarded gets zapped
This is controlled by a new boolean flag in user settings
* Send push notifications to forwarded users when they get forwarded sats
* Add `Promise.allSettled` per PR feedback
* Remove `FEE` act type when building forwarded zaps notifications
Don't include `FEE` actions, only `TIP` actions to avoid "0 sats forwarded" notifications
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
* First pass of user subscriptions
* add new db model to track subscriptions
* update user typedef and api resolver for subscription state
* add subscribe action to user profile page
* add mutation to subscribe to a user
* Update notifications queries, hasNewNotes queries for FollowActivity note type
* Only show items that have been created since subscribing to the user
* Send push notifications to user subscribers for posts and comments
* Rename item dropdown to action dropdown and re-use for item info and user actions
* Don't allow self-follows
* Add index on followee for faster lookups
* Don't show subscribe action if not logged in
* small style enhance
---------
Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
* Add new setting to hide bookmarks from other users (and anon)
* Optional chaining in case user doesnt exist, and avoid duplicate sql query in some cases
* Configure imgproxy timeouts
* Use click to load on imgproxy errors
* Add setting for click to load
---------
Co-authored-by: ekzyis <ek@stacker.news>
* Add anon zaps
* Add anon comments and posts (link, discussion, poll)
* Use payment hash instead of invoice id as proof of payment
Our invoice IDs can be enumerated.
So there is a - even though very rare - chance that an attacker could find a paid invoice which is not used yet and use it for himself.
Random payment hashes prevent this.
Also, since we delete invoices after use, using database IDs as proof of payments are not suitable.
If a user tells us an invoice ID after we deleted it, we can no longer tell if the invoice was paid or not since the LN node only knows about payment hashes but nothing about the database IDs.
* Allow pay per invoice for stackers
The modal which pops up if the stacker does not have enough sats now has two options: "fund wallet" and "pay invoice"
* Fix onSuccess called twice
For some reason, when calling `showModal`, `useMemo` in modal.js and the code for the modal component (here: <Invoice>) is called twice.
This leads to the `onSuccess` callback being called twice and one failing since the first one deletes the invoice.
* Keep invoice modal open if focus is lost
* Skip anon user during trust calculation
* Add error handling
* Skip 'invoice not found' errors
* Remove duplicate insufficient funds handling
* Fix insufficient funds error detection
* Fix invoice amount for comments
* Allow pay per invoice for bounty and job posts
* Also strike on payment after short press
* Fix unexpected token 'export'
* Fix eslint
* Remove unused id param
* Fix comment copy-paste error
* Rename to useInvoiceable
* Fix unexpected token 'export'
* Fix onConfirmation called at every render
* Add invoice HMAC
This prevents entities which know the invoice hash (like all LN nodes on the payment path) from using the invoice hash on SN.
Only the user which created the invoice knows the HMAC and thus can use the invoice hash.
* make anon posting less hidden, add anon info button explainer
* Fix anon users can't zap other anon users
* Always show repeat and contacts on action error
* Keep track of modal stack
* give anon an icon
* add generic date pivot helper
* make anon user's invoices expire in 5 minutes
* fix forgotten find and replace
* use datePivot more places
* add sat amounts to invoices
* reduce anon invoice expiration to 3 minutes
* don't abbreviate
* Fix [object Object] as error message
Any errors thrown here are already objects of shape { message: string }
* Fix empty invoice creation attempts
I stumbled across this while checking if anons can edit their items.
I monkey patched the code to make it possible (so they can see the 'edit' button) and tried to edit an item but I got this error:
Variable "$amount" of required type "Int!" was not provided.
I fixed this even though this function should never be called without an amount anyway. It will return a sane error in that case now.
* anon func mods, e.g. inv limits
* anon tips should be denormalized
* remove redundant meTotalSats
* correct overlay zap text for anon
* exclude anon from trust graph before algo runs
* remove balance limit on anon
* give anon a bio and remove cowboy hat/top stackers;
* make anon hat appear on profile
* concat hash and hmac and call it a token
* Fix localStorage cleared because error were swallowed
* fix qr layout shift
* restyle fund error modal
* Catch invoice errors in fund error modal
* invoice check backoff
* anon info typo
* make invoice expiration times have saner defaults
* add comma to anon info
* use builtin copy input label
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
* Show longest cowboy streak in profile
* Fix image offset
* Initialize maxStreak for every user
* Use resolver instead of denormalization for maxStreak
---------
Co-authored-by: ekzyis <ek@stacker.news>