Warning when secure local storage is unavailable

gingi · gingi · commit 0aaaddd36bd9 · 2025-12-12T11:34:37.000-05:00
Adds renderer SafeStorageService and IPC events
diff --git a/desktop/i18n/resources.resjson b/desktop/i18n/resources.resjson
@@ -51,6 +51,8 @@
   "auth-service.tenant-error": "Cannot access resources for tenant {tenantName}",
   "auth-settings.title": "Authentication Settings",
   "auth.cancel-button.label": "Cancel",
+  "auth.encryption-unavailable.message": "Secure credential storage is unavailable. You will need to sign in each time you start the application. On Linux, install libsecret to enable credential storage.",
+  "auth.encryption-unavailable.title": "Secure Storage Unavailable",
   "auth.not-logged-in": "You are not logged in. Please log in to continue.",
   "auth.signin-button.label": "Sign in",
   "auth.tenant-sign-in-title": "Sign in to {tenant}",
diff --git a/desktop/src/@batch-flask/ui/banner/banner.component.ts b/desktop/src/@batch-flask/ui/banner/banner.component.ts
@@ -57,6 +57,8 @@ export class BannerComponent implements OnChanges {
 
     @Input() public height: string = "standard";
 
+    @Input() public collapsible: boolean = true;
+
     @ContentChildren(BannerOtherFixDirective)
     public otherFixes: QueryList<BannerOtherFixDirective>;
 
diff --git a/desktop/src/@batch-flask/ui/banner/banner.html b/desktop/src/@batch-flask/ui/banner/banner.html
@@ -1,9 +1,9 @@
 <bl-card [class]="type">
     <bl-clickable class="summary-container"
         [ngClass]="height"
-        [tabindex]="details.children.length !== 0 ? 0 : -1"
-        (do)="showDetails = !showDetails && details.children.length !== 0"
-        [class.expandable]="details.children.length !== 0"
+        [tabindex]="collapsible && details.children.length !== 0 ? 0 : -1"
+        (do)="showDetails = !showDetails && collapsible && details.children.length !== 0"
+        [class.expandable]="collapsible && details.children.length !== 0"
         [attr.aria-expanded]="showDetails">
         <ng-content select="[code]"></ng-content>
         <div class="message">
@@ -31,7 +31,7 @@
                 </bl-clickable>
             </div>
         </div>
-        <i class="caret fa" [class.fa-caret-left]="!showDetails" [class.fa-caret-down]="showDetails" *ngIf="details.children.length !== 0" aria-hidden="true"></i>
+        <i class="caret fa" [class.fa-caret-left]="!showDetails" [class.fa-caret-down]="showDetails" *ngIf="collapsible && details.children.length !== 0" aria-hidden="true"></i>
     </bl-clickable>
     <div class="details-container" [hidden]="!showDetails || details.children.length === 0" #details>
         <ng-content select="[details]"></ng-content>
diff --git a/desktop/src/app/components/auth/auth.i18n.yml b/desktop/src/app/components/auth/auth.i18n.yml
@@ -6,3 +6,6 @@ auth:
     label: Sign in
   cancel-button:
     label: Cancel
+  encryption-unavailable:
+    title: Secure Storage Unavailable
+    message: Secure credential storage is unavailable. You will need to sign in each time you start the application. On Linux, install libsecret to enable credential storage.
diff --git a/desktop/src/app/components/welcome/welcome.component.ts b/desktop/src/app/components/welcome/welcome.component.ts
@@ -1,22 +1,35 @@
-import { Component } from "@angular/core";
-import { AuthService, NavigatorService } from "app/services";
+import { Component, OnInit } from "@angular/core";
+import { AuthService, NavigatorService, SafeStorageService } from "app/services";
 import { autobind } from "@batch-flask/core";
 import { first } from "rxjs/operators";
 
 @Component({
     selector: "be-welcome",
     templateUrl: "./welcome.html",
 })
-export class WelcomeComponent {
+export class WelcomeComponent implements OnInit {
+    public encryptionUnavailable = false;
+
     public static breadcrumb() {
         return { name: "Home" };
     }
 
     constructor(
         private authService: AuthService,
-        private navigationService: NavigatorService
+        private navigationService: NavigatorService,
+        private safeStorage: SafeStorageService
     ) {}
 
+    public async ngOnInit() {
+        // Check if encryption is available
+        try {
+            this.encryptionUnavailable = !(await this.safeStorage.isEncryptionAvailable());
+        } catch (error) {
+            console.warn("Failed to check encryption availability:", error);
+            this.encryptionUnavailable = true;
+        }
+    }
+
     @autobind()
     public async signIn() {
         await this.authService.login();
diff --git a/desktop/src/app/components/welcome/welcome.html b/desktop/src/app/components/welcome/welcome.html
@@ -1,6 +1,12 @@
 <div class="central-panel">
     <div class="central-panel-content">
         <h1>{{"common.welcome" | i18n}}</h1>
+
+        <bl-banner *ngIf="encryptionUnavailable" type="warning" [collapsible]="false">
+            <div message>{{"auth.encryption-unavailable.title" | i18n}}</div>
+            <div details>{{"auth.encryption-unavailable.message" | i18n}}</div>
+        </bl-banner>
+
         <div class="central-button-group">
             <bl-button type="wide" class="central-button"
                 [action]="signIn">
diff --git a/desktop/src/app/services/index.ts b/desktop/src/app/services/index.ts
@@ -33,3 +33,4 @@ export * from "./themes";
 export * from "./network";
 export * from "./user-configuration";
 export * from "./version";
+export * from "./safe-storage.service";
diff --git a/desktop/src/app/services/safe-storage.service.spec.ts b/desktop/src/app/services/safe-storage.service.spec.ts
@@ -0,0 +1,55 @@
+import { SafeStorageService } from "./safe-storage.service";
+import { IpcEvent } from "common/constants";
+
+describe("SafeStorageService", () => {
+    let service: SafeStorageService;
+    let ipcSpy;
+
+    beforeEach(() => {
+        ipcSpy = {
+            send: jasmine.createSpy("send").and.returnValue(Promise.resolve())
+        };
+
+        service = new SafeStorageService(ipcSpy);
+    });
+
+    it("should call IPC send for setPassword", async () => {
+        await service.setPassword("testService", "testAccount", "testPassword");
+
+        expect(ipcSpy.send).toHaveBeenCalledWith(IpcEvent.safeStorage.setPassword, {
+            key: "testService:testAccount",
+            password: "testPassword"
+        });
+    });
+
+    it("should call IPC send for getPassword", async () => {
+        ipcSpy.send.and.returnValue(Promise.resolve("retrievedPassword"));
+
+        const result = await service.getPassword("testService", "testAccount");
+
+        expect(ipcSpy.send).toHaveBeenCalledWith(IpcEvent.safeStorage.getPassword, {
+            key: "testService:testAccount"
+        });
+        expect(result).toBe("retrievedPassword");
+    });
+
+    it("should call IPC send for deletePassword", async () => {
+        ipcSpy.send.and.returnValue(Promise.resolve(true));
+
+        const result = await service.deletePassword("testService", "testAccount");
+
+        expect(ipcSpy.send).toHaveBeenCalledWith(IpcEvent.safeStorage.deletePassword, {
+            key: "testService:testAccount"
+        });
+        expect(result).toBe(true);
+    });
+
+    it("should call IPC send for isEncryptionAvailable", async () => {
+        ipcSpy.send.and.returnValue(Promise.resolve(true));
+
+        const result = await service.isEncryptionAvailable();
+
+        expect(ipcSpy.send).toHaveBeenCalledWith(IpcEvent.safeStorage.isEncryptionAvailable);
+        expect(result).toBe(true);
+    });
+});
diff --git a/desktop/src/app/services/safe-storage.service.ts b/desktop/src/app/services/safe-storage.service.ts
@@ -0,0 +1,52 @@
+import { Injectable } from "@angular/core";
+import { IpcService } from "@batch-flask/electron";
+import { IpcEvent } from "common/constants";
+
+/**
+ * Service wrapping Electron's safeStorage API for secure credential storage.
+ * This service is for use in the renderer process and communicates with the main process via IPC.
+ */
+@Injectable({ providedIn: "root" })
+export class SafeStorageService {
+    constructor(private ipc: IpcService) {}
+
+    /**
+     * Store a password securely using Electron's safeStorage API
+     * @param service Service name (equivalent to keytar service)
+     * @param account Account name (equivalent to keytar account)
+     * @param password Password to store
+     */
+    public async setPassword(service: string, account: string, password: string): Promise<void> {
+        const key = `${service}:${account}`;
+        return this.ipc.send(IpcEvent.safeStorage.setPassword, { key, password });
+    }
+
+    /**
+     * Retrieve a password securely using Electron's safeStorage API
+     * @param service Service name (equivalent to keytar service)
+     * @param account Account name (equivalent to keytar account)
+     * @returns Promise resolving to password or null if not found
+     */
+    public async getPassword(service: string, account: string): Promise<string | null> {
+        const key = `${service}:${account}`;
+        return this.ipc.send(IpcEvent.safeStorage.getPassword, { key });
+    }
+
+    /**
+     * Delete a password from secure storage
+     * @param service Service name
+     * @param account Account name
+     */
+    public async deletePassword(service: string, account: string): Promise<boolean> {
+        const key = `${service}:${account}`;
+        return this.ipc.send(IpcEvent.safeStorage.deletePassword, { key });
+    }
+
+    /**
+     * Check if encryption is available
+     * Important on Linux where safeStorage may fall back to unencrypted storage
+     */
+    public async isEncryptionAvailable(): Promise<boolean> {
+        return this.ipc.send(IpcEvent.safeStorage.isEncryptionAvailable);
+    }
+}
diff --git a/desktop/src/client/core/secure-data-store/safe-storage-main.service.ts b/desktop/src/client/core/secure-data-store/safe-storage-main.service.ts
@@ -1,6 +1,8 @@
 import { Injectable } from "@angular/core";
+import { BlIpcMain } from "../bl-ipc-main";
 import { safeStorage } from "electron";
 import { GlobalStorage } from "@batch-flask/core";
+import { IpcEvent } from "common/constants";
 
 /**
  * Handles safeStorage operations using Electron's safeStorage API.
@@ -9,7 +11,32 @@ import { GlobalStorage } from "@batch-flask/core";
 export class SafeStorageMainService {
     private _storageKey = "safeStorageData";
 
-    constructor(private _storage: GlobalStorage) {
+    constructor(
+        private ipcMain: BlIpcMain,
+        private _storage: GlobalStorage
+    ) {
+    }
+
+    public init() {
+        this._setupIpcHandlers();
+    }
+
+    private _setupIpcHandlers() {
+        this.ipcMain.on(IpcEvent.safeStorage.setPassword, async (data) => {
+            return this.setPassword(data.key, data.password);
+        });
+
+        this.ipcMain.on(IpcEvent.safeStorage.getPassword, async (data) => {
+            return this.getPassword(data.key);
+        });
+
+        this.ipcMain.on(IpcEvent.safeStorage.deletePassword, async (data) => {
+            return this.deletePassword(data.key);
+        });
+
+        this.ipcMain.on(IpcEvent.safeStorage.isEncryptionAvailable, async () => {
+            return safeStorage.isEncryptionAvailable();
+        });
     }
 
     public async setPassword(key: string, password: string): Promise<void> {
diff --git a/desktop/src/common/constants/constants.ts b/desktop/src/common/constants/constants.ts
@@ -228,6 +228,12 @@ export const IpcEvent = {
         downloadBlob: "STORAGE_BLOB_DOWNLOAD_BLOB",
         uploadFile: "STORAGE_BLOB_UPLOAD_FILE",
         deleteBlob: "STORAGE_BLOB_DELETE_BLOB",
+    },
+    safeStorage: {
+        setPassword: "SafeStorage:setPassword",
+        getPassword: "SafeStorage:getPassword",
+        deletePassword: "SafeStorage:deletePassword",
+        isEncryptionAvailable: "SafeStorage:isEncryptionAvailable",
     }
 };
 
