Skip to content

feat: vault unlock dialog (decrypt on app load) #321

Description

@glehmann

Create a dialog that appears when the app loads and detects encrypted credentials in localStorage.

UX flow:

  1. App loads → AuthProvider reads localStorage
  2. If stored value is an EncryptedTokenPayload (has method field + ciphertext):
    • For method: "password": show a password input field + submit button + "Reset vault" link
    • For method: "webauthn": show a "Unlock with biometrics" button + "Reset vault" link
  3. On successful unlock:
    • Derive/decrypt key via token-vault utils
    • Decrypt token
    • Cache derived key in sessionStorage (for silent re-encryption of refreshed tokens)
    • Set token in AuthProvider state → GitHubProvider initializes Octokit automatically
  4. On "Reset vault": clear the encrypted payload, fall back to unauthenticated state (user re-authenticates)

Detection logic (in AuthProvider initial state):

const raw = localStorage.getItem("pulldash_github_token");
let encryptedPayload: EncryptedTokenPayload | null = null;
try { encryptedPayload = JSON.parse(raw); } catch {}
if (encryptedPayload?.method) {
  // needs unlock
}

Same for pulldash_github_refresh_token.

Integration:

  • Add needsUnlock: boolean to AuthState
  • Add unlockToken(password) and unlockWithBiometrics() methods to AuthProvider
  • Render unlock dialog in WelcomeDialog when needsUnlock && !isAuthenticated

Part of #318

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2Default priority

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions